Editor’s Note: The following is ane excerpt from GAO-15-106, CIO Reporting Requirements. The complete report is available here.
From: US GAO
• For government-wide tracking of cybersecurity resources, one agency CIO commented that it was helpful to determine how much funding was spent on cybersecurity, but providing the supporting detailed accounting of the resources called for in the requirement was difficult. Another CIO commented that tracking resources helped in understanding the investments made and historical data provided insight into whether prior allocated resources were impactful; however, the reporting requirement needed to be consolidated with annual Federal Information Security Management Act reporting.
Consequently, establishing a common understanding between OMB and the CIOs on the priority of the reporting and related initiatives is key to the success of OMB reforms. As part of this understanding, it is also important to address underlying reasons cited by CIOs regarding the usefulness of requirements, including when department priorities are reportedly different than OMB’s and the burdensome and duplicative nature of requirements. . . .
The CIOs did propose a number of changes aimed at increasing the usefulness of reporting requirements and providing for effective feedback, but OMB had not yet established an effective approach to address them. Until it does, OMB risks requiring agencies to report on and manage IT in a suboptimal manner, which is inconsistent with its goal of improving federal IT management.
According to OMB, it chose to take no position on the recommendations due to its concerns that: (1) our draft report’s count of reporting requirements was not currently accurate, (2) our survey approach did not fully support the report’s findings and recommendations, (3) the second objective to solicit CIO views did not allow for sufficient context setting, and (4) OMB has taken steps to solicit feedback and streamline requirements that are not reflected in the draft report.
Leave a Reply