IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements
Fast Facts
The federal government invests more than $100 billion annually in IT. But these investments can be poorly managed—resulting in IT that fails to deliver needed improvements and is often late and over budget.
A law aimed at improving IT management requires agencies to review their portfolios of IT projects and high-risk IT investments. Our report shows that agencies haven't completed these reviews.
We recommended improving guidance, processes, and reporting.
Improving federal IT management is on our High Risk List.
Highlights
What GAO Found
The Office of Management and Budget (OMB) is not fully addressing eight key statutory requirements contained in the Federal Information Technology Acquisition Reform Act (FITARA). Specifically, OMB is partially following four of the five requirements on IT portfolio reviews, and not following the three requirements on high-risk IT investments (see table). Until OMB adheres to FITARA's portfolio management requirements, its oversight of agencies' IT portfolios, including potentially troubled IT investments, will be limited. As a result, the federal government will continue to expend resources on IT investments that do not meet the needs of the government or the public.
Extent to Which the Office of Management and Budget (OMB) Followed Statutory Requirements
Requirement | Assessment |
---|---|
IT portfolio reviews | |
Implement a process to assist agencies in reviewing their IT portfolios. | ◐ |
Develop standardized cost savings/avoidance and performance metrics for agencies to implement the process. | ◐ |
Carry out the Federal Chief Information Officer's (CIO) role in being involved in an annual review of each agency's IT portfolio in conjunction with the agency's CIO and Chief Operating Officer or Deputy Secretary (or equivalent). | ○ |
Submit a quarterly report on the cost savings/reductions in duplicative IT investment identified through this review process to key committees in Congress. | ◐ |
Submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies. | ◐ |
High-risk IT investment reviews | |
Carry out consultation responsibilities of the Federal CIO to agency CIOs and program managers of major IT investments that receive high-risk ratings for four consecutive quarters. | ○ |
Communicate the results of high-risk IT investment reviews to key committees in Congress. | ○ |
Deny any request of additional development, modernization, or enhancement funding for a major investment that has been rated high-risk for a year after the high-risk IT investment review. Additional funding should be denied until the agency CIO determines that the root causes of the risk have been addressed, and there is capability to deliver the remaining increments within the planned cost and schedule. [a] | ○ |

Legend: ◐ Partially followed = the agency demonstrated that it was following some, but not all, of the requirement; ○ Not followed = the agency did not demonstrate that it was following the requirement.
Source: GAO analysis based on OMB data. | GAO-25-107041
[a] This requirement does not apply to investments at the Department of Defense.
Agencies have also not fully addressed FITARA requirements for IT portfolio management. Specifically, none of the 24 agencies fully met the requirements for annual IT portfolio reviews. In addition, eight agencies with major IT investments rated as high-risk for four consecutive quarters did not follow the FITARA requirements for performing high-risk IT investment reviews. Three of the eight agencies performed the reviews, but they did not address the specific requirements in law. The remaining five agencies did not perform the reviews. Not performing these required reviews can permit investments with substantial cost, schedule, and performance problems to continue unabated without necessary corrective actions.
Why GAO Did This Study
The executive branch has undertaken numerous initiatives to better manage the more than $100 billion that is annually invested in IT. However, federal IT investments too frequently fail to deliver capabilities in a timely manner. Recognizing the issues related to the government-wide management of IT, in December 2014, Congress enacted federal IT acquisition reform legislation, commonly referred to as FITARA.
GAO was asked to evaluate IT executive reviews. This report evaluates the extent to which OMB and agencies are following requirements for IT portfolio management oversight, including annual IT portfolio and high-risk investment reviews. To do so, GAO identified related requirements from FITARA. GAO then compared agency documentation from OMB and the 24 agencies to the requirements. GAO also interviewed OMB and agency officials regarding their IT portfolio management practices.
Recommendations
GAO is making 10 recommendations to OMB to improve guidance, processes, and reporting; and 36 recommendations to 24 agencies to improve their IT portfolio processes.
