Defense audit shines a light on IT woes

The Department of Defense has a long way to go before it can account for its estimated $2.7 trillion in far-flung assets, but the completion of its first ever financial audit, even this failed one, is a cause for celebration.

"We never thought we were going to pass an audit, right," Deputy Secretary of Defense Pat Shanahan said at a Nov. 15 briefing. "Everybody was betting against us, that we wouldn't even do the audit. And then, what we've been doing since early on in the audit is we've been getting preliminary findings…The real work we've been doing is let's not count the findings. We need to put corrective action. We need to develop the plans to address the findings, and actually put corrective actions in place."

The information technology portfolio of the military services, the joint commands and the various defense agencies is proving particularly nettlesome for auditors. Some of the IT flaws and vulnerabilities released in the Nov. 15 report on the audit were identified years prior. Material weaknesses in the financial management systems and IT were named in fiscal 2017 inspector general report. Antiquated military pay systems, which lacked audibility framework and required manual manipulation, were first identified in fiscal 2011.

Shanahan wants to get a handle on those seemingly small missteps in compliance that aggregated into serious security risks.

"With some of the compliance issues are irritating to me because, you know, I just -- the point of the audit is to drive better discipline in our compliance with our management system and our procedures. So, some of those things frustrated me because they have a job to do and we just need to follow our - - our procedures," he said.

Shanahan said mitigation for those shortfalls in IT and cyber have been underway, particularly with cloud infrastructure.

"We've literally really been shoring up cybersecurity, and then we've been, as an enterprise, now able to establish a -- a higher degree of standardization," he said. "That's why this cloud," a reference to the ongoing Joint Enterprise Defense Infrastructure procurement, "is such a big deal, and then we've set this foundation for [artificial intelligence], which you're going to see, you know, as a reformed category. We have a strong strategy there and a plan."

Ken Kartsen, public sector vice president at McAfee, said that DOD was on the right track in terms of solving its IT woes by "leveraging a lot of outside services."

"It is absolutely necessary to outsource the unique capabilities to deliver best on that mission," Kartsen said, "like going to the cloud or going to Office 365. Because whether it’s Amazon or Azure or Box those companies are the best at what they do," and industry partnering with government and the Defense Department is the best way to get there.

But like a runner limping across a marathon finish line, Shanahan said finishing the audit was the victory -- despite the organization having decades to prepare for it. “It's so ugly,” he jested of the audit result, “We need to put corrective action. We need to develop the plans to address the findings, and actually put corrective actions in place.”

The way forward

House Armed Services Committee Chair Mac Thornberry (R-Texas), who previously suggested getting rid of DOD’s IT agency, the Defense Information Systems Agency, said in a statement that the audit would help "identify areas for future reform" to make “the Pentagon more efficient and agile, but warned against it being used as an excuse for "arbitrary cuts."

DOD plans to "develop and implement a plan for an integrated pay and personnel system" that will report financial management data, capture and store key documentation and determine pay and benefits by 2020.

For IT, requirements will be updated and Investment Review Board oversight increased as core business systems are fully deployed. Also by 2020, DOD will also work to boost cybersecurity scorecard participation, redo user access policies. The policy on shared file and drive protection will also be updated to include encryption use, authentication, and minimum password protection requirements and stringent password protection.

No fraud or abuse was detected during the audit but monitoring of risks and vulnerabilities in payroll, beneficiary payments, grants, large contracts, IT services; purchase, travel, and fleet cards, and commissary will continue.

The Defense Department Office of Inspector General plans to release the full audit report in December.