The Defense Department relies heavily on information technology to protect the nation and deter war. It requested about $36.1 billion for IT for fiscal year 2020.
The Government Accountability Office looked at how cost and schedule estimates have changed in 15 major DOD IT programs and examined how software development approaches and cybersecurity practices may affect costs and timeframes.
Cost estimates decreased for 11 programs (ranging from .03% to 33.8%) and 10 programs experienced schedule delays (ranging from 1 month to 5 years).
All reported developing cybersecurity strategies but only 8 conducted systematic cybersecurity vulnerability assessments.
GAO reported in June 2020 that, of the 15 major Department of Defense (DOD) information technology (IT) programs selected for review, 11 had decreased their cost estimates as of December 2019. The decreases in cost estimates ranged from a .03 percent decrease to a 33.8 percent decrease. In contrast, the remaining four programs experienced increases in their life-cycle cost estimates—–two with increases exceeding 20 percent. Program officials reported several reasons for the increases, including testing delays and development challenges.
Ten of the 15 programs had schedule delays when compared to their original acquisition program baselines. Schedule delays ranged from a delay of 1 month to a delay of 5 years. Program officials reported a variety of reasons for significant delays (delays of over 1 year) in their planned schedules, including cyber and performance issues.
Regarding software development, officials from the 15 selected major IT programs that GAO reviewed reported using software development approaches that may help to limit risks to cost and schedule outcomes. For example, 10 of the 15 programs reported using commercial off-the-shelf software, which is consistent with DOD guidance to use this software to the extent practicable. Such software can help reduce software development time, allow for faster delivery, and lower life-cycle costs.
In addition, 14 of the 15 programs reported using an iterative software development approach which, according to leading practices, may help reduce cost growth and deliver better results to the customer. However, programs also reported using an older approach to software development, known as waterfall, which could introduce risk for program cost growth because of its linear and sequential phases of development that may be implemented over a longer period of time. Specifically, two programs reported using a waterfall approach in conjunction with an iterative approach, while one was solely using a waterfall approach.
With respect to cybersecurity, programs reported mixed implementation of specific practices, contributing to program risks that might impact cost and schedule outcomes. For example, all 15 programs reported developing cybersecurity strategies, which are intended to help ensure that programs are planning for and documenting cybersecurity risk management efforts.
In contrast, only eight of the 15 programs reported conducting cybersecurity vulnerability assessments—systematic examinations of an information system or product intended to, among other things, determine the adequacy of security measures and identify security deficiencies. These eight programs experienced fewer increases in planned program costs and fewer schedule delays relative to the programs that did not report using cybersecurity vulnerability assessments.