Title: DOD's Back Office IT--We Looked At Costs and Cybersecurity Risks
Description: The Department of Defense plans to spend big bucks modernizing the IT systems it uses for everything from health care and human-capital needs, to logistics and contracting. Congress asked GAO to look at whether DOD's efforts are meeting costs and scheduling needs, as well as key cybersecurity practices. GAO's Vijay D'Souza tells us more.
Related work: GAO-24-106912, IT Systems Annual Assessment: DOD Needs to Strengthen Software Metrics and Address Continued Cybersecurity and Reporting Gaps
Released: July 2024
{Music}
[Vijay D'Souza:] DOD spends a lot of money on IT systems. But a lot of these systems are late and don't meet expectations.
[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for fact-based, nonpartisan news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. The Department of Defense plans to spend big bucks modernizing the IT systems it uses for everything from health care and human-capital needs, to logistics and contracting. Here at GAO, we were asked to look at whether DOD's efforts are meeting costs and scheduling needs, as well as key cybersecurity practices. Joining us to tell us more about our latest report is GAO's Vijay D'Souza, an expert on federal IT acquisitions. Thanks for joining us, Vijay.
[Vijay D'Souza:] Thanks. It's great to be here.
[Holly Hobbs:] So, Vijay, can you give us an idea of the scope of what DOD is trying to do? What are they updating? Why are they updating it? And what's the cost?
[Vijay D'Souza:] Well, DOD is the largest federal agency, and that means they have got a lot of resources and money to spend on IT. And for this report, it's important to understand we're not talking about the IT that DOD uses for its weapon systems. We're just talking about the IT it uses to run its day-to-day operations. Even just looking at that, DOD spends a ton of money.
For fiscal year 2024, it was estimated that DOD is going to spend about $43 billion on these systems. Now, we didn't look at all of these systems. We just looked at 21 of them. But even for those, over the last three fiscal years, DOD spent about $9 billion. All of these systems are really important for DOD. They run everything behind the scenes in the agency, including human capital, logistics, financial management and contracting. And a lot of these systems are really old. In fact, the average age of the systems we looked at was 19 years. So, they're in urgent need of modernization.
[Holly Hobbs:] Congress has asked us to monitor DOD's efforts. What's the concern there?
[Vijay D'Souza:] Well, unfortunately, DOD, like a lot of other federal agencies, has had a lot of problems with its systems modernization efforts. There are often delays, poor management, missed expectations, and so on. One of the biggest examples we heard recently was DOD's travel management system, the My Travel system. Last year, DOD decided to scrap a new system it had been working on for 5 years and went back to the older system. And this was a subject of a lot of congressional interest and public interest as well. But that's just one example of DOD's track record in this area.
[Holly Hobbs:] So DOD's undertaking this big effort. What's the status of the effort so far? Are they meeting deadlines? Are they meeting cost estimates?
[Vijay D'Souza:] Well, for the 21 systems that we looked at, 15 of them reported cost or schedule changes since January of 2022, the last time we had looked at it. Almost all of these were either cost increases or schedule delays, unfortunately. But this is in line with what we found in prior years. And it is generally in line with what we find for a lot of IT projects.
[Holly Hobbs:] So what about cybersecurity? Is DOD doing what we would expect given the potential risks?
[Vijay D'Souza:] Well, we took a look at a couple cybersecurity issues in the systems that we looked at. The first was Zero Trust. This is a big area in cybersecurity now. A lot of these systems were in the early stages of implementing Zero Trust processes and policies. So, it's really probably too early to tell how these systems are doing. The second area we looked at was testing and assessments, and we found that most of them were doing various types of cybersecurity testing and assessment. So that's a good thing. And then the third area was cybersecurity strategies. And we had a previous recommendation that not all of these systems had cybersecurity strategies in place, but they should have. And unfortunately, we found that several of the systems we looked at still didn't have these strategies in place. So that's something that we've reiterated in this report--that these systems really need to have cybersecurity strategies in place.
[Holly Hobbs:] DOD also recently made changes to its acquisitions policies. Do we know how that's impacted any of its efforts?
[Vijay D'Souza:] Well, a lot of these changes have actually been made for quite some time. But because DOD is such a large organization, it's taken them a long time to implement these things. In 2020, DOD revised what it calls this acquisition pathway, which is its overall process for doing large procurements. And one of the interesting things about it is they developed a special pathway for software projects. And this was further developed in a 2022 strategy that they developed. The idea is to do things for software in a way that's more likely to lead to success. And part of what we were doing in this project is assessing the extent to which DOD was following some of these newer processes. But honestly, they're not really that new. Some of the underlying things that DOD is trying to do, they've been trying to do since 2018 or even earlier.
{Music}
[Holly Hobbs:] So Vijay just told us that DOD has spent a lot of money and time updating its IT systems--including to prevent cyberattacks. But that many of these modernization efforts are delayed and more costly than planned. So, Vijay, what more do we think DOD should be doing to ensure its IT modernization efforts are meeting its needs?
[Vijay D'Souza:] To tie into what you were just talking about--DOD really needs to further implement the pathway or revised software acquisition process it itself has developed. This includes following something called an agile methodology, which is something most new software projects follow. One of the things we found is that for the ten systems we looked at, where they were actively developing software--all of them said they were using agile, but many of them didn't have a lot of the underlying tools or metrics you'd expect to see. And in fact, we made a recommendation to DOD that they needed to ensure that these systems had these tools in place to follow the agile process. In addition, we found some deficiencies in performance metrics. Each of these systems is supposed to report high-level performance metrics so that DOD management and the taxpayers understand whether they're doing what they're supposed to be doing or achieving their intended milestones. And we found a lot of gaps here. This is something we had made a recommendation on in a prior version of this report. So, we just re-emphasized that recommendation.
[Holly Hobbs:] Congress has asked us to keep looking at this issue. What are we going to look at next?
[Vijay D'Souza:] Well, this is an annual mandate. So, we're actually starting work on next year's version of this report as we speak. We'll continue to look at some of the same things we've looked at, but we'll modify it a little bit based on some of our prior findings.
We're also starting work actually looking at the My Travel system and some of the issues there--trying to see what steps DOD has taken to address them. All of this ties into the high-risk area that GAO's identified for DOD business systems modernization. This is something that we track across the DOD, and we're actually in the process of updating our high-risk report for the start of the next Congress.
[Holly Hobbs:] And last question, what's the bottom line of this report?
[Vijay D'Souza:] DOD spends a lot of money on IT systems. But a lot of these systems are late and don't meet expectations. They've taken some steps to improve what they're doing, but there's really a lot more that they can do.
[Holly Hobbs:] That was Vijay D'Souza talking about our new report on DOD IT. Thanks for your time.
[Vijay D'Souza:] Thanks.
[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen. And make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.