Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges (21-JUL-04, GAO-04-823).
Although the federal government has invested substantially in
information technology (IT), its success in managing information
resources has varied. Agencies have taken steps to implement
modern strategies, systems, and management policies and
practices, but they still face significant information and
technology management challenges. Recognizing the key role of the
chief information officer (CIO) in helping an agency to achieve
better results through IT, congressional requesters asked GAO to
study the current status of CIOs at major departments and
agencies. Among the topics this report describes are (1) CIOs'
responsibilities and reporting relationships, and (2) current
CIOs' professional backgrounds and the tenures of all of the CIOs
since enactment of the Clinger-Cohen Act.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-04-823
ACCNO: A11071
TITLE: Federal Chief Information Officers: Responsibilities,
Reporting Relationships, Tenure, and Challenges
DATE: 07/21/2004
SUBJECT: Chief information officers
Electronic government
Government information dissemination
Information resources management
Information technology
Reporting requirements
Strategic planning
Systems design
GAO-04-823
United States Government Accountability Office
GAO Report to Congressional Requesters
July 2004
FEDERAL CHIEF INFORMATION OFFICERS
Responsibilities, Reporting Relationships, Tenure, and Challenges
Highlights of GAO-04-823, a report to congressional requesters
As Congress holds hearings on and introduces legislation related to
information and technology management, GAO suggests that Congress consider
the results of this review and whether the existing statutory requirements
related to CIO responsibilities and reporting to the agency head reflect
the most effective assignment of information and technology management
responsibilities and reporting relationships. In responding to a draft of
this report, most agencies stated that they had no comment.
To view the full product, including the scope and methodology, see
www.gao.gov/cgi-bin/getrpt?GAO-04-823. For more information, contact
David A. Powner, 202-512-9286.
GAO administered a questionnaire and interviewed CIOs at 27 major
departments and agencies, finding that respondents were responsible for
most of the 13 areas we identified as either required by statute or
critical to effective information and technology management (see figure
below). All of the CIOs had responsibility for five areas, including
enterprise architecture and IT investment management. However, two of
these areas (information disclosure and statistics) were outside the
purview of more than half of the officers. Although the CIOs generally did not
think placing responsibility for some areas in separate units presented a
problem, having these responsibilities performed by multiple officials
could make the integration of various information and technology
management areas, as envisioned by law, more difficult to achieve. Given
these results, it may be time to revisit whether the current statutory
framework of responsibilities reflects the most effective assignment of
information and technology management responsibilities. The law also
generally requires that CIOs report directly to their agency heads, and 19
of the 27 said that they did. However, views were mixed among current and
former officers on whether such a direct reporting relationship was
important.
Agency CIOs come from a wide variety of professional and educational
backgrounds, but they almost always have IT or IT-related work or
educational experience. Since enactment of the Clinger-Cohen Act, the
median tenure of a federal CIO has been about 2 years; in contrast, both
current CIOs and former agency IT executives most commonly cited 3 to 5
years as the time they needed to become effective. According to some
current CIOs, high turnover is a problem because it can limit CIOs'
ability to put their agendas in place. Various mechanisms, such as human
capital flexibilities, are available for agencies to use to help them try
to reduce CIO turnover or mitigate its effect.
Number of CIOs with Responsibility for Information and Technology
Management Areas
Area                                               Number of CIOs
Capital planning and investment management         27
Enterprise architecture                            27
Information security                               27
IT/IRM strategic planning                          27
IT/IRM workforce planning                          27
Major e-gov initiatives                            25
Systems acquisition, development and integration   25
Information collection/paperwork reduction         22
Records management                                 21
Information dissemination                          20
Privacy                                            17
Information disclosure/Freedom of information       9
Statistical policy and coordination                 8
Source: Agency CIOs.
Contents
Letter
  Results in Brief
  Background
  Scope and Methodology
  CIOs Responsible for Most Areas and Generally Reported to Agency Heads
  CIOs Have Diverse Backgrounds and Generally Remained in Office about 2 Years
  Major Challenges Facing Agency CIOs
  Conclusions
  Matter for Congressional Consideration
  Agency Comments and Our Evaluation
Appendixes
  Appendix I: Chief Information Officers (CIO) Interviewed
  Appendix II: Former Agency Senior Information Technology (IT) Executive Panels
  Appendix III: Summary of CIOs' Information Management and Technology
    Responsibilities at Major Departments and Agencies
  Appendix IV: CIO Tenure at Each Department and Agency
  Appendix V: Comments from the Department of Agriculture
  Appendix VI: Comments from the Department of Defense (including the
    Departments of the Air Force, Army, and Navy)
    GAO Comments
  Appendix VII: Comments from the Department of the Interior
    GAO Comments
  Appendix VIII: Comments from the Office of Personnel Management
    GAO Comments
  Appendix IX: Comments from the Department of the Treasury
  Appendix X: Comments from the U.S. Agency for International Development
  Appendix XI: GAO Contact and Staff Acknowledgments
    GAO Contact
    Staff Acknowledgments
Tables
  Table 1: Former Agency Senior IT Executive Panels
  Table 2: Statistical Analysis of CIO Tenure
Figures
  Figure 1: Number of CIOs Reporting That They Were Responsible for Each
    Information and Technology Management Area
  Figure 2: Major Challenges Facing Agency CIOs
  Figure 3: Time Line of CIO Tenure at Each Department and Agency
Abbreviations
CIO chief information officer
EA enterprise architecture
e-gov electronic government
FOIA Freedom of Information Act
IRM information resources management
IT information technology
OMB Office of Management and Budget
PRA Paperwork Reduction Act
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office Washington, D.C. 20548
July 21, 2004
The Honorable Susan M. Collins
Chairman,
Committee on Governmental Affairs
United States Senate
The Honorable Tom Davis
Chairman, Committee on Government Reform
House of Representatives
The Honorable Adam H. Putnam
Chairman, Subcommittee on Technology, Information
Policy, Intergovernmental Relations and the Census
Committee on Government Reform
House of Representatives
Our work and that of others has shown that the federal government has had
long-standing information and technology management problems. Various
laws have been enacted to improve the government's performance in this
area. For example, the Clinger-Cohen Act of 1996 requires agency heads to
designate Chief Information Officers (CIO) to lead reforms to help control
system development risks, better manage technology spending, and
achieve real, measurable improvements in agency performance through
better management of information resources.
We have long been proponents of having strong agency CIOs and a central
federal government CIO in order to address the government's many
information and technology management challenges.[1] Eight years after the
passage of the Clinger-Cohen Act, our work[2] illustrates that despite the
government's expenditure of billions of dollars annually on information
technology (IT), its management of these resources has produced mixed
results. Although agencies have taken constructive steps to implement
modern strategies, systems, and management policies and practices, our
most recent high-risk and performance and accountability series identified
continuing high-risk modernization efforts and governmentwide information
and technology management challenges. As we have previously reported, an
effective CIO can make a significant difference in building the
institutional capacity needed to implement improvements to an agency's
information and technology management capabilities which, among other
things, should result in technology solutions that improve program
performance.
[1] U.S. General Accounting Office, Improving Government: Actions Needed to
Sustain and Enhance Management Reforms, GAO/T-OCG-94-1 (Washington, D.C.:
Jan. 27, 1994), Government Reform: Using Reengineering and Technology to
Improve Government Performance, GAO/T-OCG-95-2 (Washington, D.C.: Feb. 2,
1995), and Government Reform: Legislation Would Strengthen Federal
Management of Information and Technology, GAO/T-AIMD-95-205 (Washington,
D.C.: July 25, 1995).
[2] U.S. General Accounting Office, High-Risk Series: An Update, GAO-03-119
(Washington, D.C.: January 2003) and Major Management Challenges and
Program Risks: A Governmentwide Perspective, GAO-03-95 (Washington, D.C.:
January 2003).
Recognizing the continued importance of the CIO position to achieving
better results through information and technology management, you have
asked us to perform two reviews in this area. First, this report will
discuss the current status of federal CIOs at major departments and
agencies. Second, we are beginning work on the development of a set of CIO
best practices, based on the practices of leading organizations in the
private sector. Along with our earlier work addressing the high-level
organization and support of the CIO position in the private sector,[3] these
reports are expected to provide the Congress and others with an
understanding of the current status of the role, responsibilities, and
reporting relationships of agency CIOs and to describe opportunities to
improve their status.
[3] U.S. General Accounting Office, Maximizing the Success of Chief
Information Officers: Learning from Leading Organizations, GAO-01-376G
(Washington, D.C.: February 2001).
In this report, our objectives are to describe (1) the responsibilities of
agency CIOs and their reporting relationships, (2) the current CIOs'
professional backgrounds and the tenures of all of the CIOs in office
since enactment of the Clinger-Cohen Act, and (3) what the CIOs viewed as
their major challenges. To address these objectives, we administered a
questionnaire covering 13 information and technology management areas
(specifically IT/IRM strategic planning, IT capital planning and investment
management, information security, IT/IRM human capital, information
collection/paperwork reduction, information dissemination, records
management, privacy, statistical policy and coordination, information
disclosure, enterprise architecture, systems acquisition, development and
integration, and e-government initiatives)[4] to the CIOs of the 27 major
federal departments and agencies (23 entities identified in 31 U.S.C.
901,[5] the Department of Homeland Security, and the 3 military services).[6]
In addition, we conducted interviews with each of these CIOs to
corroborate information we had already received in the questionnaire and
to obtain more specific information.
We conducted our work at the 27 agencies during November 2003 through May
2004 in accordance with generally accepted government auditing standards.
Results in Brief
Generally, CIOs were responsible for most of the 13 areas
we identified as either required by statute or critical to effective
information and technology management, and about 70 percent of them
reported directly to the agency heads. All of the CIOs were assigned
responsibility for five information and technology management areas, such
as enterprise architecture and IT investment management, although they
sometimes reported that they shared responsibility for these areas with
other organizational units. In contrast, two of the information and
technology management areas (information disclosure and statistics) were
the responsibility of fewer than half of the CIOs. While this alternative
assignment of responsibility is not consistent with the statutes, the CIOs
generally believed (in large part because other organizational units were
assigned these duties) that not being responsible for certain information
and technology management areas did not present a problem. Nevertheless,
having these responsibilities performed by multiple officials could make
the integration of various information and technology management areas, as
envisioned by law, more difficult to achieve. Regarding the statutory
requirements that certain CIOs have the management of information
resources as their primary duty[7] and that CIOs report directly to the
agency head,[8] only a few said that they had other major duties and 19 said
they reported directly to their agency heads. Views were mixed among
current CIOs and former agency IT executives on whether a direct reporting
relationship was crucial to the success of the CIO.
[4] These areas are further defined in the Scope and Methodology section of
this report.
[5] This section of the U.S. Code requires 24 departments and agencies to
establish chief financial officers. We did not include the Federal
Emergency Management Agency in our review, even though it is 1 of the 24
departments and agencies, because this agency has been transferred to the
Department of Homeland Security.
[6] The 27 agencies covered by this report are the Departments of
Agriculture, the Air Force, the Army, Commerce, Defense, Education,
Energy, Health and Human Services, Homeland Security, Housing and Urban
Development, the Interior, Justice, Labor, the Navy, State,
Transportation, the Treasury, and Veterans Affairs; and the Environmental
Protection Agency, General Services Administration, National Aeronautics
and Space Administration, National Science Foundation, Nuclear Regulatory
Commission, Office of Personnel Management, Small Business Administration,
Social Security Administration, and U.S. Agency for International
Development.
[7] The Clinger-Cohen Act requirement that agency CIOs have IRM as their
primary duty applies to the major departments and agencies listed in 31
U.S.C. 901(b), which does not include the Department of Homeland Security,
or the military departments of the Air Force, the Army, and the Navy.
[8] The Homeland Security Act of 2002 states that the CIO for the Department
of Homeland Security shall report to the Secretary of Homeland Security or
to another official as directed by the Secretary. As allowed by the law,
the Secretary has directed the CIO to report to the Under Secretary of
Management.
Current CIOs come from a wide variety of professional and educational
backgrounds, and, since the enactment of the Clinger-Cohen Act, the
permanent CIOs who had completed their time in office had a median tenure
of about 2 years. Regarding their backgrounds, the current CIOs had worked
in various sectors, almost always had IT or IT-related work or educational
experience, and generally had business knowledge related to their
agencies. Such variety is not unexpected, because a CIO should be selected
based on the specific needs of an agency and the type of role he or she is
expected to play. Agency CIOs' average time in office, however, was less
than the 3 to 5 years that was most commonly cited by both current CIOs
and former agency IT executives as the time needed for a CIO to be
effective. In particular, in the 8 years since the enactment of the
Clinger-Cohen Act, only about 35 percent of the permanent CIOs who had
completed their time in office reportedly stayed in office for a minimum
of 3 years. A high turnover rate is a problem, according to some current
CIOs, because it can negatively impact their effectiveness. For example,
they may not have time to put their agenda in place or form close working
relationships with agency leadership. Various mechanisms, such as human
capital flexibilities, are available to agencies to help them try to
reduce CIO turnover or mitigate its effect.
Current CIOs reported that they faced several major challenges,
particularly in implementing effective IT management, obtaining sufficient
and relevant resources, communicating and collaborating internally and
externally, and managing change. These challenges are not new; we have
previously reported on some of them. Nevertheless, the extent to which
CIOs effectively tackle such challenges can contribute to their ability to
achieve success. To support their efforts, we have issued guidance related
to many of the reported challenges.
We are suggesting that, as it holds hearings on and introduces legislation
related to information and technology management, Congress consider
whether the existing statutory requirements related to CIO
responsibilities and reporting to the agency head reflect the most
effective assignment of information and technology management
responsibilities and reporting relationship. The results of this review, in
conjunction with our ongoing work on best practices for CIOs' roles and
responsibilities that are based on leading organizations in the private
sector, may provide insights to contribute to that process.
Based on their reviews of a draft of this report, OMB and all of the 27
agencies that were included in our review sent us responses. Most of the
agencies stated that they had no comment. Of those that provided specific
comments, OMB noted that they were unclear on the correlation between, or
conclusions drawn about, who holds responsibility for the 13 areas we
reviewed, and they questioned the need to include 3 responsibilities not
required by statute to be the responsibility of the CIO. First, we did not
attempt to draw conclusions regarding the relationship between the
assignment of specific responsibilities and an agency's success in
achieving desired outcomes in those areas. Second, the importance of the 3
areas questioned by OMB is borne out by the fact that over 90 percent of
the CIOs have been assigned responsibility for them. The Departments of
Defense and the Interior disagreed with the part of our Matter for
Congressional Consideration that suggested that the Congress consider the
results of this review that are related to CIO reporting relationships
when holding
hearings and introducing legislation on information and technology
management. Although having CIOs report to agency heads can help provide
strong support for CIOs in executing their responsibilities, the
participants in our review offered a number of alternative reporting
arrangements that could also provide CIOs with such support and that also
warrant consideration. Accordingly, we continue to believe that, as the
Congress holds hearings or considers legislation related to CIOs'
responsibilities or reporting, it consider the results of our review in
its deliberations. Finally, the Office of Personnel Management provided
examples of actions the agency has taken to encourage the use of human
capital management flexibilities, but it was outside the scope of this
work to review these actions. We address these comments more fully in the
Agency Comments and Our Evaluation section of this report.
Background
Despite a substantial investment in IT, the federal
government's management of information resources has produced mixed
results. Although agencies have taken constructive steps to implement
modern strategies, systems, and management policies and practices, our
work continues to find that agencies face significant challenges. These
challenges can be addressed with strong and committed leadership by the
agency CIOs, a position that was established by the Congress to serve as
the focal point for information and technology management issues within an
agency.
Major Information and Technology Management Challenges Facing Agency CIOs
Our most recent high-risk and performance and accountability series
identified continuing high-risk system modernization efforts and
governmentwide information and technology management challenges,[9] namely,
o pursuing opportunities for e-government;
o improving the collection, use, and dissemination of government
information;
o strengthening information security;
o constructing and enforcing sound enterprise architectures;
o employing IT system and service management practices; and
o using effective agency IT investment management practices.
[9] GAO-03-119 and GAO-03-95.
Unless and until these challenges are overcome, federal agencies are
unlikely to optimize their use of information and technology, which can
affect an organization's ability to effectively and efficiently implement
its programs and missions.
Agency CIOs are key leaders in addressing these challenges. To allow them
to serve effectively in this role, federal agencies must utilize the full
potential of CIOs as information and technology management leaders and
active participants in the development of the agency's strategic plans and
policies. The CIOs, in turn, must meet the challenges of building credible
organizations and developing and organizing information and technology
management capabilities to meet mission needs.
Legislative Evolution of Agency CIO Roles and Responsibilities
For more than 20 years, federal law has structured the management of
information technology and information-related activities under the
umbrella of information resources management (IRM).[10] Originating in the
1977 recommendations of the Commission on Federal Paperwork, the IRM
approach was first enacted into law in the Paperwork Reduction Act of 1980
(PRA).[11] The 1980 Act focused primarily on centralizing governmentwide
responsibilities in the Office of Management and Budget (OMB). The law
gave OMB specific policy-setting and oversight duties regarding individual
IRM areas, for example, records management, privacy, and the acquisition
and use of automatic data processing and telecommunications equipment
(which was later renamed information technology). The law also gave
agencies a more general responsibility to carry out their IRM activities
in an efficient, effective, and economical manner and to comply with OMB
policies and guidelines. To assist in this effort, the law required that
each agency head designate a senior official who would report directly to
the agency head to carry out the responsibilities of the agency under the
law.
[10] IRM is the process of managing information resources to accomplish
agency missions and to improve agency performance.
[11] P.L. 96-511, December 11, 1980.
Together these requirements were intended to provide for a coordinated
approach to managing federal agencies' information resources. The
requirements addressed the entire information life cycle, from collection
through disposition, in order to reduce information collection burdens on
the public and to improve the efficiency and effectiveness of government.
Amendments to the PRA in 1986 and in 1995 were designed to strengthen
agency and OMB implementation of the law. Most particularly, the PRA of
1995 provided detailed agency requirements for each IRM area, to match the
specific OMB provisions. The 1995 Act also required agencies to develop,
for the first time, processes to select, control, and evaluate the results
of major information systems initiatives.
In 1996, the Clinger-Cohen Act supplemented the information technology
management provisions of the PRA with detailed CIO requirements for IT
capital planning and investment control and performance and results-based
management.[12] The 1996 Act also established the position of agency CIO by
amending the PRA to rename the senior IRM officials CIOs and specifying
additional responsibilities for them. Among these responsibilities, the
act required that the CIOs in the 24 major departments and agencies
specified in 31 U.S.C. 901 have IRM as their "primary duty." Accordingly,
under current law,[13] agency CIOs are required to carry out the
responsibilities of their agencies with respect to information resources
management, including
o information collection and the control of paperwork;
o information dissemination;
o statistical policy and coordination;
o records management;
o privacy, including compliance with the Privacy Act;
o information security, including compliance with the Federal Information
Security Management Act;
o information disclosure, including compliance with the Freedom of
Information Act; and
o information technology.
[12] P.L. 104-106, February 10, 1996. The law, initially entitled the
Information Technology Management Reform Act (ITMRA), was subsequently
renamed the Clinger-Cohen Act in P.L. 104-208, September 30, 1996.
[13] The E-Government Act of 2002 reiterated agency responsibility for
information resources management. P.L. 107-347, December 17, 2002.
Together, these legislated roles and responsibilities embody the policy
that CIOs should play a key leadership role in ensuring that agencies
manage their information functions in a coordinated and integrated fashion
in order to improve the efficiency and effectiveness of government
programs and operations.
Scope and Methodology
To address the objectives of this review, we first identified and reviewed
major information and technology management legislative requirements.
Specifically, we reviewed
o the Paperwork Reduction Act of 1995,
o the Clinger-Cohen Act of 1996,
o the E-Government Act of 2002,
o the Federal Information Security Management Act of 2002,
o the Federal Records Act,
o the Freedom of Information Act, and
o the Privacy Act of 1974.
We identified the following 13 major areas of CIO responsibilities as
either statutory requirements or critical to effective information and
technology management.[14]
o IT/IRM strategic planning. CIOs are responsible for strategic planning
for all information and information technology management functions; thus,
the term IRM strategic planning [44 U.S.C. 3506(b)(2)].
o IT capital planning and investment management. CIOs are responsible for
IT capital planning and investment management [44 U.S.C. 3506(h) and 40
U.S.C. 11312 & 11313].
o Information security. CIOs are responsible for ensuring compliance with
the requirement to protect information and systems [44 U.S.C. 3506(g) and
3544(a)(3)].
o IT/IRM workforce planning. CIOs have responsibilities for helping the
agency meet its IT/IRM workforce or human capital needs [44 U.S.C. 3506(b)
and 40 U.S.C. 11315(c)].
o Information collection/paperwork reduction. CIOs are responsible for
the review of agency information collection proposals to maximize the
utility and minimize public "paperwork" burdens [44 U.S.C. 3506(c)].
o Information dissemination. CIOs are responsible for ensuring that the
agency's information dissemination activities meet policy goals such as
timely and equitable public access to information [44 U.S.C. 3506(d)].
o Records management. CIOs are responsible for ensuring that the agency
implements and enforces records management policies and procedures under
the Federal Records Act [44 U.S.C. 3506(f)].
o Privacy. CIOs are responsible for compliance with the Privacy Act and
related laws [44 U.S.C. 3506(g)].
o Statistical policy and coordination. CIOs are responsible for the
agency's statistical policy and coordination functions, including ensuring
the relevance, accuracy, and timeliness of information collected or
created for statistical purposes [44 U.S.C. 3506(e)].
o Information disclosure. CIOs are responsible for information access
under the Freedom of Information Act [44 U.S.C. 3506(g)].
o Enterprise architecture. Federal laws and guidance direct agencies to
develop and maintain enterprise architectures as blueprints to define the
agency mission, and the information and IT needed to perform that mission.
o Systems acquisition, development, and integration. We have found that a
critical element of successful IT management is effective control of
systems acquisition, development and integration [44 U.S.C. 3506(h)(5) and
40 U.S.C. 11312].
o E-government initiatives. Various laws and guidance direct agencies to
undertake initiatives to use IT to improve government services to the
public and internal operations [44 U.S.C. 3506(h)(3) and the E-Government
Act of 2002].
[14] Three areas of responsibility (enterprise architecture; systems
acquisition, development and integration; and e-government initiatives)
are not assigned to CIOs by statute; they are assigned to the
agency heads by law or guidance. However, in virtually all agencies, the
agency heads have delegated these areas of responsibility to their CIOs.
We then developed and administered a questionnaire to the CIOs of the 27
major departments and agencies requesting information on whether these
officials were responsible for each of these areas, their reporting
relationships, their professional and educational backgrounds, and their
challenges.[15] We also asked each agency to supply the name, beginning and
ending dates in office, and circumstances (e.g., whether they were in an
acting or permanent position) of each of the individuals who had served as
CIO at the agency since the enactment of the Clinger-Cohen Act. We
subsequently interviewed each of the CIOs who were in place at the time of
our review (see app. I for the list of the CIOs) in order to corroborate
their responses and obtain more detailed explanations of these responses.
In addition, as applicable, we collected and reviewed the resumes or
biographies of the current CIOs.
[15] The 23 major departments and agencies identified in 31 U.S.C. 901, the
Department of Homeland Security, and the 3 military services (see footnote
6 for a list of agencies).
In analyzing CIOs' comments on their challenges, two GAO analysts reviewed
the responses and arrived at agreement for the broad categories. Each
comment was then placed into one or more of the resulting categories, and
agreement regarding each placement was reached between the two analysts.
We also conducted two panel discussions with former agency IT executives
(six in each panel), including former CIOs, that addressed their
experiences and challenges. Appendix II lists these panelists. Finally, we
discussed our findings with representatives of OMB's Office of Information
and Regulatory Affairs and the members of our Executive Council of
Information Management and Technology (a preexisting panel of outside
industry, state government, and academic experts) to obtain their views.
We conducted our work at the 27 agencies during November 2003 through May
2004 in greater Washington, D.C., in accordance with generally accepted
government auditing standards.
CIOs Responsible for Most Areas and Generally Reported to Agency Heads
CIOs generally were responsible for most of the 13 key areas we had
identified as either required by statute or among those critical to
effective information and technology management, and most reported
directly to their agency heads. All 27 CIOs had responsibility for 5 of
the 13 areas, such as information security and IT capital planning. Of the
other eight areas, two of them-information disclosure and statistics-were
the responsibility of fewer than half of the CIOs. This assignment of
responsibilities is not consistent with the law. However, in those cases
where the CIOs were not assigned the expected responsibilities and
expressed an opinion about this situation,16 more than half of the CIOs'
responses were that the applicable information and technology management
areas are appropriately held by some other organizational entity.
Moreover, virtually all of the responses indicated that the CIOs were
comfortable with their roles. Nevertheless, having these responsibilities
performed by multiple officials could make the integration of various
information and technology management areas, as envisioned by the law,
more difficult to achieve.
16Out of a total of 69 possible responses (instances of CIOs without
responsibility for one or more of the 13 information and technology
management areas), CIOs expressed an opinion on whether they had any
concerns with their agency's assignment in 42 instances.
In addition to requiring that federal agency CIOs have many specific
responsibilities, federal law also generally requires that these CIOs
report directly to their agency heads. This requirement establishes an
identifiable line of accountability and recognizes the importance of CIOs'
being full participants in the executive team in order to successfully
carry out their responsibilities. Nineteen of the CIOs we interviewed have
a direct reporting relationship to their agency head as required by the
statute. The other eight have various reporting relationships, often
through their agencies' senior administrative or management executives.
While reporting to the agency heads may be a means to ensure that the CIO
has sufficient stature to "have a seat at the table," only about a third
of those who did not report to their agency heads expressed a concern with
their reporting relationships.
Given these results, it is clear that questions arise about whether the
current statutory framework of roles and responsibilities reflects the
most effective assignment of information and technology management
responsibilities. Our work developing a set of best practices for CIOs'
roles and responsibilities, based on leading organizations in the private
sector, may shed additional light on this issue.
Agency CIOs Generally Responsible for Most Areas
The Congress has assigned a number of responsibilities to the CIOs of
federal agencies. In addition, we have identified other areas of
information and technology management that can contribute significantly to
the successful implementation of information systems and processes.
Figure 1 lists the 13 areas of responsibility and the number of CIOs who
are assigned responsibility for each (app. III contains additional
information on each of these areas). Five of the 13 areas of
responsibility were assigned to every agency CIO. These areas are capital
planning and investment management, enterprise architecture, information
security, IT/IRM strategic planning, and IT workforce planning. Two of
these areas-enterprise architecture and capital planning-were mentioned
by several CIOs as the mechanisms they use for integrating
responsibilities across some of the other areas, because, for example, they
can provide a checkpoint where the CIO has the opportunity to review
proposals and investments before they are funded. The governance processes
used in implementing enterprise architecture and capital planning can also
provide the opportunity to ascertain that other responsibilities are being
executed as required. For example, these processes can require that plans
for new systems meet security or records management standards before they
are allowed to progress to the next stage of development or funding.
Figure 1: Number of CIOs Reporting That They Were Responsible for Each
Information and Technology Management Area

