Are CIOs being frank with the IT dashboard?

CIOs in various agencies are undercutting the usefulness of the federal IT dashboard, Government Accountability Office watchdogs warn.

The dashboard is meant to offer feds and the public alike a way to keep tabs on how IT investments are likely to proceed, but in a report released June 2, GAO found that many agency CIOs are giving green "low risk" ratings to projects that are actually medium- or high-risk.

GAO estimated risk ratings for 95 IT investments, and asserted that its projections determined higher risk ratings than agency CIOs gave for 65 percent of those projects.

In some cases, agencies didn't update assessments often enough, while in others they ignored active risks, GAO said.

"Consequently, the associated risk rating processes used by the agencies generally are understating the level of risk, raising the likelihood that critical federal investments in IT are not receiving the appropriate levels of oversight," the report stated.

The Defense Department was among the worst offenders. GAO concluded that more than a dozen projects to which the DOD had given green, low-risk ratings actually deserved red, high-risk scores. (This has long been a problem for the Pentagon, according to GAO.)  DOD also failed to update ratings for any of its 25 projects that GAO reviewed in April.

Under current Office of Management and Budget guidance, agencies are required to update their ratings at least once a month, but DOD is one of a few agencies -- along with the Social Security Administration and Education Department -- that does not meet this standard.

GAO's report took a dim view of the fact that OMB plans to eliminate the monthly update requirement for fiscal 2018, noting that regular review is key to accurate risk assessments.

Across 17 agencies, GAO found mixed approaches to calculating CIO dashboard ratings.

Nine agencies used all six of OMB's recommended criteria: risk management, requirements management, contractor oversight, historical performance, human capital and "other."

The rest picked and chose.

The Health and Human Services Department's sparse formula drew only on historical performance and "other" criteria from OMB's list.

Most agencies agreed with GAO's recommendations to consider active risks and update their ratings more regularly.

The Homeland Security Department, DOD and Environmental Protection Agency, on the other hand, defended their existing risk assessment schema against GAO's recommendations.