While CIOs claim the “chief” title, in many cases their hands have been tied by sprawling bureaucratic structures and a lack of institutional heft.
In the wake of the massive breach of federal records at the Office of Personnel Management, the agency’s chief information officer, Donna Seymour, faced intense criticism over her handling of IT security.
Unpatched critical vulnerabilities had languished, sensitive information was left unencrypted and basic measures, such as two-factor authentication, were unimplemented, according to findings from the agency’s inspector general.
But another finding went less noticed: For years, individual program offices had managed their own IT systems, and agency leadership had never clearly defined which elements of IT security were the responsibility of the CIO and which would be handled by program offices.
The truth is that while CIOs at federal agencies claim the “chief” title, in many cases their hands have been tied by sprawling bureaucratic structures and a lack of institutional heft.
The good news is that Congress has already attempted to amend this with the passage last December of the bipartisan Federal IT Acquisition Reform Act, which seeks to fix how government buys and builds IT projects. The so-called crown jewel of the new law is amping up the authority of agency CIOs, giving them significantly more power over all agency IT spending. For too long, advocates of the legislation argued, agency CIOs had been cut off full-blown decision-making power when it comes to IT spending -- which tops $80 billion annually governmentwide.
Interior CIO: FITARA is 'Pivotal'
But if you needed a case study in the dysfunction and disempowerment that agency CIO shops are up against, look no further than the Interior Department.
The agency is one of those large, decentralized agencies -- 70,000 employees spread out across nearly a dozen bureaus and offices and more than 2,400 “operating locations” -- that FITARA was specifically designed to address.
But of more than $1 billion in agency IT spending, the department’s CIO directly controls barely $200 million, CIO Sylvia Burns told members of the House Oversight and Government Reform Committee on Wednesday during a hearing on the agency’s cybersecurity practices.
"So, you're the CIO of the entire department and you have access to less than $200 million?” Rep. Will Hurd, R-Texas, chairman of the Oversight IT subcommittee asked, incredulous. “Isn't that a problem?"
Burns explained: "I think one of the biggest challenges that the department has is the fact that you have all the different, separate operating environments for IT.” The various bureaus and offices don’t operate under a “single presence of mind,” she added, namely hers. Instead, officials at the various bureaus -- assistant directors for information resources -- are responsible for managing IT at the operational level.
That leaves agency employees “in far-flung places in the country who are doing whatever they're doing because it's the best way they know to do their job,” Burns said. “But they're not getting any direction, central direction, from their bureau and from the department.”
FITARA is “pivotal legislation,” Burns added, “that helps us to drive the consolidation and centralization of the things that we're talking about today.”
But for Burns -- ostensibly the top tech official at the department -- some pretty big blind spots remain.
For example, when asked by a member of the committee how many breaches Interior components had suffered in 2015, Burns, citing the agency’s “distributed IT environment,” said she was unable to answer and would have to do “research” on her own to determine that information.
Interior is tied up in the massive breach of million of federal employee personnel records stored by OPM, in which hackers believed to be from China pillaged an OPM database containing personnel files that happened to be stored in an Interior data center.
Burns was asked to answer for Interior’s security practices as well as the results of a new inspector general report that turned up some 3,000 critical vulnerabilities in public-facing websites at three Interior bureaus.
One Agency Bureau Forced Off the Internet
The department first began taking steps in 2010 to centralize more authority under the agency CIO, said former CIO Bernie Mazer, who left the post last year and now works for the agency’s inspector general.
When he became CIO earlier that year, “the CIO's office was a policy shop,” he told lawmakers. “The CIO's office would promulgate policy to the respective bureaus and offices to assure that they were taking care of things,” such as security and capital planning.
The Interior’s IT management structure may be more fragmented than elsewhere in the federal government.
The Bureau of Indian Affairs, a key Interior component, was forcibly unplugged from the Internet early in the last decade for nearly seven years -- by a court order -- amid a class-action lawsuit that the department had mismanaged Indian trust data and the systems storing data were insecure. The bureau finally reconnected in 2008 and the government finalized a $3.4 billion settlement in 2011.
As for the federal IT overhaul, it's now in the implementation stage. The Office of Management and Budget issued marching orders to agencies this spring, setting out a “common baseline” of roles and responsibilities for agency CIOs.
By next month, agencies are required to complete a self-assessment of their CIOs’ current responsibilities. For example, how much control do they have over total agency IT spending? Can they pull funding for an underperforming project?
Agencies need to roll out the new CIO authorities by the end of 2016.