DOD Business Systems Modernization: Planned Investment in Navy Program to Create Cashless Shipboard Environment Needs to Be Justified and Better Managed

GAO-08-922 September 8, 2008

Summary

GAO has designated the Department of Defense's (DOD) multi-billion dollar business systems modernization efforts as high risk, in part because key information technology (IT) management controls have not been implemented on key investments, such as the Navy Cash program. Initiated in 2001, Navy Cash is a joint Department of the Navy (DON) and Department of the Treasury Financial Management Service (FMS) program to create a cashless environment on ships using smart card technology, and is estimated to cost about $320 million to fully deploy. As requested, GAO analyzed whether DON is effectively implementing IT management controls on the program, including architectural alignment, economic justification, requirements development and management, risk management, security management, and system quality measurement against relevant guidance.

Key IT management controls have not been effectively implemented on Navy Cash, to the point that further investment in this program, as it is currently defined, has not been shown to be a prudent and judicious use of scarce modernization resources. In particular, Navy Cash has not been (1) assessed and defined in a way to ensure that it is not duplicative of programs in the Air Force and the Army that use smart card technology for electronic retail transactions and (2) economically justified on the basis of reliable analyses of estimated costs and expected benefits over the program's life. As a result, DON cannot demonstrate that the investment alternative that it is pursuing is the most cost-effective solution to satisfying its mission needs. Moreover, other management controls, which are intended to maximize the chances of delivering defined and justified system capabilities and benefits on time and within budget, have not been effectively implemented.

System requirements have not been effectively managed. For example, neither policies nor plans that define how system requirements are to be managed, nor an approved baseline set of requirements that are justified and needed to cost-effectively meet mission needs, exist. Instead, requirements are addressed reactively through requests for changes to the system based primarily on the availability of funding.

Program risks have not been effectively managed. In particular, plans, processes, and procedures that provide for identifying, mitigating, and disclosing risks have not been defined, nor have risk-related roles and responsibilities for key stakeholders.

System security has not been effectively managed, thus putting the confidentiality, integrity, and availability of deployed and operating shipboard devices, applications, and data at increased risk of being compromised. For example, the mitigation of system vulnerabilities by applying software patches has not been effectively implemented.

Key aspects of system quality are not being effectively measured. For example, data for determining trends in unresolved system change requests, which is an indicator of system stability, as well as user feedback on system satisfaction, are not being collected and used.

Program oversight and management officials acknowledged these weaknesses and cited turnover of staff in key positions and their primary focus on deploying Navy Cash as reasons for the state of some of these IT management controls. Collectively, this means that, after investing about 6 years and $132 million on Navy Cash and planning to invest an additional $60 million to further develop the program, the department has yet to demonstrate through verifiable analysis and evidence that the program, as currently defined, is justified. Moreover, even if further investment was to be demonstrated, the manner in which the delivery of program capabilities is being managed is not adequate. As a result, the program is at risk of delivering a system solution that falls short of cost, schedule, and performance expectations.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Randolph C. Hite
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6256


