Federal prison system, cybersecurity, human capital and more on GAO’s high risk list

Agencies made more improvements than usual with federal programs and governmentwide challenges, the Government Accountability Office said in its high risk list. But more long-standing problems are miring further progress.

GAO’s 2023 high risk list, a biennial report that the agency published Thursday, details a broad range of troubled federal programs that are vulnerable to fraud, waste, abuse and mismanagement. Congressional committees use GAO’s high risk list to help create their own oversight agenda.

Overall, 16 of the 37 items on the high risk list improved for 2023, including health care at the Department of Veterans Affairs, as well as the Postal Service, GAO said in its report.

Some areas saw improvement due to more stable funding from Congress, said U.S. Comptroller General Gene Dodaro, head of GAO. Still, there are significant reasons that the programs remain high risk.

“Congress passed the Postal Service Reform Act that eliminated some of the financial pressures on the Postal Service, but the business model is still not viable in the future. They continue to lose money and that remains on the list,” Dodaro said during a Senate Homeland Security and Governmental Affairs Committee hearing Thursday. “Congress has provided some additional resources to IRS, which deals with our high risk area of tax administration.”

Despite a few improvements, GAO added several new areas to the high risk list since the previous version of the report, published in 2021.

For one, persistent deficiencies in leadership at the Department of Health and Human Services led GAO to add public health emergency coordination to the high risk list in 2022.

“The department’s response to the COVID-19 pandemic compounded our long-standing concerns about its ability to execute its role in leading federal public health and medical emergencies and responding to extreme weather events,” GAO said in its high risk list report.

Additionally, GAO said the Unemployment Insurance System, a program in the Labor Department, faces challenges that “have affected the system’s ability to meet the needs of unemployed workers.”

The Small Business Administration’s emergency loan program, added to the list in 2021, remained an area of concern for both GAO and lawmakers for mismanaged government spending.

GAO was working with SBA to try to build in a better fraud risk framework early on in the COVID-19 pandemic, Dodaro said, but the agency did not cooperate.

“There was enormous pressure to get the money out,” Dodaro said during the HSGAC hearing. “In the original days of the creation of that program, [SBA said] ‘we’re too busy to focus on that, we have to get this money out.’”

The exact amount of mismanaged funds from the SBA program is not yet known. But one lesson learned, Dodaro said, is to not allow self-certification from loan applicants.

Attrition at Federal Bureau of Prisons

Management of the Federal Prison System is the latest addition to the high risk list, and the only area that GAO added in 2023.

Many of the challenges with the program’s management stem from staff attrition at the Federal Bureau of Prisons (BOP), the office within the Justice Department in charge of the program.

BOP also does not have reliable methods for assessing staffing levels, GAO said. As a result, the agency’s use of overtime hours increased by over 100% in the past few years.

“That’s always an indication that you have some sort of staffing challenge,” Dodaro said.

“Not only did overtime go up, it’s continuing to go up,” GAO Managing Director for Homeland Security and Justice Charles Johnson added during the hearing. “There have been continued gaps in their staffing as well … They have a 15% gap in their authorized staffing levels.”

BOP ranked the worst of any agency subcomponent in the Partnership for Public Service’s 2022 Best Places to Work rankings. The agency subcomponent also received the lowest employee engagement and satisfaction of the entire rankings, with a score of 35.5 out of 100.

GAO said the Federal Prison System also has issues planning and evaluating programs that help incarcerated people have a successful return to the community.

Cybersecurity risks remain top of mind

Threats to national cybersecurity persist as a major risk governmentwide. Cybersecurity has remained a high risk on GAO’s list since 1997.

“GAO has placed our nation’s cybersecurity as one of the top five high risk areas that need significant attention, and has issued more than 4,000 recommendations in the cybersecurity domain since 2010,” Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) said during the hearing Thursday. “If we’re going to be truly effective at strengthening our networks and leading the world in this fast growing area, and protecting our national security, then we must have qualified and dedicated cybersecurity, IT and AI experts working all across the federal government.”

Many of the issues with federal cybersecurity stem from long-term challenges with the cybersecurity workforce.

“There’s no comprehensive way for us to know whether each federal agency actually knows what it needs [for cyber staffing],” GAO Managing Director of IT and Cybersecurity Nick Marinos said during the hearing. “Each agency then needs to focus on not only recruiting and hiring, but also retaining really highly qualified staff. We know there’s a shortage not only within the federal government, but across the nation.”

“This is a cautionary tale,” Dodaro added. “There were really no qualification standards for cyber people for a number of years. We were way behind the curve.”

But there is competition among agencies, as well as different types of hiring authorities available, depending on the individual agency.

“There’s an unlevel playing field. Some agencies have special hiring authorities and pay — others don’t,” Dodaro said. “I think there needs to be a look at that, and whether that’s rationalized properly.”

Issues with federal hiring, and looking at ways to reform the process, have remained a concern for lawmakers as well.

“There are about 105 hiring authorities, and when I asked the [chief human capital officers] about it, [they said] about 20 of them are used more than 90% of the time,” Sen. James Lankford (R-Okla.), a HSGAC member, said during the hearing. “But every time I bring up direct hiring authority, everyone has a conniption on it and thinks that’ll never work.”

The White House released its national cyber strategy in March, but implementation will be the next crucial step for the Biden administration, Dodaro said.

The implementation plan should include “who’s responsible for what, how much money we need, how are we going to measure performance and improvements in those areas,” Dodaro said. “Cybersecurity remains a grave threat to our economy and our national security — it needs to be better addressed.”

A long road for human capital management

Broader categories on the high risk list are also causing deep-rooted issues for federal programs.

Notably, strategic human capital management is a risk area that has remained on GAO’s list since 2001.

But OPM’s limited resources and internal staffing are slowing progress for human capital management governmentwide, another recent GAO report found.

“The Office of Personnel Management does not have its own plan for improving its workforce,” Dodaro said. “The human resource people in the government, whether centralized at OPM or at individual agencies, aren’t what we need in order to help support the recruitment and hiring of cyber people.”

Human capital management challenges can pose risks to hiring issues, including for the federal cybersecurity workforce.

“We have seen flexible hiring authorities as one way for federal agencies to take advantage,” Marinos said. “But in order to do so, the human resource employees need to be aware and cognizant of how to leverage those flexibilities.”

Human resources is also one of the top governmentwide skills gaps, OPM reported in November.

Two areas of improvement on the 2023 high risk list, where GAO removed items from the list, were the 2020 decennial census and the Pension Benefit Guaranty Corporation’s insurance programs.

GAO said it will monitor 2030 census planning for emerging risks and challenges.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.