This is the accessible text file for GAO report number GAO-02-1083T entitled 'Electronic Government: Proposal Addresses Critical Challenges' which was released on September 18, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States General Accounting Office: GAO: Testimony: Before the Subcommittee on Technology and Procurement Policy, Committee on Government Reform, House of Representatives: For Release on Delivery: Expected at 2 p.m. EDT: Wednesday, September 18, 2002: Electronic Government: Proposal Addresses Critical Challenges: Statement of Linda D. Koontz: Director, Information Management Issues: GAO-02-1083T: Mr. Chairman and Members of the Subcommittee: Thank you for inviting us to participate in today’s hearing on legislation pertaining to e-government. This is an issue of critical importance to the government and its ability to effectively communicate with the public. Recognizing this, both the Congress and current and past administrations have emphasized the importance of e-government [Footnote 1] and have put forth proposals to address the challenges associated with this issue. Moreover, earlier this year, the Senate passed by unanimous consent S. 803, the E-Government Act of 2002, [Footnote 2] which was introduced by Senator Lieberman and 14 co- sponsors. [Footnote 3] As you are well aware, advances in the use of IT and the Internet are continuing to change the way that federal agencies communicate, use and disseminate information, deliver services, and conduct business. E- government has the potential to help build better relationships between government and the public by facilitating timely and efficient interaction with citizens. The government has not yet fully reached this potential, although substantial progress has been made. Specifically, federal agencies have implemented an array of e- government applications, including using the Internet to collect and disseminate information and forms, buy and pay for goods and services, submit bids and proposals, and apply for licenses, grants, and benefits. In response to your request, in my remarks today, I will: * briefly describe the background of the federal government’s current information resources and technology management framework, discuss the challenges facing the federal government in effectively managing information resources and technology; * discuss the significant legislative provisions intended to address these challenges, and; * comment on proposed structural changes in OMB to enhance its e-government efforts. In summary, we strongly support the goal of enhancing the management and promotion of e-government. To accomplish this goal, S. 803 addresses many of the substantive information resource and management challenges facing the federal government today. Initiatives contained in this bill represent important steps in creating a government that is more efficient, effective, and focused on citizens’ needs. For example, the bill’s provisions would (1) secure the transmission of sensitive information in e-government transactions by promoting the development of electronic signatures, (2) protect individuals’ privacy by requiring agencies to conduct privacy impact assessments, and (3) make government information more accessible to the public. A strength of S. 803’s provision to establish an administrator of a new Office of Electronic Government is that it would provide the benefit of a high-level executive position within OMB to focus full time on promoting and implementing e-government. However, a complicating factor is that the federal government’s information resources and technology management leadership would be shared between two offices: the proposed new office and OMB’s Office of Information and Regulatory Affairs. Background: The need for strong leadership and an integrated approach to information management has long been recognized as critical. The Paperwork Reduction Act of 1980 established a single policy framework for federal management of information resources and formalized information resources management (IRM) as the approach governing information activities. The Act also gave responsibility to the director of OMB for developing IRM policy and overseeing its implementation. The Clinger- Cohen Act of 1996 amended the Paperwork Reduction Act to give the OMB director significant leadership responsibilities in supporting agencies’ actions to improve their IT management practices. These laws created an IRM “umbrella” to govern the management of virtually all federal information activities and to coordinate other laws governing specific information functions such as privacy, security, records management, and information access and dissemination. These other laws include: the Federal Records Act, the Privacy Act of 1974, the Computer Security Act of 1987, [Footnote 4] and the Government Paperwork Elimination Act of 1998. Under this statutory framework, OMB has important responsibilities for providing direction on managing governmentwide information resources and technology and overseeing agency activities in these areas. Among OMB’s responsibilities are: * ensuring agency integration of information resources management plans, program plans, and budgets for acquisition and use of IT and the efficiency and effectiveness of interagency IT initiatives; * developing, as part of the budget process, a mechanism for analyzing, tracking, and evaluating the risks and results of all major capital investments made by an executive agency for information systems; [Footnote 5]; * directing and overseeing implementation of policy, principles, standards, and guidelines for disseminating and accessing public information; * encouraging agency heads to develop and use best practices in IT acquisitions; and; * developing and overseeing implementation of privacy and security policies, principles, standards, and guidelines. While OMB’s director is responsible