Veterans Affairs: The Critical Role of the Chief Information
Officer Position in Effective Information Technology Management
(14-SEP-05, GAO-05-1017T).
In carrying out VA's mission of serving the nation's veterans and
their dependents, the agency relies extensively on information
technology (IT), for which it is requesting about $2.1 billion in
fiscal year 2006. VA's vision is to integrate its IT resources
and streamline interactions with customers, so that it can
provide services and information to veterans more quickly and
effectively. Fully exploiting the potential of IT to improve
performance is a challenging goal for VA, as it is throughout
government. The Clinger-Cohen Act of 1996 addressed this
challenge by, among other things, establishing the position of
chief information officer (CIO) to serve as the focal point for
information and technology management within departments and
agencies. The Committee requested that GAO discuss the role of
CIOs in the federal government, as well as provide a historical
perspective on the roles and responsibilities of VA's CIO. In
developing this testimony, GAO relied on its previous work at VA
as well as on the CIO role across government, including a 2004
review of CIOs at major departments and agencies.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-05-1017T
ACCNO: A36777
TITLE: Veterans Affairs: The Critical Role of the Chief
Information Officer Position in Effective Information Technology
Management
DATE: 09/14/2005
SUBJECT: Agency missions
Chief information officers
Information resources management
Information technology
Internal controls
Productivity in government
Federal agency reorganization
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-05-1017T
United States Government Accountability Office
GAO Testimony before the Committee on Veterans' Affairs, House of
Representatives
For Release on Delivery Expected at 10:00 a.m. EDT September 14, 2005
VETERANS AFFAIRS
The Critical Role of the Chief Information Officer Position in Effective
Information Technology Management
Statement of Linda D. Koontz
Director, Information Management Issues
GAO-05-1017T
[IMG]
September 14, 2005
VETERANS AFFAIRS
The Critical Role of the Chief Information Officer Position in Effective
Information Technology Management
What GAO Found
CIOs play a critical role in managing information and technology within
federal agencies. According to GAO's 2004 review, CIOs generally held wide
responsibilities and reported to their agency heads or other top level
managers. In general, CIOs reported that they were responsible for key
information and technology management areas; for example, all the CIOs
were responsible for five key areas (capital planning and investment
management, enterprise architecture, information security, strategic
planning for information technology and information resource management,
and information technology workforce planning). However, in carrying out
their responsibilities, the tenure of federal CIOs was often less than the
length of time that some experts consider necessary for them to be
effective and implement changes: the median tenure was about 2 years, and
the most common response regarding time required to be effective was 3 to
5 years. In contrast, CIOs were generally helped in carrying out their
responsibilities by the background and experience they brought to the job:
most had background in information technology (IT) or related fields, and
many also had business knowledge related to their agencies. Other factors
that help CIOs meet their responsibilities include (1) being supported by
senior executives who recognize the importance to their missions of IT and
an effective CIO; (2) playing an influential role in applying IT to
business needs; and (3) being able to structure their organizations
appropriately. At the same time, CIOs cited several challenges, of which
the two most frequently mentioned were implementing effective IT
management and obtaining sufficient and relevant resources.
Over time, the CIO position at VA, as well as information and technology
management as a whole, has received increased attention at the department.
After several years with CIOs whose primary duty was not information and
technology management or who were serving in an acting capacity, the
department appointed a full-time permanent CIO in August 2001. In 2002,
the department proposed further strengthening the position and
centralizing IT management, recognizing that aspects of its computing
environment were particularly challenging and required substantial
management attention. In particular, the department's information systems
and services were highly decentralized, and a large proportion of the
department's IT budget was controlled by the VA's administrations and
staff offices. To address these challenges, the Secretary issued a memo in
2002 announcing that IT functions, programs, and funding would be
centralized under the department-level CIO. This realignment held promise
for improving accountability and enabling the department to accomplish its
mission. The additional oversight afforded the CIO could have a
significant impact on the department's ability to more effectively account
for and manage its IT spending.
United States Government Accountability Office
Mr. Chairman and Members of the Committee:
Thank you for inviting us to take part in your discussion of the
information technology organization at the Department of Veterans Affairs
(VA) and the role of the Chief Information Officer (CIO). In carrying out
its mission of serving our nation's veterans, the department relies
heavily on information technology, for which it is requesting about $2.1
billion in funding for fiscal year 2006. The CIO will play a vital role in
ensuring that this money is well spent and that information technology is
managed effectively. As we have previously reported, an effective CIO can
make a significant difference in building the institutional capacity that
is needed to improve an agency's ability to manage information and
technology and thus enhance program performance.
