Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities

GAO-18-93, Published: Aug 2, 2018. Publicly Released: Aug 2, 2018.


What GAO Found

None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified (see figure 1).

Figure 1: Extent to Which 24 Agencies’ Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area

Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area

Among other things, officials from most agencies stated that their CIOs are implementing the responsibilities even when not required in policy. Nevertheless, the 24 selected CIOs acknowledged in their responses to GAO’s survey that they were not always very effective in implementing the six information technology (IT) management areas (see figure 2). Until agencies fully address the role of CIOs in their policies, agencies will be limited in addressing longstanding IT management challenges.

Figure 2: Extent to Which Chief Information Officers Reported Effective Implementation of Six Responsibility Areas, Presented from Most Effective to Least Effective Area

Shortcomings in agencies’ policies are partially attributable to two weaknesses in the Office of Management and Budget’s (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program. Correspondingly, the majority of the agencies’ policies did not fully address nearly all of the responsibilities not included in OMB guidance. Second, OMB guidance does not ensure that CIOs have a significant role in (1) IT planning, programming, and budgeting decisions and (2) execution decisions and the management, governance, and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain, and secure their IT systems.

In GAO’s survey, the 24 agency CIOs identified a number of factors that enabled and challenged their ability to effectively manage IT. In particular, five factors were identified by at least half of the 24 CIOs as major enablers and three factors were identified by at least half of the CIOs as major challenges. (see figure 3). Further, GAO noted that agencies continue to lack consistent leadership in the CIO position.

Figure 3: Factors Commonly Identified as Enabling and Challenging Chief Information Officers (CIO) to Effectively Manage Information Technology (IT), Presented from Most Enabling to Least Enabling Factor

Why GAO Did This Study

Agencies plan to spend more than $96 billion on IT in fiscal year 2018; however, they continue to face longstanding challenges in doing so. Congress established the CIO position to serve as an agency focal point for IT to address these challenges.

Recognizing the importance of the CIO position to successful IT management, GAO was asked to conduct a government-wide review of CIO responsibilities. GAO’s objectives were to determine (1) the extent to which agencies have addressed the role of the CIO in accordance with federal laws and guidance, and (2) major factors that have enabled and challenged agency CIOs in fulfilling their responsibilities to carry out federal laws and guidance. To do so, GAO reviewed laws and OMB guidance to identify key IT management responsibilities of federal agency CIOs and then compared them to policies of the 24 Chief Financial Officers Act agencies. GAO also administered a survey to 24 CIOs and interviewed current CIOs, as well as OMB officials.

What GAO Recommends

GAO is making three recommendations to OMB and one recommendation to each of the 24 federal agencies to improve the effectiveness of CIOs’ implementation of their responsibilities for each of the six IT management areas. (See the next page for additional information on these recommendations).

GAO is making the following three recommendations to OMB:
1.  Issue guidance that addresses theresponsibilities that are notincluded in existing OMBguidance–in particular thoserelating to IT workforce.
2.  Update existing guidance toclearly explain how agencies areto address the role of CIOs tocomply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT.
3.  Define the authority that CIOs areto have when agencies report onCIO authority over IT spending.
GAO is also making a recommendation to each of the 24 federal agencies to address weaknesses related to the six key areas of CIO responsibility.
Fourteen agencies agreed with GAO’s recommendations, and five agencies had no comments on the recommendations.
In addition, five agencies (including OMB) partially agreed with GAO’s recommendations and one agency disagreed. In particular, five of these agencies did not agree with select assessments of select CIO responsibilities. GAO subsequently updated two assessments but believes the other assessments and related recommendations are warranted, as discussed in the report. The remaining agency–OMB–partially agreed with GAO’s recommendation to issue guidance for responsibilities that are not included in existing OMB guidance. GAO continues to believe that this recommendation is warranted, as discussed in the report.
Moreover, after GAO provided the draft report to OMB for comment, the President signed an executive order that, among other things, clarified the role that CIOs are to have in the management, governance, and oversight processes related to IT. The executive order is responsive to GAO’s related recommendation. GAO will continue to monitor agencies’ implementation of the executive order.

Article via GAO.gov/Picture via Wikipedia

Posted by Zak Kennedy