Now You See It

062910cioSPOTLIGHTinsNG (Jun. 29) - Veterans Affairs' Roger Baker, Government Executive's CIO of the Year, created a website to warn IT employees about initiatives at risk of being suspended. Chris Flynn

Federal chief information officers always have faced the challenge of balancing information sharing with information protection - all while working to hit project deadlines and budgets. Agencies are being asked to post more data on the Web that will boost services and accountability to taxpayers, but funding and resources are becoming more limited.

The long-term task for CIOs will be finding the means to retain talent, gain scale and reuse existing infrastructure to meet these challenges. One solution being pushed by the Office of Management and Budget is subscribing on a pay-per-use basis to access shared hardware and soft-ware that is hosted on the Web - a setup called cloud computing. Moving to the cloud is part of OMB's strategy for consolidating hundreds of federal data centers nationwide that are sapping energy and money from agency budgets.

Constant online surveillance is magnifying the demands on CIOs. During the next year, OMB and, in many cases, ordinary citizens will be able to monitor the actions of every CIO through websites that continuously track federal information technology investments. Such exposure puts pressure on tech chiefs, especially when so many can see how their work stacks up against other CIOs' output.

"The main business in government these days is the information business," says Alan Balutis, the Commerce Department's first CIO and a founding member of the federal Chief Information Officers Council.

The job of managing information, once the sole jurisdiction of CIOs, now falls to entire departments. The rank-and-file all the way up to the secretary have a say in making government records more understandable and useful to constituents under the rubric of open government. The CIOs' role is to clarify and implement their colleagues' vision online, says Jennifer Kerber, vice president for federal and homeland security policy at industry group TechAmerica.

In the Fishbowl

In many ways, the CIO position is much more important than it was just four years ago, due to agencies' increasing dependence on IT for everything from cutting paychecks to policymaking. OMB informs the public regularly about IT management performance through blogs and the federal IT Dashboard, a project-tracking website.

The dashboard requires agencies to provide updates on the status of major technology investments. "In previous administrations, we reported quarterly at the aggregate level. With the dashboard, we're reporting it on a monthly basis," says Linda Travers, principal deputy assistant administrator for the Office of Environmental Information at the Environmental Protection Agency. In addition, Vivek Kundra, the first-ever governmentwide CIO, almost weekly uses social media to announce new online transparency initiatives.

And so, the business of the CIO is becoming everybody's business. OMB has long had access to the information that powers the IT Dashboard, "but it hasn't been out there for you and I to see, so you want to do a good job and make sure the information is correct," Kerber says. "That move, putting it online, is kind of the peer pressure. Nobody wants to be the CIO of a failing project if you're going to put it up there."

Agencies can alleviate some of the pressure that comes with greater transparency by ensuring their technology is grounded in solid program management, Balutis and Kerber say. Program management refers to the process of defining a program's scope, schedule and cost objectives, and measuring progress toward those goals. "You see these projects where somebody should have pulled the plug on them and no one did - to me the big issue that still needs to be addressed is the program management abilities in government," says Balutis, now director of Cisco's Internet Business Solutions Group. "Pulling the plug is good, but the mission doesn't go away with the canceling of that project."

Tools of the Trade

Balutis says the government must invest more heavily in equipping CIOs to manage IT projects. Kerber adds such investments should include a larger workforce, more funding and more training. "We have to give them the tools to do the job," she says. Program managers, often the successors to CIOs, should be more highly rewarded, which would make the position something to aspire to rather than something one merely falls into, Balutis adds.

But such investments could be hard to come by, says Mark McDonald, a Gartner group vice president. Through workforce or infrastructure consolidation, executives will have to cut costs dramatically. "As the economy comes out of the recession, there's still going to be a high demand for government services, but there is also pressure on the budgets," he says. "If I look at my program budget, part of it is serving the citizen, and maintenance, repair and operations. IT is a significant part of the latter. If I'm looking to increase efficiencies I go after the biggest controllable cost. They can't cut citizen services, but they can cut administrative services."

Agencies will face separate, distinct challenges in the year ahead largely due to the economic downturn. The Social Security Administration, for example, is working to expand IT capacity and speed to manage the oncoming wave of retirees and people in need of financial assistance. "There are dramatically higher numbers of people coming into our office because of the baby boomers and due to the economic recession. We need to find a way to serve them well," says Social Security CIO Franklin H. Baitman. The agency has nearly 1,400 offices nationwide. But given the public's dependence on the Internet, SSA is trying to replicate the experience of an office visit on the Web.

Offering more Web-based services could ward off millions of visits to Social Security's offices, saving money and reducing the paperwork burden on employees and citizens. But one hurdle is confirming the identity of applicants without physical documents. Baitman says the agency plans to have the technological capability to allow people to submit applications and receive notices from SSA using one authentication tool by 2011. And to bolster its single, weakening data center, which is 30 years old, the agency plans to use stimulus money to break ground on a new one in fiscal 2011. For now, SSA is relying on the old location and a co-processing center to manage more than $700 billion in benefits for 60 million beneficiaries in fiscal 2011.

Trouble Spots

CIOs also must answer to a tougher boss this year. Kundra has pledged the White House will step up oversight of IT investments through a new review process dubbed TechStat. OMB officials meet with CIOs to assess the status of projects using data from the IT Dashboard. Troubled projects will be scaled back, overhauled or scrapped. "We've made some tough decisions across the board," Kundra says. "We've actually as a result of these sessions halted modernizations." And with a forthcoming refresh of the IT Dashboard, "we're getting deeper into the investments" using advanced analytics and direct feeds from agencies, he adds.

Some CIOs seem to be responding well to the stricter supervision. Veterans Affairs Department CIO Roger Baker halted 45 underperforming projects in 2009, using his own review process, before TechStat meetings even started. He cut 12 of the projects. At EPA, Travers is conducting internal TechStat meetings on certain large projects that are in the development stage. Her first session looked at the document management system for Superfund, a program that compels parties responsible for abandoned hazardous waste sites to clean them up or reimburse the government for cleanups. EPA is upgrading and consolidating the systems that handle data collection, reporting and tracking for the program.

Meanwhile, President Obama's declaration that the U.S. digital infrastructure is now a national security priority has raised the profile of federal cybersecurity. In the past, agencies were required to certify compliance with security procedures through an annual paper-based reporting process. But White House officials recently announced a shift to real-time data feeds that alert them monthly to gaps in agency networks.

The new procedures for cybersecurity will give the White House greater insight into the security posture of agency systems. Recognizing that not all agencies are performing the same missions and functions, Howard Schmidt, the first-ever White House cybersecurity coordinator, says federal security specialists will be "interviewing each of the agencies to understand the qualitative nature of the threat that we face."

Regardless of heightened oversight, CIOs will have the same core responsibilities, Balutis notes. "A CIO is to do what he or she is always supposed to do, which is to be responsible for disseminating information and also protecting the information and ensuring privacy," he says. "I don't know that anything has changed other than that these now have become much more important and to some extent the degree of difficulty has increased a little bit."

Force of the Future

The new crop of potential CIOs, the so-called millennial generation of people born after 1980, is likely to change the dynamic of managing technology. And that could happen sooner than expected as agencies start to confront the realities of an aging workforce. "The brain drain that didn't happen three years ago, which was imminent, may actually be happening now," Gartner's McDonald explains. State-level government employees already are taking early retirement packages, he notes.

"Those millennials are going to put pressure on the IT delivery model to be more transparent, to be shorter cycle and more rapid response. The notion of a multiyear government program they're going to question," he says.

Those native to the world of instant online connections who have grown up in a world of information sharing, could shun bureaucratic management processes and put stronger emphasis on serving the citizen. "They'll have an interesting influence on the pace and tenor of IT management and IT execution in the federal government," McDonald says.

Roger Baker

Chief Information Officer

Veterans Affairs Department

When Roger Baker came back to government in 2009 after almost a decade in the private sector, he told senators at his confirmation hearing he was aware he would inherit security and managerial difficulties. In recent years, there had been high-profile gaffes such as the loss of personal data on 26 million veterans and failed multimillion-dollar information technology projects.

As CIO at Veterans Affairs, Baker continued to confront information security and program management fiascos. For example, software bugs led to instances of doctors retrieving the wrong patient data and the department's IT portfolio was found to include 45 underperforming projects. Instead of kicking these embarrassments under the carpet, Baker went public about the medical information system flaw and halted those projects last summer.

Such moves could rile some advocates of health IT innovation and federal contractors, but Baker contends they were in the best interest of veterans. "We know we have saved $54 million in fiscal 2010 from those 45 projects, and we've moved those dollars to increase the probability of success in other projects," he says.

VA still has a long way to go toward providing timely access to benefits and turning around projects mired in wasteful spending, but Baker seems to be up to the challenge. He has made continuity of care through electronic health records a main concern. "Our ability to create for each veteran and each service member a complete record of their service, of their health interactions, of everything necessary to provide them with quality care . . . is really one of the absolute top priorities for us," he says.

A former Commerce Department CIO, Baker initiated a project management system at VA that suspends initiatives after they miss three milestones. Of the 45 projects on hold, 12 were cut and an online training system for employees remains in limbo. The others were restarted after undergoing substantial changes, such as an overhaul of the basic approach or replacement of the program manager, contractors or government staff. "If there are better systems out there or better approaches to it, I think we owe it to everybody inside VA to explore those," he says.

Baker is creating an internal project-tracking website to warn employees about initiatives at risk of suspension and has made some of that information available to the public as a stoplight-style chart. "If a project is trending red and it's missing [milestone] dates, it's pretty easy to see that it's going to come under some heavy scrutiny for whether it should be stopped or not," he says.

He owns up to the fact that security vulnerabilities continue to jeopardize veterans' and military members' data. "It's still the case that the bulk of the risk is internal. The issues that we see that cause information breaches in the VA tend to be things that employees are doing primarily inadvertently," he says. "The area where VA has made the most progress is VA is a model for how you treat and analyze potential privacy breaches."

Although Baker says he is committed to being open with the public and the VA workforce, he also seems wary of violating his employees' trust by revealing too much about department operations online. "It turns out that transparency is a little tough to do in government," he says. "I am both the CIO and the chief privacy officer of this organization. As we talk about doing things like putting performance information up on the Web we have to be very careful."