GAO HIGH RISK REPORT ONLY SCRATCHES THE SURFACE ON WHY AGENCIES DON’T MEET CYBER STANDARDS

Cybersecurity and IT remain top concerns on the Government Accountability Office's (GAO) biennial list of high-risk government programs. While this may come as a surprise to some, given the considerable rhetoric surrounding these issues, a closer look shows that government tech systems remain high-risk for a number of reasons.

First, Congress fails to put its money where its mouth is. Agencies can't get money in their own budgets to modernize IT, and strong Senate opposition has prevented the passage of a more generalized $1 billion boost to the IT Modernization Fund.

Second, any experienced IT contractor will tell you that there can be a huge gulf between IT system security directives and how agencies actually go about acquiring IT equipment. Perhaps the best example of this is agency use of eBay to acquire old equipment that agencies need in order to run current systems, regardless of supply chain directives. Agencies turn to eBay, with all of its myriad risks, because new parts for existing solutions are no longer available. Again, lack of funding prevents real modernization.

Third, some agencies also look requirements right in the eye and blink. It's simply "too costly" to buy compliant equipment, regardless of whether there are secure supply chain or other security directives. Besides, the contractor has to certify, right? Pushing requirements off onto contractors is a time-honored, if incomplete, way to try to ensure cyber compliance. Contractors that have compliant solutions and actually obtain proper certifications can be at a disadvantage in the market. These companies need to let OMB and Congress know what they see "in the trenches."

Only when Congress gets serious about funding and OMB provides appropriate oversight can we expect to see cybersecurity no longer be a "high-risk" area in government.