Defence IT risks persist
An audit has put Defence's security vetting system under serious scrutiny.
The Australian National Audit Office (ANAO) has released a report detailing the challenges faced by the Department of Defence in implementing the myClearance system, a whole-of-government security vetting system.
Launched on 28 November 2022, the project quickly encountered significant user issues that attracted parliamentary interest.
The audit, prioritised for 2023–24 by the Joint Committee of Public Accounts and Audit, aimed to assess the effectiveness of Defence's management of the project.
The report concluded that while initial planning was largely effective, shortcomings in governance, oversight, and procurement processes hindered overall success.
The myClearance system had a total budget of $138.6 million, with 60 per cent allocated to systems integration services.
By July 2023, 87 per cent of the budget had been spent, while development of the continuous assessment module was still ongoing.
In November 2023, Defence recommended, and the government agreed, that the project's scope be reduced by eliminating key functionalities such as continuous assessment and automated risk sharing.
Defence's procurement processes did not fully comply with its own policies or the Commonwealth Procurement Rules.
Specifically, the process for engaging the systems integrator was flawed, with tender documentation listing mandatory products that reduced competition and increased project risks. Governance and reporting arrangements were also ineffective, failing to support informed decision-making.
Initial implementation faced unresolved risks, ineffective data migration, and truncated testing processes.
Although remediation efforts have led to improvements, the system will not deliver the full functionality initially approved.
The ANAO made two recommendations to improve risk management and security for Defence's ICT projects, which Defence has agreed to implement.