Every dog has its day, and every federal agency has its occasional report from the U.S. Government Accountability Office (GAO).
At the discretion of Congress, the GAO conducts various reports on issues plaguing wide-ranging aspects of federal agencies. Upon the completion of a report, the GAO publishes all unclassified "recommendations" to the public and awaits agency improvements.
Sometimes the GAO is ruthless in its reports. Callous, some might even say. And although its authority is respected and needed, sometimes those in the IT industry can get a kick out of the GAO's wholesome bluntness.
Still, the GAO maintains its approach is working, David Powner, director of IT management issues at the GAO, told CIO Dive.
The GAO only reviews agencies after being "tipped off" about problems. Its sometimes harsh presentation makes agencies more receptive to recommendations when "you're hard-hitting" but also "balanced," according to Powner.
Essentially, if the GAO's toughness is mildly cushioned by also acknowledging an agency's successes, agencies are more inclined to digest and complete its suggested remedies.
Here are 10 of the best GAO zingers from recent reports:
1. Yes, federal agencies still use floppy disks
The GAO released a May 2016 report on the federal government's legacy technology issue after finding 5,233 of 7,000 IT investments are spending "all of their funds" on operations and maintenance. Spending on development, modernization and enhancement was reduced approximately $7.3 billion to accommodate maintenance funding since 2010.
"In addition, some legacy systems may use parts that are obsolete and more difficult to find. For instance, Defense is still using 8-inch floppy disks in a legacy system that coordinates the operational functions of the United States' nuclear forces."
2. Another dollar wasted
A June 2017 report followed the progression of FITARA, a piece of legislation meant to reignite CIO authority in federal agencies. After saying the procurement of previous agency-wide IT budgets "often failed," the GAO found about 47% of the 800 recommendations made were resolved from 2010 to 2015. Still, agencies were starting failed initiatives that only ate at the federal IT budget.
"The Department of Homeland Security's Secure Border Initiative Network program was ended in January 2011, after the department obligated more than $1 billion for the program."
3. GAO doesn't care if an agency disagrees
The GAO looked into how the IRS managed its IT investments after it "expended" about $2.7 billion for IT in FY16. About 70% of that spending was dedicated to operational systems. In an October 2017 report, the GAO found recurring "weaknesses" in the IRS' ability to report its modernization efforts.
"IRS did not agree with the use of the technique, stating that it was not part of the agency's current program management processes and that the cost and burden to use earned value management would outweigh the value added. We disagreed with the agency's view of earned value management because best practices have found that its value generally outweighs the cost and burden of its implementation."
4. GAO wants actions, not just goals
The GAO made five recommendations to the Federal Motor Carrier Safety Administration (FMCSA) after it spent about $46 million in IT investments in FY16, according to a July 2017 report. Four factors including costs, schedules, investment performance and customer/business needs were examined as part of the operation analysis.
"FMCSA lacks complete plans to guide its systems modernization efforts. Specifically, the agency's IT strategic plan lacks key elements. While the agency has an IT strategic plan that describes the technical strategy, vision, mission and direction for managing its IT modernization programs … the plan lacks timelines to guide its goals and strategies related to integrated project planning and execution, IT security and innovative IT business solutions, among others."
5. HUD's cost estimates are 'unreliable'
The GAO analyzed the Department of Housing and Urban Development's request for $36 million for IT investments for FY17 because of the 2015 Consolidated and Further Continuing Appropriations Act. The GAO was set to examine HUD's "cost estimating practices" and released its findings in February 2017.
"The estimates were unreliable and did not provide a sound basis for informing the department's investment and budgetary decisions. Specifically, none of the estimates exhibited all of the characteristics of a reliable estimate, as they were not substantially or fully comprehensive, well-documented, accurate and credible."
6. VA and DOD have had difficulties
The Department of Veterans Affairs (VA) had "difficulty managing its information systems" over the years, and the GAO was enlisted to make recommendations to modernize its IT systems. In FY15, the VA had only closed 6% of its 356 data centers, which placed it 19th out of 24 examined federal agencies. Its healthcare services, sometimes partnered with the DOD, were still of concern.
"The IPO [Interagency Program Office] is responsible for monitoring and reporting on VA's and DOD's progress in achieving interoperability and coordinating with the departments to ensure that these efforts enhance health care services … Nevertheless, in our August 2015 report, we noted that the IPO had not specified outcome-oriented metrics and goals that could be used to gauge the impact of the interoperable health record capabilities on the departments' health care services."
7. Census Bureau struggles sometimes
The GAO released a report in November 2016 that highlighted the difficulties in "managing the interdependencies" of the U.S. Census Bureau's (Bureau) 2020 Decennial Census and Census Enterprise Data Collection and Processing programs. Data collection and goals will be stalled until proper technical management is put in place, according to the GAO.
"The Bureau is not alone in facing challenges in acquiring IT systems — it is a systemic issue that plagues the federal government. Although the executive branch has undertaken numerous initiatives to better manage the more than $80 billion that is annually invested in IT, we have a significant body of work that has found that federal IT investments too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes."
Bonus: "Looking forward, there is uncertainty as to whether the Census Bureau will be ready for the 2018 end-to-end test."
8. Don't agree? Doesn't matter to GAO
The GAO reviewed agencies' incremental development of IT investments and their certification by the CIO and released the report in November 2017. The GAO found that only four agencies, the Departments of Commerce, Energy, Homeland Security and Transportation, had "clearly defined CIO incremental development certification policies and processes." The Office of Management and Budget (OMB) was tapped to give CIOs its annual IT capital planning guidance, to which the GAO said it failed to make clear how CIOs can make statements of compliance to FITARA's provisions.
"OMB disagreed with several of GAO's conclusions, which GAO continues to believe are valid, as discussed in the report."
9. Library of Congress, get out of the Copyright Office's way
The GAO was selected to review the Copyright Office's current state of IT and released its findings in March 2015. The Copyright Office, a part of the Library of Congress, requested $7 million for FY15 and FY16 for online filing, a digital repository for "electronic materials," software application development and a data management team. But the GAO found that the Copyright Office did not wholly justify the investments and is potentially stalled by the Library as, at the time of the report, it had not had a CIO in more than two years.
"From the Copyright Office's perspective, the lack of clearly defined roles and responsibilities at the Library has impeded its ability to carry out its mission."
10. Stay strong OPM
Finally, since its 2015 data breach that impacted 21.5 million people, the Office of Personnel Management (OPM) has been under the watchful eye of the GAO and its recommendations. It determined that OPM had resolved 11 of the 19 recommendations, as stated in its report from August 2017. Cyberthreats are increasingly undermining the integrity of organizations' cybersecurity, but due to OPM's slow progress, the GAO believes OPM's sensitive data could still be at risk. After all, the report noted it took 17 months for OPM to validate evidence it had successfully fulfilled the the US-CERT recommendations.
"OPM provided comments concerning the approach of our audit and aspects of our report message. In particular, the agency stated that … the report does not present a fully accurate picture of the agency's cybersecurity posture. As we state in this report, our objectives were to evaluate OPM's actions taken since the 2015 breach … We designed and performed audit procedures to collect sufficient evidence to accomplish these objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions."