US auditors beg Pentagon to pay attention to latest report about IT system flaws

The DoD has ignored many past recommendations

US government auditors have been trying to whip the Pentagon's IT programs into shape for half a decade, and the latest report suggests it continues to be an uphill battle. 

The 2025 IT Systems Annual Assessment, published by the US Government Accountability Office (GAO) Thursday, concluded that the Department of Defense's major IT business programs plan to suck up $10.9 billion of the agency's budget, but are still missing the mark in a number of ways. 

These are critical systems, mind you: military ERP software, healthcare systems, payroll, maintenance tracking, analytics, and the like are all part of the list of 24 IT projects the DoD has been reporting on in recent years, and the GAO doesn't seem happy with the state of things. 

According to the auditors, 14 of the 24 programs reported cost or schedule changes since 2023. That includes 12 that have seen their cost increase between $6.1 million and $815.5 million and seven that are facing delays between three months and four years. 

Moreover, only 19 of the 24 programs have actually resulted in functional software. Those pieces of functional software are supposed to report on a minimum of five performance metrics to help the Office of Management and Budget determine how successful they are, but the GAO said that's been a struggle, too. Of the 19 operational systems, five failed to report the bare minimum number of metrics, and only a single program reported meeting all its performance targets.

Software development processes have been hard to force on the DoD too, the report found. Only 11 of the 24 programs are using Agile and iterative development practices as required by the DoD's own policies. 

As for cybersecurity practices, things have definitely improved at the DoD, but not by enough. 

"In our June 2022 report, we found that 10 of DoD's major IT business programs had not demonstrated having an approved cybersecurity strategy," the GAO wrote in this year's report. "As of March 2025, two programs still did not have an approved strategy." 

Oh, and four of the 24 "had not developed plans to implement zero trust architecture … by DoD's 2027 deadline," the GAO noted. 

Out of all that mess, the GAO came away with a single new recommendation for the DoD, asking it to "ensure that IT business programs identify and report results data on the minimum number of performance metrics." 

"Information technology is critical to the success of DoD's major business functions," the GAO wrote in its summary of this year's report. "Not identifying and reporting results data on performance metrics in each category makes it harder to determine if these programs are achieving their intended goals."

It also offered a stern reminder about its past recommendations, many of which have been ignored.

"GAO reiterates that DoD address the five recommendations previously made that have not yet been implemented from prior annual assessment reviews," the auditors noted. 

In other words, you need to fix this, but you also need to go back and fix the rest of the stuff we've been pointing out for years. 

For instance, looking back to 2021, the GAO said that the Pentagon has yet to demonstrate that it has improved the monitoring of its IT acquisitions by implementing appropriate data strategy and data collection metrics. That's despite the Department saying it intended to take action by August 2024. 

Auditors also made three recommendations in 2022, none of which have been addressed. Those concerns consisted of programs not fully reporting operational performance measures, a lack of approved cybersecurity strategies and missing supply chain risk management plans. 

Both requests from 2023 were fulfilled, but those from 2024 were not. The GAO recommended last year that the Pentagon properly implement its own Agile software development standards. That still hadn't been accomplished as of March. 

"DoD's persistent problems developing both business systems and weapons systems IT securely, timely, and on budget are serious issues," Vijay D'Souza, director at GAO, told The Register in an email. "That is why these areas remain on our High Risk list."

We'll note that business systems modernization has been on the high risk list since 1995.

But hey - at least the DoD is getting rid of the most bloated of its software projects. 

The Pentagon abandoned a long-running attempt to overhaul its civilian HR IT system in March after running 780 percent over budget - from $36 million to $280 million - and seven years behind. Many of the 24 programs the GAO reported on are also over budget and behind, but not by that much. 

Call it a small victory. Now they can get back to planning that $45 million Trump US Army birthday parade. ®
