[House Hearing, 108 Congress] [From the U.S. Government Publishing Office] WHERE'S THE CIO? THE ROLE, RESPONSIBILITY AND CHALLENGE FOR FEDERAL CHIEF INFORMATION OFFICERS IN IT INVESTMENT OVERSIGHT AND INFORMATION MANAGEMENT ======================================================================= HEARING before the SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS of the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED EIGHTH CONGRESS SECOND SESSION __________ JULY 21, 2004 __________ Serial No. 108-260 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform U.S. GOVERNMENT PRINTING OFFICE 98-209 WASHINGTON : 2005 _________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON GOVERNMENT REFORM TOM DAVIS, Virginia, Chairman DAN BURTON, Indiana HENRY A. WAXMAN, California CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland DOUG OSE, California DENNIS J. KUCINICH, Ohio RON LEWIS, Kentucky DANNY K. DAVIS, Illinois JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri CHRIS CANNON, Utah DIANE E. WATSON, California ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California NATHAN DEAL, Georgia C.A. ``DUTCH'' RUPPERSBERGER, CANDICE S. MILLER, Michigan Maryland TIM MURPHY, Pennsylvania ELEANOR HOLMES NORTON, District of MICHAEL R. TURNER, Ohio Columbia JOHN R. CARTER, Texas JIM COOPER, Tennessee MARSHA BLACKBURN, Tennessee BETTY McCOLLUM, Minnesota PATRICK J. TIBERI, Ohio ------ KATHERINE HARRIS, Florida BERNARD SANDERS, Vermont (Independent) Melissa Wojciak, Staff Director David Marin, Deputy Staff Director/Communications Director Rob Borden, Parliamentarian Teresa Austin, Chief Clerk Phil Barnett, Minority Chief of Staff/Chief Counsel Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census ADAM H. PUTNAM, Florida, Chairman CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri DOUG OSE, California STEPHEN F. LYNCH, Massachusetts TIM MURPHY, Pennsylvania BETTY McCOLLUM, Minnesota MICHAEL R. TURNER, Ohio Ex Officio TOM DAVIS, Virginia HENRY A. WAXMAN, California Bob Dix, Staff Director Dan Daily, Professional Staff Member/Deputy Counsel Juliana French, Clerk Adam Bordes, Minority Professional Staff Member C O N T E N T S ---------- Page Hearing held on July 21, 2004.................................... 1 Statement of: Brubaker, Paul, executive vice president and chief marketing officer, IS International; James Flyzik, partner, Guerra, Kiviat, Flyzik & Associates; and Debra Stouffer, vice president of strategic consulting services, Digitalnet..... 49 Johnson, Clay, III, Deputy Director for Management, Office of Management and Budget; Karen Evans, Administrator, Office of E-Government and Information Technology, Office of Management and Budget; and David Powner, Director, Information Technology Management Issues, U.S. Government Accountability Office...................................... 8 Nelson, Kimberly, Assistant Administrator of Environmental Information and Chief Information Officer, Environmental Protection Agency; Steven Cooper, Chief Information Officer, Department of Homeland Security; Vance Hitch, Deputy Assistant Attorney General, Information Resources Management and Chief Information Officer, U.S. Department of Justice; and Ira Hobbs, Deputy Assistant Secretary for Information Systems and Chief Information Officer, Department of the Treasury................................. 77 Letters, statements, etc., submitted for the record by: Brubaker, Paul, executive vice president and chief marketing officer, IS International, prepared statement of........... 51 Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of................... 6 Cooper, Steven, Chief Information Officer, Department of Homeland Security, prepared statement of................... 90 Evans, Karen, Administrator, Office of E-Government and Information Technology, Office of Management and Budget, prepared statement of...................................... 14 Flyzik, James, partner, Guerra, Kiviat, Flyzik & Associates, prepared statement of...................................... 62 Hitch, Vance, Deputy Assistant Attorney General, Information Resources Management and Chief Information Officer, U.S. Department of Justice, prepared statement of............... 97 Hobbs, Ira, Deputy Assistant Secretary for Information Systems and Chief Information Officer, Department of the Treasury, prepared statement of............................ 104 Johnson, Clay, III, Deputy Director for Management, Office of Management and Budget, prepared statement of............... 10 Nelson, Kimberly, Assistant Administrator of Environmental Information and Chief Information Officer, Environmental Protection Agency, prepared statement of................... 80 Powner, David, Director, Information Technology Management Issues, U.S. Government Accountability Office, prepared statement of............................................... 24 Putnam, Hon. Adam H., a Representative in Congress from the State of Florida, prepared statement of.................... 3 Stouffer, Debra, vice president of strategic consulting services, Digitalnet, prepared statement of................ 67 WHERE'S THE CIO? THE ROLE, RESPONSIBILITY AND CHALLENGE FOR FEDERAL CHIEF INFORMATION OFFICERS IN IT INVESTMENT OVERSIGHT AND INFORMATION MANAGEMENT ---------- WEDNESDAY, JULY 21, 2004 House of Representatives, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform, Washington, DC. The subcommittee met, pursuant to notice, at 2:40 p.m., in room 2154, Rayburn House Office Building, Hon. Adam Putnam (chairman of the subcommittee) presiding. Present: Representatives Putnam, Miller, Murphy, Ose, Turner, Clay, and Lynch. Staff present: John Hambel, senior counsel; Dan Daly and Shannon Weinberg, professional staff members/deputy counsels; Juliana French, clerk; Felipe Colon, fellow; Jamie Harper, legislative assistant; Colin Samples and Sean Hardgrove, interns; Adam Bordes, minority professional staff member; and Jean Gosa, minority assistant clerk. Mr. Putnam. A quorum being present, this hearing of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order. Good afternoon and welcome to the subcommittee's hearing on ``The Role, Responsibility and Challenge for Federal Chief Information Officers and IT Investment Oversight and Information Management.'' In 1996, Congress passed the landmark Clinger-Cohen Act, bringing fundamental changes to the way the Federal Government manages information technology. One of the most important parts of the act was the establishment of the Chief Information Officer as the position that leads agency efforts to manage IT. Now, 8 years after the passage of Clinger-Cohen, we must ask: Where is the CIO? Who do they report to? What authority do they have? And why is the turnover for the position so high? As many know, this subcommittee releases a report card on each agency's implementation of the Federal Information Security Management Act. On the last report card, the average grade was a D. Additionally, the scores for implementing e- government under the President's management agenda, although improving, are not terribly encouraging. The subcommittee has held several hearings throughout this Congress examining the CIO's responsibilities, including managing IT investment, developing agency-wide enterprise architectures, and implementing sound information security practices. Throughout these hearings, I have learned that CIOs in the Federal Government are facing significant uphill challenges in meeting their responsibilities. To better understand these problems, I asked the Government Accountability Office to examine the role of the CIO in Federal agencies. As we will hear today, some of the findings, and the questions they raise, are intriguing. For example: The average tenure for a Federal CIO is only 23 months, yet experts say that a CIO needs 3 to 5 years on the job to be effective. CIOs often do not have control over all IT investment in an agency. Major bureaus may buy IT systems without going through the CIO, making capital planning and effective IT management all the more difficult. CIOs juggle many responsibilities and often face internal push back as they try to institute reforms at their agencies. CIOs have 13 major areas of responsibilities, from IT investment management to e-government to privacy. And with time and new laws, the role is sure to expand. Finally, Clinger-Cohen requires that CIOs at the largest department and agencies report directly to the agency head, but this is not always the case. In an increasingly networked world, the Government has become more dependent on information technology to deliver its services. Federal agencies cannot operate efficiently without solid leadership from a CIO that is supported by the top officials in the agency. I look forward to hearing from our panels of experts on this topic, including the administration's leadership in information technology, as well as former and current CIOs, to see what this subcommittee and this Congress can do to improve the situation. I welcome all the witnesses. [The prepared statement of Hon. Adam H. Putnam follows:] [GRAPHIC] [TIFF OMITTED] 98209.001 [GRAPHIC] [TIFF OMITTED] 98209.002 Mr. Putnam. As is the case with all of our hearings, it is being Webcast and can be viewed by going to reform.house.gov and clicking on multimedia. I would like to recognize the distinguished Member from Missouri, the gentleman, Mr. Clay, for any opening remarks that he may wish to have. Thank you. Mr. Clay. Thank you, Mr. Chairman, and I thank the witnesses for taking their time to be with us today. I consider today's hearing an opportunity to extend the dialog our subcommittee established in March, when several of today's witnesses testified about the strengths and weaknesses of IT oversight within the CIO community. Since the Federal Government will spend approximately $60 billion on IT in fiscal year 2004, we must strive to utilize the best practices for implementation and oversight of our Government's investments. According to GAO's testimony, the CIO community is facing challenges due to limited resources, a strained IT work force, and the inconsistent delegation of IT management duties among non-CIO personnel. Further, the lack of tenure among CIOs is hindering agencies from achieving their long-term IT management goals and objectives. Such factors tell us why agencies rarely meet their full potential with regard to strategic planning, IT investment management, and work force training and development. At the heart of the matter are two issues. First, with an average CIO tenure of 23 months, we must promote mechanisms to ensure that long-term strategic planning and implementation does not cease due to limited tenures among those who serve. Second, I believe we ought to examine the issue of statutorily authorized CIO responsibilities that are being delegated to non-CIO personnel. Perhaps these problems stem from the lack of tenure among CIOs, human capital deficiencies, or inadequate agency planning. Nevertheless, it is our responsibility to identify the root cause of these problems and seek out appropriate remedies. Thank you, Mr. Chairman, and I ask unanimous consent that the full text of my remarks be included in the record. Mr. Putnam. Without objection. [The prepared statement of Hon. Wm. Lacy Clay follows:] [GRAPHIC] [TIFF OMITTED] 98209.003 [GRAPHIC] [TIFF OMITTED] 98209.004 Mr. Putnam. With that, I would ask the first panel and anyone accompanying you who will be answering your questions to please rise for the administration of the oath. [Witnesses sworn.] Mr. Putnam. Note for the record that all the witnesses responded in the affirmative, and we will move directly into testimony. Our first witness is Mr. Clay Johnson. We are very appreciative of the time that he has made to be before this subcommittee. Mr. Johnson is Deputy Director for Management at the Office of Management and Budget, where he provides governmentwide leadership to executive branch agencies to improve agency and program performance. Before that he was Assistant to the President for Personnel, responsible for the organization that identifies and recruits 4,000 Government officials. He received his undergraduate degree from Yale and a master's from MIT's Sloane School of Management. Welcome to the subcommittee, and we look forward to your testimony. You are recognized. STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, OFFICE OF MANAGEMENT AND BUDGET; KAREN EVANS, ADMINISTRATOR, OFFICE OF E-GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; AND DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE Mr. Johnson. Mr. Chairman, Ranking Member Clay, thank you for having me here today. I bet that I am going to refer you to Karen Evans for a lot of your questions, but let me give you my general comments and a general view of IT and e-government in the CIO world. As you mentioned, Ranking Member Clay, we spend almost $60 billion a year on IT, more than anybody else in the world. We ought to be nearly the best at it, and we are not, and we share that goal. We need to figure out what we need to do to make sure that we are the best at IT since this is a goal we share. Something that the Federal Government does a lot of is sending information to people and receiving information from people; we send them money, they send us money. A lot of information and money changes hands. We take large amounts of information and we try to make sense of it for intelligence purposes; we take a lot of information and put it in the hands of Federal managers so that they can manage programs and costs more effectively. We move a lot of information around, and it costs us $60 billion a year to do that. The CIO is the person in the agency who is responsible for making sure that money is being spent most intelligently, and that the IT operations are producing the functionality that we intended when you all authorized and appropriated the money consequently, the CIO is extremely important. Relative to a couple of questions that have been asked and suggested here, I personally do not believe that the CIO needs to report to the Secretary of the department. The CIO needs to work for somebody who can help him or her be successful, and that is typically not the Secretary. The CIO is plenty important in an organization without having to report to the Secretary. I think the CIO ought to report to the senior management person in an organization. At Homeland Security, for instance, that is Under Secretary for Management, Janet Hale, who works most closely with Jim Loy. In a lot of agencies, it is the Deputy Secretary. To me, working for the Secretary is not the issue; it is working with somebody who is most involved in how the department is managed. And I think in terms of the primary responsibility that a CIO has, that the CIO in an organization does a whole lot. I think the CIO's primary responsibility is to make sure that it is very, very, very clear what a new IT project or an old IT project is supposed to accomplish and what the desired functionality is. Usually, is the bigger the project, the more disastrous it is or the more telling it is. Oftentimes, we will get in the middle of the development of new IT projects, and it is not clear what it is we are trying to accomplish, and then the problems begin. And the CIO, in my mind, is the regulator, the person at the agency that can assure that does not happen. Additionally, the CIO ensures that the program managers cannot spend IT funds unless the disciplines are in place, and it is really clear what we are supposed to be accomplishing, at what cost, for whom, and by when. And that is the primary role, in my opinion, from a 20,000 foot view, for a CIO. There are other responsibilities as well, but I think our discussion here should be what does the CIO need to have to make sure he or she can perform that role most effectively. [The prepared statement of Mr. Johnson follows:] [GRAPHIC] [TIFF OMITTED] 98209.005 [GRAPHIC] [TIFF OMITTED] 98209.006 Mr. Putnam. Thank