FAA off high-risk list, but most others remain

When the Government Accountability Office unveiled its 2009 high-risk list on Thursday, the biggest news wasn't who was on the list, but rather who came off.

After 14 years, the audit agency removed the Federal Aviation Administration's air traffic control modernization program from the list after GAO determined the agency made significant progress in improving the management of the program.

"The FAA's removal from the GAO high-risk list for financial management and air traffic control modernization demonstrates that they are spending the taxpayers' dollars wisely and are well-positioned to implement the NextGen system," said former FAA acting administrator Robert A. Sturgell in an e-mailed statement. "This is the culmination of years of hard work by the leadership team, program managers and contracting officials."

GAO designates programs high risk if it considers them to be of national significance and vulnerable to fraud, waste, abuse and mismanagement. This year's list features 30 programs, including three new additions, none of which were focused on information technology.

FAA first began its ambitious effort to modernize its air traffic control system in 1981. It requires the agency develop a vast network of radar, navigation, communications and information-processing systems. GAO first designated the $36 billion program as high risk in 1995, after it found consistent problems with the program, including ballooning costs and delays.

For more than a decade, FAA struggled to instill best management practices to improve the program's performance to no avail. But in the past few years, the agency made progress in improving the management of the huge IT program, according to Joel Willemssen, managing director of information technology at GAO.

"If you look at the January 2007 report, we spent quite a bit of narrative talking about the great progress they've made," he said. "We considered taking them off the list but wanted to see more sustained implementation of best practices and more from top management to turn this around. Overall, based on . . . them having addressed the key root causes for these problems, we concluded it was time to take them off the list."

GAO still will be aggressively monitoring FAA's progress on implementing the NextGen air traffic control system, which it began to roll out in November.

Many federal IT programs remained on the high-risk list, including Census 2010. GAO designated the program as high-risk in March 2008 because of the Census Bureau's problems with handheld computers being developed for use in recording household data.

"They're running out of time," Willemssen said. "That's why we decided to put it on the list out of cycle."

GAO cited the limited testing of the bureau's IT systems it plans to use in the 2010 census. The Census Bureau has said the decennial count will be the most technologically advanced yet. GAO is preparing a draft of its report on the December field testing of the handheld computers. Willemssen declined to comment on the contents of the report.

Another program on the high-risk list since 1995 is the Internal Revenue Service's Business Systems Modernization. Willemssen said security of the agency's networks is the primary reason the program remains on the list. GAO and the Treasury Inspector General for Tax Administration have released reports criticizing the IRS' information security management. GAO still is waiting on a detailed explanation of how IRS plans to utilize the Customer Account Data Engine, a new tax processing tool deployed in the fall.

Cybersecurity governmentwide, which was first added to the list in 1997, remained on the list. Willemssen said the area is one in which government would have to apply continued scrutiny to ensure it is keeping up with rapidly evolving threats.

"The biggest thing we'd like to see in terms of federal agencies is for each one to focus on having a highly effective, agencywide information security program," he said. "Oftentimes we'll note that the policies and procedures are there but not being implemented, therefore critical data and systems remain at risk."

Willemssen said GAO has issued hundreds of recommendations to agencies to improve information security, but they have not instituted many of the suggestions. He noted that unlike six to 10 years ago, agencies have taken basic security measures, but the cybersecurity risk continues to be high and GAO cannot take it off the list.

"It's a moving target, not static and we have to continue to have a mature capability to address whatever evolving risk," Willemssen said. "We don't always see that [capability] from the agencies we look at."

The Defense Department's Business Systems Modernization program, which was first added in 1995, remains on the list. Defense must develop an enterprise architecture and ensure that controls are in place to increase oversight of acquisition and IT investments, GAO said.

"Again we see very mixed results, in too many cases controls are not well-implemented, leading to cost and schedule issues," Willemssen said. "DoD has not quite institutionalized best practices. More needs to be done."