The CIO 14 years later: Power vs. paperwork
14 years after the job was established, chief information officers still struggle for real control
Two years ago, shortly after Commerce Department officials confessed to Congress that a $595 million project for using handheld computers in the 2010 census would not be ready because of significant schedule, performance and cost issues, one observer opined in a trade journal: Where was the Census Bureau chief information officer while this train was derailing?
The answer: He was busy tending to the bureau's networks, servers and office computers, much as he was asked to do. In fact, the bureau's CIO's job description and assignments did not include being on the handheld management team, even though it was one of the agency's most significant information technology projects ever.
Census leaders are now working to correct that disconnect. The bureau’s new associate director for IT and CIO is Brian McGrath, and he said things have changed. His spot on the 2020 Decennial Leadership Group, plus a plan to centralize more IT efforts, will give him much more say as Census leaders envision and develop the technology systems used for future population counts and other bureau activities.
In this report
So you want to be a CIO?
The CIOs' growing workload
“We’re being given the opportunity to be involved in programs and projects in the formative stage,” McGrath said.
This is the way it was supposed to be. The IT Management Reform Act of 1996, later renamed the Clinger-Cohen Act for its chief sponsors, former Rep. William Clinger (R-Pa.) and former Sen. William Cohen (R-Maine), created the CIO position in government agencies and intended for those who hold the jobs to have pivotal positions and influence over how agencies buy and use IT.
Fourteen years later, many say the government CIO role is still very much a work in progress, and the original intentions of Clinger-Cohen, while moving toward that target, are not nearly fulfilled.
But if ever there were a need for a strong, plugged-in CIO, it is now. The speed of new technology washing over government has accelerated drastically since 1996, all begging for a CIO’s studied attention and singular focus.
IT is seeping into every corner of government, including powering an agency’s telephones and building-security systems, serving the public and supporting agency operations, and increasingly enabling — at the very bones of democracy — greater interaction between government and the governed. IT is also at the nexus of many hot-button issues, from government transparency to environmental sustainability.
“The work on our plate has grown,” said Casey Coleman, the General Services Administration's CIO.
Unfortunately, big-ticket IT programs still run amok far too often, punctuated by slip-ups with consequences that dwarf their simple circumstances and reveal the high costs of mismanagement. For instance, in 2006, a Veterans Affairs Department employee lost a laptop computer loaded with millions of veterans’ unsecured personal records. VA had to pay $20 million last year to settle the class-action lawsuit that followed.
In response to that incident and threats from Congress to do something before it does, VA leaders launched a plan to drastically recast the department’s IT organization. Atop the newly centralized IT office now sits a CIO with complete authority over the department’s entire $3.3 billion IT appropriation, power that he hasn’t been shy to use.
“That is so many orders of magnitude of change from the standard department CIO role that it’s really difficult to express,” said Roger Baker, VA’s assistant secretary for information and technology and CIO. Baker also was the Commerce Department's CIO from 1998 to 2001.
However, VA doesn’t have a lot of company around government in this highly empowered-CIO approach. So why is it taking so long for federal CIOs to do the job they were supposed to do? Why aren’t more agencies leaning on their CIOs to choose technologies wisely and manage IT projects effectively?
Present and past government CIOs say there are several reasons. For one, before the new-desk smell could even wear off in their freshly decorated offices, CIOs became burdened with a growing set of compliance paperwork and reports. The obligations are well intended, such as bolstering cybersecurity and rooting out waste and mismanagement from IT programs. But they have required CIOs and their staffs to perform a constant juggling act.
CIO authority has also been checked time and again by calcified and often decentralized agency cultures that resist ceding power. Many CIOs lack the access to or credibility with agency officials necessary to play a more influential role. Finally, it has simply taken a lot of time for agencies to stand up and mature the capital planning and project management techniques that are critical tools of CIO power and effectiveness.
Progress is being made on all those fronts, but it’s taking much longer than expected.
Welcome to the Government
The seeds of the CIO position were planted in the early 1990s as businesses realized that they could use IT to do more than just speed existing paper-based routines or wring inefficiency from traditional operations. They could fundamentally change — or re-engineer, as the buzzword of the day went — their work processes and organizational structures using IT as a catalyst and enabler.
This increasingly important role for IT, measured both by its growing presence and the big money spent on it, meant that an organization’s top technology managers needed to complement their expertise with a better, more in-depth understanding of the business side of the house.
