Pentagon Lags on Software-Buying Reforms, GAO says

The Defense Department continues to emphasize rapid software acquisition and agile development to keep pace with near-peer competitors Russia and China, but a new Government Accountability Office report issued Wednesday found that the bulk of the recommendations meant for achieving those goals remain unimplemented.

With software procurement becoming more essential for quickly deploying both critical weapons and information technology systems, two advisory bodies tasked with providing the DOD with advice on technology acquisition practices — the Defense Science Board and Defense Innovation Board — offered 17 recommendations between 2018 and 2019 on how to address antiquated practices and speed up development.

Those recommendations spanned areas like workforce development, acquisition pathways, software testing and verification, source code access, authority to operate reciprocity and others designed to make buying software more efficient and developing it more iterative. 

But the GAO found that while defense officials have taken steps to streamline software development and acquisition, and have fully or substantially implemented four recommendations, they have yet to completely implement 13 others. 

"DOD officials told us that, while they are not required to implement these actions because the DSB and DIB are federal advisory boards, they expect they may implement some of them through future software modernization efforts," the report said. "These officials told us that, in other cases, they have determined that implementing the recommended actions would be impractical."

Among the recommendations still outstanding are all seven from the DSB, including those that concern software factors — which use cloud capabilities to develop software tools to collectively develop applications faster — as well as practices for workforce upskilling, establishing iterative development, instituting risk reduction metrics, reviewing software sustainment documentation and verifying and validating machine learning. 

The report notes that the DOD has partially taken steps to implement those recommendations, such as issuing guidance on assessing agency and vendor software factories, it did not require its use.

Other recommendations like transitioning current and legacy programs to continuous iterative development saw officials develop policy for programs within its software acquisition pathway, but noted that, "DOD officials stated that they do not intend to direct prime contractors to transition to a hybrid model and adopt continuous iterative development within current contracts, as recommended by the DSB." 

Instead, defense officials noted "that contractors who propose modern practices forfuture programs will likely be more competitive than contractors proposing a legacy model."

The DIB fared better in its recommendations, with defense officials fully implementing a new acquisition pathway and a new appropriation category for software, prioritizing security considerations and offering acquisition workforce training for leadership and program managers.

However, six recommendations remain partially implemented, including obtaining source code access to enable security testing, ATO reciprocity, shifting from system requirements to software features, using digital infrastructure to enable rapid deployment and others. 

DOD officials told the GAO they plan to continue working on some of the recommendations, but deemed others — such as the Science Board's suggestion that prime contractors transition from waterfall to a more iterative software development approach — impractical because of the large number of contracts, adding that "programs can make assessments of individual contracts once they have an understanding of modern software development practices."