you, Mr. Johnson. Our next witness, our most frequent witness, is Ms. Karen Evans. Ms. Evans was appointed by President Bush to be the Administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget. Ms. Evans is a 20-year veteran of the Federal Government. Before joining OMB, she was Chief Information Officer at the Department of Energy and served as vice chairman of the CIO Council. Previously, she served at the Department of Justice as Assistant and Division Director for Information System Management. Welcome again. You are recognized. Ms. Evans. Good afternoon, Mr. Chairman and Ranking Member Clay. Thank you for inviting me to speak about the critical role that chief information officers play in driving increased agency performance, achieving results, and serving our citizens. In fiscal year 2005, the Federal Government will spend $60 billion on information technology. This afternoon I will outline the vision, strategy, and tools the Office of Management and Budget and the Federal CIO Council have developed to enable CIOs to be more successful. Eight years ago Congress passed the Clinger-Cohen Act, creating the position of CIO and elevating them to senior management rank. Throughout the last 8 years, but especially under the focused attention of the President's management agenda and as a result of the E-Government Act of 2002, CIOs have taken on new and expansive responsibilities. To be most effective, the CIO should work most with and be responsible to the department's top management person, which in most cases, as previously stated, is the deputy secretary. Without a high performing and capable CIO, an agency will not be able to fully achieve the goals of the President, Congress, and the American people. As for my role, the OMB's Office of E-Government and Information Technology is statutorily responsible for managing Federal Government information technology and policy. Throughout the past few years, we have implemented a series of tools to support Federal CIOs. First, we are empowering CIOs to drive business and technology change through the President's management agenda scorecard. Supported by their secretary and deputy secretary, agency CIOs use the scorecard to manage agency performance. Second, we are driving accountability and responsibility to agency bureaus and program offices by requiring agencies to score and remediate their exhibit 300 IT business cases before submission to OMB. Also, we are requiring a closer alignment between the 300's and the Program Assessment Rating Tool, or the PART, to assist the CIO in ensuring that IT investments enhance and compliment the overall objective of a particular program. Third, we are positioning CIOs to play a key part in the long-term success of their agency through our investment in enterprise architecture. Developing their enterprise architecture, CIOs identify IT investments and develop a blueprint for the future, including detailed transition plans. Enterprise architecture, supported by budget and related data, is bringing greater rigor and stronger decisionmaking to information resource management. Fourth, we are enabling CIOs to provide leadership for IT investment performance by setting cost, schedule and performance requirements. Agencies are required to use the same standard used in industry. This will result in tighter management and increased investment responsibility by the immediate IT project manager and CIO. Fifth, we are providing CIOs with the ability to realize considerable cost savings for their agencies through acquisition activities such as the SmartBuy program. This allows dollars to be invested in providing better services and stronger results for core mission responsibilities. In addition to OMB, the Federal CIO Council plays a critical role in supporting CIOs in fulfilling their obligation to serve their fellow Americans, identify new governmentwide solutions, and ensure their agency strategic goals are achieved. The Council is successful because it exemplifies a critical e-government principle: encouraging cooperation and sharing of ideas and resources. The Council is led by OMB Deputy Director for Management, directed by myself, and vice-chaired by Dan Matthews, the CIO at the Department of Transportation. The Council membership consists of agency CIOs who chair committees focused on critical issues before the Federal IT community. In consultation with OMB, these committees are developing the tools to assist their fellow CIOs and agency IT employees, including the CIO strategic plan and the most recent recommendations on IT work force project management qualifications. While the necessary tools are in place, the road ahead for Federal CIOs is not without its challenges. To realize the vision of the President's management agenda and the E- Government Act of 2002, CIOs must provide leadership to achieve their e-government migration milestones. In this, cross-agency collaboration is critical, both within an agency and across agencies. We need to continue to work in partnership with Congress, industry, and State and local governments. In conclusion, the administration will continue to work with agency heads, CIOs, and the CIO Council to empower CIOs to achieve results and transform our Federal Government into a more citizen service organization. We look forward to continued work with the committee on this matter, and I would be pleased to take questions at the appropriate time. [The prepared statement of Ms. Evans follows:] [GRAPHIC] [TIFF OMITTED] 98209.007 [GRAPHIC] [TIFF OMITTED] 98209.008 [GRAPHIC] [TIFF OMITTED] 98209.009 [GRAPHIC] [TIFF OMITTED] 98209.010 [GRAPHIC] [TIFF OMITTED] 98209.011 [GRAPHIC] [TIFF OMITTED] 98209.012 [GRAPHIC] [TIFF OMITTED] 98209.013 [GRAPHIC] [TIFF OMITTED] 98209.014 Mr. Putnam. Thank you, Ms. Evans. Our third witness for this panel is David Powner. Dave Powner is responsible for a large segment of GAO's information technology work, including systems development and IT investment management reviews. He has over 15 years of public and private information technology-related experience. In the private sector, he had several positions with Quest Communications, including director of internal audits, responsible for information technology and financial audits, and director of information technology, responsible for Quest digital subscriber lines software development efforts. He has an undergraduate degree from the University of Denver and a graduate's degree from Harvard. Welcome to the subcommittee. You are recognized for 5 minutes. Mr. Powner. Thank you, Mr. Chairman, Ranking Member Clay. We appreciate the opportunity to testify on the report we are releasing today on Federal CIOs. We have long been proponents of having strong agency CIOs to lead technology solutions that improve program performance. Eight years ago the Clinger-Cohen Act first required agency heads to designate CIOs. Effective CIOs can make significant differences in building the capabilities needed to implement improvements in the management of the billions spent annually on IT. This afternoon I will discuss CIO responsibilities and reporting relationships, tenure, and major challenges. I will also discuss actions to address our findings. First, CIO responsibilities and reporting relationships. As this chart to your left, Mr. Chairman, illustrates, the 27 major departments and agency CIOs are generally responsible for most of the 13 key areas required by statute on critical to effective information and technology management. Not surprising, all 27 CIOs reported that they are responsible for areas such as capital planning and investment management, enterprise architecture, and information security. However, not all CIOs are responsible for each of the areas called for in law, and views were mixed as to whether it is important for CIOs to have responsibilities for each of these areas. A significant number of CIOs who do not hold these responsibilities believe that it did not present a problem because other organizational units were appropriately assigned these duties. A few former CIOs told us that some of these areas were distractions from CIOs' primary responsibilities. Regarding reporting relationships, 19 of the 27 CIOs told us that they report to the agency head as required by law. Consistent with Mr. Johnson's comments, views were mixed as to whether it is important for the CIO to report to the agency head. Some stated that a direct reporting relationship was crucial, especially when influencing budgets and policy decisions. Others stated that organizational placement was not as important as credibility and relationships with other key executives. Next, regarding CIO tenure since Clinger-Cohen was enacted. The median tenure of agencies' permanent CIOs is just less than 2 years, or 23 months. Career CIOs, on average, stayed longer than political appointees. Nevertheless, in either case CIOs are staying less than the 3 to 5 years that was most commonly cited by both current and former CIOs as the time needed for a CIO to be effective. Since 1996, only about a third of the permanent CIOs who had completed their time in office stayed 3 years or more. Among reasons cited for high turnover were the political environment, pay differentials with the private sector, and the significant challenges CIOs face. Too short a tenure can reduce the CIO's effectiveness and ability to address the major challenges cited. These challenges included implementing effective IT governance practices, obtaining sufficient and relevant resources, and communicating and collaborating within the agency and with external partners. Congress and agencies can take actions to address these findings. With respect to Congress, hearings such as this, Mr. Chairman, help to raise the issues and suggest solutions. To further assist you in your oversight role, as requested, we are beginning work on private sector CIO responsibilities and best practices to complement the report we are releasing today. Agencies too can take actions to address the high turnover rate and challenges cited. Specifically, human capital flexibilities such as recruiting bonuses, retention allowances, and critical position pay authority may help to attract and retain qualified candidates. Regarding the major challenge of implementing effective governance practices, GAO and others have issued guides to assist agencies in institutionalizing sound governance such as our IT investment management framework. In summary, not all CIOs are responsible for the areas called for in law, nor do they all report to the agency head. In addition, most CIOs do not stay in office for the 3 to 5 years recommended. Given the many challenges facing CIOs, having laws that focus on the most effective assignment of responsibilities, flexibilities to lessen turnover, and governance practices to effectively manage critical areas will be essential. This concludes my statement, Mr. Chairman. I would be pleased to respond to any questions that you have at this time. [The prepared statement of Mr. Powner follows:] [GRAPHIC] [TIFF OMITTED] 98209.015 [GRAPHIC] [TIFF OMITTED] 98209.016 [GRAPHIC] [TIFF OMITTED] 98209.017 [GRAPHIC] [TIFF OMITTED] 98209.018 [GRAPHIC] [TIFF OMITTED] 98209.019 [GRAPHIC] [TIFF OMITTED] 98209.020 [GRAPHIC] [TIFF OMITTED] 98209.021 [GRAPHIC] [TIFF OMITTED] 98209.022 [GRAPHIC] [TIFF OMITTED] 98209.023 [GRAPHIC] [TIFF OMITTED] 98209.024 [GRAPHIC] [TIFF OMITTED] 98209.025 [GRAPHIC] [TIFF OMITTED] 98209.026 [GRAPHIC] [TIFF OMITTED] 98209.027 [GRAPHIC] [TIFF OMITTED] 98209.028 [GRAPHIC] [TIFF OMITTED] 98209.029 [GRAPHIC] [TIFF OMITTED] 98209.030 [GRAPHIC] [TIFF OMITTED] 98209.031 [GRAPHIC] [TIFF OMITTED] 98209.032 [GRAPHIC] [TIFF OMITTED] 98209.033 Mr. Putnam. Thank you very much. I want to thank all of you for your opening remarks, and at this time I will yield for the first round of questions to the ranking member, the gentleman from Missouri. Mr. Clay. Thank you, Mr. Chairman, and thank all the panelists for being here today. Mr. Johnson, GAO found that agency CIOs were unanimously responsible for IT areas such as information security and IT investment management, but were much less likely to be responsible for areas such as information disclosure or statistical policy, all of which they are statutorily responsible for. Should the CIOs be responsible for each of these 13 areas, and are OMB or the CIO Council planning to respond to these findings? Mr. Johnson. Ask Karen Evans after me, and you should pay more attention to what she says than what I do. To answer your question, if that is the law, then that is what they are supposed to be doing, is one. I do think that 80+ percent of the value of a CIO is in those top four, five, or six categories. And when we have major problems in the IT arena, it is because we have a $100 million project that is producing nothing, or a $500 million project that is 2 years past due. And that is where the bigger numbers are and bigger opportunities to perform or fall behind. But in terms of the CIO Council addressing those particular things, I really don't know. If it was agreed to that is what they are supposed to be doing, then that is what they are supposed to be doing. Mr. Clay. Let me ask you, then, a followup. Whose responsibility does it become to fulfill the CIO's role when the position is vacant? And are there circumstances where the bureaucracy is demonstrating better results in agencies where the CIO position is vacant? Mr. Johnson. When the position is vacant, the chief operating officer of an agency, which may be the head of a smaller agency or under secretary for management at larger departments will fill the vacancies. If there is a vacancy in a political position or a career position, the work is supposed to be go on. Big IT development projects are supposed to continue on budget and on schedule. We are supposed to be running these agencies, and they are responsible for designating somebody to serve in an acting capacity in the absence of a CIO; and it might be the deputy CIO, it might be somebody from the outside, it might be any number of different people. But we are not supposed to stop spending $60 billion wisely just because the CIO is missing. We hold the operating head of the agency responsible for everything that goes on in that agency, whether all his or her senior positions are filled or not. The absence of people in those positions is not an excuse. Mr. Clay. OK, thank you for that response. And I will ask you, too, Ms. Evans. Welcome today. What about GAO's findings that the agency CIOs were responsible for IT areas such as information security and investment management, but much less likely to be responsible for areas such as information disclosure? Ms. Evans. In looking at those responsibilities--and I have had the opportunity to be an operational CIO, as well as being in component organizations, and I have had the opportunity to work with statistical agencies. Statistical agency and policy coordination is usually jointly developed in those agencies where statistical agencies are present, because by law statistical agencies have information requirements that are levied on them, as well, as to how they need to protect that information before it is released out to the public. And so usually what will happen is those responsibilities will be jointly done. The two that you specifically mentioned are usually jointly done with the general counsel's office and the CIO's office, because there is an information dissemination piece where the CIO's policies and rules and procedures would come in place, but there is also a programmatic piece associated with the management of that information. So I think those two areas really highlight the partnership that is required that a CIO must have into multiple program areas, because we don't necessarily have the expertise in all the program areas, so we have to partner with the appropriate expertise that we need. So there is a programmatic aspect to the two pieces that you have brought up that we would generally rely on general counsel advice as well as the statistical heads of the agencies as designated by law. Mr. Clay. OK, let me ask one last question. Do you believe the requirement to have agency CIOs report directly to the agency heads still make sense in today's environment? Ms. Evans. I would like to think that the focus of this is that IT is a strategic asset, and so the agency head, or the chief operating officer in this particular case, views IT as a strategic asset; therefore, the CIO would be involved in those. Do I think it is necessary that they directly report to the secretary? I don't think that is the case. I think that what is important is the way that IT is managed within that agency, and that it is viewed as a strategic asset and that the CIO manages it that way with the appropriate staff. Mr. Clay. Thank you for your response. My time has expired. Mr. Putnam. Mr. Johnson, thank you again for being with us. If you would just step back and in your time you have had an opportunity to evaluate this, see what is working, what is not working. If we were to make modifications to the law governing CIOs, what changes to the statute make the most sense for the operational day-to-day activities of making the Government work, holding it accountable, and running it efficiently? Mr. Johnson. Well, I have a better sense of what we need to make sure that all of this happens. If you are asking what of the Clinger-Cohen currently allows or doesn't allow, I don't know. But what I think the CIO needs to be able to do, and needs to be charged to do is to define really clearly what any dollars spent on IT is supposed to produce which is their most important role as I mentioned earlier. And oftentimes program managers say we need a new intelligence system or a new financial management system, and people start spending large sums of money before it is really clearly defined what it is that we are trying to accomplish. The CIO is the person that the head of the agency, Karen, all of you, and I should look to when we have IT projects that run amok, that are not producing defined goals with defined benefits at an acceptable cost, on schedule. That is their primary responsibility, in my mind, and they are the ones that we should hold accountable for that. If they need extra authorities or extra tools to be able to do that, then we should allow that. I don't know what Clinger- Cohen allows now or not, but I do know that all too often we are not a very good client; we don't develop most of these systems ourselves, we hire other people to come in, we act as their client, and we work with them. The fact that we allow large, large sums of money to be spent on these projects that are years behind or have not achieved the functionality we expect, says that we are not as good a client and as good a spender of these resources as we should be. To me, we have to be a disciplined client and a disciplined spender. This means we have to be rigorously inclined to define what it is we consider success and what it is we are trying to accomplish: by when, for whom, and at what cost. And that is the discipline. That is the rigor that is missing, I think, between a really good spender of $60 billion and a not-so-wonderful spender of $60 billion. Mr. Putnam. What is the best management tool to impose that discipline, that rigor, to have that accountability when programs do go south? And, frankly, it happens more frequently than any of us would like, and it involves an awful lot of commas and zeros. Mr. Johnson. I think it is a combination of things. I think one of the things the President's management agenda points out is the value of clearly defining what you expect to achieve in human capital, in IT or budget integration, or competitive sourcing. Then you can hold someone accountable for achieving it, and you give quarterly updates on how good a job they are doing. So, for instance, one of the things that the President's management agenda does is require the IT operations in the agencies to use Form 300's, which develop really well thought- out business cases. Are the business cases acceptable or not; do they define the adequacy of the management of the project, the security provisions being made, the desired functionality, and so forth? How good are our business cases, and does the value of the system far exceed the cost? And we could talk about what percent of the business cases are acceptable or not. That is information, particularly with the bigger projects, that we probably ought to be more interested in and pay more attention to than we are. But I think one of the things we have done is start to publicize what percent of the case are acceptable or not and, what percent of the systems are secure. That information is public, and some agencies are great and some agencies are not so great. We ought to be kind of hard on the agencies that are not so great. We required CIOs to utilize earned value management for all projects to determine whether projects are on budget and on schedule. And we keep track of what percent of the projects are within 30 percent of the planned budget and schedule, as an intermediate goal, and the ultimate goal is to get within 10 percent of the budget and schedule. That information ought to be made public; people ought to be held accountable for getting it to an acceptable level and holding it there. So it is a clear definition of success, and I think information about how good each CIO is or how good each agency is at achieving those standards should be made public. And we ought to be relentless about it. I think that we do a good job with the President's management agenda, but it can be even more visible than what it is today, which is a charge to us. In the past, what I heard a lot of people say about management issues in general in the Federal Government was: we have always had goals, we have always said we want to accomplish this with GPRA, and we want to accomplish this with IT. What seems to be new in the last couple of years is that we are actually expecting people to achieve those goals, and we are actually defining more clearly what success means. We are publishing report cards, and we are publishing performance information and letting the American people and Congress know who is achieving those goals, who is not, and making it real clear that we expect people to produce results. There are things that we are employing now: earned value management, Form 300's, President's management agenda. There have been other things as well that will allow us to do that even better. I don't know that we necessarily mandate those by statute, but that discipline, I think is, in general, what is called for. Mr. Putnam. So the oversight, the scrutiny, and the publicity that arises from failing to meet those goals then is the accountability you speak of. Mr. Johnson. Yes. Karen and I have talked about understanding that the more money involved, the greater the risk. Maybe there is a second and a third level of quality control that should exist for large IT projects. How do we ensure that it happens? Do we require it? Do we suggest it? I don't know yet. But whenever we are trying to write something new or develop a system, we are trying to do something that has never been done before, so there is risk involved. We must find out how to manage that risk. We just need to be more conscious of our track record, ensuring that it is not going to go awry. We need to try to do more things to make sure it doesn't. So, to do so, we can identify where we do have problems, identify where we do have success, make sure that we spread our best practices and avoid our worst practices, and have lots of clarity and accountability. Mr. Putnam. Ms. Evans, having been on both sides of this, is there enough accountability in the system currently on individuals, on CIOs? Ms. Evans. I would say that right now, based on the statutes that we have in place, the authorities that are out there and the responsibilities that we have, it is very clear what we are supposed to do. I would echo the same comments that Mr. Johnson has just made. And I was obviously in the Federal Government when Clinger-Cohen was first passed, and have seen how it continues to progress and evolve the roles, but the difference now is the accountability. We always knew what we were supposed to do; we have always had an A-130. We have always had A-11s. We have always had the guidance going forward of what we were supposed to do, but now OMB has stepped up and the President, himself, with the scorecard is really in a very public way publishing what are the expectations, what do we expect agencies to do, how do we expect them to perform, and holding them accountable, meeting with them quarterly and asking them about the progress of how they are going, giving us results that we can see, tangible results, not just telling us that they are doing it, but us actually can see it, because then, as the taxpayer, you will be able to see it as well, has really made a difference. And I have seen great, great changes that have occurred with the introduction of the scorecard, holding the agencies accountable, and it really has truly energized people within the agencies because they know at the highest ranks of the Federal Government their work is being looked at, and it is important and it is making a difference. Mr. Putnam. So Clinger-Cohen, has it had its intended impact? Ms. Evans. I would say yes. And I would say that you are going to continue to see more things happen. I think that Congress, 8 years ago, had the foresight to realize what information technology was going to do, the impact that it was going to have on the Federal Government. But as we continue to evolve and as you see technology continues to just morph and morph and morph, that it has had the impact; it has heightened the awareness, it has made agencies' officials be held accountable, and we are introducing more and more tools so there is more clarity to what the intent of Clinger-Cohen really was meant to be. Mr. Putnam. The A-130 was last revised in late 2000. Is it outdated, it is in need of revision, or is it OK the way that it is? Ms. Evans. You are right, it has not been updated since 2000; however, as each piece of legislation comes out, we have implemented policy guidance to deal with the implementation of that legislation. We are in a review process for it right now to see if we really do need to update it, but there are no policy gaps as far as guidance to the agencies are concerned, because we have issued those. We are reviewing it. If we were to update it, it wouldn't happen until the next fiscal year, going into the next fiscal year. Mr. Putnam. Mr. Powner, you pointed out the turnover in the CIOs in your report. Mr. Johnson, we have had hearings about this at all levels of the Federal Government, the human capital problems. How big a deal is it? Is it typical of what we are seeing across the Federal Government, a little bit better, a little bit worse, is it a crisis, is it one of many problems? How would you characterize it? Mr. Johnson. I know in the political appointees in general, their adage is--which is what I was involved in with the President when he first came to office--the average time supposedly that somebody stays in a political position is 2\1/ 2\ years or so, and the general reasons given for that is this is hard work, the volume of work, the public scrutiny, it is hard. You have been here long than I have. And it doesn't mean necessarily someone leaves, but they stay in one job on point 11, 12 hour days, and 2\1/2\ years plus or minus, then they tend to move to something else or the good ones are asked to do something else, whatever, but 2\1/2\ years. So the fact that the turnover for CIOs is 2 years doesn't strike me as being dramatically different. I know of CIOs who, in general, can come in and have a huge impact on an organization within months, and I know other CIOs that can come into an organization and be there for 3 or 4 years and have little impact. So I wish CIOs in general would be there 3 or 4 years, versus one or two, but I am not sure there is a direct correlation between time on the job and their effectiveness. This is a very hot market, and I don't know what impact the IT and the Internet growth of the industry in the late 1990's had on turnover. I would think it would be hard for us to compete with people that are hiring our CIOs and paying them lots of money and lots of stock options and so forth. It would be easier when the market is not heated up like that. I don't know that there is any immediate, direct problem with CIO turnover, because I think a good CIO can come in and have an impact in a very short period of time. I think the primary thing is being able to hire them initially and get them on board in a hurry, more so than once they are here, keeping them and letting them grow into the job. We spend so much money in almost every agency; we don't need to be hiring CIOs that can take 18 months to get up to speed. Invariably, when they walk in on the job, they have tens of millions of dollars of projects that need to be managed and huge issues bigger than anything they have ever faced, and they need to be effective pretty much within the first couple of weeks. Mr. Putnam. Ms. Evans, you chair the CIO Council. How would you characterize the turnover issue? Ms. Evans. I think it is indicative of the marketplace of where we are competing. Is it a problem that their turnover is every 18 months? Again, I would re-echo the same comments that Mr. Johnson did. When you come into the job, you have to be able to hit the ground running. You could be there 3, 4, 5 years and not be a very effective person, and not just as CIO, but in any position. So do I see a change on the Council? They come in, we come in, we bring them up to speed, we make sure that the best practices are there so that they have everything that they need to hit the ground running. But for the most part, do I think that it impacts our overall performance on the Council? I would say no, because we have our processes and our procedures and our best practices; we continue to evolve those. We have those in place so that we can ensure that the turnover doesn't impact the functioning of the Council. Mr. Putnam. Mr. Powner, do you agree with that? Mr. Powner. In terms of the tenure and the turnover with the CIOs, a couple things that we heard that actually could help to mitigate some of the transition periods is the deputy CIO position. Many CIOs mentioned to us the importance of that position. The other thing that is very important, and this is in line with what Ms. Evans is saying here, is when we have performance-oriented goals, such as the E-Gov section of the PMA, which really covers a number of those top seven areas there, that keeps the focus on several key IT management areas, whether we have turnover or not. That is very important. Your grades, that is another area. Folks are very focused on those grades, whether we have turnover at the CIO position or not, because the heads of those agencies are clearly focused on those grades and those scores. Mr. Putnam. Thank you all very much. We have three panels today, so we are going to move right along. I really appreciate all of you coming down and spending some time with the subcommittee. These are important issues and you have all been very supportive of this subcommittee's agenda in working together with you to improve our IT efficiency. So the subcommittee will stand in recess and we will arrange for the second panel. [Recess.] Mr. Putnam. If the witnesses and anyone accompanying them will please rise and raise your right hands. [Witnesses sworn.] Mr. Putnam. Note for the record that all of the witnesses responded in the affirmative. We will move immediately into testimony. I would like to welcome our witnesses for this panel and introduce Paul Brubaker. Mr. Brubaker served as executive vice president and chief marketing officer for IS International. He has responsibility over marketing and helps guide IS toward future opportunities. He joined IS with over 16 years of experience in government services and the public sector. As the former deputy CIO for the Department of Defense, Mr. Brubaker was the Department of Defense's second highest ranking technology official. Welcome to the subcommittee. You are recognized for 5 minutes. STATEMENTS OF PAUL BRUBAKER, EXECUTIVE VICE PRESIDENT AND CHIEF MARKETING OFFICER, IS INTERNATIONAL; JAMES FLYZIK, PARTNER, GUERRA, KIVIAT, FLYZIK & ASSOCIATES; AND DEBRA STOUFFER, VICE PRESIDENT OF STRATEGIC CONSULTING SERVICES, DIGITALNET Mr. Brubaker. Thank you, Mr. Chairman, Mr. Clay, and members of the subcommittee. I am here today speaking as a citizen. These are my own views and do not reflect those of my firm, per my general counsel. I was originally involved in developing the Clinger-Cohen provisions, including the CIOs and the deputy CIO provisions that were in the report language, as well as served at DOD, so I think I have a fairly unique perspective on both the formulation of the legislation and how it is applied at the largest Federal agency. I would like to commend you, Mr. Chairman and Mr. Clay, as well as the General Accounting Office, for convening this hearing today and undertaking this review. I would like to point out that--you see these outlined over here in the chart that GAO put forward--work before programs run amok, not after they run amok. Management is another area responsibility in developing and enhancing architectures, including operational architectures, and standards is absolutely key, encouraging and ensuring process change throughout the organization, and the intent was for visionaries and strategic thinkers as it relates to applying information technology in the enterprise. What is the most useful reporting structure? Simply reporting to the agency head. GAO made reference to a chief operations officer in their report today, which I believe to be an excellent idea and merits further study. Now, should a COO be established, then I would highly recommend that both the CIO and the CFO report directly to that person. The bottom here is that a seat at the management table is absolutely critical for a CIO to be effective; they should be tantamount to the financial officer in terms of the organizational structure. Wherever that CFO reports, the CIO should report as well. You asked about the specific duration of time in which a CIO must remain in their position to be most effective. Honestly, it has to be longer than 19 to 32 months, as was outlined in the report, especially given the fact that the general consensus out there in the management circles is that you need 3 to 5 years to be effective. I would highly recommend term appointments on the part of CIOs, certainly greater than 6 years, no more than 12; can be reappointed; perhaps some perks related to retirement that would attract some of the best and brightest of that position. You asked about characteristics and qualifications that a CIO should possess. Simply put, knowledge of applied technology and a nose for transformation, a desire and a passion to reform, and business acumen. It is absolutely critical that if they are operating the capital planning and investment control process, that they understand concepts like risk management, risk mitigation, return on investment, and so forth. Major challenges? In a word I can sum it up: culture. The culture of the organization, when we introduced the concept of CIO, was not all-embracing, and basically what you have is an information-aged position that we are putting into an industrial-aged bureaucracy, and, frankly, it has been difficult and a long road to get it to work. And I would be pleased to answer any questions that you may have. [The prepared statement of Mr. Brubaker follows:] [GRAPHIC] [TIFF OMITTED] 98209.034 [GRAPHIC] [TIFF OMITTED] 98209.035 [GRAPHIC] [TIFF OMITTED] 98209.036 [GRAPHIC] [TIFF OMITTED] 98209.037 [GRAPHIC] [TIFF OMITTED] 98209.038 [GRAPHIC] [TIFF OMITTED] 98209.039 [GRAPHIC] [TIFF OMITTED] 98209.040 [GRAPHIC] [TIFF OMITTED] 98209.041 Mr. Putnam. Thank you very much. Our second witness is James Flyzik. Mr. Flyzik is a partner in a consulting company he co-founded. Before this, he served as Senior Advisor to Governor Ridge in the Office of Homeland Security. He provided advice on the national strategy and information management. Prior to that, he was the Chief Information Officer for the Department of the Treasury. Welcome to the subcommittee. You are recognized for 5 minutes. Mr. Flyzik. Mr. Chairman, Mr. Clay, distinguished members of the subcommittee, it is my pleasure to testify today on issues of critical importance to achieving world-class performance within Government agencies. I have been involved in information technology issues during my entire 27-year government career, and I now work in the private sector to find ways to help make government IT programs succeed. I applaud the subcommittee for making these issues a priority. I had the honor and privilege to work for the public for over 27 years as a career civil servant. I held senior information technology positions at Secret Service, Department of Treasury, CIO, served as Vice Chair of the Federal CIO Council from 1998 until 2002. I also had the privilege to head up the IT team during the reinventing government program and served on the administration's team during the crafting of the Information Technology Reform Act, the Clinger-Cohen legislation. I finished my career as an IT advisor to then Governor Ridge, following the terrorist attacks of September 11. In all these roles, the empowerment of Federal CIOs was the key issue that impacted program success. My message today is simple: If the Government is to take full advantage of the power of IT, it must make achieving world-class IT implementation a priority on the agenda of the heads of our Government agencies. I believe progress to date has been good, but far short in what is needed and far short of what Clinger-Cohen originally envisioned. Many CIOs today find themselves being held responsible and accountable for results, but lack the authority to impact the programs they are expected to implement. I participated in the GAO study of these issues. With that, I will address the five questions posed by the subcommittee. What are the responsibilities of a Federal CIO most critical to success? The CIO must be responsible to bring best- in-class IT practices to Government agencies. This implies responsibility for gaining detailed understanding of the key critical mission objectives and defining how IT can realize these objectives. If we are to hold CIOs accountable for program performance, then we need to empower them to make strategic decisions about resources. This means responsibilities for IT capital planning, investment decisions, budget execution, program and portfolio management. I would also suggest that an important responsibility for a CIO is to become credible in an agency and part of that senior team making strategic business decisions. This means becoming credible to senior political executives, career executives, middle management, and subordinates. Only when a CIO is seen as a key player can he or she be influential in getting results. A CIO will gain this credibility by understanding the business objectives of the agency and how IT can add value to meeting those objectives. On the question of reporting structure, a CIO that reports to the agency head immediately gains the empowerment of being on the senior leadership team if that CIO has a seat at the table. A seat at the table means being part of the strategic decisionmaking, not merely a line on an organization chart. Can other organizational models work? Yes, but only when the CIO gains the empowerment to effectuate change and is seen as part of that senior leadership. For example, during my tenure as CIO at Treasury, I reported on a dotted line to the secretary for all IT matters, but administrative reporting was through an assistant secretary. Yet I believe this worked. Why? Because the assistant secretary made it clear to all subordinate bureaus that all IT budget and program decisions needed to be approved by the CIO. In this case, it wasn't structure that empowered, it was process. But I must also point out that empowerment doesn't guarantee results. Empowerment provides the opportunity for results. A competent CIO will get the results. In reference to the question of time duration, I believe a CIO cannot achieve any meaningful results if they are in that role less than 2 years, based on budget and procurement cycles. On the other hand, I also believe it is in the best interest of Government agencies to bring in fresh ideas over time. I believe it a good practice to rotate CIOs and into key CIO Council executive committee positions to encourage the development of alternative viewpoints. I believe CIOs should be rewarded for innovative and creative enterprise approaches such as heading up governmentwide initiatives. In addressing the question of characteristics and qualifications, I would like to point out that the Federal CIO Council invested a great deal of time identifying many of the technical and business skill sets required to be a successful CIO. Universities now teach these. But rather than reiterate these well documented qualifications, I would like to point out that a good CIO needs to understand technology, but, more importantly, how to apply that technology to solve business problems. A good CIO has technical skills, finds ways to stay current on technology, understand business practices and business skills such as financial management, and know how to build relationships, relationships with Congress, top managers in the agency, the private sector, and their peers. Challenges they face are numerous and dynamic. The delicate balance of privacy versus national security, interoperability, information sharing. But in my opinion, the most challenging issue is the need to use technology to challenge and change agency cultures, traditional institutionalized processes. We have seen major programs continually plagued with cost overruns and time delays. We see now new powerful approaches such as performance-based acquisitions to address these. The concept is simple, yet implementing these concepts requires not just the CIO. Mr. Chairman, to sum up, if UPS and the Federal Express can tell you where and when your package is located at any point in time during shipment with a click of a mouse, why can't Government tell you when your tax return will arrive, how to change your mailing address without going agency by agency, when your street will be cleared from snow? Citizens demand and expect fundamental government information in realtime. I thank the subcommittee for giving me this opportunity to make my points, and I look forward to working with you in any way I can to help move these important issues forward. I would be happy to answer questions when appropriate. [The prepared statement of Mr. Flyzik follows:] [GRAPHIC] [TIFF OMITTED] 98209.042 [GRAPHIC] [TIFF OMITTED] 98209.043 [GRAPHIC] [TIFF OMITTED] 98209.044 Mr. Putnam. Thank you very much. Our third witness on this panel is Debra Stouffer. In February 2003, Ms. Stouffer became vice president of strategic consulting services at DigitalNet Government Solutions, where she is responsible for developing and managing a comprehensive suite of analytical and technical services designed to enable government and commercial business leaders to achieve improved mission performance. She previously served in the Federal Government as the EPA Chief Technology Officer, as the Federal Enterprise Architecture Program Manager at OMB, and as the Department of Housing and Urban Development's Deputy Chief Information Office for Information Technology Reform. Welcome to the subcommittee. You are recognized. Ms. Stouffer. Thank you. Good afternoon, Mr. Chairman and members of the subcommittee. Thank you for inviting me here to discuss the evolving role of the Federal CIO. My experience in the public sector has shaped my perspectives on the topics that I will share with you today. In terms of the CIO's responsibilities and criticality, the role of the Federal CIO today is broader and more complex than it ever has been. Further, the statutory and regulatory framework is complex as well. CIO responsibilities are derived from numerous IT-related statutes and regulations. For example, there are over nine IT-related statutes that lay out the CIO's responsibilities, and just since 1994 at least 12 separate memoranda and circulars issued by OMB related to Federal IT policy and budget procedures. New Federal CIOs often find it difficult to understand the Federal requirements to which they must comply and the competencies they must exhibit to perform effectively. Further, CIO duties vary across the Federal Government, depending upon the agency's size, complexity, and organizational structure. As size and complexity increase and structure is disaggregated, the influence the CIO has over business and budget decisions is likely to diminish. Until the past few years, Federal CIOs have been responsible for the more traditional information resource management concerns. Recently, however, as a result of the administration's efforts to ensure Federal agencies are citizen-focused and results-oriented, the CIO is increasingly viewed as a change agent for business modernization and transformation. Further, they must ensure that IT investments are delivering intended results in terms of mission performance, not just finishing on time and within budget. In terms of reporting structure, many Federal CIOs report to the executive heads of the agencies. I believe, however, similar to many comments you have heard today, that based on their evolving role, that CIO effectiveness would improve with organizational reporting to their agency's COO, that is, those executives responsible for the agency's day-to-day business operations This would provide the CIO with equal footing among agency business leaders in all key decisions regarding agency business operations. In addition, Federal CIOs informally report to the Administrator for Electronic Government at OMB; however, this reporting structure is not clearly defined in the E-Gov Act of 2002. In regards to their optimal time duration, it should be longer. Available evidence suggests that the median tenure of a Federal CIO is about 2 years. Often, 3 to 5 years is needed to lead business transformation. Equally important to tenure is the ability to participate in executive decisions, an activity often limited to politically appointed business leaders. Some CIOs are politically appointed; others are not. All need to have a seat at the table on their senior management teams. Perhaps term appointments are an option. In regards to personal traits and qualifications needed, CIOs must certainly have the correct technical and business and management skills to meet their agency's needs. Further, to lead transformation, they must be strong leaders, strong communicators, and have a strong business acumen. Challenges include the following: understanding the existing and complex Federal statutory and regulatory framework for information resources management; recruiting and retaining skilled IT professionals, to include project managers; fostering business and cultural change to achieve e-government transformation; maturing governance processes and integrating those governance processes; and ensuring adequate resources for cross-agency collaboration are identified and made available to the people that are charged with implementing e-gov initiatives. In conclusion, Federal CIOs can and should play a significant role in improving the management and performance of the Federal Government, and ensuring that our Government is more responsive to the needs of citizens. IT has transformed the way that we all do business, and none