Accession Number:

AD1040774

Title:

SPECIAL PURPOSE IT DERAILED: UNINTENDED CONSEQUENCES OF UNIVERSAL IT LAWS AND POLICIES

Descriptive Note:

Technical Report

Corporate Author:

AIR COMMAND AND STAFF COLLEGE, DISTANCE LEARNING, AIR UNIVERSITY MAXWELL AFB United States

Personal Author(s):

Report Date:

2017-10-26

Pagination or Media Count:

42.0

Abstract:

The quantity of Information Technology (IT) has rapidly expanded within the federal government. As a result, the government spends in excess of $75 billion annually on IT.2 This growth was unregulated, with little thought of lifecycle management, modernization, security, configuration control, or centralized planning and control. Therefore, Congress began enacting laws and policies to establish governance over IT spending. These laws primarily target large data centers and enterprise IT, with little exception for unique special purpose/platform IT. As such, all systems are required to comply with registration and reporting, data center level security controls, and other requirements, imposing an impractical compliance burden on special purpose systems. For example, the average cost of compliance for Certification and Accreditation (C&A) is $78,000 per system initially and $21,000 annually thereafter.8 Thus, taking into account the C&A costs alone, it can be concluded that for smaller systems, compliance costs may exceed the value and functional mission benefit of the system. To explore the issue, a problem/solution framework was used to define special purpose IT, identify key laws and policies, address intent, ascertain the level of previous research, assess impacts, and provide recommendations. In discovery, little research has been completed on the subject, and to some extent concessions are being made for special purpose IT. However, there is room for improvement by tailoring policies based on results versus scorecards, drawing a distinction between IT-enabled scientific equipment and traditional IT, increasing exceptions, establishing a DoD IT governance Research, Development, Test and Evaluation (RDT&E) mission area, and reassessing what needs to be registered and reported. In summary, if the cost of compliance exceeds the system's value or benefit, compliance requirements should be challenged.

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE