oversight

Chief Information Officers: Ensuring Strong Leadership and an Effective Council

Published by the Government Accountability Office on 1997-10-27.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Government Management,
                          Information and Technology, Committee on Government
                          Reform and Oversight, House of Representatives


For Release on Delivery
Expected at
10 a.m.
                          CHIEF INFORMATION
Monday,
October 27, 1997          OFFICERS

                          Ensuring Strong Leadership
                          and an Effective Council
                          Statement of Gene L. Dodaro
                          Assistant Comptroller General
                          Accounting and Information Management Division




GAO/T-AIMD-98-22
Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the importance of having strong
Chief Information Officers (CIOs) at major federal agencies1 and ensuring
an effective CIO Council to help bring about much-needed reforms in the
government’s management of information technology (IT). During the last
decade, much attention has been focused on serious problems with federal
information technology projects. The picture that unfolded year after year
was bleak: multimillion dollar and, in some cases, billion dollar system
development efforts routinely came in over cost, behind schedule, and
lacking in promised capabilities. In addition to wasting resources, these
disappointing efforts seriously weakened agencies’ abilities to meet
mission goals and improve operational efficiency.2

To help reverse this trend, GAO embarked on a concerted effort to learn
how leading private and public sector organizations controlled system
development projects and successfully applied technology to improve
their performance. Our resulting study identified a specific set of strategic
practices that these organizations use to improve performance through
information management.3 Based upon our work and that of others, the
Congress, in conjunction with the Administration, crafted two recent
landmark reforms in federal information management: the Paperwork
Reduction Act (PRA) of 1995 and the Clinger-Cohen Act of 1996. These
reforms encompass many important elements identified in our best
practices work, such as establishing more disciplined information
technology investment control processes, developing an overall
information architecture, and defining measures to show how information
technology is contributing to improved program performance.

Central to implementing these reforms is the need to establish effective
leadership at each agency. Under the law, agency heads are directly
responsible for effective information management, but CIOs play a critical
leadership role in driving reforms to help control system development
risks, better manage technology spending, and succeed in achieving real,

1
 In this testimony, we use the term “agencies” to refer to both cabinet-level departments and major
agencies.
2
 For background on these problems see 1995 High-Risk Series: An Overview (GAO/HR-95-1,
February 1995); 1997 High-Risk Series: An Overview (GAO/HR-97-1, February 1997); Paperwork
Reduction Act: Opportunity to Strengthen Government’s Management of Information and Technology
(GAO/T-AIMD/GGD-94-126, May 19, 1994); and Government Reform: Legislation Would Strengthen
Federal Management of Information and Technology (GAO/T-AIMD-95-205, July 25, 1995).
3
 Executive Guide: Improving Mission Performance Through Strategic Information Management and
Technology (GAO/AIMD-94-115, May 1994).



Page 1                                                                           GAO/T-AIMD-98-22
                         measurable improvements in agency performance. Furthermore, the
                         agency CIOs, working collectively as a Council, have a critical leadership
                         role to play in addressing governmentwide technology issues and advising
                         the Office of Management and Budget (OMB) on policies and standards
                         needed to successfully implement legislative reforms.

                         The challenge facing the federal government today is to provide the type
                         of leadership needed to implement information technology reforms as
                         rapidly as possible. Although we are beginning to see some progress,
                         agencies still have a long way to go to translate legislative mandates into
                         day-to-day management reality. The following sections offer our
                         observations on the status of efforts to promote effective CIO leadership
                         and the challenges and opportunities faced by the CIO Council. Our views
                         are based not only on our work in the technology area, but also on our
                         experiences in evaluating the implementation of other major management
                         reforms, such as the Chief Financial Officers (CFO) Act of 1990 and the
                         Government Performance and Results Act (Results Act) of 1993.


                         Senior executives in the successful organizations we studied were
Ensuring That CIOs       personally committed to improving the management of technology. The
Fulfill a Critical       PRA and the Clinger-Cohen Act make federal agency heads directly

Leadership Role          responsible for establishing goals and measuring progress in improving the
                         use of information technology to enhance the productivity and efficiency
                         of their agency’s operations. To help them with their major information
                         management responsibilities, the reform legislation directs the heads of
                         the major agencies to appoint CIOs.4 The legislation assigns a wide range of
                         duties and responsibilities to CIOs, foremost of which are

                     •   working with the agency head and senior program managers to implement
                         effective information management to achieve the agency’s strategic goals;
                     •   helping to establish a sound investment review process to select, control,
                         and evaluate spending for information technology;
                     •   promoting improvements to the work processes used by the agency to
                         carry out its programs;




                         4
                          Under the Clinger-Cohen Act, CIO positions were designated at the same 24 agencies where the CFO
                         Act (as amended) established chief financial officer positions. In addition, CIOs were created at the
                         Army, Navy, and Air Force. Together, these 27 agencies account for nearly all fiscal year 1997
                         executive branch outlays of about $1.6 trillion.



                         Page 2                                                                           GAO/T-AIMD-98-22
•   increasing the value of the agency’s information resources by
    implementing an integrated agencywide technology architecture;5 and
•   strengthening the agency’s knowledge, skills, and capabilities to effectively
    manage information resources, deal with emerging technology issues, and
    develop needed systems.

    While there are various approaches on how best to use the CIO position to
    accomplish these duties, the legislative requirements, OMB guidance,6 and
    our best practices experience with leading organizations define common
    tenets for the CIO position. An agency should place its CIO at a senior
    management level, working as a partner with other senior officials in
    decision-making on information management issues. Specifically, agencies
    should

•   appoint a CIO with expertise and practical experience in technology
    management;
•   position the CIO as a senior partner reporting directly to the agency head;
•   ensure that the CIO’s primary responsibilities are for information
    management;
•   have the CIO serve as a bridge between top management, line management,
    and information management support professionals, working with them to
    ensure the effective acquisition and management of the information
    resources needed to support agency programs and missions;
•   task the CIO with developing strategies and specific plans for the hiring,
    training, and professional development of staff in order to build the
    agency’s capability to develop and manage its information resources; and
•   support the CIO position with an effective CIO organization and
    management framework for implementing agencywide information
    technology initiatives.

    Having effective CIOs will make a real difference in building the
    institutional capacity and structure needed to implement the management
    practices embodied in the broad set of reforms set out in the PRA and the
    Clinger-Cohen Act. The CIO must combine a number of strengths, including

    5
     A systems architecture is a blueprint, having both a technical and a logical component, to guide and
    constrain the development and evolution of a collection of related systems. At the logical level, the
    architecture provides a high-level description of the organizational mission being accomplished, the
    business functions being performed and the relationships among the functions, the information needed
    to perform the functions, and the flow of information among functions. At the technical level, the
    architecture provides the rules and standards needed to ensure that the interrelated systems are built
    to be interoperable, portable, and maintainable. These include specifications of critical aspects of
    component systems’ hardware, software, communication, data, security, and performance
    characteristics.
    6
     Memorandum for the President’s Management Council, “What Makes a Good CIO?” June 28, 1996.



    Page 3                                                                          GAO/T-AIMD-98-22
leadership ability, technical skills, an understanding of business
operations, and good communications and negotiation skills. For this
reason, finding an effective CIO can be a difficult task. Agencies faced a
similar difficulty in trying to find qualified chief financial officers to
implement the CFO Act’s financial management reforms. It took time and
concerted effort by the Administration, the CFO Council, and the Congress
to get strong, capable leaders into the CFO positions.

Shortly after the Clinger-Cohen Act went into effect, OMB evaluated the
status of CIO appointments at the 27 agencies. OMB noted that at several
agencies, the CIO’s duties, qualifications, and placement met the
requirements of the Clinger-Cohen Act. According to OMB, these CIOs had
experience, both operationally and technically, in leveraging the use of
information technology, capital planning, setting and monitoring
performance measures, and establishing service levels with technology
users. These CIOs also had exposure to a broad range of technologies, as
well as knowledge of government budgeting and procurement processes
and information management laws, regulations, and policies.

However, OMB had concerns about a number of other agencies that had
acting CIOs, CIOs whose qualifications did not appear to meet the
requirements of the Clinger-Cohen Act, and/or CIOs who did not report
directly to the head of the agency. OMB also raised concerns about agencies
where the CIOs had other major management responsibilities or where it
was unclear whether the CIOs’ primary duty was the information resource
management function. OMB stated that it would reevaluate the situations at
these agencies at a later date, after agencies had time to put permanent
CIOs in place or take corrective actions to have their CIO appointment and
organizational alignment meet the necessary requirements.

OMB  called for updated information on the status of governmentwide CIO
appointments in its April 1997 data request on individual agency efforts to
implement provisions of the Clinger-Cohen Act.7 OMB has not yet issued a
status report based on this information and subsequent follow-up. In a
recent discussion, OMB officials stated that they will provide feedback on
individual CIO appointments as part of the fiscal year 1999 budget review
process. On the basis of preliminary observations, however, OMB officials
stated that they still have some of the same concerns that they had a year
ago about CIO positions that have not been filled, have not been properly
positioned, or have multiple responsibilities.

7
 OMB Memorandum M-97-12, “Evaluation of Agency Implementation of Capital Planning and
Investment Control Processes,” April 25, 1997.



Page 4                                                                    GAO/T-AIMD-98-22
    It is very important for OMB to follow through on its efforts to assess CIO
    appointments and resolve outstanding issues. Information technology
    reforms simply will not work without effective CIO leadership in place. We
    will continue to monitor this situation to provide our suggestions on
    actions that need to be taken.

    One area that we will focus on during the coming year is CIOs who have
    major responsibilities in addition to information management. The
    Clinger-Cohen Act clearly calls for CIOs to have information resources
    management as their primary duty. We have stressed the importance of
    this principle in testimonies and, most recently, in our February 1997
    high-risk report, in which we emphasized that the CIO’s duties should focus
    sharply on strategic information management issues and not include other
    major responsibilities.8 In addition to the escalating demands of rapidly
    evolving technologies, CIOs are faced with many serious information
    management issues, any one of which would be a formidable task to
    address. Taken together, these issues create a daunting body of work for
    any full-time CIO, much less for one whose time and attention is divided by
    other responsibilities. As you know, Mr. Chairman, we have reported
    extensively on a number of these compelling challenges. The following are
    just a few of these challenges.

•   Ensuring that federal operations will not be disrupted by the Year 2000
    problem is one of the foremost and most pressing issues facing
    agencies—one that we have designated as a governmentwide high-risk
    area. Efforts by this Subcommittee have underscored repeatedly that many
    agencies are seriously behind schedule in resolving this problem during
    the next 2 years.9
•   Poor security management is putting billions of dollars worth of assets at
    risk of loss and vast amounts of sensitive data at risk of unauthorized
    disclosure, making it another of our governmentwide high-risk areas.
    Agencies need to make much better progress in designing and
    implementing security programs and getting skilled staff in place to


    8
     Government Reform: Legislation Would Strengthen Federal Management of Information and
    Technology (GAO/T-AIMD-95-205, July 25, 1995); Managing Technology: Best Practices Can Improve
    Performance and Produce Results (GAO/T-AIMD-97-38, January 31, 1997); and High-Risk Series:
    Information Management and Technology (GAO/HR-97-9, February 1997).
    9
     Year 2000 Computing Crisis: Success Depends Upon Strong Management and Structured Approach
    (GAO/T-AIMD-97-173, September 25, 1997). Among other Year 2000 reports are: Defense Computers:
    DFAS Faces Challenges in Solving the Year 2000 Problem (GAO/AIMD-97-117, August 11, 1997);
    Veterans Benefits Computer Systems: Uninterrupted Delivery of Benefits Depends on Timely
    Correction of Year-2000 Problems (GAO/T-AIMD-97-114, June 26, 1997); and Year 2000 Computing
    Crisis: National Credit Union Administration’s Efforts to Ensure Credit Union Systems Are Year 2000
    Compliant (GAO/T-AIMD-98-20, October 22, 1997).



    Page 5                                                                          GAO/T-AIMD-98-22
    manage them.10 This extreme vulnerability has been given added emphasis
    by the recent Presidential commission report on the growing exposure of
    U.S. computer networks to exploitation and terrorism.11
•   Agencies need to develop, maintain, and facilitate integrated systems
    architectures to guide their system development efforts. We have seen
    major modernization efforts handicapped by incomplete architectures,
    such as at the Federal Aviation Administration (FAA) and the Internal
    Revenue Service (IRS), as well as the departments of Veterans Affairs and
    Education.12
•   Agencies need to establish sound information management investment
    review processes that provide top executives with a systematic,
    data-driven means to select and control how technology funds are spent.
    Our reviews of system development and modernization projects, such as
    the Medicare Transaction System and the four high-risk efforts included in
    our 1997 High-Risk Series, continue to show the crucial importance of
    structured investment oversight.13
•   In our 1997 High-Risk Series we identified 25 high-risk areas covering a
    wide array of key federal activities, ranging from Medicare fraud to
    financial management at the Department of Defense. Resolving the
    problems in these areas depends heavily on improved information
    management.
•   Agencies need to integrate strategic information planning with the overall
    strategic plan that they must prepare under the Results Act. Our review of
    recent attempts by agencies to develop sound strategic plans showed very
    weak linkages between the strategic goals and the information technology
    needed to support those goals.14



    10
     Information Security: Opportunities for Improved OMB Oversight of Agency Practices
    (GAO/AIMD-96-110, September 24, 1996).
    11
     The President’s Commission on Critical Infrastructure Protection issued its final report to the
    President on October 20, 1997. The report has not yet been released to the public.
    12
     See Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization
    (GAO/AIMD-97-30, February 3, 1997); Tax Systems Modernization: Actions Underway But IRS Has Not
    Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996); Veterans
    Benefits Computer Systems: Risks of VBA’s Year-2000 Efforts (GAO/AIMD-97-79, May 30, 1997); and
    Student Financial Aid Information: Systems Architecture Needed to Improve Programs’ Efficiency
    (GAO/AIMD-97-122, July 29, 1997).
    13
     Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical
    Weaknesses (GAO/AIMD-97-78, May 16, 1997). High-Risk Series: Information Management and
    Technology (GAO/HR-97-9, February 1997). The four modernization projects on GAO’s high-risk list
    are FAA’s air traffic control modernization, the Department of Defense’s Corporate Information
    Management initiative, the National Weather Service modernization, and IRS’ Tax Systems
    Modernization.
    14
     Managing for Results: Critical Issues for Improving Federal Agencies’ Strategic Plans
    (GAO/GGD-97-180, September 16, 1997).


    Page 6                                                                            GAO/T-AIMD-98-22
•   Agencies must build their staffs’ skills and capabilities to react to the rapid
    developments in information technology, develop needed systems, and
    oversee the work of systems contractors. Weaknesses in agencies’
    technology skills bases, especially in the area of software acquisition and
    development, have been a recurring theme in our reviews of federal
    information technology projects.15

    Despite the urgent need to deal with these major challenges, we still see
    many instances of CIOs who have responsibilities beyond information
    management. At present, only 12 agencies have CIOs whose responsibilities
    are focused solely on information management. The other 15 agencies
    have CIOs with multiple responsibilities. Together, these 15 agencies
    account for about $19 billion of the nearly $27 billion dollars in annual
    federal planned obligations for information technology. While some of
    these CIO’s additional responsibilities are minor, in many cases they
    include major duties, such as financial operations, human resources,
    procurement, and grants management. At the Department of Defense, for
    example, the CIO is also the Assistant Secretary for Command, Control,
    Communications and Intelligence. By asking the CIO to also shoulder a
    heavy load of programmatic responsibility, it is extremely difficult, if not
    impossible, for the CIO to devote full attention to information resource
    management issues. Recognizing this problem, the Department’s Task
    Force on Defense Reform is examining the current structure of the CIO
    position to ensure that the person can devote full attention to reforming
    information management within the Department.16

    We are particularly troubled by agencies that have vested CIO and Chief
    Financial Officer responsibilities in one person.17 The challenges facing
    agencies in both financial and information management are monumental.
    Each requires full-time leadership by separate individuals with appropriate
    talent, skills, and experience in these two areas. In financial management,
    for example, most agencies are still years away from their goal of having

    15
     Weather Forecasting: Recommendations to Address New Weather Processing System Development
    Risks (GAO/AIMD-96-74, May 13, 1996); Tax Systems Modernization: Actions Underway But IRS Has
    Not Yet Corrected Management and Technical Weaknesses (GAO/AIMD-96-106, June 7, 1996);
    Medicare Transaction System: Success Depends Upon Correcting Critical Managerial and Technical
    Weaknesses (GAO/AIMD-97-78, May 16, 1997); Air Traffic Control: Complete and Enforced
    Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, February 3, 1997); and Air
    Traffic Control: Immature Software Acquisition Processes Increase FAA System Acquisition Risks
    (GAO/AIMD-97-47, March 21, 1997).
    16
     Defense IRM: Poor Implementation of Management Controls Has Put Migration Strategy at Risk
    (GAO/AIMD-98-5, October 20, 1997).
    17
     Commerce, Education, Health and Human Services, Justice, and the Veterans Administration have
    combined CIOs/CFOs.



    Page 7                                                                      GAO/T-AIMD-98-22
reliable, useful, relevant, and timely financial information—an urgently
needed step in making our government fiscally responsible.

Because it may be difficult for the CIO of a large department to adequately
oversee and manage the specific information needs of the department’s
major subcomponents, we have also supported the establishment of a CIO
structure at the subcomponent and bureau levels.18 Such a management
structure is particularly important in situations where the departmental
subcomponents have large information technology budgets or are engaged
in major modernization efforts that require the substantial attention and
oversight of a CIO. In the Conference Report on the Clinger-Cohen Act, the
conferees recognized that agencies may wish to establish CIOs for major
subcomponents and bureaus.19 These subcomponent level CIOs should
have responsibilities, authority, and management structures that mirror
those of the departmental CIO.

We have reported on instances where the subcomponent CIOs were not
organizationally positioned and empowered to discharge key CIO functions.
For example, in our reviews of FAA’s air traffic control (ATC)
modernization, which is expected to cost $34 billion through the year 2003,
we found that FAA’s CIO was not responsible for developing and enforcing
an ATC systems architecture. Instead, FAA had diffused architectural
responsibility across a number of organizations. As a result, FAA did not
have a complete ATC architecture, which in turn has led to incompatible
and unnecessarily expensive and complex ATC systems. Additionally, we
found that while FAA’s CIO was responsible for ATC software acquisition
process maturity and improvement, the CIO lacked the authority to
implement and enforce process change. Consequently, we reported that
(1) FAA’s processes were ad hoc, and sometimes chaotic, and not
repeatable across ATC projects and (2) its improvement efforts have not
produced more disciplined processes. Among other actions, we
recommended that FAA establish an effective management structure for
developing, maintaining, and enforcing a complete systems architecture
and improving software acquisition process improvement and that this




18
 Government Reform: Legislation Would Strengthen Federal Management of Information and
Technology (GAO/T-AIMD-95-205, July 25, 1995).
19
  H. R. Conf. Rep. No. 104-450 at 977 (1996).



Page 8                                                                    GAO/T-AIMD-98-22
management structure be similar to the department-level CIO structure
prescribed by the Clinger-Cohen Act.20

Similarly, in the last few years, we have reported and testified on
management and technical weaknesses associated with IRS’ Tax Systems
Modernization.21 Among other things, we have noted how important it is
for IRS to have a single IRS entity with responsibility for and control over all
information systems efforts. Since we first reported on these problems, IRS
has taken a number of positive steps to address its problems and
consolidate its management control over systems development. However,
as we noted in recent briefings to the acting IRS Commissioner and
congressional committee staffs, neither the CIO nor any other
organizational entity has sufficient authority needed to implement IRS’
Systems Life Cycle—its processes and products for managing information
technology investments—or enforce architectural compliance
agencywide. We will soon be making formal recommendations to IRS to
address this issue.

Finally, as we reported to you earlier this year,22 the problems
encountered by the Health Care Financing Administration (HCFA) in its
development of the Medicare Transaction System provide another
example of the need for strong management over the development and
implementation of information systems. In recent testimony on Medicare
automated systems,23 we reemphasized the importance of establishing CIOs
and involving them and other senior executives in information
management decisions. While HCFA has recently established a CIO and an
Information Technology Investment Review Board, the agency has not yet
implemented an investment process—including senior management roles

20
 Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization
(GAO/AIMD-97-30, February 3, 1997); Air Traffic Control: Improved Cost Information Needed to Make
Billion Dollar Modernization Investment Decisions (GAO/AIMD-97-20, January 22, 1997); and Air
Traffic Control: Immature Software Acquisition Processes Increase FAA System Acquisition Risks
(GAO/AIMD-97-47, March 21, 1997).
21
 Tax Administration: IRS’ Fiscal Year 1997 Spending, 1997 Filing Season, and Fiscal Year 1998 Budget
Request (GAO/T-GGD/AIMD-97-66, March 18, 1997); Internal Revenue Service: Business Operations
Need Continued Improvement (GAO/AIMD/GGD-96-152, September 9, 1996); Tax Systems
Modernization: Actions Underway But IRS Has Not Yet Corrected Management and Technical
Weaknesses (GAO/AIMD-96-106, June 7, 1996); and Tax Systems Modernization: Management and
Technical Weaknesses Must Be Corrected If Modernization Is To Succeed (GAO/AIMD-95-156, July 26,
1995).
22
 Medicare Transaction System: Serious Managerial and Technical Weaknesses Threaten
Modernization (GAO/T-AIMD-97-91, May 16, 1997) and Medicare Transaction System: Success Depends
Upon Correcting Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16, 1997).
23
 Medicare Automated Systems: Weaknesses in Managing Information Technology Hinder Fight
Against Fraud and Abuse (GAO/T-AIMD-97-176, September 29, 1997).



Page 9                                                                         GAO/T-AIMD-98-22
                              and responsibilities—that governs the selection, control, and evaluation of
                              IT investments. Consequently, we have recommended that HCFA establish
                              an investment management approach that explicitly links the roles and
                              responsibilities of the CIO and Investment Review Board to relevant
                              legislative mandates and requirements. Such actions are essential to
                              ensure that HCFA’s—or any agency’s—information technology initiatives
                              are cost-effective and serve its mission.


                              Although the Clinger-Cohen Act did not call for the establishment of a
Establishing a                federal CIO Council, the Administration is to be commended for taking the
Strategic Direction for       initiative to establish one through a July 1996 Executive Order.24 Our
the CIO Council               experience with the CFO Act shows the importance of having a central
                              advisory group to help promote the implementation of financial
                              management reform. The CFO Council, which has a statutory underpinning,
                              has played a lead role in creating goals for improving federal financial
                              management practices, providing sound advice to OMB on revisions to
                              executive branch guidance and policy, and building a professional
                              community of governmentwide financial management expertise.

                              The CIO Council, chaired by OMB, can play a similarly useful role. As stated
                              in its charter, the Council’s vision is to be a resource for helping promote
                              the efficient and effective use of agency information resources. The
                              Council serves as the principle forum for agency CIOs to

                          •   develop recommendations for governmentwide information technology
                              management policies, procedures, and standards;
                          •   share experiences, ideas, and promising practices for improving
                              information technology management;
                          •   promote cooperation in using information resources;
                          •   address the federal government’s hiring and professional development
                              needs for information management; and
                          •   make recommendations and provide advice to OMB and the agencies on the
                              governmentwide strategic plan required under the PRA.

                              The CIO Council is currently going through a formative period. Since its
                              first meeting in September 1996, the Council has engaged in a wide variety
                              of activities. It meets on a monthly basis, bringing together CIOs, deputy
                              CIOs, and representatives from major departments and agencies, as well as
                              representatives from other organizations, such as the Small Agency


                              24
                                Executive Order 13011 of July 16, 1996: “Federal Information Technology.”



                              Page 10                                                                       GAO/T-AIMD-98-22
Council, the CFO Council, and the Governmentwide Information
Technology Services Board.

The Council’s activities during its first year have largely revolved around
four major areas.

(1) Council organization: The Council decided how to organize and
created operational procedures.

(2) Committee specialization: The Council created five committees to
focus on selected topics of concern emerging from initial sessions—the
year 2000, capital planning and investment, interoperability, information
resources management training and education, and outreach/strategic
planning. Each committee has pursued agendas that include regular
working group sessions to exchange ideas and identify promising
management practices.

(3) Topical forums: The Council has provided a regular forum for
presentations and discussions of specific topics of shared concern, such as
improving Internet security, enhancing the usefulness of budgetary
reporting on federal information technology, understanding the use of
governmentwide acquisition contracting mechanisms, developing effective
systems architectures, and consolidating data center operations.

(4) Governmentwide policy advice and recommendations: The Council
has responded to OMB’s solicitation for comments on proposed federal
information resources management policy revisions (the Federal
Acquisition Regulations, Freedom of Information Act, the Privacy Act, the
PRA); updates on critical issues such as Year 2000 progress; and guidance
and feedback on agency reporting to meet OMB’s federal oversight
requirements (such as preparing budget submissions for information
assets under OMB Circular A-11).

While these activities have proved useful, the Council does not yet have a
strategic plan to help guide its work and serve as a benchmark for
measuring progress. As we saw in the case of the CFO Council, achieving
accomplishments that have strategic impact requires well-defined goals
and measures. The CFO Council adopted a vision, goals, and strategies for
financial management that have made it a much more productive body.
The CFO Council now regularly reviews activities and, if necessary, revises
Council priorities. In addition, the Council annually reports on its progress
in implementing financial management reforms.



Page 11                                                      GAO/T-AIMD-98-22
    Recognizing the need to focus its efforts, the CIO Council began to reassess
    and redefine its strategic direction this past summer. This October, the
    Council members met at a day-long planning conference to discuss and
    finalize their long-range strategy. They agreed to focus their work on five
    strategic goals:

•   establish sound capital planning and investment processes at the agencies;
•   ensure the implementation of security practices that gain public
    confidence and protect government services, privacy, and sensitive and
    national security information;
•   lead federal efforts to successfully implement the Year 2000 conversions;
•   assist agencies in obtaining access to human resources with the requisite
    skills and competencies to develop, maintain, manage, and utilize
    information technology programs, projects, and systems; and
•   define, communicate, and establish the major elements of a federal
    information architecture, in support of government missions, that is open
    and interoperable.

    We believe that the CIO Council has selected the right set of issues to
    pursue. Several of these coincide with issues we raised in our 1997
    High-Risk Series and recommendations we have formulated in conjunction
    with specific audit work. In addition, they parallel several concerns that
    the Congress—and this Subcommittee in particular—have raised about
    federal IT management. For example, the regular hearings and concerted
    effort by the Subcommittee on the Year 2000 computing crises have
    highlighted the urgency of the problem and helped to increase the
    attention and actions of federal executives. GAO has raised concerns about
    the pace at which federal agencies are moving to effectively address the
    Year 2000 problem.25 In consonance with industry best practices, we have
    also developed and disseminated an assessment guide to help agencies
    plan, manage, and evaluate their Year 2000 programs, and are using this as
    a basis for selected agency audits.26

    In addition, we have strongly recommended that agencies adopt a capital
    planning and investment-oriented approach to information technology
    decision-making.27 It has been a key foundation for recommending

    25
     Year 2000 Computing Crises: Time Is Running Out for Federal Agencies to Prepare for the New
    Millennium (GAO/T-AIMD-97-129, July 10, 1997).
    26
      Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997).
    27
     Information Technology: Best Practices Can Improve Performance and Produce Results
    (GAO/T-AIMD-96-46, February 26, 1996) and Information Management Reform: Effective
    Implementation Is Essential for Improving Federal Performance (GAO/T-AIMD-96-132, July 17, 1996).



    Page 12                                                                       GAO/T-AIMD-98-22
improvements to the management of IRS’ Tax Systems Modernization,
HCFA’s development of the Medicare Transaction System, and FAA’s air
traffic control modernization. We worked with OMB in 1995 to issue
governmentwide guidance on information technology investment
management28 and we have also issued detailed guidance on how agencies
can effectively implement an investment-oriented decision-making
approach to their information technology spending decisions as expected
under the Clinger-Cohen Act.29

Information security is also an issue of paramount importance to the
information maintained and managed by the federal government. We have
highlighted the reality of the government’s vulnerability and the urgent
need to effectively identify and address systemic information security
weaknesses.30 Moreover, in our September 1996 report on information
security, we specifically recommended that the Council adopt information
security as one of its top priorities.31

Also, building federal agencies’ capability to manage information
resources has been a critical problem for years. Several of our recent
reports, for instance, have focused on serious weaknesses in an agency’s
capability to manage major technology initiatives, such as in the area of
software acquisition or development.32 Similarly, our best practices work
has shown the importance of pursuing improvement efforts within the
context of an information architecture in order to maximize the potential
of information technology to support reengineered business processes.

We are encouraged by the Council’s intention to establish a strong
strategic focus for its work and further refine and prioritize the areas
where it can best make a difference. One of the noteworthy aspects of the
Council’s goal-setting process was the members’ desire to move away from

28
   Evaluating Information Technology Investments, A Practical Guide, Version 1.0 (OMB, November
1995).
29
 Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment
Decision-making, Version 1 (GAO/AIMD-10.1.13, February 1997).
30
 Information Security: Computer Attacks at Department of Defense Pose Increasing Risks
(GAO/AIMD-96-84, May 22, 1996) and Information Security: Computer Hacker Information Available
on the Internet (GAO/T-AIMD-96-108, June 5, 1996).
31
 Information Security: Opportunities for Improved OMB Oversight of Agency Practices
(GAO/AIMD-96-110, September 24, 1996).
32
  See, for example, Software Capability Evaluation: VA’s Software Development Process Is Immature
(GAO/AIMD-96-90, June 19, 1996); Air Traffic Control: Immature Software Acquisition Processes
Increase FAA System Acquisition Risks (GAO/AIMD-97-47, March 21, 1997; and Defense Financial
Management: Immature Software Development Processes at Indianapolis Increase Risk
(GAO/AIMD-97-41, June 6, 1997).


Page 13                                                                       GAO/T-AIMD-98-22
earlier draft language that defined the goals in terms of “promoting” and
“supporting.” Instead, the Council is working to frame specific,
outcome-oriented goals. At the conclusion of the conference, the Council
set up committees for each of the goals and charged them to decide on
specific objectives and performance measures. The Council’s aim is to
complete this work quickly and publish its strategic plan in January 1998.

There is great urgency to deal with these major information technology
problems. It is important that the Council demonstrate how CIOs are
helping to make a difference by showing progress this coming year. GAO
and OMB have given the CIO Council a head start by publishing guidance on
information technology capital investments, information security, and best
practices in information technology management.33 By leveraging off this
work, the Council should be able to build momentum quickly. Also, the CIO
Council should follow the example set by the CFO Council, which publishes
a joint report with OMB each year on its progress in meeting financial
management goals. Having a visible yardstick will provide a strong
incentive for both the Council and the agencies to make progress in
meeting their information management goals and demonstrate positive
impact on the agencies’ bottom line performance.

Because it is essentially an advisory body, the CIO Council must rely on
OMB’s support to see that its recommendations are implemented through
federal information management policies, procedures, and standards. In
the coming months, the Congress should expect to see the CIO Council
becoming very active in providing input to OMB on the goals it has chosen.
OMB, in turn, should be expected to take the Council’s recommendations
and formulate appropriate information management polices and guidance
to the agencies. There should be clear evidence that the CIO Council, OMB,
and the individual CIOs are driving the implementation of information
technology reforms at the agencies.

Ultimately, the successful implementation of information management
reforms depends heavily upon the skills and performance of the entire CIO
organization within departments and agencies—not just the CIO as a single
individual. We have emphasized this point in our recent guidance on



33
   Evaluating Information Technology Investments: A Practical Guide, Version 1.0 (OMB, November
1995); Capital Programming Guide, Version 1.0 (OMB, July 1997); Information Security: Opportunities
for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996); Business
Process Reengineering Assessment Guide, Version 3 (GAO/AIMD-10.1.15, April 1997); and Executive
Guide: Improving Mission Performance Through Strategic Information Management and Technology
(GAO/AIMD-94-115, May 1994).



Page 14                                                                        GAO/T-AIMD-98-22
           information technology performance measurement.34 With this in mind, we
           are working to produce an evaluation guide that offers a useful framework
           for assessing the effectiveness of CIO organizations. As with our other
           guidance, we intend to ground this approach in common management
           characteristics and techniques prevalent in leading private and public
           sector organizations. Using this methodology that focuses on both
           management processes and information technology spending results, we
           can provide the Congress and the agencies with in-depth evaluations of CIO
           organizational effectiveness.


           Mr. Chairman, this concludes my statement. I would be happy to answer
           any questions that you and members of the Subcommittee may have.




           34
             Executive Guide: Measuring Performance and Demonstrating Results of Information Technology
           Investments, Exposure Draft (GAO/AIMD-97-163, September 1997).



(511042)   Page 15                                                                     GAO/T-AIMD-98-22
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested