Security clearances, cybersecurity, 2020 census remain on GAO’s High-Risk List
The latest edition of the Government Accountability Office’s “High-Risk List” of federal programs highlights problems in the governmentwide program for granting security clearances, and it reiterates concerns about the 2020 census and the government’s role in the nation’s cybersecurity.
The new report, which will be featured in a House hearing Wednesday afternoon, also includes familiar notes about IT modernization. “Significant work remains for federal agencies to establish action plans to modernize or replace obsolete IT investments” under FITARA, the GAO says, noting that many of its recommendations remain unchanged from previous editions of the report.
The GAO singles out the Government-Wide Personnel Security Clearance Process for “significant challenges related to processing clearances in a timely fashion, measuring investigation quality, and ensuring information technology security.” The backlog of clearance applications was approximately 565,000 as of February, the GAO says.
The agency issued an alert in early 2018 about the clearance process, and although the new report says the executive branch “has taken some action and made some progress” on core issues, several challenges remain. The GAO praised the Trump administration’s “leadership commitment” on the problem but said it only partially met needs for expanding capacity, monitoring the process and showing demonstrated progress. The administration has not met the criteria for an action plan, but the GAO pointed to an effort by the Office of the Director of National Intelligence, the Department of Defense and the Security Clearance, Suitability, and Credentialing Performance Accountability Council (PAC), which is chaired by the deputy director for management of the Office of Management and Budget (OMB).
“Officials from ODNI, DOD, and the PAC told us they are working on an initiative called Trusted Workforce 2.0, an effort to transform the fundamental approach to workforce vetting, and supporting policies that will also overhaul business processes and modernize the IT architecture,” the report says. “According to officials, this effort is an expansion of reform since our January 2018 high-risk designation that will consider both risk and trust.”
One defense-related item — the Pentagon’s supply chain management — has been removed from the GAO’s list.
2020 census
The GAO report, which the agency issues every two years at the start of a new Congress, first added the 2020 census in 2017, but lawmakers and outside watchdogs were expressing concerns well before then. The questions for new bureau Director Steven Dillingham have only continued as the national headcount grows closer.
“For the 2020 Census, the U.S. Census Bureau … plans to implement several innovations, including new IT systems,” the GAO report notes. “The challenges associated with successfully implementing these innovations, along with other challenges, puts the Bureau’s ability to conduct a cost-effective census at risk.”
In particular, the GAO pointed to a workforce shortage that directly affects IT systems.
The bureau “continues to experience skills gaps in the government program management office overseeing the $886 million contract for integrating the IT systems needed to conduct the 2020 Census. Specifically, as of November 2018, 21 of 44 positions in this office were vacant,” the GAO says. “These vacant positions add risk that the office may not be able to provide adequate oversight of contractor cost, schedule, and performance.”
National cybersecurity
“Federal agencies and other entities need to take urgent actions to implement a comprehensive cybersecurity strategy, perform effective oversight, secure federal systems, and protect cyber critical infrastructure, privacy, and sensitive data,” the GAO report says, echoing a regular set of concerns inside and outside of government, as the Trump administration continues to work on issues that include IT modernization and protecting elections from cyberattacks.
The needle didn’t move much on those issues since the 2017 report, the GAO says, but it notes the May 2017 executive order on cybersecurity by President Donald Trump; the National Cyber Strategy that the White House issued in September 2018; and the Cybersecurity and Infrastructure Security Agency Act of 2018 into law, which enabled the Department of Homeland Security to restructure the existing cybersecurity components within the National Protection and Programs Directorate. In the meantime, the White House also eliminated a cybersecurity coordinator position that was created during the George W. Bush administration.
“Going forward, it will be critical for the White House to clearly define the roles and responsibilities of key agencies and officials in order to foster effective coordination and hold agencies accountable for carrying out planned activities to address the cybersecurity challenges facing the nation,” the GAO says.
Workforce needs
The GAO criticizes federal CIOs for not doing more to shore up agencies’ IT workforces — an area where the Trump administration has tried to make strides under the President’s Management Agenda and initiatives such as the Cyber Reskilling Academy.
“The majority of the agencies minimally addressed or did not address their CIO’s role in assessing agency IT workforce needs, and developing strategies and plans for meeting those needs,” the GAO says. “Correspondingly, the majority of the 24 CIOs acknowledged they were not fully effective at implementing IT workforce responsibilities.”