The Government Accountability Office (GAO) is urging the Department of Defense (DoD) to improve reporting of operational performance metrics data and development planning of fiscal year (FY) 2023 IT projects and funding.
In a June 13 report, the watchdog agency reviewed the performance of DoD’s 25 major IT business programs for FY2023, including their software development and cybersecurity practices.
According to the report, for FY2023, DoD planned to spend about $9 billion on its portfolio of 25 major IT business programs, and about $31 billion on its 723 standard IT infrastructure investments from FY2021 through FY2023 – which accounted for 30 percent of total planned spending on the department’s unclassified IT portfolio.
While GAO identified that 22 of 25 programs had at least the minimum required number of operational performance metrics, consistent with Office of Management and Budget (OMB) guidance, the other three programs did not.
“The other three programs did not identify the minimum required metrics, including two that did not identify any metrics data,” the report states, adding that of the 25 programs, 13 didn’t fully report on their achieved goals.
According to GAO, by not ensuring that programs fully identify and report required performance metrics, the DoD “limits program accountability” and its ability to “oversee performance effectively.”
In addition, the report found that 11 programs didn’t have approved user training and deployment plans to help implement the software development process. DoD officials provided various reasons for not having the plans in place, including that systems were nearing retirement or predated the requirement.
“DoD officials acknowledged that programs should have user training and deployment plans and stated that they will follow up with the programs that did not have them,” GAO said. “Without such plans, the department is at increased risk of programs not achieving required organizational changes and delivering business systems that do not meet their users’ needs and are not widely adopted by users.”
DoD officials also were required to conduct cybersecurity assessments and tests, but six programs did not demonstrate having an approved cybersecurity strategy.
“Until the [DoD] ensures that all programs develop strategies, it lacks assurance that programs are positioned to effectively manage cybersecurity risks and mitigate threats,” GAO said. As a result, DoD programs are at increased risk of adverse cost, schedule, and performance impacts, the watchdog agency said.
GAO made two recommendations to DoD to ensure programs identify operational performance metrics data, as appropriate, in its reporting to the Federal IT Dashboard, and develop plans that address conducting user training and deployment, as appropriate.
GAO also reiterated the need for DoD to address previous recommendations focused on improving major IT programs.
While DoD agreed with the content of GAO’s report, the department did not concur with the recommendations because it believes it has already taken actions to address them. However, according to GAO, the department did not provide sufficient evidence indicating it had done so.