Cyber concerns are expanding IT software development programs


Federal IT practitioners who can fog a mirror are, or should be, thinking about cybersecurity lately. After reviewing 15 large-scale software development programs underway at the Pentagon, Congressional auditors found that cyber concerns could expand projects and boost costs. Kevin Walsh, Director of the Information Technology and Cyber Security Team of the Government Accountability Office, joined Federal Drive with Tom Temin for more information.

Tom Temin: Federal IT practitioners who can cloud the mirror have recently been thinking about or should be cybersecurity issues. After reviewing 15 large-scale software development programs underway at the Pentagon, Congressional auditors found that cyber concerns could expand projects and boost costs. Here are some highlights and the director of the Information Technology and Cyber Security team at the Government Accountability Office of Kevin Walsh. Mr. Walsh, thank you.

Kevin Walsh: Tom, thank you for being here.

Tom Temin: These 15 programs you have reviewed will give you an overview of them. Were they related to combat? Were they related to logistics, or were they entirely?

Kevin Walsh: I’ve acknowledged. So we looked at 15 major IT programs that had formal cost estimates. This is known as the baseline for acquisition programs. These include HR systems, financial management, healthcare, communications and more. And these are not small amounts. These are very large programs, spending hundreds of millions and even billions of dollars throughout their life cycle. For example, we are watching DoD Modernization of healthcare management systems and replacement of networks such as bases, ships and submarines by the Navy. Therefore, these are very large and very important, but do not include the weapon system. Therefore, to manage expectations, these are enterprise systems and so on.

Tom Temin: I took it. So I guess it usually takes 10 or 15 years or so, even if they do them. What did you generally find regarding your ability to maintain program schedule goals?

Kevin Walsh: I’ve acknowledged. So this is a kind of good news, bad news. There were 11 pieces that reduced costs. Great news for taxpayers. The other four increased their costs. But the bad news is that these four have significantly increased costs to two, adding a total of over $1 billion. And looking at the overall changes, the sum of all 15 changes added a total of over $1 billion. This means that 11 people who did a good job outnumbered 4 people who exceeded the cost.

Tom Temin: Which was the bad boy?

Kevin Walsh: I’ve acknowledged. Therefore, the two largest and most guilty are the Army’s Integrated Personnel and Payroll System Increment II and the aforementioned modernization of the medical management system. They both exceeded their cost by over $1 billion.

Tom Temin: Wow. Now let’s talk about the schedule.

Kevin Walsh: I’ve acknowledged. So we looked at cost scheduling and some of these 15 performance aspects. Therefore, for schedules, we have identified five schedules that have increased or delayed by more than a year. That is, in some cases, 5 years, 2 years, 2 years, 3 years, 1 year. The other 10 had no scheduled delays or several months of order delays. Again, good news, bad news. Good news. The 10 delays were completely absent or minimal, while the remaining 5 had delays of over a year.

Tom Temin: The report also specifically mentions the fact that cybersecurity concerns can cause delays, cost overruns, or both. And given the fact that all institutions are thinking about cyber these days, what did you discover about how you could infiltrate cyber without losing control of your entire project?

Kevin Walsh: You are absolutely right, Tom. We would like to meet an agency that is frequently considering cybersecurity early on. And I hope it’s built in from the beginning. Therefore, in the honor of the Pentagon, their guidance requires it, which requires having a cybersecurity strategy, and something like conducting a vulnerability assessment. Therefore, each of the 15 we examined had a cybersecurity strategy, and 8 of the 15 performed some form of vulnerability assessment. Please note that the remaining seven are programs under development, so it may have been a bit too early to actually perform these vulnerability assessments. And one program actually cites the great involvement of the Pentagon red team in the guise of a villain as one of the reasons for its success. So DoD is doing a good job in cyber — at least for DoD — thinking about it as they progress. But, as you can see from recent SolarWinds violations, thinking about it doesn’t mean it’s bulletproof.

Tom Temin: I’m talking to Kevin Walsh, Director of the Information Technology and Cyber Security Team at the Government Accountability Office. And what else would make them exceed schedules and costs? Were there any common factors they needed to address?

Kevin Walsh: I’ve acknowledged. As a result, we have found that changing requirements causes delays in both schedule and cost overruns, as is common in government programs. If you change your goal post, it will be difficult to actually reach your goal. But the agency also did a lot of good things. The 10 people who reduced costs, basically maintained tight controls, and monitored costs also cited the government acting as a system integrator as a reason for the cost reductions. In many ways, we may also reduce the scope to reduce costs. This may result in products not being delivered as originally expected. But changing requirements and the difficulty of integrating software are probably more common than we’ve seen.

Tom Temin: It also reports that most of the 15 or 12 projects use what is loosely called agile development techniques, as opposed to waterfalls, but the strict definition of agile trade associations. It may not meet. But that wasn’t the old-fashioned way.

Kevin Walsh: Exactly. And that’s seen as a good thing to move forward. It’s agile and iterative, and DevOps and DevSecOps make it possible in case of failure, so it’s a good idea to fail these programs early. That way, many of these programs do. Therefore, incrementals can also be used to identify problems early and provide a viable product early in the software development life cycle.

Tom Temin: And if you do things step by step, you’ll avoid some of the very expensive and time-consuming change requests and redoes. Vendors like it. But it takes things up to the stratosphere.

Kevin Walsh: Tom, it’s perfectly on target.

Tom Temin: Fine. And this was a report with no recommendations. So this was just a look, look, we want you to know what we are looking at.

Kevin Walsh: You are right. And this is actually an annual evaluation. Therefore, one of these can be expected to be seen almost every year. Congress requires us to conduct this type of investigation each year. However, although there are no recommendations, the report highlighted some opportunities for DoD to continue improving IT capabilities. We also focused on the issues that the Pentagon has in finding the right people. As a result, many of these programs have found it difficult to find the right staff with the right expertise. And this is what we’ve heard over and over again in federal IT. Finding and deploying the right people can be difficult for governments.

Tom Temin: Therefore, reading the line spacing will tell you what to do.

Kevin Walsh: Yes, that is absolutely correct.

Tom Temin: Fine. Kevin Walsh is Director of the Information Technology and Cyber Security Team of the Government Accountability Office. Thank you for your participation.

Kevin Walsh: Thank you, Tom. I’m glad to be able to participate.
