This is the accessible text file for GAO report number GAO-11-634 entitled 'Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management' which was released on October 17, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate: September 2011: Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management: GAO-11-634: GAO Highlights: Highlights of GAO-11-634, a report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: The federal government invests billions in information technology (IT) each year to help agencies accomplish their missions. Federal law, particularly the Clinger-Cohen Act of 1996, has defined the role of Chief Information Officer (CIO) as the focal point for IT management within agencies. Given the longstanding challenges the government faces in managing IT and the continued importance of the CIO, GAO was asked to (1) determine the current roles and responsibilities of CIOs, (2) determine what potential modifications to the Clinger-Cohen Act and related laws could be made to enhance CIOs’ authority and effectiveness, and (3) identify key lessons learned by CIOs in managing IT. To do this, GAO administered a questionnaire to 30 CIOs, compared responses to legislative requirements and the results of a 2004 GAO study, interviewed current CIOs, convened a panel of former agency CIOs, and spoke with the Office of Management and Budget’s (OMB) Federal CIO. What GAO Found: CIOs do not consistently have responsibility for 13 major areas of IT and information management as defined by law or deemed as critical to effective IT management, but they have continued to focus more attention on IT management-related areas. Specifically, most CIOs are responsible for seven key IT management areas: capital planning and investment management; enterprise architecture; information security; IT strategic planning, “e-government” initiatives; systems acquisition, development, and integration; and IT workforce planning. By contrast, CIOs are less frequently responsible for information management duties such as records management and privacy requirements, which they commonly share with other offices or organizations within the agency. In this regard, CIOs report spending over two-thirds of their time on IT management responsibilities, and less than one-third of their time on information management responsibilities. CIOs also report devoting time to other responsibilities such as addressing infrastructure issues and identifying emerging technologies. Further, many CIOs serve in positions in addition to their role as CIO, such as human capital officer. In addition, tenure at the CIO position has remained at about 2 years. Finally, just over half of the CIOs reported directly to the head of their respective agencies, which is required by law. The CIOs and others have stressed that a variety of reporting relationships in an agency can be effective, but that CIOs need to have access to the agency head and form productive working relationships with senior executives across the agency in order to carry out their mission. Federal law provides CIOs with adequate authority to manage IT for their agencies; however, some limitations exist that impede their ability to exercise this authority. Current and former CIOs, as well as the Federal CIO, did not identify legislative changes needed to enhance CIOs’ authority and generally felt that existing law provides sufficient authority. Nevertheless, CIOs do face limitations in exercising their influence in certain IT management areas. Specifically, CIOs do not always have sufficient control over IT investments, and they often have limited influence over the IT workforce, such as in hiring and firing decisions and the performance of component-level CIOs. More consistent implementation of CIOs’ authority could enhance their effectiveness in these areas. OMB has taken steps to increase CIOs’ effectiveness, but it has not established measures of accountability to ensure that responsibilities are fully implemented. CIOs identified a number of best practices and lessons learned for more effectively managing IT at agencies, and the Federal CIO Council has established a website to share this information among agencies. Agencies have begun to share information in the areas of vendor communication and contract management; the consolidation of multiple systems into an enterprise solution through the use of cloud services; and program manager development. However, CIOs have not implemented structured agency processes for sharing lessons learned. Doing so could help CIOs share ideas across their agencies and with their successors for improving work processes and increasing cost effectiveness. What GAO Recommends: GAO is recommending that OMB update its guidance to establish measures of accountability for ensuring that CIOs’ responsibilities are fully implemented and encourage agencies to establish internal processes for documenting lessons learned. In commenting on a draft of this report, OMB officials generally agreed with GAO’s findings and stated that OMB had taken actions that they believed addressed the recommendations. View [hyperlink, http://www.gao.gov/products/GAO-11-634] or key components. For more information, contact Valerie C. Melvin at (202) 512-6304 or melvinv@gao.gov. [End of section] Contents: Letter: Background: Current Agency CIOs Do Not Have Responsibility for All Assigned Areas: Federal Law Provides Adequate Authority, but Limitations Exist in Implementation for IT Management: A Structured Process Could Improve Sharing of Lessons Learned within Agencies: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Chief Information Officers Interviewed: Appendix III: Former Agency CIO Panel Participants: Appendix IV: Summary of CIOs' Information Management and Technology Responsibilities: Appendix V: CIO Tenure at Each Agency: Appendix VI: Comments from the Department of Defense: Appendix VII: Comments from the Department of Homeland Security: Appendix VIII: Comments from the Office of Personnel Management: Appendix IX: GAO Contact and Staff Acknowledgments: Tables: Table 1: Major Areas of CIO Responsibility in IT Management and Information Management: Table 2: Time Allocated as Reported by CIOs: Table 3: Comparison of Current CIO Backgrounds with Those of CIOs in 2004: Table 4: Comparison of CIO Tenure During 1996-2004 and 2004-2011: Table 5: Former Agency Chief Information Officer Panel: Table 6: Summary of CIO Responses to Questions on IT Strategic Planning: Table 7: Summary of CIO Responses to Questions for IT Workforce Planning: Table 8: Summary of CIO Responses to Questions for Capital Planning and Investment Management: Table 9: Summary of CIO Responses to Questions for Information Security: Table 10: Summary of CIO Responses to Questions for Enterprise Architecture: Table 11: Summary of CIO Responses to Questions on Systems Acquisition, Development, and Integration: Table 12: Summary of CIO Responses to Questions for E-government Initiatives: Table 13: Summary of CIO Responses to Questions on Information Collection/Paperwork Reduction: Table 14: Summary of CIO Responses to Questions for Information dissemination: Table 15: Summary of CIO Responses to Questions on Information Disclosure: Table 16: Summary of CIO Responses to Questions for Statistical Policy and Coordination: Table 17: Summary of CIO Responses to Questions for Records Management: Table 18: Summary of CIO Responses to Questions for Privacy: Table 19: Statistical Analysis of CIO Tenure (2004-2011): Figures: Figure 1: Comparison of Number of CIOs Assigned Responsibility for IT Management and Information Management Areas between 2004 and 2011: Figure 2: CIO Tenure--Acting and Permanent: Figure 3: CIO Tenure--Career and Political Appointees: Abbreviations: CIO: Chief Information Officer: FISMA: Federal Information Security Management Act: FOIA: Freedom of Information Act: IRM: information resources management: IT: information technology: OMB: Office of Management and Budget: [End of section] United States Government Accountability Office: Washington, DC 20548: September 15, 2011: The Honorable Joseph I. Lieberman: Chairman: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: In fiscal year 2011, the federal government estimates spending approximately $79 billion for information technology (IT) investments. Although the government makes these substantial annual investments, it faces longstanding problems in its management of IT. Our most recent high-risk series update[Footnote 1] continues to identify high-risk modernization efforts and governmentwide IT management challenges. Further, our recent report on opportunities to reduce potential duplication in government programs identified numerous areas in which IT programs could be consolidated or better managed to save taxpayer dollars and help agencies provide more efficient and effective services.[Footnote 2] Over the years, Congress has enacted various laws in an attempt to improve the government's performance in IT management. One of these laws--the Clinger-Cohen Act of 1996[Footnote 3]--required agency heads to designate Chief Information Officers (CIO) to lead reforms that would help control system development risks; better manage technology spending; and achieve real, measurable improvements in agency performance. Additionally, we have long been proponents of having strong agency CIOs in place to lead federal agencies in managing IT. Recognizing the key role of CIOs in helping agencies achieve better results through IT, in July 2004, we reported our findings from a congressionally requested study that examined federal agency CIOs' roles and responsibilities, reporting relationships, tenure, and challenges.[Footnote 4] That study, undertaken about 8 years following the enactment of the Clinger-Cohen Act, noted a number of findings regarding the extent to which CIOs had responsibilities for key IT management and other areas we identified as required by statute or as critical to IT management.[Footnote 5] For example, we reported that few CIOs were responsible for all key IT and information management areas and generally reported to their agency heads or other top-level managers. Also, the CIOs had cited challenges in implementing effective IT management and obtaining sufficient and relevant resources, among others. It has now been 15 years since enactment of the Clinger-Cohen Act, and recognizing the continued importance of the CIO position to achieving better results through IT management, you requested that we conduct a follow-up study of federal agency CIOs. As agreed, our objectives were to (1) determine the current roles and responsibilities of CIOs, (2) determine what potential modifications to the Clinger-Cohen Act and related laws could be made to enhance CIOs' authority and effectiveness, and (3) identify key lessons learned by CIOs in managing information technology. To address these objectives, we administered a questionnaire to the CIOs of 30 federal departments and agencies (24 entities identified in the Chief Financial Officers Act, the 3 military departments, and 3 independent federal agencies).[Footnote 6] We asked CIOs about their roles and responsibilities, reporting relationships with the agency head, and changes needed to their authority and effectiveness in addressing areas of IT management. We also inquired about any experiences of these CIOs that could potentially serve as lessons learned in managing information technology. We then compared the questionnaire responses to statutory requirements for CIO roles and responsibilities. Further, we compared the overall findings with those in our 2004 report to identify any differences or trends in CIOs' responses. Subsequently, we conducted semi-structured interviews with each of the CIOs who were in office at the time of our review to corroborate and supplement information we received in the survey. In addition, we convened a panel of nine former federal CIOs to obtain their views on the roles and responsibilities of federal CIOs, based on their prior experiences serving in the position. Finally, we met with the Federal CIO to discuss IT reform initiatives being undertaken by the Office of Management and Budget (OMB) to enhance and clarify the roles of federal CIOs. We conducted this performance audit at the 30 agencies and OMB from June 2010 to September 2011 in the Washington, D.C., metropolitan area in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. A more complete description of our objectives, scope, and methodology is provided in appendix I. The 30 CIOs and 9 former CIOs included in our study are identified in appendixes II and III, respectively. Background: Congress has long recognized that IT has the potential to enable federal agencies to accomplish their missions more quickly, effectively, and economically. However, fully exploiting this potential has presented longstanding challenges to agencies, and despite substantial IT investments, the federal government's management of IT has produced mixed results. The CIO position was established by Congress to serve as a focal point for IT within an agency to address these challenges. Legislative Evolution of Agency CIO Roles and Responsibilities: Since l980, federal law has placed the management of IT under the umbrella of information resources management (IRM).[Footnote 7] Originating in a l977 recommendation to Congress from the Commission on Federal Paperwork, the IRM approach was first enacted into law in the Paperwork Reduction Act of l980.[Footnote 8] This act required OMB to oversee federal agency IRM areas, which combined IT with information management areas, including information collection, records management, and privacy.[Footnote 9] The law also gave agencies a more general responsibility to carry out their IRM activities in an efficient, effective, and economical manner and to comply with OMB policies and guidelines. To assist in this effort, the law required that each agency head designate a senior official who would report directly to the agency head to carry out the IRM responsibilities of the agency under the law. Amendments to the Paperwork Reduction Act in l986 and l995 were designed to strengthen agency and OMB implementation of the law. [Footnote 10] Most particularly, the act's 1995 amendments provided detailed agency requirements for each IRM area, to match the specific OMB provisions.[Footnote 11] In addition, these amendments required agencies to develop, for the first time, processes to select, control, and evaluate the results of major information systems initiatives.[Footnote 12] Under the Paperwork Reduction Act, as amended through 1995, senior IRM officials were required to carry out the responsibilities of their agencies with respect to IRM and report directly to the head of the agency. In l996, the Clinger-Cohen Act supplemented the information technology management provisions of the Paperwork Reduction Act with detailed requirements for IT capital planning and investment control and performance and results-based management.[Footnote 13] The Clinger- Cohen Act also established the position of agency CIO by amending the Paperwork Reduction Act to rename the senior IRM officials "chief information officers" and specifying additional responsibilities for them.[Footnote 14] Accordingly, agency CIOs are required by law to carry out the responsibilities of their agencies with respect to: * information collection and control of paperwork; * information dissemination; * statistical policy and coordination; * records management; * privacy, including compliance with the Privacy Act;[Footnote 15] * information security, including compliance with the Federal Information Security Management Act (FISMA);[Footnote 16] * information disclosure, including compliance with the Freedom of Information Act (FOIA);[Footnote 17] and: * information technology management. Specifically, with regard to IT management, the CIO is responsible for: * implementing and enforcing applicable governmentwide and agency IT management policies, principles, standards, and guidelines; * assuming responsibility and accountability for IT investments; * assuming responsibility for maximizing the value and assessing and managing the risks of IT acquisitions through a process that, among other things, is integrated with budget, financial, and program management decisions, and provides for the selection, management, and evaluation of IT investments; * establishing goals for improving the efficiency and effectiveness of agency operations through the effective use of IT; * developing, maintaining, and facilitating the implementation of a sound, secure, and integrated IT architecture; and: * monitoring the performance of IT programs and advising the agency head whether to continue, modify, or terminate such programs. Together, these statutory responsibilities require CIOs to be key leaders in managing IT and other information functions in a coordinated fashion in order to improve the efficiency and effectiveness of programs and operations. Prior Reports on CIOs' Roles and Responsibilities: We have previously reported on the status of agency CIOs, including their roles and responsibilities, reporting relationships, backgrounds, and challenges. We have also reported on private-sector CIO roles and responsibilities and challenges and compared them with those of federal CIOs. In October l997, we testified on an OMB evaluation of the status of agency CIO appointments at 27 federal agencies shortly after enactment of the Clinger-Cohen Act.[Footnote 18] In that testimony, we noted that OMB had identified several agencies where the CIO's duties, qualifications, and placement met the requirements of the Clinger- Cohen Act. According to OMB, these CIOs had experience, both operationally and technically, in leveraging the use of information technology, capital planning, setting and monitoring performance measures, and establishing service levels with technology users. However, OMB had expressed concerns about the number of other agencies that had acting CIOs, and about CIOs whose qualifications did not appear to meet the requirements of the Clinger-Cohen Act or who did not report directly to the head of the agency. We pointed out that OMB had also raised concerns about agencies where the CIOs had other major management responsibilities or where it was unclear whether the CIO's primary duty was the IRM function. Our testimony emphasized the importance of OMB following through on its efforts to assess CIO appointments and resolve outstanding issues. We noted that, despite the urgent need to deal with major challenges, including poor security management, and the need to develop, maintain, and facilitate integrated systems architectures to guide agencies' system development efforts, there were many instances of CIOs who had responsibilities beyond IRM. While some of these CIOs' additional responsibilities were minor, in many cases they included major duties, such as financial operations, human resources, procurement, and grants management. We stressed that asking the CIO to shoulder a heavy load of responsibilities would make it extremely difficult, if not impossible, for that individual to devote full attention to IRM issues. In July 2004, we reported the results of our study, based on a questionnaire and interviews with CIOs at the same 27 major departments and agencies that OMB had previously evaluated.[Footnote 19] Our study examined 13 major areas of CIO responsibilities--7 areas predominantly in IT management and 6 areas predominantly in information management, as defined by the relevant laws or deemed critical to the effective management of IT. These areas are described in table 1, along with the relevant source. Table 1: Major Areas of CIO Responsibility in IT Management and Information Management: IT management areas: CIO responsibility: IT strategic planning; Description: CIOs are responsible for strategic planning for all information and information technology management functions [Paperwork Reduction Act]. CIO responsibility: IT workforce planning; Description: CIOs are responsible for assessing agency information and IT workforce needs and developing strategies and plans for meeting those needs [Paperwork Reduction Act and Clinger-Cohen Act]. CIO responsibility: Capital planning and investment management; Description: CIOs are responsible for a process for selecting, controlling, and evaluating IT investments to produce business value, reduce investment-related risks, and increase accountability and transparency in the investment decision-making process [Paperwork Reduction Act and Clinger-Cohen Act]. CIO responsibility: Information security; Description: CIOs are responsible for ensuring agency compliance with requirements to protect information and systems [Paperwork Reduction Act, Federal Information Security Management Act, and Clinger-Cohen Act]. CIO responsibility: Enterprise architecture; Description: CIOs are responsible for developing and maintaining an enterprise architecture--the business and technology blueprint that links an agency's strategic plan to IT programs and supporting system implementations [Clinger-Cohen Act].[A]. CIO responsibility: Systems acquisition, development, and integration; Description: CIO IT management responsibilities should include a primary role in developing and enforcing policies for systems acquisition, development, and integration with existing systems [Paperwork Reduction Act and Clinger-Cohen Act]. CIO responsibility: E-government initiatives; Description: CIOs are responsible for promoting the use of IT, including the Internet and emerging technologies, to improve the productivity, efficiency, and effectiveness of agency operations, programs, and services [Paperwork Reduction Act, Clinger-Cohen Act, E- Government Act]. Information management areas: CIO responsibility: Information collection/paperwork reduction; Description: CIOs are responsible for the review of agency information collection proposals to maximize utility and minimize public paperwork burdens [Paperwork Reduction Act]. CIO responsibility: Information dissemination; Description: CIOs are responsible for ensuring that the agency's information dissemination activities meet policy goals, such as timely and equitable public access to information [Paperwork Reduction Act]. CIO responsibility: Information disclosure; Description: CIOs are responsible for ensuring appropriate information disclosure under the Freedom of Information Act [Paperwork Reduction Act]. CIO responsibility: Statistical policy and coordination; Description: CIOs are responsible for agency statistical policy and coordination functions, including ensuring the relevance, accuracy, and timeliness of information collected or created for statistical purposes [Paperwork Reduction Act]. CIO responsibility: Records management; Description: CIOs are responsible for ensuring that the agency implements and enforces the records management policies and procedures required by the Federal Records Act [Paperwork Reduction Act]. CIO responsibility: Privacy; Description: CIOs are responsible for ensuring agency compliance with the Privacy Act and related laws [Paperwork Reduction Act]. Source: GAO analysis of applicable legislation. [A] The Clinger-Cohen Act mandate for CIOs to develop and implement agencywide information technology architectures has been implemented under OMB guidance (consistent with GAO best practices) for the development and implementation of enterprise architectures. [End of table] Our study found that CIOs were not responsible for all of the information and IT management areas. Specifically, all CIOs were responsible for only 5 of the 13 areas, while less than half of the CIOs were assigned responsibility for information disclosure and statistical policy and coordination. Overall, the views of these CIOs were mixed as to whether they could be effective leaders without having responsibility for each individual area. The 2004 study also examined the backgrounds and tenure of CIOs, noting that they had a wide variety of prior experiences, but generally had work or educational backgrounds in IT or IT-related fields, as well as business knowledge related to their agencies. The CIOs and former agency IT executives in the study believed it was necessary for a CIO to stay in office for 3 to 5 years to be effective. However, at the time of our study, the median tenure of permanent CIOs whose time in office had been completed was about 2 years. Based on the study, we also reported on major challenges that the federal CIOs said they faced in fulfilling their duties. In this regard, over 80 percent of the CIOs had cited implementing effective IT management and obtaining sufficient and relevant resources as challenges. We stressed that effectively tackling these reported challenges could improve the likelihood of a CIO's success. Further, we highlighted the opportunity for Congress to consider whether the existing statutory requirements related to CIO responsibilities and reporting to the agency head reflected the most effective assignment of information and technology management responsibilities and reporting relationships. In September 2005,[Footnote 20] we reported on the results of our study of 20 CIOs of leading private-sector companies.[Footnote 21] We noted that most of the private-sector CIOs had full or shared responsibility for 9 of 12 functional areas that we had explored. [Footnote 22] For the most part, the responsibilities assigned to these private-sector CIOs were similar to those assigned to federal CIOs. In only three areas (information dissemination and disclosure, information collection, and statistical policy) did half or fewer of the CIOs have responsibility. In 4 of the 12 functional areas, the difference between the private-sector CIOs and federal CIOs was greater.[Footnote 23] Fewer of the private-sector CIOs had these responsibilities in each case. We also reported that private-sector CIOs faced challenges related to increasing IT's contribution to their organization's bottom line--such as controlling IT costs, increasing IT efficiencies, and using technology to improve business processes. Prior GAO Reports Identified Challenges within IT and Information Management: Although agencies have taken constructive steps to improve IT and information management policies and practices, including through activities of CIOs, we have continued to identify and report on long- standing challenges in the key areas addressed in this report. Information Technology Management: IT strategic planning: In January 2004,[Footnote 24] we reported on the status of agencies' plans for applying information resources to improve the productivity, efficiency, and effectiveness of government programs. At that time, we noted that agencies generally had IT strategic plans that addressed elements such as information security and enterprise architecture, but did not cover key areas specified in the Paperwork Reduction Act. Agencies cited a variety of reasons for not having addressed these areas, including that the CIO position had been vacant, that not including a requirement in guidance was an oversight, or that the process was being revised. We pointed out that, not only are these practices based on law, executive orders, OMB policies, and our guidance, but they are also important ingredients for ensuring effective strategic planning, performance measurement, and investment management, which, in turn, make it more likely that the billions of dollars in government IT investments will be wisely spent. We made a number of recommendations, including that each agency take action to address IT strategic planning, performance measurement, and investment management practices that were not fully in place. IT workforce planning: In 1994 and 2001,[Footnote 25] we reported on the importance that leading organizations placed on making sure they had the right mix of skills in their IT workforce. In our 2004 report on CIOs' roles and responsibilities,[Footnote 26] about 70 percent of the agency CIOs reported on a number of substantial IT human capital challenges, including, in some cases, the need for additional staff. Other challenges included recruiting, retention, training and development, and succession planning. In February 2011, we identified strategic human capital management as a governmentwide high-risk area after finding that the lack of attention to strategic human capital planning had created a risk to the federal government's ability to serve the American people effectively.[Footnote 27] As our previous reports have made clear, the widespread lack of attention to strategic human capital management in the past has created a fundamental weakness in the federal government's ability to perform its missions economically and efficiently. Capital planning and investment management: Since 2002, using our investment management framework,[Footnote 28] we have reported on the varying extents to which federal agencies have implemented sound practices for managing their IT investments. In this regard, we identified agencies that have made significant improvements by using the framework in implementing capital planning processes. In contrast, however, we have continued to identify weaknesses at agencies in many areas, including immature management processes to support both the selection and oversight of major IT investments and the measurement of actual versus expected performance in meeting established performance measures.[Footnote 29] For example, in 2007, we reported that two agencies did not have the processes in place to effectively select and oversee their major investments.[Footnote 30] In June 2009,[Footnote 31] we reported that about half of the projects we examined at 24 agencies did not receive selection reviews (to confirm that they support mission needs) or oversight reviews (to ensure that they were meeting expected cost and schedule targets). Specifically, 12 of the 24 reviewed projects that were identified by OMB as being poorly planned did not receive a selection review, and 13 of 28 poorly performing projects we examined had not received an oversight review by a department-level oversight board. Accordingly, we made recommendations to multiple agencies to ensure that the projects identified in the report as not having received oversight reviews received them. Information security: Our reviews have noted significant information security control deficiencies that place agency operations and assets at risk. In addition, over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. An underlying cause for information security weaknesses identified at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program, as required by FISMA. To address these and other challenges, we have recommended that agencies fully implement comprehensive, agencywide information security programs by correcting shortcomings in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions. Due to the persistent nature of information security vulnerabilities and the associated risks, we continue to designate information security as a governmentwide high-risk issue in our most recent biennial report to Congress,[Footnote 32] a designation we have made in each report since 1997. Enterprise architecture: We have reported on the status of major federal department and agency enterprise architecture efforts. [Footnote 33] We found that the state of the enterprise architecture programs at the major federal departments and agencies was mixed, with several having very immature programs, several having more mature programs, and most being somewhere in between. Collectively, agencies faced barriers or challenges in implementing their enterprise architectures, such as overcoming organizational parochialism and cultural resistance, having adequate resources (human capital and funding), and fostering top management understanding. To assist the agencies in addressing these challenges, we have made numerous recommendations aimed at ensuring that their respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in our enterprise architecture management maturity framework.[Footnote 34] In addition, in our most recent high- risk update report[Footnote 35] we identified possible areas where enterprise architecture could help to alleviate some challenges. For example, we suggested that one agency align its corporate architecture and its component organization architectures to avoid investments that provide similar but duplicative functionality. Systems acquisition, development, and integration: Our work has shown that applying rigorous practices to the acquisition or development of IT systems or the acquisition of IT services can improve the likelihood of success. In addition, we have identified leading commercial practices for outsourcing IT services that government entities could use to enhance their acquisition of IT systems and services.[Footnote 36] We have evaluated several agencies' software development or acquisition processes and reported that agencies are not consistently using rigorous or disciplined system management practices.[Footnote 37] For example, after reviewing the Department of Homeland Security's Atlas investment,[Footnote 38] we recommended that the agency implement effective management controls and capabilities by, among other things, revising and updating its cost-benefit analysis; making the program office operational; developing and implementing rigorous performance program management practices; and ensuring plans fully disclose the system capabilities, schedule, cost, and benefits to be delivered. In addition, ensuring that effective system acquisition management controls are implemented on each agency business system investment remains a formidable challenge, as our recent reports on management weaknesses associated with individual programs have demonstrated. For example, we recently reported that the Department of Defense's large-scale software-intensive system acquisitions continued to fall short of cost, schedule, and performance expectations.[Footnote 39] Specifically, our report noted that six of the department's nine enterprise resource planning systems had experienced schedule delays ranging from 2 to 12 years, and five had incurred cost increases ranging from $530 million to $2.4 billion. E-government initiatives: In December 2004, we reported the results of our review of the implementation status of major provisions from the E- Government Act of 2002,[Footnote 40] which required a wide range of activities across the federal government aimed at promoting electronic government, such as providing the public with access to government information and services. We found that, although the government had made progress in implementing the act, the act's requirements were not always fully addressed. Specifically, OMB had not (1) ensured that a study on using IT to enhance crisis preparedness and response had been conducted that addressed the content specified by the act, (2) established a required program to encourage contractor innovation and excellence in facilitating the development and enhancement of electronic government services and processes, or (3) ensured the development and maintenance of a required repository and website of information about research and development funded by the federal government. We made recommendations to OMB aimed at ensuring more consistent implementation of the act's requirements. Information Management: We have also reported on various challenges agencies faced in meeting information management requirements, including in the areas of privacy, information collection, records management, information disclosure, and information dissemination. In 2002 and 2003, we reported on agencies' handling of the personal information they collect and whether this handling conforms to the Privacy Act and other laws and guidance. In the 2002 report, we made recommendations to selected agencies aimed at strengthening their compliance with privacy requirements.[Footnote 41] In the 2003 report, we made recommendations to OMB, which included directing agencies to correct compliance deficiencies, monitoring agency compliance, and reassessing OMB guidance.[Footnote 42] In 2005, we reviewed agency compliance with information collection clearance requirements under the Paperwork Reduction Act.[Footnote 43] In an analysis of 12 case studies, we found that while CIOs generally reviewed information collections and certified that they met the standards in the act, in a significant number of instances, agencies did not provide support for the certifications, as the law requires. We recommended that OMB and the agencies take steps to improve review processes and compliance with the act. In 2008, we reviewed the management of e-mail records at four agencies and found agency practices did not always conform to requirements. We recommended that the National Archives and Records Administration develop and implement an oversight approach that provides adequate assurance that agencies are following its guidance, including both regular assessments of agency records and records management programs and reporting on these assessments.[Footnote 44] Also in 2008, we reported on trends in Freedom of Information Act processing and agencies' progress in addressing backlogs of overdue FOIA requests.[Footnote 45] We found weaknesses in agency reporting on FOIA processing and recommended, among other things, that guidance be improved for agencies to track and report on overdue requests and plans to meet future backlog goals. In July 2010, we identified and described current uses of web 2.0 technologies by federal agencies to disseminate information.[Footnote 46] Specifically, we found that the federal government may face challenges in determining how to appropriately limit collection and use of personal information as agencies utilize these technologies and how and when to extend privacy protections to information collected and used by third-party providers of web 2.0 services. In July 2011, we identified ways agencies are using social media to interact with the public and assessed the extent to which they had policies in place for managing and identifying records, protecting personal information, and ensuring the security of federal information and systems. We made recommendations to 21 agencies to improve their development and implementation of social media policies.[Footnote 47] OMB Has Several Initiatives Under Way to Improve the Oversight and Management of IT, Including Changing the Role of Federal Agency CIOs: On March 5, 2009, President Obama designated the Administrator of OMB's Office of Electronic Government and Information Technology as the first Federal Chief Information Officer. The Federal CIO was given responsibility for directing the policy and strategic planning of federal information technology investments as well as for overseeing federal technology spending. Toward this end, in December 2010, the Federal CIO issued a 25 Point Implementation Plan to Reform Federal Information Technology Management. This 18-month plan specified five major goals: strengthening program management, streamlining governance and improving accountability, increasing engagement with industry, aligning the acquisition process with the technology cycle, and applying "light technology" and shared solutions.