Inadequate security controls between the Pentagon’s Advana data repository and source systems create operational and security risks, an audit found.

A recent audit by the Defense Department’s (DOD) Inspector General found that the Office of the Chief Digital and Artificial Intelligence Officer (OCDAO) failed to implement several required interface controls for Advana, the department’s enterprise data and analytics platform.

Under the Trump administration, DOD was rebranded as the War Department.

Advana, launched in 2021, is a departmentwide data repository that collects, aggregates, and stores data from 437 financial and non-financial systems to support analytics and data-driven decision-making.

The findings come as the Pentagon moves to restructure Advana under a directive issued earlier this year by Defense Secretary Pete Hegseth. The directive calls for separating financial data functions from a new War Data Platform intended to support warfighting and intelligence missions across the department.

According to the report, OCDAO did not implement effective interface controls between Advana and non-financial source systems in accordance with National Institute of Standards and Technology (NIST) guidance on “Security and Privacy Controls for Federal Information Systems and Organizations.”

Without effective interface controls, OCDAO has “limited assurance” that data transferred between source systems and Advana are accurate and complete, the report states. Auditors also warned that inaccurate or incomplete data could lead DOD leaders to make misinformed decisions affecting operations.

Specifically, auditors found the office did not establish data sharing agreements with 78 of 387 source systems before connecting them to Advana. The report also said OCDAO did not base privileged access for 26 of 29 privileged users on accurate and complete access request forms, and it did not properly manage ongoing access.

The audit further found that OCDAO did not establish an effective process to monitor user access to Advana, implement validation checks to ensure the platform received accurate and complete data from source systems, or notify system owners when interface errors occurred.

According to OCDAO officials, the controls were not fully implemented because officials did not believe NIST requirements applied to all source systems. Officials also cited high staff turnover and personnel shortages as contributing factors.

The audit made 12 recommendations, among them developing and implementing interface controls aligned with NIST requirements, putting data sharing agreements in place for systems lacking them, automatically notifying system owners when interface errors occur, and implementing validation checks for all systems.

The deputy under secretary of war for research and engineering, responding on behalf of the OCDAO, agreed with two recommendations and outlined planned corrective actions. Those recommendations remain open pending verification that corrective measures have been implemented.

The office did not agree with 10 recommendations in the report, including a recommendation to immediately establish data sharing agreements for the 78 systems lacking them. In its response, the CDAO said the Advana program plans to reduce the number of systems governed through data sharing agreements over the next two years and instead use agreements only when nonstandard data-sharing or governance requirements exist.

Auditors requested that the CDAO provide additional comments addressing the unresolved recommendations within 30 days of the final report.
