Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities

GAO-18-93 Published: Aug 02, 2018. Publicly Released: Aug 02, 2018.

Highlights

What GAO Found

None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified (see figure 1).

Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area

Among other things, officials from most agencies stated that their CIOs are implementing the responsibilities even when not required in policy. Nevertheless, the 24 selected CIOs acknowledged in their responses to GAO's survey that they were not always very effective in implementing the six information technology (IT) management areas (see figure 2). Until agencies fully address the role of CIOs in their policies, agencies will be limited in addressing longstanding IT management challenges.

Figure 2: Extent to Which Chief Information Officers Reported Effective Implementation of Six Responsibility Areas, Presented from Most Effective to Least Effective Area

Shortcomings in agencies' policies are partially attributable to two weaknesses in the Office of Management and Budget's (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program. Correspondingly, the majority of the agencies' policies did not fully address nearly all of the responsibilities not included in OMB guidance. Second, OMB guidance does not ensure that CIOs have a significant role in (1) IT planning, programming, and budgeting decisions and (2) execution decisions and the management, governance, and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain, and secure their IT systems.

In GAO's survey, the 24 agency CIOs identified a number of factors that enabled and challenged their ability to effectively manage IT. In particular, five factors were identified by at least half of the 24 CIOs as major enablers and three factors were identified by at least half of the CIOs as major challenges. (see figure 3). Further, GAO noted that agencies continue to lack consistent leadership in the CIO position.

Figure 3: Factors Commonly Identified as Enabling and Challenging Chief Information Officers (CIO) to Effectively Manage Information Technology (IT), Presented from Most Enabling to Least Enabling Factor

Although OMB has issued guidance aimed at addressing the three factors that were identified by at least half of the CIOs as major challenges, the guidance does not fully address those challenges. In particular, with respect to the challenges relating to IT personnel, OMB's guidance does not address key CIO responsibilities, as previously noted. Further, regarding the financial resources challenge, OMB recently required agencies to provide data on CIO authority over IT spending; however, OMB's guidance does not provide a complete definition of the authority. In the absence of this guidance from OMB, agencies have created varying definitions of CIO authority. Until OMB updates its guidance to include a complete definition of the authority that CIOs are to have over IT spending, it will be difficult for OMB to identify any deficiencies in this area and help agencies to make any needed improvements.

Why GAO Did This Study

Agencies plan to spend more than $96 billion on IT in fiscal year 2018; however, they continue to face longstanding challenges in doing so. Congress established the CIO position to serve as an agency focal point for IT to address these challenges.

Recognizing the importance of the CIO position to successful IT management, GAO was asked to conduct a government-wide review of CIO responsibilities. GAO's objectives were to determine (1) the extent to which agencies have addressed the role of the CIO in accordance with federal laws and guidance, and (2) major factors that have enabled and challenged agency CIOs in fulfilling their responsibilities to carry out federal laws and guidance. To do so, GAO reviewed laws and OMB guidance to identify key IT management responsibilities of federal agency CIOs and then compared them to policies of the 24 Chief Financial Officers Act agencies. GAO also administered a survey to 24 CIOs and interviewed current CIOs, as well as OMB officials.

Recommendations

GAO is making three recommendations to OMB and one recommendation to each of the 24 federal agencies to improve the effectiveness of CIOs' implementation of their responsibilities for each of the six IT management areas. (See the next page for additional information on these recommendations).

GAO is making the following three recommendations to OMB:

1. Issue guidance that addresses theresponsibilities that are notincluded in existing OMBguidance--in particular thoserelating to IT workforce.

2. Update existing guidance toclearly explain how agencies areto address the role of CIOs tocomply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT.

3. Define the authority that CIOs areto have when agencies report onCIO authority over IT spending.

GAO is also making a recommendation to each of the 24 federal agencies to address weaknesses related to the six key areas of CIO responsibility.

Fourteen agencies agreed with GAO's recommendations, and five agencies had no comments on the recommendations.