In the public sector, proponents for creating the CIO position in government were motivated as much by the desire to seize new opportunities as they were to improve the government’s famously inconsistent track record on managing large-scale, expensive IT projects.
The government CIOs envisioned by the Clinger-Cohen Act would serve as strategic advisers to agency leaders and apply the IT investment controls and planning and project management tools that the private sector was successfully using.
However, many of those in the initial crop of CIOs that agencies selected to meet the new law were expeditious choices, competent government careerists but not instant power brokers or partners with top agency executives.
“A lot of the departments and agencies just took the director in charge of automatic data processing operations and gave them the title of chief information officer to be in compliance with the new directives,” said Karen Evans, administrator for electronic government and IT at the Office of Management and Budget from 2003 to 2009.
The CIO office quickly became the focal point for a growing workload of regulations and compliance exercises that arose whenever IT or information management issues were involved. Some, as part of Clinger-Cohen, were there from the start, such as strengthening the capital planning and investment controls for IT spending and using enterprise architecture modeling.
CIOs are supposed to use enterprise architecture to inventory all existing IT assets and processes and how they support agency operations. That insight and understanding should allow them to identify and eliminate redundancies and other inefficiencies. It should also help them better plan for and guide new technology investments that more closely align with evolving operational needs and priorities. Agencies must annually submit their enterprise architectures to OMB for review.
Many other compliance responsibilities soon landed on the CIO’s plate. Among them, OMB started requiring agencies in 2001 to submit business cases for proposed IT systems and document that they were following proper project management practices. A year later, the Federal Information Security Management Act required agencies to file quarterly and annual reports showing that they have certified and accredited IT systems, regularly inventory those systems and their security configurations, and trained staff on security issues.
The piling up of reporting requirements began dictating the focus of CIO attention. “Ten years ago, we were a compliance organization,” said Robert Carey, who became the Navy Department's CIO three years ago. But that orientation is not the best fit for today’s environment, in which industry introduces new technologies at a dizzying pace and government risks getting left behind.
“Now we have to be far more agile in our ability to render decisions and policies and guidance so that we can stay current with how the world is evolving,” Carey said.
Agility is his goal, but Carey still owns all the accountability that has accumulated with the CIO. In addition to his CIO hat, which includes managing about 12,000 people in the Navy IT workforce, he also serves as the Navy’s critical infrastructure assurance officer; its senior military component official for privacy, or chief privacy officer; and its senior information assurance officer, a cybersecurity position.
It’s a lot of responsibility but not unmanageable. “Being a CIO is a full contact sport,” Carey said.
The compliance duties can reveal another fact of life for many government CIOs: the disconnect between responsibility and authority when CIOs don’t control IT budgets.
Jim Flyzik, who was Treasury Department CIO until 2002 and is now a consultant, remembers his frustration when the FISMA reports he submitted for the department indicated security deficiencies.
“I know the problem, I know how to fix it, I’m responsible to fix it, yet I don’t have the authority to allocate the dollars to the program,” Flyzik recalled. “It’s a tough situation to be in.”
Far too many government CIOs still live with this Catch-22 today, he said.
Authority means more than deciding where to spend money on new programs and technologies. It also means being able to pull the plug on systems and projects that aren’t delivering what’s needed.
Older IT systems and applications often take a disproportionate share of agency IT spending. Coleman said GSA directs more than 80 percent of its IT spending to the operation and maintenance of existing systems, leaving only the remainder to invest in new technologies. She wants to increase spending on new technology to 40 percent.
But shuttering or downsizing government operations can be easier said than done, especially for a CIO who doesn’t have strong say over the IT budget. VA's Baker said that while he was at Commerce, he was more of a recommender. Shutting down programs there involved extensive deliberation and negotiation with many stakeholders.
At VA and armed with ultimate IT budget authority, Baker last year halted 45 IT projects deemed to be underperforming, eventually canceling 12 of them. “I sent out an e-mail, ‘This is what we’re going to do, so we need to make it happen,’” he said.
The other key to his empowerment is his direct relationship with VA Secretary Eric Shinseki. “I see the secretary every morning at 8 a.m.,” Baker said, though pointing out that he works more frequently with the deputy secretary, chief of staff and other assistant secretaries.
