DOD Faces Risks and Challenges in Implementing Modern Approaches and Addressing Cybersecurity Practices

What GAO Found

According to the Department of Defense’s (DOD) fiscal year (FY) 2021 budget request, DOD spent $2.8 billion on the 29 selected major business information technology (IT) programs in FY 2019. The department also reported that it planned to spend over $9.7 billion on these programs between FY 2020 and FY 2022. In addition, 20 of the 29 programs reported experiencing cost or schedule changes since January 2019. Program officials attributed cost and schedule changes to a variety of reasons, including modernization changes and requirements changes or delays. Seventeen of the 29 programs also reported experiencing challenges associated with the early impacts of the COVID-19 pandemic, including the slowdown of contractors’ software development efforts.

DOD and GAO’s assessments of program risk identified a range of program risk levels and indicated that some programs could be underreporting risks. Specifically, of the 22 programs that were actively using a register to manage program risks, DOD rated 9 programs as low risk, 12 as medium risk, and one as high risk. In contrast, GAO rated 7 as low risk, 12 as medium risk, and three as high risk. In total, GAO identified 10 programs for which its numerical assessments of program risk reflected greater risk than reported by DOD, while DOD had 3 programs with greater reported risk than GAO. DOD officials noted that differences in risk levels might be associated with a variety of factors, including different risk assessment approaches. However, the differences in risk level GAO identified highlight the need for DOD to ensure that it is accurately reporting program risks. Until the department does so, oversight of some programs could be limited by overly optimistic risk perspectives.

As of December 2020, program officials for the 22 major DOD business IT programs that were actively developing software reported using approaches that could help to limit cost and schedule risks. (See table.)

Selected Software Development and Cybersecurity Approaches That May Limit Risks and Number of Major DOD Business IT Programs That Reported Using the Approach

| Software development and cybersecurity approaches that may limit risk | Number of programs that reported using the approach |
|---|---|
| Using off-the-shelf software | 19 of 22 |
| Implementing continuous iterative software development | 18 of 22 |
| Delivering software at least every 6 months (a) | 16 of 22 |
| Developing or planning to develop a cybersecurity strategy | 21 of 22 |
| Conducting developmental cybersecurity testing | 16 of 22 |
| Conducting operational cybersecurity testing | 15 of 22 |

Source: GAO analysis of Department of Defense questionnaire responses. | GAO-21-351
(a) The Defense Innovation Board encourages more frequent delivery of working software to users for Agile and DevOps practices.

Program officials also reported facing a variety of software development challenges while implementing these approaches. These included difficulties finding and hiring staff, transitioning from waterfall to Agile software development, and managing technical environments. DOD’s continued efforts to address these challenges will be critical to the department’s implementation of modern software development approaches.

DOD has also made organizational and policy changes intended to improve the management of its IT acquisitions, such as taking steps to implement Agile software development and improve data transparency. In addition, to address statutory requirements, DOD has taken steps to remove the department’s chief management officer (CMO) position. However, the department had not yet fully implemented these changes. Officials from many of the 18 programs GAO assessed that reported using Agile development reported that DOD had implemented activities associated with Agile transition best practices to only some or little to no extent, indicating that the department had not fully implemented best practices. For example, 12 of the 18 programs reported that DOD’s life-cycle activities only supported Agile methods to some or little to no extent. Program officials also reported challenges associated with implementing Agile software development. The department has a variety of efforts underway to help with its implementation of Agile software development. DOD officials stated that the department’s transition to Agile will take years and will require sustained engagement throughout DOD.

In addition, DOD has taken steps aimed at improving the sharing and transparency of data it uses to monitor its acquisitions. According to a November 2020 proposal from the Office of the Under Secretary for Acquisition and Sustainment, DOD officials are to develop data strategies and metrics to assess performance for the department’s acquisition pathways. However, as of February 2021, DOD did not have data strategies and had not finalized metrics for the two pathways associated with the programs discussed in this report. Officials said they were working with DOD programs and components to finalize initial pathway metrics. They said that they plan to implement them in fiscal year 2021 and continue to refine and adjust them over the coming years. Without important data from acquisition pathways and systems, DOD risks not having timely quantitative insight into program performance, including its acquisition reform efforts.

Finally, DOD’s CMO position was eliminated by a statute enacted in January 2021. This position was responsible for key initiatives associated with the department’s business systems modernization, which has been on GAO’s High Risk List since 1995. DOD plans to take steps to address the uncertainty associated with the recent elimination of the position.

Why GAO Did This Study

For fiscal year 2021, DOD requested approximately $37.7 billion for IT investments. These investments included major business IT programs, which are intended to help the department carry out key business functions, such as financial management and health care.

The National Defense Authorization Act for Fiscal Year 2019 included a provision for GAO to assess selected IT programs annually through March 2023. GAO’s objectives for this assessment were to (1) summarize DOD’s reported performance of its portfolio of IT acquisition programs and the reasons for this performance; (2) evaluate DOD’s assessments of program risks; (3) summarize DOD’s approaches to software development and cybersecurity and identify associated challenges; and (4) evaluate how selected organizational and policy changes could affect IT acquisitions.

To address these objectives, GAO selected 29 major business IT programs that DOD reported to the federal IT Dashboard (a public website that includes information on the performance of major IT investments) as of September 2020. GAO reviewed planned expenditures for these programs, from fiscal years 2019 through 2022, as reported in the department’s FY 2021 budget request. It also aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that occurred since January 2019 and the early impacts of COVID-19.

GAO also analyzed the risks of the 22 programs that were actively using central repositories known as risk registers to manage program risks. GAO used these registers to create program risk scores, and then compared its scores to those of the DOD chief information officer (CIO).

In addition, GAO aggregated DOD program office responses to the questionnaire that requested information about the software and cybersecurity practices used by 22 of the 29 IT programs that were actively developing software. GAO compared the responses to relevant guidance and leading practices.

GAO reviewed selected IT-related organizational and policy changes and reviewed reports and documentation related to the effects of these changes on IT acquisitions. GAO also aggregated program office responses to the questionnaire that requested information about DOD’s implementation of these changes. This included data on DOD’s implementation of best practices as part of its efforts to implement Agile software development. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.