Federal spending on information technology and cybersecurity passed the $100 billion mark – annually. Yet IT acquisition and ensuring security remain stubbornly on the High Risk List maintained by the Government Accountability Office. Many longstanding GAO recommendations remain undone. A director on GAO’s IT and cybersecurity team, Kevin Walsh, had the latest on Federal Drive with Tom Temin.
Tom Temin: Kevin, good to have you back.
Kevin Walsh: Thanks. It’s good to be here. Thank you for the invitation.
Tom Temin: And one could almost make a career of watching federal IT acquisition not improve substantially. Or cybersecurity. What are the latest findings? I mean, what does it look like here in 2021, as we contemplate the beginning of another fiscal year in a few months?
Kevin Walsh: Sure. So you’re absolutely correct, our high risk area related to information security has been on the high risk list since 1997. So, you know, at this point, more than two decades. Our related area on IT acquisitions and operations has been on the high risk list since February of 2015. Now, in our most recent update in March, we noted that the area related to acquisitions and operations had pretty much stayed stable since our last update. But the cybersecurity of the nation had backslid a little bit, mainly related to leadership commitment. We really wanted to see a director in place at the Office of the National Cyber Director, and to the administration’s credit, the president announced his intended nominee in April. But we still want someone in that position.
Tom Temin: Sure. And let’s go to the acquisition side of this for a moment. Because since 1997, there have been at least three major landmark reform pieces of legislation. So it’s not like Congress has been listening to the GAO, its own GAO, when it comes to trying to get this right. And now we have the proper authorities, at least in statute, for who should do what in the acquisition chain; you’ve got this cooperation with CIOs and CFOs and program people and all of this FITARA. So what is the essential issue, do you think, for the government, that these acquisitions seem to take so long, engender so many protests, and never quite get the government totally modernized?
Kevin Walsh: So there’s no doubt in my mind that we’re getting better at this, Tom. IT capabilities are improving; you know, you can see the vast growth in just how pervasive IT is across the board in everything that we do, both personally and as a government. But as it has become more complex, it also gets harder. So you noted correctly that Congress has taken several swings at improving IT acquisitions and operations, most recently FITARA. And the oversight that Congress has provided to FITARA is, bar none, probably some of the best oversight that’s going on right now. But we still do need to make progress; agencies need to fully implement FITARA. There are many specific provisions of FITARA that they have not fully implemented. And it’s going to be all the more important with the billion dollars that the Technology Modernization Fund just recently received. So, we’re looking forward to helping agencies and the administration move forward to address this area.
Tom Temin: And we’ll get to those scores in a moment, we should remind people FITARA stands for Federal Information Technology Acquisition Reform Act, and it does require periodic reports to Congress. You mentioned some of the provisions of FITARA have not been fully implemented. What couple of them are the least implemented by the most agencies?
Kevin Walsh: Back in 2018, we made a report listing, [I] believe, about 35 different responsibilities that CIOs were required to do, by law. And we found that agencies had gaps in virtually all of them. So these are things like making sure that your CIO is involved in data center acquisitions and operations, IT strategic planning, workforce planning and budgeting, investment management; there’s a whole raft of them. So since that report was issued, we have only had three of the 24 agencies fully close and fully address those responsibilities for the CIOs. In particular, probably the most notable is having a CIO report directly to the agency head. If you don’t have a CIO with direct access to the agency head, that makes it much harder to control and reform and improve your information technology.
Tom Temin: And those three agencies with the gold stars are?
Kevin Walsh: The General Services Administration, the Social Security Administration, and USAID.
Tom Temin: Interesting, none of the big cabinet level ones.
Kevin Walsh: As you might expect, it takes a lot to move the bigger agencies; the more federated an agency is, the harder it is to get all the players in the room at the same time. So, these three agencies, you’re absolutely right and astute in observing that these are not the big ones, but they are monolithic. They don’t have many components to really work with or shift the needle on.
Tom Temin: We’re speaking with Kevin Walsh, he’s a director on the IT and cybersecurity team at the Government Accountability Office. And the most recent FITARA scorecards are just out, and there’s been a statement from the committee that looks at these things. What’s the highlight there? And what should the takeaway be from the latest scores?
Kevin Walsh: Sure, so this was an update that the committee released in December, and they just recently held the hearing on this past Friday. The basic gist of it is there were two major changes that the committee had made to their scorecard. They had retired the area related to agencies’ efforts to manage their software licenses. They retired it because all the agencies were getting an A. So mission accomplished, well done. But with that sunset, they also added a new area related to agencies’ transition to the EIS telecommunications contracts. And that’s particularly important because the last time the government tried something similar, back in 2007 on the Networx contracts, it was delivered late and rife with missed opportunities for cost savings. So, really glad to have their attention on that matter.
