The Coast Guard invests millions of dollars each year in "non-major" IT acquisition programs—those with assets totaling less than $300 million.
When designating an IT program as non-major, acquisition staff consider 8 factors, including technical risks and legal concerns. They rank potential risks as low, medium, or high, but Coast Guard guidance doesn't define what constitutes such risk levels.
As a result, the Coast Guard can't ensure consistency when designating IT acquisitions as non-major.
Our recommendations include defining risk levels for Coast Guard IT acquisitions.
What GAO Found
In 2017, the Coast Guard developed and implemented a multistep process to identify and designate if an IT system should be managed as a non-major acquisition program (assets with total costs of less than $300 million). However, the Coast Guard's process does not clearly indicate to officials how they should evaluate risks to determine if an IT system should be managed as a non-major acquisition. The Coast Guard identifies eight factors, such as technical risks and legal concerns, to evaluate as low, medium, or high risk in its guidance. However, it does not provide definitions for what constitutes these levels of risks for acquisition officials to use (see figure). Consequently, the Coast Guard cannot ensure that its acquisition professionals are making risk-based decisions when designating IT systems as non-major acquisition programs.
Risk Factors Used in the Coast Guard's Non-Major Acquisition Designation Process
Further, GAO found that the Coast Guard's oversight of its non-major IT acquisition programs is hindered because programs are establishing, revising, and communicating cost and schedule goals (known as baselines) inconsistently. Three of the four non-major IT acquisition programs with approved baselines inconsistently established and revised their cost goals, hindering leadership's insight into cost changes. For example, one program used a different dollar measurement to calculate baseline costs when it revised its goals in 2021. This measurement did not accurately capture the almost $300 million increase from its initial cost baseline.
Without clearly communicating how to establish, revise, and communicate baseline information, programs may calculate costs inconsistently or not include key schedule events in their baselines. This approach could make it difficult for the Coast Guard to track how programs are performing against their cost and schedule goals.
Why GAO Did This Study
The U.S. Coast Guard, a component within the Department of Homeland Security (DHS), invests millions of dollars in IT systems to help execute its various missions. DHS oversees the Coast Guard's major IT acquisition programs—assets with total costs of $300 million or more—while the Coast Guard generally manages non-major IT acquisition programs—assets with total costs of less than $300 million. Since 2017, GAO has identified gaps in the Coast Guard's oversight of its non-major acquisition programs, including IT systems. GAO was asked to review the Coast Guard's management of its non-major IT acquisitions.
This report addresses the extent to which the Coast Guard (1) developed and implemented a process to identify non-major IT acquisition programs and (2) effectively oversees its non-major IT acquisition programs. GAO reviewed relevant DHS and Coast Guard policies, guidance, and documentation. GAO also interviewed DHS and Coast Guard officials.
GAO is making three recommendations to improve Coast Guard non-major IT acquisition oversight processes, including defining risk levels to evaluate potential acquisition programs, and clearly communicating how programs should establish, revise, and communicate baseline information consistently. DHS concurred with all three recommendations.
Recommendations for Executive Action
|United States Coast Guard||The Commandant of the Coast Guard should ensure the Coast Guard Component Acquisition Executive revises the Coast Guard's Non-Major Acquisition Program Manual or the Level 3 Non-Major Acquisition Program Governance Form to provide clarity on how to evaluate risk factors as low, medium, or high when designating non-major acquisition programs. (Recommendation 1)|
|United States Coast Guard||The Commandant of the Coast Guard should ensure the Coast Guard Component Acquisition Executive takes action, such as clearly communicating how non-major acquisition programs should: (1) establish and revise baseline cost and schedule goals, including specifying the dollar type and required schedule events, pursuant to DHS policy, and (2) communicate accurate and consistent baseline information in annual briefings. (Recommendation 2)|
|United States Coast Guard||The Commandant of the Coast Guard should ensure the Coast Guard Component Acquisition Executive, in coordination with DHS's Office of Program Accountability and Risk Management revises the Coast Guard's non-major breach policy to specify that programs that fail to meet their cost, schedule, or performance goals are considered to be in breach status. (Recommendation 3)|