Major Pentagon IT Projects Lack Plans to Secure Networks, Supply Chains: GAO
Watchdog also noted cost increases among most of the Defense Department's top 25 IT efforts.
The Defense Department should keep better track of its cybersecurity and supply chain risk management plans, according to a recent watchdog report.
The Government Accountability Office found that of the 25 DOD major IT programs it reviewed, only 15 of those programs had a department-approved cybersecurity strategy and just 10 had submitted a system security plan for information-and-communications-technology supply-chain risk management.
The GAO also found that most of DOD's major IT business programs experienced cost or schedule changes between fiscal years 2020 and 2022, ranging from $100,000 to nearly $11 billion. According to a report released June 14, 19 of the 25 programs evaluated "did not fully report progress on their operational performance."
DOD CIO officials cited "a reorganization that shifted responsibilities for IT investment management and confusion about reporting requirements.
The findings come as the Defense Department continues to increase its investment in information technology and cybersecurity year over year—a trend that could likely mean more scrutiny. The GAO also found that the Coast Guard's small IT programs lacked consistent oversight in a recent report.
GAO recommended the defense secretary have the CIO make sure business programs report operational performance as part of DOD's submission to the federal IT Dashboard and that major IT business programs develop approved cybersecurity strategies and plans to address supply chain risk management.
Tanya Skeen, the acting assistant defense secretary for acquisition, concurred in the department's response, but saidthat DOD "has already laid a foundation" for its components to maintain their own supply-chain risk-management policies for information and communications technology, even though it is not yet a requirement.
"Additionally, the department is in the process of enhancing Risk Management Framework guidance guidance for the [supply chain risk management] family of controls, with tailoring guidance for components' implementation," Skeen wrote.