The Department of Defense (DoD) is looking to spend $12 billion on its 29 largest business IT systems from fiscal years (FY) 2019 through 2022. However, the Government Accountability Office (GAO) found that DoD may be underestimating the risks for some acquisitions and needs to do more to improve the sharing and transparency of data it uses to monitor acquisitions.
“DOD and GAO’s assessments of program risk identified a range of program risk levels and indicated that some programs could be underreporting risks,” GAO wrote in a report. “Specifically, of the 22 programs that were actively using a register to manage program risks, DOD rated nine programs as low risk, 12 as medium risk, and one as high risk.”
GAO, on the other hand, rated seven as low risk, 12 as medium risk, and three as high risk. DoD notes that the difference in risk level could be due to different factors, including different risk assessment approaches. However, GAO says that the differences in risk level “highlight the need for DoD to ensure that it is accurately reporting program risks.”
Elsewhere in the report, GAO found 22 programs that are “actively developing software reported using approaches that reduced risk of cost and schedule overruns such as early cybersecurity testing.” Program officials did, however, report a variety of software development challenges to implementing these approaches, such as finding and hiring staff, transitioning from waterfall to agile software development, and managing technical environments.
Additionally, DoD has made organizational and policy changes to improve IT acquisitions management and taken steps to remove its chief management officer position, but DoD has not yet sufficiently implemented these changes.
GAO made two recommendations, and DoD concurred with both. The first is for DoD’s CIO to revisit program risk ratings for its next Federal IT Dashboard submission for the programs where the DoD CIO’s program risk ratings indicated less risk than GAO’s assessments of program risk.
The second recommendation is for the under secretary of Defense for Acquisition and Sustainment to ensure “data strategies and data collection efforts for the business system and software acquisition pathways define, collect, automate, and share with the appropriate level of visibility, the metrics necessary for stakeholders to monitor acquisitions and that are critical to the department’s ability to assess acquisition performance.”