for these functions, by statute they are delegated to the Office of Information and Regulatory Affairs (OIRA), which was created by the Paperwork Reduction Act. The administrator of OIRA reports to OMB’s deputy director for management, described by OMB as the federal chief information officer (CIO). A primary concern we have previously expressed about this structure is that, in addition to their responsibilities for information resources and technology management, the deputy director for management and the OIRA administrator have other significant duties, [Footnote 6] which necessarily restrict the amount of attention that they can give to information resources and technology management issues. [Footnote 7] Under this statutory framework, agencies, in turn, are accountable for the effective and efficient development, acquisition, and use of information technology in their organizations. For example, the Paperwork Reduction Act of 1995 [Footnote 8] and the Clinger-Cohen Act of 1996 require agency heads, acting through agency CIOs, to: * better link their information technology planning and investment decisions to program missions and goals; * develop and implement a sound information technology architecture; * implement and enforce information technology management policies, procedures, standards, and guidelines; * establish policies and procedures for ensuring that information technology systems provide reliable, consistent, and timely financial or program performance data; and; * implement and enforce applicable policies, procedures, standards, and guidelines on privacy, security, disclosure, and information sharing. In addition, in June 2001, OMB established the position of associate director for information technology and e-government. This individual is responsible for (1) working to further the administration’s goal of using the Internet to create a citizen-centric government; (2) ensuring that the federal government take maximum advantage of technology and best practices to improve quality, effectiveness, and efficiency; and (3) leading the development and implementation of federal IT policy. In addition, the associate director is responsible for (1) overseeing implementation of IT throughout the federal government, (2) working with OMB’s deputy director for management to perform a variety of oversight functions statutorily assigned to OMB, and (3) directing the activities of the CIO Council. The CIO Council is another important organization in the federal information resources and technology management framework that was established by the President in July 1996. Specifically, Executive Order 13011 established the CIO Council as the principal interagency forum for improving agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources. The Council, chaired by OMB’s deputy director for management with a vice chair selected from among its members, is tasked with (1) developing recommendations for overall federal IT management policy, procedures, and standards; (2) sharing experiences, ideas, and promising practices; (3) identifying opportunities, making recommendations for, and sponsoring cooperation in using information resources; (4) assessing and addressing workforce issues; (5) making recommendations and providing advice to appropriate executive agencies and organizations; and (6) seeking the views of various organizations. Because it is essentially an advisory body, the CIO Council must rely on OMB’s support to see that its recommendations are implemented through federal information management policies, procedures, and standards. Regarding Council resources, according to its charter, OMB and the General Services Administration are to provide support and assistance, which can be augmented by other Council members as necessary. Federal Government Faces Significant Challenges in Managing Information Resources and Technology: In executing these broad responsibilities for information resources and technology, the federal government faces significant challenges. [Footnote 9] To the extent that the billions of dollars in planned IT expenditures can be spent more wisely and the management of such technology improved, federal programs—including e-government initiatives—will be better prepared to meet mission goals and support national priorities. These challenges include: * Improving the collection, use, and dissemination of government information. Agencies are increasingly moving to an operational environment in which electronic—rather than paper—records provide comprehensive documentation of their activities and business processes. This transformation has produced a variety of issues related to, for example, records management, privacy, and electronic dissemination of government publications. For example, in July 1999, we reported that the National Archives and Records Administration (NARA) and federal agencies were facing the substantial challenge of preserving electronic records in an era of rapidly changing technology. [Footnote 10] More recently a 2001 NARA study found that although agencies were creating and maintaining records appropriately, the value of most electronic records had not been assessed nor their disposition determined, as required by statute. Further, records of historic value were not being identified and provided to NARA for preservation, and may be at risk of loss. Our review at four agencies confirmed the results of this study, eliciting a collective estimate that more than 90 percent of mission-critical systems were not inventoried and the electronic records in these systems had not been assessed nor their disposition determined. [Footnote 11] Improving records management is particularly important in an e-government environment to ensure the appropriate handling of the potentially large number of electronic records generated by transactions between the government and the public. In