Federal IT Flunks Out


In 2001, for example, President Bush appointed Vickers Meadows as assistant secretary for administration and CIO for the Department of Housing and Urban Development. Meadows had no previous experience in IT. She had served as Bush’s head of administration while he was governor in Texas, and later she headed up the administrative transition team in the White House. In less than 18 months, Meadows left HUD, and the CIO position reverted to a career post. During her tenure, the HUD inspector general issued numerous critical reports on the department’s IT management practices, including poor security controls, systems open to attack, and IT system projects being started before developing architecture plans, establishing business processes and identifying how systems would function. (Meadows did not respond to CIO’s requests for comment.)

In 2003, Bush appointed Drew Ladner to head up the Treasury Department’s CIO office and its $2.6 billion IT budget. Ladner, a then-34-year-old entrepreneur who had launched two dotcom companies, Clique.com and Ripcord Systems, worked at Treasury for little more than a year before leaving. Today, the Treasury Department CIO is no longer appointed. (Ladner could not be reached for comment.)

In 2004, Bush named Bob McFarland as CIO for the Department of Veterans Affairs. McFarland, who worked as vice president of government relations at Dell Computer and headed up business units for the computer maker, had no CIO experience. Under McFarland, the VA continued to struggle with IT management issues. Its security grade, as issued by Congress, dropped from a C in 2003 to an F in 2004 and again in 2005.

Still, McFarland, who left the VA in April, claims that he was able to make major changes that no career CIO could have. For example, he says he convinced Congress to give the VA CIO control over the department’s $1.6 billion total IT budget (initially, McFarland controlled only $50 million of the total), and pushed through a reorganization supported by VA Secretary James Nicholson that gives the CIO control over all IT personnel and equipment. The VA’s hundreds of field offices, hospitals and clinics previously had control over their own IT budgets, personnel and IT equipment. "To get those kinds of things done, you truly have to be politically appointed with a seat at the [senior management] table," McFarland says. "I don’t have to worry about my next career move. I can be a change agent and not worry about being a good guy and pleasing everyone."

However, some CIOs have obtained full budget authority while holding a career position, such as Zalmai Azmi, CIO at the FBI, who took control over the bureau’s budget last year. More significantly, the GAO concluded in a 2005 report that the government’s most effective CIOs "had [a] background in information technology or related fields, [with] many having previously served as CIOs. Many also had business knowledge related to their agencies, having previously worked either at the agency or in an area related to its mission."

But, as a top federal IT executive currently working for a major agency (speaking on the condition of anonymity) says, "This administration doesn’t like government; it doesn’t like career bureaucrats."

Unfortunately, that aversion to government has not improved the chances for government IT success.

Problem 3: Welcome to the Bureaucracy

The Clinger-Cohen Act was supposed to improve IT project management practices by requiring CIOs to assess the skill sets they had, determine what IT skills they needed to meet mission-critical requirements and then fill in whatever gaps they saw by hiring or training employees. That hasn’t happened. According to present and former federal CIOs, federal oversight inspectors and project management experts, federal project managers routinely do not follow even some of the more basic project management practices, such as conducting ROI analyses, developing thorough business cases or establishing project management offices—the absence of which increases the chances for project failures.

The OMB has tried to instill some discipline, in 2001 requiring agencies to begin submitting business cases for proposed IT systems. These cases must show return on investment, demonstrate that proper project management practices are being followed and articulate how the system will help the agency fulfill its mission. The OMB reported in 2005 that of the 1,200 business cases it received that fiscal year, 621 projects totaling $22 billion did not meet its standards. But the GAO reported in 2005 that the OMB neither created a list of the projects and their weaknesses, nor did it develop a monitoring process to determine if agencies were making progress on addressing those weaknesses, possibly leaving "unattended weak projects consuming significant budget dollars."

"By now," says Bruce McConnell, a former OMB IT official in the Clinton administration and now president of the consulting firm McConnell International, "the business cases have become largely a paper exercise, especially when you match the volume of reports with OMB’s capacity to review them. OMB should focus on results and manage by exception, requiring detailed reports only where there’s a history of problems."

But the reasons that basic project management disciplines are not followed cannot all be ascribed to incompetence, mismanagement or red tape. For example, one of the largest IT transformations in government is occurring in the DoD. The department is modernizing its business management systems, which account for $605 billion a year in operating costs.

Part of the modernization effort consists of developing an ERP system to connect DoD’s business systems. But because DoD operates so many systems across so many entities, each with its own organizational structure, governance and leadership, trying to manage the project is an exercise in futility, says Drew Miller, a consultant with Heartland Management Consulting Group who worked as a program manager on the project in 2005. Miller oversaw the development of architecture requirements for strategic planning and budget systems and policy for the overall program. Miller says anytime a back-end system was altered in any way, interfaces to other systems had to be redone, diverting time from developing new systems. Because the systems (a total of 542 accounting and financial management systems and 665 human resources systems) span the entire DoD enterprise, correlating decisions on software or on configurations is close to impossible, Miller says.

What’s needed is a top-level executive to make enterprisewide decisions, suggests Miller, and the GAO has recommended Congress establish a chief management officer for the DoD business systems modernization effort. The chief management officer would serve for no less than seven years, work in concert with the DoD CIO and top program managers to focus attention at the enterprise level on how systems should be integrated, and act as the liaison between the hundreds of IT program managers.

The people systems in federal IT are also tangled. Hiring practices are mired in decades-old rules and laws that prevent CIOs from quickly reworking staffs to meet needs. For example, the federal government’s backlog for security clearances, which many IT managers, programmers and contractors need to work on IT systems that handle sensitive and classified information, is estimated to be 300,000 for federal employees and more than half a million for contractors. It can take months to obtain a clearance.

So far, none of these problems have been fixed.

Problem 4: Buried in Paper

Like private-sector CIOs, federal CIOs complain that they don’t have enough time to focus on strategy. But at least private-sector CIOs don’t need to document all their actions. Frustrated by the lack of progress and accountability in major IT projects, Congress and the OMB began in 2002 to increase the demands on CIOs to document just about everything they do.

The cure, however, may be worse than the disease. CIOs are bogged down making sure IT program managers are filing business cases and earned value scores with the OMB, while periodically writing detailed reports to Congress. The CIOs’ chief security officers may have it even worse, spending nearly half their working day (an average of 3.75 hours) documenting their adherence to federal security requirements, according to a survey conducted by Intelligent Decisions, a systems integrator. The result, say IT executives at the agency level, is less time to spend on developing secure systems.

The root of much of this paperwork comes from the 2002 Federal Information Security Management Act, or FISMA, which actually has little to do with measuring how secure systems are, contends Bruce Brody, the head of information security at market research firm Input and former CSO for the departments of Veterans Affairs and Energy. The law requires agencies to file quarterly reports and an annual report each September to Congress and the OMB showing that they are complying with the law—attesting over and over that they have certified and accredited every system, conducted an inventory of systems, and trained employees in security awareness, among other things. "It’s all about writing reports and counting those reports," agrees Alan Paller, director of research at the SANS Institute. "It doesn’t actually measure if systems are secure."

Some CIOs and CSOs view the government’s mandates purely as check-the-boxes exercises—inviting yet more negative attention from Congress. It is therefore not surprising that the government received a D+ grade from Congress in March on FISMA compliance.

Karen Evans, administrator of e-government in the OMB and the top official in the Bush administration overseeing IT development, defends the quarterly security reports as a way to tell CIOs and their CSOs what to focus on. "To provide that report, you have to know what service you provide, the risk it imposes, how you are managing configuration management, and how that plays into all the other systems and inventories," says Evans, a former CIO at the Department of Energy. "If you don’t know what the lay of the land is, then you are always putting out fires, and there’s no way to proactively manage the risk."

CIOs argue that the landscape is already well known. What they need is time to traverse it. Brody and Paller recommend that OMB establish a better methodology for performance measurements. Instead of asking whether certain actions have been taken, it should ask how agencies have conducted specific exercises that result in more secure systems, such as what authentication processes CIOs have deployed and what processes agencies are using to monitor and patch systems, how quickly patches are disseminated, how often passwords are changed and what convention they use for passwords.

"Those writing the requirements just need to listen to those doing the work," says Brody. "We all want our systems secure." But, he adds, "the government is no more secure today than it was five years ago—and it wasn’t secure then."

The Prescription: Leadership, Not Laws

An axiom in Washington is that Congress does 20 percent of the heavy lifting in policy-making; the other 80 percent is accomplished in federal agencies where policies are interpreted and implemented. The solution to improve government IT management does not lie in more legislation, or a rework of the Clinger-Cohen Act, federal IT experts say.

As in the private sector, the solution lies in leadership. The common thread in all the criticism of the Clinger-Cohen Act will sound familiar to private-sector CIOs: It takes buy-in from top leadership to change how organizations operate, and that includes the use of IT. A good place to start may be with those who are leading the departments and the ultimate agenda setter, the White House, says Paller. "If everyone is failing, then it’s not the pupil’s problem, it’s the teacher’s problem," he says. "And that means the teacher needs to look at what he’s doing wrong."

Copyright © 2006 IDG Communications, Inc.
