In a report published on Wednesday, the oversight agency said it had found at least 10 instances in major business IT programs audited, where independent assessments conducted by the DOD underestimated the level of cybersecurity risk.
The office has recommended that the DOD review how it conducts risk assessments across its IT system and warned that until it does so the department’s oversight of programs could be proving over-optimistic.
IT programs that the GAO says should be classified as having elevated risk levels include the DOD’s defense travel system, enterprise accounting and management system, logistics chain management systems, and the Marine Corps’ global combat support system.
GAO’s review also found challenges in DOD’s implementation of agile software practices. Among the concerns raised by the report were the inability of the department to hire the requisite staff and to manage the technical environments that are needed for agile software development.
The department has been trying to update its software practices to include agile development, which follows the principle of iterating and quickly updating code, and replaces the traditional waterfall method of IT development.