SPECIAL PURPOSE IT DERAILED: UNINTENDED CONSEQUENCES OF UNIVERSAL IT LAWS AND POLICIES

Abstract

The quantity of Information Technology (IT) has rapidly expanded within the federal government. As a result, the government spends in excess of $75 billion annually on IT.[2] This growth was unregulated, with little thought given to lifecycle management, modernization, security, configuration control, or centralized planning and control. Therefore, Congress began enacting laws and policies to establish governance over IT spending. These laws primarily target large data centers and enterprise IT, with little exception for unique special purpose/platform IT. As such, all systems are required to comply with registration and reporting, data center level security controls, and other requirements, imposing an impractical compliance burden on special purpose systems. For example, the average cost of compliance for Certification and Accreditation (C&A) is $78,000 per system initially and $21,000 annually thereafter.[8] Thus, taking into account the C&A costs alone, a conclusion can be made that for smaller systems, compliance costs may exceed the value and functional mission benefit of the system. To explore the issue, a problem/solution framework was used to define special purpose IT, identify key laws and policies, address intent, ascertain the level of previous research, assess impacts, and provide recommendations. In discovery, little research has been completed on the subject, and to some extent concessions are being made for special purpose IT. However, there is room for improvement by tailoring policies based on results versus scorecards, drawing a distinction between IT enabled scientific equipment and traditional IT, increasing exceptions, establishing a DoD IT governance Research, Development, Test and Evaluation (RDT&E) mission area, and reassessing what needs to be registered and reported. In summary, if the cost of compliance exceeds the system's value or benefit, compliance requirements should be challenged.

Document Details

Document Type
Technical Report
Publication Date
Oct 26, 2017
Accession Number
AD1040774

Entities

People

  • Peter L. Reichert

Organizations

  • Air Command and Staff College

Tags

Communities of Interest

  • Biomedical
  • Cyber
  • Weapons Technologies

DTIC Thesaurus Topics

  • Application Software
  • Business Administration
  • Computers
  • Cybersecurity
  • Data Centers
  • Department Of Defense
  • Digital Communications
  • Information Systems
  • Management Personnel
  • National Governments
  • National Security
  • Operating Systems
  • Organizational Structure
  • Personnel Management
  • Test And Evaluation
  • Test Facilities
  • United States Government

Readers

  • Defense Acquisition Program Management
  • Economics
  • Systems Analysis and Design