Some of the Department of Defense’s (DoD) major IT acquisition business programs lack approved cybersecurity strategies, have not developed plans to address information and communications technology (ICT) supply chain risks, and have not fully reported operational performance data to the Federal IT Dashboard, according to a new Government Accountability Office (GAO) report.
In the report, GAO examined DoD’s top 25 IT business programs, on which DoD plans to spend $8.8 billion between fiscal year (FY) 2020 and FY 2022, according to DoD’s submission to the Federal IT Dashboard. The General Services Administration’s Federal IT Dashboard is a public website that publishes information on the performance of federal IT investments.
The IT programs reported operational performance data to the Federal IT Dashboard; however, 19 of the 25 programs did not fully report their progress. The 25 programs had identified 172 operational performance metrics as of December 2021, but they reported no progress at all for 95 of those metrics.
“By reporting incomplete performance data, DoD limits Congress’ and the public’s understanding of how programs are performing,” GAO wrote.
As for cybersecurity, 15 of the programs have an approved cybersecurity strategy and provided a copy of it to GAO. Seven programs reported having an approved cybersecurity strategy but could not substantiate the claim with a copy of the document. Three programs did not have an approved cybersecurity strategy at all; two of those plan to develop one, while the third had no plan to do so.
Officials from DoD said they will follow up with the programs that do not currently have approved cybersecurity strategies. GAO noted, “until DoD ensures that these programs develop strategies, programs lack assurance that they are effectively positioned to manage cybersecurity risks and mitigate threats.”
According to the report, 10 of the programs have – and provided to GAO – a system security plan that addresses information and communications technology (ICT) supply chain risk management, “as called for by leading practices.” One program reported having such a plan but was unable to provide it to GAO. Fourteen programs had no ICT supply chain risk management plan at all, and only seven of those planned to develop one.
“DoD guidance does not require programs to address ICT supply chain risk management in security plans,” GAO wrote. “However, 15 of DoD’s major IT programs did not demonstrate that they had a supply chain risk management plan. Until DoD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.”
GAO recommended DoD ensure programs report operational performance data to the Federal IT Dashboard, develop cybersecurity strategies, and develop plans to address ICT supply chain risk management. DoD concurred with all three recommendations.
“The department is committed to acquisition reform and continual improvement for all of our systems with software-defined capabilities, including business systems that were the focus of this GAO report,” Tanya Skeen, acting assistant secretary of defense for acquisition, said. “While we have made great strides to date, we understand that transformation is a journey and will continue pushing to make progress.”