Can reorg plans get agencies off the high-risk list?

As agencies continue preparations to submit their reorganization plans, many also have to reckon with their places on the Government Accountability Office's high-risk list.

Comptroller General Gene Dodaro, shown here introducing the 2015 GAO High-Risk List.

Since 1990, GAO has chronicled a single list of government programs imperiled by waste, fraud, abuse and mismanagement. The 2017 edition identified 34 high-risk areas, with government-wide IT management, cybersecurity and strategic human capital management making repeat appearances.

At an Aug. 23 event hosted by the National Academy of Public Administration, GAO head Gene Dodaro said that, contrary to perception, it's not impossible to get off the high-risk list after being placed on it -- but it does require a specific, committed response.

"We've taken over 20 areas off over the years," he said, adding that agencies "don't have to have the risk completely solved … but you have to have it under management as much as possible and actually demonstrate you're fixing some of the problems."

One area of particular concern for Dodaro is federal cybersecurity, which made its debut on the high-risk list in 1997 and has become an omnipresent issue for agencies.

"Obviously, the cyber challenges today are a lot more dramatic than they were in 1997," he said.

In addition to the challenges posed by governmentwide reliance on legacy equipment, agencies "are not working with enough urgency" to mitigate vulnerabilities and unauthorized access on their networks, Dodaro said.

"Most of the attacks involve areas of known weakness that haven't been patched or haven't been fixed," he said, adding that GAO has made thousands of recommendations over the years, and that 1,000 remain open. "While there is an inherent problem, there are known things that could be done to reduce agencies' vulnerability."

Dodaro gave credit to agencies' inspectors general, who have taken a lead role in identifying and helping resolve concerns in the cybersecurity arena, and to Congress for its continued legislative and oversight interests.

Congress has "taken a lot of legislative action" on cybersecurity and workforce issues in recent years, "and I don't expect attention in Congress to wane," Dodaro said.

Dodaro added that despite laws like the Federal IT Acquisition Reform Act that have given CIOs more authority, "the government does not get an adequate return on investment" on its annual IT spend of about $90 billion.

However, the recent departures of top agency tech officials at Homeland Security, Treasury and Agriculture -- as well as the prolonged absence of a current federal CIO -- are "an area to be concerned about," he said.

Dodaro said that the high number of remaining vacancies throughout the Trump administration has "not yet" resulted in a slowdown in the reporting or progress on program reform efforts, but added, "it's something to keep an eye on."

On the human capital front, there's an intrinsic relationship between the government's security posture and recruiting and retaining a skilled workforce.  

Veronica Villalobos, principal deputy associate director for the Office of Personnel Management's Employee Services division, pointed out that sequestration, repeated continuing resolutions and this year's federal hiring freeze have also made filling cyber positions more difficult.   

Dodaro said GAO is currently investigating the effects of President Donald Trump's hiring freeze and expects to publish a report "later this year." In the past, GAO has reported that hiring freezes don't help the cause of government efficiency.

Ongoing reorganization efforts, Dodaro said, present the "perfect opportunity" to work with GAO and address remaining open recommendations. Whether agencies will take the opportunity to address the recommendations, "we'll wait and see," he said. "But we've done our part."