IT Systems Annual Assessment: DOD Needs to Strengthen Software Metrics and Address Continued Cybersecurity and Reporting Gaps
Fast Facts
DOD spent, or planned to spend, $9.1 billion on IT business programs in FYs 2022-24.
In our annual assessment, we reviewed 21 of those programs and found 10 are developing software and using an Agile approach. This is an iterative development process in which software is delivered in increments throughout the project, letting program staff catch errors quickly and get continual user feedback.
But 4 of these programs didn't use metrics or management tools required for this type of approach—especially when tracking customer satisfaction and software development progress.
We recommended that DOD address this issue.
Highlights
What GAO Found
According to the Department of Defense's (DOD) fiscal year (FY) 2024 Federal IT Dashboard data, DOD's planned expenditures for 21 selected IT business programs amounted to $9.1 billion from FY 2022 through FY 2024. The four largest programs accounted for just over half of the planned cost of the portfolio (see figure).
The Department of Defense's (DOD) Planned Costs for the Four Largest IT Business Programs Compared to the Remaining 17 Selected Programs from Fiscal Year (FY) 2022–FY 2024
For the 21 programs, 70 percent ($6.4 billion) of the total reported cost across the 3 years was for operating and maintaining the systems and 30 percent ($2.7 billion) was for development and modernization.
Officials from 15 of the 21 IT business programs reported cost and/or schedule changes since January 2022 (see figure).
Selected Department of Defense (DOD) IT Business Programs Reported Cost and Schedule Changes Since January 2022
This included 13 programs that reported cost increases ranging from $0.5 million to $1.3 billion (a median of $163.3 million) and seven that reported schedule delays ranging from 15 months to 36 months (a median of 24 months).
Programs reported mixed progress on performance. Programs are required to identify and track a minimum of five metrics covering customer satisfaction, business results, financial performance, and innovation. Of the 21 programs, four reported meeting all performance targets, 10 reported meeting at least one, and one reported meeting none. The remaining six programs did not report. GAO has previously recommended that DOD ensure that such reporting occur.
The 10 DOD IT business programs actively developing software reported using recommended Agile and iterative approaches. However, in areas related to tracking customer satisfaction and progress of software development, four of the 10 programs did not use metrics and management tools required by DOD and consistent with GAO's Agile Assessment Guide. As a result, the department risks not having sound information on its Agile software development efforts.
Further, while program officials for all 21 programs reported conducting cybersecurity testing and assessments, several programs did not have an approved cybersecurity strategy. In June 2022, GAO had recommended that DOD's Chief Information Officer (CIO) ensure that programs each develop such a strategy. The department concurred with the recommendation and officials stated that they were continuing to follow up with programs that did not have a strategy.
Regarding legislative and policy changes, DOD is revising its business systems investment management guidance, modernizing its business enterprise architecture, and adopting zero trust cybersecurity principles. GAO will continue to monitor DOD's efforts to redistribute roles and responsibilities, improve department management of IT investments, and adopt zero trust cybersecurity.
Why GAO Did This Study
Information technology is critical to the success of DOD's major business functions. These functions include such areas as health care, human capital, financial management, logistics, and contracting.
The National Defense Authorization Act for FY 2019, as amended, includes a provision for GAO to conduct assessments of selected DOD IT programs annually through March 2026. GAO's objectives for this fifth such review were to (1) examine the cost, schedule, and performance of selected DOD IT business programs, (2) assess the extent to which DOD has implemented key software development and cybersecurity practices for selected programs, and (3) describe DOD actions to implement legislative and policy changes that could affect its IT acquisitions.
To address the first objective, GAO selected 21 DOD IT business programs, including (1) 20 business programs listed as major IT investments in the department's FY 2024 submission to the Federal IT Dashboard and (2) an additional business program that had been previously designated as major and continued to have high annual costs. In analyzing the FY 2024 Dashboard data, GAO examined DOD's planned expenditures for these programs from FY 2022 through FY 2024.
GAO also administered a questionnaire to the 21 program offices to obtain and analyze information about cost and schedule changes that the programs reported experiencing since January 2022.
Further, GAO compared programs' performance metrics data reported on the Dashboard to OMB guidance and met with DOD CIO officials to understand differences in how the data were reported.
To address the second objective, the questionnaire also sought information about the programs' software development and cybersecurity practices, including their use and documentation of Agile metrics and development of cybersecurity strategies. GAO compared the responses and documentation against relevant guidance and best practices (e.g., DOD guidance and GAO's Agile Guide) to identify gaps and risks associated with not following the guidance. For programs that did not follow the guidance or demonstrate having documentation, GAO followed up with DOD officials for clarification on the reasons why the programs did not do so.
For the third objective, GAO reviewed policy, plans, and guidance associated with the department's efforts to reorganize former Chief Management Officer (CMO) responsibilities; implement changes to its defense business systems investment management guidance and business enterprise architecture; and adopt zero trust cybersecurity principles. GAO also met with DOD CIO officials to discuss the department's efforts in these areas.
Recommendations
GAO is making one recommendation to DOD to ensure that IT business programs developing software are using Agile metrics and management tools required by DOD and consistent with GAO's Agile Guide. DOD concurred with GAO's recommendation and described actions it planned to take to address it. In its prior annual assessment reviews, GAO made three recommendations related to performance reporting and cybersecurity strategies. Although DOD described actions it planned to take to address the recommendations, they have not yet been implemented. Doing so would help ensure that the issues GAO identified are addressed.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | We are making one recommendation to the Department of Defense that the Secretary direct the Chief Information Officer and Under Secretary of Defense for Acquisition and Sustainment to ensure that IT business programs developing software use the metrics and management tools required by DOD and consistent with those identified in GAO's Agile Assessment Guide. | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |