DOD may be 'overly optimistic' with IT program risks, GAO says
The Government Accountability Office found that DOD often underestimated risks to IT programs compared to its own assessments.
The Defense Department may be "overly optimistic" when it comes to reporting IT program risks from costs to performance, which could be affecting proper acquisition oversight, according to a watchdog report.
The Government Accountability Office found that DOD often underestimated risks to IT programs compared to its own assessments.
DOD and GAO's assessments of program risk identified a range of program risk levels and indicated that some programs could be underreporting risks. Overall, GAO scored 10 programs with a higher risk level than DOD reported, while DOD scored only three programs as having a greater risk compared to GAO's rating.
The report notes that ratings differences likely resulted from different methodologies, but the disparities "highlight the need for DOD to ensure that it is accurately reporting program risks" because "oversight of some programs could be limited by overly optimistic risk perspectives."
The report comes as DOD upped its IT spend request for fiscal 2022 by nearly $3 billion, hitting $38.6 billion, compared to 2021 and plans to spend approximately $10 billion between 2020 and 2022, while adopting policies that fuel rapid software production.
GAO also found that 22 of the 29 major DOD business IT programs as of December 2020 were actively developing software and using cybersecurity approaches that could mitigate program risks. Only one of the programs didn't report developing a cybersecurity strategy. More than 70% of the programs were conducting developmental and operational cybersecurity testing.
The report also mentioned how some of DOD's organizational and policy changes have affected IT acquisition management, including the failure to fully implement changes involved in the elimination of the chief management officer position. And some policy changes, such as embracing agile software development and increasing data visibility, haven't taken hold.
The GAO recommended that DOD's CIO "revisit program risk ratings" for programs where the rating may indicate less risk than GAO's assessments before the next update to the federal IT dashboard. The watchdog also suggested DOD's acquisition chief make sure data strategies and collection efforts for business systems and the software acquisition pathways yield the necessary visibility and metrics to monitor acquisitions and their performance.