Information and technology management area            Number of CIOs
Capital planning and investment management            27
Enterprise architecture                               27
Information security                                  27
IT/IRM strategic planning                             27
IT/IRM workforce planning                             27
Major e-gov initiatives                               25
Systems acquisition, development and integration      25
Information collection/paperwork reduction            22
Records management                                    21
Information dissemination                             20
Privacy                                               17
Information disclosure/Freedom of information          9
Statistical policy and coordination                    8

Source: Agency CIOs.
The next six areas of responsibility shown on the chart-systems
acquisition, major electronic government (e-gov) initiatives, information
collection/paperwork reduction, records management, information
dissemination, and privacy-were assigned to CIOs at between 17 and 25
agencies. Although these responsibilities were formally assigned to the
CIO, it was not uncommon for CIOs to report that multiple units
contributed to carrying out the activities associated with these
responsibilities. For example,
o in the management of e-gov initiatives, several CIOs said that they
managed the overall effort and share responsibility with the functional
unit;
o in systems acquisition, several agencies reported that responsibility
is shared among the CIO and other officials, such as a procurement
executive or program executive. In addition, many CIOs mentioned that they
provided metrics and measures of ongoing work, while the
procurement or program executive managed the contractor relationship;
o for records management, several CIOs described execution of
responsibilities as a cooperative effort with administrative or program
employees to collect, aggregate, and store the volumes of records;
o responsibility for information dissemination at a few agencies was
described as being coordinated with the public affairs office, as this
unit performs quality reviews and the CIO provides technical support; and
o responsibility for privacy at a few agencies was described as being
coordinated with the general counsel, as these officials provide high
level guidance and the CIO implements it.
Finally, information disclosure/Freedom of Information Act and statistical
policy, both statutory responsibilities of the CIO, are the areas least
often assigned to the CIO. In these areas, fewer than 10 of the CIOs hold
responsibility as specified by the PRA. Disclosure is a responsibility
that has frequently been assigned to offices such as general counsel and
public affairs in the agencies we reviewed, while statistical policy is
often the responsibility of separate offices that are responsible for
agency data analysis, particularly in agencies that contain Principal
Statistical Agencies.17
Even for those areas of responsibility that were not assigned to them,
several CIOs reported that they contributed to the successful execution of
agency responsibility. For example, a few mentioned that they provide
technical support for the responsible units, such as assisting with Web
services for information dissemination or maintaining electronic archives
for electronic records management. In addition, five CIOs mentioned that
they supported the unit responsible for records management by providing,
for example, specific support for the design of systems compatible with
electronic records management or by serving in an oversight or
coordination role.
17Principal Statistical Agencies include the Bureau of Economic Analysis
(Department of Commerce), Bureau of Justice Statistics (Department of
Justice), Bureau of Labor Statistics (Department of Labor), Bureau of
Transportation Statistics (Department of Transportation), Economic
Research Service (Department of Agriculture), Energy Information
Administration (Department of Energy), Environmental Protection Agency,
Internal Revenue Service's Statistics of Income Division (Department of
the Treasury), National Agricultural Statistics Service (Department of
Agriculture), National Center for Education Statistics (Department of
Education), National Center for Health Statistics (Department of Health
and Human Services), Science Resources Statistics (National Science
Foundation), Office of Policy (Social Security Administration), Office of
Management and Budget (Executive Office of the President), and the U.S.
Census Bureau (Department of Commerce).
Most CIOs told us they were comfortable with the existing assignment of
responsibilities, although only five CIOs at the 27 major departments and
agencies were responsible or shared responsibility for all 13 information
and technology management areas. In fact, one of the panels of former
agency IT executives suggested that not all 13 areas were equally
important to CIOs. A few of the former agency IT executives even called
some of the areas relating to information management distractions from the
CIO's primary responsibilities. However, this is not consistent with the
law, which envisioned that having a single official responsible for the
various information and technology functions would provide integrated
management. Specifically, one purpose of the PRA is to coordinate,
integrate, and-to the extent practicable and appropriate-make federal
information resources management policies and practices uniform as a means
to improve the productivity, efficiency, and effectiveness of government
programs by, for example, reducing information collection burdens on the
public and improving service delivery to the public. Moreover, the House
Committee Report accompanying this act in 1980 stated that aligning IRM
activities under a single authority should provide for greater
coordination among an agency's information activities as well as greater
visibility within the agency.18
18U.S. House of Representatives, Paperwork Reduction Act of 1980, House
Report 96-835, (Washington, D.C.: Mar. 19, 1980).
Although many agencies did not have the CIO responsible for all IRM
activities, a number of CIOs described alternative mechanisms that their
agencies used to coordinate or integrate at least some of the activities.
Examples of such integrating mechanisms included IRM plans, enterprise
architecture processes, and IT capital planning processes. We agree that
such mechanisms can provide elements of integration, but we have
repeatedly reported that agencies have not effectively implemented such
activities.19 For example, in January 2004, we reported that agencies' IRM
plans often did not address information functions such as information
collection, records management, and privacy or their coordinated
management.20 Accordingly, we recommended that OMB develop and disseminate
to agencies additional guidance on developing their strategic IRM plans.
In addition to specifying areas of responsibility for the CIOs of major
departments and agencies, the Clinger-Cohen Act calls for certain CIOs to
have IRM as their primary duty.21 All but a few of the agencies complied
with this requirement. The other significant duties reported by some CIOs
generally related to other administrative or management areas, such as
procurement and human capital. We22 and Members of Congress23 have
previously expressed concern about agency CIOs having responsibilities
beyond information and technology management and have questioned whether
split duties allow a CIO to deal effectively with an agency's IT
challenges. For example, we previously recommended that one agency, which
had a CIO who was also the chief financial officer, appoint a CIO
with full-time responsibilities for IRM.24 This agency later implemented
our recommendation, thereby taking a significant step toward addressing
critical and long-standing information and technology management
weaknesses.
19See, for example, U.S. General Accounting Office, Information Technology
Management: Governmentwide Strategic Planning, Performance Measurement,
and Investment Management Can Be Further Improved, GAO-04-49 (Washington,
D.C.: Jan. 12, 2004) and Information Technology: Leadership Remains Key to
Agencies Making Progress on Enterprise Architecture Efforts, GAO-04-40
(Washington, D.C.: Nov. 17, 2003).
20GAO-04-49.
21The Clinger-Cohen Act requirement that agency CIOs have IRM as their
primary duty applies to the major departments and agencies listed in 31
U.S.C. 901(b), which does not include the Department of Homeland Security,
or the military departments of the Air Force, the Army, and the Navy.
22U.S. General Accounting Office, Chief Information Officers: Ensuring
Strong Leadership and an Effective Council, GAO/T-AIMD-98-22 (Washington,
D.C.: Oct. 27, 1997).
23U.S. Senate Committee on Governmental Affairs, Paperwork Reduction Act
of 1995, Senate Report 104-8 (Washington, D.C.: Jan. 30, 1995).
CIOs Generally Reported to Agency Head
Federal law-and our guide on CIOs of leading private sector
organizations-generally calls for CIOs to report to their agency heads,25
forging relationships that ensure high visibility and support for
far-reaching information management initiatives. Nineteen of the CIOs in
our review stated that they had this type of reporting relationship. In
the other eight agencies, the CIOs stated that they reported instead to
another senior official, for example, a deputy secretary, under secretary,
or assistant secretary.
Current CIOs and former agency IT executives had mixed views about whether
it is important for the CIO to report to the agency head. For example, of
the eight CIOs who did not report directly to their agency heads, (1)
three indicated that it was important or critical, (2) two stated that it
was not important, (3) two noted that it was generally important but that
the current reporting structure at their agencies worked well, and (4) one
stated that it was very important that a CIO report to at least a deputy
secretary. In contrast, 15 of the CIOs who reported to their agency heads
stated that this reporting relationship was important. (One agency CIO
stated that reporting to the CIO was not important, one CIO did not
clearly address the question, and this issue was not discussed with two
CIOs.) For example, one of them stated that a direct reporting
relationship to the agency head was crucial because top management support
is essential for CIOs to carry out their responsibilities; another CIO
pointed out that it is difficult to influence IT budget and policy
decisions without reporting to the agency head. Eight of the 19 CIOs who
said that they had a direct reporting relationship with the agency head
noted that they also report to another senior executive, usually the
Deputy Secretary or Undersecretary for Management, on an operational
basis. Finally, members of our
Executive Council on Information Management and Technology, which is
composed of noted IT experts, told us that what is most critical is for
the CIO to report to a top level official.
24U.S. General Accounting Office, VA Information Technology: Improvements
Needed to Implement Legislative Reforms, GAO/AIMD-98-154 (Washington,
D.C.: July 7, 1998).
25The Homeland Security Act of 2002 states that the CIO for the Department
of Homeland Security shall report to the Secretary of Homeland Security or
to another official as directed by the Secretary. As allowed by the law,
the Secretary has directed the CIO to report to the Under Secretary for
Management.
The members of our panels of former agency IT executives also had various
views on whether it was important that the CIO report to the agency head.
For example, one former IT executive stated that such a reporting
relationship was extremely important, another emphasized that
organizational placement was not important if the CIO had credibility, and
others suggested that the CIO could be effective while reporting to a
chief operating officer. We have explored the application of the chief
operating officer concept to the federal government environment in a
roundtable and forum that included participants with current or recent
executive or management experience.26 While participants expressed a range
of views on the chief operating officer concept and its application to the
federal government, there was general agreement that there is a need to
elevate attention and integrate various key management and transformation
efforts, as well as to institutionalize accountability for addressing
them.
As the Congress holds hearings on and introduces legislation related to
information and technology management, there may be an opportunity to
consider the results of this review and whether the existing statutory
framework related to CIO responsibilities and reporting to the agency head
is the most effective structure. Our work developing a set of best
practices for CIO roles and responsibilities, based on leading
organizations in the private sector, may shed additional light on this
issue.
26U.S. General Accounting Office, Highlights of a GAO Roundtable: The
Chief Operating Officer Concept: A Potential Strategy to Address Federal
Governance Challenges, GAO-03-192SP (Washington, D.C.: Oct. 4, 2002) and
Comptroller General's Forum: High-Performing Organizations: Metrics,
Means, and Mechanisms for Achieving High Performance in the 21st Century
Public Management Environment, GAO-04-343SP (Washington, D.C.: Feb. 13,
2004).
CIOs Have Diverse Backgrounds and Generally Remained in Office about 2
Years
At the major departments and agencies included in our review, the current
CIOs had diverse backgrounds, and since the enactment of the Clinger-Cohen
Act, the median tenure of permanent CIOs whose time in office had been
completed was about 2 years.27 Both of these factors can significantly
influence whether a CIO is likely to be successful. First, the background
of the current CIOs varied in that they had previously worked in the
government, the private sector, and academia, and they had a mix of
technical and management experience. Because a CIO should be selected
based on the specific needs of the agency and the type of role that he or
she is expected to play, it was not unexpected to see such diverse
backgrounds. Second, the median time in position for agencies' permanent
CIOs was 23 months in office. When asked how long a CIO needed to stay in
office to be effective, the most common response of current CIOs and