Recommendations for Executive Action


Recommendation: Because of the uncertainty surrounding whether Navy Cash, as defined, represents a cost-effective solution, the Secretary of Defense should direct the Secretary of the Navy to limit further investment of modernization funding in the program to only (1) deployment to remaining ships of already developed and tested capabilities; (2) correction of information security vulnerabilities and weaknesses on ships where it is deployed and operating; and (3) development of the basis for an informed decision as to whether further development and modernization is economically justified and in the department's collective best interests.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To develop the basis for an informed decision about further Navy Cash development, the Secretary of Defense should direct the appropriate DOD organizations to (1) examine the relationships among DOD's programs for delivering military personnel with smart card technology for electronic retail and banking transactions; (2) identify, in coordination with the respective program offices, alternatives for optimizing the relationships of these programs in a way that minimizes areas of duplication, maximizes reuse of shared services across the programs, and considers opportunities for a consolidated stored value card program across the military services; and (3) share the results with the appropriate organizations for use in making an informed decision about planned investment in Navy Cash.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To further develop this basis for an informed decision about Navy Cash development, the Secretary of Defense should direct the Secretary of the Navy to ensure that the appropriate Navy organizational entities prepare a reliable economic analysis that encompasses the program's total life cycle costs, including those of FMS, and that (1) addresses cost-estimating best practices and complies with relevant Office of Management and Budget (OMB) cost-benefit guidance and (2) incorporates data on whether deployed Navy Cash capabilities are actually producing benefits.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address Navy Cash information security management weaknesses and improve the operational security of the system, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Cash program manager, in collaboration with the appropriate organizations, develop and implement a patch management approach based on National Institute of Standards and Technology (NIST) guidance, which includes a complete Navy Cash systems inventory; an automated patch deployment capability; and a patch management performance vulnerability measurement capability, including metrics for susceptibility to attack and mitigation response time.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address Navy Cash information security management weaknesses and improve the operational security of the system, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Cash program manager, in collaboration with the appropriate organizations, institute a process to plan, implement, evaluate, and document remedial actions for deficiencies in Navy Cash information security policies, procedures, and practices, and ensure that this process meets Financial Information Security Management Act requirements, as well as applicable OMB and NIST guidance.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address Navy Cash information security management weaknesses and improve the operational security of the system, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Cash program manager, in collaboration with the appropriate organizations, update the Naval Supply Systems Command (NAVSUP)/FMS memorandum of agreement, in collaboration with FMS, to establish specific security requirements for FMS and the financial agent to periodically perform information security control reviews, including applicable management, operational, and technical controls, of the Navy Cash system, and to provide NAVSUP with copies of the results of these reviews that pertain to the Navy Cash system and its supporting infrastructure.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address Navy Cash information security management weaknesses and improve the operational security of the system, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Cash program manager, in collaboration with the appropriate organizations, develop a complete contingency plan to include a sequence of recovery activities.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address Navy Cash information security management weaknesses and improve the operational security of the system, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Cash program manager, in collaboration with the appropriate organizations, develop a complete contingency plan to include procedures for notifying ship personnel with contingency plan responsibilities to begin recovery activities; and to test the contingency plan in accordance with NIST guidance, including documenting lessons learned from testing.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To address DON information security guidance limitations, the Secretary of Defense should direct the Secretary of the Navy to ensure that the Navy Operational Designated Approving Authority, as part of the Naval Network Warfare Command, updates its certification and accreditation guidance to require the development of plans of action and milestones for all above identified security weaknesses.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: If further investment in development of Navy Cash can be justified, the Secretary of Defense should direct the Secretary of the Navy, through the appropriate chain of command, to ensure that the Navy Cash program manager with respect to requirements development and management, (1) develop detailed system requirements; (2) establish policies and plans for managing changes to requirements, including defining roles and responsibilities, and identifying how the integrity of a baseline set of requirements will be maintained; and (3) maintain bi-directional requirements traceability.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: If further investment in development of Navy Cash can be justified, the Secretary of Defense should direct the Secretary of the Navy, through the appropriate chain of command, to ensure that the Navy Cash program manager with respect to risk management, (1) establish and implement a written plan and defined process for risk identification, analysis, and mitigation; (2) assign responsibility for managing risk to key stakeholders; (3) encourage program-wide participation in risk management; (4) include and track the risks discussed in this report as part of a risk inventory; and (5) apprise decision making and oversight authorities of the status of risks identified during program reviews.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: If further investment in development of Navy Cash can be justified, the Secretary of Defense should direct the Secretary of the Navy, through the appropriate chain of command, to ensure that the Navy Cash program manager with respect to system quality measurement, collect and use sufficient data for (1) determining trends in unresolved change requests and (2) understanding users' satisfaction with the system.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.