Clinger-Cohen called for this kind of relationship, and although agencies have codified it on paper, reality can be another story. “Just because an organizational chart shows a box and line that you’re supposed to be at the table with the secretary doesn’t necessarily mean that people value what you have to say,” Evans said.
CIOs are divided about whether politically appointed CIOs have more clout than career ones. Some argue that political appointees will have an inside track and receive more support from the department and agency leaders, which is invaluable when making difficult changes. Others say that careerists are equally capable of receiving such access and support.
The CIO’s credibility and influence is based as much on his or her skills and ability as whether or not the agency leadership views IT as a strategic tool and investment, Flyzik and others said.
Another factor that affects CIO authority is the degree to which the department or agency is centralized or decentralized. Baker said the decentralized nature of the Commerce Department when he was there allowed Census leaders to exclude the bureau’s CIO from the ill-fated handheld program.
“The internal politics at Census was determined to keep the CIO out of the decennial [census], and even with the [Commerce] CIO putting all of his weight behind getting that program to be part of what reported to the Census CIO, it didn’t happen,” Baker said.
Where It Stands Now
Government CIOs who want to move quickly to take advantage of the latest, greatest new technologies, from social media to mobile wireless and cloud computing, couldn’t have wished for a better supporter in the White House than Vivek Kundra, the federal CIO and Evans' successor as administrator for electronic government and IT at OMB.
Kundra’s accomplishments as chief technology officer for the District of Columbia included the adoption of many of these new technologies. He has continued to push along the same path since joining the federal government, with the agenda expanded to include technologies that can facilitate President Barack Obama’s desires for greater government transparency and accountability.
Navy CIO Carey said he believes that Kundra wants to make the department and major agency CIOs the responsible, accountable and empowered officials that Clinger-Cohen envisioned. OMB officials did not reply to interview requests for this story.
In terms of concrete steps that might let CIOs be more chief innovation than chief compliance officers, OMB revised the capital planning process in June 2009 to lower the reporting burden on agencies, reducing the number of data elements requested from agencies from 58 to 24.
“Rather than annually collecting a massive array of information that might not be used, we shifted to the monthly collection of focused information that informs better decision-making,” Kundra told the Senate Budget Committee Task Force on Government Performance in December.
Meanwhile, GSA CIO Coleman said other compliance requirements, such as FISMA, are becoming less burdensome as agencies become better at collecting the required security information.
Progress in other areas is still a matter of time and continuing effort. For example, Census CIO McGrath is working to institutionalize the use of earned value management for all of the bureau's IT projects. EVM helps managers keep projects on track by providing early warning signs of possible schedule delays and cost overruns.
OMB has required agencies to use EVM for large IT projects since 2005, but for some agencies, it remains yet another half-hearted compliance exercise. A Government Accountability Office review in October found that 13 of 16 major IT projects at eight agencies failed to follow key practices necessary for sound EVM execution, though all the agencies had EVM policies in place.
Ditto for enterprise architecture, which most agencies comply with on paper, but in practice, they have had mixed results. GAO continues to churn out reports that detail the failure of many departments and agencies to complete the most basic of enterprise architecture implementation steps, let alone to achieve a more mature use of enterprise architecture to routinely guide strategic IT investments, achieve standardization and eliminate redundancy.
For example, as of June 2009, the Food and Drug Administration was still building out some basic elements of its enterprise architecture models and lacked sufficient depth in the elements it already had, according to a GAO report. Attempting to define and build major IT systems without first completing an enterprise architecture and more detailed segment architectures for specific systems is risky, GAO said. FDA has more than a dozen IT modernization projects under way.
There will surely be other new requirements pushed onto the CIO’s desk in the future and, as before, not all will be accompanied by funding. They will just become another ball in the air for the juggling act that CIOs have always been asked to perform.
Many CIOs believe the answer to meeting these challenges and delivering innovative and cost-effective IT solutions for government is to continue pushing on the path of standardization and centralization.
“There’s a huge demand on the CIO to rein in and create some more centralized solutions to optimize the spend,” Carey said. “We can’t afford to have 20 different ways to do something.”
Baker said his goal at VA is to lead by example and show the rest of the government that consolidating appropriation and decision-making authority with the CIO is the answer to the problems of decentralized IT.
It remains to be seen if VA’s CIO strongman model becomes the way of the future across government or if it was just the answer to one department’s particular shortcomings.