[Footnote 48] As part of this plan, OMB has initiatives under way to, among other things, strengthen agencies' investment review boards and to consolidate federal data centers. The plan stated that OMB will work with Congress to consolidate commodity IT spending (e.g., e-mail, data centers, content management systems, web infrastructure) under agency CIOs. Further, the plan called for the role of federal agency CIOs to focus more on IT portfolio management. In March 2011, we testified on the efforts of OMB and the Federal CIO to improve the oversight and management of IT investments in light of the problems that agencies have continued to experience with establishing IT governance processes to manage such investments. [Footnote 49] These initiatives included increasing the accountability of agency CIOs through the use of the IT Dashboard, a public website established in June 2009 that provides detailed information, including performance ratings, for over 800 major IT investments at federal agencies. Each investment's performance data are updated monthly, which is a major improvement from the quarterly reporting cycle used by OMB's prior oversight mechanisms. However, in a series of reviews, we have found that the data on the Dashboard were not always accurate. Specifically, we found that the Dashboard ratings were not always consistent with agency performance data.[Footnote 50] OMB has also initiated efforts to improve the management of IT investments needing attention. In particular, in January 2010, the Federal CIO began leading TechStat sessions--a review of selected IT investments between OMB and agency leadership to increase accountability and transparency and improve performance. We noted that the full implementation of OMB's 18-month roadmap should result in more effective IT management and delivery of mission-critical systems, as well as further reduction in wasteful spending on poorly managed investments.[Footnote 51] Current Agency CIOs Do Not Have Responsibility for All Assigned Areas: Similar to 2004, we found that the CIOs are not consistently responsible for all of the 13 areas assigned by statute or identified as critical to effective IT management; however, they are more focused on IT management than on the management of agency information. The majority of CIOs (between 23 and 27)[Footnote 52] reported they are responsible for the seven areas of IT management. In this regard, the CIOs reported being responsible for activities in managing IT that include the following: * managing capital planning and investment management processes to ensure that they were successfully implemented and integrated with the agency's budget, acquisition, and planning processes; * developing, maintaining, and facilitating the implementation of sound and integrated enterprise architectures; * designating a senior department official who will have responsibility for departmentwide information security; * developing IT strategic plans to emphasize the role that IT can play in effectively supporting the department's operations and goals; * developing, maintaining, and improving systems acquisition processes; * managing e-government requirements and ensuring compliance with legislation; and: * developing strategies for development of a skilled IT workforce combined with strong succession planning. Fewer CIOs (between 6 and 22) reported being responsible for the six areas predominantly related to information management (information collection/paperwork reduction, records management, privacy, information dissemination, information disclosure, and statistical policy and coordination). Even those CIOs who indicated they had been assigned responsibility for these six information management areas reported they assigned a higher priority to their IT management responsibilities. CIOs who reported they were not responsible for their agencies' information management functions said they provided input or other assistance to the organizational units within their agencies that were primarily responsible for these areas. The units with which they shared responsibilities varied, as did the roles the CIO played. For example, in the area of records management, one CIO reported working closely with the agency's data manager and making recommendations regarding records management. In the privacy area,[Footnote 53] one CIO reported coordinating with the agency's Chief Information Security Officer, general counsel, and human resources offices to address any privacy issues. To ensure accuracy of information disseminated, one CIO reported collaborating with the agency's Office of Public Affairs. The areas in which the least number of CIOs reported they were responsible were statistical policy and coordination and information disclosure. In this regard, 21 CIOs stated that statistical policy and coordination was handled by other offices within their agencies, such as a policy or research office. This included components functioning as Principal Statistical Agencies.[Footnote 54] Eighteen CIOs reported that responsibility for information disclosure rested with another office, such as an agency's FOIA office. In comparison to 2004, the number of CIOs assigned responsibility for each of the areas remained the same for all but five areas (systems acquisition, development, and integration; IT workforce planning; records management; information dissemination; and statistical policy and coordination). In each of these areas, the number of CIOs assigned responsibility decreased from 2004 to 2011. Figure 1 shows the number of CIOs with responsibility for the 13 areas in 2011 and 2004. Figure 1: Comparison of Number of CIOs Assigned Responsibility for IT Management and Information Management Areas between 2004 and 2011: [Refer to PDF for image: horizontal bar graph] Number of CIOs responsible: Responsibility: Capital planning and investment management; 2011 CIO responsibility: 27; 2004 CIO responsibility: 27. Responsibility: Enterprise architecture; 2011 CIO responsibility: 27; 2004 CIO responsibility: 27. Responsibility: Information security; 2011 CIO responsibility: 27; 2004 CIO responsibility: 27. Responsibility: IT strategic planning; 2011 CIO responsibility: 27; 2004 CIO responsibility: 27. Responsibility: E-Gov initiatives; 2011 CIO responsibility: 25; 2004 CIO responsibility: 25. Responsibility: Systems acquisitions, development and integration; 2011 CIO responsibility: 24; 2004 CIO responsibility: 25. Responsibility: IT workforce planning; 2011 CIO responsibility: 23; 2004 CIO responsibility: 27. Responsibility: Information collection/paperwork reduction; 2011 CIO responsibility: 22; 2004 CIO responsibility: 22. Responsibility: Records management; 2011 CIO responsibility: 18; 2004 CIO responsibility: 21. Responsibility: Privacy; 2011 CIO responsibility: 17; 2004 CIO responsibility: 17. Responsibility: Information dissemination; 2011 CIO responsibility: 15; 2004 CIO responsibility: 20. Responsibility: Information disclosure; 2011 CIO responsibility: 9; 2004 CIO responsibility: 9. Responsibility: Statistical policy and coordination; 2011 CIO responsibility: 6; 2004 CIO responsibility: 8. Source: GAO analysis of agency-provided data. Note: Excludes three small, independent agencies that were not included in our 2004 review. [End of figure] CIOs Spend the Majority of Their Time Managing Information Technology: The amount of time that CIOs spend in various areas of responsibility reflects their greater emphasis on IT management compared with the management of agency information. Specifically, CIOs reported they devote over two-thirds of their time to the seven IT management areas, which they generally viewed as more important to accomplishing their mission. Moreover, the majority of the CIOs were responsible for each of the areas. By contrast, the CIOs reported spending less than one-fifth of their time in the six information management areas. Specifically, CIOs reported spending 6 percent or less of their time on average in each of the areas of privacy, e-government initiatives, records management, information dissemination, information collection/paperwork reduction, information disclosure, and statistical policy and coordination. As discussed previously, most CIOs reported they were not responsible for all of these areas and indicated they did not always place a high priority on them. This is consistent with the views held by the panel of former federal CIOs, which generally did not place high priority on the information management areas. Table 2 shows the percentage of time CIOs reported allocating to the 13 areas. Table 2: Time Allocated as Reported by CIOs: IT management and information management areas: Information security; Average time allocated (% of time per week): 14%. IT management and information management areas: Areas of responsibility outside the 13 areas; Average time allocated (% of time per week): 14%. IT management and information management areas: Capital planning and investment management; Average time allocated (% of time per week): 13%. IT management and information management areas: IT strategic planning; Average time allocated (% of time per week): 11%. IT management and information management areas: Systems acquisition, development, and integration; Average time allocated (% of time per week): 11%. IT management and information management areas: Enterprise architecture; Average time allocated (% of time per week): 9%. IT management and information management areas: IT workforce planning; Average time allocated (% of time per week): 7%. IT management and information management areas: Privacy; Average time allocated (% of time per week): 6%. IT management and information management areas: E-government initiatives; Average time allocated (% of time per week): 5%. IT management and information management areas: Records management; Average time allocated (% of time per week): 4%. IT management and information management areas: Information dissemination; Average time allocated (% of time per week): 3%. IT management and information management areas: Information collection/paperwork reduction; Average time allocated (% of time per week): 2%. IT management and information management areas: Information disclosure; Average time allocated (% of time per week): 2%. IT management and information management areas: Statistical policy and coordination; Average time allocated (% of time per week): 1%. Source: GAO analysis of CIO responses. Note: Percentages may not sum to 100 due to rounding. [End of table] The CIOs also reported they spend a significant amount of time outside the 13 areas of responsibility. Specifically, CIOs indicated they spend about 14 percent of their time on other responsibilities outside these 13 areas--the same amount of time as they spend on information security, the area where CIOs reported spending the most time. These additional areas of responsibility included addressing infrastructure issues,[Footnote 55] participating in agencywide boards, or participating in external organizations, such as the federal CIO Council.[Footnote 56] In addition, CIOs reported they have begun to focus on emerging areas within IT such as cloud computing,[Footnote 57] data center consolidation, and commodity services.[Footnote 58] This is consistent with the recent emphasis of the Federal CIO on reforming IT, as reflected in OMB's IT Reform Plan. As technology continues to evolve, CIOs are likely to be challenged in ensuring that agencies use new technologies efficiently and effectively. Many CIOs Serve in Multiple Positions: An element that may potentially influence the likely success of an agency CIO is whether the CIO serves in any other agency position. According to the Clinger-Cohen Act, the CIO's statutory information and IT management functions should be that official's primary duties. We[Footnote 59] and members of Congress[Footnote 60] have previously expressed concern about agency CIOs having responsibilities beyond their primary duties and have questioned whether split duties allow a CIO to deal effectively with an agency's IT challenges. Despite the importance of focusing on their primary duties, the CIOs in our review reported holding a number of official agency job functions in addition to being CIO. Specifically, 14 of 30 CIOs reported serving in another position within their agency besides that of CIO. Of these, 11 reported that serving as CIO was their primary job function. Six of the 14 CIOs reported holding two or more positions besides CIO, with one holding five positions, including CIO. These positions included Chief Acquisition Officer and Chief Human Capital Officer. Six of the 14 CIOs felt their other agency job positions were having a positive and helpful impact on their role as CIO. For example, one CIO, who also served as Deputy Chief of Staff, explained that holding the two positions showed staff a link between agency policy and operational implementation. According to another CIO, also holding the position of Chief Human Capital Officer provided insight into problems the agency had with a new personnel system. As a result, the CIO believed he was able to address these problems more quickly. The 8 remaining CIOs reported that their additional job functions had neither a positive nor negative impact on their role as a CIO, with one exception. Specifically, one CIO explained that having multiple positions had put a greater strain on the CIO's ability to adequately perform all required responsibilities. Holding other positions is contrary to the federal law requiring that IT and information management be the CIO's primary function and distracts from the responsibility to ensure that agencies carry out their IT and information management activities in an efficient, effective, and economical manner. CIOs Generally Report Directly to the Agency Head: Federal law calls for agency CIOs to report to the head of their agency. With regard to this requirement, we reported in 2004 that only 19 of 27 CIOs reported to their agency head, and views were mixed about whether such a direct reporting relationship was important. In our current study, even fewer--17 of 30--CIOs indicated that they report to their agency head, although 23 thought it was important to do so. Despite this, the views of agency CIOs and others suggested that a variety of reporting relationships between an agency head and the CIO can be effective. CIOs generally agreed that access to the agency head was important, but that they did not necessarily require a formal reporting relationship. One said that it was important to have a "seat at the table" allowing for direct interaction with the agency head in order to articulate any problems or issues in IT. However, other CIOs stated that it was important for the CIO to report to whomever is in charge of running the daily operations of the agency. One CIO did not believe it was ideal to report directly to the agency head because the agency head has too many other responsibilities. This CIO was able to meet with the agency's deputy secretary frequently and felt this resulted in more input into decision making. Another CIO, who reported to the agency head, believed there was not one ideal reporting relationship for the entire federal government because of the differences in size and mission among the agencies. Two CIOs in our review indicated they did not have sufficient access to their agency head, even though they thought it was important to have such access. Accordingly, the CIOs felt they did not have sufficient influence on IT management decisions in their agency. The CIOs stated they had worked to gain greater influence over IT by establishing relationships with peers in their agencies such as the Chief Financial Officer or Chief Operating Officer. Overall, regardless of the reporting relationship between agency heads and agency CIOs, 28 of the CIOs reported they had adequate access to their agency head. Additionally, many of the agency CIOs who did not report directly to the agency head indicated having influence on IT management decisions within their agency because they had relationships with other senior agency officials. These included direct reporting relationships with an assistant secretary or the Chief Operating Officer. Based on their experiences, members of the panel of former CIOs stated that it was important to report to the agency head on key issues, but also to work with other senior officials for day-to-day activities. In this regard, the former CIOs believed it was essential for the CIO to forge relationships with other senior officials in an agency, such as the Chief Financial Officer and members of the Office of General Counsel. Further, in discussing this matter, the Federal CIO stated that reporting relationships should be determined on an agency-by- agency basis, noting that agencies should determine how best to meet this requirement depending on how the agency is structured. Given the varying responsibilities of agency heads and other senior officials, some degree of flexibility in CIOs' reporting relationships may be appropriate as long as CIO effectiveness is not impeded. CIOs' Education and Work Experiences Remain Diverse, although More Have Previously Served as a CIO or Deputy CIO: Although the qualifications of a CIO can help determine whether he or she is likely to be successful, there is no general agreement on the optimal background (e.g., education, experience) that a prospective agency CIO should have. The conference report accompanying the Clinger- Cohen Act stated that CIOs should possess knowledge of and practical experience in the information and IT management practices of business or government.[Footnote 61] We found that when compared to CIOs in 2004, more current CIOs had served previously as a CIO or deputy CIO. As shown in table 3 below, 18 of the CIOs in our review had experience as either a CIO or deputy CIO, an increase of 6 compared to the CIOs that participated in our 2004 review. Also, 21 current CIOs had previously worked for the federal government, 14 had worked in private industry, 4 had been in academia, and 4 had worked in state and local government. Fifteen CIOs had worked in some combination of two or more of these sectors. Further, all of the current CIOs had work experience in IT or IT-related fields. Table 3: Comparison of Current CIO Backgrounds with Those of CIOs in 2004: Description: Number of CIOs who had served previously as a CIO or deputy CIO; 2004 CIOs: 12; 2011 CIOs: 18. Description: Number of CIOs with federal government experience; 2004 CIOs: 24; 2011 CIOs: 21. Description: Number of CIOs with private sector experience; 2004 CIOs: 16; 2011 CIOs: 14. Source: GAO analysis of agency data. Note: This comparison does not include CIOs from the three small, independent agencies as they were not part of our 2004 review. [End of table] We asked current and former CIOs what key attributes they had found necessary to be an effective CIO. In response, they noted the need for IT experience and an understanding of how IT can be used to transform agencies and improve mission performance. Of most importance, however, were leadership skills and the ability to communicate effectively. The Federal CIO noted that he valued CIOs who thought about the future of the agency and demonstrated an ability to successfully manage IT programs or projects. Median CIO Tenure Remains at About 2 Years: We noted previously that one element that influences the likely success of an agency CIO is the length of time the individual in the position has to implement change. For example, our prior work has noted that it can take 5 to 7 years to fully implement major change initiatives in large public and private sector organizations and to transform related cultures in a sustainable manner. Nonetheless, when we reported on this matter in 2004, the median tenure for permanent CIOs who had completed their time in office was just under 2 years. [Footnote 62] Tenure at the CIO position has remained almost the same since we last reported. Specifically, the median tenure for permanent federal agency CIOs was about 25 months for those who served between 2004 and 2011. However, the number of CIOs who stayed in office at least 3 years declined from 35 percent in 2004 to 25 percent in 2011.