GAO Issues Cyber, IT Guidance to Treasury CIO

The Government Accountability Office is pressing the Department of the Treasury’s Chief Information Officer, Sam Corcos, to close 21 outstanding recommendations aimed at strengthening federal cybersecurity and improving IT management across the department.

In a new report, the congressional watchdog said the open items fall squarely within two long-standing high-risk areas: ensuring the cybersecurity of the nation and improving IT acquisitions and management. GAO argues that addressing these gaps would measurably reduce risk, tighten fiscal oversight, and improve the department’s ability to detect and respond to cyber threats.

Key areas GAO wants Treasury to address

  • Time-bound rollout of multifactor authentication (MFA) for SaaS: Commit to a clear, department-wide timeline for implementing MFA across all software-as-a-service environments to reduce credential-based attacks.
  • Full compliance with OMB event logging requirements: Complete Treasury’s implementation of government-wide logging standards to enable better detection, investigation, and response to incidents.
  • Comprehensive inventory of mobile devices and services: Establish and maintain an up-to-date, department-wide inventory covering all mobile hardware and services to improve asset visibility and spending control.
  • Governance for AI applications aligned with EO 13960 Section 5: Develop a plan to ensure every AI application in use complies with the federal directive on trustworthy AI, including maintaining and sharing a current list of agency AI use cases.

Why it matters

GAO’s recommendations target foundational capabilities that agencies often struggle to operationalize at scale. A defined MFA timeline would lock in a core defensive control for cloud-based tools. Completing event logging requirements set by the Office of Management and Budget helps Treasury achieve the depth of telemetry needed for rapid incident triage and forensic investigations.

On the IT management side, a single authoritative inventory of mobile devices and services gives leaders clear visibility into assets and contracts, enabling better lifecycle management and spend optimization. And with AI increasingly embedded in mission systems, aligning applications with Executive Order 13960 Section 5 provides a framework for transparency, accountability, and responsible use—beginning with a complete inventory of AI use cases.

The bottom line

GAO asserts that closing these 21 open recommendations will harden Treasury’s cyber posture and sharpen oversight of its IT portfolio. For CIO Sam Corcos, that means setting milestones, tracking progress department-wide, and ensuring governance mechanisms are in place to make the improvements stick. The result, GAO says, would be stronger cybersecurity, better-managed technology, and greater value for taxpayers.
