Time for Congress to rationalize the c-suite

Fragmented authority for agency modernization is a growing problem. For many of us government reformers, a perfect world would have a modern government that is effective, efficient, transparent and responsive. But decades of legislative efforts to focus high-level attention on technology modernization going back to the CFO Act of 1990 through FITARA and the MGT Act in the past decade, have created a host of new c-suite roles including CIOs, CFOs, CTOs, CDOs, CISOs as well as privacy and acquisition chiefs that are often at odds on use of  IT funding, personnel and authority.

Despite, or maybe because of the proliferation of c-suite roles, the problem of critical mission systems using decades-old, out-of-support technology remains. The Government Accountability Office highlighted this issue in a 2019 report, finding that key government functions may fail because old systems: ”use outdated languages, have unsupported hardware and software, and are operating with known security vulnerabilities.” 

Sen. Maggie Hassan (D-N.H.), a member of the Homeland Security and Government Affairs Committee, has been conducting oversight of agency reliance on legacy systems for the past several years and come up with legislation – the Legacy IT Reduction Act of 2023 – designed to get agency heads to focus on replacing legacy systems.

The legislation reiterates decades-old requirements that CIOs need to have comprehensive systems inventories and agency heads need to ensure that modernization of legacy systems is part of each agency’s strategic information resources management plan. But the details of Hassan's bill points to the fragmentation problem. The Evidence-Based Policymaking Act of 2018 moved responsibility for agency IRM plans from CIOs to chief data officers. The Evidence Act only added to existing departmental infighting on responsibilities over mission-related systems. 

The IRM Plan is the heart of Hassan's legislation. As the CIO role has shifted towards IT and away from improved use of information, a case can be made for CDOs leading efforts to replace legacy systems, at least for data intensive transactional and analytic systems. Where a CIO or CTO would focus on the infrastructure of the processing environment and use in automating workflows, the CDO would likely focus on optimizing how systems collect, process and make data available for decision making. In addition, CDOs are better positioned to understand the binding constraints on modernizing a legacy system related to migrating legacy data and structures to a modern environment. 

However, the Office of Management and Budget has not updated the A-130 circular to reflect the shift in authority from CIO to CDO for the IRM plan, causing confusion and sometimes fights over investment decisions needed to implement the Evidence Act. The most recent CDO Council survey found that few CDOs have authority over information resources management, and that has fallen to well under 30% of cabinet agencies during the Biden administration. At the heart of the issue is that authorities originally tied to CIOs were never embraced by agency heads, which led to Congress creating new positions and roles. But, few agencies have implemented these roles with appropriate powers, resources, and organization positioning such as a CDO would require to create and manage an IRM plan that makes significant changes. 

Back in the day when legacy systems were built, it was much easier to get funding, and every time a program was created, so too was a system. As the number of CXOs grew, many could say “no” but no single person now has the end-to-end authority to create, fund and build a new system. Major new system projects, such as the Electronic Health Record Modernization program at the Department of Veterans Affairs, continue to demonstrate how hard it is replacing a legacy system. So, adding modules, web interfaces and customizations to a legacy system is now the dominant form of modernization. Like a classic car from the 1960s, you can put on new tires and other parts to keep it going, but it’s never going to have the efficiency or security of today’s cars. 

As Hassan's bill moves through Congress, it will be important to watch constituencies who benefit from the expense and complexity of the legacy systems. That’s not trivial given about $80B is spent annually keeping the systems alive. Additional funding will need to be approved, since the legacy systems must be kept alive while new systems are built and migration to new systems completed. Modernizing systems should save money, but cost savings will not come without upfront investment. Indeed, the reason a bill like the Legacy IT Reduction Act is moving forward is that agencies have not used their own or other sources of funding (e.g. the Technology Modernization Fund) to make substantial progress replacing legacy systems. 

Clearly, modernization is as much about agency operations as technology. But, Congress has fragmented authorities to such a degree that modernization of agency processes is most difficult when it involves mission critical legacy systems. Moving forward, Congress needs to clarify how the list of CXOs should work together. Beyond Hassan's bill, Congress should consider rationalizing CXOs and associated responsibilities rather than adding new CXOs to address the government's use of technology.