[Footnote 63] (See table 4 for a comparison of CIO tenures from 1996 to 2004 and 2004 to 2011; see appendix V for figures depicting the tenure for each of the CIOs at the agencies in our review between 2004 and 2011 and a table showing various statistical analyses on CIO tenure.) Table 4: Comparison of CIO Tenure During 1996-2004 and 2004-2011: Description: Median tenure of CIOs (including current CIOs); 1996-2004: 23 months; 2004-2011: 25 months. Description: Percentage of CIOs who stayed in office for at least 3 years (excluding current CIOs); 1996-2004: 35%; 2004-2011: 25%. Description: Difference in median tenure between political and career CIOs (excluding current CIOs); 1996-2004: 13 months; 2004-2011: 4 months. Source: GAO analysis of agency data. [End of table] We previously reported on factors that affected the tenure of CIOs, which included the stressful nature of the position and whether or not CIOs were political or career appointees. The panel of former CIOs for our current study agreed that high stress levels can lead to CIOs leaving the position, as can factors such as retirement and the opportunity to serve as a CIO at a larger agency. However, we found that during the period covered by our current review, political appointees stayed only 4 months less than those in career civil service positions, compared to 13 months less in our 2004 review. Federal Law Provides Adequate Authority, but Limitations Exist in Implementation for IT Management: As previously discussed, a major goal of the Clinger-Cohen Act was to establish CIOs to advise and assist agency heads in managing IT investments. In this regard, the agency CIO was given the authority to administer a process to ensure that IT investments are selected, controlled, and evaluated in a manner that increases the likelihood they produce business value and reduce investment-related risk. As part of this process, CIOs are responsible for advising the agency head on whether IT programs and projects should be continued, modified, or terminated. In order to carry out these responsibilities, CIOs should be positioned within their agencies to successfully exercise their authority. Specifically, we have previously noted that CIOs should have a key role in IT investment decision making and budget control.[Footnote 64] In addition, CIOs require visibility into and influence over programs, resources, and decisions related to the management of IT throughout the agency. Our study did not find convincing evidence that specific legislative changes are needed to improve CIOs' effectiveness. Rather, we found that CIOs' ability to carry out their roles, as prescribed in law, has been limited by certain factors that have led to challenges. Specifically, CIOs reported they were hindered in exercising their authority over agency IT budgets, component IT spending, and staff, which our prior work has shown can lead to an inefficient use of funds. IT Budget authority: Although assigned by law with the authority to be accountable for IT management, we found that CIOs faced limitations in their ability to influence IT investment decision making at their agencies. For example, only 9 CIOs responded that their approval was required for the inclusion of all IT investments in their agency's budget. The remaining 21 CIOs indicated that their explicit approval either was not required or it was required for major IT investments only.[Footnote 65] Ten of those 21 CIOs indicated they would be more effective if their explicit approval for IT investment decisions was sought by their agency head. CIOs said having this ability would reduce the number of unknown or "rogue" systems (i.e., systems not vetted by the CIO office), allow the CIO to identify and eliminate duplicative systems, and resolve technology and security issues earlier in an investment's lifecycle. Further, 13 of the CIOs in our study did not have the power to cancel funding for IT investments. CIOs that did not have this power told us they would be more effective if they were able to cancel funding for investments because they would then be in a better position to consolidate investments and cut wasteful spending on failing projects. In our previous reviews, we have noted limitations in CIOs' ability to influence IT investments, which have contributed to long-standing challenges in agencies' management of IT. For instance, we previously reported that one agency did not provide the department's CIO with the level of IT spending control that our research at leading organizations and past work at federal departments and agencies have shown is important for effective integration of systems across organizational components.[Footnote 66] We noted that control over the department's IT budget was vested primarily with the CIO organizations within each of its component organizations. Consequently, there was an increased risk that component agencies' ongoing investments would need to be reworked to be effectively integrated and maximize departmentwide value. Component-level IT spending: A significant portion of an agency's IT funding can be allocated and spent at the component level on commodity IT systems--systems used to carry out routine tasks (e.g., e-mail, data centers, web infrastructure)--in addition to mission-specific systems. Multiple CIOs faced limitations in their ability to influence agency decisions on integrating commodity IT systems throughout their agencies because they did not have control over funding for these systems at the component level. According to CIOs, more control over component-level IT funding, including commodity IT and mission- specific systems, could help ensure greater visibility into and influence on the effective acquisition and use of IT. Further, the Federal CIO has called for agencies to place all commodity IT purchases under the purview of the agency CIO, while component mission- specific systems should remain with the component CIO. OMB included centralization of commodity funding under agency CIOs as part of its current IT reform initiatives. Consistent with this, we have reported on the importance of agency CIOs having adequate oversight to ensure that funds being spent on component agency investments will fulfill mission needs.[Footnote 67] Specifically, at one agency, we found a structured mechanism was not in place for ensuring that component agencies defined and implemented investment management processes that were aligned with those of the department. Because such processes, including reviews of component agency IT investments, were not in place, the agency CIO did not have visibility into a majority of the agency's discretionary investments and could not ensure the agency's IT investments were maximizing returns. IT workforce: CIOs also face limitations in their ability to provide input into hiring component-level senior IT managers and other IT staff. Many CIOs in our study faced limitations in performing certain workforce planning activities, such as having direct hiring capability for IT staff, providing input into the hiring of component CIOs, and influencing component agency CIOs' performance ratings. For example, some CIOs indicated they did not have any input into the hiring of their own staff. In addition, CIOs did not always participate in selections for candidate component CIOs. Further, for a majority of the agencies with component CIOs, the agency CIO did not participate in the component CIOs' performance reviews. Without sufficient influence over the hiring of IT staff or component CIOs' performance, agency CIOs are limited in their ability to ensure appropriate IT staff are being hired to meet mission needs or component accountability for overall agency priorities and objectives. We have also previously reported on CIOs' challenges related to IT workforce planning, noting there has been a lack of attention in this area, which has created weaknesses in the federal government's ability to perform its missions economically, efficiently, and effectively. [Footnote 68] In addition, in our previous review of CIOs' roles and responsibilities, we found that about 70 percent of CIOs reported IT workforce planning challenges within their agency. Without addressing CIOs' lack of influence over IT workforce planning, the government will continue to face challenges in this area, risking further inefficiencies. Most CIOs included in our study and the panel of former CIOs agreed that legislative changes were not needed to improve effectiveness in IT management. However, several CIOs told us their agencies have completed or initiated efforts to increase the influence of the CIO. For example, one agency gave its CIO complete control over the entire IT budget and all IT staff. This CIO told us that this has allowed for rapid, effective changes to be made when necessary on IT issues. Another agency began an agencywide consolidation effort so that the CIO's responsibility will be delegated to one person to centrally manage IT assets instead of multiple agency CIOs. This agency recently implemented a policy that has given one individual the title of CIO and stated that the CIO will assume oversight, management, ownership, and control of all departmental IT infrastructure assets. Another agency was centralizing decision-making authority in the office of the CIO for addressing troubled IT investments. In addition, one agency conducted a reorganization that placed component CIOs under the agency CIO. According to the CIO of that agency, the change has been a great asset to the organization, because it allowed the CIO office to work as a unit, created camaraderie among component CIOs, and reduced duplication of IT investments. In April 2011, the Federal CIO told us that agency CIOs should provide input to the component agency CIOs' performance review. In addition to these agency-specific efforts, OMB has issued guidance to reaffirm and clarify the organizational, functional, and operational governance framework required within the executive branch for managing and optimizing the effective use of IT.[Footnote 69] More recently, OMB has taken additional steps to increase the effectiveness of agency CIOs by clarifying their roles and authorities under the current law. For example, its 25 Point Implementation Plan to Reform Federal Information Technology Management called for agency CIOs to shift their focus from policy making and maintaining IT infrastructure to IT portfolio management. According to the plan, agency CIOs will be responsible for identifying unmet agency needs to be addressed by new projects, holding TechStat reviews, and improving or terminating poorly performing projects. After we sent a draft of this report to agencies for comment, OMB issued a memorandum[Footnote 70] outlining the primary areas of responsibility for federal agency CIOs. The guidance outlines four areas in which the CIO should have a lead role: IT governance, program management, commodity services, and information security. It emphasizes the role of the CIO in driving the investment review process and the CIO's responsibility over the entire IT portfolio for an agency. In a web log post about the memorandum, the Federal CIO stated that, next year, the administration will ask agencies to report through the President's Management Council[Footnote 71] and the CIO Council on implementation of the memo.[Footnote 72] In our view, the guidance is a positive step in reaffirming the importance of the role of CIOs in improving agency IT management. Nonetheless, this guidance does not address the implementation weaknesses we have identified in this and our prior reviews-- specifically that CIOs face significant limitations in their ability to influence IT investment decision making at their agencies and to exercise their statutory authority. The guidance generally instructs agency heads regarding the policies and priorities for CIOs in managing IT that we and others have stressed. However, the guidance does not state a specific requirement for agency heads to empower CIOs to carry out these responsibilities. Additionally, it does not require them to measure and report the progress of CIOs in carrying out these responsibilities and achieving the overall objectives of the IT Reform Plan. Such a requirement is essential to agencies empowering their CIOs to fully and effectively exercise their authority, and ultimately, ensuring that the CIOs are best positioned to be effective leaders in IT management. Without additional clarification and specific measures of accountability in OMB's guidance, agency CIOs are likely to continue to be hindered in carrying out their responsibilities and achieving successful outcomes in IT management, thus increasing the risk that IT spending will continue to produce mixed results, as we have long reported. A Structured Process Could Improve Sharing of Lessons Learned within Agencies: OMB guidance[Footnote 73] requires and best practices suggest that agencies document lessons learned, and we have previously reported on the importance of their collection and dissemination.[Footnote 74] The use of lessons learned is a principal component of an organizational culture committed to continuous improvement. Sharing such information serves to communicate acquired knowledge more effectively and to ensure that beneficial information is factored into planning, work processes, and activities. Lessons learned can be based on positive experiences or on negative experiences that result in undesirable outcomes. Documenting lessons learned can provide a powerful method of sharing successful ideas for improving work processes and increasing cost-effectiveness by aligning them to be utilized in the future. To facilitate the sharing of best practices and lessons learned relating to IT management across the federal government, the CIO Council established the Management Best Practices Committee. The committee works to identify successful information technology best practices being implemented in industry, government, and academia and shares them with agency CIOs. As part of its mission, in April 2011, the committee launched a best practices information-sharing platform in the form of a website to which agencies can contribute case studies of best practices. Federal agencies have begun to contribute by submitting examples depicting best practices relating to a range of topics including vendor communication and contract management; the consolidation of multiple systems into an enterprise solution through the use of cloud services; and program manager development. As of July 2011, the CIO Council website featured 10 case studies submitted by 10 agencies describing best practices. For example, one agency faced challenges with distributing technical support to 27 organizational units. After the agency head directed the consolidation of IT support services under the CIO, the agency gained a better understanding of spending on services and equipment needed to provide IT support. In another example, an agency had been operating under separate e-mail systems, which prevented it from maximizing operational efficiency and productivity. Specifically, the agency faced high costs for maintaining individual systems; difficulty sending broadcast e-mails across the entire department, thus preventing the e-mails from being received in a timely fashion; difficulty obtaining accurate and complete contact information for all employees in one global address list; and difficulty operating calendar appointments. In order to address these challenges, the agency utilized a cloud-based service solution, which the agency explained would result in lower costs per user, an improved security posture, and a unified communication strategy. In addition, agency CIOs told us their agency had implemented changes based upon lessons learned that have improved the effectiveness of the CIO. For example, while several CIOs implemented investment review boards or similar governance mechanisms, three CIOs explained that at their agency, senior-level officials, including deputy secretaries, and in one instance, an undersecretary, chaired these boards, which provided higher visibility over the selection, control, and evaluation of IT investments. Additionally, one CIO explained that implementing an enterprisewide licensing solution to optimize the agency's buying power resulted in a savings of $200 million. One told us about improved effectiveness in information security through the use of a centralized information security center. Specifically, this CIO stated that all agency information went through this center, which provides real-time monitoring throughout agency systems. This CIO explained that the security center has helped to reduce the impact of intrusions to the agency's systems. Nonetheless, although the CIO Council has established the management best practices committee and corresponding information-sharing platform to identify lessons learned, 19 CIOs said their agency did not have a process in place for capturing and documenting lessons learned and best practices. Two CIOs indicated that their agency did not have such a process due to a shortage of resources or because they did not see the development of such a process as being their responsibility. Without structured processes for capturing and documenting these lessons learned, agencies risk both losing the ability to share knowledge acquired with CIOs' experience and increasing the time required for newly hired CIOs to become effective. Additionally, the lack of internal documented processes for capturing lessons learned within agencies has the potential to inhibit the Management Best Practices Committee's ability to effectively identify, document, and disseminate individual agencies' lessons learned and best practices throughout the federal government. By effectively identifying, documenting, and disseminating lessons learned internally and externally, agencies can mitigate risk and track successful ideas for improving work processes and cost-effectiveness that can be utilized in the future. Conclusions: As in 2004, federal agency CIOs currently are not consistently responsible for all of the 13 areas assigned by statute or identified as critical to effective IT management. While the majority of CIOs are primarily responsible for key IT management areas, they are less likely to have primary responsibility for information management duties. In this regard, CIOs spend two-thirds or more of their time in the IT management areas and attach greater importance to these areas compared with the information management areas. Notwithstanding the focus on IT management, CIOs have not always been empowered to be successful. Despite the broad authority given to CIOs in federal law, these officials face limitations that hinder their ability to effectively exercise this authority, which has contributed to many of the long-standing IT management challenges we have found in our work. These limitations, which include control and influence over IT budgets, commodity IT investments, and staffing decisions, are consistent with issues we have previously identified that prevented CIOs from advising and influencing their agencies in managing IT for successful outcomes. While OMB's guidance reaffirms CIO authorities and responsibilities to influence IT outcomes, it does not establish measures of