IT Systems Annual Assessment: DOD Needs to Strengthen Software Metrics and Address Continued Cybersecurity and Reporting Gaps

What GAO Found

According to the Department of Defense's (DOD) fiscal year (FY) 2024 Federal IT Dashboard data, DOD's planned expenditures for 21 selected IT business programs amounted to $9.1 billion from FY 2022 through FY 2024. The four largest programs accounted for just over half of the planned cost of the portfolio (see figure).

The Department of Defense's (DOD) Planned Costs for the Four Largest IT Business Programs Compared to the Remaining 17 Selected Programs from Fiscal Year (FY) 2022–FY 2024

For the 21 programs, 70 percent ($6.4 billion) of the total reported cost across the 3 years was for operating and maintaining the systems and 30 percent ($2.7 billion) was for development and modernization.

Officials from 15 of the 21 IT business programs reported cost and/or schedule changes since January 2022 (see figure).

Selected Department of Defense (DOD) IT Business Programs Reported Cost and Schedule Changes Since January 2022

This included 13 programs that reported cost increases ranging from $0.5 million to $1.3 billion (a median of $163.3 million) and seven that reported schedule delays ranging from 15 months to 36 months (a median of 24 months).

Programs reported mixed progress on performance. Programs are required to identify and track a minimum of five metrics covering customer satisfaction, business results, financial performance, and innovation. Of the 21 programs, four reported meeting all performance targets, 10 reported meeting at least one, and one reported meeting none. The remaining six programs did not report. GAO has previously recommended that DOD ensure that such reporting occur.

The 10 DOD IT business programs actively developing software reported using recommended Agile and iterative approaches. However, in areas related to tracking customer satisfaction and progress of software development, four of the 10 programs did not use metrics and management tools required by DOD and consistent with GAO's Agile Assessment Guide. As a result, the department risks not having sound information on its Agile software development efforts.

Further, while program officials for all 21 programs reported conducting cybersecurity testing and assessments, several programs did not have an approved cybersecurity strategy. In June 2022, GAO had recommended that DOD's Chief Information Officer (CIO) ensure that programs each develop such a strategy. The department concurred with the recommendation and officials stated that they were continuing to follow up with programs that did not have a strategy.

Regarding legislative and policy changes, DOD is revising its business systems investment management guidance, modernizing its business enterprise architecture, and adopting zero trust cybersecurity principles. GAO will continue to monitor DOD's efforts to redistribute roles and responsibilities, improve department management of IT investments, and adopt zero trust cybersecurity.

Why GAO Did This Study

Information technology is critical to the success of DOD's major business functions. These functions include such areas as health care, human capital, financial management, logistics, and contracting.

The National Defense Authorization Act for FY 2019, as amended, includes a provision for GAO to conduct assessments of selected DOD IT programs annually through March 2026. GAO's objectives for this fifth such review were to (1) examine the cost, schedule, and performance of selected DOD IT business programs, (2) assess the extent to which DOD has implemented key software development and cybersecurity practices for selected programs, and (3) describe DOD actions to implement legislative and policy changes that could affect its IT acquisitions.

To address the first objective, GAO selected 21 DOD IT business programs, including (1) 20 business programs listed as major IT investments in the department's FY 2024 submission to the Federal IT Dashboard and (2) an additional business program that that had been previously designated as major and continued to have high annual costs. In analyzing the FY 2024 Dashboard data, GAO examined DOD's planned expenditures for these programs from FY 2022 through FY 2024.

GAO also administered a questionnaire to the 21 program offices to obtain and analyze information about cost and schedule changes that the programs reported experiencing since January 2022.

Further, GAO compared programs' performance metrics data reported on the Dashboard to OMB guidance and met with DOD CIO officials to understand differences in how the data were reported.

To address the second objective, the questionnaire also sought information about the programs' software development and cybersecurity practices, including their use and documentation of Agile metrics and development of cybersecurity strategies. GAO compared the responses and documentation against relevant guidance and best practices (e.g. DOD guidance and GAO's Agile Guide) to identify gaps and risks associated with not following the guidance. For programs that did not follow the guidance or demonstrate having documentation, GAO followed up with DOD officials for clarification on reasons why the programs did not do so.

For the third objective, GAO reviewed policy, plans, and guidance associated with the department's efforts to reorganize former CMO responsibilities; implement changes to its defense business systems investment management guidance and business enterprise architecture; and adopt zero trust cybersecurity principles. GAO also met with DOD CIO officials to discuss the department's efforts in these areas.