Pivotal policies: 25 years of policy reforms

Looking at some of the key information management-related federal policies of the past two decades is a good way to understand the government’s maturing use of technology and evolving priorities in response to a constantly changing technology market — and world.

In the stories that follow, we see the government struggle to overcome its structural shortcomings to become a more effective technology buyer and user that, as a result, is better able to meet the needs of the American people.

The stories on the Clinger-Cohen Act and George W. Bush’s President’s Management Agenda trace the arc of government’s efforts to rein in its previously less disciplined technology investment practices and replace them with a more coherent, coordinated and accountable approach. Years of spending to automate individual agency operations and business practices yielded many operational benefits but also resulted in vast redundancies across government and a legacy of incompatible systems that were costly to maintain.

Several of those deficiencies were painfully exposed by the 2001 terrorist attacks. Our story about the creation of the Homeland Security Department recounts how some agencies’ inability to collaborate or share threat information limited their effectiveness in protecting the country. It also reminds us of the central role that data sharing and IT continue to play in the ongoing story of DHS’ development, the biggest reorganization of government in more than 50 years.

And our story on the Federal Information Security Management Act illustrates the government's efforts to address the growing risks it faces as it moves more and more of its operations online. Though imperfect, FISMA was the start of official recognition of those risks and the need for a coordinated approach to mitigate them.

None of those policies can be credited with totally fixing the problems they strived to solve, but they are noteworthy milestones in this ongoing journey.

NEXT: The President's Management Agenda

Government as business: George W. Bush's management agenda

George W. Bush took office in 2001 as the first president with an MBA degree, so few people were surprised that the ambitious President’s Management Agenda he announced later that year was aimed at making government operate more like a business.

Bush sought to make the federal government more efficient, results-oriented and accountable with a series of goals that included e-government (divided into 25 initiatives), a new Program Assessment Rating Tool, and plans to improve human resources and financial management.

The agenda built on a series of reforms begun in the 1990s, but there were new areas of emphasis — for example, competitive sourcing, a controversial approach to reducing costs by having federal employees and the private sector compete to perform government activities, and the development of new online services for the public, such as the IRS’ e-filing system for tax returns.

“I think we did really well,” said Karen Evans, former administrator of e-government and IT at the Office of Management and Budget and now a partner at KE&T Partners. “We laid the foundation for a lot of things that the current administration has been able to do. Could we have done better? Absolutely. You’re never done.”

A Government Accountability Office assessment in 2008 identified partial progress on the agenda, saying 33 of the 91 objectives it reviewed had been fully or substantially achieved. In addition, Donald Moynihan, associate director of the La Follette School of Public Affairs at the University of Wisconsin-Madison, concluded that performance-based assessments did not increase federal employees’ strategic use of performance data, based on his review of a series of GAO surveys.

Nevertheless, Evans and other experts said the agenda will have a long-lasting impact. In particular, she cited the enhanced role of departmental CIOs.

“I think the greatest success was in looking at the evolution of the role of CIOs and how the CIOs looked at the enterprise,” Evans said. “That was a huge evolutionary change.” She added that it was a difficult transition in some ways because Congress funds programs rather than departments.

Bob Woods, president of Topside Consulting Group and a former senior executive at the General Services Administration, said Bush’s agenda successfully integrated IT into core missions.

It “forced the leaders of agencies to pay attention to IT,” Woods said. “They could no longer say, ‘That’s IT stuff.’ That was now considered naïve.”

NEXT: The Clinger-Cohen Act

Clinger-Cohen: The birth of the agency CIO

Back in the 1990s, years of frustration over the Tax Systems Modernization effort at the Internal Revenue Service and the poor state of systems at the Federal Aviation Administration, despite an investment of billions of dollars, finally pushed lawmakers to address what many viewed to be a broken federal procurement system.

In the case of air traffic control, Congress’ aptly named “Computer Chaos” report of 1994 found card readers being used to update software and engineers sourcing vacuum tubes from garage sales and Eastern Europe. The convergence of the report’s release, the end of Rep. Jack Brooks’ (D-Texas) dominance over procurement policy on Capitol Hill and the rise of key supporters of procurement reform in the Clinton administration created the willingness to enact sweeping changes.

In the end, the IT Management Reform Act co-authored by Sen. William Cohen (R-Maine) and Rep. William Clinger (R-Pa.) was signed into law as part of the National Defense Authorization Act. That act was later combined with the Federal Acquisition Reform Act and renamed the Clinger-Cohen Act.

Its passage created the authorities and procedures that still shape agency IT investment and management operations today.

The act aimed to update and define how the federal government buys, plans and disposes of IT by replacing the all-too-common decentralized IT spending with a more rigorous capital planning process that required detailed business justification for all new system investments.

Overseeing those new activities and having accountability for them would be the job of the new CIO position that every agency was required to create.

Cost savings were a major motivator behind the act, but more important, Clinger-Cohen ended the practice of buying technology for technology’s sake, said Mark Forman, who served as administrator of e-government and IT at the Office of Management and Budget and is co-founder of Government Transaction Services.

Many agencies were buying IT in the hope that it would magically improve poorly performing business processes. Agencies believed “there would be a cosmic event at deployment and the chronic management issues would go away without managers having to do the tough work,” Forman said.

Now, 16 years later, calls are increasing for an update of Clinger-Cohen that would address changes in the IT market and some shortcomings that were present from the beginning.

“The whole governance structure of Clinger-Cohen was built around IT as a capital investment, not IT as a service,” Forman said. “It worked, and it was good for that generation. But now we’re in a whole new generation of technology, and we need some changes in it.”