In addition, five agencies (including OMB) partially agreed with GAO's recommendations and one agency disagreed. In particular, five of these agencies did not agree with select assessments of select CIO responsibilities. GAO subsequently updated two assessments but believes the other assessments and related recommendations are warranted, as discussed in the report. The remaining agency--OMB--partially agreed with GAO's recommendation to issue guidance for responsibilities that are not included in existing OMB guidance. GAO continues to believe that this recommendation is warranted, as discussed in the report.

Moreover, after GAO provided the draft report to OMB for comment, the President signed an executive order that, among other things, clarified the role that CIOs are to have in the management, governance, and oversight processes related to IT. The executive order is responsive to GAO's related recommendation. GAO will continue to monitor agencies' implementation of the executive order.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Office of Management and Budget	The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)	Open At the issuance of our report, the agency partially agreed with the recommendation and stated that it planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of January 2025, OMB stated that it had actions planned, but not yet underway to address this recommendation. We will continue to monitor the steps the agency takes to implement this recommendation.
Office of Management and Budget	The Director of the Office of Management and Budget should update existing guidance to clearly explain how agencies are to address the role of CIOs to comply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT. (Recommendation 2)	Closed – Implemented The agency agreed with the recommendation and the President signed an executive order that addressed this recommendation. In particular, the order requires that agency Chief Information Officers (CIOs) be a member of any investment board with purview over IT, or any board responsible for setting agency-wide information technology standards. Further, the order requires the head of each agency to direct the CIO to chair any such boards, as appropriate and consistent with applicable law. In doing so, the President has ensured that agency CIOs are responsible and accountable for all IT across their respective agencies, and CIOs are more effectively positioned to acquire, operate, maintain,... and secure their systems. View More
Office of Management and Budget	The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)	Open The agency agreed with the recommendation. In a January 2025 update, OMB stated that it had action planned to address this recommendation, but not yet underway. We will continue to monitor the steps the agency takes to address this recommendation.
Department of Agriculture	The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)	Closed – Implemented The agency agreed with the recommendation and in May 2019 and May 2021, the agency revised its policies to address the 22 responsibility gaps identified in the report. By fully addressing the role of its CIO in the agency's policies, USDA has better positioned itself to address the government's long-standing IT management challenges.
Department of Commerce	The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)	Open The agency agreed with the recommendation and, in October 2018, described a number of steps it planned to take to address the responsibility gaps identified in the report. As of December 2024, of the 16 responsibility gaps we identified, Commerce has partially addressed four. Two of the responsibilities are no longer applicable due to a sunset provision in the law. The remaining 10 responsibilities have not been established through policy. We will continue to monitor the steps agency takes to address these requirements
Department of Defense	The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)	Open – Partially Addressed DOD agreed with the portion of our recommendation related to the IT leadership and accountability responsibilities, partially agreed with the portion of our recommendation related to IT strategic planning, workforce, and information security, and did not agree with the portion of our recommendation regarding investment management. As of January 2025, the department has taken some steps to implement the recommendation. Specifically, of the nine responsibility gaps we identified, DOD has fully addressed two and partially addressed three. The remaining four responsibilities have not been established through agency policy. We will continue to monitor the steps the department takes to address... these requirements. View More
Department of Education	The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)	Open The department agreed with our recommendation. As of May 2025, the department stated the Corrective Action Plan has been developed and the recommendation is being implemented. Education has taken some steps to implement the recommendation. Specifically, of the 17 responsibility gaps we identified, Education has addressed nine and partially addressed two. The remaining six responsibilities have not been established through agency policy. We will continue to monitor the steps the department takes to address these requirements.
Department of Energy	The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)	Closed – Implemented The department agreed with our recommendation. As of January 2024, Energy had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed 11 responsibility gaps and partially addressed five responsibility gaps. As a result, we believe Energy has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, Energy has better positioned itself to address the government's long-standing IT management challenges.
