The US Department of Defense is struggling to adequately track performance and secure its major IT business systems despite planning to spend $10.9 billion on these programs through fiscal year 2025, according to a new Government Accountability Office assessment.
The GAO’s sixth annual review of the DoD’s IT business programs found significant gaps in performance reporting and cybersecurity planning across the Pentagon’s 24 major IT investments, which support critical functions including healthcare, human resources, financial management, logistics, and contracting.
The audit reveals that five of 19 operational IT programs failed to identify the minimum required performance metrics across key categories, leaving defense officials unable to assess whether these systems are improving customer satisfaction, delivering financial returns, or driving innovation. Only one program met all its performance targets, while 17 programs achieved at least some goals, and one program failed to meet any targets.
“The extent to which these five programs were improving customer satisfaction, increasing financial performance, and delivering innovative approaches is unknown,” the report said.
Cybersecurity readiness lags behind deadlines
The assessment also uncovered troubling cybersecurity gaps as the Pentagon faces mounting digital threats. Two programs lack approved cybersecurity strategies entirely, while four programs have yet to develop implementation plans for zero trust architecture despite a 2027 departmental deadline.
Zero trust, a security model that assumes no user or device should be automatically trusted, has become a cornerstone of federal cybersecurity strategy. The Biden administration has mandated that federal agencies adopt zero-trust principles to combat increasingly sophisticated cyberattacks.
“GAO will continue to monitor the department’s progress in developing plans to address zero trust,” the report added, highlighting the urgency of addressing these security gaps.
Cost overruns and schedule delays persist
Financial management remains problematic across DOD’s IT portfolio. Officials from 14 of the 24 programs reported cost increases, schedule delays or both since January 2023. Cost overruns ranged from $6.1 million to $815.5 million, with a median increase of $173.5 million per program.
“This included 12 programs that reported cost increases of $6.1 million to $815.5 million (a median of $173.5 million) and seven programs that reported a schedule delay ranging from 3 months to 48 months,” the report said.
Schedule delays proved equally concerning, stretching from three months to four years, with a median delay of 15 months. These setbacks compound the challenge of modernizing aging defense systems while maintaining operational readiness.
The four largest programs account for 43% of planned spending across the entire portfolio, concentrating significant financial risk in a handful of critical systems.
Software development practices show mixed results
While 11 programs reported using recommended Agile and iterative development approaches, three of these failed to implement required metrics and management tools for tracking customer satisfaction and development progress. This gap undermines the benefits of modern software development practices and reduces visibility into project health.
The GAO previously recommended that DoD address similar issues, indicating persistent challenges in adopting industry best practices across the department’s sprawling IT organization.
DoD officials concurred with the GAO’s new recommendation to ensure IT business programs properly identify and report performance metrics. The department described ongoing actions to address the recommendation, though specific timelines and implementation details were not provided.
“DoD concurred with GAO’s recommendation and described actions it was taking to address the recommendation,” the report added.
The Pentagon continues broader efforts to improve IT investment management, including revising business systems investment guidance, modernizing enterprise architecture, and developing artificial intelligence acquisition guidance. The report said DoD “continues to make efforts to improve its management of IT investments as a result of legislative and policy changes.”
Implications for enterprise leaders
The GAO findings underscore challenges that many large organizations face when managing complex IT portfolios. The DoD’s struggles with performance measurement, cybersecurity planning, and cost control mirror issues confronting enterprise CIOs across industries.
The report highlights the critical importance of establishing comprehensive performance metrics, maintaining rigorous cybersecurity practices, and implementing effective project management disciplines. For enterprise leaders, the Pentagon’s experience serves as a cautionary tale about the risks of inadequate governance in large-scale IT transformations.
DoD’s challenges reflect broader industry trends where organizations struggle to balance innovation with operational stability. The GAO findings demonstrate how inadequate performance measurement can obscure critical business outcomes, leaving executives unable to justify IT investments or identify failing initiatives before they consume significant resources.
The cybersecurity gaps are particularly concerning given the defense sector’s role as a primary target for nation-state actors and sophisticated cybercriminal organizations. The delayed zero trust implementation suggests that even well-funded organizations with clear mandates can struggle to execute comprehensive security transformations within prescribed timeframes.
For enterprise IT leaders, the report underscores the importance of establishing clear accountability mechanisms, regular performance reviews, and robust project governance frameworks. The Pentagon’s experience shows that substantial budgets alone cannot guarantee successful IT outcomes without disciplined management practices and consistent oversight.
The National Defense Authorization Act requires GAO to conduct these annual assessments through March 2029, ensuring continued scrutiny of the Pentagon’s IT management practices.
Read More from This Article: Pentagon’s B IT modernization struggles with cost overruns, delays, and cybersecurity gaps
Source: News