Three lessons to take away from the IRS breach
August 27, 2015
There is no silver bullet to prevent the kind of attack that exposed the tax records of more than 300,000 people, but there are lessons to be learned.
David Stegon was a staff reporter for FedScoop and StateScoop from 2011-2014.
Opportunities exist to improve transparency and oversight of investment risk for information technology at selected federal agencies, the Government Accountability Office said in a new report.
Part of that would involve the Office of Management and Budget beginning to analyze the investment risk of these IT systems over time, as reflected in the federal IT Dashboard, and presenting its analysis with the president’s annual budget submission.
In its report, GAO found that chief information officers at six federal agencies rated the majority of their information technology investments as low risk, and many ratings remained constant over time. Those agencies include the Department of Homeland Security, Department of Defense, Department of Health and Human Services, Department of the Interior, Office of Personnel Management and the National Science Foundation.
Specifically, CIOs at the selected agencies rated a majority of investments listed on the federal IT Dashboard as low risk or moderately low risk from June 2009 through March 2012. At five of these agencies, these risk levels accounted for at least 66 percent of investments.
These agencies also rated no more than 12 percent of their investments as high or moderately high risk, and two agencies, DOD and NSF, rated no investments at these risk levels.
Over time, about 47 percent of the agencies’ dashboard investments received the same rating in every rating period. For ratings that changed, DHS and OPM reported more investments with reduced risk when initial ratings were compared with those in March 2012. The other four agencies reported more investments with increased risk.
According to GAO, in the past OMB reported trends for risky IT investments needing management attention as part of its annual budget submission, but discontinued this reporting in fiscal year 2010.
Agencies generally followed OMB’s instructions for assigning CIO ratings, which included considering stakeholder input, updating ratings when new data become available, and applying OMB’s six evaluation factors, GAO said.
DOD’s ratings were unique in reflecting additional considerations, such as the likelihood of OMB review, and consequently DOD did not rate any of its investments as high risk. However, in selected cases, these ratings did not appropriately reflect significant cost, schedule and performance issues reported by GAO and others.
Moreover, DOD did not apply its own risk management guidance to the ratings, which reduces their value for investment management and oversight, GAO said.