GAO faults some DOD IT assessments
The Defense Department needs to improve how it assesses whether efforts to modernize the department’s thousands of business systems comply with its overarching information technology architecture, according to government auditors.
The Government Accountability Office concluded that DOD’s internal process for assessing whether those efforts comply with the department’s federated Business Enterprise Architecture (BEA) is insufficient. In a report issued today, GAO makes several recommendations for how DOD should improve its guidance, assessment tool and approval processes to ensure that business system investments comply with the department’s overall IT design.
GAO examined two Navy programs and found that, although the programs largely followed DOD’s compliance guidance, used DOD’s compliance assessment tool, and were certified, it remains unclear whether the modernization investments satisfy the department’s BEA.
The assessments did not include all relevant information and were not required to do so by DOD guidance, the auditors found. For example, the assessments did not examine how the systems complied with certain technical standards useful for system interoperability, potential areas where the programs duplicated other efforts, or whether the systems complied with aspects of the Navy’s enterprise architecture.
According to the report, DOD does not require assessments to cover these areas and the assessment tools are not configured to do so.
In addition, even though the assessments were certified as compliant with DOD’s BEA, each program’s compliance assessment was not validated by certification entities, GAO said.
To ensure that business system modernization investments comply with DOD’s BEA, the department should:
• Revise the compliance assessment guidance to include data about relevant architecture data and to ensure that assessments are conducted to have a timely effect on the program.
• Use the program-specific data in the compliance assessment tool to check for potential overlaps and duplication of other programs.
• Explicitly assign responsibility for validating BEA compliance assertions.
DOD said it agreed with GAO’s recommendations and it will meet the intent of the recommendations in future versions of its compliance guidance, policies and methodologies as architectures mature.
Ben Bain is a reporter for Federal Computer Week.