Agency Policies Fall Short in CIO Authorities

The GAO recently released a report with a rigorous review of CIO responsibilities to determine the extent agencies have addressed the role compared to existing laws and guidance and the key factors that have enabled and restricted CIOs in doing their jobs. Of the 24 CFO Act agencies, none fully defined their CIO’s responsibilities in IT management, hindering CIOs to establish their role effectively.

The report begins by identifying 35 CIO responsibilities laid out in various federal laws and guidance to manage IT. Legislation ranges from the 1980 Paperwork Reduction Act and 1996 Clinger-Cohen Act to recent FISMA enactments and the 2014 FITARA law. Moreover, OMB has designated two offices, the Office of Information and Regulatory Affairs (OIRA) and the Office of EGovernment and Information Technology to provide guidance to agencies and their CIOs in managing IT. Recently, the administration issued an executive order in May 2018, Enhancing the Effectiveness of Agency Chief Information Officers, to place emphasis on the CIO role in modernizing IT systems, better managing IT investments and reducing cyber vulnerabilities. The 35 responsibilities can be summed up under six main categories:

• Information technology leadership and accountability
• IT strategic planning
• IT workforce
• IT budgeting
• IT investment management
• Information Security

While the GAO did find that none of the 24 CFO Act agencies completely addressed all responsibilities, a majority of agencies fully covered the role of their CIOs in the leadership and accountability category. Additionally, IT budgeting and information security were also covered by most agencies’ policies. Information management and strategic planning, however, were only partially addressed and IT workforce was minimally addressed or completely unaddressed by many of the agencies.

Nevertheless, the GAO found that of the 35 responsibilities evaluated, OMB guidance does not address 12 of them. Of those 12, agency policies did not fully address 10 of them, correlating the importance of OMB guidance on CIO role implementations.

In the second half of the report, the watchdog agency asked CIOs what factors most enabled them to do their jobs and which hindered them the most. The CIOs identified 25 factors ranging from NIST guidance to organizational culture at the agency. Of all the factors, five were ranked by at least half as being a major enabler to managing IT and three were commonly selected by CIOs as being challenges:

With regards to the top challenges in recruiting and retaining IT personnel, CIOs explained the difficulty in competing with private sector recruitment due to government’s long hiring process and inability to offer higher salaries. Another contributing factor to this challenge is the median tenure for permanent and acting agency CIOs, averaging 20-32 months, hindering any type of influence within the organization. When it comes to financial resources, reasons for this challenge ranged from having underfunded budgets to modernize IT systems or the operational funds to manage new projects to not even having the visibility or control over their agencies’ IT spending! Finally, the availability of personnel and staff resources is a challenge for many CIOs for many of the same reasons as the financial resources challenge.

Again, the GAO found that OMB lacked in complete guidance connected with many of these grievances, particularly in outlining all CIO responsibilities related to IT personnel and only recently requiring agencies to provide data on CIO authority in IT spending.

In its conclusion, the GAO states, “until OMB improves its guidance to clearly address all CIO responsibilities and agencies fully address the role of CIOs in their policies, CIOs will be limited in effectively managing IT and addressing long-standing IT management challenges.” As a result of its findings, the GAO made three recommendations to OMB which include issuing guidance on the 12 CIO responsibilities lacking definition as well as updating existing guidance to clearly define a CIO’s role in budget decisions, and management and oversight processes of IT.