of us can predict what the future may hold. As the CIO role broadens and expectations increase, so do the challenges. I am confident, however, that with the proper support from Congress and the administration, CIOs can be successful and effective in their role. I thank the committee for the opportunity to speak this afternoon. [The prepared statement of Ms. Stouffer follows:] [GRAPHIC] [TIFF OMITTED] 98209.045 [GRAPHIC] [TIFF OMITTED] 98209.046 [GRAPHIC] [TIFF OMITTED] 98209.047 [GRAPHIC] [TIFF OMITTED] 98209.048 [GRAPHIC] [TIFF OMITTED] 98209.049 Mr. Putnam. Thank you very much. And I have been notified that we are expecting a series of votes around 4, so I would ask for your indulgence. We are going to cut the questions short for this panel in hopes of being able to get through the third panel before the voting bells go off. This is a unique opportunity, I would assume, for former CIOs to be able to come back and do essentially an exit interview with Congress and have the opportunity to reflect on what you wish someone would have told you or prepared you for as you went into the job, so that is my first question: What would you advise someone who is considering taking this job, in its current role and its current form, with its current responsibilities? What is it that you would share with them that you wished someone had shared with you? And we will begin with Mr. Brubaker. Mr. Brubaker. Well, I came at this with a little different background; I wasn't in the Federal Government, I had actually come off the Hill and gone into industry for a few years. So having been involved in what I thought I knew what the requirements were, having been involved in drafting legislation and the position description, if you will. My advice would be don't expect the agency to have an understanding of the roles and responsibility of the CIO when you walk in. Part of the job is actually to educate your management and the people that you work with and your colleagues in the agency as to what your role is. The first time you start snooping around IT investments--at least this was true when I was at the Defense Department--people tend to get pretty excited; they feel somewhat threatened. So you have to concentrate on your governance processes, and the culture and how you are going to overcome cultural obstacles, and have a proactive plan for addressing those issues. Mr. Putnam. Mr. Flyzik. Mr. Flyzik. Yes, Mr. Chairman, and you are right, it is kind of unique to have an opportunity to testify today, for the first time, where I didn't need to go through a clearance process with the legislative affairs, the legal counsel, OMB, and all the other various chains, but be able to write and say what I have been thinking. But with that in mind, I would suggest to you, sir, that building relationships and partnerships has to be a first step. As I mentioned in my testimony, I believe a CIO can only be effective if they are credible, and credible means building relationships within their own agency, the career officials, the political officials, members of the Hill like yourself and your staff, and OMB and those others, and the private sector. I think there is a very fine, delicate balance, too. A CIO needs to reach out, get out in the community and build these partnerships, but at the same time remember their responsibilities within their own agency. And I think it is a very delicate challenge that CIOs face to do that, but I think it is critical to gain that credibility, because once one gains credibility, then one has the power to effectuate change. Mr. Putnam. Ms. Stouffer. Ms. Stouffer. Several things are critical, in my opinion. One is to know the business. The CIO has to understand the business of the organization, understand where the performance gaps are, and be able to apply technology to close those performance gaps or enable business performance. Second, obviously, know information technology. You can't offer up a solution of enabling technology if you don't understand it and know how to apply it. Third, in building relationships, you need to communicate, communicate, communicate value, and you have to do that differently with different stakeholders. So it is important not to have one story, but to be able to communicate the value of enabling technology to different people in different ways so they understand it from their own unique perspectives. Mr. Putnam. I would ask all of you also if is it critical that the CIO report directly to the head of the agency? And I would ask you to be brief. Something more than yes or no. Mr. Brubaker. At this moment, yes. I think I covered it in my statement. Mr. Flyzik. As mentioned in my statement, I think it certainly helps gain that credibility I am talking about. I also suggested that the key issue is can the CIO be in the strategic management team and be empowered. If we are going to hold the CIO accountable for results, then they need the responsibility and the authority to control resources, both financial and human resources, to get the job done. Ms. Stouffer. In my opinion, it could be more effective for them to report to the COO, and that is a different person in different organizations. I say that because the head of an organization or the secretary or administrator is typically outward facing, they do a lot of externally-oriented work. The deputy or whoever is effectively the COO of the organization really runs the day-to-day business of that organization. Informally, if not formally, the assistant secretaries and administrators report to them anyway. Mr. Putnam. Is turnover a big deal? And if so, how do we fix it? Ms. Stouffer. Ms. Stouffer. I think that it is. And, I believe that term appointments, and perhaps politically appointed term appointments, might be one action to consider. It might help to have term appointments that extend more than 18 months or 2 years. Often a CIO has even a shorter period than that to be effective when they are politically appointed, because the time it takes to bring them into the agency. Yet, because political appointees start out with a great deal of credibility, they have an easier time coming to the table with the other senior business leaders. For this reason, perhaps a politically appointed term would make the most sense. Mr. Putnam. Mr. Flyzik. Mr. Flyzik. Mr. Chairman, I believe the answer to that question is it depends how effective the deputy and the staff below the CIO are, and how well that succession planning has been built. If you build a very strong team and effective staff, then a program should be able to sustain its momentum through a turnover process. If you can sell your program to the ultimate customer of government, that is, the citizen of government, then the program will live beyond an individual. And the question is developing key players that can run those programs coming up right behind that CIO. Mr. Brubaker. Mr. Chairman, I strongly advocate term appointments. In my written statement I gave a little more detail on it, but I think a term appointment of at least 6 years for a CIO would be smart, with a Senate confirmation for those who are statutorily required. You know, from personal experience, people can't wait you out. I actually, during my lame duck period, if you will, while the administration changed and people knew I was going out, I actually had somebody tell me that they were going to wait for the next guy, because I was challenging a program and something that they wanted to do. So I am a strong advocate of term appointments, political, with Senate confirmation for the statutorily appointed ones. Mr. Putnam. Why is it so important that a CIO have Senate confirmation? Mr. Brubaker. Why is it important? Mr. Putnam. I know you would never get that question in the Senate. Mr. Brubaker. It is important for oversight purposes, to make sure that you take a look at--it provides an opportunity to talk about what that agenda is going to be. It provides an opportunity for the appointee and the agency to commit to certain types of oversight and to ensure that appointee is going to be given the support on the part of the agency. It gives you an opportunity to have a hearing, it gives you an opportunity to talk to some of the agency officials to make sure that they understand what the roles and responsibilities are, and I think it is good to vet those people through that process. Mr. Putnam. How do we hold CIOs accountable? Mr. Brubaker. Mr. Chairman, can I add something to that as well? Mr. Putnam. Sure. Mr. Brubaker. If you are conducting oversight over other PASes, Presidential appointment, Senate confirmed, there is a hierarchy that is important as well, and I don't want to underestimate that. If you are giving advice on technology programs in an oversight capacity to somebody who is a Presidential appointment that has been Senate confirmed, you rank up there with them, and, frankly, that is another real reason to have a Senate confirmation; it is a hierarchical, it is a pecking order issue. Mr. Putnam. It is an ego issue for the Senate. But the accountability issue I think is important. How do we really get down to holding CIOs responsible for $100 million projects that go south, that fall 3 years behind, that are abandoned midstream? What is the appropriate level of accountability, what form does it take, and is it adequate? Mr. Brubaker. There is an accountability issue, but there is also a responsibility issue, and the issue that Clinger- Cohen was a three-legged stool: you have responsibility that is delineated on the part of OMB, you have responsibility that is delineated to the agency head, and you have responsibility that is delineated to the CIO; and they all have to work in concert. And there is a lot of authority there, but there isn't the commensurate responsibility because the law, frankly, hasn't been implemented as it was originally envisioned. You know, can you take somebody to the woodshed, if you will, on a program that went south? Yes, you can do it, you can beat them up, but if they didn't have absolute responsibility, authority, and budget control over that program, then it is pretty difficult to make a fair case that they were responsible for the program going south. There is too much diffused responsibility and not enough--you know, we used to refer to it as who is the single belly button. Who is the single person that I can point to who has absolute accountability, authority, responsibility for a program? And, frankly, it is almost by design in the bureaucracy that responsibility is diffused among a lot of different people, because a lot of different people want to play in that role. And what Clinger-Cohen tried to do was delineate those responsibilities and be clear about who was responsible for what, and, frankly, we are not to that point yet; you have too many people with their hands in that cookie jar, and then when the cookie is gone, you can't figure out who took it. Mr. Putnam. Mr. Flyzik. Mr. Flyzik. Yes, sir. The accountability issue, as I mentioned before, I am a big advocate of performance-based approaches, and I think one can define performance metrics, as well as with contractors. However, if we are going to hold the CIOs responsible and accountable, they need to have the authority to control those resources. I would suggest that when a project is approved, particularly in a performance-based environment, that CIO be given the authority and the budget to put that program in place, and be held accountable, and have the authority to control the resources necessary to get that job done. And if more resources are needed, the authority to work with the CFO and agency head to come back up to the appropriations process and be completely in charge of the program. I feel in a lot of cases were are holding CIOs accountable because you have to hang someone when things don't work. But, yet, if you look behind the scenes, did that CIO really have the ability to control the financial resources and the human resources in that agency? I will give you an example. We talked today about the Ds received in information system security. I believe a lot of CIOs in Government know what it takes to address those deficiencies in information system security, yet they lack the dollars and the resources and the staff to do it, and the authority to get that resources and staff. So I think we need a model that, as when projects are approved, dollars are set aside, but those dollars are controlled by the CIO, and then we can hold them accountable. Mr. Putnam. Ms. Stouffer. Ms. Stouffer. I think there would be value in reworking the entire statutory framework and providing more clarity regarding roles and responsibilities and accountability. Clearly, the CIO needs to have influence on the budget process, particularly as it relates to information technology investments. So clearly understanding that they have a place at the table in that process is important. It would be helpful if OMB worked to develop strategy that is consistent across the board on how we pull funds when we do cross-agency initiatives. This strategy would address consistent criteria for how agencies are assessed for their share of an initiative making it easier for the CIOs when they are actually trying to implement e-gov initiatives and scramble for dollars at the same time. So I think, again, one value would be to rework the entire statutory framework and the guidance that is coming out of OMB, provide some clarity, perhaps consolidate some of it in such a way that it is easier to understand and point to; and I think that would be useful. Mr. Putnam. You have also served as a CTO. Ms. Stouffer. Yes. Mr. Putnam. Some agencies have them, some agencies do not. Please, if you will, share our impressions of the value of having a CTO as well as a CIO, and whether that is something that should be adopted by every agency. Ms. Stouffer. I believe that having a position entitled CTO is valuable. I think that even where you have organizations that don't have a position entitled CTO, you often have people fulfilling that role entitled something else. Typically they are more focused on the technology issues and less focused on the information issues and the business issues associated with performance gaps and leveraging technology to fill those gaps. So they are very focused on technology. I think CTOs are everywhere, they just have different titles at different agencies. Mr. Putnam. And finally, because we are going to need to seat the third panel--I hate to cut this short, but we will be submitting questions and answers for the record--as we have all of these hearings, typically agency culture, personnel and training are greater issues than technology itself in terms of being an impediment to progress and to change. Has the role of the CIO been fully accepted and worked into the management structure of the agencies as you have seen it? Ms. Stouffer. Ms. Stouffer. I believe that CIOs are becoming more and more effective. Obviously, as technology advances and as CIOs mature and their role in the organization is better understood, they are having more and more of an impact. Technology has now actually become disruptive in some cases because it is driving certain business decisions in areas where it can actually accomplish business needs. Having the knowledge of emerging technologies, and how they can further desired business outcomes is important. The CIO's contribution in making major business and technology decisions is increasingly recognized. So they are making progress. Mr. Putnam. Mr. Flyzik. Mr. Flyzik. Mr. Chairman, I believe the results are mixed all over the Government. I believe in some Government agencies you see CIOs making strategic decisions in part of every strategic process that takes place; I think in others we have a long way to go. I think in some agencies under secretaries, assistant secretaries view the CIO as someone that gets in the way and I need to find my way around that particular individual in order to get my