Upgrading IT to replace legacy systems and increasing cyber-protections were common themes of four agency IGs at a recent House hearing on major management challenges facing federal agencies.
HHS “must continue to find ways to leverage data to enhance decision-making, including streamlining and accelerating internal data exchange. Similarly, it is critical that the department ensure that the systems on which it relies are able to promptly detect problems to help prevent inappropriate payments, protect people, and reduce time-consuming and expensive ‘pay and chase’ activities,” an official from the IG’s office there said. He cited problems such as lack of interoperability and noted that the IG has issued a series of reports recommending fixes for specific security problems, as well as a greater management focus on strengthening information security across the department.
SSA’s IT environment “includes hundreds of applications and an array of technologies, and it is increasingly difficult and expensive to maintain” and still uses applications programmed with decades-old COBOL language, an official from the IG’s office there said. SSA spends most of its annual $1.2 billion in IT funding to maintain such systems and would need an additional $300 million to carry out a plan calling for enhancing applications critical to processing core workloads, updating its data infrastructure, and pursuing cloud computing to reduce data storage costs, he said.
The Labor Department suffers from “long-standing information security deficiencies, including third-party oversight, incident response and reporting, risk management, and continuous monitoring,” an official from the IG’s office there said. He said his office has recommended that management make funding to address those problems a higher priority, along with giving the CIO there greater independence and authority for implementing and maintaining an effective information security program.
Similarly, the Education IG “has identified repeated problems in the department’s information technology security” and recently concluded that its overall information security programs “were generally not effective . . . our work identified repeated weaknesses that limit the department’s ability to mitigate threats to its systems and data, leaving them vulnerable to unauthorized access and attack,” an official said.