Department of Health and Human Services	The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)	Open The agency agreed with the recommendation and revised its policies to address some of responsibility gaps identified in the report. As of December 2024, of the 23 responsibility gaps, the agency had addressed 10 responsibilities and partially addressed three. Two of the responsibilities are no longer applicable due to a sunset provision in the law. The remaining eight responsibilities have not been established through agency policy. We will continue to monitor the steps the agency takes to address the remaining responsibilities.
Department of Homeland Security	The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)	Closed – Implemented The agency agreed with the recommendation, and as of September 2022, DHS had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed 19 responsibility gaps. In addition, DHS has a policy that partially addresses one other responsibility gap. As a result, we believe DHS has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, DHS has better positioned itself to address the government's long-standing IT management challenges.
Department of Housing and Urban Development	The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)	Open HUD did not comment on the recommendation, but has started work to address it. As of August 2024, the department has taken steps to implement the recommendation. Specifically, of the 24 responsibility gaps identified in the report, the agency addressed four responsibilities, partially addressed four of the responsibilities, and has not addressed 16 of them. We will continue to monitor the steps the agency takes to address these requirements.
Department of the Interior	The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)	Open The department indicated that it has work underway to address this recommendation, which it originally planned to complete in June 2021. As of December 2024, the department has taken some steps to implement this recommendation. Specifically, of the 17 responsibility gaps identified in the report, the agency addressed three responsibilities, partially addressed two of the responsibilities, and has not addressed 10 of them. Two of the responsibilities are no longer applicable due to a sunset provision in the law. We will continue to monitor the steps the agency takes to address these requirements.
Department of Justice	The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)	Closed – Implemented Justice concurred with our recommendations. As of January 2024, Justice had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed two responsibilities and partially addressed eight of the responsibilities. As a result, we believe Justice has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, Justice has better positioned itself to address the government's long-standing IT management challenges.
Department of Labor	The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)	Closed – Implemented Labor did not comment on the recommendation but has taken steps to implement this recommendation. As of February 2024, Labor had addressed the majority of the responsibility gaps we identified in our report. Specifically, the department had fully addressed 10 responsibilities and partially addressed four. As a result, we believe Labor has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, Labor has better positioned itself to address the government's long-standing IT management challenges.
Department of State	The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)	Open State agreed with the recommendation and has taken steps in response to it. As of February 2025, of the 24 responsibility gaps identified in the report, the agency had addressed 10 responsibilities, partially addressed six, and had not yet addressed eight of them. We will continue to monitor the steps the agency takes to address these requirements.
Department of Transportation	The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)	Open DOT agreed with many of the responsibilities in our recommendation and planned to leverage their technical infrastructure modernization initiative to further define the Chief Information Officer (CIO) responsibilities identified in the report. As of February 2025, of the 18 responsibility gaps identified in the report, the agency addressed one responsibility, partially addressed five of the responsibilities, and has not addressed 10 of them. Two of the responsibilities are no longer applicable due to a sunset provision in the law. When we confirm the actions the agency has taken to address the responsibility gaps identified in the report, we will provide updated information.
Department of the Treasury	The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)	Open The agency did not comment on the report. As of May 2025, Treasury has taken some steps to implement the recommendation. Specifically, of the 28 Chief Information Officer (CIO) responsibility gaps, two responsibilities have been fully addressed, five have been partially addressed, and 19 have not yet been addressed. Two of the responsibilities are no longer applicable due to a sunset provision in the law. We will continue to monitor the steps the agency takes to address these requirements.
Department of Veterans Affairs	The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)	Open VA agreed with our recommendation and began working to address it. As of December 2024, the department has taken steps to implement the recommendation. Specifically, of the 21 Chief Information Officer (CIO) responsibility gaps, three responsibilities have been fully addressed, three have been partially addressed, and 13 have not yet been addressed. Two of the responsibilities are no longer applicable due to a sunset provision in the law. When we confirm additional actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency	The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)	Closed – Implemented EPA neither agreed nor disagreed with our recommendation. As of March 2024, we confirmed that, in response to our recommendation, EPA had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed eleven responsibilities and partially addressed three of the responsibilities. As a result, we believe EPA has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, EPA has better positioned itself to address the government's long-standing IT management challenges.
General Services Administration	The Administrator of the General Services Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 20)	Closed – Implemented Although the General Services Administration (GSA) partially agreed with our recommendation, it fully addressed the recommendation in September 2019. In particular, it revised its Enterprise Information Technology Management Policy in September 2019 to include the CIO responsibilities we identified in our report. By implementing this recommendation, GSA will be better able to address longstanding federal IT management challenges.
National Aeronautics and Space Administration	The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)	Closed – Implemented NASA concurred with our recommendation, and as of September 2022, NASA had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed 19 responsibility gaps. In addition, NASA has policies that partially address two other responsibility gaps. As a result, we believe NASA has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, NASA has better positioned itself to address the government's long-standing IT management challenges.
National Science Foundation	The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)	Closed – Implemented NSF concurred with our recommendation, and as of September 2022, NSF had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed 22 responsibility gaps. In addition, NSF has efforts underway to address the remaining responsibility gap. As a result, we believe NSF has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, NSF has better positioned itself to address the government's long-standing IT management challenges.
Nuclear Regulatory Commission	The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)	Closed – Implemented NRC disagreed with our recommendation, but generally agreed with the findings in the report. Even so, as of September 2022, NRC had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed 13 responsibility gaps. In addition, NRC has a policy that partially addresses one other responsibility gap. As a result, we believe NRC has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, NRC has better positioned itself to address the government's long-standing IT management challenges.
Office of Personnel Management	The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)	Closed – Implemented OPM concurred with our recommendations. As of February 2024, OPM had addressed the majority of the responsibility gaps we identified in our report. Specifically, the agency had fully addressed thirteen responsibilities and partially addressed two of the responsibilities. As a result, we believe OPM has met the intent of the recommendation. By addressing the role of its CIO in the agency's policies, OPM has better positioned itself to address the government's long-standing IT management challenges.
Small Business Administration	The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)	Closed – Implemented SBA agreed with most of our recommendations and, in January 2022, the agency revised its Standard Operating Procedure to include the CIO responsibilities we identified in our report. By implementing this recommendation, SBA will be better able to address longstanding federal IT management challenges.
Social Security Administration	The Commissioner of the Social Security Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 26)	Closed – Implemented SSA agreed with our recommendation and, in 2019 and 2020, the agency revised its departmental policies to address the 16 responsibility gaps identified in the report. Among other things, it revised its Chief Information Officer authorities directive, Incremental Development Policy, CIO Ratings policy, and Capital Planning and Investment Control policy. By implementing this recommendation, SSA will be better able to address longstanding federal IT management challenges.
U.S. Agency for International Development	The Administrator of the U.S. Agency for International Development should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 27)	Closed – Implemented The agency did not state whether it agreed or disagreed with the recommendation. However, in May 2019, June 2019, and April 2020, the agency revised its policies to address the 22 responsibility gaps identified in the report. By fully addressing the role of its CIO in the agency's policies, USAID has better positioned itself to address the government's long-standing IT management challenges.

See All 27 Recommendations

Full Report

Highlights Page (2 pages)

Full Report (195 pages)

Accessible PDF (248 pages)

GAO Contacts

Carol C. Harris

Director

Information Technology and Cybersecurity

harriscc@gao.gov

David A. Powner

pownerd@gao.gov

Media Inquiries

Sarah Kaczmarek

Managing Director

Office of Public Affairs

media@gao.gov

Public Inquiries

Topics

Information Technology

Chief information officersCybersecurityFederal spendingIT investmentsIT managementIT personnelInformation securityInformation systemsInformation technologyPolicies and proceduresRisk managementCompliance oversight