programs done. All in all, though, I think we are moving in the right direction and I think hearings like these are a good way to keep the momentum on the move in that direction. I think culture change, sir, takes a long time. I know my life at Treasury, I believe it took, in my opinion, probably 10 years before we actually got into a true enterprise environment from the days it was first talked about to where everybody actually bought into a concept of an enterprise approach to very large programs. I think culture is going to take time, but I think we are moving in the right direction and I think we have to keep the pressure on and keep momentum moving in the right direction, and I applaud this subcommittee for being a catalyst in doing that. Mr. Putnam. Mr. Brubaker. Mr. Brubaker. Yes, I think the prior two speakers are right. It depends on the agency. Yes, in some cases; no in many others. But from my view, my experience in government, things seem to just be moving too slowly, and that is why I was particularly pleased to see the advocacy of the chief operating officer position in the GAO report. Maybe advocacy is too strong of a word, but they mentioned it, and I have seen it in the press and in some pronouncements out of GAO, where they seem to be advocating for a chief operating officer position that would be a term appointment with a contract that would lead that management team of the CIO and the CFO to really transform agencies. I think that is critical. I think you are still dealing with that industrial age bureaucracy, if you will, and we are expecting information age results out of it, and it just doesn't work. Mr. Putnam. Thank you all very much. I again apologize for cutting this short, but we are interested in hearing from all three panels before the meeting is broken up by votes. So at this time the subcommittee will recess to set up the third panel. Thank you all very much. [Recess.] Mr. Putnam. The third panel, I appreciate your patience and your willingness to come before the subcommittee. Please rise and raise your right hands for the administration of the oath. [Witnesses sworn.] Mr. Putnam. Note for the record that all the witnesses responded in the affirmative. Our first witness for this panel is Kim Nelson. Ms. Nelson is the Assistant Administrator for Environmental Information and Chief Information Officer at the EPA. Before joining EPA, Ms. Nelson served the Commonwealth of Pennsylvania for 22 years. Notably, she was the first executive to hold the position of chief information officer in Pennsylvania's Department of Environmental Protection. Thank you for joining the subcommittee again. Your testimony is always very helpful. You are recognized for 5 minutes. STATEMENTS OF KIMBERLY NELSON, ASSISTANT ADMINISTRATOR OF ENVIRONMENTAL INFORMATION AND CHIEF INFORMATION OFFICER, ENVIRONMENTAL PROTECTION AGENCY; STEVEN COOPER, CHIEF INFORMATION OFFICER, DEPARTMENT OF HOMELAND SECURITY; VANCE HITCH, DEPUTY ASSISTANT ATTORNEY GENERAL, INFORMATION RESOURCES MANAGEMENT AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF JUSTICE; AND IRA HOBBS, DEPUTY ASSISTANT SECRETARY FOR INFORMATION SYSTEMS AND CHIEF INFORMATION OFFICER, DEPARTMENT OF THE TREASURY Ms. Nelson. Thank you, Mr. Chairman. I appreciate the opportunity to return today and talk about some of the issues that are on your agenda today, particularly the role of the CIO. You have asked some important questions, and while I have answered those in my written testimony, I will just briefly touch on some of those as part of the oral testimony here today. First and foremost, I want to emphasize the fact that the chief information officer title has the word information in it, and that is important. What is also important is that the word technology is not there. And what I want to emphasize is the fact that it is the information component which I think is most important to the role that we play in our organizations. And while technology is important and we tend to talk a lot about IT and technology, the fact is that technology is only an enabler, and what you are looking for in a CIO is somebody who can really work with people and organizations to achieve results; and that takes a lot of work to work in concert with people and processes to make a difference in your organization. You have asked some questions about the responsibilities that are most critical for a Federal CIO. I was looking at this chart before the hearing began, and looked at all the responsibilities that were listed there. In my own testimony, I focused on those that are listed at the top as some of the most important ones, and I think that is supported by the chart. I would say, however, that the position I hold at EPA in fact includes all of those responsibilities in whole or in part, including the one at the bottom, statistical work. For instance, this last year my office, in conjunction with our Office of Research and Development, issued the first ever Report on the Environment. And again that is significant because it is the first time we were ever able to report to the American public what we know about the condition of the environment, and that is a way to use information to be able to demonstrate real results. Again, the focus being on how we use information. Reporting structure has been a topic today. I do think it is an important topic. I believe I am fortunate to have, frankly, one of the best positions in the entire Federal Government when it comes to the roles and responsibilities of a CIO. At EPA I report to the administrator through the deputy administrator. I have a position that is equal to the peers in my organization that manage the business units, the air office, the water office, the emergency response and waste office. So I sit at the table at the same level and with the same political appointment and confirmation by the Senate as the other people who are setting policy within the organization. I think that is important because if you look, frankly, at some of the most recent Gartner research, what it shows is that it is important to have that ability to sit at the table and have access to an understanding of the business of the organization. And, frankly, if I weren't at that same level, I would not be able to interact with those that are making business and policy decisions within the organization. When we talk about the duration, I, of course, am new to the Federal Government. I guess when you had your previous panel here, I am the first one speaking who actually came in as someone new to the Federal Government to have taken the CIO position. I had 22 years in State government; I actually held a very similar position in my agency shortly before I left there. I came into this position fully expecting to stay at least 3 years, and in September will mark 3 years from the date I arrived and November will be 3 years from the date I was confirmed. And I expect it will take at least that amount of time to achieve some of the things I wanted to do when I came on board; and I cited a number of reasons why I think 3 years is important in my testimony that I submitted. Finally, some of the characteristics that are important to the CIO; you have already heard about vision, leadership, communication. They are all important. The bottom line is you have to be able to deliver results. And, last, the one point I want to make about the biggest challenge. The single biggest challenge, in my mind today, is the CIO's responsibility to manage enterprise-wide projects. We talked about some of those at a hearing earlier. The governance issues surrounding managing projects across agency are considerable, and we are treading new water here. We are breaking new ground, and it is critical we establish those processes for managing these governmentwide projects. So I will stop there and I will take questions later when you are ready. Thank you. [The prepared statement of Ms. Nelson follows:] [GRAPHIC] [TIFF OMITTED] 98209.050 [GRAPHIC] [TIFF OMITTED] 98209.051 [GRAPHIC] [TIFF OMITTED] 98209.052 [GRAPHIC] [TIFF OMITTED] 98209.053 [GRAPHIC] [TIFF OMITTED] 98209.054 [GRAPHIC] [TIFF OMITTED] 98209.055 [GRAPHIC] [TIFF OMITTED] 98209.056 [GRAPHIC] [TIFF OMITTED] 98209.057 Mr. Putnam. Thank you. Our next witness is Steven Cooper. Mr. Cooper was appointed by President Bush to be the first CIO of the Department of Homeland Security. He and his team have responsibility for the information technology assets supporting 190 Federal employees of the 22 agencies now comprising the new department. Before joining Federal Government service, Mr. Cooper spent more than 20 years in the private sector as an information technology professional. Welcome to the subcommittee. You are recognized, sir, for 5 minutes. Mr. Cooper. Thank you, Mr. Chairman. It is indeed my pleasure to appear before you today and share a few views based upon nearly 30 years as an information technology professional, including the past 2\1/2\ in the Federal sector. I have served as the CIO of the Department of Homeland Security since its inception, and it has been a fairly significant learning curve for me coming into the Federal environment. There is, as you have heard from previous panelists, a significant amount of legislation and statutory requirements which, in a very short period of time, is fairly substantial to absorb. Therefore, I would argue that one of the primary responsibilities of any CIO is to ensure the optimal and appropriate use of information and to understand the legislative and statutory requirements that enable an agency to succeed and a CIO to be successful. A CIO must also act as an agent of change by guiding organizational and transformational and business process re- engineering to most effectively meet the strategic and operational objectives of the agency. I would argue that the CIO is one of the very few individuals whose view of the agency is always horizontal. Every day we see not a vertical view of any particular business unit or organizational segment, but we are the people who are held accountable for understanding how all those moving parts and pieces that use information technology fit together. It is in that context that I do think that the placement of the CIO in the organization does become important. What is most important has been stated by my colleagues here on this panel and the previous panelists, and that is the seat at the business table is what is critical. The placement in the organization, simply put, the higher the level, the more that the placement kind of ensures the seat at the table. It doesn't automatically imply that a CIO cannot succeed if they do not report directly to the secretary. It makes it significantly more difficult the more levels that the individual is kind of down from the head of the agency, and you have to offset that by the time it takes to then build the credibility and gain the seat at the business table. With regard to roles and responsibilities, primarily the CIO is responsible for leading the use and application of all IT assets deployed across the department, and that includes both the human resources and the financial resources. That is what actually ensures the ability to use information effectively within the department. This is achieved, in my opinion, by guiding the department's development and use of enterprise architecture best practices, and they include obtaining senior management employee buy-in and involvement, demonstrating how IT can enable mission effectiveness and efficiency; guiding the proper choice of technology to meet mission goals; documenting and using portfolio management techniques that allow rapid decisionmaking regarding IT investment choices in very difficult times and also in a resource-constrained environment. As far as characteristics and qualifications that CIOs should possess, good business skills, business mission operation sense of what is going on in the agency, that is the credibility; good management skills, ability to lead change, working knowledge of IT gained from hands-on or practical experience, great communication skills, and most importantly, in my opinion, a sense of humor and a pretty tough skin. Guts are in there somewhere. We have to be able to place mission first and career second. We are held accountable for basically everything in the IT environment. And I will leave to my colleagues and previous panelists, and perhaps the question and answer period, how best to actually accomplish accountability, responsibility, and the blend thereof. I happen to think that a whole lot of it has to do with metrics and performance measures. In closing, I would simply like to say that the opportunity is unique at the moment inside the Department of Homeland Security simply because we are still in a startup mode, and a lot of what I face as a CIO in the Department of Homeland Security, I am envious of other CIOs who have a bit more stability and maturity to their organizations. So some of what my experience has been may not be reflective or may not be typical of what some of the other more mature departments and other Federal CIOs may face. I look forward to your questions. [The prepared statement of Mr. Cooper follows:] [GRAPHIC] [TIFF OMITTED] 98209.058 [GRAPHIC] [TIFF OMITTED] 98209.059 [GRAPHIC] [TIFF OMITTED] 98209.060 [GRAPHIC] [TIFF OMITTED] 98209.061 Mr. Putnam. Thank you very much. Our next witness is Mr. Vance Hitch. Mr. Hitch serves as the Chief Information Office of the Department of Justice. He manages the Department's $1.7 billion IT program, overseeing management acquisition and integration of the Department's information resources. His oversight includes strategic planning, policy, capital planning, systems development, telecommunications, information security, data management, enterprise architecture, e-government, and user computing. Before coming to the Department of Justice, Mr. Hitch was a senior partner with Accensure. He has 28 years of experience in leading government organizations successfully through major change initiatives. Welcome to the subcommittee, sir. You are recognized. Mr. Hitch. Thank you, Mr. Chairman. I am pleased to be here to talk about my job and how it fits at the Department of Justice and the Federal community. As you have stated, I come from the outside, 27 years of outside experience managing large IT projects and major change programs, both in a variety of industries as well as government. I have been the CIO of the Department of Justice for 2 years this past April, so I already am senior to the average CIO, which is hard to believe. You asked a number of questions, responsibilities critical to my success. I believe my principal responsibility as a CIO is to create and lead an organization that will enable our mission accomplishment through technology. That is first and foremost my responsibility. And there is a lot of management responsibilities that go along with, but I view my job as mission accomplishment. At the Department of Justice I came upon a very decentralized organization, and, therefore, my job in accomplishing that mission was to more strongly coordinate from a central perspective the IT organization, and that has required major change. That was particularly important in the Department of Justice, since I came on board after September 11 and a new mission had been created at the Department of Justice, and that was counterterrorism. So we really had to do things differently than we had done before, which was a burning platform for me; and I used that in terms of creating the organization that I needed to carry out what I view as my mission. Some of the key responsibilities that I have are those that are listed there on the chart by the GAO: obviously, enterprise architecture, IT investment management, security, IT human capital planning, and program oversight. And I think all of those are important, but I do think having a major impact on the IT budget is absolutely critical. Having the ability to start and stop projects, if necessary, is important. So I think those things are echoing what I have heard some of the other panelists say. One of the things that I did that is unique at the Department of Justice that I used as a platform to help create some of the change in carrying out my responsibilities was a program that we are now pursuing called the Law Enforcement Information Sharing Program. And initiated this program about a year ago as a way of bringing together our various law enforcement components who, as I said, grew up with strong cultures of their own and as a decentralized organization, to get them to better share information effectively. And that is particularly important in our counterterrorism as well as our law enforcement missions. The way I did that was by creating subgroups to deal with any policy changes we needed, any changes in our concept of operations, as well as technology; and out of that technology subgroup came what I call our strategic IT architecture for information sharing at the Department of Justice. We now have that as kind of the bible of what we are trying to do to achieve information sharing, and what I am doing is mapping all of the forty-some odd programs that we have and IT initiatives that we have that many of them came before I became CIO at the Department of Justice; they had their origins as stovepipe systems. I am sure you have heard that term. So it was my job to somehow fit them together. This IT information sharing architecture is what lets me do that, and I map into that architecture and then it basically allows me to identify the changes necessary in each IT program to achieve our overall information sharing goals. So that is one of the ways I have used enterprise architecture as a tool to help me achieve my mission. You wanted some comments, and you got lots of them from everybody, about the most important aspect of the reporting structure, and what is the most effective way that we can report. I will comment on what we have at the Department of Justice, which I think works very well. I will say that it was new with me coming on board, it did not exist prior to my coming on board as the CIO in April of 2 years ago. The reporting relationships that I have are I do report directly to the Attorney General on matters of IT policy and IT strategy, and I report to the Assistant Attorney General for administration on operational matters. I think reporting to the top of the organization is extremely important because I must be viewed at the same table and I must be viewed as a peer of the component heads, and those are the heads of the FBI, the heads of the Drug Enforcement Agency, the U.S. Marshals, all those major agencies within the Department of Justice. I must be viewed as somebody who can be their helper in making things happen at their agency and across the department in IT. And that is the only way that I will be able to achieve my mission of making IT a strategic enabler of our mission accomplishment, which is law enforcement and counterterrorism across the whole department. As part of my reporting responsibilities, I sit on the Strategic Advisory Council, which is chaired by the deputy attorney general, and that includes all the members of the largest components of the organization and deal with all strategic matters. Obviously, I sit on it as a representative of the IT interest of the whole department. I also sit on a council called the National Security Coordinating Council within the Department of Justice. It is composed of the component heads, once again, of the law enforcement agencies, and that enables me to get close to their business to make sure that I have my finger on the pulse of what is our mission and what we are trying to achieve from a law enforcement standpoint. So I think those are critical reporting relationships. Commenting on the duration, the term that is necessary. Basically, I believe 3 to 4 years is what is necessary to have a lasting impact. Actually, I do believe that I was effective almost immediately, and that is through having an impact on individual programs that were already underway. But given the fact that it takes at least 2 years to have an impact on the budget itself, because of the budgeting cycle in the Federal Government, to get those programs initiated and to make them real, it is going to take at least 3 to 4 years to have them implemented. Concerning the characteristics, I think you have heard a lot. Mr. Putnam. We will get to this in questions, but I do want to get to the testimony before we have votes, and your time has expired. So if you could just summarize for us, please, and then I will go to Mr. Hobbs. Mr. Hitch. OK. I don't think I have anything new to add in terms of characteristics of a CIO, except I do want to add one, which is persistence. You know, basically working in the Federal Government is a big bureaucracy; it takes a long time to accomplish things. I think you have to keep at it, go the extra mile, do whatever it takes to earn respect and confidence of the colleagues. Major challenges, I think my biggest one is culture change, because I said initially that we are going from a decentralized organization to one which is much more strongly centrally coordinated. The concept of a CIO was not there when I arrived, so making that culture change to become an effective CIO in that kind of organization is the biggest challenge that I face. [The prepared statement of Mr. Hitch follows:] [GRAPHIC] [TIFF OMITTED] 98209.062 [GRAPHIC] [TIFF OMITTED] 98209.063 [GRAPHIC] [TIFF OMITTED] 98209.064 [GRAPHIC] [TIFF OMITTED] 98209.065 [GRAPHIC] [TIFF OMITTED] 98209.066 Mr. Putnam. Thank you very much. Our next witness is Mr. Hobbs. Mr. Ira Hobbs is the Treasury Department's Chief Information Officer. Mr. Hobbs came to Treasury from the U.S. Department of Agriculture, where he has served as the Deputy Chief Information Officer for the past 7 years. He has an extensive background in Federal policy development and information technology and program management, including a 22-year career at USDA. Welcome to the subcommittee, sir. You are recognized for 5 minutes. Mr. Hobbs. Thank you. Mr. Chairman and members of the subcommittee, thank you for inviting me here today to discuss the roles and responsibilities of Federal chief information officers. With the current Clinger-Cohen Act as our guide, I have been one of many Federal executives working to improve our Government's management of our information and IT resources. While we still have many miles to go, I am proud of what, as a community, we have achieved, and I hope my perspective will add some value to our discussion this afternoon. Having already heard from so many experienced executives, I will keep my opening comments brief. I am honored to be here today representing the U.S. Department of the Treasury as its chief information officer. Prior to joining Treasury, I did serve as the Deputy Chief Information Officer of the Department of Agriculture, where I worked for 7 years under three different political CIOs. To be a successful Federal chief information officer, one must practice executive leadership, and have strong management and communication skills. Fundamentally, I believe these qualities are more important than having a strong technical background. The major challenges we face are not technical challenges; addressing and overcoming them requires seasoned and skilled leadership. Meeting these challenges also require support from the secretary's office, time to learn organizational business and culture, and to establish the relationships necessary to effectively implement change; prioritizing amongst the many competing responsibilities of a CIO; and, most importantly, directing and motivating employees and contractors who are the people every CIO relies on to get the job done and results achieved. In my experiences, some of the issues raised, such as the time required for CIOs to achieve transformation, are mitigated by having a strong deputy CIO. In addition to providing for continuity and complimenting the skills of a CIO, a good deputy CIO can shorten the learning curve of a new CIO and free the CIO to focus on high-priority outward-facing initiatives while the deputy CIO serves as the chief operating official internally, making sure that all of the trains are kept running and that they are kept running on time. This was the model during my tenure as deputy CIO at the Department of Agriculture, and I like to believe that it was a successful one. A large part of the progress we have made in recent years is due to the statutory framework laid out by Congress in the Clinger-Cohen Act and related legislation, the aggressive implementation of these laws by the Office of Management and Budget, and the continuing, maturing role of the Federal CIO. Thank you for the opportunity to be present today to present my thoughts, and I look forward to any questions that I might be able to answer. [The prepared statement of Mr. Hobbs follows:] [GRAPHIC] [TIFF OMITTED] 98209.067 [GRAPHIC] [TIFF OMITTED] 98209.068 [GRAPHIC] [TIFF OMITTED] 98209.069 Mr. Putnam. Thank you very much. We appreciate all of your testimony and I am particularly pleased that we are were able to get through it without the votes interrupting us. For all of you, how do your offices interact with the other high-ranking officers in the agency, like the CFO, when making capital planning decisions? And we will begin with Ms. Nelson. Ms. Nelson. The partnership we have with the CFO is probably the most important partnership in the agency. We have set up a process since I have been at EPA as part of our investment and planning process where the deputy CIO and the deputy CFO oversee a committee made up of others throughout the agency that review our portfolio, and it is through that committee that is chaired by the two offices that the portfolio is approved and then ultimately comes to me for final approval. I work with the CFO to ensure that everything that is in that portfolio is accounted for in our budget. So no longer are we doing what we used to do, which is put business cases forward when funding didn't exist in the budget for those business cases. Mr. Cooper. In the Department of Homeland Security, under the under secretary for management, all of the CXOs, the chief administrative officer, the chief human capital officer, the chief procurement officer, the chief financial officer, chief information, we meet twice a week and basically are in lockstep on almost everything related to management, particularly the financial budget process, capital planning and investment. I would argue that within the department we have a very strong and every effective relationship with the other chiefs, and we will continue to mature those processes. It is also reflected in our investment review process, which we have introduced into the department. Mr. Putnam. Mr. Hitch. Mr. Hitch. At the Department of Justice , I report from an operational standpoint to the assistant attorney general for administration, to whom the controller reports. So I interact on a regular basis with the controller and the CFO. From a more form standpoint, I chair the IT investment management process and I invite as members both the controller and the assistant attorney general for administration to review all our IT projects in some level of detail as they are coming along. Also, in the budget process, which we go through, it seems like, all the time, but we are going through right now for the 2006 budget year, I am involved in all of the budget deliberations about all of the IT budget items, both in the initial cuts as well as the final cut. Mr. Putnam. Mr. Hobbs. Mr. Hobbs. Being new to the Department of the Treasury, our relationship is evolving; however, to start out, we have both a chief financial officer and a budget officer. I have been involved in all of the 2006 budget preparations in terms of hearings by the deputy secretary with all of the major bureaus and asked to comment and provide feedback on proposals in that regard. The CFO and I have a relationship that we are starting to evolve as we look at our capital investments and our ongoing investments, and so I believe that we are on a firm footing to establish a very strategic and tactical relationship in terms of our reviewing the information technology budgets and performance of IT investments for the department. Mr. Putnam. Mr. Hobbs, you are relatively new to the Treasury, you said your relationship is still evolving, but tell us, if you would, were there major differences in process, procedures, and approach, the fusion of the CIO into management between the two Federal departments that you have now worked for? Mr. Hobbs. I think it is fair to say that they are different. At the Department of Agriculture the process was a lot more mature. The Department of Treasury has gone through a fairly large reorganization that has pulled a lot of that maturity out of its organizations. It is now being reformulated, but I think they are on a very positive path. We have some growing to do, we have some maturing to do, but the deputy secretary has established a process where we all have an equal seat at the table from a management perspective, and he expects us to work together for a common good in terms of how we deliver goods and services back to the citizens. That involves a very active engagement and role by the CIO in the budget and funding process of IT investments across the department. Mr. Putnam. Mr. Cooper, Mr. Hitch, let me ask you a twist on the same question. Both of you have extensive private sector experience, senior partner at Accensure. How dramatic a difference did you find between your work at the private sector for years and your career in the Federal world? Mr. Hitch first. Mr. Hitch. Well, it was pretty dramatic. I did have a taste of what it might be like because during my career I worked with the Federal Government on many major projects, as well as State and local governments, so I knew kind of what I was getting into, but you never really know for sure until you are there. And then going through the budget process is where you really learn how to operate in the Federal Government, I think, effectively. So it was a very big change, but I do think my background prepared me very well for the challenges that I face, because we are dealing with very large projects, we are dealing with culture change and major change programs, and as I said in my statement, having a business perspective is extremely important, because we are really managing a portfolio. And then I think also the process orientation that I bring, understanding the business processes, where you start. You don't start with the technology. I think really having that as a strong background really helps me be effective in my organization, because that is why I said my main job, I believe, is enabling the mission of the organization through technology. Mr. Putnam. Mr. Cooper. Mr. Cooper. Yes. Having served as a CIO in the private sector, it is, in my opinion, dramatically different. In the private sector the CIO was a member of the executive committee; there were basically about five or six people across the company, and those people effectively sat at the same table, heard all the same business decisions, participated in strategy vision development for the corporation. That is a little different than what I have experienced thus far in the Department of Homeland Security. Not a value judgment, just different. One of the things that was able to be done in the private sector, if business drivers or external events drove a change in the business plan of the corporation, the ability of basically the CIO to immediately reprioritize or reprogram or change the investment of assets or the direction of programs or something was in fact instantaneous. That is, again, a little bit different in the Federal sector; there are more people involved, it is a little bit lengthier process, honestly a little bit more convoluted for me in the learning curve type of situation. The other thing that plays out is that there was a more effective process to prioritize in the private sector across different business units. The way I would exemplify that, in the Department of Homeland Security I can tell you the top 10 of each of our under secretaries and/or their major programs. Where I have a little bit more difficulty is determining which of all of those top 10 are in fact the department's top 10. Now, part of that is maturity, so this is not criticism. We are learning, we are shaping, we are putting processes and we are becoming more effective with each month that goes by. But that is a significant difference. Those three examples that I give you are significantly different than what I had experienced in the private sector. Mr. Putnam. Ms. Nelson, difference between State and Federal? Ms. Nelson. You know, I had the good fortune of having an almost identical position in an environmental agency in State government, so the transition here probably wasn't nearly as startling as it was for somebody simply coming in from the private sector. The roles, responsibilities, and reporting relationship were almost identical. What is different, and I tell everybody, are things like this. We didn't have anybody in the general assembly who really cared and held hearings. We didn't have anybody in our legislative and budget and finance committee, which is comparable to GAO, who cared and audited or wrote reports. We didn't have an inspector general who provided the kind of oversight that we often get here. And, in fact, we didn't have anything like a Clinger-Cohen Act. What we did, while it is almost identical to the roles and responsibilities I have now, we simply did because it was good government, and, consequently, we often did it without a lot of oversight like this. Mr. Putnam. You have heard the second panel of former CIOs, and like all good former Federal employees, they have an awful lot of bolder statements to make than perhaps they would have made had they still been on the payroll. What do you glean from what they have shared with this subcommittee, what lessons learned can you apply, particularly with respect to the questions that we have asked both panels, the turnover, the reporting to the top administrator? Most of you have touched on this, but if you would address it more fully, just if you would reflect on what they have said with regard to those and other matters that they raised. Mr. Hobbs, we will begin with you. Mr. Hobbs. And here I was waiting for you to come the other way. Mr. Putnam. Well, I like to keep people off guard. Mr. Hobbs. First with respect to the issue on turnover. I think that succession planning is an integral part of any manager's responsibility, for one never knows the moment, the hour, the day when a person will leave. I believe very strongly in the dual role of the CIO and the deputy CIO. My own experiences have demonstrated over 7 years I served under three different CIOs, yet our organization continued, I thought, to move forward and to function. I am not sure that going to term appointments means any more than going to politically appointed positions means any more than going to career appointed positions. I think it is inherently the responsibility of each manager to prepare for the organization in terms of when you are not there, not so much for while you are there. So I think succession planning is the key and I think that it is one of the missing elements that we have in the Federal Government in terms of how we prepared our organizations for transitions and transformations. I believe it is also very critical, when we talk about transformation, I hear people talking 3, 4, and 5 years. I believe the transformations come in succession. And what I mean by that is, as one of my colleagues here said today, it takes 2\1/2\ years to effect a budget process. That is one form if transformation. It takes 2 or 3 years to impact people and culture. That is another form of transformation. The important thing is to establish an approach and a plan about how you are going to do it and then build in the succession planning models that allow your organization to function in your absence. I believe that is key and critical for us who are in government leading large organizations. Mr. Putnam. Mr. Hitch. Mr. Hitch. I do think turnover is an issue. I do think that turnover is an issue for CIOs everywhere, not just in the Federal Government. But I do think it is even more of an issue in the Federal Government. I think that it does take a while to have a lasting impact. I think you need to be effective early on and you can be effective on a lot of issues early on, but to have a lasting impact, to really change the culture, to really change the programs, to really bring in the people that are needed, at least in an organization that needs a lot of help when you first get there, is going to take a while to do. So I think turnover is an issue. I think the 3 to 4 year timeframe is realistic and perhaps even optimistic and aggressive, in terms of really getting something done, but I feel that is a good benchmark. It somewhat depends on the maturity and the depth of the organization you came in to run, if you are taking over. I came into an organization that didn't have a real CIO and didn't perform many of the Clinger-Cohen functions, so I had to create an organization, fill those positions. So I think that turnover is an issue depending on the stability and maturity of the CIO organization within the agency you are talking about. Mr. Putnam. Mr. Cooper. Mr. Cooper. I too would agree that I think turnover is an issue and it is important to be addressed. I would actually concur with what Mr. Hobbs said. I think the key points that he raised, deputy succession planning, are fundamental and critical success factors in addressing that. But I would offer one additional observation that I actually haven't heard mentioned in any of our three panels today. One of the things that I have observed in a relatively short period of time, so I have no data beyond about 2, 2\1/2\ years, the lure of the private sector for skilled and seasoned chief information officers out of the Federal Government is very, very significant. One of the things that obviously plays a role in that is kind of the overall ability of the Federal environment to compensate and incent and reward not just chief information officers, but key career individuals across the Federal Government. I would suggest that perhaps over time that might be something that could be explored through surveys or appropriate bodies to explore how much does compensation and incentives play a role in decisions to leave the Federal Government from a CIO position. Ms. Nelson. In preparation for today's hearing, I actually brushed up on some long overdue reading and research, and while most of it confirmed my own suspicions, there was one thing that I found very surprising, and it was a Gartner survey of CEOs across the country. In response to a question about transformation, they cited two things that most often get in the way of transformation. The first was culture, and we have talked about that on several occasions. The second, interestingly enough, was IT, both technology and their technology organizations, their IT organizations. They cited them as often being slow, cumbersome, risk adverse, and getting in the way of the changes they want to make. That being the case, and in combination with another survey that was done of what are the characteristics most exhibited by successful government CIOs, one of those characteristics was the fact that the CEO of the organization selected the CIO. And I think those two go hand in hand to paint the picture that I agree with. I believe a CIO can best serve the organization if they are political, because that means they are sitting with the most senior leadership in the organization. In most agencies, the senior leadership is political; the cabinet head, the deputy secretary. So in order to be able to sit at the table to truly understand the business, the strategy, and the policies of the organization, I do think you need a political CIO. I agree with Ira that you are going to have turnover. I don't think the turnover of political CIOs is all that much different than the turnover of political appointees in general. So we just need to accept the fact that you are going to have turnover, just like the Army accepts the fact that you can bring people in for a couple of years and train them and put them back out when there is a draft. Accept the fact and have a strong deputy CIO, have a strong transition planning process, and I think those two things combined can oftentimes achieve the greatest results, because the CIO is close to the CEO, or in government case, a deputy secretary or agency head, understands the demands, understands they have a short time period, and they will push for change. Mr. Putnam. Mr. Cooper, you raised the issue of compensation, which is a fair one to raise. I had been raising the issue of accountability on the negative side. Compensation is certainly an appropriate thing to bring up on the positive side, on the encouragement, incentivizing side. It does raise a number of interesting questions. For example, in Department of Homeland Security, your department's budget is what? Mr. Cooper. For IT or overall? Overall it is about $40 billion. Mr. Putnam. And for IT? Mr. Cooper. About 10 percent, about 4.2 of that. Mr. Putnam. So slightly larger than most of the private sector companies---- Mr. Cooper. That is correct. Mr. Putnam [continuing]. That are attracting a lot of our talent and paying them substantially more. I hate to ask you to solve the question that you raised, but recognizing that it is a legitimate issue, how do we arrange a schedule that is commensurate with running the Department of Defense, running the Department of Homeland Security or running the Department of Justice or Treasury? Of course, I think Mr. Hobbs just goes out to the printer in the back room and pulls a few sheets of or something like that to take care of the Christmas bonus. But if you don't work in that department, how do we compensate people and compete with the private sector, knowing what people would be worth in the private sector for far less responsibility than what you carry? Mr. Cooper. Mr. Chairman, would you allow me to think on this for a week and get back to you? Mr. Putnam. I would. Mr. Cooper. I don't have a good answer. I am not trying to duck the question at all; it is one that we really have talked about a fair amount in the department. We simply just don't have a real effective answer yet. There is perhaps a model that might serve. I know, for example, that in the Department of Veterans Affairs physicians actually are on slightly different pay scales; they are able to pay higher than just what I think of as the GS pay scale. I also know that in our own department there are some incentives around our scientists for, specifically, the reason that we have to compete with the universities and the research institutes across the United States. Those might serve as models for key technical personnel in the Federal Government. But if you allow me to give it a little bit more thought, I would like to comment. Mr. Putnam. Sure. And there is an entire commission working on it. I think this is what somebody gave Paul Volcker the job of going and solving this problem. It is a legitimate issue, but there are no easy answers considering the system of government that we have. Mr. Hitch, what brought you into public service? What brought you into the public sector, coming from where you were? Mr. Hitch. Yes, I kind of went in the reverse direction from what we find in many of the CIOs who spend a long time career in the Government and then went outside. Frankly, I came to the Department of Justice to make something happen that I would hope would help the national security of the country. And I think that goal is something that is real, the desire to do public service, just like people in Congress or anything else; you are here to do public service. It is especially hard on CIOs because there is such a huge disparate pay scale, and the draw of the counterparts in the private sector funds that work for us who make multiples. So I think a different pay schedule, something like Steve was talking about, may be helpful. I do think we do need to solve better, I think, the problem of just accountability and responsibilities, because I hear it in a lot of private discussions among CIOs, and I also have experience in some of the components within Justice who brought people in from the outside, very, very accomplished CIOs who were on the outside, who came in basically because of changes in culture and not able to adapt quickly enough to the culture, an inability to make something happen in a realtime basis, which is different in the Federal Government from the private sector. You can make things happen faster in the private sector, that is why I made the comment about persistence. So I think the reporting relationships are important, because that is what enables you to make something happen in more of a reasonable time. It is going to take longer in the government than it does in the private sector, but if you aren't positioned properly in the organization and don't have enough credibility and are viewed as a peer by the people that you need to influence strongly in order to be effective, it is a disincentive, so that is a reason a lot of people leave. Mr. Putnam. I would like to give our panelists an opportunity for closing comments as we wind this down. Give us the answer to the question you wish you had been asked or final thoughts, whatever you choose, beginning with Ms. Nelson. And, Mr. Hobbs, you are going to get the last word for us. So, Ms. Nelson, you are recognized. Ms. Nelson. The day is late, everybody is tired, I am sure, so I have said everything I needed to say or someone else has said it. So thank you for the opportunity. Mr. Putnam. Beautifully spoken. Mr. Cooper. Mr. Cooper. That is tough to follow, but I would echo the same thing. Thank you. Mr. Putnam. Mr. Hitch. Mr. Hitch. I am not going to delay this any more. Mr. Putnam. You all act like it is excruciating. Mr. Hobbs. I guess, Congressman, the last word does come to me. I think it important, from my perspective, that the role of the Federal CIO continues to be examined, and certainly applaud you for the work that you have done within our community in the last couple of years and continue to ask us to raise the bar in terms of performance and in terms of accountability and in terms of results. But I also point out sometimes that when we are called, it seems as if we are islands unto ourselves, that we somehow are responsible for everything. And so I simply point out what an old friend has always said to me: it is more about the team than it is about the individual. And that team is both the management group across the department, as well as the organization that CIOs build. So sometimes I think it important to examine team performance just as closely as we look at the CIO's role. We hope sometimes to have more authority and more responsibility than we actually have. So I applaud you for your effort, but I also point out the team is smarter than any one individual is ever going to be in terms of improving the economy and the efficiency of government, and that is where I believe the proof of the pudding truly lies, with the team. Mr. Putnam. Thank you very much. I appreciate the testimony of all of our witnesses, and in the event that there may be additional questions we did not have time for today, the record will remain open for 2 weeks for submitted questions and answers. This meeting is adjourned. [Whereupon, at 5 p.m., the subcommittee was adjourned, to reconvene at the call of the Chair.] [Additional information submitted for the hearing record follows:] [GRAPHIC] [TIFF OMITTED] 98209.070