The Department of Defense (DOD) plans to spend $12 billion on its 29 largest business information technology systems during fiscal years 2019-2022. But the Government Accountability Office (GAO) says DOD may be underestimating the risks for some of its acquisitions.
According to DOD’s FY 2021 budget request, the department spent $2.8 billion on the 29 selected major business information technology (IT) programs in FY 2019. DOD also reported that it planned to invest over $9.7 billion on these programs between FY 2020 and FY 2022. In addition, 20 of the 29 programs reported experiencing cost or schedule changes since January 2019. During GAO’s review, program officials attributed cost and schedule changes to a variety of reasons, including modernization changes and requirements changes or delays. Seventeen of the 29 programs also reported experiencing challenges associated with the early impacts of the COVID-19 pandemic, including the slowdown of contractors’ software development efforts.
DOD and GAO’s assessments of program risk identified a range of program risk levels and indicated that some programs could be underreporting risks. Of the 22 programs that were actively using a register to manage program risks, DOD rated nine programs as low risk, 12 as medium risk, and one as high risk. In contrast, GAO rated seven as low risk, 12 as medium risk, and three as high risk. In total, GAO found 10 programs for which its numerical assessments of program risk reflected greater risk than reported by DOD, while DOD had three programs with greater reported risk than GAO. DOD officials noted that differences in risk levels might be associated with a variety of factors, including different risk assessment approaches. However, the watchdog said the differences in risk level it identified highlight the need for DOD to ensure that it is accurately reporting program risks.
Program officials told GAO that they faced a variety of software development challenges, which included difficulties finding and hiring staff, transitioning from waterfall to Agile software development, and managing technical environments.
GAO found that DOD has made organizational and policy changes intended to improve the management of its IT acquisitions, such as taking steps to implement Agile software development and improve data transparency. Meanwhile, to address statutory requirements, DOD has taken steps to remove the department’s chief management officer (CMO) position. The position was eliminated by a statute enacted in January 2021 and DOD plans to address the uncertainty associated with the recent elimination of the position. Officials from many of the 18 programs GAO assessed that reported using Agile development reported that DOD had implemented activities associated with Agile transition best practices to only some or little to no extent, indicating that the department had not sufficiently implemented best practices. The department has a variety of efforts underway to help with its implementation of Agile software development, and DOD officials stated that the department’s transition to Agile will take years and will require sustained engagement throughout DOD.
GAO also found that DOD has taken steps aimed at improving the sharing and transparency of data it uses to monitor its acquisitions. According to a November 2020 proposal from the Office of the Under Secretary for Acquisition and Sustainment, DOD officials are to develop data strategies and metrics to assess performance for the department’s acquisition pathways. However, GAO reports that as of February 2021, DOD did not have data strategies and had not finalized metrics for the two pathways associated with the programs discussed in this report. Officials told the watchdog they were working with DOD programs and components to finalize initial pathway metrics. They stated that they plan to implement them in fiscal year 2021 and continue to refine and adjust them over the coming years.
For fiscal year 2021, DOD requested approximately $37.7 billion for IT investments. These investments included major business IT programs, which are intended to help the department carry out key business functions, such as financial management and health care. To ensure this spending is not burdened by undue risk, GAO is making two recommendations to DOD related to revisiting the department’s risk ratings and improving data strategies and automated data collection efforts. First, that the Secretary of Defense should direct the Chief Information Officer (CIO) to revisit program risk ratings for its next submission to the federal IT Dashboard for the programs where the DOD CIO’s program risk ratings indicated less risk than GAO’s assessments of program risk. Second, that the Secretary of Defense should direct the Under Secretary of Defense for Acquisition and Sustainment USD (A&S), in consultation with appropriate internal and external stakeholders, to ensure the data strategies and data collection efforts for the business system and software acquisition pathways define, collect, automate, and share, with the appropriate level of visibility, the metrics necessary for stakeholders to monitor acquisitions and that are critical to the department’s ability to assess acquisition performance.
DOD concurred with both recommendations and stated that it planned to examine risk ratings for the programs where DOD’s CIO risk ratings indicated less risk than GAO’s assessment. In addition, the department stated that it had identified, and was in the process of finalizing, reporting information standards for each of its pathways, including the business and software acquisition pathways. Further, the department stated that USD(A&S) was collaborating with the services on short- and long-term plans for automating data implementation and collection for all Adaptive Acquisition Framework pathway core data standards.