Multiple branches of the military are failing to rationalize the software applications they use because the Pentagon hasn’t laid out a process to do so, says a new watchdog report.
The Navy, Marine Corps and Air Force do not have consistent processes in place for software rationalization — the method of identifying existing applications to determine if they are needed, duplicative or obsolete — according to the Department of Defense’s inspector general. Rationalization is particularly important when agencies are preparing to buy new software.
The report does credit the Marine Corps and Navy for having processes in place to prevent buying duplicative software. But of the seven military commands or divisions audited, only the U.S. Fleet Forces Command, based in Norfolk, Virginia, “had a process to identify duplicate software applications after they were purchased; however, the process did not consider whether the software applications were installed or used on the network.”
None of the commands has a comprehensive inventory of the applications operating on their networks, though, the IG found.
The Army was not subject to this audit because its own Army Audit Agency conducted a similar review in 2017.
The IG places the blame squarely on the DOD CIO — currently Dana Deasy — who is required by the Federal IT Acquisitions Reform Act to provide an enterprisewide plan for software rationalization.
“This occurred because the DoD CIO did not implement an enterprise-wide solution for software application rationalization in response to FITARA requirements and, instead, limited rationalization to data center consolidation efforts,” the audit says. “As a result, the DoD and its Components are exposing the DoD Information Network to unnecessary cybersecurity risks because they lack visibility over software application inventories and, therefore, are unable to identify the extent of existing vulnerabilities associated with their owned software applications.”
Some context: DOD in 2010 set out through its Joint Information Environment plan to conduct software application rationalization. That plan, however, changed in 2017, limiting rationalization to DOD data centers.
“An enterprise-wide approach to software application rationalization is needed to reduce duplication and identify cost savings across the DoD,” the report says. “The approach should include all software applications to ensure that the DoD obtains the maximum benefits from its rationalization efforts,” including mitigating cybersecurity risks and cutting costs.
Since taking over as CIO in April, and while this audit was ongoing, Deasy issued a memo in July emphasizing the need to improve DOD software inventory management using automation, according to the report.
The IG recommended that Deasy develop an enterprisewide process for rationalization and establish guidance for DOD components commands to conduct periodic reviews and validate the accuracy of their software inventories. On top of that, the DOD CIO’s office should validate that work and make sure components are eliminating any duplicate or obsolete software.