Software Development: DOD Faces Risks and Challenges in Implementing Modern Approaches and Addressing Cybersecurity Practices
For fiscal year 2021, DOD requested approximately $37.7 billion for IT investments. These investments included major business IT programs, which are intended to help the department carry out key business functions, such as financial management and health care.
The National Defense Authorization Act for Fiscal Year 2019 included a provision for the US Government Accountability Office (GAO) to assess selected IT programs annually through March 2023. That assessment is now available.
GAO’s objectives for this review were to (1) summarize DOD’s reported performance of its portfolio of IT acquisition programs and the reasons for this performance; (2) evaluate DOD’s assessments of program risks; (3) summarize DOD’s approaches to software development and cybersecurity and identify associated challenges; and (4) evaluate how selected organizational and policy changes could affect IT acquisitions.
To address these objectives, GAO selected 29 major business IT programs that DOD reported to the federal IT Dashboard (a public website that includes information on the performance of major IT investments) as of September 2020. GAO reviewed planned expenditures for these programs, from fiscal years 2019 through 2022, as reported in the department’s FY 2021 budget request. It also aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that occurred since January 2019 and the early impacts of COVID-19.
GAO also analyzed the risks of the 22 programs that were actively using central repositories known as risk registers to manage program risks. GAO used these registers to create program risk ratings, and then compared its ratings to those of the DOD chief information officer (CIO).
In addition, GAO aggregated DOD program office responses to the questionnaire that requested information about the software and cybersecurity practices used by 22 of the 29 IT programs that were actively developing software. GAO compared the responses to relevant guidance and leading practices.
GAO reviewed selected IT-related organizational and policy changes and reviewed reports and documentation related to the effects of these changes on IT acquisitions. GAO also aggregated program office responses to the questionnaire that requested information about DOD’s implementation of these changes. This included information on DOD’s implementation of best practices as part of its efforts to implement Agile software development. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.
The review resulted in GAO making two recommendations to DOD related to revisiting the department’s CIO risk ratings and improving data strategies and automated data collection efforts for the business system and software acquisition pathways necessary for stakeholders to monitor acquisitions and critical to the department’s ability to assess acquisition performance.
First, that the Secretary of Defense should direct the Chief Information Officer to revisit program risk ratings for its next submission to the federal IT Dashboard for the programs where the DOD CIO’s program risk ratings indicated less risk than GAO’s assessments of program risk.
Second, that the Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment, in consultation with appropriate internal and external stakeholders, to ensure the data strategies and data collection efforts for the business system and software acquisition pathways define, collect, automate, and share, with the appropriate level of visibility, the metrics necessary for stakeholders to monitor acquisitions and that are critical to the department’s ability to assess acquisition performance.
To read the full report visit: www.gao.gov/assets/gao-21-351.pdf