OMB did not agree or disagree with its recommendations but stated that it disagreed with parts of the report. As discussed in the report, GAO maintains that the recommendations are warranted. Of the 24 agencies, seven agreed with their recommendations, two agencies neither agreed nor disagreed, and 15 stated that they had no comments.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | The Director of OMB should update existing guidance or issue new guidance to agencies to implement a process to assist agencies in reviewing their IT portfolios that includes the requirements provided in FITARA. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should develop standardized performance metrics for agencies to implement the IT portfolio review process, as prescribed by FITARA. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should ensure that the Federal CIO carries out its role in annually reviewing each agency's IT portfolio that is conducted by each agency's CIO in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) and the Federal CIO, as prescribed by FITARA. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should direct the Federal CIO to submit a quarterly report to the FITARA-identified committees in Congress on the cost savings and reductions in duplicative IT investments identified through the IT portfolio review process, as prescribed by FITARA. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should direct the Federal CIO to ensure that the agency cost savings on the IT Dashboard that are being used to fulfill statutory requirements to report to Congress are accurate and correctly attributed to IT portfolio review. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by agencies for information systems and how the benefits relate to the accomplishment of the goals of the agencies, as prescribed by FITARA. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should ensure that the Federal CIO carries out the consultation responsibilities of the Federal CIO to agency CIOs and program managers of major IT investments that receive high-risk ratings for four consecutive quarters, as prescribed by FITARA. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should direct the Federal CIO to communicate the results of high-risk IT investment reviews to committees in Congress, as prescribed by FITARA. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should deny any request of additional development, modernization, or enhancement funding for a major investment that has been rated high risk for a year after the high-risk IT investment review, as prescribed by FITARA. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Management and Budget | The Director of OMB should direct the Federal CIO to update existing guidance or issue new guidance to direct agencies' efforts on holding high-risk IT investment reviews in accordance with FITARA's requirements. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Agriculture | The Secretary of Agriculture should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Commerce | The Secretary of Commerce should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Defense | The Secretary of Defense should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Education | The Secretary of Education should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Energy | The Secretary of Energy should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Health and Human Services | The Secretary of Health and Human Services should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 16) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 17) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 18) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO, in conjunction with the project manager, to conduct high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 19) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Homeland Security | The Secretary of Homeland Security should direct the department CIO to work with OMB to ensure that its high-risk IT investment reviews include the extent to which these causes can be addressed (e.g., action items and due dates) and the probability of future successes (e.g., outcomes), as prescribed by FITARA. (Recommendation 20) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 21) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should direct the department CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 22) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Justice | The Attorney General should direct the CIO of the Department of Justice to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 23) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Labor | The Secretary of Labor should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 24) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Labor | The Secretary of Labor should direct the department CIO to work with OMB to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 25) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 26) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 27) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of State | The Secretary of State should direct the department CIO to work with OMB to ensure that its high-risk IT investment reviews include a root cause analysis of the high level of risk and the probability of future successes (e.g., outcomes), as prescribed by FITARA. (Recommendation 28) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of the Interior | The Secretary of the Interior should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 29) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of the Interior | The Secretary of the Interior should direct the department CIO to ensure that the Federal CIO is consulted in performing high-risk IT investment reviews, as prescribed by FITARA. (Recommendation 30) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of the Interior | The Secretary of the Interior should direct the department CIO to ensure that its high-risk IT investment reviews document the extent to which these causes can be addressed (e.g., action items with due dates), as prescribed by FITARA. (Recommendation 31) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of the Treasury | The Secretary of the Treasury should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 32) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Transportation | The Secretary of Transportation should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 33) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Department of Veterans Affairs | The Secretary of Veterans Affairs should direct the department CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 34) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Environmental Protection Agency | The Administrator of the Environmental Protection Agency should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 35) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
General Services Administration | The Administrator of the General Services Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 36) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 37) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
National Science Foundation | The Director of the National Science Foundation should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 38) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Nuclear Regulatory Commission | The Chairman of the Nuclear Regulatory Commission should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 39) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Personnel Management | The Director of the Office of Personnel Management should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO, as prescribed by FITARA. (Recommendation 40) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Office of Personnel Management | The Director of the Office of Personnel Management should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 41) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Small Business Administration | The Administrator of the Small Business Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 42) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Small Business Administration | The Administrator of the Small Business Administration should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 43) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Social Security Administration | The Commissioner of the Social Security Administration should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 44) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
U.S. Agency for International Development | The Administrator of the U.S. Agency for International Development should direct its agency CIO to work with OMB to ensure that annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA. (Recommendation 45) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
U.S. Agency for International Development | The Administrator of the U.S. Agency for International Development should direct its agency CIO to ensure they conduct a review in conjunction with the investment's program manager and in consultation with the Federal CIO, for major IT investments that have been designated as high risk for four consecutive quarters, as prescribed by FITARA, including identifying (1) the root causes of the high level of risk of the investment; (2) the extent to which these causes can be addressed (e.g., action items and due dates); and (3) the probability of future success (e.g., outcomes). (Recommendation 46) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |