Progress has stalled with several federal programs and broad governmentwide challenges, in part, due to a lack of leadership attention that spans several administrations, the Government Accountability Office said in its 2021 high-risk list.
GAO’s high-risk list, which the agency released Tuesday, serves a biennial check-in on a wide variety of federal programs and broad challenges across government. Congressional oversight committees see the GAO report as a checklist for their own work.
Federal human capital management has been high-risk since 2001, and agencies made little progress with the topic since GAO published its last list in 2019.
In fact, a lack of progress with federal human capital issues is driving regression with other large agency programs and challenges, including cybersecurity, IT modernization and others.
“I’m concerned about the status of the federal workforce,” Comptroller General Gene Dodaro told reporters Tuesday morning. “22 of the high risk areas that are on the list are on, in part, because of critical skills gaps. The federal government needs to place much greater attention to make sure that it has the workforce sufficient to meet 21st century needs.”
Staffing shortages at some agencies are contributing to the problem, GAO said, and the government doesn’t have a broad plan to address skills gaps in cybersecurity and science, technology, engineering and math (STEM).
Agencies regressed in this space over the last two years, in part, due to a lack of stable, focused leadership attention on human capital issues across government.
GAO pointed to leadership inconsistences at the Office of Personnel Management, which has had three directors since 2019. Acting directors have led OPM for 18 out of the last 24 months, GAO said.
Lack of leadership was a consistent theme across GAO’s recommendations this year, and agencies can’t remove programs from the high-risk list without attention from top leaders, Dodaro said.
“The areas that we have taken off the list in the past have all had essential ingredients — top agency leadership, support from OMB, which has been lacking recently, and also support from the Congress and leadership,” Dodaro told the Senate Homeland Security and Governmental Affairs Committee. “When those three ingredients are present, that is the prescription for success in dealing successfully with these high risk areas in achieving what we all want.”
Dodaro pointed to arrangements that both the Obama and Trump administrations made, where the Office of Management and Budget’s deputy director for management served as the acting OPM director.
“[It] deluded the attention of the deputy for management over there,” he said. “Both happened in the Obama administration and the Trump administration. That’s one of the reasons OMB has kind of lost its focus over time.”
GAO added two areas this year, including the Small Business Administration’s emergency loan program and national efforts to prevent, respond and recover from drug misuse.
The high-risk list now covers 36 topics, though agencies have made some progress in some areas over the last two years.
The Defense Department, for example, managed to reduce its $1.3 trillion infrastructure footprint in recent years, leading GAO to remove the topic from its 2021 high-risk list.
Federal agencies have also trimmed down their real property, and the General Services Administration has reduced its reliance on expensive leases, GAO said.
Cybersecurity progress is slow going, GAO says
But progress in other areas has lagged. Five topics have been on GAO’s list since its inception in 1990.
GAO ratings for 20 federal programs haven’t changed since the oversight agency last published the high-risk list in 2019, and five areas have regressed.
Progress with cybersecurity has lapsed, GAO said, it’s been a high risk since 1997.
“You need a whole of government approach,” Dodaro said of the government’s cybersecurity challenges. “[The Cybersecurity and Infrastructure Security Agency] can play a very important role, but they don’t decide who appoints the chief information officers in the agencies. They don’t pick the chief information security officers; that’s the agency heads’ responsibility. They need to be involved. OMB needs to be involved and they haven’t been as involved as they have been in the past and need to be in the future. They can help both in making sure the resource investments are there, properly set out the right policies and guidance and make sure they get vetted during the budget preparation process.”
Lawmakers on both the House and Senate committees said they wanted to see the Biden administration more quickly appoint a national cybersecurity coordinator, which Congress codified in law last year.
“We continue to suffer unacceptable breaches,” said Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee. “This Congress, this committee is going to be taking a close look at making some significant improvements to federal cybersecurity.”
Lawmakers in both the House and Senate were particularly concerned about a lack of progress with cybersecurity, especially as they continue to learn more about the recently discovered SolarWinds breach.
GAO has made 3,300 recommendations in the cyber field since 2010, and 750 of them remain open.
“If your recommendations had been in place, do you think it would have prevented this cyber attack?” said Carolyn Maloney (D-N.Y.), chairman of the House Oversight and Reform Committee.
Maloney led a joint hearing with the House Homeland Security Committee last week on the SolarWinds breach.
“Well, it certainly would have led to an earlier discovery of the attack,” Dodaro said. “We would have been better postured to detect the attack ourselves and take quicker action.”
Beyond federal human capital management and cybersecurity, the financial posture at the U.S. Postal Service has also regressed since 2019, GAO said. USPS lost more than $87 billion during the last 14 years, including $9.2 billion alone during the last fiscal year.
The House oversight committee is considering legislative proposals that might put USPS in a better financial position, and Postmaster General Louis DeJoy shared part of his 10-year business plan with members last week.
“There needs to be an agreement within the Congress about what services do you really want?” Dodaro told the House committee. “You need to figure out what services you want to provide, how you want to pay for them and then structure a governance and organization that fits that on a sustainable basis going forward.”
Several members of the House oversight committee expressed frustration that several large federal programs and broad topics have been on GAO’s watch list for decades, and they questioned whether agencies had the right incentives to act on recommendations.
“Don’t we have to ask ourselves what is the effectiveness of having a high-risk list if there is no incentive for agencies to get off it?” said Rep. Jody Hice (R-Ga), ranking member of the government operations subcommittee. “What are we ultimately accomplishing? It’s almost like it’s become the norm for certain agencies to just be on there every year.”
Actions that Congress and executive branch agencies have taken based on GAO’s high-risk list report have saved $575 billion over the last 15 years, James Comer (R-Ky.), ranking member of the House Oversight and Reform Committee, told reporters Tuesday morning.
But both Congress and agencies need to do more, Dodaro said.
A few members, including Hice, suggested Congress should punish agencies who fail to improve and respond to GAO’s recommendations. There could be benefits and drawbacks to that approach, Dodaro said, and Congress should host more hearings on specific challenges to more fully understand them.
“What we’re trying to do when we do this at the beginning of each new Congress is to help set the oversight agenda for the Congress for the entire two-year period,” he told the House oversight committee. “It’s still possible to take each of these areas and have more hearings on them… This committee could pick a subset of issues and focus on them with more in-depth work. I have plenty of experts at GAO that could come and testify.”