addition, the government cannot realize the full potential of the Internet until people are confident that the government will protect their privacy when they visit its Web sites. In September 2000, we reported that most principal Web sites we reviewed (67 of 70) had posted privacy policies that were clearly labeled and easily accessed. [Footnote 12] However, we also found that of 31 high-impact agencies, [Footnote 13] most did not post a privacy policy on all Web pages that collected personal information, as required by OMB. In addition, of 101 on-line forms that we reviewed, 44 did not have a privacy policy posted on the Web page. We have made recommendations to strengthen governmentwide privacy guidance and oversight of agency practices that OMB has not yet implemented. Another important issue involves the use of the Internet and other IT to disseminate government information to the public. Such electronic dissemination offers the opportunity to reduce the costs of dissemination and make government information more usable and accessible—an important aspect of e-government. However, as we reported in March of last year, to move to an environment in which documents are disseminated solely in electronic format, the government would have to ensure that these documents are (1) authentic, (2) permanently maintained, and (3) equally accessible to all individuals. [Footnote 14] In addition, certain cost issues—including shifting printing costs to libraries and other users—would need to be addressed. * Strengthening agency information security. Dramatic increases in computer interconnectivity, especially in the use of the Internet, continue to revolutionize the way our government, our nation, and much of the world communicate and conduct business. However, this widespread connectivity also poses significant risks to our computer systems and, more important, to the critical operations and infrastructure they support, such as telecommunications, public heath, and national defense. Further, the events of September 11, 2001, underscored the need to protect America’s cyberspace against potentially disastrous cyber attacks. Finally, as we reported last year, security concerns present one of the toughest challenges to extending the reach of e- government. [Footnote 15] The rash of hacker attacks, Web page defacing, and credit card information being posted on electronic bulletin boards can make many federal agency officials—as well as the general public—reluctant to conduct sensitive government transactions involving personal or financial data over the Internet. Since September 1996, we have reported that poor information security is a widespread federal problem with potentially devastating consequences. [Footnote 16] Subsequently, in 1997, 1999, and 2001, we designated information security as a governmentwide high-risk area because growing evidence indicated that controls over computerized federal operations were not effective and because the related risks were escalating, in part due to increasing reliance on the Internet. Although agencies have taken steps to redesign and strengthen their information system security programs, our analyses of information security at major federal agencies have shown that federal systems were not being adequately protected from computer-based threats. [Footnote 17] Effective information security is essential to the expansion of e- government. As the government moves toward providing citizens with the capability to conduct the full range of their government business— including sensitive transactions such as benefits applications—on-line, citizens must be assured that these transactions are secure. In addition, unless security features are properly implemented, electronic transactions can be more susceptible to fraud and abuse than traditional paper-based transactions. A key piece of the solution to the Internet-based security problem will be the development and implementation of the Public Key Infrastructure or PKI technology. A PKI is a system of computers, software and data that relies on certain sophisticated cryptographic techniques to secure on-line messages by attaching so-called “digital signatures” to them. Digital signatures are a special kind of encrypted electronic signature that vouch for senders’ identities and establish authenticity of the message to which they are attached. Properly implemented, PKIs can provide the level of security needed to protect the transmission of sensitive transactions, such as those involving personal, financial, and health-related data. As we reported in February 2001, progress has been made in implementing PKI technology throughout the government. [Footnote 18] However, because federal agencies are adopting different and potentially incompatible implementations of PKI technology, the development of a Federal Bridge Certification Authority is critical. The federal bridge is being developed to link disparate agency PKI systems and promote interoperability of digital signatures within and outside the federal government. Without a successfully functioning bridge, agencies will need to individually make arrangements to interoperate with other specific agencies in order to share secure information or transactions. This process could prove to be tedious and impractical and, thereby, hamper the expansion of e-government. Consequently, our recommendations for facilitating the adoption of PKI technology in the federal government included one to the Director, OMB, to prepare a program plan spelling out, among other things, when the federal bridge would be implemented, what resources would be required, and what roles and responsibilities participating agencies would assume. While progress has been made in implementing the bridge, OMB has not yet developed such a plan. * Constructing sound enterprise architectures. Our experience with federal agencies has shown that attempts