2005: 7 lessons from GAO

A review of reports with critiques and ideas from which many agencies might benefit.

If there's a problem in government, you can bet the Government Accountability Office will eventually investigate it. From bad management to bad contracting, from failing to be up-to-date on cybersecurity to failing programs, the government's watchdog agency will likely investigate what happened and why.

Along the way, GAO will give program officials a chance to speak out, challenge the findings, correct them or promise to do better. That certainly was the case in 2005 as GAO tackled hundreds of problems involving the use and misuse of federal information technology. GAO's findings offer plenty of lessons for agencies to learn. Here is a look at some of those reports on IT issues — the good and the bad — with examples of how GAO's scrutiny changes agencies' behavior.

Lesson #1: Keep an eye on your contractors

GAO auditors found that only five of 24 executive branch agencies had developed policies for ensuring that federal contractors protect government information on computer networks, according to a report GAO released in May.

Federal agencies have few resources at their disposal for holding contractors accountable for the security of government information on systems and networks that contractors control, the auditors found. Three tools that agency officials use to oversee contractors — contracts, oversight policies and self-assessments — have been relatively ineffective at preventing the risks posed by contractor operations, the report states.

Those risks include unnecessary exposure to worms and viruses, weak system access controls and unauthorized release or use of government information.

Lesson #2: Learn to deliver the bad news

Federal agencies need more detailed instructions to handle and report computer security threats, such as phishing, spyware and hacking, government auditors said in a June report.

GAO auditors found that most federal officials do not understand which computer security incidents they should report or how and to whom they should report them, even though such reporting is mandatory under the Federal Information Security Management Act.

As a result, the Homeland Security Department's U.S. Computer Emergency Readiness Team, which handles incident reporting, is unable to coordinate and respond to cyberthreats that target multiple federal agencies.

To remedy the lack of accurate and comprehensive reporting, the auditors recommended that Office of Management and Budget officials increase their oversight of agencies' efforts to identify, report and respond to emerging cybersecurity threats.

Lesson #3: Think in terms of budget trade-offs

In July, GAO admonished the Federal Aviation Administration for not divulging how belt-tightening efforts, needed to finish an overdue air traffic control modernization program, were affecting aviation safety systems.

GAO auditors recommended that FAA officials clearly identify trade-offs they are making to reach their budget targets by highlighting programs slated for funding increases and reductions. Without such information, according to GAO's report, lawmakers cannot evaluate the FAA's budget requests.

For decades, GAO's auditors have criticized the air traffic control modernization program for wasting taxpayer dollars through costly schedule and performance miscalculations.

A new FAA unit, the Air Traffic Organization (ATO), was created in 2004 to streamline the agency's acquisitions.

Auditors said ATO officials don't include all the pros and cons of cuts when they submit budget proposals for senior officials and lawmakers to review.

Lesson #4: Plan for trouble

GAO gave kudos to the National Archives and Records Administration for practicing good risk management in its Electronic Records Archives program.

The program has some weaknesses, but GAO declined to make any recommendations, saying the agency already had plans in place to address those issues.

NARA officials said they were aware of the risks in not forecasting the volume of e-records they might process now and in the future. It might mean they miscalculate the archives' size and scalability specifications.

NARA also accepted GAO's criticism for not knowing whether they will save e-files in their original formats or migrate the files to easily accessible formats.

NARA officials' self-reported risks should help them achieve their goals, according to NARA and GAO officials. At the time of the report, NARA had achieved all major milestones on or ahead of schedule.

Lesson #5: Communicate, communicate, communicate

In July, GAO took the Defense Department to task for continuing development of its new National Security Personnel System without holding adequate discussions with various stakeholders.

DOD did not identify key people interested in the personnel reforms or their concerns, according to the auditors' report. Employees were not part of the DOD working groups that drafted the plan.

"Failure to adequately consider a wide variety of people and cultural issues can lead to unsuccessful transformations," the July GAO report states.

But the agency commended DOD for using many practices for successful organizational transformations. Auditors cited DOD's process to design a system that department and Bush administration officials could support. GAO praised DOD for the guiding principles and performance parameters that guided the new personnel system's design process.

GAO recommended that DOD also devise a way to evaluate the effect of the new personnel system after its implementation.

In contrast to the low grades DOD earned on its collaborative report card, the Environmental Protection Agency got a thumbs up from GAO for good collaboration when it created a cross-agency e-rulemaking initiative.

"Even when an agency's suggestion was not incorporated into the system design, [those agencies] acknowledged that e-Rulemaking officials treated their concerns fairly, completely, and they understood why the suggestion was rejected," the report states.

Lesson #6: Put it in writing, distribute it widely

When GAO gave the Census Bureau advice on managing the 2010 decennial census, one theme was prevalent: Don't just say it, document it.

Census officials had developed policies and procedures to successfully manage IT in several areas, but those policies are not fully and consistently performed, according to the auditors' report.

For example, the bureau has established executive-level investment boards but does not have written procedures for how those boards should operate and make decisions on IT spending. GAO recommended creating a comprehensive repository of up-to-date investment information accessible to decision-makers.

GAO suggested that bureau officials develop and implement criteria and document policies for overseeing all IT projects. The bureau should also establish a written policy endorsing and enforcing enterprise architecture, the auditors said.

Lesson #7: Collect data...and use it

Agencies could improve the federal contracting process by reporting more information about contractors involved in suspension and debarment cases, GAO said in a September report.

The additional reporting could make it harder for excluded contractors to continue getting new contracts in defiance of their status, the auditors wrote. GAO specifically recommended that a governmentwide database of information on exclusions, the Excluded Parties List System, be modified so that each excluded company's contractor identification number would become part of the company's database listing.

That number is a unique identifier, so its mandatory inclusion would make it harder for an excluded company to get new business under a different name. GAO also recommended that agencies be required to share with other agencies any information on administrative agreements between an agency and a company.

Data is worthless if no one uses it, GAO wrote in a September report.

GAO reported that agencies are doing a good job of collecting data to measure the effectiveness of their programs, as required by the Government Performance and Results Act of 1993. They collect more now than they did in 1997, when GAO conducted a similar review. But auditors found that federal managers have not progressed much beyond where they were in 1997 in using that data to make better management decisions.

NEXT STORY: Forget MTV... I want my Web

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.