accountability. Having actionable measures would help ensure that CIOs are empowered to successfully carry out their responsibilities under the law and enable them to successfully carry out their responsibilities under the IT Reform Plan. Finally, while agency CIOs told us they had implemented practices they believed have improved the management of IT, they had not established processes to document agency-specific lessons learned that could be shared within the agency. Not doing so increases the likelihood of new CIOs making the same mistakes as those they are replacing, while establishing such a mechanism could better enable succession planning and knowledge transfer between CIOs. Recommendations for Executive Action: To ensure that CIOs are better able to carry out their statutory role as key leaders in managing IT, we recommend the Director of OMB take the following three actions: * Issue guidance to agencies requiring that CIOs' authorities and responsibilities, as defined by law and by OMB, are fully implemented, taking into account the issues raised in this report. * Establish deadlines and metrics that require agencies to demonstrate the extent to which their CIOs are exercising the authorities and responsibilities provided by law and OMB's guidance. * Require agencies to identify and document internal lessons learned and best practices for managing information technology. Agency Comments and Our Evaluation: We received comments on a draft of this report from OMB and from 5 of the 30 agencies included in our study. In oral comments, OMB's Deputy Administrator for e-Gov and its Policy Analyst for e-Gov, within the Office of Electronic Government and Information Technology, generally agreed with our findings and stated that the agency had taken actions that addressed our recommendations. Specifically, with regard to our first recommendation, the officials said they believed OMB's August 8, 2011, memorandum discussing CIOs' authorities aligned with, and reflected the beginning of a process that would help address, the concerns noted in our report. Thus, they believed our recommendation had been addressed with OMB's issuance of the memorandum. With regard to our second recommendation that called for OMB to establish an appropriate reporting mechanism to ensure compliance with the guidance, the officials pointed to a recent web log post about the August memorandum. In the post, the Federal CIO stated that, in 2012, the administration will ask agencies to report through the President's Management Council and the CIO Council on implementation of the memorandum. We believe the guidance reflected in OMB's August 2011 memorandum is a positive step in reaffirming the importance of the role of CIOs in improving agency IT management and toward addressing the concerns that are the basis for our first recommendation. It highlights the responsibilities of CIOs in the four areas of IT governance, program management, commodity services, and information security. These responsibilities are consistent with requirements in law and best practices. Further, OMB's planned use of the councils for agency reporting on implementation of the memorandum could be a useful mechanism for helping to ensure CIOs' accountability for effectively managing IT. However, neither the guidance nor the planned use of the councils, as referenced, identify requirements that would hold agencies accountable for ensuring effective CIO leadership in the four IT management areas. Specifically, as pointed out earlier in this report, the guidance does not articulate a requirement for agencies to measure and report the progress of CIOs in carrying out their responsibilities and authorities. Such a requirement is essential to ensuring that agency CIOs are best positioned to be effective leaders in IT management. As such, we stand by our second recommendation but have revised it to more explicitly highlight the need for OMB to establish deadlines and metrics that require agencies to demonstrate the extent to which CIOs are exercising their authorities and responsibilities. With regard to our third recommendation, that OMB require agencies to establish processes for documenting internal lessons learned and best practices, the officials believed this recommendation was addressed by existing guidance[Footnote 75] requiring agencies to document lessons learned for post-implementation reviews of IT projects. However, as discussed earlier, most of the agencies in our study reported that they had not established processes for documenting internal lessons learned. Further, the guidance to which OMB's officials referred is limited to lessons learned for post-implementation reviews of specific IT projects and does not include the broader spectrum of IT management areas, such as program management and information security. As such, we continue to believe that agencies could benefit from having established internal processes for documenting lessons learned across the broader spectrum of IT management areas and, therefore, believe our recommendation is warranted. Although we made no specific recommendations to the 30 agencies included in our review, we sent each agency a draft of the report for comment. Twenty-five of the agencies told us they had no comments on the draft report, while five agencies provided e-mail or written comments on the report, as follows. * In written comments from the Department of Defense CIO, the department concurred with our recommendations to OMB. However, the CIO also stated that, while our report did not identify legislative changes needed to enhance current CIOs' authority and generally felt that existing law provides sufficient authority, the department believes there are legislative opportunities to clarify and strengthen CIO authorities that should be pursued, such as overlap in responsibilities between the CIO and other officials. The department stated that it was taking actions to address this issue internally. As discussed earlier in this report, the effectiveness of agency CIOs depends in large measure on their having clear roles and authorities. As noted, however, we found no evidence indicating that legislative changes are needed to achieve this. Rather, our study results determined that these officials face limitations that hinder their ability to effectively exercise their current authorities. Accordingly, agencies have an important opportunity to address these limitations by empowering the CIOs to fully and effectively exercise their authority and ensuring that the CIOs are best positioned to be effective leaders in managing IT. Our recommendations to OMB are aimed at ensuring that CIOs effectively exercise the authority and responsibilities that they have been given. DOD's comments are reprinted in appendix VI. * The Department of Homeland Security's Director of Departmental GAO/ Office of Inspector General (OIG) Liaison Office provided written comments in which the department indicated agreement with our findings and recommendations. In the comments, the department said it is committed to working with OMB to address the challenges agency CIOs face and increase the effectiveness of its efforts. These comments are reproduced in appendix VII. * In written comments from the CIO, the Office of Personnel Management agreed with our recommendations. The agency included examples of actions the agency has taken to elevate the CIO position and bring it into greater alignment with the Clinger-Cohen Act. The Office of Personnel Management's written comments are reproduced in appendix VIII. * In an e-mail response from the Office of the Chief Information Officer, the United States Agency for International Development said the recommendations were sound and would assist agencies in ensuring that CIOs are better able to carry out their statutory role as key leaders in managing IT. * In an e-mail response from the Deputy CIO, the Department of Commerce stated that it had no major issues with the recommendations and conclusions and described the report as an informative assessment of the practices and challenges faced by federal agency CIOs. Beyond the aforementioned comments, two agencies--the Social Security Administration and the Department of Health and Human Services-- provided technical comments on the report, which we incorporated as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to other interested congressional committees, the Director of the Office of Management and Budget, and the Secretaries of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General; the administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the commissioners of the Nuclear Regulatory Commission and the Social Security Administration; the directors of the National Science Foundation and Office of Personnel Management; the Chief Executive Officer of the Corporation for National and Community Service; and the chairmen of the Federal Labor Relations Authority and Commodity Futures Trading Commission. In addition, this report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please contact me at (202) 512-6304 or by e-mail at melvinv@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs are on the last page of this report. Key contributors to this report are listed in appendix IX. Signed by: Valerie C. Melvin: Director, Information Management and Human Capital Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to (1) determine the current roles and responsibilities of federal agency Chief Information Officers (CIO) in managing information and technology; (2) determine what potential modifications to the Clinger-Cohen Act and related laws could be made to enhance CIOs' authority and effectiveness; and (3) identify key lessons learned by federal agency CIOs in managing information and technology. To address the objectives of this review, we collected and reviewed previous GAO reports, including our 2004 report on CIOs' roles and responsibilities,[Footnote 76] as well as various other reports that discussed the status of agency CIOs' roles and responsibilities. This included reports from Gartner[Footnote 77] and Deloitte[Footnote 78] on the role of federal CIOs and OMB's 25 Point Implementation Plan to Reform Federal Information Technology Management.[Footnote 79] We also interviewed the Partnership for Public Service's Director of the Strategic Advisors to Government Executives Program for mentoring federal executives, including agency CIOs. We then developed and administered a questionnaire to the CIOs of 27 major departments and agencies in our 2004 review and of three small, independent agencies. We selected the three independent agencies based on whether they had a CIO in place when our review began and the size of the agency's 2011 budget estimates.[Footnote 80] Using the questionnaire, we requested information on whether each CIO was responsible for each of 13 information technology (IT) and information management areas that we identified as either required by statute or critical to effective IT management in our 2004 report.[Footnote 81] In addition, we asked about CIOs' reporting relationships, professional and educational backgrounds, tenure, and lessons learned in managing information and technology. In addition, we collected and reviewed written position descriptions for each agency's CIO, deputy CIO, and other key officials responsible for the 13 IT and information management areas; the resumes or curricula vitae of the current CIOs; each agency's current organization chart(s) depicting the CIO's position relative to the head of the agency, other senior officials, and component CIOs, if applicable; and functional statements for offices that have responsibilities in IT and information management. We also asked each agency to supply the name, beginning and ending dates in office, and circumstances (e.g., whether they were in an acting or permanent position) of each of the individuals who had served as CIO at the agency since 2003. Further, we also collected and reviewed any supporting documentation of recent departmental changes. We then interviewed each of the CIOs who were in place at the time of our review (see appendix II for a list of the CIOs) in order to validate responses from the questionnaire and to obtain an understanding of their views on the 13 IT and information management areas including roles and responsibilities, changes needed to enhance authority and effectiveness, and lessons learned for managing information and technology. From the questionnaire and interview responses, we analyzed CIOs' responses to determine their current roles and responsibilities and reporting relationships with agency heads. We then compared the responses to those identified in our 2004 report.[Footnote 82] Additionally, we assessed the CIOs' reported time spent in the 13 IT and information management areas of responsibility and the importance of each area to them, as well as their views on changes needed to improve their authority and effectiveness. We also reviewed CIOs' qualifications and current and former CIOs' tenure. Further, we analyzed CIO responses to questions concerning changes needed to improve their authority and effectiveness and compared them to the authority described in federal IT laws. We supplemented our analysis by reviewing our prior reports related to agency CIO authority and IT management challenges.[Footnote 83] We also analyzed CIOs' comments related to lessons learned that they have used to improve IT management at their agency. Further, we analyzed OMB IT management reform efforts, including its August 2011 memorandum on CIO authorities, and status updates related to agency CIOs and lessons learned initiatives. To complement information we obtained from current CIOs, we held a panel discussion with nine former CIOs of federal agencies. The purpose of this discussion was to elicit views regarding the statutory responsibilities given to federal CIOs, lessons learned by CIOs in managing information and technology, and areas in which current legislation could be revised to enhance CIOs' authority and effectiveness. Appendix III lists these panelists. Finally, we met with the Federal CIO to obtain his views on priorities and responsibilities for CIOs and to discuss potential modifications to the Clinger-Cohen Act and related laws that could enhance CIOs' authority and effectiveness. We conducted our work at the 30 agencies from June 2010 to September 2011 in the greater Washington, D.C., area, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Chief Information Officers Interviewed: Agency/department: Commodity Futures Trading Commission (CFTC); CIO: John Rogers. Agency/department: Corporation For National and Community Service (CNCS); CIO: Phillip Clark. Agency/department: Department of Agriculture; CIO: Christopher Smith. Agency/department: Department of Commerce; CIO: Simon Szykman. Agency/department: Department of Defense; CIO: Teresa M. Takai. Agency/department: Department of the Air Force; CIO: Lieutenant General William T. Lord. Agency/department: Department of the Army; CIO: Michael E. Krieger[A]. Agency/department: Department of the Navy; CIO: Terry Halverson. Agency/department: Department of Education; CIO: Danny Harris. Agency/department: Department of Energy; CIO: Michael W. Locatis III. Agency/department: Department of Health and Human Services (HHS); CIO: Michael W. Carleton. Agency/department: Department of Homeland Security (DHS); CIO: Richard Spires. Agency/department: Department of Housing and Urban Development (HUD); CIO: Jerry E. Williams. Agency/department: Department of the Interior; CIO: Bernard Mazer. Agency/department: Department of Justice; CIO: Vance Hitch. Agency/department: Department of Labor; CIO: T. Michael Kerr. Agency/department: Department of State; CIO: Susan Swart. Agency/department: Department of Transportation (DOT); CIO: Nitin Pradhan. Agency/department: Department of the Treasury; CIO: Diane Litman[A]. Agency/department: Department of Veterans Affairs (VA); CIO: Roger W. Baker. Agency/department: Environmental Protection Agency (EPA); CIO: Malcolm D. Jackson. Agency/department: Federal Labor Relations Authority (FLRA); CIO: Chris Webber. Agency/department: General Services Administration (GSA); CIO: Casey Coleman. Agency/department: National Aeronautics and Space Administration (NASA); CIO: Linda Y. Cureton. Agency/department: National Science Foundation (NSF); CIO: Andrea T. Norris. Agency/department: Nuclear Regulatory Commission (NRC); CIO: Darren B. Ash. Agency/department: Office of Personnel Management (OPM); CIO: Matthew Perry. Agency/department: Small Business Administration (SBA); CIO: Paul Christy. Agency/department: Social Security Administration (SSA); CIO: Franklin Baitman. Agency/department: U.S. Agency for International Development (USAID); CIO: Jerry Horton. Source: GAO: [A] These CIOs were in their position during the time of our review, but left their position prior to the end of our review. [End of table] [End of section] Appendix III: Former Agency CIO Panel Participants: In March 2011, we convened a panel of former federal agency chief information officers, during which we discussed CIOs' roles and responsibilities, reporting relationships, and any potential changes needed to legislation. Table 5 provides the former and current titles of these officials. Table 5: Former Agency Chief Information Officer Panel: Name: Alan Balutis; Former agency/positions: Department of Commerce/CIO; Current organization/position: Cisco Systems' Business Solutions Group/Senior Director of North American Public Sector. Name: John Gilligan; Former agency/positions: Department of the Air Force/CIO; Department of Energy/CIO; Current organization/position: The Gilligan Group/President. Name: Thomas Hughes; Former agency/positions: Social Security Administration/CIO; Current organization/position: CSC Corporation/Partner in Strategy Services. Name: Daniel Matthews; Former agency/positions: Department of Transportation/CIO; Current organization/position: Triple-I Corporation/Senior Vice President of Strategic Programs. Name: Molly O'Neil; Former agency/positions: U.S. Environmental Protection Agency/CIO; Current organization/position: CGI Group/VP Consulting. Name: Gloria Parker; Former agency/positions: Department of Housing and Urban Development/CIO; Department of Education/Deputy CIO; Current organization/position: Parker Group Consulting/CEO and Senior Partner. Name: Patrick Pizzella; Former agency/positions: Department of Labor/Assistant Secretary for Administration and Management and CIO; Current organization/position: Patrick Pizzella, LLC. Name: W. Hord Tipton; Former agency/positions: Department of the Interior/CIO; Current organization/position: International Information Systems Security Certification Consortium (ISC)/Executive Director and member of the Board of Directors. Name: Barry West; Former agency/positions: Department of Commerce/CIO; Federal Emergency Management Agency/CIO; Current organization/position: SE Solutions/Executive Vice President. Source: GAO. [End of table] [End of section] Appendix IV: Summary of CIOs' Information Management and Technology Responsibilities: The following summarizes information gathered from CIOs related to their responsibilities in the 13 information management and information technology management areas discussed in this report. IT Strategic Planning: CIOs are responsible for strategic planning for all information and information technology management functions [Paperwork Reduction Act]. * Of the 30 CIOs we surveyed, all CIOs indicated they were responsible for ensuring compliance with laws related to IT strategic planning within their agency. In 2004, all 27 CIOs surveyed also indicated responsibility for IT strategic planning. * All CIOs reported they thought the CIO should be responsible for IT strategic planning. Twenty-nine of the 30 CIOs reported that IT strategic planning was important to carrying out their mission. The CIO who reported that IT strategic planning was not important said this area was being executed properly and it did not require much attention or guidance. Table 6 provides a summary of CIO responses regarding IT strategic planning. Table 6: Summary of CIO Responses to Questions for IT Strategic Planning: CIOs responsible for IT strategic planning: 2011 - CIOs responsible: 100%. 