former agency IT executives was 3 to 5 years. This gap is consistent with
the views of many agency CIOs, who believed that the turnover rate was
high and that the political environment, the pay differentials between the
public and private sectors, and the challenges that CIOs face contributed
to this rate. Various mechanisms, such as human capital flexibilities, are
available for agencies to use to help reduce CIO turnover or mitigate its
effect.
Current CIOs Have Varied Work and Educational Backgrounds
Although the qualifications of a CIO can help determine whether he or she
is likely to be successful, there is no general agreement on the optimal
background that a prospective agency CIO should have. The conference
report accompanying the Clinger-Cohen Act, which established the agency
CIO position, requires them to possess knowledge of-and practical
experience in-the information and IT management practices of business or
government.28 While people like current CIOs and former agency IT
executives also echoed the need for the CIO to have IT experience, other
types of background, such as business knowledge, and an understanding of
how IT can be used to transform agencies and improve mission performance
were also seen as critical.
27We did not include acting CIOs in this calculation, unless the acting
CIO later was put in the permanent position. Further analysis of tenure
data is provided in appendix IV.
28House of Representatives, National Defense Authorization Act for Fiscal
Year 1996, Conference Report to Accompany S.1124, House Report 104-450
(Washington, D.C.: Jan. 22, 1996).
The personal attributes of a CIO, such as leadership, communication, and
political skills, can also be key factors in the selection and success of a
CIO. For example, members of our Executive Council on Information
Management and Technology, which is composed of noted IT experts, told us
that a CIO needs personal attributes like leadership ability to succeed in
aligning the business and IT sides of the organization. In particular, he
or she must be able to work as a partner with other business or program
executives and build credibility with them, in order to be accepted as a
full participant in the development of new systems and processes and to
achieve successful outcomes with IT investments. According to our CIO
guide, the degree of importance that senior executives place on the
various attributes that are considered in selecting a CIO depends on the
information leadership model and the needs of the enterprise.29
This lack of a standard set of qualifications for CIOs is reflected in the
varied work and educational backgrounds of current agency CIOs. For
example, 24 of the CIOs had previously worked for the federal government,
16 had worked in private industry, 8 had worked in state and local
government, and 2 had been in academia. Seventeen CIOs had worked in some
combination of two or more of these sectors. Further, virtually all of
them had work experience and/or educational backgrounds in IT or
IT-related fields. For example, 12 current agency CIOs had previously
served in a CIO or deputy CIO capacity. Those who did not have an IT or
IT-related professional or educational background had significant non-IRM
responsibilities, and their backgrounds were more specific to their other
roles (e.g., human capital management). Moreover, most of the CIOs had
business knowledge related to their agencies because they had previously
worked at the agency or had worked in an area related to the agency's
mission. As the diversity of the current CIOs demonstrates, there is no
single template for a CIO's background; this illustrates that an agency
head should select someone based on the specific needs of the agency and
the type of role that he or she is expected to play.
29GAO-01-376G.
Median Tenure of Agency CIOs Was about 2 Years
Another element that influences the likely success of an agency CIO is the
length of time the individual has to implement change. For example, our
prior work has noted that the experiences of successful major change
management initiatives in large private and public sector organizations
suggest that it can often take at least 5 to 7 years until such
initiatives are fully implemented and the related cultures are transformed
in a sustainable manner.30 The need for major changes in federal
information and technology management is demonstrated by our high-risk and
performance and accountability series reports, which show that there are
long-term information and technology management problems and challenges
facing federal agencies that will take years of sustained attention and
continuity to resolve.31
When asked how long a CIO needed to stay in office to be effective,
current CIOs and former agency IT executives most commonly responded 3 to
5 years. In particular, some cited the budget cycle as a reason why a CIO
needed to be in place for a while in order to allow sufficient time for
the CIO's vision and priorities to be reflected in the agency's budget
requests and subsequent appropriations.
Nevertheless, since February 10, 1996 (the date the Clinger-Cohen Act was
enacted), the median tenure of agencies' permanent CIOs who had completed
their time in office was about 23 months (see app. IV for a chart that
illustrates the tenure of each permanent and acting CIO and a table that
presents further statistical analysis of the tenure data).32 Moreover,
between February 10, 1996, and March 1, 2004, only about 35 percent of the
permanent CIOs who had completed their time in office reportedly stayed in
office for a minimum of 3 years. This is consistent with the views of many
agency CIOs, who believed that the turnover rate was high. A high turnover
rate is a problem, according to some current CIOs, because it can
negatively impact their effectiveness. For example, CIOs may not have time
to put their agenda in place or form close working relationships with
agency leadership. Echoing this view, one former agency IT executive
stated that with too much turnover nothing really substantial is
accomplished by a CIO.
30U.S. General Accounting Office, Results-Oriented Cultures:
Implementation Steps to Assist Mergers and Organizational Transformations,
GAO-03-669 (Washington, D.C.: July 2, 2003).
31For the most recent reports, see GAO-03-119 and GAO-03-95.
32We did not include acting CIOs in this calculation-unless the acting CIO
was later put in the permanent position-but about three-quarters of the
agencies had acting CIOs at some time since the inception of the
Clinger-Cohen Act. The median tenure of acting CIOs who had completed
their time in office was about 7 months.
Among the reasons cited for a high turnover rate were the challenges that
CIOs face, the political environment, and the pay differentials between
the public and private sectors. For example, among the challenges cited by
current CIOs were being perceived as an adversary by others in the agency,
the complexity of the issues, and the high-stress nature and long hours
typical of the position. Another factor affecting the turnover rate is the
number of CIOs who were political appointees; they stayed about 13 months
less than those in career civil service positions. Specifically, the
median time in position for career CIOs who had completed their time in
office was about 32 months, while the median for political appointees was
about 19 months. Nevertheless, there was a lack of consensus among the
current CIOs and former agency IT executives about whether CIOs should be
political appointees or not. For example, some believed that political
CIOs could be more effective because they might have more access to, and
influence with, the agency head. Others believed that CIOs in career
positions could be more effective because, for example, they would be more
likely to understand the agency, including its culture and work
environment.
A number of mechanisms could be used to ensure continuity in the face of
frequent CIO changes in agencies. For example, we have previously reported
that results-oriented performance agreements can help to maintain a
consistent focus on a set of broad programmatic priorities during changes
in leadership.33 This can help to reduce significant discontinuities in
objectives as new CIOs step in. One mechanism that came to our attention
through our interviews is the establishment of a deputy CIO position. A
deputy CIO can help to ensure continued attention to ongoing objectives
when there is a hiatus between one CIO and the next. A deputy CIO can also
increase the effectiveness of the CIO organization by providing skills and
work experiences that are complementary to those of the CIO. Moreover, the
appointment of deputy CIOs was anticipated by the Congress when the
Clinger-Cohen Act was passed. The conference report accompanying the act
states "the conferees also intend that deputy chief
information officers be appointed by agency heads that have additional
experience [in specific technical areas]."34 At the time of our review, 24
departments and agencies had deputy CIO positions, of which 22 were
filled. The establishment of this position at almost all of the agencies
is important because successful information and technology management
rests on the skills and performance of the entire CIO organization within
the department and agency-not just the CIO as an individual.
33U.S. General Accounting Office, Managing For Results: Emerging Benefits
From Selected Agencies' Use of Performance Agreements, GAO-01-115
(Washington, D.C.: Oct. 30, 2000).
In addition to taking action to help ensure continuity, agencies may also
be able to use human capital flexibilities-which represent the policies
and practices that an agency has the authority to implement in managing
its workforce-to help retain its CIOs. For example, our model on strategic
human capital management notes that recruiting bonuses, retention
allowances, and skill-based pay can attract and retain critical skills
needed for mission accomplishment.35 Similarly, two members of our panels
of former agency IT executives stated that the government should examine
its rewards systems and learn from the private sector's incentive
programs. Other panelists asserted that additional money is not key to
attracting and retaining CIOs; instead they cited the importance of
nonmonetary incentives, such as offering an attractive package of
authorities and responsibilities. We have previously identified six key
practices for the effective use of human capital flexibilities, including
planning strategically and making targeted investments and educating
managers and employees on the availability and use of flexibilities.36 In
addition, we have reported that although the Office of Personnel
Management has taken several actions to assist agencies in the
identification and use of human capital flexibilities, additional actions
by this agency could further facilitate the use of flexibilities.37
34House Report 104-450.
35U.S. General Accounting Office, A Model of Strategic Human Capital
Management, GAO-02-373SP, Exposure Draft (Washington, D.C.: Mar. 15, 2002).
36U.S. General Accounting Office, Human Capital: Effective Use of
Flexibilities Can Assist Agencies in Managing Their Workforces, GAO-03-2
(Washington, D.C.: Dec. 6, 2002).
37U.S. General Accounting Office, Human Capital: OPM Can Better Assist
Agencies in Using Personnel Flexibilities, GAO-03-428 (Washington, D.C.:
May 9, 2003).
Major Challenges Facing Agency CIOs
Current CIOs reported that they faced major challenges in fulfilling their
duties (see fig. 2). In particular, two challenges were cited by over 80
percent of the CIOs: implementing effective IT management and obtaining
sufficient and relevant resources. This indicates that CIOs view IT
governance processes, funding, and human capital as critical to their
success. Other common challenges cited were communicating and
collaborating internally and externally and managing change. Effectively
tackling these reported challenges can also improve the likelihood of
CIOs' success. To aid them in addressing the multitude of challenges that
they face, we have issued guidance that addresses several of the problems
they cited.
Figure 2: Major Challenges Facing Agency CIOs
Source: GAO.
Implementing Effective IT Management
Leading organizations execute their IT management responsibilities
reliably and efficiently. A little over 80 percent of the CIOs
reported that they faced one or more challenges related to implementing
effective IT management practices at their agencies. This is not
surprising given that, as we have previously reported, the government has
not always successfully carried out its responsibilities in the IT
management areas that were most frequently cited as challenges by the
CIOs: information security, enterprise architecture, investment
management, and e-gov.38
o Fifteen agency CIOs cited managing and improving information security
as a challenge. For example, one agency CIO cited a challenge of
increasing the security maturity of his agency while dealing with
increased security risks and threats; another discussed institutionalizing
information security policies in the management, planning, and operation
of over 200 systems. We have previously issued guidance addressing
security best practices to help agencies with their information security
challenges.39
o Fifteen CIOs discussed challenges associated with IT investment
management, including strengthening an agency's process to help ensure
that investments are in line with its mission, business needs, and
enterprise architecture and implementing appropriate IT performance
measures. For example, one CIO reported a challenge in developing a
capital planning process that will ensure that the agency's IT investments
are selected, resourced, and acquired to optimize mission accomplishment.
This individual further elaborated that the agency's capital planning
process was unwieldy and, therefore, not a good fit in an IT environment
that requires agility to deal with a rapid rate of change. Another CIO
reported problems with performance measurement-such as a lack of baseline
data-and planned to introduce a balanced scorecard approach and a
portfolio management tool to address this challenge. We have previously
issued guidance related to IT investment management including, most
recently, a new version of our framework, which offers organizations a
road map for improving their IT investment management processes in a
systematic and organized manner.40
38See, for example, U.S. General Accounting Office, High-Risk Series:
Protecting Information Systems Supporting the Federal Government and the
Nation's Critical Infrastructures; GAO-03-121 (Washington, D.C.: Jan. 1,
2003); GAO-04-49; GAO-04-40; and GAO-03-95.
39U.S. General Accounting Office, Executive Guide: Information Security
Management: Learning from Leading Organizations, GAO/AIMD-98-68
(Washington, D.C.: May 1, 1998) and Information Security Risk Assessment:
Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.: Nov.
1, 1999).
o Eleven agency CIOs emphasized the building and enforcement of an
enterprise architecture as challenging. For example, one CIO noted that
keeping the agency's enterprise architecture up-to-date was a challenge in
light of evolving federal enterprise architecture guidelines. In April
2003, we issued a framework that provides agencies with a common
benchmarking tool for planning and measuring their efforts to improve
their enterprise architecture management.41
o Seven CIOs mentioned that they faced challenges related to implementing
e-government; two of them cited addressing the e-government element of the
President's Management Agenda as a challenge. Other challenges associated
with e-government included (1) meeting the requirements of the
E-Government Act of 2002 (P.L. 107-347), (2) needing more comprehensive
modernization and/or migration plans that incorporate governmentwide
solutions, and (3) balancing and integrating rapidly evolving e-government
initiatives with the need to provide responsive ongoing operational
support.
In addition to managing IT, agency CIOs also reported challenges
associated with specific technological solutions. In particular, eight
CIOs reported dealing with integration and consolidation issues as a
challenge. Other specific technological challenges included ensuring
adequate bandwidth and network connectivity.
40U.S. General Accounting Office, Information Technology Investment
Management: A Framework for Assessing and Improving Process Maturity,
Version 1.1, GAO-04-394G (Washington, D.C.: Mar. 1, 2004). See also, U.S.
General Accounting Office, Executive Guide: Measuring Performance and
Demonstrating Results of Information Technology Investments,
GAO/AIMD-98-89 (Washington, D.C.: Mar. 1, 1998).
41U.S. General Accounting Office, Information Technology: A Framework for
Assessing and Improving Enterprise Architecture Management (Version 1.1),
GAO-03-584G (Washington, D.C.: April 1, 2003).
Obtaining Sufficient and Relevant Resources
One key element in ensuring an agency's information and technology success
is having adequate resources available. Virtually all agency CIOs cited
resources, both in dollars and staff, as major challenges. The funding
issues cited generally concerned the development and implementation of
agency IT budgets and whether certain IT projects, programs, or operations
were being adequately funded. We have previously reported that the way
agency initiatives are originated can create funding challenges that are
not found in the private sector.42 For example, certain information
systems may be mandated or legislated, so the agency does not have the
flexibility to decide whether or not to pursue them. Additionally, there
is a great deal of uncertainty over the funding levels that may be
available from year to year. The multitude of players in the budget
process can also lead to unexpected changes in funding. The CIOs cited
similar challenges. They observed some specific budgetary or funding
challenges such as (1) technology moving faster than the budget process,
(2) systems requirements not always accompanied by funding, (3) ensuring
adequate and stable funding to support Office of CIO operations, and (4)
difficulty prioritizing IT initiatives within the budget to ensure that
the agency meets Presidential and Secretarial priorities and mission.
The government also faces long-standing and widely recognized challenges
in maintaining a high-quality IT workforce. In 1994 and again in 2001, we
reported the importance that leading organizations placed on making sure
they had the right skill mix in their IT workforce.43 About 70 percent of
the agency CIOs reported on a number of substantial IT human capital
challenges, including, in some cases, the need for additional staff.
Examples of specific comments follow.
o Recruiting. Seven CIOs named recruiting as a challenge. For example,
one CIO stated that the hiring process takes too long and that good
candidates are no longer available by the time the hiring process is
completed. Another CIO noted that turnover in technical positions is high
and that the government cannot fill openings as fast as they occur.
o Training and development. Seven CIOs listed training and development as
a challenge. One CIO noted that training funds were inadequate. In
addition, several CIOs pointed to project management as a particular area
in need of enhancement.
42U.S. General Accounting Office, Chief Information Officers: Implementing
Effective CIO Organizations, GAO/T-AIMD-00-128 (Washington, D.C.: Mar. 24,
2000).
43U.S. General Accounting Office, Executive Guide: Improving Mission
Performance Through Strategic Information Management and Technology,
GAO/AIMD-94-115 (Washington, D.C.: May 1, 1994) and GAO-01-376G.
o Retention. Four CIOs listed retention of high quality skilled staff as
a challenge. One CIO commented that, as staff become more skilled and
obtain certifications, they become more difficult to retain and that more
flexibility in retaining staff was needed.
o Succession planning. Three CIOs cited succession planning as a
challenge; succession planning can help an organization identify, develop,
and select human capital to ensure that successors are the right people,
with the right skills, available at the right time for leadership and
other key positions.
We have previously reported that many of these same issues exist for the
government as a whole, not just for information and technology management.
As a result, in January 2001 and again in January 2003, we designated
strategic human capital management as a governmentwide high-risk area.44
Moreover, in June 2004, we reported that within the government and the
private sector it has been widely recognized that the federal government's
hiring process is lengthy and cumbersome and hampers agencies' ability to
hire high-quality people.45 We have issued several reports that discuss
these issues in more depth and provide possible solutions and
recommendations.46
44U.S. General Accounting Office, High-Risk Series: An Update, GAO-01-263
(Washington, D.C.: January 1, 2001) and High-Risk Series: Strategic Human
Capital Management, GAO-03-120 (Washington, D.C.: January 2003).
45U.S. General Accounting Office, Human Capital: Additional Collaboration
Between OPM and Agencies Is Key to Improved Federal Hiring, GAO-04-797
(Washington, D.C.: June 7, 2004).
46See U.S. General Accounting Office, Human Capital: A Guide for Assessing
Strategic Training and Development Efforts in the Federal Government,
GAO-04-546G (Washington, D.C.: Mar. 1, 2004); Human Capital: Selected
Agencies' Experiences and Lessons Learned in Designing Training and
Development Programs, GAO-04-291 (Washington, D.C.: Jan. 30, 2004); Human
Capital: Key Principles for Effective Strategic Workforce Planning,
GAO-04-39 (Washington, D.C.: Dec. 11, 2003); Human Capital: Insights for
U.S. Agencies from Other Countries' Succession Planning and Management
Initiatives, GAO-03-914 (Washington, D.C.: Sept. 15, 2003); Human
Capital: Opportunities to Improve Executive Agencies' Hiring Processes,
GAO-03-450 (Washington, D.C.: May 30, 2003); Human Capital: OPM Can Better
Assist Agencies in Using Personnel Flexibilities, GAO-03-428 (Washington,
D.C.: May 9, 2003); and Information Technology Training: Practices of
Leading Private-Sector Companies, GAO-03-390 (Washington, D.C.: Jan. 31,
2003).
Communicating and Collaborating Internally and Externally
Our prior work has shown the importance of communication and
collaboration, both within an agency and with its external partners. For
example, one of the critical success factors we identified in our CIO
guide focuses on the CIO's ability to establish his or her organization as
a central player in the enterprise.47 Specifically, effective CIOs-and
their supporting organizations-seek to bridge the gap between technology
and business by networking informally, forming alliances, and building
friendships that help ensure support for information and technology
management. In addition, earlier this year we reported that to be a
high-performing organization, a federal agency must effectively manage and
influence relationships with organizations outside of its direct
control.48
Ten agency CIOs reported that communication and collaboration were
challenges. For example, one CIO stated that it is a challenge for him to
deal with the sheer diversity and volume of interactions within and
outside the agency and with the need to align these organizations' agendas
with his agency's objectives. Examples of internal communication and
collaboration challenges included (1) cultivating, nurturing, and
maintaining partnerships and alliances while producing results in the best
interest of the enterprise and (2) establishing supporting governance
structures that ensure two-way communication with the agency head and
effective communication with the business part of the organization and
component entities. Other CIOs cited activities associated with
communicating and collaborating with outside entities as challenging,
including sharing information with partners and influencing the Congress
and OMB. Although communication and collaboration can be problematic, our
work on the Year 2000 computing challenge demonstrated their value.49 Both
effective communication and partnering were cited by agencies and others
as lessons learned that contributed to the government's success in this
critical effort. Specifically, for the Year 2000 effort, government
actions went beyond the boundaries of individual programs or agencies and
involved governmentwide oversight; interagency cooperation; and
cooperation among federal, state, and local governments; private sector
entities; and foreign countries.
47GAO-01-376G.
48GAO-04-343SP.
49U.S. General Accounting Office, Year 2000 Computing Challenge: Lessons
Learned Can Be Applied to Other Management Challenges, GAO/AIMD-00-290
(Washington, D.C.: Sept. 12, 2000).
Managing Change
Top leadership involvement and clear lines of
accountability for making management improvements are critical to
overcoming an organization's natural resistance to change, marshalling the
resources needed to improve management, and building and maintaining
organizationwide commitment to new ways of doing business. Some CIOs
reported challenges associated with implementing changes-those originating
both from outside forces and at their own initiative. For example, one CIO
found it a challenge to maintain compliance with changing regulations and
ever-increasing executive direction and data calls. Another CIO cited
dealing with resistance to the use of a rigorous IT methodology as a
challenge.
Implementing major IT changes can involve not only technical risks, but
also nontechnical risks, such as those associated with people and the
organization's culture. Six CIOs cited dealing with the government's
culture and bureaucracy as challenges to implementing change. For example,
one CIO reported that there was institutional resistance to departmentwide
changes. Another noted that one of his challenges was breaking down
longstanding stovepipes that make no sense in a global information
environment. Former agency IT executives also cited the need for cultural
changes as a major challenge facing CIOs. Accordingly, in order to
effectively implement change, it is important that CIOs build
understanding, commitment, and support among those who will be affected by
the change.
In 2002, we convened a forum to identify useful practices and lessons
learned from major private and public sector organizational mergers,
acquisitions, and transformations that agencies could implement to
successfully transform their cultures.50 Examples of the nine key
practices identified are (1) ensuring that top leadership drives the
transformation, (2) setting implementation goals and a time line to build
momentum and show progress, and (3) using the performance management
system to define responsibility and ensure accountability for change.
50U.S. General Accounting Office, Highlights of a GAO Forum: Mergers and
Transformation: Lessons Learned for a Department of Homeland Security and
Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 2002) and
Results-Oriented Cultures: Implementation Steps to Assist Mergers and
Organizational Transformation, GAO-03-669 (Washington, D.C.: July 2, 2003).
Conclusions
Agency CIOs generally reported that they had most of the
responsibilities and reporting relationships required by law or critical
to effective information and technology management, but there were notable
exceptions. In particular, contrary to requirements in the law, some
agency CIOs reported that they were not responsible for certain areas,
such as records management, and that they did not report to their agency
heads. However, views were mixed as to whether CIOs could be effective
leaders without having responsibility for each individual area.
The success of the CIO position also hinges, at least in part, on whether
the individuals placed in this role have the background and attributes
necessary to assume an agency's IT leadership mantle and whether they
spend sufficient time in office to implement changes. Current agency CIOs
have had a wide variety of prior experiences; but they generally have work
and/or educational backgrounds in IT or IT-related fields, as well as
business knowledge related to their agencies. However, most CIOs did not
stay in office for 3 to 5 years, which was the most common response when
we asked current CIOs and former agency IT executives how long a CIO
needed to be in office to be effective. Agencies' use of various
mechanisms, such as human capital flexibilities, could help reduce the
turnover rate or mitigate its effect. Reducing turnover among CIOs is
important because the length of time CIOs are in office can affect their
ability to successfully address the major challenges they face. Some of
these challenges-such as how IT projects are originated-may not be wholly
