CIO Authority 'Still a Major Issue' Across Government

Half of all Chief Financial Officers Act agency chief information officers aren’t reporting to the secretary or deputy secretary, a fact Congress and the Government Accountability Office aren't going to let go of anytime soon.

That much was clear during Tuesday’s House Oversight and Government Reform Committee hearing, which featured the third batch of Federal Information Technology Acquisition Reform Act scorecards that showed continued improvement among agencies at implementing the law spearheaded by Reps. Gerry Connolly, D-Va., and Darrell Issa, R-Calif., two years ago.

The inclusion of a new category in the scorecard—a simple plus sign if a CIO reports to the secretary or deputy secretary of the agency or a minus sign if the CIO reports elsewhere—drove the majority of the conversation as the hearing unfolded.

According to Dave Powner, GAO’s director of IT management issues and one of the oversight committee’s most frequent testifiers, CIOs who report to the top of the chain of command give better self-assessments. GAO has ongoing work in the arena of CIO authorities that will likely lead to a 2017 report to Congress.

“Agency CIO self-assessments to the Office of Management and Budget are higher on average if they report to the agency head,” Powner said, belaboring a point he’s made several times in prior testimony. “Clearly, CIO authorities is still a major issue at departments and agencies. CIOs are telling us their authorities are stronger the higher they report.”

Neither of the CIOs called to testify before the House committee—Luke McCormack at the Homeland Security Department and Frontis Wiggins of the State Department—report to the top two positions within their agencies. Both were accompanied by a budget director or a CFO from their agencies and prodded to explain what they are and aren’t authorized to do.

McCormack and Wiggins both said they had the power to halt or kill troubled IT projects at various points of an acquisition, and McCormack said he’d stopped a troubled project more than once. Yet, Rep. Will Hurd, R-Texas, chairman of IT subcommittee, thoroughly probed the witnesses, seizing on questionable practices and comparing them to private-sector counterparts.

In one exchange, Hurd asked McCormack, who oversees a $6 billion IT budget, how often he met with the Homeland Security secretary.

“About once a month,” McCormack answered, later adding it wasn’t uncommon for him to meet with the secretary more often than that, especially regarding cybersecurity.

“That seems a little low,” Hurd said. He suggested private-sector CIOs meet more frequently with the C-suite because technology forms the backbone for many companies' services.

“I do believe one of the most important things FITARA is giving us is strengthening CIO authorities,” Hurd said. “The goal of our two committees is to make sure you have all tools you need.”

McCormack said “goal congruence with other CXOs” was also a key barometer for FITARA implementation, and suggested the next batch of scorecards somehow reflect measurements for various activities like the Federal Information Security Management Act, digital transformation efforts and others.

In another exchange, Hurd pressed Wiggins about the State Department’s $1.9 billion budget, of which Wiggins only oversees approximately half. A quarter of that budget is dedicated to the Bureau of Consular Affairs, which issues visas and passports, and operates a large IT investment to which Wiggins assigned a medium-risk rating

“You’ve assigned a medium-risk rating for an IT investment, yet you have no budgetary control over this,” Hurd said.

Wiggins responded by saying he had “budgetary collaboration” on the investment, but not full control. Nor did Doug Pitkin, director of the State Department’s Bureau of Budget and Planning.

“I would not make a unilateral decision” to terminate a risky investment, Pitkin said. Instead—based on feedback from his CIO—he would alert the assistant secretary of the Bureau of Consular Affairs.

That is not, as Hurd and others noted, a prime example of a CIO exercising authority.

“It’s got to come from the top, and that person has got to understand the transformative nature of IT and the other side, what could go wrong if this goes bad,” Connolly said.

Connolly vowed to continue to sound IT oversight in the next Congress, and warned agencies that “compliance with FITARA and reporting under FITARA is not a voluntary activity.” Because CIO authority is at the core of FITARA, expect agencies that opt not to revisit their CIO reporting structures to receive an extra dose of scrutiny.

To emphasize the importance, Hurd said the committee might bring in some agency heads to testify at the next scorecard-related hearing.

In short, it’s CIO authority or bust for Congress.

“When CIOs attempt to interject themselves, if they can interject appropriately, then you have authority,” Powner said. “We don’t have that across the board.”