At your request, we will discuss the role of CIOs in the federal
government, as well as providing a historical perspective on the roles and
responsibilities of VA's CIO.
In developing this testimony, we reviewed our previous work in this area.
All work covered in this testimony was performed in accordance with
generally accepted auditing standards.
Results in Brief
Since the Clinger-Cohen act established the CIO position in 1996, federal
CIOs have played a central role in managing information and technology
within federal agencies. According to CIOs at major departments and
agencies, they generally held wide responsibilities and reported to their
agency heads or other top level managers.1 In general, CIOs reported that
they were responsible for key information and technology management areas;
for example, all the CIOs were responsible for five key areas (capital
planning and investment management, enterprise architecture, information
1 GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (July 21, 2004).
security, strategic planning for information technology and information
resource management, and information technology workforce planning). In
carrying out these responsibilities, the tenure of federal CIOs was often
less than the length of time that some experts consider necessary for them
to be effective and implement changes: the median tenure was about 2
years, and the most common response regarding time required to be
effective was 3 to 5 years. In contrast, CIOs were generally helped in
carrying out their responsibilities by the background and experience they
brought to the job. Although their background was varied, most had
background in information technology (IT) or related fields, many having
previously served as CIOs; many also had business knowledge related to
their agencies, having previously either worked at the agency or in an
area related to its mission. Other factors that help CIOs meet their
responsibilities effectively are described in guidance2 that we have
issued; key among these are (1) being supported by senior executives who
recognize the importance to their missions of IT and an effective CIO; (2)
playing an influential role in applying IT to business needs; and (3)
being able to structure their organizations appropriately. At the same
time, CIOs cited several challenges, of which the two most frequently
mentioned were implementing effective IT management and obtaining
sufficient and relevant resources.
Over time, VA has devoted increased attention to the CIO position and to
IT management. After going for 2 1/2 years after the passage of the
Clinger-Cohen Act without a CIO, followed by 2 years with an executive
whose time was divided among CIO and other major duties, and then 1 year
with an acting CIO, the department appointed a full-time permanent CIO in
August 2001. Since then, the department proposed further strengthening the
position and centralizing IT management, recognizing that aspects of its
computing environment were particularly challenging and required
substantial management attention. In particular, the department's
information systems and services were highly decentralized, and a large
proportion of the department's IT budget was controlled by
2 GAO, Maximizing the Success of Chief Information Officers: Learning from
Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).
the VA's administrations and staff offices. To address these challenges,
the Secretary issued a memo in 2002 announcing that IT functions,
programs, and funding would be centralized under the department-level CIO.
In our view, this realignment held promise for improving IT accountability
and enabling the department to accomplish its mission. The additional
oversight afforded the CIO could have a significant impact on the
department's ability to more effectively account for and manage its
approximately $2.1 billion in planned IT spending.
Background
VA comprises three major components: the Veterans Benefits Administration
(VBA), the Veterans Health Administration (VHA), and the National Cemetery
Administration (NCA).3 VA's mission is summed up in its mission statement,
a quotation from Abraham Lincoln: "to care for him who shall have borne
the battle and for his widow and his orphan." VA carries out this mission
by providing benefits and other services to veterans and dependents.
The department's vision is to be a more customer-focused organization,
functioning as "One VA." This vision stemmed from the recognition that
veterans think of VA as a single entity, but often encountered a
confusing, bureaucratic maze of uncoordinated programs that put them
through repetitive and frustrating administrative procedures and delays.
The "One VA" vision is to create versatile new ways for veterans to obtain
services and information by streamlining interactions with customers and
integrating IT resources to enable VA employees to help customers more
quickly and effectively. This vision will require modifying or replacing
separate information systems with integrated systems using common
standards to share information across VA programs and with external
partner organizations, such as the Department of
3 VBA provides nonmedical benefits to veterans and their dependents; VHA
provides services through the nation's largest health-care system; and NCA
provides burial services in 115 national cemeteries.
Defense. Accordingly, effective management of its IT programs is vital to
VA's successful achievement of its vision and mission.
