The Government Accountability Office (GAO) said in a new report this week that the United States Coast Guard needs to get a better handle on risk evaluations for some of its smaller IT acquisition projects.
The Coast Guard classifies IT acquisitions worth less than $300 million as “non-major” deals, and uses factors like risk level to make that determination. However, the agency does not have a system that clearly defines what constitutes a low, medium, or high-risk level, leading to inconsistencies in designations, GAO said in the new report.
According to GAO, the Coast Guard developed a program to define certain IT acquisitions as non-major in 2017. It identified eight factors – including technical risk and legal concerns – to define the risk of an acquisition as high, medium, or low.
“[Coast Guard] does not provide definitions for what constitutes these levels of risks for acquisition officials to use,” the report says. “Consequently, the Coast Guard cannot ensure that its acquisition professionals are making risk-based decisions when designating IT systems as non-major acquisition programs.”
GAO recommends that the Coast Guard commandant ensure that the acquisition executive revises the Non-Major Acquisition Manual or Governance form to provide clarity on when and how to designate risk factors as high, medium, or low.
Additionally, GAO said that the Coast Guard’s insight into its non-major IT acquisition program is held back due to inconsistency in how programs are establishing, revising, and communicating baselines – their cost and schedule goals.
“Without clearly communicating how to establish, revise, and communicate baseline information, programs may calculate costs inconsistently or not include key schedule events in their baselines,” the report found. “This approach could make it difficult for the Coast Guard to track how programs are performing against their cost and schedule goals.”
To remedy the situation, GAO also recommends that the Coast Guard clearly outlines how non-major IT acquisition programs “establish and revise baseline cost and schedule goals” and “communicate accurate and consistent baseline information in annual briefings.”
GAO’s final recommendation is for the Coast Guard to revise its “non-major breach policy to specify that programs that fail to meet their cost, schedule, or performance goals are considered to be in breach status.”
The Coast Guard concurred with all three recommendations and has begun identifying actions to take to complete the recommendations.