The Pentagon should keep better tabs on IT cybersecurity, supply chain risks, GAO says
The findings come as the Defense Department continues to increase its investment in information technology and cybersecurity year over year—a trend that could likely mean more scrutiny.
The Defense Department should keep better track of its cybersecurity and supply chain risk management plans, according to a recent watchdog report.
The Government Accountability Office found that of the 25 DOD major IT programs it reviewed, only 15 of those programs had department-approved cybersecurity strategy and just 10 had and submitted a system security plan for information and communications technology supply chain risk management.
The GAO also found that most of DOD's major IT business programs experienced cost or schedule changes between fiscal years 2020 and 2022, ranging from $100,000 to nearly $11 billion. According to a report released June 14, 19 of the 25 programs evaluated "did not fully report progress on their operational performance,"
DOD CIO officials cited "a reorganization that shifted responsibilities for IT investment management and confusion about reporting requirements.
The findings come as the Defense Department continues to increase its investment in information technology and cybersecurity year over year—a trend that could likely mean more scrutiny. The GAO also found that the Coast Guard's small IT programs lacked consistent oversight in a recent report.
GAO recommended the defense secretary have the CIO make sure business programs report operational performance as part of DOD's submission to the federal IT Dashboard and that major IT business programs develop approved cybersecurity strategies and plans to address supply chain risk management.
Tanya Skeen, the acting assistant secretary of defense for acquisition, concurred in the department's response saying that DOD "has already laid a foundation" for DOD components to maintain their own supply chain risk management policies for information and communications technology, even though it is not yet a requirement.
"Additionally, the department is in the process of enhancing Risk Management Framework guidance guidance for the [supply chain risk management] family of controls, with tailoring guidance for components' implementation," Skeen wrote.