Last December, about 60 people—members of the IT staff at the U.S. Transportation Department and friends—gathered in a large conference room in the agency’s Washington, D.C., headquarters to say goodbye to Dan Matthews, Transportation’s CIO for nearly three years. Matthews was leaving to work for Lockheed Martin. John Flaherty, chief of staff for Transportation Secretary Norman Mineta, stood up to say a few words about Matthews’ accomplishments, pointing out that Matthews was always quick to help Mineta when his BlackBerry wasn’t working.
Flaherty wasn’t kidding.
A number of people present saw Flaherty’s comment as a perfect illustration of why IT at the federal level is so troubled. Government CIOs are still seen as guys who fix BlackBerrys.
"Agency executives know that CIOs provide a vital resource to organizations—they just don’t know what it is," Matthews wrote in an e-mail about the incident.
If you’re thinking there oughta be a law against that kind of antediluvian attitude, there is. The Clinger-Cohen Act, passed in a rare act of bipartisanship 10 years ago, outlined steps that were designed to cast federal CIOs in the role of strategists who could help agencies formulate new business processes to streamline operations, improve the delivery of public services and reduce the risk of system disasters that test citizens’ faith in government—and, from time to time, put their lives in danger. Officially known as the Information Technology Management Reform Act of 1996 (and later renamed the Clinger-Cohen Act after Rep. William Clinger and Sen. William Cohen, who pushed the legislation through), the law demanded that federal agencies follow corporate America’s best practices for managing IT. Agencies were required to hire a CIO, institute investment controls and establish performance goals and metrics to measure progress. The law was hailed as the tool that would finally fix federal IT.
"We really thought we had it nailed," says Paul Brubaker, one of the lead authors of the law when he worked as a Republican staff director for Cohen. "We were going to change the way government managed IT and in doing so, possibly change government."
Obviously, that hasn’t happened.
Roots of the Problem
Federal IT systems are still failing at an alarming rate nearly 10 years after Clinger-Cohen was signed into law by President Clinton. For example, of 16 IT projects in the Federal Aviation Administration’s massive 25-year-old modernization program, 13 are over budget, ranging from $1.1 million to $1.5 billion, according to the Government Accountability Office. The Army’s Future Combat System—a fully integrated set of networks to deliver real-time information to the battlefield through sensors that pinpoint high-tech weapons—could come in as much as $130 billion over its original 2001 budget estimate of $70 billion. The Interior Department’s IT systems have proved so insecure that over the past three years a federal judge has repeatedly ordered the department to shut down all its Internet access. The list goes on, with the IRS’s repeated failures to modernize and the disaster of the FBI’s virtual case file system merely two of the most well-publicized examples.
In all, from January 2004 through March 2006, the GAO issued 98 reports on federal IT management, with almost every blue-covered report finding serious management flaws that increased the risk of IT failures.
The fundamental problem is that no matter how talented the CIOs (and many have been capable, proven executives who moved to the federal government after successful careers in the private sector with the admirable ambition of bringing their skills to bear on bigger and more socially significant problems than the ones they tackled in the corporate world), they have been set up for failure by a political and bureaucratic system that has changed little since the Clinger-Cohen Act became law.
Former federal CIOs say Clinger-Cohen was thoughtfully constructed and highly detailed but fell apart in practice. Lacking any real enforcement mechanisms, its provisions called for changes that could easily be subverted or simply ignored. For example, the centerpiece of the legislation, creating a CIO position for the agencies, quickly fell prey to political maneuvering that in many cases left those CIOs with little real influence over policy-making, where real political power lies.
"The Clinger-Cohen Act was totally bastardized to fit political agendas in both [the Clinton and first Bush] administrations, missing the point of making the CIO a strategic player in an agency rather than just the technology go-to guy," says a frustrated Brubaker. "We have the same basic problems we did 10 years ago."