Tom Temin: Yeah. Because EIS is more than just switching phone carriers. I mean, it’s really a panoply of technology opportunities to do that modernization feat.
Kevin Walsh: Entirely correct. It is basically the telecommunications and internet infrastructure behind every single agency. So it is crucially important to have it done right.
Tom Temin: And what are your latest recommendations then, with this topic, still being on the latest list of high risk items?
Kevin Walsh: So the EIS related recommendations: we issued a report, I believe in late 2020, on the topic, and we made 25 recommendations to five agencies to fully implement the best practices that we have identified. So this wasn’t a fully cross cutting report that we looked at, EIS back in 2020. But we do think that this is critically important to have the government looking at in more and more depth.
Tom Temin: And turning to the cybersecurity side, you are asking the government to enhance the federal response to cyber incidents. And since the July 2019 report on that, the cyber incidents have gotten more frequent, and in many ways more comprehensive to put it kindly, in the number of agencies they affect.
Kevin Walsh: You’re entirely correct. In our recent statement, we reiterated four major challenges facing the nation. We need to have a comprehensive cybersecurity strategy, secure our systems and information, protect critical infrastructure, and protect privacy and sensitive data. But, as you note, there have been a multitude of significant cyber threats that we have faced recently, most notably perhaps the SolarWinds breach that was noted several months ago, but since then, the Cybersecurity and Infrastructure Security Agency, also known as CISA, has issued a number of emergency directives about various backdoors. Even last month, there was a new emergency directive related to Microsoft Exchange Server, which is basically behind your emails, inboxes, and calendars, that was being actively exploited. So this is continuing to be a source of headaches for our IT professionals, but also critically important to pay attention to.
Tom Temin: And so now GAO seems to be saying, or you seem to be saying, that with leadership at the White House level reestablished on cybersecurity, maybe that will kind of drive the agencies to make sure they’re organized for what the contemporary threats really are.
Kevin Walsh: You’re entirely correct. Basically, we had no real central coordination authority until recently. In January of ’21, so earlier this year, Congress enacted a statute establishing the Office of the National Cyber Director. And so, the administration has just announced their intended nominee to head that office. And hopefully, that central coordination and core really, really helps energize that high risk area.
Tom Temin: And this is probably a little bit outside of the report area. But one debate that’s never really been decided, and maybe it will be now in the next couple of years, is what a proper response should be to nation state actors and non nation state actors that are attacking the United States on behalf of nation states. That’s a growing area, private companies that do the dirty work of bad leaders that are our, you know, rivals around the world. And, you know, do we shoot them back and knock out their networks? Or do we simply defend ours or some range of activities in between? It seems like that one needs to be settled also.
Kevin Walsh: So you see several times in recent news briefs from the administration that they talk about the actions that they’re taking publicly as well as non public action, so I can’t speculate about what the government’s doing behind closed doors to protect our infrastructure. And this SolarWinds breach is even more complicated, because the way that the bad actors in this case got into our networks was not from foreign networks. They used American corporations basically to hide, or to go into, you know, stealth mode to get into the government and into SolarWinds. So it’s even harder to sniff out issues when they’re using our own infrastructure and internet, basically companies, against us.
Tom Temin: And the supply chain itself, that’s kind of the next frontier here, even though there’s been a lot of work already in the CMMC program and other policies for supply chain security, the government is not totally mature on that issue yet either, is it?
Kevin Walsh: Absolutely spot on again. We had a recent report looking at seven key best practices in supply chain risk management. Basically, do you have executive oversight? Some sort of strategy? Do you have a process to identify your own supply chains? Do you have a process to assess the risks to your supply chains? That as well as a few more. And we found that of the 23 civilian CFO Act agencies that we looked at, nobody had done a good job across the board. In fact, the vast majority of best practices that we found, agencies really hadn’t done at all. The one strategy area that was done the most was there were five agencies that have established executive oversight, meaning there were 18 agencies that had not, so, very disappointing.
Tom Temin: Yeah, so the old idea of trust, but verify, we’re pretty good on the trust side of suppliers. But so far, not so much on the verify side.
Kevin Walsh: Indeed, and in many cases, we don’t even know what our supply chains are. So it’s hard to protect what you don’t know.
Tom Temin: Kevin Walsh is a director on the IT and cybersecurity team at the Government Accountability Office. We could go on for hours, but we’ll have you back. Thanks for joining me.
Kevin Walsh: Thank you. Always a pleasure.