
A Federal watchdog report is sounding the alarm over missing cybersecurity plans, weak performance tracking, and major delays across some of the Defense Department’s (DoD) priciest tech programs.
Despite planning to spend $10.9 billion on major IT business programs through fiscal year (FY) 2025, the DoD is falling short in several critical areas, according to a new report from the Government Accountability Office (GAO).
The report, which analyzed data from DoD’s FY 2025 Federal IT Dashboard, reveals systemic issues across 24 of the department’s major IT programs – including the lack of key cybersecurity strategies, failure to use performance metrics as required, and ongoing cost overruns and schedule delays.
Four of the largest programs account for nearly half of the $10.9 billion planned spending. Yet, two of those programs had no approved cybersecurity strategy, and none had plans to implement a zero trust architecture – a DoD mandate by 2027.
Performance tracking was also inconsistent. Of 19 programs with operational investments, five failed to report the minimum required metrics in areas such as customer satisfaction and financial performance. Only one program met all its performance goals; one met none.
“Not identifying and reporting results data on performance metrics in each category makes it harder to determine if these programs are achieving their intended goals,” the report says, explaining that the lack of data also results in increased costs and project delays.
For instance, cost increases were reported by half the programs, with overruns ranging from $6.1 million to $815.5 million. Schedule delays hit seven programs, stretching timelines by as much as four years.
Additionally, of the 24 programs, 11 reported actively developing software using recommended Agile and iterative software development approaches and practices. However, in areas related to tracking customer satisfaction and the progress of software development, three of the 11 programs did not use the required metrics and management tools.
“Implementing our prior recommendations regarding use of Agile metrics and cybersecurity planning will further DOD’s goals of efficient and secure business software development effort,” the report says.
GAO did acknowledge that “DoD continues to make efforts to improve its management of IT investments as a result of legislative and policy changes.”
“These efforts include revising its business systems investment management guidance, modernizing its business enterprise architecture, adopting a zero trust cybersecurity strategy, and developing AI acquisition guidance,” the report reads.
However, the Federal watchdog doubled down, calling for DoD to implement prior recommendations related to these issues. GAO also issued a new call for action: ensure all programs report on required performance metrics.
DoD agreed with the recommendation and cited ongoing efforts to address the gaps.