To find out what these problems are—and how to address them properly—CIO interviewed dozens of current and former federal CIOs and government officials. We discovered four broad problems: the CIO’s lack of authority, specifically over budgets; cultural and political resistance that derails sound IT practices; poor project management discipline; and paperwork exercises that require CIOs and their staffs to spend huge amounts of time proving that they are adhering to administration directives.
These problems aren’t simply about wasted effort and expense. Lives are at stake:
• Federal networks, for example, are more vulnerable to attack from hackers and terrorists than five years ago, according to the GAO.
• The FAA’s air traffic control system at Boston’s Logan Airport malfunctioned last October, showing false aircraft icons on radar screens.
• Federal communications systems broke down after Hurricane Katrina, hindering rescue attempts.
• Army units in Iraq routinely run out of critical supplies because of failures in supply chain systems. The GAO has charged that the Department of Defense’s "substantial long-standing management problems related to business operations and systems have adversely affected the economy, efficiency and effectiveness of its operations; and, in some cases, impacted the morale of our fighting forces that are in harm’s way."
"Ultimately this is a security threat," says John Reece, a former IRS CIO and now a consultant to the federal government. "If we can’t get beyond the legacy systems we have today, while our enemies are starting off with state-of-the-art technology, what’s going to happen is they’re going to absolutely tear us to pieces again. I say this because I, and others like me, give a big damn about what we’ve been trying to do, and we would like to see this stuff get cleaned up before it’s too late."
Problem 1: The CIO’s Lack of Authority
In the private sector, if CIOs don’t report to the CEO (or at least sit in on C-level meetings), IT strategy will suffer or, at best, become predominantly tactical. The CIO’s authority is limited, even if his accountability isn’t. According to CIOs who have tried to bring their private-sector experience to government, at most federal agencies CIOs simply don’t have the authority, or the access, to do their jobs properly.
Steve Cooper, a former CIO at technology company Corning, decided to join the federal government after he witnessed the collapse of the Twin Towers in New York City. A former Naval officer, he had experience with the intricacies of government. But when he became the first CIO at the Department of Homeland Security in 2003 (after spending a year as CIO of the Department’s precursor, the Homeland Security Office), he ran into a culture that viewed the CIO as a technologist, not as a strategist who could help mold an organization’s business processes.
Congress and the Bush administration envisioned that DHS would use IT to gather intelligence and share it among federal agencies to better fight terrorism. With IT playing such a critical role, the agency’s CIO, presumably, would have direct access to the secretary (the CEO equivalent), and be included in strategy sessions for the department’s $37 billion IT budget. But that didn’t happen. In fact, the DHS organizational chart doesn’t even list the CIO position among the agency’s 29 top senior positions. From the beginning, Cooper found himself locked out of key strategy meetings. And his budget requests—such as $39 million for network connections between DHS agencies—were summarily cut, in this case by $28 million, in a closed-door meeting that included Janet Hale, DHS undersecretary of management and Cooper’s direct boss. Cooper maintains he was afforded no opportunity to question the cut. "That one decision jeopardized the department from day one," Cooper says. "In most of the departments where the CIO does not report to the secretary, the CIO is marginalized." (DHS public relations did not respond to repeated requests for an interview with Hale, who resigned in February.)
This issue of access and authority still exists for DHS CIO Scott Charbo today, according to DHS Inspector General Richard Skinner. In his annual departmental report on management performance in December, Skinner stated bluntly that Charbo did not have the authority to do his job. "Despite federal laws and requirements, the CIO is not a member of the senior management team with the authority to strategically manage departmentwide technology assets and programs," Skinner wrote. (DHS public relations did not respond to repeated requests for an interview with Charbo.)
Having the ear of the head of an agency does not, however, automatically guarantee the CIO’s authority. When the IRS’s Reece, a former CIO at Time-Warner, accepted the CIO position in March 2001, he wanted to outfit the 14,500 IRS field agents with laptops in order to untether them from the three PCs on their desks that they needed to access various legacy systems. Although each laptop cost $300 more than a desktop, Reece argued that by allowing the agents to spend more time in the field, the extra cost easily would be recouped in increased productivity.
Reece got $45 million in his fiscal 2002 budget to pay for the upgrades. But because he did not have control over spending, the money was quickly siphoned off by other IT managers to pay for more employees to manage the existing legacy systems and the three desktop PCs needed to access them. Soon, Reece had nothing left for the laptops.
"This shows how little control I had," Reece says. "What laws the government has to oversee IT are totally ineffective, are not heeded and not enforced."
If federal CIOs are going to have a chance to turn around government’s poor IT management record, agencies need to provide them with authority—especially budget authority, says Joel Willemssen, who heads up the IT audit division at the GAO. Though some agencies have given the CIO budget authority today, they are the minority. "The greatest single failure of government IT has been the lack of authority provided CIOs," he says.
Another aspect of authority is tenure. To effectively develop and oversee the implementation of major programs, CIOs need to stick around. Indeed, the tenure of CIOs has been rising steadily in recent years, to an average of four years, 11 months, according to CIO’s "State of the CIO 2006" survey. But the average tenure of a federal CIO today is two years, according to Willemssen. (Willemssen says best practices recommend a minimum three-to-five-year term for federal CIOs.) The reasons for CIOs’ short terms are numerous, including the frustrations of the job, a culture of public service that says two years is enough to give to your country, and the pay. (Federal CIOs cannot earn more than $133,000 a year.) Of course, agency heads have to make good choices if they are going to leave CIOs in place for five years. "All the stature and power in the world is no help when you can’t take an IT agenda and drive it," says Dan Chenok, former branch chief of Information Policy and Technology in the Office of Management and Budget.
Problem 2: Politics as Usual
When the federal CIO role was mandated by the Clinger-Cohen Act in 1996, the job was considered a career position to which anyone could apply. The Bush administration, however, began appointing people to some of these positions, with some requiring Senate confirmation.
All presidents employ appointments as a way to repay political debts, but many present and former federal CIOs believe that government IT has suffered badly under this practice, mostly because so much specialized knowledge is required to do the job effectively. Today, 11 federal CIO positions are appointed (out of dozens of CIOs in the federal government), mostly to larger agencies such as DHS. Of those 11, five positions are vacant, and among the other six, three of the appointees came in with little or no IT management experience. Some IT experts argue that politically appointed CIOs have more clout because their affiliation with the White House means they may be more trusted and respected by the top executives—also politically appointed—in the department.
But many federal CIOs say off the record (none would go on record) that the appointments process has delayed many critical IT projects as the appointees come up to speed on agency processes without having the understanding of IT management that career managers possess.
In 2001, for example, President Bush appointed Vickers Meadows as assistant secretary for administration and CIO for the Department of Housing and Urban Development. Meadows had no previous experience in IT. She had served as Bush’s head of administration while he was governor in Texas, and later she headed up the administrative transition team in the White House. In less than 18 months, Meadows left HUD, and the CIO position reverted to a career post. During her tenure, the HUD inspector general issued numerous critical reports on the department’s IT management practices, including poor security controls, systems open to attack, and IT system projects being started before developing architecture plans, establishing business processes and identifying how systems would function. (Meadows did not respond to CIO’s requests for comment.)
In 2003, Bush appointed Drew Ladner to head up the Treasury Department’s CIO office and its $2.6 billion IT budget. Ladner, a then-34-year-old entrepreneur who had launched two dotcom companies, Clique.com and Ripcord Systems, worked at Treasury for little more than a year before leaving. Today, the Treasury Department CIO is no longer appointed. (Ladner could not be reached for comment.)
In 2004, Bush named Bob McFarland as CIO for the Department of Veterans Affairs. McFarland, who worked as vice president of government relations at Dell Computer and headed up business units for the computer maker, had no CIO experience. Under McFarland, the VA continued to struggle with IT management issues. Its security grade, as issued by Congress, dropped from a C in 2003 to an F in 2004 and again in 2005.
Still, McFarland, who left the VA in April, claims that he was able to make major changes that no career CIO could have. For example, he says he convinced Congress to give the VA CIO control over the department’s $1.6 billion total IT budget (initially, McFarland controlled only $50 million of the total), and pushed through a reorganization supported by VA Secretary James Nicholson that gives the CIO control over all IT personnel and equipment. The VA’s hundreds of field offices, hospitals and clinics previously had control over their own IT budgets, personnel and IT equipment. "To get those kinds of things done, you truly have to be politically appointed with a seat at the [senior management] table," McFarland says. "I don’t have to worry about my next career move. I can be a change agent and not worry about being a good guy and pleasing everyone."
However, some CIOs have obtained full budget authority while holding a career position, such as Zalmai Azmi, CIO at the FBI, who took control over the bureau’s budget last year. More significantly, the GAO concluded in a 2005 report that the government’s most effective CIOs "had [a] background in information technology or related fields, [with] many having previously served as CIOs. Many also had business knowledge related to their agencies, having previously worked either at the agency or in an area related to its mission."
But, as a top federal IT executive currently working for a major agency (speaking on the condition of anonymity) says, "This administration doesn’t like government; it doesn’t like career bureaucrats."
Unfortunately, that aversion to government has not improved the chances for government IT success.
Problem 3: Welcome to the Bureaucracy
The Clinger-Cohen Act was supposed to improve IT project management practices by requiring CIOs to assess the skill sets they had, determine what IT skills they needed to meet mission-critical requirements and then fill in whatever gaps they saw by hiring or training employees. That hasn’t happened. According to present and former federal CIOs, federal oversight inspectors and project management experts, federal project managers routinely do not follow even some of the more basic project management practices, such as conducting ROI analyses, developing thorough business cases or establishing project management offices—the absence of which increases the chances for project failures.
The OMB has tried to instill some discipline, in 2001 requiring agencies to begin submitting business cases for proposed IT systems. These cases must show return on investment, demonstrate that proper project management practices are being followed and articulate how the system will help the agency fulfill its mission. The OMB reported in 2005 that of the 1,200 business cases it received that fiscal year, 621 projects totaling $22 billion did not meet its standards. But the GAO reported in 2005 that the OMB neither created a list of the projects and their weaknesses, nor did it develop a monitoring process to determine if agencies were making progress on addressing those weaknesses, possibly leaving "unattended weak projects consuming significant budget dollars."
"By now," says Bruce McConnell, a former OMB IT official in the Clinton administration and now president of the consulting firm McConnell International, "the business cases have become largely a paper exercise, especially when you match the volume of reports with OMB’s capacity to review them. OMB should focus on results and manage by exception, requiring detailed reports only where there’s a history of problems."
But the reasons that basic project management disciplines are not followed cannot all be ascribed to incompetence, mismanagement or red tape. For example, one of the largest IT transformations in government is occurring in the DoD. The department is modernizing its business management systems, which account for $605 billion a year in operating costs.
Part of the modernization effort consists of developing an ERP system to connect DoD’s business systems. But because DoD operates so many systems across so many entities, each with its own organizational structure, governance and leadership, trying to manage the project is an exercise in futility, says Drew Miller, a consultant with Heartland Management Consulting Group who worked as a program manager on the project in 2005. Miller oversaw the development of architecture requirements for strategic planning and budget systems and policy for the overall program. Miller says anytime a back-end system was altered in any way, interfaces to other systems had to be redone, diverting time from developing new systems. Because the systems (a total of 542 accounting and financial management systems and 665 human resources systems) span the entire DoD enterprise, correlating decisions on software or on configurations is close to impossible, Miller says.
What’s needed is a top-level executive to make enterprisewide decisions, suggests Miller, and the GAO has recommended Congress establish a chief management officer for the DoD business systems modernization effort. The chief management officer would serve for no less than seven years, work in concert with the DoD CIO and top program managers to focus attention at the enterprise level on how systems should be integrated, and act as the liaison between the hundreds of IT program managers.
The people systems in federal IT are also tangled. Hiring practices are mired in decades-old rules and laws that prevent CIOs from quickly reworking staffs to meet needs. For example, the federal government’s backlog for security clearances, which many IT managers, programmers and contractors need to work on IT systems that handle sensitive and classified information, is estimated to be 300,000 for federal employees and more than half a million for contractors. It can take months to obtain a clearance.
So far, none of these problems have been fixed.
Problem 4: Buried in Paper
Like private-sector CIOs, federal CIOs complain that they don’t have enough time to focus on strategy. But at least private-sector CIOs don’t need to document all their actions. Frustrated by the lack of progress and accountability in major IT projects, Congress and the OMB began in 2002 to increase the demands on CIOs to document just about everything they do.
The cure, however, may be worse than the disease. CIOs are bogged down making sure IT program managers are filing business cases and earned value scores to the OMB, while periodically writing detailed reports to Congress. The CIOs’ chief security officers may have it even worse, spending nearly half their working day (an average of 3.75 hours) documenting their adherence to federal security requirements, according to a survey conducted by Intelligent Decisions, a systems integrator. The result, say IT executives at the agency level, is less time to spend on developing secure systems.
The root of much of this paperwork comes from the 2002 Federal Information Security Management Act, or FISMA, which actually has little to do with measuring how secure systems are, contends Bruce Brody, the head of information security at market research firm Input and former CSO for the departments of Veterans Affairs and Energy. The law requires agencies to file quarterly reports and an annual report each September to Congress and the OMB showing that they are complying with the law—attesting over and over that they have certified and accredited every system, conducted an inventory of systems, and trained employees in security awareness, among other things. "It’s all about writing reports and counting those reports," agrees Alan Paller, director of research at the SANS Institute. "It doesn’t actually measure if systems are secure."
Some CIOs and CSOs view the government’s mandates purely as check-the-boxes exercises—inviting yet more negative attention from Congress. It’s not therefore surprising that the government received a D+ grade from Congress in March on FISMA compliance.
Karen Evans, administrator of e-government in the OMB and the top official in the Bush administration overseeing IT development, defends the quarterly security reports as a way to tell CIOs and their CSOs what to focus on. "To provide that report, you have to know what service you provide, the risk it imposes, how you are managing configuration management, and how that plays into all the other systems and inventories," says Evans, a former CIO at the Department of Energy. "If you don’t know what the lay of the land is, then you are always putting out fires, and there’s no way to proactively manage the risk."
CIOs argue that the landscape is already well known. What they need is time to traverse it. Brody and Paller recommend that OMB establish a better methodology for performance measurements. Instead of asking whether certain actions have been taken, it should ask how agencies have conducted specific exercises that result in more secure systems, such as what authentication processes CIOs have deployed and what processes agencies are using to monitor and patch systems, how quickly patches are disseminated, how often passwords are changed and what convention they use for passwords.
"Those writing the requirements just need to listen to those doing the work," says Brody. "We all want our systems secure." But, he adds, "the government is no more secure today than it was five years ago—and it wasn’t secure then."
The Prescription: Leadership, Not Laws
An axiom in Washington is that Congress does 20 percent of the heavy lifting in policy-making; the other 80 percent is accomplished in federal agencies where policies are interpreted and implemented. The solution to improve government IT management does not lie in more legislation, or a rework of the Clinger-Cohen Act, federal IT experts say.
As in the private sector, the solution lies in leadership. The common thread in all the criticism of the Clinger-Cohen Act will sound familiar to private-sector CIOs: It takes buy-in from top leadership to change how organizations operate, and that includes the use of IT. A good place to start may be with those who are leading the departments and the ultimate agenda setter, the White House, says Paller. "If everyone is failing, then it’s not the pupil’s problem, it’s the teacher’s problem," he says. "And that means the teacher needs to look at what he’s doing wrong."