within their control. Other challenges-such as improved IT management-are
more likely to be overcome if a CIO has sufficient time to more
effectively address these issues.
Matter for Congressional Consideration
As it holds hearings on and introduces legislation related to information
and technology management, we suggest that the Congress consider the
results of this review and whether the existing statutory requirements
related to CIO responsibilities and reporting to the agency heads reflect
the most effective assignment of information and technology management
responsibilities and reporting relationships.
Agency Comments and Our Evaluation
We received written or oral responses on a draft of this report from OMB
and from all 27 of the agencies that were included in our review.51 In
particular, OMB and three agencies made specific comments on the report.
These comments and our analysis are summarized below:
o Oral comments were provided by representatives of OMB's Office of
Information and Regulatory Affairs, Office of Electronic Government and
Information Technology, and Office of General Counsel. Representatives of
these offices noted that, although this report focused on the extent to
which CIOs reported that the areas of responsibility assigned to them are
consistent with 13 areas that GAO identified as critical to effective
information and technology management, they were unclear on the
correlation between or conclusions drawn about who in the agency is
responsible and whether the agency achieves intended outcomes or results.
The objective of this review was to determine which responsibilities were
assigned to current agency CIOs. We did not attempt to draw conclusions
regarding the relationship between the assignment of specific
responsibilities and an agency's success in achieving desired outcomes in
those areas. The OMB representatives also noted that only 10 of the 13
areas surveyed by GAO are mandated by statute, and they questioned the
need to include 3 nonstatutorily mandated areas of CIO responsibility in
this report. We continue to believe that the 3 additional responsibilities
included in this report-systems acquisition, development, and
integration; major e-government initiatives; and enterprise
architecture-can contribute significantly to the successful implementation
of information systems and processes. Furthermore, these responsibilities
are assigned to agencies by statute (though not to the CIO explicitly),
the President's Management Agenda, and OMB's own guidance. The importance
of these three areas to CIOs was borne out by the fact that over 90
percent of the CIOs have been assigned responsibility for them. Finally,
the representatives had no opinion about whether these areas or the agency
official designated to be responsible for them are "critical" to effective
information and technology management, and they drew no conclusions about
the adequacy or effectiveness of the current statutory framework of CIO
responsibilities.
51DOD submitted a single letter that included comments from the
Departments of the Air Force, Army, and Navy.
o The Department of Defense's Deputy Assistant Secretary of Defense
(Deputy CIO) agreed with the findings of the report but did not concur
with our suggestion that the Congress consider the results of our review
when it holds hearings on and introduces legislation related to
information and technology management. In particular, Defense recommended
that either we make no suggestion to the Congress or that we suggest that
the Congress consider ways to strengthen the CIOs' authority and to focus
on specific responsibilities for congressional review. We agree that
strengthening the authority of CIOs can be crucial to their success and to
the effectiveness of information and technology management in their
agencies. Nevertheless, with respect to reporting to the agency head, the
participants in our review offered a number of alternative arrangements.
These alternatives included reporting to a deputy secretary or to a chief
operating officer or equally high-level official, or maintaining a dual
reporting relationship that includes the agency head. Such reporting
relationships may provide the authority and accountability necessary for
CIOs to be effective in their organizations. Accordingly, we continue to
believe that such alternatives deserve consideration if the Congress holds
hearings or introduces legislation related to CIOs' reporting
relationships. With respect to being more specific in our suggestions for
changes to CIO responsibilities, we do not want to suggest that the
Congress constrain the scope of its deliberations should it choose to take
another look at the responsibilities of the CIO. The Department of Defense
also provided a technical comment that we addressed, as appropriate.
Defense's written comments-along with our responses-are reproduced in
appendix VI.
o The Department of the Interior's Assistant Secretary for Policy,
Management and Budget provided comments suggesting that the Congress
consider the impact of continuing changes on the ability of agencies to
effect those changes. While we recognize that agencies require time to
implement major changes, we also note that most of the statutory
requirements considered in our report have been law since 1996. The
Assistant Secretary also recommended that the CIO continue to be required
to report to the agency head, which is the reporting relationship at
Interior. Interior's CIO reporting relationship is consistent with the law
and potentially provides strong support for the CIO in executing his or
her responsibilities. However, as we previously noted, the participants in
our review offered a number of alternative reporting arrangements that
could provide the CIO with the necessary support. We believe that these
alternatives deserve consideration.
Interior's written comments, along with our responses, are reproduced in
appendix VII.
o The director of the Office of Personnel Management provided written
comments in which she included several examples of actions the agency has
taken to encourage the use of human capital management flexibilities to
recruit and retain a high quality workforce. It was outside the scope of
this report to review the Office of Personnel Management's actions to
encourage the use of human capital flexibilities. The Office of Personnel
Management's written comments, and our response, are reproduced in
appendix VIII.
With respect to the other agencies in our review, most generally agreed
with our findings or declined to comment specifically. The agencies'
responses are as follows:
o The Department of Agriculture's CIO thanked GAO for the opportunity to
review the report but provided no further comments. The department's
written comments are reproduced in appendix V.
o The Department of Commerce's GAO Liaison e-mailed a response in which
she thanked GAO for the opportunity to review the report but provided no
further comments.
o A management and program analyst from the Office of the Secretary at
the Department of Education e-mailed a response in which the department
provided no comments.
o A program analyst from the Office of the CIO at the Department of
Energy e-mailed a response in which the department provided no comments.
o The Environmental Protection Agency's GAO Liaison Officer e-mailed a
response in which the agency offered no comments.
o A management analyst at the General Services Administration e-mailed a
response in which the agency provided no comments.
o The Department of Health and Human Services' E-Gov Program Coordinator
and CIO provided an e-mail response in which the department provided no
comments.
o The Department of Homeland Security's GAO Liaison provided an e-mail
response in which the department offered no comments.
o The director of the Department of Housing and Urban Development's Office of
Management and Planning, Office of Administration, e-mailed a response in
which the department offered no comments.
o The Department of Justice's Justice Management Division Audit Liaison
provided an e-mail response in which she
thanked GAO for the opportunity to review the report but provided no
further comments.
o A senior accountant in the Office of the Chief Financial Officer at the
Department of Labor e-mailed a response in which the department generally
agreed with GAO's findings and conclusions. In particular, they concurred
on the challenges a CIO faces and on other general conclusions.
o The National Aeronautics and Space Administration's GAO/OIG Audit
Liaison Team Leader e-mailed a response in which the agency offered no
comments.
o The CIO at the National Science Foundation provided e-mail comments in
which he described the report as very informative and well organized and
presented. He commented that it is certain to be of use as the foundation
considers the role of the CIO in the future. He did not have any further
comments or suggestions.
o The Special Assistant to the CIO at the Nuclear Regulatory Commission
provided an e-mail response in which he thanked GAO for the opportunity to
review the report but provided no further comments.
o The Assistant Administrator for Congressional and Legislative Affairs
at the Small Business Administration provided an e-mail response in which
he thanked GAO for the opportunity to review the report but provided no
further comments.
o The audit liaison at the Social Security Administration provided an
e-mail response in which he thanked GAO for the opportunity to review the
report but provided no further comments.
o A program analyst at the Department of State provided e-mail comments
in which she thanked GAO for the opportunity to comment on the report and
described it as a useful tool for supporting the advancement of
information technology throughout the federal government. She also
provided technical comments that we incorporated, as appropriate.
o The Department of Transportation's Director of Audit Relations e-mailed
that the department had no comments.
o The Department of the Treasury's CIO provided written comments in which
he agreed with the report's identification of the major challenges a CIO
faces. Treasury's written comments are reproduced in appendix IX.
o The U.S. Agency for International Development's Assistant
Administrator, Bureau for Management, provided written comments in which
he concurred with the content of the report. The U.S. Agency for
International Development's written comments are reproduced in appendix X.
o The Department of Veterans Affairs' Acting Director of the
Congressional Reports and Correspondence Service in the Office of
Congressional and Legislative Affairs provided an e-mail response in which
he agreed with the information presented in our report.
We are sending copies of this report to the secretaries of the Departments
of Agriculture, the Air Force, the Army, Commerce, Defense, Education,
Energy, Health and Human Services, Homeland Security, Housing and Urban
Development, the Interior, Justice, Labor, the Navy, State,
Transportation, the Treasury, and Veterans Affairs; the administrators of
the Environmental Protection Agency, General Services Administration,
National Aeronautics and Space Administration, Small Business
Administration, and U.S. Agency for International Development; the
commissioners of the Nuclear Regulatory Commission and the Social Security
Administration; and the directors of the National Science Foundation,
Office of Management and Budget, and Office of Personnel Management. We
will also make copies available to others upon request. In addition, this
report will be available at no charge on the GAO Web site at
http://www.gao.gov.
If you have any questions on matters discussed in this report, please
contact me at (202) 512-9286 or Lester Diamond, Assistant Director, at
(202) 512-7957. We can also be reached by e-mail at [email protected] and
[email protected], respectively. Other key contributors to this report are
listed in appendix XI.
David A. Powner
Director, Information Technology Management Issues
Appendix I
Chief Information Officers (CIO) Interviewed
Department/agency                                Chief information officer(a)
Department of Agriculture                        Lawrence Scott Charbo
Department of Commerce                           Tom Pyke
Department of Defense                            John P. Stenbit
Department of the Air Force                      John M. Gilligan
Department of the Army                           Lieutenant General Steven W. Boutelle
Department of the Navy                           David Martin Wennergren
Department of Education                          William J. Leidinger
Department of Energy                             Rosita Ortiz Parkes
Department of Health and Human Services          Kathleen D. Heuer
Department of Homeland Security                  Steve Cooper
Department of Housing and Urban Development      Vickers B. Meadows
Department of the Interior                       W. Hord Tipton
Department of Justice                            Vance Hitch
Department of Labor                              Patrick Pizzella
Department of State                              Bruce Morrison
Department of Transportation                     Daniel P. Matthews
Department of the Treasury                       Drew Ladner
Department of Veterans Affairs                   Edward Francis Meagher
Environmental Protection Agency                  Kimberly T. Nelson
General Services Administration                  Michael W. Carleton
National Aeronautics and Space Administration    Patricia Lee Dunnington
National Science Foundation                      Dr. George O. Strawn
Nuclear Regulatory Commission                    Ellis W. Merschoff
Office of Personnel Management                   Janet L. Barnes
Small Business Administration                    Stephen D. Galvan
Social Security Administration                   Thomas P. Hughes
U.S. Agency for International Development        John Marshall
Source: GAO.
(a) These CIOs were in their positions during the time of our review, but
some are no longer the CIOs at their agencies.
Appendix II
Former Agency Senior Information Technology (IT) Executive Panels
In March 2004, we held two panels of former agency senior IT executives,
during which we discussed CIOs' roles and responsibilities, reporting
relationships, and challenges. Table 1 provides the former and current
titles of these officials.
Table 1: Former Agency Senior IT Executive Panels

First panel, held March 2, 2004

Name: Mayi Canales
Former agency/positions: Department of the Treasury/Acting Deputy Assistant
Secretary (Information Systems) and CIO
Current organization/position: M Squared Strategies, Inc./Chief Executive
Officer

Name: Dr. Renato A. DiPentima
Former agency/positions: Social Security Administration/Deputy Commissioner
for Systems
Current organization/position: SRA International, Inc./President and Chief
Operating Officer

Name: James J. Flyzik
Former agency/positions: Department of the Treasury/Deputy Assistant
Secretary for Information Systems and CIO
Current organization/position: Guerra, Kiviat, Flyzik, and Associates,
Inc./Partner

Name: Norman E. Lorentz
Former agency/positions: U.S. Postal Service/Chief Technology Officer;
Office of Management and Budget/Chief Technology Officer
Current organization/position: DigitalNet./Senior Vice President,
Intergovernmental Solutions

Name: William C. Piatt
Former agency/positions: General Services Administration/CIO; U.S. Peace
Corps/CIO
Current organization/position: Unisys Corporation/Partner, U.S. Federal
Government Group

Name: Daniel E. Porter
Former agency/positions: Department of the Navy/CIO
Current organization/position: CACI International Inc./Senior Vice
President, Navy Account, Defense & Intelligence Business Group

Second panel, held March 4, 2004

Name: Roger W. Baker
Former agency/positions: Department of Commerce/CIO
Current organization/position: General Dynamics Network Systems/Vice
President, Federal Civilian Operations

Name: Paul Brubaker
Former agency/positions: Department of Defense/Deputy Assistant Secretary
and Deputy CIO
Current organization/position: SI International/Executive Vice President
and Chief Marketing Officer

Name: Spain (Woody) Hall, Jr.
Former agency/positions: Department of Homeland Security/Assistant
Commissioner and CIO of Customs and Border Protection; U.S. Customs
Service/Assistant Commissioner and CIO; and Department of Energy/Deputy
Assistant Secretary and CIO
Current organization/position: Science Applications International
Corporation/Enterprise and Infrastructure Solutions Group/Corporate Vice
President for Project Management

Name: George R. Molaski
Former agency/positions: Department of Transportation/CIO
Current organization/position: e-Associates, LLC/President and Chief
Executive Officer

Name: Alvin M. Pesachowitz
Former agency/positions: Environmental Protection Agency/Associate
Assistant Administrator, Office of Environmental Information and CIO
Current organization/position: Grant Thornton LLP/Global Government
Group/Director of IT Consulting

Name: Debra Stouffer
Former agency/positions: Department of Housing and Urban Development/Deputy
CIO for IT Reform; Environmental Protection Agency/Chief Technology Officer
Current organization/position: DigitalNet./Vice President, Strategic
Consulting Services

Source: GAO.
Appendix III
Summary of CIOs' Information Management and Technology Responsibilities at
Major Departments and Agencies
Capital Planning and Investment Management-Federal laws and guidance
direct agencies to develop and implement processes for IT capital planning
and investment management. 44 U.S.C. 3506(h) and 40 U.S.C. 11312 & 11313.
Results Yes: 27 No: 0
Summary
o Although all the CIOs had primary responsibility for this area, several
said that other organizational units supported the execution of this
responsibility, often through diverse membership on an IT investment
board, which virtually all agencies had in place. At a majority of
agencies, the CIO chaired this IT investment board. Other mechanisms CIOs
used to ensure that their responsibilities were being executed included
making sure appropriate policies and guidance were in place, conducting
periodic investment reviews, and building strong relationships with other
officials.
o Working within the constraints of the federal budget cycle, including
responding to evolving budget exhibit requirements, was perceived as a
challenge by almost half of the CIOs, as was working with the business
side of the agency. Capturing sufficient attention from top management to
build an effective process was mentioned as a challenge by several CIOs.
Another challenge was how to exert influence over IT investments within
agency components. Prioritizing investments and cutting projects due to
budget constraints was also mentioned by several CIOs.
Enterprise Architecture (EA)-Federal laws and guidance direct agencies to
develop and maintain enterprise architectures as blueprints to guide IT
modernization.
Results Yes: 27 No: 0
Summary
o The CIOs used a variety of mechanisms to address their EA
responsibilities, such as participating on investment review boards to
ensure compliance with EA requirements and chairing or participating in
committees that review and approve EA development activities. Several CIOs
also said that they promote EA awareness and ensure that the EA includes
key business processes and requirements. Finally, some CIOs commented that
understanding of and support for the agency EA are improving.
o CIOs said they faced challenges with the activities related to the
development and implementation of the EA. These challenges included
documenting the "as is" architecture, including interdependencies and
interoperability, compliance with the agency EA and the federal enterprise
architecture, and implementation and transition issues. Among other
things, the CIOs who reported challenges pertaining to EA activities
identified obtaining staff buy-in and building relationships with business
components and field offices as other key challenges.
o Of the CIOs who responded to a question about changes they would
recommend, 13 commented that no changes were needed to their role, and
some CIOs described EA legislation and guidance as being adequate.
However, seven identified the need for changes in other areas, including
increased support from management and staff, discipline, oversight, and
improvements in managers' and staff's knowledge and skills. Two reported
that CIOs needed to play a greater role in EA activities.
Information Security-The agency CIO is
responsible for protecting information and systems. 44 U.S.C. 3506(g) and
3544(a)(3).
Results Yes: 27 No: 0
Summary
o CIOs described several mechanisms for ensuring that their information
security responsibilities were being carried out, including periodic
meetings to review agency security performance, Federal Information
Security Management Act reporting, vulnerability and intrusion detection
testing, and risk mitigation strategies. All of the agencies had senior
information security positions to take direct responsibility for this
area. Many CIOs mentioned that they followed Federal Information Security
Management Act guidance and were satisfied with it.
o Challenges in this area included institutionalizing strong security
practices throughout the agency and reducing the number of networks and
systems to be secured. In addition, five CIOs mentioned that it was
difficult to find qualified staff for the security function.
o Many CIOs expressed concern with the criteria used to score information
security performance at their agencies. Seven CIOs mentioned the need for
greater clarity in the definition of information security success or
progress, and five CIOs suggested that it would be helpful if the various
oversight bodies could develop a consistent set of criteria. Finally, two
CIOs suggested that quicker turnaround between measuring and reporting
performance would present a more accurate picture of the actual security
condition.
IT/IRM Strategic Planning-The agency CIO is responsible for strategic
planning for all information and technology management functions-thus, the
term information resources management (IRM) strategic planning. 44 U.S.C.
3506(b)(2).
Results Yes: 27 No: 0
Summary
o In describing how they ensure that this responsibility is being carried
out, many said they made sure that appropriate policies, procedures, or
processes were in place. Seven CIOs mentioned using the investment
management process to ensure that strategic priorities were enforced.
o Nearly half of the CIOs mentioned that coordination across various
stakeholders was a challenge in this area. Several CIOs also cited
measuring performance as a challenge.
o Several CIOs suggested any changes in this area, although three
mentioned that additional guidance would be beneficial.
IT/IRM Workforce Planning-CIOs have responsibilities for helping the
agency meet its IT/IRM workforce or human capital needs. 44 U.S.C. 3506(b)
and 40 U.S.C. 11315(c).
Results Yes: 27 No: 0
Summary
o Responsibility for this area is often shared. Most CIOs worked with
other organizational units to identify agency workforce needs and define
gaps in available staff. The process of addressing these gaps - through
hiring, training, or contracting - was carried out by most CIOs in
collaboration with the human resources or procurement units of the agency.
o Most CIOs identified personnel management as a key challenge in this
area, including the ability to attract staff with specific skills
required, ensure personnel retention, and keep adequate numbers of
personnel in the IT leadership pipeline. Additionally, several CIOs
described hiring processes as cumbersome and a factor that tends to hinder
workforce planning activities.
Major electronic government (e-gov) initiatives-Various laws and guidance
have directed agencies to undertake a variety of e-gov initiatives
relating to using IT to improve government services to the public, as well
as operations within the government.
Results Yes: 25 No: 2
Summary
o At agencies where CIOs have been given responsibility for major e-gov
initiatives, CIOs have adopted a number of mechanisms to ensure that their
responsibilities were being carried out adequately. Several agencies have
established an e-gov program management office and/or have assigned
project managers. Several CIOs reported that they use a scorecard, or
other grading system, to identify strengths and weaknesses in their e-gov
initiatives. Even when the CIOs have been assigned primary responsibility,
they sometimes share responsibility with the functional unit.
o A few agencies have assigned responsibility for major e-gov initiatives
to a senior-level political appointee to raise the visibility of the
initiatives.
o Challenges in this area included managing projects of the scale of the
major e-gov initiatives.
Systems Acquisition, Development, and Integration-GAO found that a
critical element of successful IT management is effective control of
systems acquisition, development, and integration.
Results Yes: 25 No: 2
Summary
o Several CIOs who had responsibility for this area shared that
responsibility with other officials, including the senior acquisition
official and system owners. Most CIOs reported that they utilized various
control processes, such as system review boards and investment management
boards, to provide oversight of systems acquisition and development
activities. The enterprise architecture was also mentioned as a mechanism
to guide these activities and ensure interoperability of systems.
o The two CIOs who did not have responsibility for this area reported
that they contributed to the successful execution of responsibilities by
ensuring that systems comply with the EA or other standards. Where the CIO
did not have primary responsibility, the senior acquisition or procurement
official usually had that responsibility.
o Several CIOs mentioned that coordinating activities related to systems
acquisition was a challenge. Monitoring activities to ensure adherence to
standards was also mentioned as a challenge. A few CIOs also reported that
attracting and retaining individuals with expertise in acquisition and
development was difficult.
Information Collection/Paperwork Reduction-The agency CIO is responsible
for overseeing a process to review agency information collection proposals
in order to maximize the utility and minimize the public "paperwork"
burdens associated with the agency's collection of information. 44 U.S.C.
3506(c).
Results Yes: 22 No: 5
Summary
o Most CIOs said that they focused on statutory and Office of Management
and Budget (OMB) requirements in meeting their responsibilities in this
area, and several CIOs noted that they developed reports for OMB in this
area. Several CIOs specifically mentioned the use of internal systems and
databases to produce automated reports. A few CIOs mentioned using agency
Web sites as a mechanism to support information collection and paperwork
reduction, for example, by allowing for public comment on collections.
Several CIOs described this function as largely administrative and not a
priority.
o In most agencies where the CIO did not have this responsibility,
administrative units carried out these activities.
o A general lack of understanding of the area and its terminology was
mentioned as a challenge by a few CIOs. CIOs at a few agencies also
mentioned that coordinating and implementing their responsibilities was
difficult when they dealt with large and complex collections.
Records Management-The agency CIO is responsible for ensuring that the
agency implements and enforces records management policies and procedures.
44 U.S.C. 3506(f).
Results Yes: 21 No: 6
Summary
o Most CIOs with responsibility for records management felt that they
were the most appropriate official to have that responsibility. Several
also stated that their involvement in the area has been made more
important since agencies began maintaining records electronically. Most of
the CIOs stated that they have developed policies and procedures to make
sure records management activities are carried out appropriately, and a
few mentioned they also use OMB and NARA reporting to oversee activities
in the area.
o In agencies where the CIO was not responsible for records management,
various other officials held responsibility, including senior
administrative officials and General Counsel.
o A few CIOs mentioned that NARA guidance was continuing to evolve,
particularly in the area of electronic records. A few CIOs also described
the need for agencies to become more aware of the value of records
management and begin to use it to manage the agency's records as an asset.
Information Dissemination-The agency CIO is responsible for ensuring that
the agency's information dissemination activities meet policy goals, such
as timely and equitable public access to information. 44 U.S.C. 3506(d).
Results Yes: 20 No: 7
Summary
o Several CIOs reported that they participate in internal review
activities to determine compliance with requirements. Five CIOs develop
policies, procedures, and guidance for information dissemination
activities. Several CIOs also reported that they shared information
dissemination responsibilities with other agency staff to fulfill the
department's information dissemination responsibilities.
o In those agencies in which the CIO was not responsible for this area,
responsibility was most often held by the Office of Public Affairs.
o One CIO said that transitioning from traditional information
dissemination methods to digital information delivery was presenting
challenges, including developing appropriate access controls and updating
policies. A few CIOs also identified challenges in balancing security
and/or privacy with access to information. Another challenge was ensuring
consistency in information dissemination activities across the agency.
Privacy-The agency CIO is responsible for compliance with the Privacy Act
and related laws. 44 U.S.C. 3506(g).
Results Yes: 17 No: 10
Summary
o The CIOs holding this responsibility carried out activities to ensure
compliance with privacy laws, such as
developing privacy policies, conducting privacy impact assessments, and
monitoring their agency's Web sites. Two CIOs said that they have
centralized persons or units reporting directly to them that perform all
information privacy responsibilities. In order to increase staff awareness
of privacy requirements, a few CIOs conducted training programs to address
privacy issues.
o In the agencies in which the CIO did not have responsibility for
privacy, the responsibility was most often held by the Office of General
Counsel and various FOIA and Privacy Offices. Only one CIO expressed some
concern with this assignment of responsibility.
o A few CIOs reported challenges in distinguishing privacy concerns from
security concerns and in balancing privacy with requests for information.
This ambiguity sometimes made it difficult to understand whether
information should be released.
Information Disclosure/Freedom of Information Act (FOIA)-The agency CIO is
responsible for information access requirements, such as those of the FOIA
and related laws. 44 U.S.C. 3506(g).
Results Yes: 9 No: 18
Summary
o Most CIOs with this responsibility reported that it was executed in
concert with other units. Departmental and component-level FOIA offices
were most often cited as partners in this area.
o Where the CIO did not have responsibility for this area, responsibility
was assigned to units such as department- and component-level FOIA
offices, offices of public affairs, and offices of general counsel.
o Several CIOs reported that the interplay among FOIA, privacy, records
management, and security sometimes created challenges, such as whether to
release specific information and under what conditions. Other CIOs stated
that it is difficult to anticipate the volume and nature of requests and
to plan accordingly. Coordination of activities with and ensuring
adherence to standards by component-level organizations was also cited as
a challenge by a few CIOs.
Statistical Policy and Coordination-The agency CIO is responsible for the
agency's statistical policy and coordination functions. 44 U.S.C. 3506(e).
Results Yes: 8 No: 19
Summary
o CIOs used various mechanisms to ensure that their responsibilities were
being carried out, including guidance, tools, assessments and performance
reviews, and information quality reports to OMB. Only 3 agencies with 1 of
the 15 Principal Statistical Agenciesa had assigned responsibility to the
CIO.
o Over half of the CIOs who did not have responsibility for this area
reported that this function was appropriately assigned to other units. No
CIOs expressed concern that they should have responsibility if they did
not. Nine of the agencies where the CIO did not have responsibility for
this function were home to 1 of the 15 Principal Statistical Agencies.
Source: GAO.
aPrincipal Statistical Agencies include the Bureau of Economic Analysis
(Department of Commerce), Bureau of Justice Statistics (Department of
Justice), Bureau of Labor Statistics (Department of Labor), Bureau of
Transportation Statistics (Department of Transportation), Economic
Research Service (Department of Agriculture), Energy Information
Administration (Department of Energy), Environmental Protection Agency,
Internal Revenue Service's Statistics of Income Division (Department of
the Treasury), National Agricultural Statistics Service (Department of
Agriculture), National Center for Education Statistics (Department of
Education), National Center for Health Statistics (Department of Health
and Human Services), Science Resources Statistics (National Science
Foundation), Office of Policy (Social Security Administration), Office of
Management and Budget (Executive Office of the President), and the U.S.
Census Bureau (Department of Commerce).
Appendix IV
CIO Tenure at Each Department and Agency
Agencies provided us with the start and end dates of the tenure of each of
their CIOs since the passage of the Clinger-Cohen Act in February 1996.
These data are represented in figure 1.
Figure 3: Time Line of CIO Tenure at Each Department and Agency
Source: GAO.
aThe number of bar elements for an agency may not add up to the total in
this column because some individual CIOs are shown more than once, as
their circumstances changed (e.g., an acting CIO that became a permanent
CIO).
bThe Department of Defense named this individual as a Senior Civilian
Official during this time; he had been nominated to the CIO position but
not yet confirmed by the Senate. However, because the department stated
that he was serving in the role of the CIO, we classified him as an Acting
CIO until he was confirmed.
cThe first CIO for the National Aeronautics and Space Administration was
in this position prior to the enactment of the Clinger-Cohen Act and left
in February 1996, the same month that the second CIO was named.
dThe current Department of State CIO was made permanent on February 25,
2004.
Table 1 contains statistical analysis of the data presented in figure 1.
Computations have been provided both including and excluding the current
CIOs. In cases where the current CIOs are included, the end of their
tenure was established as of March 1, 2004, the ending date of data
collection for this report.
Table 2: Statistical Analysis of CIO Tenure

Columns:
(1) Permanent and acting CIOs, including current CIOs
(2) Permanent and acting CIOs, excluding current CIOs
(3) Permanent CIOs, including current CIOs
(4) Permanent CIOs, excluding current CIOs
(5) Acting CIOs, including current CIOs
(6) Acting CIOs, excluding current CIOs
(7) Only current permanent CIOs

                                               (1)   (2)   (3)   (4)   (5)   (6)   (7)
Mean (in months)                                21    21    27    30     9     9
Median (in months)                              15    15    23    23     7     7
Minimum (in months)                             1a    1a    1a    3a     1     1
Maximum (in months)                             94    75    94    75    26    26
Number of CIOs in this population              108    81    74    49    34    32
Number of CIOs in office less than 3 years      89    64    55    32    34    32
Number of CIOs in office greater than 5 years    4     3     4     3     0     0
Number of CIOs in office between 3 and 5 years  15    14    15    14     0     0
Percentage of CIOs in office at least 3 years  18%   21%   26%   35%    0%    0%    8%
Source: GAO.
Note: CIOs who moved from acting to permanent status have been treated as
if they were permanent the entire time, and calculations were performed on
their aggregated time as one length of service. Also, these acting CIOs
who became permanent were not included in the acting calculations above.
aThe first CIO for the National Aeronautics and Space Administration was
in the CIO position prior to the enactment of the Clinger-Cohen Act and
left in February 1996, the same month that the second CIO was named. The
numbers listed for minimum tenure are the next shortest tenure.
Appendix V
Comments from the Department of Agriculture
Appendix VI
Comments from the Department of Defense (including the Departments of the
Air Force, Army, and Navy)
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
See comment 1.
See comment 2.
See comment 3.
The following are GAO's comments on the Department of Defense's letter
dated July 1, 2004.
GAO Comments
1. We agree with the Department of Defense that strengthening the
authority of CIOs in many of the areas for which they have responsibility
can be crucial to their success and to the effectiveness of information
and technology management in their agencies. However, we do not agree that
there was an overall consensus that CIOs should report to their agency
heads. The participants in our review offered a number of alternative
reporting arrangements, including reporting to a deputy secretary or to a
chief operating officer or equally high-level official, or maintaining a
dual reporting relationship that includes the agency head. While such
reporting relationships are not necessarily directly to the agency head,
they may provide the authority and accountability necessary for CIOs to be
effective in their organizations. We believe these alternatives deserve
consideration if the Congress holds hearings or introduces legislation
related to CIOs' reporting relationships.
2. We disagree that our Matter for Congressional Consideration should be
more specific. While the two responsibilities mentioned by the Department
of Defense clearly differ from the others in the number of CIOs reporting
that they hold responsibility, the Congress has established a coordinated
approach to managing federal agencies' information resources. As the
Congress considers future statutory frameworks, this same coordinated
approach may well be critical in its deliberations. Given the broad range
of the Congress's purview, we do not want to suggest that the Congress
constrain the scope of its deliberations should it choose to take another
look at the responsibilities of the CIO.
3. We believe that we accurately characterized Dr. Wells's status. The
Office of Personnel Management has used the term "political appointees" in
various documents to describe Schedule C appointees.
Appendix VII
Comments from the Department of the Interior
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
See comment 1.
See comment 2.
The following are GAO's comments on the Department of the Interior's
letter dated July 6, 2004.
GAO Comments
1. While we recognize that agencies require time to implement major
changes, most of the statutory requirements considered in our report have
been law since 1996. Since the findings of our report indicate that
opinions are mixed on whether the current statutory framework is the most
appropriate, we continue to believe that if the Congress holds hearings or
introduces legislation related to the CIOs' reporting relationships, the
findings of this report should be considered.
2. We believe it is critical for CIOs to have the authority and
accountability that they need in order to be effective in their
organizations. The Department of the Interior's approach, with the CIO
reporting to the Secretary, is consistent with the law and potentially
provides strong support for the CIO in executing his responsibilities.
However, the participants in our review offered a number of alternative
reporting arrangements that could provide the CIO with the necessary
support; these included reporting to a deputy secretary, to a chief
operating officer, or equally high-level official, or maintaining a dual
reporting relationship that includes the agency head. We believe these
alternatives deserve consideration if the Congress holds hearings or
introduces legislation related to the CIOs' reporting relationships.
Appendix VIII
Comments from the Office of Personnel Management
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
The following are GAO's comments on the Office of Personnel Management's
letter dated July 6, 2004.
GAO Comments 1. As we have stated in this report, we believe that human
capital flexibilities offer opportunities for agencies to help reduce CIO
turnover or mitigate its effect. However, it was outside the scope of this
report to review the Office of Personnel Management's activities in this
area. The Office of Personnel Management's description of these activities
in its written comments provides a few examples of opportunities that
agencies may be able to take advantage of.
Appendix IX
Comments from the Department of the Treasury
Appendix X
Comments from the U.S. Agency for International Development
Appendix XI
GAO Contact and Staff Acknowledgments
GAO Contact: Lester Diamond, 202-512-7957 or [email protected]
Staff Acknowledgments: Neha Bhavsar, Margaret W. Davis, Neil J. Doherty,
Joanne Fiorino, Evan B. Gilman, Peggy A. Hegg, Ashfaq M. Huda, Robert G.
Kershaw, Linda J. Lambert, Mary Beth McClanahan, David F. Plocher, and
Cynthia J. Scott made key contributions to this report.
*** End of document. ***