Furthermore, the act failed to fully empower CIOs from the start, said Ben Coit, chairman of the Acquisition Management Shared Interest Group at the American Council for Technology/Industry Advisory Council and a senior manager at Sapient. “Many CIOs have been given this authority under the Clinger-Cohen Act, and yet they don’t have full-on control over budget,” he said.

Incomplete CIO authority has been a problem, agreed Paul Brubaker, who was involved in drafting the legislation as Republican staff director of a subcommittee led by Cohen. Brubaker is now president of Silver Lining.

“The [chief financial officers] have always resented the intrusion into what they see as their turf,” Brubaker said. “Right after Clinger-Cohen, there was a huge power play by the CFOs to assume the CIO role, too. It didn't happen, and several have been downright hostile to the CIOs. It's a turf battle that has now become a part of the bureaucratic tradition of a number of federal agencies.”

NEXT: Department of Homeland Security forms

DHS: How terrorist attacks launched the largest government reorganization in 50 years

If the terrorist attacks of Sept. 11, 2001, showed anything, it was the almost complete lack of communication between the entities that were meant to protect America. The shock of that realization was one of the main reasons for the formation of the Homeland Security Department.

“Information sharing [before DHS] was completely fragmented,” said Charles Allen, a principal at the Chertoff Group and a former undersecretary for intelligence and analysis at DHS. “It was not at all structured or organized.”

President George W. Bush signed the Homeland Security Act, which created DHS, on Nov. 25, 2002. It would be the biggest reorganization of government in more than 50 years, since the formation of the Defense Department in the late 1940s, and it initially included 22 agencies.

Subsequent legislation, in particular the Intelligence Reform and Terrorism Prevention Act of 2004, would outline more specific roles and responsibilities for improving information sharing and mandate the creation of an information-sharing environment for passing information among federal, state, local, tribal and private-sector organizations.

That law made it clear that DHS should have a strong information sharing responsibility, Allen said. It established a program manager for the information-sharing environment, which in turn helped focus much of the decision-making. “That allowed us, for example, to set the standard for putting out information that was sensitive but unclassified information to law enforcement, and that also allowed us to get classified information to people as they needed it,” he said.

There were certainly challenges for the new department, said Ira Sachs, senior technical director of DRC’s High Performance Technologies Group. For instance, each of the 22 agencies had their own technology and processes for capturing and transmitting information.

Since its formation, however, DHS has developed an information-sharing architecture and has published a strategy for long-term improvements in technology and integration of information systems.

The creation in 2007 of DHS’ Information Sharing Coordinating Council, a working group composed of action officers from all the department’s components, was a particularly notable milestone. “That and the information sharing architecture have been major influences on the success DHS has had to date,” Sachs said.

Rick Nelson, director of the Homeland Security and Counterterrorism Program at the Center for Strategic and International Studies, agreed that DHS has made remarkable progress but said there are still areas for improvement.

Specifically, he said, DHS must develop a cadre of officials who understand the department’s mission and procurement needs. And although it has made progress on sharing information among national data fusion centers and establishing trust in data sharing with private industry, more needs to be done.

“My view is that DHS is still a very young department and will probably take another decade to get to where it needs to be,” Allen said. “But compared to where we were in 2003, I think we have remarkably robust information sharing.”

NEXT: Federal Information Security Management Act

Tightening Cybersecurity: FISMA sought to sharpen security in an new world of threats

When the Federal Information Security Management Act was signed into law as part of the E-Government Act of 2002, it signaled the adoption of a comprehensive framework to protect government information and systems.

At the time, the government’s still relatively new embrace of the Internet and distributed computing had exposed it to unprecedented and growing levels of cyber threats. FISMA took the Government Information Security Reform Act of 2000 a step further by codifying a governmentwide plan that for the first time made agencies and their leaders responsible for demonstrating compliance with minimum security requirements and procedures.

Among its successes, FISMA provided sorely needed best practices for agencies to use in developing their security programs and created clear metrics for assessing their effectiveness, said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation whose previous work at the Government Accountability Office involved auditing IT security and management controls at government agencies.

FISMA has also promoted better collaboration across sectors, said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. For example, the Joint Task Force Transformation Initiative, which creates some of NIST’s guidance on information security, is a partnership with the Defense Department and the intelligence community and reflects another fulfillment of FISMA.

But 10 years after the act’s passage, there is growing support for what some say is a long-overdue update to the legislation.

“In theory, [FISMA] is a road map for developing a strong cybersecurity program at each agency,” Castro said. “In practice, agencies often focus on achieving compliance rather than effectiveness. FISMA unfortunately encourages a ‘teach to the test’ mentality, which at best promotes inefficiency and at worst results in poor security.”

Alan Paller, director of research at the SANS Institute, said FISMA’s predecessor, the Government Information Security Reform Act, had a positive impact because it forced agencies to create security programs and policies. But as soon as FISMA was passed, “it was all downhill,” he said.

“The bottom line on FISMA is that it led to waste of over $3 billion and an ineffective federal cybersecurity program,” Paller said.

During a March 2010 House hearing, then-Federal CIO Vivek Kundra was one of the experts who shared his concerns about the act, saying that it led agencies to focus on compliance and “we will never get to security through compliance alone.”

Ross is well aware of those concerns. Accordingly, in February 2012, NIST released a draft revision of Special Publication 800-53, which offers guidance to help agencies combat insider threats, better protect industrial control systems and reduce exposure to so-called advanced persistent threats. Agencies are also developing the capability to continuously monitor security controls to facilitate quicker responses to new threats.

“We’ve made tremendous progress,” Ross said. “Sometimes it looks like we’re not making progress and gaining ground, but you have to keep in mind that the technology and the threat space have evolved very rapidly, and we’re always keeping up with those two areas.”