U.S. GAO – Information Technology: DOD Software Development Approaches and Cybersecurity Practices May Impact Cost and Schedule

What GAO Found

GAO reported in June 2020 that, of the 15 major Department of Defense (DOD) information technology (IT) programs selected for review, 11 had decreased their cost estimates as of December 2019. The decreases in cost estimates ranged from a .03 percent decrease to a 33.8 percent decrease. In contrast, the remaining four programs experienced increases in their life-cycle cost estimates, two with increases exceeding 20 percent. Program officials reported several reasons for the increases, including testing delays and development challenges.

Ten of the 15 programs experienced schedule delays when compared to their original acquisition program baselines. Schedule delays ranged from a delay of 1 month to a delay of 5 years. Program officials reported a variety of reasons for significant delays (delays of over 1 year) in their planned schedules, including cyber and performance issues.

Regarding software development, officials from the 15 selected major IT programs that GAO reviewed reported using software development approaches that may help to limit risks to cost and schedule outcomes. For example, 10 of the 15 programs reported using commercial off-the-shelf software, which is consistent with DOD guidance to use this software to the extent practicable. Such software can help reduce software development time, allow for faster delivery, and lower life-cycle costs.

In addition, 14 of the 15 programs reported using an iterative software development approach which, according to leading practices, may help reduce cost growth and deliver better results to the customer. However, programs also reported using an older approach to software development, known as waterfall, which could introduce risk for program cost growth because of its linear and sequential phases of development that may be implemented over a longer period of time. Specifically, two programs reported using a waterfall approach in conjunction with an iterative approach, while one was solely using a waterfall approach.

With regard to cybersecurity, programs reported mixed implementation of specific practices, contributing to program risks that might impact cost and schedule outcomes. For example, all 15 programs reported developing cybersecurity strategies, which are intended to help ensure that programs are planning for and documenting cybersecurity risk management efforts.

In contrast, only 8 of the 15 programs reported conducting cybersecurity vulnerability assessments, which are systematic examinations of an information system or product intended to, among other things, determine the adequacy of security measures and identify security deficiencies. These eight programs experienced fewer increases in planned program costs and fewer schedule delays relative to the programs that did not report using cybersecurity vulnerability assessments.

Why GAO Did This Study

For fiscal year 2020, DOD requested approximately $36.1 billion for IT investments. Those investments included major IT programs, which are intended to help the department sustain key operations.

The National Defense Authorization Act for Fiscal Year 2019 included a provision for GAO to assess selected IT programs annually through March 2023.

GAO’s objectives for this review were to, among other things, (1) describe the extent to which selected major IT programs have changed their planned costs and schedules since the programs’ initial baselines and (2) describe what selected software development and cybersecurity risks or challenges, if any, may impact major IT programs’ acquisition outcomes.

GAO selected programs based on DOD’s list of major IT programs, as of April 10, 2019. From this list, GAO identified 15 major IT programs that had established an initial acquisition program baseline and that were not fully deployed by December 31, 2019.

GAO compared the 15 programs’ initial cost and schedule baselines to current acquisition program estimates. In addition, GAO aggregated DOD program office responses to a GAO questionnaire about software development approaches and cybersecurity practices used by the 15 programs.

GAO compared this information to leading practices to identify risks and challenges affecting cost, schedule, and performance outcomes.

This report is a public version of a “for official use only” report issued in June 2020.

For more information, contact Kevin Walsh at (202) 512-6151 or [email protected].