Federal Chief Information Officers:
Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities
GAO-18-93: Published: Aug 2, 2018. Publicly Released: Aug 2, 2018.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
- Related WatchBlog Post:
Contact:
(202) 512-4456
harriscc@gao.gov
David A. Powner
(202) 512-9286
pownerd@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified (see figure 1).
Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area
Among other things, officials from most agencies stated that their CIOs are implementing the responsibilities even when not required in policy. Nevertheless, the 24 selected CIOs acknowledged in their responses to GAO's survey that they were not always very effective in implementing the six information technology (IT) management areas (see figure 2). Until agencies fully address the role of CIOs in their policies, agencies will be limited in addressing longstanding IT management challenges.
Figure 2: Extent to Which Chief Information Officers Reported Effective Implementation of Six Responsibility Areas, Presented from Most Effective to Least Effective Area
Shortcomings in agencies' policies are partially attributable to two weaknesses in the Office of Management and Budget's (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program. Correspondingly, the majority of the agencies' policies did not fully address nearly all of the responsibilities not included in OMB guidance. Second, OMB guidance does not ensure that CIOs have a significant role in (1) IT planning, programming, and budgeting decisions and (2) execution decisions and the management, governance, and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain, and secure their IT systems.
In GAO's survey, the 24 agency CIOs identified a number of factors that enabled and challenged their ability to effectively manage IT. In particular, five factors were identified by at least half of the 24 CIOs as major enablers and three factors were identified by at least half of the CIOs as major challenges. (see figure 3). Further, GAO noted that agencies continue to lack consistent leadership in the CIO position.
Figure 3: Factors Commonly Identified as Enabling and Challenging Chief Information Officers (CIO) to Effectively Manage Information Technology (IT), Presented from Most Enabling to Least Enabling Factor
Why GAO Did This Study
Agencies plan to spend more than $96 billion on IT in fiscal year 2018; however, they continue to face longstanding challenges in doing so. Congress established the CIO position to serve as an agency focal point for IT to address these challenges.
Recognizing the importance of the CIO position to successful IT management, GAO was asked to conduct a government-wide review of CIO responsibilities. GAO's objectives were to determine (1) the extent to which agencies have addressed the role of the CIO in accordance with federal laws and guidance, and (2) major factors that have enabled and challenged agency CIOs in fulfilling their responsibilities to carry out federal laws and guidance. To do so, GAO reviewed laws and OMB guidance to identify key IT management responsibilities of federal agency CIOs and then compared them to policies of the 24 Chief Financial Officers Act agencies. GAO also administered a survey to 24 CIOs and interviewed current CIOs, as well as OMB officials.
What GAO Recommends
GAO is making three recommendations to OMB and one recommendation to each of the 24 federal agencies to improve the effectiveness of CIOs' implementation of their responsibilities for each of the six IT management areas. (See the next page for additional information on these recommendations).
For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov or Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.
Recommendations for Executive Action
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of the Office of Management and Budget should update existing guidance to clearly explain how agencies are to address the role of CIOs to comply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT. (Recommendation 2)
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)
Agency Affected: Department of Agriculture
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)
Agency Affected: Department of Commerce
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)
Agency Affected: Department of Defense
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)
Agency Affected: Department of Education
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)
Agency Affected: Department of Energy
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)
Agency Affected: Department of Health and Human Services
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)
Agency Affected: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)
Agency Affected: Department of the Interior
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)
Agency Affected: Department of Justice
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)
Agency Affected: Department of Labor
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)
Agency Affected: Department of State
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)
Agency Affected: Department of Transportation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)
Agency Affected: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)
Agency Affected: Department of Veterans Affairs
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)
Agency Affected: Environmental Protection Agency
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of the General Services Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 20)
Agency Affected: General Services Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)
Agency Affected: National Aeronautics and Space Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)
Agency Affected: National Science Foundation
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)
Agency Affected: Nuclear Regulatory Commission
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)
Agency Affected: Office of Personnel Management
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)
Agency Affected: Small Business Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Commissioner of the Social Security Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 26)
Agency Affected: Social Security Administration
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Administrator of the U.S. Agency for International Development should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 27)
Agency Affected: United States Agency for International Development
Explore the full database of GAO's Open Recommendations
»
Dec 13, 2018
-
Open Data:
Treasury Could Better Align USAspending.gov with Key Practices and Search RequirementsGAO-19-72: Published: Dec 13, 2018. Publicly Released: Dec 13, 2018.
Dec 12, 2018
-
Information Technology:
Implementation of Recommendations Is Needed to Strengthen Acquisitions, Operations, and CybersecurityGAO-19-275T: Published: Dec 12, 2018. Publicly Released: Dec 12, 2018.
Dec 11, 2018
-
Information Technology:
Agencies Need Better Information on the Use of Noncompetitive and Bridge ContractsGAO-19-63: Published: Dec 11, 2018. Publicly Released: Dec 11, 2018.
Nov 13, 2018
-
Information Technology:
Departments Need to Improve Chief Information Officers' Review and Approval of IT BudgetsGAO-19-49: Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Sep 27, 2018
-
Information Technology:
SSA Has Improved Acquisitions and Operations, but Needs to Fully Address the Role of Its Chief Information OfficerGAO-18-703T: Published: Sep 27, 2018. Publicly Released: Sep 27, 2018.
Jun 13, 2018
-
VA Health Care:
Independent Verification and Validation of Patient Self-Scheduling Systems Was Consistent with the Faster Care for Veterans Act of 2016GAO-18-442R: Published: Jun 13, 2018. Publicly Released: Jun 13, 2018.
May 24, 2018
-
DOD Major Automated Information Systems:
Adherence to Best Practices Is Needed to Better Manage and Oversee Business ProgramsGAO-18-326: Published: May 24, 2018. Publicly Released: May 24, 2018.
May 23, 2018
-
Data Center Optimization:
Continued Agency Actions Needed to Meet Goals and Address Prior RecommendationsGAO-18-264: Published: May 23, 2018. Publicly Released: May 23, 2018. -
Information Technology:
Continued Implementation of High-Risk Recommendations Is Needed to Better Manage Acquisitions Operations and CybersecurityGAO-18-566T: Published: May 23, 2018. Publicly Released: May 23, 2018.
May 22, 2018
-
NASA Information Technology:
Urgent Action Needed to Address Significant Management and Cybersecurity WeaknessesGAO-18-337: Published: May 22, 2018. Publicly Released: May 22, 2018.
Looking for more? Browse all our products here