The Defense Department’s software development approaches are helping to avoid cost increases and schedule delays for many major information technology systems, but uneven implementation of cybersecurity best practices may be introducing risk to these programs, according to a watchdog report.
In the first of a series of annual reviews of major Defense IT systems, the Government Accountability Office examined 15 business and non-business DOD IT programs and found 10 programs had schedule delays, including one 5-year delay. Eleven had decreased cost estimates as of December 2019, according to the audit, which was released to the general public just before the holidays.
While GAO didn’t make any specific recommendations in the audit, DOD in its comments said the audit “highlight[s] opportunities for continued improvement to acquiring IT capabilities.” The main challenge for DOD’s major IT systems is the agency’s mixed record on incorporating cybersecurity best practices.
While all 15 programs are using cybersecurity strategies, only eight conducted cybersecurity vulnerability assessments, which help determine whether security measures are strong enough. In addition, 11 of the 15 programs conducted operational cybersecurity testing, but only six conducted developmental cybersecurity testing.
“According to the DOD Cybersecurity Test and Evaluation Guidebook, programs that do not perform developmental testing are at an increased risk of cost and schedule growth and poor program performance,” the audit notes. “In addition, according to the guidebook, programs that do not perform operational testing are at risk of not resolving operational cybersecurity of the operational effects of discovered vulnerabilities.”
But addressing cybersecurity takes software development talent, and nearly all of the 15 programs told GAO they had trouble with government and contractor software development staff. Nine programs said it was hard to find staff with the requisite expertise, and another seven said it was hard to find enough software development staff. Seven more programs said hiring staff in time was a problem, and six said staffing plans didn’t come to fruition.
DOD in its comments said continued implementation of the DOD Cyber Strategy, which addresses talent and cyber workforce issues, will help mitigate these challenges.
The bulk of the report was dedicated to tracking estimated cost and schedule fluctuations for each program as well as describing what kind of software development method programs are using.
Almost every program audited is relying on continuous iterative software development, which is the Defense Science Board’s recommended methodology. Seven programs are using agile development and three are using DevOps. Just two programs are using DevSecOps, though, which is considered the latest and greatest software development method. DOD released its DevSecOps reference architecture in 2019.
Three programs are still using the older waterfall development, which GAO said may contribute to cost growth and schedule delays.
The 11 programs that saw decreasing costs include the Air Force’s Maintenance Repair and Overhaul Initiative, which had the lowest decrease in estimated costs at .03%, and the Army Contract Writing System, which had the largest decrease in estimated costs at 33.8% below the original estimated sticker price. Program officials reported three main reasons for decreasing cost estimates: lower than expected costs for the contracts, good program management and contract cost revisions.
The Defense Logistics Agency also attributed a small decrease in estimated costs to running a competitive awards process, and the Air Force reduced costs on one of its programs by reducing the scope of the project.
Four programs experienced cost estimate increases. The National Security Agency’s Public Key Infrastructure Increment 2 program exceeded cost estimates because of testing delays, program officials said, and Army officials indicated the Integrated Personnel and Pay System-Army Increment 2 program sustained costs increases because of development challenges.
Most of the major IT programs—10 of the 15—are behind their original schedules, with delays ranging from a month to five years. GAO listed two examples describing why programs were delayed. Defense officials said a need to fix “significant cybersecurity and performance issues” led to an over three-month delay on the Defense Information Systems Agency’s Teleport Generation 3 program. And a longer than expected maintenance period as well as a lengthy budget approval process delayed the Navy’s Consolidated Afloat Networks and Enterprise Services program, according to the audit.