GAO’s Annual IT Assessment Warns DOD: Improve Cybersecurity Planning and Performance Reporting

The U.S. Government Accountability Office (GAO) has released its sixth annual assessment of the Department of Defense’s (DOD) major IT business programs, revealing troubling gaps in cybersecurity readiness and performance tracking that could undermine mission effectiveness and cost control. In the report titled “IT Systems Annual Assessment: DOD Needs to Improve Performance Reporting and Cybersecurity Planning” (GAO-25-107649, June 2025), GAO evaluates 24 major IT programs expected to cost $10.9 billion between FY 2023 and FY 2025, identifying widespread deficiencies in how DOD manages performance metrics, software development practices, and cybersecurity implementation.

According to GAO, nearly half of the selected programs reported cost or schedule changes since January 2023. Twelve programs experienced cost increases ranging from $6.1 million to over $815 million, while seven programs reported delays of up to four years. These shifts often stemmed from unanticipated technical challenges, cloud migration difficulties, and expanded requirements. Despite some improvements in performance reporting, only 14 of 19 programs with operational investments met the minimum required metrics in four performance categories: customer satisfaction, strategic/business results, financial performance, and innovation. One program met all performance targets, 17 met at least one, and one failed to meet any—raising serious questions about transparency and mission alignment.

In terms of software development, DOD is attempting to modernize through the use of Agile and iterative methodologies. Eleven programs reported using these approaches, but three failed to use metrics and management tools required under GAO’s Agile Assessment Guide. These tools are essential for tracking development progress and customer satisfaction, and their absence undercuts DOD’s ability to monitor results and make timely course corrections. GAO reaffirmed a prior recommendation to enforce the use of such tools, a recommendation which DOD has yet to fully implement.

The report also uncovered significant cybersecurity vulnerabilities. While 22 of the 24 programs had an approved cybersecurity strategy, two still lacked one. More concerning, four programs had no documented plan for implementing zero trust architecture—a DOD-mandated cybersecurity model that assumes no implicit trust inside or outside the network and requires continuous verification. Given the 2027 deadline for full zero trust adoption, these omissions represent a growing risk as cyber threats escalate globally.

GAO credits DOD for taking steps to implement several legislative and policy reforms, including modernization of its Business Enterprise Architecture (BEA), release of a new AI acquisition strategy, and issuance of updated guidance under its adaptive acquisition framework. Still, implementation gaps remain. GAO reiterated five unaddressed recommendations from prior assessments and issued one new recommendation: that DOD ensure all IT business programs identify and report results data across the required performance categories.

As DOD requests $64.1 billion in IT and cybersecurity funding for FY 2025—including $47.8 billion for unclassified investments—the stakes are high. The report paints a picture of a department moving in the right direction but still hampered by persistent shortfalls in execution, oversight, and accountability. With over two-thirds of spending devoted to operations and sustainment—often of aging legacy systems—the report serves as a clear warning that DOD must sharpen its focus on modern development methods and cyber resilience if it hopes to transform its digital infrastructure and meet national security demands.

Credit to Vijay D’Souza, Director, Information Technology and Cybersecurity, and the audit team at the U.S. Government Accountability Office for the production of GAO-25-107649, which can be accessed in full at: https://www.gao.gov/products/gao-25-107649.

Disclaimer:

This summary is provided for informational purposes only and does not constitute legal advice or official guidance. The content is based on publicly available GAO data and should not be relied upon for compliance or policy decisions without further professional consultation.
