Last December, about 60 people—members of the IT staff at the U.S. Transportation Department and friends—gathered in a large conference room in the agency’s Washington, D.C., headquarters to say goodbye to Dan Matthews, Transportation’s CIO for nearly three years. Matthews was leaving to work for Lockheed Martin. John Flaherty, chief of staff for Transportation Secretary Norman Mineta, stood up to say a few words about Matthews’ accomplishments, pointing out that Matthews was always quick to help Mineta when his BlackBerry wasn’t working.
Flaherty wasn’t kidding.
A number of people present saw Flaherty’s comment as a perfect illustration of why IT at the federal level is so troubled. Government CIOs are still seen as guys who fix BlackBerrys.
"Agency executives know that CIOs provide a vital resource to organizations—they just don’t know what it is," Matthews wrote in an e-mail about the incident.
If you’re thinking there oughta be a law against that kind of antediluvian attitude, there is. The Clinger-Cohen Act, passed in a rare act of bipartisanship 10 years ago, outlined steps that were designed to cast federal CIOs in the role of strategists who could help agencies formulate new business processes to streamline operations, improve the delivery of public services and reduce the risk of system disasters that test citizens’ faith in government—and, from time to time, put their lives in danger. Officially known as the Information Technology Management Reform Act of 1996 (and later renamed the Clinger-Cohen Act after Rep. William Clinger and Sen. William Cohen, who pushed the legislation through), the law demanded that federal agencies follow corporate America’s best practices for managing IT. Agencies were required to hire a CIO, institute investment controls and establish performance goals and metrics to measure progress. The law was hailed as the tool that would finally fix federal IT.
"We really thought we had it nailed," says Paul Brubaker, one of the lead authors of the law when he worked as a Republican staff director for Cohen. "We were going to change the way government managed IT and in doing so, possibly change government."
Obviously, that hasn’t happened.
Roots of the Problem
Federal IT systems are still failing at an alarming rate nearly 10 years after Clinger-Cohen was signed into law by President Clinton. For example, of 16 IT projects in the Federal Aviation Administration’s massive 25-year-old modernization program, 13 are over budget, ranging from $1.1 million to $1.5 billion, according to the Government Accountability Office. The Army’s Future Combat System—a fully integrated set of networks to deliver real-time information to the battlefield through sensors that pinpoint high-tech weapons—could come in as much as $130 billion over its original 2001 budget estimate of $70 billion. The Interior Department’s IT systems have proved so insecure that over the past three years a federal judge has repeatedly ordered the department to shut down all its Internet access. The list goes on, with the IRS’s repeated failures to modernize and the disaster of the FBI’s virtual case file system merely two of the most well-publicized examples.
In all, from January 2004 through March 2006, the GAO issued 98 reports on federal IT management, with almost every blue-covered report finding serious management flaws that increased the risk of IT failures.
The fundamental problem is that no matter how talented the CIOs (and many have been capable, proven executives who moved to the federal government after successful careers in the private sector with the admirable ambition of bringing their skills to bear on bigger and more socially significant problems than the ones they tackled in the corporate world), they have been set up for failure by a political and bureaucratic system that has changed little since the Clinger-Cohen Act became law.
Former federal CIOs say Clinger-Cohen was thoughtfully constructed and highly detailed but fell apart in practice. Lacking any real enforcement mechanisms, its provisions called for changes that could easily be subverted or simply ignored. For example, the centerpiece of the legislation, creating a CIO position for the agencies, quickly fell prey to political maneuvering that in many cases left those CIOs with little real influence over policy-making, where real political power lies.
"The Clinger-Cohen Act was totally bastardized to fit political agendas in both [the Clinton and first Bush] administrations, missing the point of making the CIO a strategic player in an agency rather than just the technology go-to guy," says a frustrated Brubaker. "We have the same basic problems we did 10 years ago."
To find out what these problems are—and how to address them properly—CIO interviewed dozens of current and former federal CIOs and government officials. We discovered four broad problems: the CIO’s lack of authority, specifically over budgets; cultural and political resistance that derails sound IT practices; poor project management discipline; and paperwork exercises that require CIOs and their staffs to spend huge amounts of time proving that they are adhering to administration directives.
These problems aren’t simply about wasted effort and expense. Lives are at stake:
¿ Federal networks, for example, are more vulnerable to attack from hackers and terrorists than five years ago, according to the GAO.
¿ The FAA’s air traffic control system at Boston’s Logan Airport malfunctioned last October, showing false aircraft icons on radar screens.
¿ Federal communications systems broke down after Hurricane Katrina, hindering rescue attempts.
¿ Army units in Iraq routinely run out of critical supplies because of failures in supply chain systems. The GAO has charged that the Department of Defense’s "substantial long-standing management problems related to business operations and systems have adversely affected the economy, efficiency and effectiveness of its operations; and, in some cases, impacted the morale of our fighting forces that are in harm’s way."
"Ultimately this is a security threat," says John Reece, a former IRS CIO and now a consultant to the federal government. "If we can’t get beyond the legacy systems we have today, while our enemies are starting off with state-of-the-art technology, what’s going to happen is they’re going to absolutely tear us to pieces again. I say this because I, and others like me, give a big damn about what we’ve been trying to do, and we would like to see this stuff get cleaned up before it’s too late."
Problem 1: The CIO’s Lack of Authority
In the private sector, if CIOs don’t report to the CEO (or at least sit in on C-level meetings), IT strategy will suffer or, at best, become predominantly tactical. The CIO’s authority is limited, even if his accountability isn’t. According to CIOs who have tried to bring their private-sector experience to government, at most federal agencies CIOs simply don’t have the authority, or the access, to do their jobs properly.
Steve Cooper, a former CIO at technology company Corning, decided to join the federal government after he witnessed the collapse of the Twin Towers in New York City. A former Naval officer, he had experience with the intricacies of government. But when he became the first CIO at the Department of Homeland Security in 2003 (after spending a year as CIO of the Department’s precursor, the Homeland Security Office), he ran into a culture that viewed the CIO as a technologist, not as a strategist who could help mold an organization’s business processes.
Congress and the Bush administration envisioned that DHS would use IT to gather intelligence and share it among federal agencies to better fight terrorism. With IT playing such a critical role, the agency’s CIO, presumably, would have direct access to the secretary (the CEO equivalent), and be included in strategy sessions for the department’s $37 billion IT budget. But that didn’t happen. In fact, the DHS organizational chart doesn’t even list the CIO position among the agency’s 29 top senior positions. From the beginning, Cooper found himself locked out of key strategy meetings. And his budget requests—such as $39 million for network connections between DHS agencies—were summarily cut, in this case by $28 million, in a closed-door meeting that included Janet Hale, DHS undersecretary of management and Cooper’s direct boss. Cooper maintains he was afforded no opportunity to question the cut. "That one decision jeopardized the department from day one," Cooper says. "In most of the departments where the CIO does not report to the secretary, the CIO is marginalized." (DHS public relations did not respond to repeated requests for an interview with Hale, who resigned in February.)
This issue of access and authority still exists for DHS CIO Scott Charbo today, according to DHS Inspector General Richard Skinner. In his annual departmental report on management performance in December, Skinner stated bluntly that Charbo did not have the authority to do his job. "Despite federal laws and requirements, the CIO is not a member of the senior management team with the authority to strategically manage departmentwide technology assets and programs," Skinner wrote. (DHS public relations did not respond to repeated requests for an interview with Charbo.)
Having the ear of the head of an agency does not, however, automatically guarantee the CIO’s authority. When the IRS’s Reece, a former CIO at Time-Warner, accepted the CIO position in March 2001, he wanted to outfit the 14,500 IRS field agents with laptops in order to untether them from the three PCs on their desks that they needed to access various legacy systems. Although each laptop cost $300 more than a desktop, Reece argued that by allowing the agents to spend more time in the field, the extra cost easily would be recouped in increased productivity.
Reece got $45 million in his fiscal 2002 budget to pay for the upgrades. But because he did not have control over spending, the money was quickly siphoned off by other IT managers to pay for more employees to manage the existing legacy systems and the three desktop PCs needed to access them. Soon, Reece had nothing left for the laptops.
"This shows how little control I had," Reece says. "What laws the government has to oversee IT are totally ineffective, are not heeded and not enforced."
If federal CIOs are going to have a chance to turn around government’s poor IT management record, agencies need to provide them with authority—especially budget authority, says Joel Willemssen, who heads up the IT audit division at the GAO. Though some agencies have given the CIO budget authority today, they are the minority. "The greatest single failure of government IT has been the lack of authority provided CIOs," he says.
Another aspect of authority is tenure. To effectively develop and oversee the implementation of major programs, CIOs need to stick around. Indeed, the tenure of CIOs has been rising steadily in recent years, to an average of four years, 11 months, according to CIO’s "State of the CIO 2006" survey. But the average tenure of a federal CIO today is two years, according to Willemssen. (Willemssen says best practices recommend a minimum three-to-five-year term for federal CIOs.) The reasons for CIOs’ short terms are numerous, including the frustrations of the job, a culture of public service that says two years is enough to give to your country, and the pay. (Federal CIOs cannot earn more than $133,000 a year.) Of course, agency heads have to make good choices if they are going to leave CIOs in place for five years. "All the stature and power in the world is no help when you can’t take an IT agenda and drive it," says Dan Chenok, former branch chief of Information Policy and Technology in the Office of Management and Budget.
Problem 2: Politics as Usual
When the federal CIO role was mandated by the Clinger-Cohen Act in 1996, the job was considered a career position to which anyone could apply. The Bush administration, however, began appointing people to some of these positions, with some requiring Senate confirmation.
All presidents employ appointments as a way to repay political debts, but many present and former federal CIOs believe that government IT has suffered badly under this practice, mostly because so much specialized knowledge is required to do the job effectively. Today, 11 federal CIO positions are appointed (out of dozens of CIOs in the federal government), mostly to larger agencies such as DHS. Of those 11, five positions are vacant, and among the other six, three of the appointees came in with little or no IT management experience. Some IT experts argue that politically appointed CIOs have more clout because their affiliation with the White House means they may be more trusted and respected by the top executives—also politically appointed—in the department.
But many federal CIOs say off the record (none would go on record) that the appointments process has delayed many critical IT projects as the appointees come up to speed on agency processes without having the understanding of IT management that career managers possess.