Table 1 shows a breakdown of VA's approximately $2.1 billion IT budget
request for fiscal year 2006. Of the total, VHA accounted for
approximately $1.8 billion, VBA approximately $150 million, and the
National Cemetery Administration (NCA) approximately $11 million. The
remaining $84 million was allocated to the department level.
Table 1: Breakdown of VA's Fiscal Year 2006 Information Technology Budget
Request (in millions)
Organization Request
VHA $1835 88%
VBA 150 7%
NCA 11 <1%
Department 84 4%
Total $2080
Source: GAO analysis of VA data.
CIO Plays Major Role in IT Management
The Congress has long recognized that IT has the potential to enable
federal agencies to accomplish their missions more quickly, effectively,
and economically. However, fully exploiting this potential presents
challenges to agencies. Despite substantial IT investments, the federal
government's management of information resources has produced mixed
results. One of the ways in which the Congress has addressed this issue
was to establish the CIO position; an agency's CIO serves as the focal
point for information and technology management within an agency.
Legislative Evolution of Agency CIO Role
For more than 20 years, federal law has structured the management of IT
and information-related activities under the umbrella of
information resources management (IRM).4 The IRM approach was first
enacted into law in the Paperwork Reduction Act of 1980.5 The intention of
the Congress was to provide for a coordinated approach to managing federal
agencies' information resources, addressing the entire information life
cycle, from collection through disposition, with the ultimate goal of
improving the efficiency and effectiveness of government while reducing
the "paperwork burden" on the public.6
The 1980 Paperwork Reduction Act centralized governmentwide IRM
responsibilities in the Office of Management and Budget (OMB), giving OMB
specific policy-setting and oversight duties regarding individual IRM
areas, such as records management, privacy, and the acquisition and use of
IT.7 Agencies were given responsibility for carrying out their IRM
activities in an efficient, effective, and economical manner in compliance
with OMB policies and guidelines. The law also required that each agency
head designate a senior official, reporting directly to the agency head,
to carry out the agency's responsibilities under the law.
In 1996, the Clinger-Cohen Act established the position of agency CIO by
giving this title to the "senior IRM official" mentioned in the Paperwork
Reduction Act and specifying additional responsibilities for this
position.8 Among these responsibilities, the Clinger-Cohen
4 IRM is the process of managing information resources to accomplish
agency missions and to improve agency performance.
5 Pub. L. 96-511 (Dec. 11, 1980).
6 That is, the burden of responding to government information collections:
forms, surveys, and questionnaires.
7 The 1980 Paperwork Reduction Act referred to this as "automatic data
processing and telecommunications equipment," a term that has since been
replaced by "IT."
8 Pub. L. 104-106, February 10, 1996. The law, initially entitled the
Information Technology Management Reform Act, was subsequently renamed the
Clinger-Cohen Act in Pub. L. 104208, September 30, 1996.
act required that the CIOs in the 24 major departments and agencies9 have
IRM as their "primary duty." 10
The view of the Congress as reflected in current law is thus that CIOs
should play a key leadership role in ensuring that agencies manage their
information functions in a coordinated and integrated fashion in order to
improve the efficiency and effectiveness of government programs and
operations.
CIO Responsibilities and Reporting Relationships
Besides their statutory responsibilities, CIOs have other responsibilities
that can contribute significantly to the successful implementation of
information systems and processes. In July 2004, we interviewed 27 CIOs at
major agencies 11 on their roles, responsibilities, and challenges, among
other things. For this report, we identified major areas of CIO
responsibilities that were either statutory requirements or critical to
effective information and technology management.12 Altogether, we
identified the 13 areas shown in table 2.
9 The 24 major departments and agencies are specified in 31 U.S.C. 901.
10 The E-Government Act of 2002 reiterated agency responsibility for
information resources management. Pub. L. 107-347, December 17, 2002.
11 The 27 agencies covered by our report were the Departments of
Agriculture, the Air Force, the Army, Commerce, Defense, Education,
Energy, Health and Human Services, Homeland Security, Housing and Urban
Development, the Interior, Justice, Labor, the Navy, State,
Transportation, the Treasury, and Veterans Affairs; and the Environmental
Protection Agency, General Services Administration, National Aeronautics
and Space Administration, National Science Foundation, Nuclear Regulatory
Commission, Office of Personnel Management, Small Business Administration,
Social Security Administration, and U.S. Agency for International
Development.
