The Government Accountability Office (GAO) told the National Telecommunications and Information Administration (NTIA) this week that it still needs to work through an extensive list of foundational considerations as the agency moves forward with modernizing the IT systems it uses to manage radiofrequency spectrum.
The watchdog agency made five recommendations to NTIA to close gaps in the process, and it said the agency concurred with each of those.
“NTIA is working to modernize its spectrum management IT systems but hasn’t fully followed leading practices for doing so,” GAO said in a report issued on May 22.
“For example, it hasn’t completed an organization-wide risk assessment,” GAO said. “This, and other practices, would enable NTIA to identify, track, mitigate, and reduce cybersecurity risks and more.”
In the new report, GAO said that NTIA is more than three years into the spectrum IT systems modernization project, and last December awarded two contracts totaling $110 million to support that work.
On the plus side of the project, GAO said that NTIA has implemented “many leading cybersecurity practices” but failed to completely address or implement others.
“In addition, NTIA has defined key requirements for its cloud service provider. However, it has not fully developed a risk management strategy and has not completed an organization-wide risk assessment,” GAO said.
“Further, while it has developed system security plans that address most required elements, these plans were not always current,” the report says. “Also, in its cloud access management policies, NTIA did not fully define user privilege levels for its systems.”
“Fully implementing leading practices can enable NTIA to identify, track, mitigate, and reduce cybersecurity risks during the remainder of its modernization effort,” GAO said.
NTIA still has more work to do on developing a data governance plan, GAO reported.
In total, GAO said it made five recommendations to NTIA “to implement leading practices on completing an organization-wide risk assessment, developing a risk strategy, maintaining current system security plans, defining cloud access management procedures, and developing a data governance plan.”
“NTIA concurred with the recommendations and stated it will develop an action plan to implement them,” GAO said.
GAO covered earlier phases of NTIA’s planning efforts for the modernization project in a report issued in March 2024.