Cybersecurity and IT top GAO’s High Risk List, yet again

Leadership commitment to national cybersecurity regressed, in large part due to the lack of a comprehensive National Cyber Strategy or national cyber director.
U.S. Comptroller General Gene Dodaro of the Government Accountability Office testifies during a hearing before the Coronavirus Crisis Subcommittee of House Oversight and Reform Committee June 26, 2020 on Capitol Hill in Washington, DC. (Photo by Alex Wong/Getty Images)

Federal leadership on national cybersecurity regressed over the past two years, and IT acquisitions and operations continue to require “significant attention,” according to the Government Accountability Office.

The government’s rating for leadership commitment on cybersecurity declined between 2019 and 2021 from “met” to “partially met,” according to GAO’s biennial High Risk List report released Tuesday.

While the report doesn’t mention the massive SolarWinds hack that saw at least nine agencies compromised in 2020, it does flag missing components of the National Cyber Strategy and the unfilled national cyber director role.

“[A]nother silent battle is being fought in our IT networks by cyberattackers intent on stealing our intellectual property and undermining our national security,” said Rep. Carolyn Maloney, D-N.Y., during the House Oversight Committee’s hearing on GAO’s report. “The SolarWinds breach that came to light last December, as well as escalating and targeted cyberattacks that have drained millions of dollars from struggling hospitals, are just two examples of the threats we know about.”

The National Security Council’s Implementation Plan, which accompanies the National Cyber Strategy, lacks goals and timelines for 46 of the 191 activities it recommends agencies undertake and fails to identify resources for 160 of them. Nor does the plan provide a means to monitor agencies’ progress, according to GAO’s report.

Of more than 3,300 cybersecurity recommendations GAO has made since 2010, 750 hadn’t been fully implemented as of December.

“[A]s the federal government responds to and mitigates the impacts of the recent SolarWinds attack, the effective cybersecurity leadership and coordination GAO calls for is critical,” Sen. Rob Portman, R-Ohio, ranking member on the Homeland Security Committee, said in a statement.

While the rating of IT acquisitions and operations remained unchanged since 2019 in the new High Risk List, the area continues to require “additional attention,” according to GAO’s report.

The government invests more than $90 billion in IT annually, yet GAO found that 21 of the 24 Chief Financial Officers Act agencies haven’t fully addressed the roles of their chief information officers. Additionally, many agencies haven’t made IT modernization plans, or the plans they have lack accepted best practices.

Duplicative IT contracts abound, and the General Services Administration and the Office of Management and Budget lack the funds needed to lead the governmentwide effort to replace legacy systems. That could change: the Senate version of the American Rescue Plan Act includes $1 billion for the Technology Modernization Fund.

More than 400 IT recommendations by GAO remain open.

Other areas of concern

Another area on the High Risk List that saw regression was the decennial census.

GAO attributed the downgrade to the Department of Commerce’s request that the Census Bureau shorten its data collection and response processing timeframes, even though COVID-19 had halted operations for three months.

“Compressing the time frame to collect data and process responses has increased the risk of compromised data quality,” reads the report. “The Census Bureau found data anomalies during the processing of census responses that have delayed the delivery of apportionment numbers, which as of February 2021 had not been delivered to the president.”

A new addition to the High Risk List is small business emergency loans, which the Small Business Administration continues to have trouble administering during the COVID-19 pandemic. Changing program requirements have forced SBA to adapt its E-Tran loan system with mixed results.

Hundreds of billions of COVID-19 relief funds have been provided by the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) but not without “evidence of fraud and significant program integrity risk,” according to GAO.

At least 2 million approved PPP loans worth $189 billion were flagged as not in conformance with legislation, and more than 6,000 EIDLs worth $212 million were potentially made to ineligible borrowers, according to SBA’s independent auditor.

The Department of Justice is dealing with at least 90 cases of fraud tied to SBA’s COVID-19 loans — further proof more oversight and management is needed, according to GAO.

At Tuesday’s House hearing, GAO Comptroller General Gene Dodaro called for additional congressional action, commitment from agency leadership and OMB involvement in High Risk List areas.

The government realized $225 billion in financial benefits from addressing High Risk List areas between 2019 and 2021, but more investment of resources is needed, as are regular meetings between the OMB deputy director for management, top agency leaders and GAO.

“[A]gency leaders need to do more to address the hundreds of open recommendations we have made to reduce the government’s high-risk challenges,” Dodaro said, in his House testimony. “OMB’s leadership role is especially important because many high-risk areas are government-wide or involve multiple agencies.”