We determined whether DoD Components rationalized their software applications by identifying and eliminating any duplicative or obsolete applications. This audit focused on the Marine Corps, the Navy, and the Air Force. We did not include the Army in our audit scope because the Army Audit Agency reviewed software application inventories and software application rationalization at its data centers.
A software application is a program that performs a specific function for a user, such as office automation, e-mail, or web services. Software application rationalization is the process of optimizing an enterprise’s information technology portfolio by:
- identifying all software applications owned and in use on the enterprise networks;
- determining whether existing software applications are needed, duplicative, or obsolete based on mission objectives and costs; and
- determining whether a software application already exists within the enterprise before purchasing applications.
The Marine Corps, the Navy, and the Air Force commands and divisions we reviewed did not consistently rationalize their software applications. Although the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing software applications, the Air Force did not. In addition, the U.S. Fleet Forces Command was the only command we reviewed that had a process in place for eliminating duplicative or obsolete software applications it owned. Furthermore, none of the commands or divisions we reviewed maintained accurate software inventories to facilitate that process.
This occurred because the DoD Chief Information Officer (CIO) did not implement an enterprise-wide solution for software application rationalization in response to Federal Information Technology Acquisition Reform Act requirements and, instead, limited rationalization to data center consolidation efforts.
As a result, the DoD and its Components are exposing the DoD Information Network to unnecessary cybersecurity risks because they lack visibility over software application inventories and, therefore, are unable to identify the extent of existing vulnerabilities associated with their owned software applications. In addition, the DoD is not realizing the cost savings associated with the elimination of duplicate and obsolete software applications that it has already procured and is paying to maintain.
We recommend that the DoD CIO, in coordination with the DoD Chief Management Officer:
- establish guidance requiring the DoD Components to conduct software application rationalization and require DoD Component CIOs to develop implementing guidance that outlines responsibilities and processes for software application rationalization within their Components. The policy should also require DoD Components to regularly, at least annually, validate the accuracy of their inventory of owned and in-use software applications; and
Management Comments and Our Response
The DoD CIO did not provide a response to recommendations in a draft of this report; therefore, the recommendations are unresolved. We request that the DoD CIO provide comments on the final report.
This report is a result of Project No. D2018-D000CU-0098.000.