2004 - CIOs responsible: 100%. CIOs who felt they should be responsible: 100%. CIOs who felt they should not be responsible: 0. Importance of IT strategic planning: Very important: 83%. Important: 13%. Somewhat important:0. Not very important: 3%. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] IT Workforce Planning: CIOs are responsible for assessing agency information and IT workforce needs and developing strategies and plans for meeting those needs [Paperwork Reduction Act and Clinger-Cohen Act]. * Twenty-six of the 30 CIOs indicated they were responsible for strategically assessing IT workforce needs and using IT staff in order to achieve mission goals in the most efficient ways. In 2004, we reported that all 27 CIOs responded they were responsible for helping the agency meet its IT workforce or human capital needs. * Of the 30 CIOs that provided responses, 24 reported that they thought the CIO should be responsible by law for IT workforce planning. All of the 30 CIOs reported that workforce planning was "very important" or "important" to carrying out their mission. Table 7 provides a summary of CIO responses regarding IT workforce planning. Table 7: Summary of CIO Responses to Questions for IT Workforce Planning: CIOs responsible for IT workforce planning: 2011 - CIOs responsible: 87%. 2004 - CIOs responsible: 100%. CIOs who felt they should be responsible: 80%. CIOs who felt they should not be responsible: 20%. Importance of IT workforce planning: Very important: 63%. Important: 37%. Somewhat important: 0. Not very important: 0. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Capital Planning and Investment Management: CIOs are responsible for a process for selecting, controlling, and evaluating IT investments to produce business value, reduce investment- related risks, and increase accountability and transparency in the investment decision-making process [Paperwork Reduction Act and Clinger-Cohen Act]. Of the 30 CIOs we surveyed, all of them indicated they were responsible for capital planning and investment management activities at their agency. This is consistent with the results of our 2004 report, which found that all 27 CIOs also indicated responsibility for capital planning and investment management. All 30 of the CIOs reported they thought the CIO should be responsible for capital planning and investment management. All 30 CIOs reported that capital planning and investment management was "very important" or "important" to carrying out their mission. Table 8 provides a summary of CIO responses regarding capital planning and investment management. Table 8: Summary of CIO Responses to Questions for Capital Planning and Investment Management: CIOs responsible for capital planning and investment management: 2011 - CIOs responsible: 100%. 2004 - CIOs responsible: 100%. CIOs who felt they should be responsible: 100%. CIOs who felt they should not be responsible: 0. Importance of capital planning and investment management: Very important: 97%. Important: 3%. Somewhat important: 0. Not very important: 0. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Information Security: CIOs are responsible for ensuring agency compliance with requirements to protect information and systems [Paperwork Reduction Act, Federal Information Security Management Act, and Clinger-Cohen Act]. All 30 CIOs indicated they were responsible for ensuring compliance with information security best practices and related laws at their agency. This is consistent with the results of our 2004 report, which found that all of the 27 CIOs surveyed indicated being responsible for information security. Of the 30 agencies that provided responses, all 30 CIOs reported that they thought the CIO should be responsible by law for information security. Twenty-nine of the 30 CIOs reported that information security was "very important" to carrying out their mission. Only one CIO ranked information security as "somewhat important" because his goal is to move the agency toward a risk-based approach that uses secure, reliable, and cost-effective technology. Table 9 provides a summary of CIO responses regarding information security. Table 9: Summary of CIO Responses to Questions for Information Security: CIOs responsible for information security: 2011 - CIOs responsible: 100%. 2004 - CIOs responsible: 100%. CIOs who felt they should be responsible: 100%. CIOs who felt they should not be responsible: 0. Importance of information security: Very important: 97%. Important: 0. Somewhat important: 3%. Not very important: 0. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Enterprise Architecture: CIOs are responsible for developing and maintaining the business and technology blueprint that links an agency's strategic plan to IT programs and supporting system implementations [Clinger-Cohen Act]. Of the 30 CIOs we surveyed, all 30 indicated they were responsible for enterprise architecture-related activities at their agency. This is consistent with the results of our 2004 report, which found that 27 of 27 CIOs also indicated responsibility for enterprise architecture. All 30 CIOs interviewed reported that they believed the CIO should be responsible for enterprise architecture. Twenty-eight of the 30 CIOs reported that enterprise architecture was "important" or "very important" to carrying out their mission with one of the remaining two identifying it as being "somewhat important" and the other labeling it as being "not very important." For example, one CIO ranked enterprise architecture as being very important based on the maturity of the agency's abilities within the area. The CIO explained that, since their enterprise architecture was not as mature as they would like it to be, they viewed it as being currently very important. The CIO who reported that enterprise architecture was somewhat important for his mission clarified that this was because the existing activities related to enterprise architecture were being properly executed and therefore required less focus. The remaining CIO who responded that enterprise architecture was "not very important" explained that enterprise architecture was not essential to completing the agency's mission and therefore having a formal enterprise architecture was less important at the agency. Table 10 provides a summary of CIO responses regarding enterprise architecture. Table 10: Summary of CIO Responses to Questions for Enterprise Architecture: CIOs responsible for enterprise architecture: 2011 - CIOs responsible: 100%. 2004 - CIOs responsible: 100%. CIOs who felt they should be responsible: 100%. CIOs who felt they should not be responsible: 0. Importance of enterprise architecture: Very important: 77%. Important: 17%. Somewhat important: 3%. Not very important: 3%. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire: Note: Percentages may not sum to 100 due to rounding. [End of table] Systems Acquisition, Development, and Integration: CIO IT management responsibilities should include a primary role in developing and enforcing policies for systems acquisition, their development, and integration with existing systems [Paperwork Reduction Act and Clinger-Cohen Act]. Of the 30 CIOs we surveyed, 27 indicated they were responsible for ensuring compliance with systems acquisitions, development, and integration-related best practices. This is generally consistent with our 2004 study, when 25 of 27 CIOs reported responsibility for systems acquisition, development, and integration. Almost all (28 of 30) CIOs reported that they thought the CIO should be responsible for systems acquisition, development, and integration. All of the 30 CIOs reported that systems acquisition, development, and integration was "very important" or "important" to carrying out their mission. Table 11 provides a summary of CIO responses regarding this area. Table 11: Summary of CIO Responses to Questions for Systems Acquisition, Development, and Integration: CIOs responsible for systems acquisition, development, and integration: 2011 - CIOs responsible: 90%. 2004 - CIOs responsible: 93%. CIOs who felt they should be responsible: 93%. CIOs who felt they should not be responsible: 7%. Importance of systems acquisition, development, and integration: Very important: 77%. Important: 23%. Somewhat important: 0. Not very important: 0. Not at all important: 0. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] E-government Initiatives: CIOs are responsible for promoting the use of IT, including the Internet and emerging technologies, to improve the productivity, efficiency, and effectiveness of agency operations, programs, and services [Paperwork Reduction Act, Clinger-Cohen Act, and E-Government Act of 2002]. Of the 30 CIOs we surveyed, 28 indicated they were responsible for ensuring compliance with the E-government Act of 2002 and related e- government initiatives at their agency. This is generally consistent with the results of our 2004 report, which found that 25 of 27 CIOs indicated responsibility for the e-government initiatives. Twenty-six of 30 CIOs reported that they thought the CIO should be responsible for e-government initiatives. Eighteen of the 30 CIOs reported that the e-government initiatives were "important" or "very important" to carrying out their mission. However, a number of CIOs felt that the e-government initiatives were not important to their mission. For example, one CIO said the only persons who cared whether they respond to the e-government initiatives are outside of the agency and this CIO considered these initiatives a paperwork exercise. Another CIO felt this area was only "somewhat important" because they already had established mature systems that did not require effort on the CIOs part to maintain. Table 12 provides a summary of CIO responses regarding e-government. Table 12: Summary of CIO Responses to Questions for E-government Initiatives: CIOs responsible for e-government initiatives: 2011 - CIOs responsible: 93%. 2004 - CIOs responsible: 93%. CIOs who felt they should be responsible: 87%. CIOs who felt they should not be responsible: 13%. Importance of e-government initiatives: Very important: 23%. Important: 37%. Somewhat important: 23%. Not very important: 10%. Not at all important: 7%. N/A: 0. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Information Collection/Paperwork Reduction: CIOs are responsible for the review of agency information collection proposals to maximize utility and minimize public paperwork burdens [Paperwork Reduction Act]. Twenty-two of 30 CIOs indicated that they were responsible for information collection/paperwork reduction at their agency. This is generally consistent with the results of our 2004 study, which found that 22 of 27 CIOs indicated responsibility for information collection/paperwork reduction. Eighteen of the 30 CIOs reported they thought the CIO should be responsible for information collection/paperwork reduction. Fourteen of the 30 CIOs reported that information collection/paperwork reduction was "very important" or "important" to carrying out their mission. Fifteen CIOs ranked it as "somewhat important" or "not very important." Four CIOs reported that information collection/paperwork reduction was "not very important," with one stating that this area was either handled by his staff or he felt it was being executed properly and did not require a lot of attention and guidance. Several of the remaining CIOs reported that information collection/paperwork reduction was "somewhat important" because they were either not responsible for this area or it was not mission critical. Table 13 provides a summary of CIO responses regarding this area. Table 13: Summary of CIO Responses to Questions for Information Collection/Paperwork Reduction: CIOs responsible for information collection/paperwork reduction: 2011 - CIOs responsible: 73%; 2004 - CIOs responsible: 81%. CIOs who felt they should be responsible: 60%. CIOs who felt they should not be responsible: 40%. Importance of information collection/paperwork reduction: Very important: 17%. Important: 30%. Somewhat important: 37%. Not very important: 13%. Not at all important: 0. N/A: 3%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Information Dissemination: CIOs are responsible for ensuring that the agency's information dissemination activities meet policy goals, such as timely and equitable public access to information [Paperwork Reduction Act]. Of the 30 CIOs we surveyed, 16 indicated they were responsible for information dissemination-related activities at their agency. This represents a decrease since our 2004 report when 20 of 27 CIOs reported they held this responsibility. Thirteen of the 30 CIOs reported that they thought the CIO should be responsible for information dissemination. Eighteen of the 30 CIOs reported that information dissemination was "very important" or "important" to carrying out their mission, while 11 CIOs ranked it as being either "somewhat important" or "not very important" to carrying out their mission. Several CIOs explained they ranked information dissemination as being less than "important" because responsibilities in the area were being executed properly by other designated officials, they were not directly responsible, or it was not a priority and did not require a lot of time. Table 14 provides a summary of CIO responses regarding information dissemination. Table 14: Summary of CIO Responses to Questions for Information Dissemination: CIOs responsible for information dissemination: 2011 - CIOs responsible: 53%. 2004 - CIOs responsible: 74%. CIOs who felt they should be responsible: 43%. CIOs who felt they should not be responsible: 57%. Importance of information dissemination: Very important: 17%. Important: 43%. Somewhat important: 30%. Not very important: 7%. Not at all important: 0. N/A: 3%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Information Disclosure: CIOs are responsible for ensuring appropriate information disclosure under the Freedom of Information Act [Paperwork Reduction Act]. Of the 30 CIOs we surveyed, 9 indicated that they were responsible for information disclosure at their agency. This is generally consistent with our 2004 findings in which 9 of 27 CIOs indicated responsibility for information disclosure. Of the 30 CIOs surveyed, 10 reported that they thought the CIO should be responsible for information disclosure. Fourteen of the 30 CIOs reported that it was "very important" or "important" to carrying out their mission. In contrast, 14 of the 30 CIOs reported that information disclosure was either "somewhat important" or "not very important" to carrying out their mission. CIOs who ranked information disclosure as either being "somewhat important" or "not very important" commonly explained they did so because the area was either a low priority, did not require a lot of time, was executed properly or, as CIO, they were not primarily responsible for information disclosure. One CIO explained that he ranked the area as being "somewhat important" because his agency does not disclose a majority of its information. Of the remaining 2 CIOs who responded that this question was not applicable, one explained that they ranked the area as "not applicable" because they were not directly responsible and felt uncomfortable providing a metric regarding its importance. Table 15 provides a summary of CIO responses regarding information disclosure. Table 15: Summary of CIO Responses to Questions for Information Disclosure: CIOs responsible for information disclosure: 2011 - CIOs responsible: 30%. 2004 - CIOs responsible: 33%. CIOs who felt they should be responsible: 33%. CIOs who felt they should not be responsible: 67%. Importance of information disclosure: Very important: 17%. Important: 30%. Somewhat important: 37%. Not very important 10%. Not at all important: 0. N/A: 7%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Statistical Policy and Coordination: CIOs are responsible for agency statistical policy and coordination functions, including ensuring the relevance, accuracy, and timeliness of information collected or created for statistical purposes [Paperwork Reduction Act]. Seven of 30 CIOs indicated they had responsibility for performing statistical policy and coordination functions, including ensuring the relevance, accuracy, and timeliness of information collected or created for statistical purposes at their agency. Similarly, in our 2004 study, 8 of 27 CIOs reported responsibility for statistical policy and coordination. Twenty-three CIOs reported that someone other than the CIO should be responsible for statistical policy and coordination. In comparison to the other areas of information and IT management, CIOs viewed statistical policy and coordination as the least important to accomplishing the CIO's mission. Specifically, 15 CIOs ranked statistical policy as "somewhat important," "not very important," or "not at all important." Many of these CIOs explained that they were not responsible for statistical policy at the agency because a designated official performed these activities. Table 16 provides a summary of CIO responses regarding statistical policy and coordination. Table 16: Summary of CIO Responses to Questions for Statistical Policy and Coordination: CIOs responsible for statistical policy and coordination: 2011 - CIOs responsible: 23%. 2004 - CIOs responsible: 30%. CIOs who felt they should be responsible: 20%. CIOs who felt they should not be responsible: 80%. Importance of statistical policy and coordination: Very important: 13%. Important: 13%. Somewhat important: 23%. Not very important: 20%. Not at all important: 6%. N/A: 23%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Records Management: CIOs are responsible for ensuring that the agency implements and enforces the records management policies and procedures required by the Federal Records Act [Paperwork Reduction Act]. Of the 30 CIOs we surveyed, 18 indicated they were responsible for ensuring compliance with the Federal Records Act and related laws at their agency. In our 2004 study, 21 of 27 CIOs indicated responsibility for records management. Of the 30 CIOs surveyed, 18 reported that they thought the CIO should be responsible for records management. Twenty-one of the 30 CIOs reported that records management was "important" or "very important" to carrying out their mission. However, 8 CIOs felt that records management was "somewhat important" or "not very important" to their mission. Of these, one CIO said this area was either handled by his staff or he felt it was being executed properly and did not require a lot of attention or guidance. Another CIO felt this area was "somewhat important" because it did not have a lot of impact and was of minimal importance. Table 17 provides a summary of CIO responses regarding records management. Table 17: Summary of CIO Responses to Questions for Records Management: CIOs responsible for records management: 2011 - CIOs responsible: 60%. 