You're IT: New policies, new opportunities for federal CIOs

CIOs can use hard data to help add value to the modernization discussion.


Now that the Office of Management and Budget has updated federal IT policies, you might say federal CIOs charged with enacting those policies are "it."

The updates emphasize artificial intelligence, data and data analytics, cloud (with "smart" now succeeding "first") and workforce skills. The most recent guidance update came in September, when the White House updated the Trusted Internet Connection strategy, now known as TIC 3.0. An updated data policy will arrive soon.

As CIOs work to implement these updates, they must resolve the question of whether the CIO job is one of ensuring order and reducing risk as they work to modernize the IT infrastructure or one of modernizing government processes to deliver services. There is a Catch-22 in trying to do both. CIOs will not be successful driving mission modernization merely by forcing programs to comply with new rules and regulations.

Recall that under the landmark Clinger-Cohen Act, CIOs were envisioned as change agents, bringing insights on how technology can improve government service delivery. It's the right role for today.

CIOs have some -- but not absolute -- say over budgets, which mostly reside in programs. They have a lot of say over technology infrastructure. And in theory they have a seat at the agency's management table, where -- if they listen -- they can understand what mission owners need. But agencies are missing an element to connect technology modernization with mission delivery modernization.

That missing element is a modern governance model, a set of proven practices that enable CIOs to take advantage of the flexibility in Cloud Smart and the other guidance elements while catalyzing government modernization. The right model would spur innovation but mitigate risk. Applied skillfully, the model would ensure IT dollars are spent so they best contribute to agency success.

Hard to argue in theory. But where do you find such a model?

CIOs should look at a model from the Information Systems Audit and Control Association called Control Objectives for Information and Related Technology (COBIT). IDG defines COBIT as "an IT management framework … to help businesses develop, organize and implement strategies around information management and governance."

Boiled down, COBIT consists of four basic processes:

  • Planning and organization: Discovering how new technologies impact the agency operating model, including customer experience, managing risks and required skills.
  • Acquiring and deploying systems: Including requirements setting, procurement approaches and testing.
  • Delivery and support of IT services: Covering both staff and contractor managed services.
  • Monitoring and evaluation: Describing how to track progress and risk.

A detailed COBIT handbook guides CIOs through specific activities to master, including establishing and meeting metrics, aligning spending with agency needs and getting the most mission bang for the dollar.

Also in the new federal policies, CIOs must use Technology Business Management. The two frameworks, COBIT and TBM, actually complement one another. COBIT focuses on risk management and governance, while TBM focuses on IT spending transparency.

Used together, they enable CIOs to drive a structured discussion that includes operating and implementation considerations to determine the worthiness of an IT investment -- including the cost and risk of doing nothing. In the context of the President's Management Agenda, CIOs can use hard data to help add value to the modernization discussion. Data is far more convincing in the long run than personality or title.

The updated Data Center Optimization Initiative is an example of how using proven technology governance practices can work. The common perception is that 75% of federal IT spending is trapped in operations and maintenance, whereby government employs brute force to keep its technology systems running.

Agencies are required to consider serverless computing, DevOps and DevSecOps along with other Cloud Smart approaches to reduce CapEx spending. The theory is that more dollars will be freed up for innovation.

Agencies as diverse as the Air Force, the Food and Drug Administration and U.S. Citizenship and Immigration Services have seen results from integrating data from operations monitoring into their project investment, development and deployment decisions.

Now it's time to bring this thinking to the cabinet department level. CIOs should grab hold of COBIT as a proven approach.

The Brooks Act era's approaches to IT governance may have ended a generation ago, but the government has hardly become an agile, nimble, world-class technology user. Let's not wait for the next law. Those seeking to make their agencies better already have the policy and guidance framework in which to initiate change.