Lawmakers push DOD to identify legacy IT in 2022 NDAA draft

The new House subcommittee charged with overseeing the Department of Defense’s cybersecurity and IT programs wants the department to take stock of all the legacy systems that could be sunset, according to a summary of draft legislation.

Initially published Tuesday in the House Armed Services Subcommittee on Cyber, Innovative Technology and Information Systems markup of the fiscal 2022 National Defense Authorization Act, the proposed mandate calls on each of the military services to audit their IT portfolios for legacy systems and applications within 270 days of the NDAA’s enactment, typically Jan. 1.

Secretaries of the services would also be required to issue a report to Congress that — in addition to identifying the legacy IT, their sources of funding and who’s accountable for their operation — lays out a plan to discontinue use and funding for those systems to “ensure that redundant and unnecessary investments can be better aligned to departmental priorities,” the draft says.

The subcommittee approved its draft Wednesday and sent it to the full committee for markup and inclusion in the larger annual defense policy bill, a process that begins Sept. 1.

Other notable proposed additions from the subcommittee include reports on how the department is overcoming barriers to scaling innovation. There are many offices focused on building and buying prototypes of emerging technology, but few that have the ability to turn small improvements in tech into broader enterprise changes. It’s a challenge that leaders in Congress and in the DOD have long bemoaned.

“This year’s mark makes substantial progress in key areas of innovation, technology transition, and emerging areas of competition including the information domain and electromagnetic spectrum,” subcommittee Chair Rep. Jim Langevin, D-R.I., said in an opening statement.

This is the subcommittee’s first mark since it was created in a February reorganization of the House Armed Service Committee to focus its legislative work more on the DOD’s pivot to competing with China through technical means.

Other provisions in the mark include:

• A report on the effectiveness of DOD’s Silicon Valley outpost that works to purchase emerging technology, the Defense Innovation Unit;
• A report on the barriers DOD faces in scaling emerging technology acquisitions, like the prototypes DIU purchases, and a pilot program to break through those barriers;
• A pilot program to more effectively transition Small Business Innovation Research grants onto larger contracts;
• Increase cyber threat testing and protections for DOD systems;
• A report on the state of digital twin practices, where physical objects have artificial mirror images of them stored in software; and
• New hiring authorities to pay for relocation fees for 15 Defense Advanced Research Projects Agency (DARPA) employees a year.

The proposed requirement for the services to report on their legacy IT systems comes after members of the subcommittee expressed frustration with DOD’s own tracking of its IT. In hearings before the mark was released, Langevin chided acting DOD CIO John Sherman over a lack of transparency on how the DOD accounted for its disparate IT systems.

“With all due respect, if your office cannot be troubled to put together the necessary materials for this committee’s oversight, how can we trust the stewardship of this critical portfolio?” he said in a previous hearing.