A new report from the Government Accountability Office (GAO) says U.S. Coast Guard guidance does not define risk levels for IT programs.
In 2017, the Coast Guard developed and implemented a multistep process to identify and designate if an IT system should be managed as a non-major acquisition program (assets with total costs of less than $300 million).
Since implementing its process in 2017, the Coast Guard identified and submitted 44 of its 403 IT systems to the Non-Major Acquisition Oversight Council (NMAOC) for review as potential non-major IT acquisitions. Of those 44 IT systems, the NMAOC screened 38 and designated 15 as non-major IT acquisition programs.
However, GAO has found that the Coast Guard’s process does not clearly indicate to officials how they should evaluate risks to determine if an IT system should be managed as a non-major acquisition.
The Coast Guard identifies several factors, such as technical risks and legal concerns, to evaluate as low, medium, or high risk in its guidance – but it does not provide definitions for what constitutes these levels of risks for acquisition officials to use. Consequently, the Coast Guard cannot ensure that its acquisition professionals are making risk-based decisions when designating IT systems as non-major acquisition programs, GAO said.
Acquisition Support Office officials told GAO that evaluating risk requires the acquisition professionals’ knowledge and should not be formulaic because risks can vary by program.
GAO also found that there are various reasons why screened IT systems are not designated as acquisition programs. For example, the Auxiliary Data system, a web-based application that collects data used to support auxiliary Coast Guard personnel, was identified as a potential acquisition program because it required development of interfaces to Coast Guard information systems. However, upon further review, the NMAOC determined that the commercial off-the-shelf product required minimal integration and did not designate it as an acquisition program. Another reason that an IT system may not be designated as an acquisition program is that the system has not obtained funding through the Coast Guard’s annual budget process.
The government watchdog considered the Coast Guard’s oversight of its non-major IT acquisition programs to be hindered because “programs are establishing, revising, and communicating cost and schedule goals (known as baselines) inconsistently”. GAO determined that three of the four non-major IT acquisition programs with approved baselines inconsistently established and revised their cost goals, hindering leadership’s insight into cost changes. For example, one program used a different dollar measurement to calculate baseline costs when it revised its goals in 2021. This measurement did not accurately capture the almost $300 million increase from its initial cost baseline.
Coast Guard acquisition officials told GAO that they are considering excusing non-major IT acquisition programs that are dependent on other Coast Guard programs from declaring schedule breaches. For example, a Tactical Cryptology Afloat Recapitalization program (TCA Recap) official said it did not achieve the full operational capability date of June 30, 2021 for its first phase because it is dependent on the operational asset availability of the National Security Cutters. The program is now using the full operational capability date of September 30, 2024 for its second phase as the only breachable schedule event date. As a result, the TCA Recap program avoids having to declare breaches in the interim should the National Security Cutters continue to be unavailable on the planned dates.
In order to improve clarity on risk levels, GAO recommends that the Coast Guard revise its Non-Major Acquisition Program Manual or the Level 3 Non-Major Acquisition Program Governance Form. Coast Guard agreed and said it will do so by the end of September, 2022.
GAO also recommended that the Coast Guard clearly communicate how non-major acquisition programs should: establish and revise baseline cost and schedule goals, including specifying the dollar type and required schedule events, pursuant to DHS policy, and communicate accurate and consistent baseline information in annual briefings. Coast Guard again concurred and expects to complete the required work by March 2023.
Finally, GAO called for a revision to the Coast Guard’s non-major breach policy to specify that programs that fail to meet their cost, schedule, or performance goals are considered to be in breach status. Coast Guard agreed and expects to make the revision by March 2023.