to modernize IT environments without blueprints—models simplifying the complexities of how agencies operate today, how they want to operate in the future, and how they will get there—often result in unconstrained investment and systems that are duplicative and ineffective. Enterprise architectures offer such blueprints. Our February report on the federal government’s use of enterprise architectures found that agencies’ use of enterprise architectures was a work in progress, with much to be accomplished. [Footnote 19] In addition, in our testimony before you earlier this year, we noted that the success of the Administration’s e-government initiatives hinges in large part on whether they are pursued within the context of enterprise architectures. [Footnote 20] However, at the time of our testimony, approved architectures for most of these initiatives did not exist. Overcoming this obstacle would be a formidable undertaking even if federal agencies were now successfully using enterprise architectures to manage their respective operational and technological environments, but unfortunately this is not the case. At stake is the ability of federal agencies to not only effectively transform their respective operations and supporting systems environments, and thus elevate their performance, but also to effectively work together in implementing integrated e-government solutions. * Fostering mature systems acquisition, development, and operational practices. High-quality software is essential for agencies’ information systems to provide reliable management, financial, and administrative information and to support agencies’ many programs. The quality of software is governed largely by the quality of the processes involved in developing or acquiring it and in maintaining it. Using models and methods that define and determine organizations’ software process maturity that were developed by Carnegie Mellon University’s Software Engineering Institute, which is recognized for its expertise in software processes, we have evaluated several agencies’ software development or acquisition processes. We have found that these agencies’ processes do not meet the criteria to be considered at the “repeatable” level of process maturity, which is the second level on the Software Engineering Institute’s five-level scale. [Footnote 21] An organization at the repeatable level of process maturity has the necessary process discipline in place to repeat earlier successes on similar projects. Organizations that do not satisfy the requirements for the repeatable level are by default judged to be at the “initial” level of maturity. This means that their processes are immature, ad hoc, and sometimes even chaotic, with few of the processes defined and success dependent mainly on the heroic efforts of individuals. In the government’s rush to provide greater electronic service delivery, it is essential for agency executives to remember that fundamental principles and practices of good IT planning and management apply equally to effective customer-centric Web-based applications. As we noted in May 2000, [Footnote 22] some of these fundamentals include: - developing a well-defined project purpose and scope and realistic, measurable expectations; - understanding and improving business processes before applying technology; - performing risk assessments and developing appropriate risk mitigation strategies; - using industry standard technology and solutions, where appropriate; - adopting and abiding by pertinent data standards; - thoroughly training and supporting users; and; - reviewing and evaluating performance metrics. * Ensuring effective agency IT investment practices. According to OMB, in fiscal year 2003, federal agencies plan to invest about $53 billion to build, operate, and maintain automated systems. If managed effectively, these investments can vastly improve government performance and accountability. If not, however, they can result in wasteful spending and lost opportunities for improving delivery of services to the public. The Clinger-Cohen Act of 1996 requires agency heads to implement a process for maximizing the value and assessing and managing the risks of its IT investments. In support of these requirements, in May 2000 we issued the Information Technology Investment Management maturity framework, [Footnote 23] which identified critical processes for successful IT investment and organizes these processes into an assessment framework. Using this model, our evaluations of selected agencies found that while some processes have been put in place to help them effectively manage their planned and ongoing IT investments, more work remains. [Footnote 24] The importance of effective investment management practices is demonstrated by the government’s longstanding problems in developing or acquiring major IT systems. For example, since 1995 we have reported three agency IT modernization efforts as high risk. [Footnote 25] In some cases, we have seen improvement in the federal government’s implementation of major IT investments. For example, earlier this year we reported that the Internal Revenue Service and the U.S. Customs Service had made progress in implementing our past recommendations related to their system modernization projects, although significant work remains.