12 GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (July 21, 2004).
Table 2: Major Areas of CIO Responsibility Area of responsibility Description
Applicable laws
IT/IRM strategic planning Performing strategic planning for all
information and information technology management functions
44 U.S.C. 3506(b)(2) IT capital planning and Planning and management of IT 44
U.S.C. 3506(h), investment management capital investments
40 U.S.C. 11312 & 11313
Information security Ensuring agency compliance 44 U.S.C. 3506(g)
with the requirement to and 3544(a)(3)
protect
information and systems
IT/IRM human capital Helping agency meet IT/IRM 44 U.S.C. 3506(b),
workforce needs 40 U.S.C. 11315(c)
Information Reviewing agency information 44 U.S.C. 3506(c)
collection/paperwork reduction collection proposals to maximize the
utility and minimize public paperwork burden
Information Ensuring that information 44 U.S.C.
dissemination 3506(d)
dissemination activities
meet
policy goals such as
timely and
equitable public access
to
information
Records management Ensuring that agency 44 U.S.C. 3506(f)
implements and enforces
records management policies
and procedures under the
Federal Records Act
Privacy Ensuring agency compliance 44 U.S.C. 3506(g) with the Privacy Act
and related laws
Statistical policy and Performing statistical policy and 44 U.S.C. 3506(e)
coordination coordination functions, including ensuring the relevance,
accuracy, and timeliness of information collected or created for
statistical purposes
Information disclosure Ensuring appropriate information 44 U.S.C. 3506(g)
access under the Freedom of Information Act
a
Enterprise architecture Developing and maintaining the OMB guidance
enterprise architecture defining the agency's mission and the information
and IT needed to perform it
Systems acquisition, Controlling the acquisition, 44 U.S.C. 3506(h)(5),
a
development, and integration development, and integration of 40 U.S.C.
11312 IT systems
Area of responsibility Description Applicable laws
a
E-government initiatives Supporting initiatives to use IT to 44 U.S.C.
3506(h)(3), improve government services to E-Government Act of the public
and internal 2002, other laws and operations guidance
Source: GAO analysis.
a The last three areas of responsibility-enterprise architecture; systems
acquisition, development, and integration; and e-government
initiatives-are not assigned to CIOs by statute; they are assigned to the
agency heads by law or guidance. However, in virtually all agencies, the
agency heads have delegated these areas of responsibility to their CIOs.
According to our report, CIOs were generally responsible for the key
information and technology management areas shown in the table, although
not all CIOs were completely responsible for all areas.13 For example:
0M All the CIOs were responsible for five areas (capital planning and
investment management, enterprise architecture, information security,
IT/IRM strategic planning, and IT workforce planning).
0M More than half had responsibility for six additional areas (systems
acquisition, major e-government initiatives, information
collection/paperwork reduction, records management, information
dissemination, and privacy).
0M Fewer than half were responsible for two areas (information disclosure
and statistics).
It was common for CIOs to share responsibility for certain functions, and
in some cases responsibilities were assigned to other offices. For
example, systems acquisition responsibility could be shared among the CIO
and other officials, such as a procurement executive or program executive;
disclosure could be assigned to general counsel and public affairs, while
statistical policy could be assigned to offices that deal with the
agency's data analysis.14 Nevertheless, even for areas of responsibility
that were not assigned
13 The acting CIO at VA at the time of the review responded that the CIO
was responsible for all the activities except for statistical policy and
coordination.
14 This is particularly the case in agencies that contain Principal
Statistical Agencies, such as the Bureau of Economic Analysis (Department
of Commerce), Bureau of Justice Statistics (Department of Justice), Bureau
of Labor Statistics (Department of Labor), and others.
to CIOs, agency CIOs generally reported that they contributed to the
successful execution of the agency's overall responsibilities in that
area.
In carrying out their responsibilities, CIOs generally reported to their
agency heads. The Paperwork Reduction Act-as well as our
guidance15-generally calls for CIOs to report to their agency heads,16
forging relationships that ensure high visibility and support for
farreaching information management initiatives. For 19 of the agencies in
our review, the CIOs stated that they had this reporting relationship. In
the other 8 agencies, the CIOs stated that they reported instead to
another senior official, such as a deputy secretary, under secretary, or
assistant secretary. In addition, 8 of the 19 CIOs who said they had a
direct reporting relationship with the agency head noted that they also
reported to another senior executive, usually the deputy secretary or
under secretary for management, on an operational basis. According to
members of our Executive Council on Information Management and
Technology,17 what is most critical is for the CIO to report to a top
level official.
Tenure and Backgrounds of CIOs
Federal CIOs often remained in their positions for less than the length of
time that some experts consider necessary for them to be effective and
implement changes. At the major departments and agencies included in our
review, the median time in the position of permanent CIOs whose time in
office had been completed was about 23 months.18 For career CIOs, the
median was 32 months; the
15 GAO, Maximizing the Success of Chief Information Officers: Learning
from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).
16 The Homeland Security Act of 2002 states that the CIO for the
Department of Homeland Security shall report to the Secretary of Homeland
Security or to another official as directed by the Secretary. As allowed
by the law, the Secretary has directed the CIO to report to the Under
Secretary for Management.
17 This panel of industry, state government, and academic experts provides
outside expertise to GAO on information technology issues.
18 We did not include acting CIOs in this calculation, unless the acting
CIO was later put in the permanent position. We calculated tenure since
the enactment of the Clinger-Cohen Act (1996).
median for political appointees was 19 months. To the question of how long
a CIO needed to stay in office to be effective, the most common response
of the CIOs (and former agency IT executives whom we consulted) was 3 to 5
years. Between February 10, l996, and March 1, 2004, only about 35 percent
of the permanent CIOs who had completed their time in office reportedly
had stayed in office for a minimum of 3 years. The gap between actual time
in office and the time needed to be effective is consistent with the view
of many agency CIOs that the turnover rate was high, and that this rate
was influenced by the political environment, the pay differentials between
the public and private sectors, and the challenges that CIOs face.
In contrast, the CIOs interviewed for our report were generally helped in
carrying out their responsibilities by the background and experience they
brought to the job. The background of the CIOs varied in that they had
previously worked in the government, the private sector, or academia, and
they had a mix of technical and management experience. However, virtually
all had work experience or educational backgrounds in IT or IT-related
fields; 12 agency CIOs had previously served in a CIO or deputy CIO
capacity. Moreover, most of the them had business knowledge related to
their agencies because they had previously worked at the agency or had
worked in an area related to the agency's mission.
Success Factors and Challenges of CIOs
To allow CIOs to serve effectively in the key leadership role envisioned
by the Congress, federal agencies must use the full potential of CIOs as
information and technology management leaders and active participants in
the development of the agency's strategic plans and policies. The CIOs, in
turn, must meet the challenges of building credible organizations and
developing and organizing information and technology management
capabilities to meet mission needs.
In February 2001, we issued guidance19 on the effective use of CIOs, which
describes the following three factors as key contributors to CIO success:
0M Supportive senior executives embrace the central role of technology in
accomplishing mission objectives and include the CIO as a full participant
in senior executive decision making.
0M Effective CIOs have legitimate and influential roles in leading top
managers to apply IT to business problems and needs. Placement of the
position at an executive management level in the organization is
important, but in addition, effective CIOs earn credibility and produce
results by establishing effective working relationships with business unit
heads.
0M Successful CIOs structure their organizations in ways that reflect a
clear understanding of business and mission needs. Along with knowledge of
business processes, market trends, internal legacy structures, and
available IT skills, this understanding is necessary to ensure that the
CIO's office is aligned to best serve agency needs.
The CIO study that we reported on in July 2004 also provides information
on the major challenges that federal CIOs face in fulfilling their
duties.20 In particular, CIOs view IT governance processes, funding, and
human capital as critical to their success, as indicated by two challenges
that were cited by over 80 percent of the CIOs: implementing effective
information technology management and obtaining sufficient and relevant
resources.
0M Effective IT management.
Leading organizations execute their information technology management
responsibilities reliably and efficiently. A little over 80 percent of the
CIOs reported that they faced one or more challenges related to
implementing effective IT management practices at their agencies. This is
not surprising given that, as we have previously
19 GAO, Maximizing the Success of Chief Information Officers: Learning
from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).
20 GAO, Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July
21, 2004).
reported, the government has not always successfully executed the IT
management areas that were most frequently cited as challenges by the
CIOs-information security, enterprise architecture, investment management,
and e-gov.21
0M Sufficient and relevant resources.
One key element in ensuring an agency's information and technology success
is having adequate resources. Virtually all agency CIOs cited resources,
both in dollars and staff, as major challenges. The funding issues cited
generally concerned the development and implementation of agency IT
budgets and whether certain IT projects, programs, or operations were
being adequately funded.
We have previously reported that the way agency initiatives are originated
can create funding challenges that are not found in the private sector.22
For example, certain information systems may be mandated or legislated, so
the agency does not have the flexibility to decide whether to pursue them.
Additionally, there is a great deal of uncertainty about the funding
levels that may be available from year to year.
The government also faces long-standing and widely recognized challenges
in maintaining a high-quality IT workforce. In 1994 and 2001, we reported
on the importance that leading organizations placed on making sure they
had the right mix of skills in their IT workforce.23 About 70 percent of
the agency CIOs reported on a
21 See, for example, GAO, High-Risk Series: Protecting Information Systems
Supporting the Federal Government and the Nation's Critical
Infrastructures; GAO-03-121 (Washington, D.C.: Jan. 1, 2003); Information
Technology Management: Governmentwide Strategic Planning, Performance
Measurement, and Investment Management Can Be Further Improved, GAO-04-49
(Washington, D.C.: Jan. 12, 2004); Information Technology: Leadership
Remains Key to Agencies Making Progress on Enterprise Architecture
Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003); and Major Management
Challenges and Program Risks: A Governmentwide Perspective, GAO-03-95
(Washington, D.C.: January 2003).
22 GAO, Chief Information Officers: Implementing Effective CIO
Organizations, GAO/T-AIMD-00-128 (Washington, D.C.: Mar. 24, 2000).
23 GAO, Executive Guide: Improving Mission Performance through Strategic
Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.:
May 1, 1994) and GAO-01-376G.
number of substantial IT human capital challenges, including, in some
cases, the need for additional staff. Other challenges included
recruiting, retention, training and development, and succession planning.
In addition, two other commonly cited challenges were communicating and
collaborating (both internally and externally) and managing change.
0M Communicating and collaborating.
Our prior work has shown the importance of communication and
collaboration, both within an agency and with its external partners. For
example, one of the critical success factors we identified in our guide
focuses on the CIO's ability to establish his or her organization as a
central player in the enterprise.24 Ten agency CIOs reported that
communication and collaboration were challenges. Examples of internal
communication and collaboration challenges included (1) cultivating,
nurturing, and maintaining partnerships and alliances while producing
results in the best interest of the enterprise and (2) establishing
supporting governance structures that ensure twoway communication with the
agency head and effective communication with the business part of the
organization and component entities. Other CIOs cited activities
associated with communicating and collaborating with outside entities as
challenges, including sharing information with partners and influencing
the Congress and OMB.
0M Managing change.
Top leadership involvement and clear lines of accountability for making
management improvements are critical to overcoming an organization's
natural resistance to change, marshaling the resources needed to improve
management, and building and maintaining organizationwide commitment to
new ways of doing business. Some CIOs reported challenges associated with
implementing both changes originating from their own initiative and
changes from outside forces. Implementing major IT changes can
24 GAO-01-376G.
involve not only technical risks but also nontechnical risks, such as
those associated with people and the organization's culture. Six CIOs
cited dealing with the government's culture and bureaucracy as challenges
to implementing change. Former agency IT executives also cited the need
for cultural changes as a major challenge facing CIOs. Accordingly, in
order to effectively implement change, it is important that CIOs build
understanding, commitment, and support among those who will be affected by
the change.
Effectively tackling these reported challenges can improve the likelihood
of a CIO's success. Until these challenges are overcome, federal agencies
are unlikely to optimize their use of information and technology, which
can affect an organization's ability to effectively and efficiently
implement its programs and missions.
Roles and Responsibilities of the CIO Position at VA Have Evolved
over Time Since enactment of the Clinger-Cohen Act in 1996, the roles and
responsibilities of VA's Chief Information Officer have evolved. From
lacking a CIO entirely, the department has taken steps to address the
challenges posed by its multiple widespread components and its
decentralized information technology and services.
In June 1998, VA assigned CIO responsibility to a top manager. 25 However,
we reported in July 199826 that the person holding the CIO position at VA
had multiple additional major responsibilities, as this person also served
as Assistant Secretary for Management, Chief Financial Officer, and Deputy
Assistant Secretary for Budget. According to the act, the CIO's primary
responsibility should be information and technology management. Noting
that VA's structure
25 Section 5604 of the Clinger-Cohen Act specifically created the position
of Chief Information Officer at VA effective August 8, 1996. See 38 U.S.C.