2004 - CIOs responsible: 78%. CIOs who felt they should be responsible: 60%. CIOs who felt they should not be responsible: 40%. Importance of records management: Very important: 27%. Important: 43%. Somewhat important: 23%. Not very important: 3%. Not at all important: 0. N/A: 3%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] Privacy: CIOs are responsible for ensuring agency compliance with the Privacy Act and related laws [Paperwork Reduction Act]. Eighteen of 30 CIOs indicated they were responsible for ensuring compliance with the Privacy Act and related laws at their agency. In our 2004 study, 17 of 27 CIOs were responsible for privacy. Seventeen CIOs reported that they thought the CIO should be responsible for privacy. Twenty-nine of the 30 CIOs reported that privacy was "important" or "very important" to carrying out their mission. The CIO who reported that this question was not applicable clarified that because he was not responsible for privacy, he was not comfortable assessing its importance. Table 18 provides a summary of CIO responses regarding privacy. Table 18: Summary of CIO Responses to Questions for Privacy: CIOs responsible for privacy: 2011 - CIOs responsible: 60%. 2004 - CIOs responsible: 63%. CIOs who felt they should be responsible: 57%. CIOs who felt they should not be responsible: 43%. Importance of privacy: Very important 60%. Important: 37%. Somewhat important: 0. Not very important: 0. Not at all important: 0. N/A: 3%. Source: CIO responses to GAO questionnaire. Note: Percentages may not sum to 100 due to rounding. [End of table] [End of section] Appendix V CIO Tenure at Each Agency: Figures 2 and 3 depict the tenure of CIOs at each agency in our review from 2004 to 2011. In addition, figure 2 shows whether CIOs were acting or permanent, while figure 3 shows whether they were career employees or political appointees. Table 19 presents further analysis related to acting and permanent CIO tenure. Figure 2: CIO Tenure--Acting and Permanent: [Refer to PDF for image: horizontal bar graph] Agency: HUD; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent (half-year); Acting (half-year); 2008: Acting (half-year); Permanent (half-year); 2009: Acting (half-year); Permanent (half-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 8. Agency: CNCS; CIO Tenure: 2004: Permanent; 2005: Permanent (half-year); Acting (half-year); 2006: Acting (half-year); Permanent (half-year); 2007: Permanent; 2008: Permanent (half-year); Acting (half-year); 2009: Permanent (half-year); Acting (half-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 7. Agency: DHS; CIO Tenure: 2004: Permanent; 2005: Permanent (one-third-year); Acting (two-thirds-year); 2006: Permanent; 2007: Permanent; 2008: Acting (one-third-year); Permanent (two-thirds-year); 2009: Permanent (half-year); Acting (half-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 7. Agency: Interior; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Acting (half-year); Permanent (half-year); 2008: Permanent (one-third-year); Acting (two-thirds-year); 2009: Permanent; 2010: Permanent (half-year); Acting (half-year); 2011: Permanent. Number of different CIOs[A]: 7. Agency: Treasury; CIO Tenure: 2004: Permanent (two-thirds-year); Acting (one-third-year); 2005: Permanent; 2006: Permanent; 2007: Permanent (half-year); Acting (half-year); 2008: Permanent; 2009: Permanent; 2010: Permanent (half-year); Acting (half-year); 2011: Acting; Number of different CIOs[A]: 6. Agency: USAID; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent (half-year); Acting (half-year); 2007: Acting (half-year); Permanent (half-year); 2008: Permanent (one-third-year); Acting (two-thirds-year); 2009: Acting (one-third-year); Permanent (two-thirds-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 6. Agency: VA; CIO Tenure: 2004: Acting (one-fourth-year); Permanent (three-fourths-year); 2005: Permanent; 2006: Permanent (half-year); Acting (half-year); 2007: Permanent; 2008: Permanent; 2009: Acting (one-third-year); Permanent (two-thirds-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 6. Agency: Air Force; CIO Tenure: 2004: Permanent; 2005: Permanent (one-third-year); Acting (two-thirds-year); 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: Army; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent (two-thirds-year); Acting (one-third-year); 2008: Permanent; 2009: Permanent; 2010: Permanent (two-thirds-year); Acting (one-third-year); 2011: Acting (one-fourth-year); Permanent (one-fourth-year); Number of different CIOs[A]: 5. Agency: Commerce; CIO Tenure: 2004: Permanent; 2005: Permanent (two-thirds-year); Acting (one-third-year); 2006: Acting (half-year); Permanent (half-year); 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: Defense; CIO Tenure: 2004: Permanent (one-fourth-year); Acting (three-fourths-year); 2005: Acting (three-fourths-year); Permanent (one-fourth-year); 2006: Permanent; 2007: Permanent; 2008: Permanent (one-third-year); Acting (two-thirds-year); 2009: Acting; 2010: Acting (three-fourths-year); None (one-fourth-year); Permanent (one-fourth-year); 2011: Permanent; Number of different CIOs[A]: 5. Agency: DOT; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Acting (one-third-year); Permanent (two-thirds-year); 2007: Permanent; 2008: Permanent; 2009: Acting (one-third-year); None (one-fourth-year); Permanent (one- half-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: EPA; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Acting; 2007: Permanent; 2008: Permanent; 2009: Acting; 2010: Acting (half-year); Permanent (half-year); 2011: Permanent; Number of different CIOs[A]: 5. Agency: NASA; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent (half-year); Acting (half-year); 2007: Acting (one-fourth-year); Permanent (three-fourths-year); 2008: Permanent; 2009: Permanent (one-third-year); Acting (two-thirds-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: SBA; CIO Tenure: 2004: Permanent (half-year); Acting (half-year); 2005: Acting (half-year); None (half-year); 2006: None (one-third-year); Permanent (two-thirds-year); 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: State; CIO Tenure: 2004: Acting; 2005: Acting; 2006: Permanent; 2007: Permanent (nine-tenths-year); Acting (one-tenth-year); 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 5. Agency: Agriculture; CIO Tenure: 2004: Permanent; 2005: Permanent (half-year); None (half-year); 2006: Permanent; 2007: Permanent (nine-tenths-year); None (one-tenth-year); 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 4. Agency: CFTC; CIO Tenure: 2004: Permanent; 2005: Acting (two-thirds-year); Permanent (one-third-year); 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 4. Agency: Education; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 4. Agency: Energy; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Acting (two-thirds-year); Permanent (one-third-year); 2011: Permanent; Number of different CIOs[A]: 4. Agency: HHS; CIO Tenure: 2004: Acting (one-third-year); Permanent (two-thirds-year); 2005: Permanent; 2006: Permanent; 2007: Acting (one-third-year); Permanent (two-thirds-year); 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 4. Agency: Navy; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent (nine-tenths-year); Acting (one-tenth-year); 2011: Permanent; Number of different CIOs[A]: 4. Agency: Labor; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Acting (one-third-year); Permanent (two-thirds-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 3. Agency: NRC; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 3. Agency: SSA; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Acting (one-half-year); Permanent (one-half-year); 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 3. Agency: FLRA[B]; CIO Tenure: 2004: None; 2005: None; 2006: None; 2007: None; 2008: None; 2009: None (one-third-year); Permanent (two-thirds-year); 2010: None (one-third-year); Permanent (two-thirds-year); 2011: Permanent; Number of different CIOs[A]: 2. Agency: GSA; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 2. Agency: NSF; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Acting; 2011: Acting; Number of different CIOs[A]: 2. Agency: OPM; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 2. Agency: Justice; CIO Tenure: 2004: Permanent; 2005: Permanent; 2006: Permanent; 2007: Permanent; 2008: Permanent; 2009: Permanent; 2010: Permanent; 2011: Permanent; Number of different CIOs[A]: 1. Source: GAO analysis of agency data. [A] The number of bar elements for an agency may not add up to the total in this column because some individual CIOs are shown more than once, as their circumstances changed (e.g., an acting CIO that became a permanent CIO). [B] FLRA did not have a CIO until 2009. It is one of the independent agencies that was not required to have a CIO under the Clinger-Cohen Act. [End of figure] Figure 3: CIO Tenure--Career and Political Appointees: [Refer to PDF for image: horizontal bar graph] Agency: HUD; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 8. Agency: CNCS; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Career (one-third year); Appointed (two-thirds year); 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 7. Agency: DHS; CIO Tenure: 2004: Appointed; 2005: Career (one-third year); Appointed (two-thirds year); 2006: Appointed; 2007: Appointed; 2008: Career (one-third year); Appointed (two-thirds year); 2009: Career (one-third year); Appointed (two-thirds year); 2010: Appointed; 2011: Appointed; Number of different CIOs[A]: 7. Agency: Interior; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 7. Agency: Treasury; CIO Tenure: 2004: Appointed (one-third year); Career (two-thirds year); 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 6. Agency: USAID; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 6. Agency: VA; CIO Tenure: 2004: Career (one-tenth year); Appointed (nine-tenths year); 2005: Appointed; 2006: Appointed; 2007: Appointed; 2008: Appointed; 2009: Career (one-third year); Appointed (two-thirds year); 2010: Appointed; 2011: Appointed; Number of different CIOs[A]: 6. Agency: Air Force; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 5. Agency: Army; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career (one-fourth year); Appointed (one-fourth year); Number of different CIOs[A]: 5. Agency: Commerce; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 5. Agency: Defense; CIO Tenure: 2004: Appointed (one-fourth year); Career (three-fourths year); 2005: Career (three-fourths year); Career (one-fourth year); 2006: Appointed; 2007: Appointed; 2008: Appointed (one-third year); Career (two-thirds year); 2009: Career; 2010: Career (nine-tenths year); None (one-tenth year); 2011: Career; Number of different CIOs[A]: 5. Agency: DOT; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Career (one-third year); Appointed (two-thirds year); 2007: Appointed; 2008: Appointed; 2009: Career (one-third year); None (one-tenth year); Appointed (two- thirds year); 2010: Appointed; 2011: Appointed; Number of different CIOs[A]: 5. Agency: EPA; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Career; 2007: Appointed; 2008: Appointed; 2009: Career; 2010: Career (one-half year); Appointed (one-half year); 2011: Appointed; Number of different CIOs[A]: 5. Agency: NASA; CIO Tenure: 2004: Career; 2005: Career; 2006: Career (one-half year); Appointed (one-half year); 2007: Appointed (one-fourth year); Career (three-fourths year); 2008: Career; 2009: Career (one-third year); Appointed (two-thirds year); 2010: Career; 2011: Career; Number of different CIOs[A]: 5. Agency: SBA; CIO Tenure: 2004: Appointed (one-third year); Career (two-thirds year); 2005: Career (one-half year); None (one-half year); 2006: None (one-third year); Career (two-thirds year); 2007: Career; 2008: Career; 2009: Career (one-half year); Appointed (one-half year); 2010: Career (one-half year); Appointed (one-half year); 2011: Career; Number of different CIOs[A]: 5. Agency: State; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: None (one-tenth year); Career (nine-tenths year); 2010: Career; 2011: Career; Number of different CIOs[A]: 5. Agency: Agriculture; CIO Tenure: 2004: Appointed; 2005: Appointed (one-half year); None (one-half year); 2006: Appointed; 2007: Appointed (nine-tenths year); None (one-tenth year); 2008: Appointed; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 4. Agency: CFTC; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 4. Agency: Education; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Appointed (one-half year); Career (one-half year); 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 4. Agency: Energy; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 4. Agency: HHS; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 4. Agency: Navy; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Appointed (one-tenth year); Career (nine-tenths year); 2011: Career; Number of different CIOs[A]: 4. Agency: Labor; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Appointed; 2007: Appointed; 2008: Appointed; 2009: Career (one-third year); Appointed (two-thirds year); 2010: Appointed; 2011: Appointed; Number of different CIOs[A]: 3. Agency: NRC; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 3. Agency: SSA; CIO Tenure: 2004: Appointed; 2005: Appointed; 2006: Appointed; 2007: Appointed; 2008: Appointed; 2009: Career (two-thirds year); Appointed (one-third year); 2010: Appointed; 2011: Appointed; Number of different CIOs[A]: 3. Agency: FLRA[B]; CIO Tenure: 2004: None; 2005: None; 2006: None; 2007: None; 2008: None; 2009: None (one-third year); Career (two-thirds year); 2010: None (one-third year); Career (two-thirds year); 2011: Career; Number of different CIOs[A]: 2. Agency: GSA; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 2. Agency: NSF; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 2. Agency: OPM; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 2. Agency: Justice; CIO Tenure: 2004: Career; 2005: Career; 2006: Career; 2007: Career; 2008: Career; 2009: Career; 2010: Career; 2011: Career; Number of different CIOs[A]: 1. Source: GAO analysis of agency data. [A] The number of bar elements for an agency may not add up to the total in this column because some individual CIOs are shown more than once, as their circumstances changed (e.g., an acting CIO that became a permanent CIO). [B] FLRA did not have a CIO until 2009. It is one of the independent agencies that was not required to have a CIO under the Clinger-Cohen Act. [End of figure] Table 19: Statistical Analysis of CIO Tenure (2004-2011): Mean: Permanent and acting CIOs including current CIOs: 23; Permanent and acting CIOs excluding current CIOs: 23; Permanent CIOs including current CIOs: 31; Permanent CIOs excluding current CIOs: 33; Acting CIOs including current CIOs: 9; Acting CIOs excluding current CIOs: 9; Only current permanent CIOs: 25. Median: Permanent and acting CIOs including current CIOs: 18; Permanent and acting CIOs excluding current CIOs: 17; Permanent CIOs including current CIOs: 27; Permanent CIOs excluding current CIOs: 30; Acting CIOs including current CIOs: 7; Acting CIOs excluding current CIOs: 7; Only current permanent CIOs: 21. Minimum (in months): Permanent and acting CIOs including current CIOs: 0.3; Permanent and acting CIOs excluding current CIOs: 0.3; Permanent CIOs including current CIOs: 2; Permanent CIOs excluding current CIOs: 3; Acting CIOs including current CIOs: 0; Acting CIOs excluding current CIOs: 0; Only current permanent CIOs: 2. Maximum (in months): Permanent and acting CIOs including current CIOs: 160; Permanent and acting CIOs excluding current CIOs: 160; Permanent CIOs including current CIOs: 160; Permanent CIOs excluding current CIOs: 160; Acting CIOs including current CIOs: 74; Acting CIOs excluding current CIOs: 74; Only current permanent CIOs: 109. Number of CIOs in this population: Permanent and acting CIOs including current CIOs: 134; Permanent and acting CIOs excluding current CIOs: 104; Permanent CIOs including current CIOs: 86; Permanent CIOs excluding current CIOs: 60; Acting CIOs including current CIOs: 44; Acting CIOs excluding current CIOs: 41; Only current permanent CIOs: 26. Number of CIOs in office less than 3 years: Permanent and acting CIOs including current CIOs: 107; Permanent and acting CIOs excluding current CIOs: 83; Permanent CIOs including current CIOs: 60; Permanent CIOs excluding current CIOs: 40; Acting CIOs including current CIOs: 43; Acting CIOs excluding current CIOs: 40; Only current permanent CIOs: 20. Number of CIOs in office between 3 and 5 years: Permanent and acting CIOs including current CIOs: 20; Permanent and acting CIOs excluding current CIOs: 15; Permanent CIOs including current CIOs: 20; Permanent CIOs excluding current CIOs: 15; Acting CIOs including current CIOs: 0; Acting CIOs excluding current CIOs: 0; Only current permanent CIOs: 5. Percentage of CIOs in office greater than 5 years: Permanent and acting CIOs including current CIOs: 7%; Permanent and acting CIOs excluding current CIOs: 6%; Permanent CIOs including current CIOs: 6%; Permanent CIOs excluding current CIOs: 5%; Acting CIOs including current CIOs: 1%; Acting CIOs excluding current CIOs: 1%; Only current permanent CIOs: 1%. Percentage of CIOs in office at least 3 years: Permanent and acting CIOs including current CIOs: 15%; Permanent and acting CIOs excluding current CIOs: 14%; Permanent CIOs including current CIOs: 23%; Permanent CIOs excluding current CIOs: 25%; Acting CIOs including current CIOs: 0%; Acting CIOs excluding current CIOs: 0%; Only current permanent CIOs: 19%. Source: GAO analysis of agency data. Note: CIOs who moved from acting to permanent status have been treated as if they were permanent the entire time, and calculations were performed on their aggregated time as one length of service. Also, these acting CIOs who became permanent were not included in the acting calculations above. [End of table] [End of section] Appendix VI: Comments from the Department of Defense: Department Of Defense: Chief Information Officer: 6000 Defense Pentagon: Washington. D.C. 20301-6000: August 18, 2011: Ms. Cynthia Scott: Assistant Director: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Ms. Scott: The following are the DoD CIO's comments the GAO draft report GAO-I I - 634, "Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management" dated July 19, 2011 (GAO Code 310951). The Department concurs with the GAO recommendation that the Director OMB issue guidance to agencies, requiring that CIOs' responsibilities and authority, as defined in law, are fully implemented and that appropriate reporting mechanisms are established to validate that this has been accomplished. The Department further notes that Director OMB has taken the first steps in addressing the importance of these issues in his August 8, 2011, memo, "Chief Information Officer Authorities." Further, while current and former CIOs, as well as the Federal CIO, did not identify legislative changes needed to enhance CIOs' authority and generally felt that existing law provides sufficient authority, the Department (DoD CIO) believes there are legislative opportunities to clarify and strengthen CIO responsibilities and authorities that should be pursued. The most helpful of these would be a deconfliction of potentially overlapping responsibilities between the CIO and various other statutory officials, such as Chief Management Officers, Chief Performance Officers, Chief Acquisition Officers, and Chief Privacy Officers. The Department is currently revising the DoD CIO charter and other policies to address this issue internally, but there would be great value in having a clarified legislative basis for these CIO responsibilities and authorities. Sincerely, Signed by: Teresa M. Takai: [End of section] Appendix VII: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: August 19, 2011: Valerie C. Melvin: Director, Information Management