[Footnote 26] * Developing IT human capital strategies. The challenges facing the government in maintaining a high-quality IT workforce are long-standing and widely recognized. As far back as 1994, our study of leading organizations revealed that strengthening the skills of IT professionals is a critical aspect of strategic information management. [Footnote 27] Moreover, less than a year ago, we reported that, notwithstanding the recent economic slowdown, employers from every sector, including the federal government, are still finding it difficult to meet their needs for highly skilled IT workers. [Footnote 28] Without fully developing staff capabilities, agencies stand to miss out on the potential customer service benefits presented by technology and the expansion of e-government. Employees must have the training and tools they need to do their jobs. The process of adopting a new system can be made much less difficult by offering well-designed, user- oriented training sessions that demonstrate not only how the system works, but also how it fits into the larger work picture and “citizen as customer” orientation. A significant challenge for all agencies is providing internal incentives for customer service, reducing employee complaints, and cutting the time that employees spend on non-customer- related activities. S. 803 Provisions Are Important to Addressing Challenges: Recognizing the magnitude of the information management and technology challenges facing the federal government, S. 803 seeks to address many of these challenges through its individual provisions. Next, I would like to comment on significant provisions of the bill concerning improving the collection, use, and dissemination of government information; strengthening information security; meeting IT human capital needs; and establishing the CIO Council in statute. * Improving the collection, use, and dissemination of government information. S. 803 emphasizes that an important goal is using the Internet and other IT to make government information better organized and more accessible to the public. The bill seeks to accomplish this goal first by establishing an interagency committee to make recommendations to OMB on how government information can be better organized, preserved, and made available to public. In turn, OMB is required to issue policies on (1) standards for the organization and categorization of information, (2) the categories of government information to be classified, and (3) priorities and schedules for the initial agency implementation of these standards. The proposal for an interagency committee appears to be a reasonable first step to addressing this complex issue; however, we caution that previous attempts to categorize government information have been difficult to implement across federal agencies. For example, the Senate report accompanying the bill concludes that a similar effort to develop the Government Information Locator System (GILS)—required by the Paperwork Reduction Act of 1995—never achieved its goal of facilitating public and agency access to government information. More specifically, a 1997 contractor study done for the General Services Administration reported that while the concept of GILS was sound, its implementation suffered because of many factors including (1) a lack of clarity as to the purpose and benefits of the system, (2) insufficient governmentwide leadership, oversight, and guidance; and (3) inadequate senior agency management attention and allocation of resources.29 An important role of the interagency committee proposed by the bill would be to consider such “lessons learned” and incorporate them into its recommendations. S. 803 also recognizes the need to make government information and services available to all citizens, including those without access to the Internet. It requires that when promulgating policies and implementing programs related to providing government information and services over the Internet, agency heads (1) ensure that the availability of government information and services not be diminished for individuals who do not have access to the Internet and (2) pursue alternative modes of delivery. We agree that an important policy consideration governments face is how to provide services and access to segments of the population with limited Internet access and ensure their participation in this new electronic environment. Although a February report by the Department of Commerce found that American’s use of the Internet has been impressive—with the percentage of individuals using the Internet more than doubling in about 4 years—in September 2001, about 46 percent of the population was not using the Internet.30 In addition, more than 60 percent of certain segments of the population were not using the Internet—including Hispanics, individuals without a high school diploma, persons over 50 years old, and those with a family income of less than $25,000. As a result, multiple access methods to government services and processes may be essential to supplement Internet use (e.g., in person, by phone, via fax, using public kiosks). Regarding privacy, S. 803 also requires agencies to conduct privacy impact assessments before developing or procuring IT, or initiating a new collection of information, that includes any identifier permitting the physical or on-line contacting of a specific individual. Such assessments would include what information is being collected, why it is being collected, and its intended use. Many agencies across government—including the Postal Service and the Internal Revenue Service—are already using privacy impact assessments and have found them useful. This requirement should focus needed agency attention on the privacy implications of collecting personal information and ensure that the use of these assessments continues. In addition, conducting these assessments may help achieve one of the goals of the Privacy Act, to reduce the amount of information that agencies collect, by discouraging agencies from collecting unnecessary personal information and encouraging them to destroy personal information that is no longer necessary. However, one issue with the privacy impact assessment provision is that S. 803 limits the requirement for these assessments to information systems and collections that include an “identifier permitting the physical or online contacting of a specific individual.” We note that the Senate committee report accompanying this bill describes such identifiers broadly as including a first and last name; a home or other physical address; an e-mail address; a telephone number; a social security number; a credit card number; or a birth date, birth certificate number, or place of birth. However, without this definition in the bill itself, the requirement could be interpreted more narrowly and may result in these assessments being applied to fewer collections and systems than intended. The act also requires OMB to develop guidance for privacy notices on agency Web sites used by the public. This is consistent with our September 2000 recommendation that OMB consider, in consultation with appropriate parties such as the CIO Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. [Footnote 31] * Strengthening agency information security. S. 803 would repeal the November 29 expiration of the Government Information Security Reform provisions (commonly referred to as “GISRA”) in the National Defense Authorization Act for Fiscal Year 2001. We support the continued authorization of GISRA. As we testified in May, [Footnote 32] based on its first-year implementation, GISRA proved to be a significant step in improving federal agencies’ information security programs and addressing their serious, pervasive information security weaknesses. Agencies have noted benefits from GISRA, such as increased management attention to and accountability for information security. Mr. Chairman, this provision of S. 803 is also consistent with one purpose of the legislation that you have introduced—H.R. 3844, the Federal Information Security Management Act of 2002, which seeks to reauthorize and expand GISRA information security, evaluation and reporting requirements. In our May testimony, we commented on the provisions of H.R. 3844 and supported continued authorization of information security legislation to (1) sustain agency efforts to identify and correct significant weaknesses, (2) reinforce the federal government’s commitment to establishing information security as an integral part of its operations, and (3) help ensure that the administration and the Congress continue to receive the information they need to effectively manage and oversee federal information security. In addition, on the basis of our review of first-year GISRA implementation, we noted a number of additional changes proposed by H.R. 3844 that could further strengthen the implementation and oversight of information security in the federal government, such as requiring the development and promulgation of, and agency compliance with, minimum mandatory management controls for security information and information systems. S. 803 also includes a provision to further interoperability of electronic signatures for use in securing electronic business transactions with the government. The term “electronic signature” refers to the full range of methods for attaching personal identifiers to electronic documents, including PKI technology. We agree with the bill’s support for digital signatures. [Footnote 33] We note that while previous versions of the bill authorized funding exclusively for the development of the Federal Bridge Certification Authority, S. 803 as enacted authorizes this funding for the bridge or other activities to promote interoperability of electronic signatures across the government. * Meeting IT human capital needs. S. 803 addresses this critical issue by requiring that, for IT and information resources management, the Office of Personnel Management, in consultation with OMB, the CIO Council, and the General Services Administration, (1) analyze, on an ongoing basis, the government’s personnel needs; (2) oversee the development of curricula, training methods, and training priorities that correspond to the projected personnel needs of the government; and (3) assess the training of federal employees in IT disciplines, as necessary. This requirement is consistent with our prior work, which found that leading organizations identify existing IT skills and needed future skills, as well as determine the right skill mix. [Footnote 34] Accordingly, we suggested that executives should systematically identify IT skill gaps and targets and integrate skill requirements into performance evaluations. In addition, our February 2001 study of public- and private-sector efforts to build effective CIO organizations found that leading organizations develop IT human capital strategies to assess their skill bases and recruit and retain staff that can effectively implement IT to meet their business needs. [Footnote 35] * Establishing the CIO Council in statute. S. 803 also establishes the existing federal CIO Council in statute. Just as with the Chief Financial Officers’ Council, there are important benefits associated with having a strong statutory base for the CIO Council. Legislative foundations transcend presidential administrations, fluctuating policy agendas, and the frequent turnover of senior appointees in the executive branch. Having congressional consensus and support for the Council helps ensure continuity of purpose over time and allows constructive dialogue between the two branches of government on rapidly changing management and IT issue. Moreover, as a prime user of performance and financial information, the Congress can benefit from having the Council statutorily based, thus providing it with an effective oversight tool in gauging the progress and impact of the Council on advancing effective involvement of agency CIOs in governmentwide IT initiatives. S. 803 Proposes an E-Government Position: To oversee governmentwide implementation of the bill’s provisions and other e-government initiatives, S. 803 would establish an Office of Electronic Government within OMB headed by an administrator appointed by the President with the advice and consent of the Senate. Under the bill, the administrator would be expected to, among other duties: * advise OMB’s director on the resources required to develop and effectively operate and maintain federal information systems; * provide overall leadership and direction to the executive branch on e- government by working with authorized officials to establish management policies and requirements for information resources, and by reviewing the performance of each agency in acquiring, using, and managing information resources; * promote innovative uses of IT by agencies, particularly initiatives involving multi-agency collaboration; and; * sponsor ongoing dialogue among federal, state, local, and tribal government leaders on e-government in the executive, legislative, and judicial branches, as well as with leaders in the private and nonprofit sectors, to encourage collaboration and enhance understanding of best practices and innovative approaches in acquiring, using, and managing information resources. One strength of this approach is that it establishes a high-level executive position within OMB to focus full-time on promoting and implementing e-government. However, a complicating factor is that the federal government’s information resources and technology management leadership would be shared between two offices: the proposed Office of Electronic Government and OIRA. The bill addresses this issue by requiring the administrator of the proposed Office of Electronic Government to work with the administrator of OIRA on a variety of information technology and management issues. For example, the administrators of OIRA and the Office of Electronic Government would be responsible for working together on security; privacy; access to, dissemination of, and preservation of government information; the development of enterprise architectures; and capital planning and investment control for IT. Although a constructive working relationship between the two offices could be established, having the two organizations hold joint responsibility for many information resources and technology management areas may result in a blurring of accountability for addressing critical information management and technology challenges or in significant issues “falling through the cracks.” One possible alternative that could be considered is to create a single governmentwide position devoted exclusively to information resources and technology management functions. There are various ways to accomplish this; one approach would be to establish a federal CIO whose responsibilities include both e-government and the other major IT challenges facing the government. In September 2000, we called for the Congress to consider establishing a formal CIO position for the federal government to provide central leadership and support. [Footnote 36] Consensus has not been reached within the federal community on the structure and authorities of a federal CIO, or even the need for such an office. Regardless of approach, we believe that strong and effective central management leadership for information resources and technology is needed in the federal government to address the wide range of IT challenges, which include but are not limited to e-government. Increasingly, the challenges that the government faces are multidimensional problems that cut across numerous programs, agencies, and governmental tools. Although the respective departments and agencies should have the primary responsibility and accountability to address their own issues, central leadership has the responsibility to keep all focused on the big picture by identifying the agenda of governmentwide issues needing attention and ensuring that related efforts are complementary rather than duplicative. Further, such leadership can fulfill an essential role by serving as a catalyst and strategist to prompt agencies and other critical players to come to the table and take ownership for addressing the agenda of governmentwide information resources and technology management issues. Mr. Chairman, this concludes my statement. I would be pleased to answer any questions that you or other members of the subcommittee may have at this time. Contact: If you should have any questions about this testimony, please contact me at (202) 512-6240 or via e-mail at koontzl@gao.gov. [End of section] Footnotes: [1] S. 803 defines e-government as the use of Web-based Internet applications and other information technologies, combined with processes that implement these technologies, to (1) enhance the access to and delivery of government information and services to the public, other agencies, and other government entities or (2) bring about improvements in government operations such as efficiency, effectiveness, and service quality. [2] S. 803 was introduced in the Senate on May 1, 2001, and a companion bill, H.R. 2458, was introduced in the House of Representatives by Representative Turner on July 11, 2001. [3] Co-sponsors of S.803 are Senators Bingaman, Burns, Carper, Cleland, Daschle, Dayton, Durbin, Fitzgerald, Johnson, Kerry, Leahy, Levin, McCain, and Stabenow. [4] The Computer Security Act is complemented by the Government Information Security Reform provisions of the fiscal year 2001 Defense Authorization Act. [5] This responsibility is in addition to OMB’s role in assisting the President in reviewing agency budget submissions and compiling the President’s budget, as discussed in 31 U.S.C. Chapter 11. [6] For example, OIRA’s other duties include reviewing agency information collection requests under the Paperwork Reduction Act of and reviewing agency rulemaking under presidential executive order. [7] U.S. General Accounting Office, Electronic Government: Challenges Must Be Addressed With Effective Leadership and Management, GAO-01-959T (Washington, D.C.: July 11, 2001). [8] The Paperwork Reduction Act of 1995 revised the information resources management responsibilities established under the Paperwork Reduction Act of 1980, as amended in 1986. [9] U.S. General Accounting Office, Major Management Challenges and Program Risks: A Governmentwide Perspective, GAO-01-241 (Washington, D.C.: Jan. 2001) provides an overview of this series. The 2001 Performance and Accountability Series also contains separate reports on 21 agencies—covering each cabinet department, most major independent agencies, and the U.S. Postal Service. [10] U.S. General Accounting Office, National Archives: Preserving Electronic Records in an Era of Rapidly Changing Technology, GAO/GGD-99- 94 (Washington, D.C.: July 19, 1999). [11] U.S. General Accounting Office, Information Management: Challenges in Managing and Preserving Electronic Records, GAO-02-586 (Washington, D.C.: June 17, 2001). [12] U.S. General Accounting Office, Internet Privacy: Agencies’ Efforts to Implement OMB’s Privacy Policy, GAO/GGD-00-191 (Washington, D.C.: Sept. 5, 2000). [13] The National Partnership for Reinventing Government identified 31 agencies as having high impact—that is, they have 90 percent of the federal government’s contact with the public. [14] U.S. General Accounting Office, Information Management: Electronic Dissemination of Government Publications , GAO-01-428 (Washington, D.C.: Mar. 30, 2001). [15] GAO-01-959T. [16] U.S. General Accounting Office, Information Security: Opportunities for Improved OMB Oversight of Agency Practices, GAO/AIMD- 96-110 (Washington, D.C.: Sept. 24, 1996). [17] For example, see U.S. General Accounting Office, Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets, GAO-02-231T (Washington, D.C.: Nov. 9, 2001). [18] U.S. General Accounting Office, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C., Feb. 26, 2001). [19] U.S. General Accounting Office, Information Technology: Enterprise Architecture Use across the Federal Government Can Be Improved, GAO-02- 6 (Washington, D.C.: Feb. 19, 2002). [20] U.S. General Accounting Office, Information Technology: OMB Leadership Critical to Making Needed Enterprise Architecture and E- government Progress, GAO-02-389T (Washington, D.C.: Mar. 21, 2002). [21] For example, see U.S. General Accounting Office, HUD Information Systems: Immature Software Acquisition Capability Increases Project Risks, GAO-01-962 (Washington, D.C.: Sept. 14, 2001) and Customs Service Modernization: Ineffective Software Development Processes Increase Customs System Development Risks, GAO/AIMD-99-35 (Washington, D.C.: Feb. 11, 1999). [22] U.S. General Accounting Office, Electronic Government: Federal Initiatives Are Evolving Rapidly But They Face Significant Challenges, GAO/T-AIMD/GGD-00-179 (Washington, D.C.: May 22, 2000). [23] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD-10.1.23 (Washington, D.C.: May 2000). [24] U.S. General Accounting Office, Information Technology: DLA Needs to Strengthen Its Investment Management Capability, GAO-02-314 (Washington, D.C.: Mar. 15, 2002); Information Technology Management: Social Security Administration Practices Can Be Improved, GAO-01-961 (Washington, D.C.: Aug. 21, 2001); Information Technology: INS Needs to Strengthen Its Investment Management Capability, GAO-01-146, Dec. 29, 2000); and Information Technology Management: Coast Guard Practices Can Be Improved, GAO-01-190 (Washington, D.C.: Dec. 12, 2000). [25] U.S. General Accounting Office, High-Risk Series: An Update, GAO- 01-263 (Washington, D.C.: January 2001); High-Risk Series: An Update, GAO/HR-99-1 (Washington, D.C.: January 1999); High-Risk Series: Information Management and Technology, GAO/HR-97-9 (Washington, D.C.: February 1997); and High Risk Series: An Overview, GAO/HR-95-1 (Washington, D.C.: February 1995). [26] U.S. General Accounting Office, Business Systems Modernization: IRS Needs to Better Balance Management Capacity with Systems Acquisition Workload, GAO-02-356 (Washington, D.C.: Feb. 28, 2002) and Customs Service Modernization: Third Expenditure Plan Meets Legislative Conditions, but Cost Estimating Improvements Needed, GAO-02-908 (Washington, D.C.: Aug. 9, 2002). [27] U.S. General Accounting Office, Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1994). [28] U.S. General Accounting Office, Human Capital: Attracting and Retaining a High-Quality Information Technology Workforce, GAO-02-113T (Washington, D.C.: Oct. 4, 2001). [29] William E. Moen and Charles R. McClure, An Evaluation of the Federal Government’s Implementation of the Government Information Locator Service (GILS), prepared under contract to the General Services Administration (June 30, 1997). [30] U.S. Department of Commerce, A Nation Online: How Americans Are Expanding Their Use of the Internet (February 2002). This report used data from Commerce’s Census Bureau’s September 2001 current population survey of approximately 57,000 households. [31] GAO/GGD-00-191. [32] U.S. General Accounting Office, Information Security: Comments on the Proposed Federal Information Security Management Act of 2002, GAO- 02-677T (Washington, D.C.: May 2, 2002). [33] Digital signatures are a special kind of encrypted electronic signature that vouch for senders’ identities and establish authenticity of the message to which they are attached. [34] GAO/AIMD-94-115. [35] U.S. General Accounting Office, Executive Guide: Maximizing the Success of Chief Information Officers, Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001). [36] U.S. General Accounting Office, Year 2000 Computing Challenge: Lessons Learned Can Be Applied to Other Management Challenges, GAO/AIMD- 00-290 (Washington, D.C.: Sept. 12, 2000). [End of section] GAO’s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site [hyperlink, http://www.gao.gov] contains abstracts and fulltext files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to [hyperlink, http://www.gao.gov] and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov: (202) 512-4800: U.S. General Accounting Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: