Pentagon May Be Underestimating IT Investment Risks, GAO Says

When it comes to information technology investments, the Defense Department needs work on providing oversight and accountability, according to a government watchdog report. 

In an annual review of major IT programs released June 23, the Government Accountability Office assessed performance, risks, approaches and challenges related to software and cybersecurity, and how organizational and policy changes affected IT acquisitions at DOD. As part of its review, GAO determined the Pentagon needs to do more to provide transparency into its IT projects. 

For example, DOD may be rating the risk of IT investments with more optimism than they merit, GAO found. Federal chief information officers are required to rate the risk of major IT investments and submit ratings to the Office of Management and Budget’s IT Dashboard—with five representing low risk investments and one representing more risk. But when GAO conducted its own risk review, it found 10 programs it assessed at greater risk levels than DOD reported. 

“[O]ur assessments show that some programs could be underreporting program risks,” the report reads. “In those cases, public and congressional interest in and oversight of those programs could be limited by overly optimistic risk perspectives, resulting in a less clear picture of the risks facing those programs.”

Officials cited a range of potential reasons for the differences in ratings. But at a minimum, the discrepancies in the way GAO and DOD accounted for risk demonstrates that the Pentagon needs to improve the ways in which it collects data and reports on programs, auditors concluded. 

And while many IT programs are implementing best practices related to iterative software development that may limit risk and improve cybersecurity, DOD lacks plans for how it will provide automated oversight of such programs, according to the report. Officials from the office of the undersecretary of defense for acquisition and sustainment, or USD(A&S), told GAO they are finalizing strategies for the software and business system acquisition pathways, and plan to implement the strategies this fiscal year. 

“DOD’s ability to oversee and manage these critical systems will be important to their success, as well as the department’s future capabilities,” the report reads. 

GAO has had modernizing DOD business systems in its crosshairs for some time—it’s a topic the watchdog has included on its High Risk List since 1995. 

The agency is planning to spend $12 billion through 2022 on 29 such systems, including $8.8 billion in 2021 on developing, modernizing, operating and maintaining business system programs.

As part of the modernization work, DOD is adopting agile software development practices and rethinking the best ways to acquire IT to account for the need to continuously improve software to ensure the utility and longevity of systems. Despite improvements, GAO has reported the agency still has a ways to go in the shift from waterfall development. 

Talent is a significant issue here: in a January audit showing 10 of 15 DOD IT projects had fallen behind schedule and in another report released earlier this month on weapon systems, GAO found DOD is challenged with finding and retaining appropriate software development expertise. In the June audit, GAO reported that over half of all major defense acquisition programs and middle-tier acquisition programs said they had staffing challenges that included hiring staff in time and finding expertise in software development. USD(A&S) officials told GAO it’s working with various components and military departments to develop a plan that will address software workforce issues, according to the June 23 report. 

In this most recent publication, GAO made two recommendations, with which DOD concurred. First, GAO said the defense secretary should direct the CIO to revisit its risk ratings for those programs where DOD claimed a lower risk rating than GAO and revise those ratings the next time it submits to the IT Dashboard. Second, GAO said USD(A&S) should ensure data strategies and collection efforts for the business system and software acquisition pathways clearly flesh out how stakeholders should monitor acquisitions so that performance can be accurately understood.