Federal agencies are not adequately supporting the authorities of their chief information officer as outlined by law, according to an August 2 Government Accountability Office review of 24 agencies defined in the Chief Financial Officers Act.
“None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified,” the report said.
Of the six authority areas reviewed by GAO — IT leadership and accountability, IT budgeting, information security, IT investment management, IT strategic planning and IT workforce — only three were either fully or substantially supported by at least half of surveyed agencies.
CIO authority has long been an issue of particular interest in the federal government and is a cornerstone of the biannual Federal Information Technology Acquisition Reform Act scorecards released by GAO.
“Shortcomings in agencies' policies are partially attributable to two weaknesses in the Office of Management and Budget's (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program,” the report said.
“Second, OMB guidance does not ensure that CIOs have a significant role in (1) IT planning, programming and budgeting decisions and (2) execution decisions and the management, governance and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain and secure their IT systems.”
Despite this finding, CIOs told GAO that Office of Management and Budget guidance was a major enabling factor in their ability to effectively manage IT, along with National Institute of Standards and Technology guidance, their position in the agency hierarchy, their coordination with the chief acquisition officer and their legal authority.
Agency CIOs said that financial resources, availability of personnel and staff resources, and the agency’s processes for hiring, recruiting and retaining personnel were major challenging factors.
“Although OMB has issued guidance aimed at addressing the three factors that were identified by at least half of the CIOs as major challenges, the guidance does not fully address those challenges,” the report said. “Until OMB updates its guidance to include a complete definition of the authority that CIOs are to have over IT spending, it will be difficult for OMB to identify any deficiencies in this area and help agencies to make any needed improvements.”
GAO made three recommendations to OMB: issue guidance to address CIO responsibilities not currently included in guidance, update current guidance to explain how agencies need to address the role of CIOs and define the authority CIOs are supposed to have over IT spending.
GAO also recommended that each of the 24 agencies reviewed address any weaknesses related to the six key areas of CIO authority.
Fourteen agencies agreed with the recommendations, while five did not make any comments and the remaining took issue with the selected assessments of CIO responsibilities.
OMB also only partially agreed with the recommendation to issue guidance on those areas not covered by current guidance.
“After GAO provided the draft report to OMB for comment, the president signed an executive order that, among other things, clarified the role that CIOs are to have in the management, governance, and oversight processes related to IT. The executive order is responsive to GAO’s related recommendation. GAO will continue to monitor agencies' implementation of the executive order,” the report said.
Jessie Bur covers federal IT and management.
