
IT Systems Annual Assessment: DOD Needs to Improve Performance Reporting and Cybersecurity Planning

Government Accountability Office
06/12/2025


Fast Facts

The Department of Defense spent, or planned to spend, $10.9 billion to maintain its IT business programs in FYs 2023-25.

In our annual assessment, we reviewed 24 of those programs. DOD didn't report required performance measures on all of them—like customer satisfaction levels.

We also found:

2 programs didn't have a strategy in place to reduce cybersecurity threats

4 programs hadn't developed plans to implement a more rigorous cybersecurity approach—zero trust architecture—by the 2027 deadline

Our recommendations address these issues.

Highlights

What GAO Found

According to the Department of Defense's (DOD) fiscal year (FY) 2025 Federal IT Dashboard (Dashboard) data, the department planned to spend $10.9 billion on its portfolio of 24 major IT business programs from FY 2023 through FY 2025. The four largest programs account for 43 percent of the planned spending (see figure).

Officials from 14 of the 24 IT business programs reported cost and/or schedule changes since January 2023. This included 12 programs that reported cost increases of $6.1 million to $815.5 million (a median of $173.5 million) and seven programs that reported a schedule delay ranging from 3 months to 48 months (a median of 15 months).

While DOD improved its performance reporting, not all programs reported required categories of performance and most programs reported mixed progress in achieving performance goals. If they have operational investments, programs are required to identify and track a minimum of five performance metrics in the categories of customer satisfaction, strategic and business results, financial performance, and innovation. Of the 19 IT business programs that had operational investments, 14 identified the minimum required number of performance metrics in each category. However, the remaining five did not do so. Accordingly, the extent to which these five programs were improving customer satisfaction, increasing financial performance, and delivering innovative approaches is unknown.

Regarding achieving performance goals, of the 19 programs that identified metrics, one program met all performance targets, 17 programs met at least one target, and one program met no targets.

Of the 24 programs, 11 DOD IT business programs reported actively developing software using recommended Agile and iterative software development approaches and practices. However, in areas related to tracking customer satisfaction and progress of software development, three of the 11 programs did not use metrics and management tools required by DOD and consistent with GAO's Agile Assessment Guide (see table). GAO previously recommended that DOD address this issue.

Development approach or practice | Number of programs that reported using each approach or practice

Using recommended Agile and iterative approaches | 11 of 11

Using required metrics and management tools to track customer satisfaction and progress of software development | 8 of 11

Source: GAO analysis of DOD program questionnaire responses as of March 2025. | GAO‐25‐107649

Further, two programs did not have an approved cybersecurity strategy. GAO has previously recommended that all programs develop such a strategy. In addition, four programs had not developed plans to implement zero trust architecture in their cybersecurity frameworks by DOD's 2027 deadline. GAO will continue to monitor the department's progress in developing plans to address zero trust.

Development approach or practice | Number of programs that reported using each approach or practice

Having a DOD approved cybersecurity strategy | 22 of 24

Implementing zero trust architecture as part of the security framework | 20 of 24

Source: GAO analysis of DOD program questionnaire responses as of March 2025. | GAO‐25‐107649

DOD continues to make efforts to improve its management of IT investments as a result of legislative and policy changes. These efforts include revising its business systems investment management guidance, modernizing its business enterprise architecture, adopting a zero trust cybersecurity strategy, and developing AI acquisition guidance. GAO will continue to monitor DOD's efforts to improve how the department manages its IT investments.

Why GAO Did This Study

Information technology is critical to the success of DOD's major business functions. These functions include health care, human capital, financial management, logistics, and contracting.

The National Defense Authorization Act for FY 2019, as amended, includes a provision for GAO to conduct assessments of selected DOD IT programs annually through March 2029. GAO's objectives for this sixth such review were to (1) examine the current status of cost, schedule, and performance of selected DOD IT business programs; (2) determine the extent to which DOD has implemented key software development and cybersecurity practices for selected programs; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address the first objective, GAO selected 24 DOD IT business programs that DOD listed as major IT investments in its FY 2025 submission to the Federal IT Dashboard. In analyzing the FY 2025 Dashboard data, GAO examined DOD's planned expenditures for these programs from FY 2023 through FY 2025.

GAO also administered a questionnaire to the 24 program offices to obtain and analyze information about cost and schedule changes that the programs reported experiencing since January 2023.

Further, GAO compared programs' performance metrics data reported on the Dashboard to OMB guidance and met with DOD Office of the Chief Information Officer officials to determine reasons for differences between how metrics data were reported and reporting guidance.

To address the second objective, the questionnaire also sought information about software development and cybersecurity practices. This included programs' use and documentation of Agile tools and metrics and development of cybersecurity strategies, including zero trust cybersecurity. GAO compared the responses and documentation against relevant guidance and leading practices to identify gaps and risks. For programs that did not demonstrate having documentation or strategies, GAO followed up with DOD officials for clarification.

For the third objective, GAO reviewed (1) policy, plans, and guidance associated with the department's efforts to implement changes to its defense business systems investment management guidance and business enterprise architecture and (2) efforts to adopt zero trust cybersecurity principles and develop AI acquisition guidance. GAO also met with DOD Office of the Chief Information Officer officials to discuss their efforts in these areas.

Recommendations

GAO reiterates that DOD address the five recommendations previously made that have not yet been implemented from prior annual assessment reviews. GAO is also making one new recommendation to DOD to ensure IT business programs identify and report results data on the minimum required number of categories of performance metrics.

DOD concurred with GAO's recommendation and described actions it was taking to address the recommendation.

GAO Contacts

Vijay A. D'Souza, Director, Information Technology and Cybersecurity, dsouzav@gao.gov

Media Inquiries

Sarah Kaczmarek, Managing Director, Office of Public Affairs, media@gao.gov


Topics

Information Technology, Systems acquisition, Software, Software development, Cybersecurity, Information systems, IT investment management, IT investments, Financial management, Business systems modernization, Military forces