S: 310.
26 GAO, VA Information Technology: Improvements Needed to Implement
Legislative Reforms, GAO/AIMD-98-154 (Washington, D.C.: July 7, 1998).
was decentralized, its IT budget was large, and its CIO faced serious
information and technology management issues, we recommended that the
Secretary appoint a CIO with full-time responsibilities for IRM.
Concurring with the recommendation, VA established the position of
Assistant Secretary for Information and Technology to serve as its CIO.
As of May 2000, however, the position of Assistant Secretary for
Information and Technology was vacant, and as we reported at the time,27
it had been unfilled since its creation in 1998. The Secretary then
created and filled the position of Principal Deputy Assistant Secretary
for Information and Technology, designating that person as VA's acting CIO
until an Assistant Secretary could be appointed. The Secretary also
realigned IRM functions within VA under this position, which reported
directly to the Secretary.
As we reported,28 the Principal Deputy Assistant Secretary was involved in
IT planning issues across the department. In addition to advising the
Secretary on IT issues, he served as chair of the department's CIO Council
and as a member of the department's Capital Investment Board, and he
worked with the CIOs in VBA and VHA (at the time, NCA had no CIO).
According to this official, one of his priorities was to ensure that IT
activities in VBA and VHA were in concert with VA's departmentwide
efforts.
In August 2001, VA filled the CIO position. In March 2002,29 we testified
that this hiring was one of the important strides that the Secretary of
Veterans Affairs had made to improve the department's IT leadership and
management, along with making a commitment to reform the department's use
of IT.
27 GAO, Information Technology: Update on VA Actions to Implement Critical
Reforms, GAO/AIMD-00-74 (Washington, D.C.: May 11, 2000).
28 GAO, Information Technology: Update on VA Actions to Implement Critical
Reforms, GAO/AIMD-00-74 (Washington, D.C.: May 11, 2000).
29 GAO, Progress Made, but Continued Management Attention Is Key to
Achieving Results, GAO-02-369T (Washington, D.C.: Mar. 13, 2002).
On June 29, 2003, the CIO retired after a tenure of almost 2 years (about
the median length of tenure for federal CIOs, as discussed above); the
current CIO was confirmed in January 2004.
Figure 1 is a time line showing the history of the CIO position at VA
since the passage of the Clinger-Cohen Act.
Figure 1: Time Line of CIO Tenure at VA
August 1996: CIO July 1998: CIO
position established by responsibilities assigned
Clinger-Cohen Act to VA executive
June 2000: Deputy assistant secretary position established; acting CIO in
position June 29, 2003: CIO retired; deputy acts as CIO
August 2001: CIO
January 2004: CIO
confirmed confirmed
Vacant
CIO with multiple responsibilities
Acting
Permanent dedicated position
Source: GAO.
VA Proposed to Realign its IT Organization in Response to IT Management
Challenges
Our prior work highlighted some of the challenges that the CIO faced as a
result of the way the department was organized to carry out its IT
mission.30 Among these challenges was that information systems and
services were highly decentralized, and the VA administrations and staff
offices controlled a majority of the department's IT budget. For example,
in VA's information technology budget for fiscal year 2002 of
approximately $1.25 billion, VHA controlled about $1.02 billion (over 80
percent), whereas the department level controlled about $60.2 million
(less than 5 percent).
30 GAO, VA Information Technology: Important Initiatives Begun, Yet
Serious Vulnerabilities Persist, GAO-01-550T (Washington, D.C.: Apr. 4,
2001) and VA Information Technology: Progress Made, but Continued
Management Attention Is Key to Achieving Results, GAO-02-369T (Washington,
D.C.: Mar. 13, 2002).
In addition, we noted that there was neither direct nor indirect reporting
to VA's cyber security officer-the department's senior security
official-thus raising questions about this person's ability to enforce
compliance with security policies and procedures and ensure accountability
for actions taken throughout the department. The more than 600 information
security officers in VA's three administrations and its many medical
facilities throughout the country were responsible for ensuring the
department's information security, although they reported only to their
facility's director or to the chief information officer of their
administration.
Given the large annual funding base and decentralized management
structure, we testified that it was crucial for the departmental CIO to
ensure that well-established and integrated processes for leading,
managing, and controlling investments are commonplace and followed
throughout the department. This is consistent with the finding in our CIO
review that implementation of IT management practices was a challenge;
over half of federal CIOs identified IT investment management
specifically.
Recognizing weaknesses in accountability for the department's IT resources
and the need to reorganize IT management and financing, the Secretary
announced a realignment of the department's IT operations in a memorandum
dated August 2002. According to the memorandum, the realignment would
centralize IT functions, programs, workforce personnel, and funding into
the office of the department-level CIO. In particular, several significant
changes were described:
0M The CIOs in each of the three administrations-VHA, VBA, and NCA-were to
be designated deputy CIOs and were to report directly to the
department-level CIO. Previously, these officials served as
component-level CIOs who reported only to their respective
administrations' under secretaries.
0M All administration-level cyber security functions were to be
consolidated under the department's cyber security office, and all monies
earmarked by VA for these functions were to be placed under the authority
of the cyber security officer. Information
security officers previously assigned to VHA's 21 veterans integrated
service networks31 would report directly to the cyber security officer,
thus extending the responsibilities of the cyber security office to the
field.
0M Beginning in fiscal year 2003, the department-level CIO would assume
executive authority over VA's IT funding.
In September 2002,32 we testified that in pursuing these reforms, the
Secretary demonstrated the significance of establishing an effective
management structure for building credibility in the way IT is used, and
took a significant step toward achieving a "One VA" vision. The
Secretary's initiative was also a bold and innovative step by the
department-one that has been undertaken by few other federal agencies. For
example, of 17 agencies contacted in 2002, 8 reported having
component-level CIOs, none of which reported to the department-level CIO.
Only one agency with component-level CIOs reported that its
department-level CIO had authority over all IT funding.
We also noted that the CIO's success in managing IT operations under the
realignment would hinge on effective collaboration with business
counterparts to guide IT solutions that meet mission needs, and we pointed
out the importance of the three key contributors to CIO success described
in our 2001 guidance (discussed earlier).33
Although we have not reviewed the current status of this proposed
realignment or VA's current organizational structure, it remains our view
that the proposed realignment held promise for building a more solid
foundation for investing in and improving the department's accountability
over IT resources. Specifically, under
31 The veterans integrated service network (VISN) is the basic budgetary
and planning unit of the veterans health care system. Funding and other
resources are distributed through the VISN. Each VISN covers a geographic
area that encompasses a population of veteran beneficiaries.
32 GAO, VA Information Technology: Management Making Important Progress in
Addressing Key Challenges, GAO-02-1054T (Washington, D.C.: Sept. 26,
200s).
33 GAO, Maximizing the Success of Chief Information Officers: Learning
from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).
the realignment the CIO would assume budget authority over all IT funding,
including authority to veto proposals submitted from subdepartment levels.
This could have a significant effect on VA's accountability for how
components are spending money.34
To sum up, the CIO plays a vital role in ensuring that VA's funds are well
spent and in managing information technology to serve our nation's
veterans. In our view, the realignment of VA's IT organization proposed in
2002 held promise for improving accountability and enabling the department
to accomplish its mission. The additional oversight afforded the CIO could
have a significant impact on the department's ability to more effectively
account for and manage its proposed $2.1 billion in planned IT spending.
Mr. Chairman, this concludes my statement. I would be pleased to respond
to any questions that you or other members of this Committee may have at
this time.
Contacts and Acknowledgements
For information about this testimony, please contact Linda D. Koontz,
Director, Information Management Issues, at (202) 512-6240 or at
[email protected]. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this statement.
Individuals making key contributions to this testimony include Barbara
Collier, Lester Diamond, Barbara Oliver, and Eric Trout.
34 GAO, VA Information Technology: Progress Continues Although
Vulnerabilities Remain, GAO/T-AIMD-00-321 (Washington, D.C.: Sept. 21,
2000).
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
GAO's Mission
Obtaining Copies of GAO Reports and Testimony
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Contact:
Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470
Gloria Jarmon, Managing Director, [email protected] (202)
512-4400Congressional U.S. Government Accountability Office, 441 G Street
NW, Room 7125 Relations Washington, D.C. 20548
Public Affairs Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
PRINTED ON RECYCLED PAPER
*** End of document. ***