and Human Capital Issues: 441 G Street, NW: U.S. Government Accountability Office: Washington, DC 20548: Re: Draft Report GAO-11-634, "Federal Chief Information Officers: Opportunities Exist to Improve Role in Information Technology Management" Dear Ms. Melvin: Thank you for the opportunity to review and comment on this draft report. The U.S. Department of Homeland Security (DHS) appreciates the U.S. Government Accountability Office's (GAO's) work in planning and conducting its review and issuing this report. Although the report does not contain any recommendations directed at DHS, the Department remains committed to working with the Office of Management and Budget and other relevant stakeholders to address the challenges agency Chief Information Officers face and increase the effectiveness of their efforts. Again, thank you for the opportunity to review and comment on this draft report. We look forward to working with you on future Homeland Security issues. Sincerely, Signed by: Jim H. Crumpacker: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix VIII: Comments from the Office of Personnel Management: United States Office of Personnel Management: Chief Information Officer: Washington, DC 20415: July 28, 2011: Cynthia Scott, Assistant Director: Information Management and Human Capital Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: OPM appreciates the opportunity to comment on the draft report, Federal Chief Information Officers, Opportunities Exist to Improve Role in Information Technology Management, GAO-11-634 regarding the role of Federal CIOs in meeting agency Information Resource Management (IRM) and Information Technology (IT) responsibilities. As you point out, "IT has the potential to enable federal agencies to accomplish their missions more quickly, effectively and economically...The CIO position was established by Congress to serve as a focal point for IT within an agency." OPM agrees that the CIO plays a critical, strategic role in ensuring every agency serves the American people well. Under this Administration, OPM has elevated the CIO position and brought it more in line with the original vision of the Clinger-Cohen Act (CCA). Previously, the CIO was buried beneath multiple layers of management, giving the Director little visibility into the health of OPM's many IT investments. Also, several areas of CIO responsibility under CCA - including some IT infrastructure functions - were managed by other parts of the agency. Director Berry consolidated these functions during reorganization early in his tenure and made the CIO a direct report. As a result, IT is better managed, more accountable and the CIO is a strategic player with a seat at the executive table. Today, all areas of IT and IRM fall within the CIO's purview at OPM. The one exception is that the statistical policy and coordination is primarily handled by OPM's Planning and Policy Analysis organization but with strong links to the CIO's office for technical direction and support. We have seen dramatic improvements in the way IT and IRM are managed and our IT investments are in better shape than ever before. Because of our own experience, we concur with your recommendation that OMB ensure that all agencies fully implement the organizational changes necessary to make the CIO role function the way it was designed. We also concur that establishing processes for documenting internal lessons learned and best practices regarding the management of IT and IRM would benefit the federal government as a whole. We look forward to OMB's concurrence on these items. Signed by: Matthew E. Perry: Chief Information Officer: [End of section] Appendix IX: GAO Contact and Staff Acknowledgments: GAO Contact: Valerie C. Melvin (202) 512-6304 or melvinv@gao.gov: Staff Acknowledgments: In addition to the contact named above, key contributions were made to this report by Cynthia J. Scott (Assistant Director); Michael Alexander; Cortland Bradford; Virginia Chanley; James Crimmer, Jr.; Neil Doherty; Ashfaq Huda; Lee McCracken; David Plocher; David A. Powner; Meredith R. Raymond; John M. Resser; Eric Trout; Christy Tyson; Walter Vance; and Merry Woo. [End of section] Footnotes: [1] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [2] GAO, Opportunities to Reduce Potential Duplication in Government Programs, Save Tax Dollars, and Enhance Revenue, [hyperlink, http://www.gao.gov/products/GAO-11-318SP] (Washington, D.C.: Mar. 1, 2011). An interactive, web-based version of the report is available at: [hyperlink, http://www.gao.gov/ereport/gao-11-318SP]. [3] Div. E, P.L. 104-106, (Feb. 10, 1996); 40 U.S.C 11101, et seq. The law, initially titled the Information Technology Management Reform Act, was subsequently renamed the Clinger-Cohen Act in P.L. 104-208, (Sept. 30, 1996). [4] GAO, Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges, [hyperlink, http://www.gao.gov/products/GAO-04-823] (Washington, D.C.: July 21, 2004). [5] These areas are IT strategic planning; IT workforce planning; capital planning and investment management; information security; information collection/paperwork reduction; information dissemination; information disclosure; statistical policy and coordination; records management; privacy; enterprise architecture; e-government initiatives; and systems acquisition, development, and integration. [6] The 30 agencies covered by this report were the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and the U.S. Agency for International Development; the Air Force, the Army, and the Navy; and the Corporation for National and Community Service, the Commodity Futures Trading Commission, and the Federal Labor Relations Authority. [7] IRM is the process of managing information resources to accomplish agency missions and to improve agency performance. [8] P.L. 96-511 (Dec. 11, 1980). [9] The act required OMB to oversee the acquisition and use of automatic data processing and telecommunications equipment (which later came to be known as IT). [10] Title VIII, P.L. 99-591 (Oct. 30, 1986); P.L. 104-13 (May 22, 1995). [11] 44 U.S.C. 3506. [12] 44 U.S.C. 3506 (h)(5). [13] 40 U.S.C. 11312 and 11313. [14] 40 U.S.C. 11315 and 44 U.S.C. 3506(a). The Clinger-Cohen Act requirement that agency CIOs have IRM as their primary duty applies to the 24 major departments and agencies listed in 31 U.S.C. 901(b). The E-Government Act of 2002 reiterated agency responsibility for information resources management. P.L. 107-347 (Dec. 17, 2002). [15] 5 U.S.C. 552a. [16] 44 U.S.C. 3541, et seq. [17] 5 U.S.C. 552. [18] GAO, Chief Information Officer: Ensuring Strong Leadership and an Effective Council, [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-98-22] (Washington D.C.: Oct. 27, 1997). [19] [hyperlink, http://www.gao.gov/products/GAO-04-823]. [20] GAO, Chief Information Officers: Responsibilities and Information Technology Governance at Leading Private-Sector Companies, [hyperlink, http://www.gao.gov/products/GAO-05-986] (Washington, D.C: September 14, 2005). [21] We visited companies recognized as leaders in IT management. In addition, we chose companies that performed activities similar to those performed by federal agencies (e.g. supply chain management, education, and income security). The companies visited included Walmart, International Business Machines, and General Motors. [22] We reduced the 13 areas reviewed in the federal CIO study to 12 in the private-sector study by combining information dissemination and information disclosure into a single function. In addition, we treated e-government in the public sector as equivalent to e-business/e- commerce in the private sector. [23] These areas were enterprise architecture, strategic planning, information collection, and information dissemination and disclosure. [24] GAO, Information Technology Management: Governmentwide Strategic Planning, Performance Measurement, and Investment Management Can Be Further Improved, [hyperlink, http://www.gao.gov/products/GAO-04-49] (Washington, D.C.: Jan. 12, 2004). [25] GAO, Executive Guide: Improving Mission Performance through Strategic Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1, 1994); and Executive Guide: Maximizing the Success of Chief Information Officers: Learning From Leading Organizations, [hyperlink, http://www.gao.gov/products/GAO-01-376G] (Washington, D.C.: Feb. 1, 2001). [26] [hyperlink, http://www.gao.gov/products/GAO-04-823]. [27] [hyperlink, http://www.gao.gov/products/GAO-11-278]. [28] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [29] For example, GAO, Information Technology: Treasury Needs to Strengthen Its Investment Board Operations and Oversight, [hyperlink, http://www.gao.gov/products/GAO-07-865] (Washington, D.C.: Jul. 23, 2007); Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments, [hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: Apr. 27, 2007); Information Technology: Centers for Medicare & Medicaid Services Needs to Establish Critical Investment Management Capabilities, [hyperlink, http://www.gao.gov/products/GAO-06-12] (Washington, D.C.: Oct. 28, 2005); Information Technology: Departmental Leadership Crucial to Success of Investment Reforms at Interior, [hyperlink, http://www.gao.gov/products/GAO-03-1028] (Washington, D.C.: Sept. 12, 2003); and United States Postal Service: Opportunities to Strengthen IT Investment Management Capabilities, [hyperlink, http://www.gao.gov/products/GAO-03-3] (Washington, D.C.: Oct. 15, 2002). [30] [hyperlink, http://www.gao.gov/products/GAO-07-424] and [hyperlink, http://www.gao.gov/products/GAO-07-865]. [31] GAO, Information Technology: Federal Agencies Need to Strengthen Investment Board Oversight of Poorly Planned and Performing Projects, [hyperlink, http://www.gao.gov/products/GAO-09-566] (Washington, D.C.: June 30, 2009). [32] [hyperlink, http://www.gao.gov/products/GAO-11-278]. [33] GAO, Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation, [hyperlink, http://www.gao.gov/products/GAO-06-831] (Washington, D.C.: Aug. 14, 2006). [34] GAO, Organizational Transformation: A Framework for Assessing and Improving Enterprise Architecture Management (Version 2.0), [hyperlink, http://www.gao.gov/products/GAO-10-846G] (Washington, D.C.: August 2010). [35] [hyperlink, http://www.gao.gov/products/GAO-11-278]. [36] GAO, Information Technology: Leading Commercial Practices for Outsourcing of Services, [hyperlink, http://www.gao.gov/products/GAO-02-214] (Washington, D.C.: Nov. 30, 2001). [37] For example, see GAO, Information Technology: Inconsistent Software Acquisition Processes at the Defense Logistics Agency Increase Project Risks, [hyperlink, http://www.gao.gov/products/GAO-02-9] (Washington, D.C.: Jan. 10, 2002); and HUD Information Systems: Immature Software Acquisition Capability Increases Project Risks, [hyperlink, http://www.gao.gov/products/GAO-01-962] (Washington, D.C.: Sept. 14, 2001). [38] GAO, Information Technology: Management Improvements Needed on Immigration and Customs Enforcement's Infrastructure Modernization Program, [hyperlink, http://www.gao.gov/products/GAO-05-805] (Washington, D.C.: Sept. 7, 2005). [39] [hyperlink, http://www.gao.gov/products/GAO-11-278]. [40] GAO, Electronic Government: Federal Agencies Have Made Progress Implementing the E-Government Act of 2002, [hyperlink, http://www.gao.gov/products/GAO-05-12 (Washington, D.C.: Dec. 10, 2004). [41] GAO, Information Management: Selected Agencies' Handling of Personal Information, [hyperlink, http://www.gao.gov/products/GAO-02-1058] (Washington, D.C.: September 30, 2002). [42] GAO, Privacy Act: OMB Leadership Needed to Improve Agency Compliance, [hyperlink, http://www.gao.gov/products/GAO-03-304] (Washington, D.C.: June 30, 2003). [43] GAO, Paperwork Reduction Act: New Approach May Be Needed to Reduce Government Burden on Public, [hyperlink, http://www.gao.gov/products/GAO-05-424] (Washington, D.C.: May 2005). [44] GAO, Federal Records: National Archives and Selected Agencies Need to Strengthen E-Mail Management, [hyperlink, http://www.gao.gov/products/GAO-08-742] (Washington, D.C.: June 13, 2008). [45] GAO, Freedom Of Information Act: Agencies Are Making Progress in Reducing Backlog, but Additional Guidance Is Needed, [hyperlink, http://www.gao.gov/products/GAO-08-344] (Washington, D.C.: March 14, 2008). [46] GAO, Information Management: Challenges in Federal Agencies' Use of Web 2.0 Technologies, [hyperlink, http://www.gao.gov/products/GAO-10-872T] (Washington, D.C.: July 22, 2010). [47] GAO, Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate, [hyperlink, http://www.gao.gov/products/GAO-11-605] (Washington, D.C.: Jun. 28, 2011). [48] This refers to services that can be deployed rapidly and solutions that will result in substantial cost savings, allowing agencies to optimize spending and reinvest in their most critical mission needs. [49] GAO, Information Technology: Investment Oversight and Management Have Improved but Continued Attention is Needed, [hyperlink, http://www.gao.gov/products/GAO-11-454T] (Washington, D.C.: Mar. 17, 2011). [50] GAO, Information Technology: OMB's Dashboard Has Increased Transparency and Oversight, but Improvements Needed, [hyperlink, http://www.gao.gov/products/GAO-10-701] (Washington, D.C.: July 16, 2010) and Information Technology: OMB Has Made Improvements to Its Dashboard, but Further Work Is Needed by Agencies and OMB to Ensure Data Accuracy, [hyperlink, http://www.gao.gov/products/GAO-11-262] (Washington, D.C.: Mar. 15, 2011). [51] [hyperlink, http://www.gao.gov/products/GAO-11-454T]. [52] For comparison to our 2004 report, we did not include the three small, independent agencies in this count. [53] OMB Memorandum M-05-08 required agencies to designate a senior official who has the overall agencywide responsibility for information privacy issues. It further indicated that if the CIO is not designated as responsible for privacy, the agency may designate another senior official (at the Assistant Secretary or equivalent level) with agencywide responsibility for information privacy issues. [54] Principal Statistical Agencies include the Bureau of Economic Analysis (Department of Commerce), Bureau of Justice Statistics (Department of Justice), Bureau of Labor Statistics (Department of Labor), Bureau of Transportation Statistics (Department of Transportation), Economic Research Service (Department of Agriculture), Energy Information Administration (Department of Energy), Environmental Protection Agency, Internal Revenue Service's Statistics of Income Division (Department of the Treasury), National Agricultural Statistics Service (Department of Agriculture), National Center for Education Statistics (Department of Education), National Center for Health Statistics (Department of Health and Human Services), Science Resources Statistics (National Science Foundation), Office of Program Development and Research (Social Security Administration), Office of Management and Budget (Executive Office of the President), and the U.S. Census Bureau (Department of Commerce). [55] Infrastructure issues could refer to any problems with keeping an agency's core IT functions running, such as e-mail. [56] The federal CIO Council is the principal interagency forum to improve agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources. [57] Cloud computing is an emerging form of computing where users have access to scalable, on-demand capabilities that are provided through Internet-based technologies. [58] This refers to systems used to carry out routine tasks (e.g., e- mail, data centers, web infrastructure). [59] [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-98-22]. [60] U.S. Senate Committee on Governmental Affairs, Paperwork Reduction Act of 1995, Senate Report 104-8 (Washington, D.C.: Jan. 30, 1995). [61] House of Representatives, National Defense Authorization Act for Fiscal Year 1996, Conference Report to Accompany S.1124, House Report 104-450 (Washington, D.C.: Jan. 22, 1996). [62] Our last review included CIOs who were in office between February 10, 1996, and March 1, 2004. This review included CIOs who were in office between January 15, 2004, and March 15, 2011. [63] This only included CIOs who had completed their time in office. [64] [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-98-22]. [65] This is referring to investments requiring an OMB exhibit 300. Each year, agencies submit to OMB a Capital Asset Plan and Business Case--the exhibit 300--to justify each request for a major information technology investment. [66] GAO, Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems, [hyperlink, http://www.gao.gov/products/GAO-04-509] (Washington, D.C.: May 21, 2004). [67] [hyperlink, http://www.gao.gov/products/GAO-06-11]. [68] [hyperlink, http://www.gao.gov/products/GAO-04-823]. [69] OMB, Memorandum for the Heads of Executive Departments and Agencies, M-09-02 (Washington, D.C.: Oct. 21, 2008). [70] OMB, Memorandum for Heads of Executive Departments and Agencies, M-11-29 (Washington, D.C.: Aug. 8, 2011). [71] The Council advises and assists the President in ensuring that government reform is implemented throughout the executive branch. The Council's functions include improving overall executive branch management; coordinating management-related efforts to improve government; ensuring the adoption of new management practices in agencies; and identifying examples of, and providing mechanisms for, interagency exchange of information about best management practices. [72] OMB, Statement by Steven VanRoekel, Federal CIO, August 8, 2011, [hyperlink, http://www.whitehouse.gov/blog/2011/08/08/changing-role- federal-chief-information-officer]. [73] OMB Circular A-130 requires agencies to conduct postimplementation reviews to assess the project's impact on mission performance and document lessons learned. [74] GAO, NASA: Better Mechanisms Needed for Sharing Lessons Learned, [hyperlink, http://www.gao.gov/products/GAO-02-195] (Washington, D.C.: Jan. 30, 2002). [75] OMB, Circular No. A-130 (Washington, D.C.: Nov. 28, 2000). [76] GAO, Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges, [hyperlink, http://www.gao.gov/products/GAO-04-823] (Washington, D.C.: July 21, 2004). [77] Gartner, The Role of Federal Government CIOs Must Evolve, ID Number: G00130848 (Sept. 28, 2005); 2011 Predicts: Government CIOs Must Balance Cost Containment With IT Innovation, ID Number: G00208687 (Nov. 17, 2010); and Private-Turned-Public CIOs Must Acquire Different Political and Interpersonal Skills, ID Number G00127518 (July 1, 2005). [78] Deloitte, CIO 2.0: The Changing Role of the CIO in Government (2004); and Top Ten Challenges for CIOs in 2010: Tough Growth, Tough Decisions (2010). [79] OMB, 25 Point Implementation Plan to Reform Federal Information Technology Management (Dec. 9, 2010). [80] We selected agencies to represent a range of 2011 IT budget estimates of approximately $25 million to $860 million. [81] [hyperlink, http://www.gao.gov/products/GAO-04-823]. [82] When comparing results between this report and our 2004 review, we did not include information from the three small, independent agencies, as they were not involved in our 2004 review. [83] GAO, Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems, [hyperlink, http://www.gao.gov/products/GAO-04-509] (Washington, D.C.: May 21, 2004); Information Technology: HHS Has Several Investment Management Capabilities in Place but Needs to Address Key Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-06-11] (Washington, D.C.: Oct. 28, 2005); DOD Business Transformation: Improved Management Oversight of Business Systems Modernization Efforts Needed, [hyperlink, http://www.gao.gov/products/GAO-11-53] (Washington, D.C.: Oct. 7, 2010); and [hyperlink, http://www.gao.gov/products/GAO-04-823]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: