DoD IT Dashboard whitewash

Tools

Federal chief information officers don't rate agency information technology programs as risky even when there's evidence that they are, says the Government Accountability Office.

In a report (.pdf) dated Oct. 16 not posted online until Nov. 15, auditors say the Defense Department in particular has never publicly assigned to IT projects a rating greater than "medium risk," eschewing an evaluation of "high risk" or even "moderately high risk." The Office of Management and Budget requires agency CIOs to assign risk scores for publication on the IT Dashboard--which the GAO has several times noted has been beset by other inaccuracies.

From the first iteration of the IT Dashboard in June 2009 through March 2012, DoD rated 85 percent of its projects as either "low risk" or "moderately low risk," and the remainder as "medium risk," the report says.

According to documentation reviewed by the GAO, Defense officials decided internally that they would assign a high risk rating only if the project in question was slated for a restructuring or cancelation. They also said the ratings were based on a "measured assessment of how DoD believes an investment will perform in the future."

As a result, the DoD CIO made assessments of dubious validity, or what the GAO says are ratings that "do not reflect other available information."

Auditors single out the performance of Defense enterprise resource planning projects, which outside observers--and even DoD officials--have characterized as troubled. For example, the Air Force's Defense Enterprise Accounting and Management System, which is at least 2 years behind schedule and $500 million over its $1.1 billion budget, has never had a rating greater than "moderately low risk" on the IT dashboard. Similarly, the Army's Global Combat Support System-Army, which is also at least 2 years behind schedule and $300 million over its $3.9 billion budget, has never had a rating greater than "moderately low risk."

Asked by the GAO for their reasoning, DoD officials then told auditors that the cost variances aren't that large compared to the overall size of the DoD and its IT spend and that anyway it takes on average 7 years for the DoD to implement a large scale program. Auditors say those two reasons are inconsistent with the department's own risk management guidance, which says a program's risk should be assessed against its own cost and schedule baseline, not other projects'. Defense officials also told auditors that they have risk mitigation plans in place, to which auditors note that plans do "not necessarily lower investment risk."

For more:
- download the report, GAO-13-98 (.pdf)

Related Articles:
Systemic problems with DoD ERP strategy and implementation, warns report
Key DoD ERPs $8 billion over budget, say auditors
GAO: IT Dashboard better, still has problems
GAO: OMB doesn't have accurate tally of agency IT spending