Skip to Highlights
Highlights

What GAO Found

None of the 24 agencies have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified (see figure 1).

Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area

Figure 1: Extent to Which 24 Agencies' Policies Addressed the Role of Their Chief Information Officers, Presented from Most Addressed to Least Addressed Area

Among other things, officials from most agencies stated that their CIOs are implementing the responsibilities even when not required in policy. Nevertheless, the 24 selected CIOs acknowledged in their responses to GAO's survey that they were not always very effective in implementing the six information technology (IT) management areas (see figure 2). Until agencies fully address the role of CIOs in their policies, agencies will be limited in addressing longstanding IT management challenges.

Figure 2: Extent to Which Chief Information Officers Reported Effective Implementation of Six Responsibility Areas, Presented from Most Effective to Least Effective Area

Shortcomings in agencies' policies are partially attributable to two weaknesses in the Office of Management and Budget's (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program. Correspondingly, the majority of the agencies' policies did not fully address nearly all of the responsibilities not included in OMB guidance. Second, OMB guidance does not ensure that CIOs have a significant role in (1) IT planning, programming, and budgeting decisions and (2) execution decisions and the management, governance, and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain, and secure their IT systems.

In GAO's survey, the 24 agency CIOs identified a number of factors that enabled and challenged their ability to effectively manage IT. In particular, five factors were identified by at least half of the 24 CIOs as major enablers and three factors were identified by at least half of the CIOs as major challenges. (see figure 3). Further, GAO noted that agencies continue to lack consistent leadership in the CIO position.

Figure 3: Factors Commonly Identified as Enabling and Challenging Chief Information Officers (CIO) to Effectively Manage Information Technology (IT), Presented from Most Enabling to Least Enabling Factor

Why GAO Did This Study

Agencies plan to spend more than $96 billion on IT in fiscal year 2018; however, they continue to face longstanding challenges in doing so. Congress established the CIO position to serve as an agency focal point for IT to address these challenges.

Recognizing the importance of the CIO position to successful IT management, GAO was asked to conduct a government-wide review of CIO responsibilities. GAO's objectives were to determine (1) the extent to which agencies have addressed the role of the CIO in accordance with federal laws and guidance, and (2) major factors that have enabled and challenged agency CIOs in fulfilling their responsibilities to carry out federal laws and guidance. To do so, GAO reviewed laws and OMB guidance to identify key IT management responsibilities of federal agency CIOs and then compared them to policies of the 24 Chief Financial Officers Act agencies. GAO also administered a survey to 24 CIOs and interviewed current CIOs, as well as OMB officials.

Skip to Recommendations

Recommendations

GAO is making three recommendations to OMB and one recommendation to each of the 24 federal agencies to improve the effectiveness of CIOs' implementation of their responsibilities for each of the six IT management areas. (See the next page for additional information on these recommendations).

GAO is making the following three recommendations to OMB:
 
1.  Issue guidance that addresses theresponsibilities that are notincluded in existing OMBguidance--in particular thoserelating to IT workforce.
 
2.  Update existing guidance toclearly explain how agencies areto address the role of CIOs tocomply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT.
 
3.  Define the authority that CIOs areto have when agencies report onCIO authority over IT spending.
 
GAO is also making a recommendation to each of the 24 federal agencies to address weaknesses related to the six key areas of CIO responsibility.
 
Fourteen agencies agreed with GAO's recommendations, and five agencies had no comments on the recommendations.
 
In addition, five agencies (including OMB) partially agreed with GAO's recommendations and one agency disagreed. In particular, five of these agencies did not agree with select assessments of select CIO responsibilities. GAO subsequently updated two assessments but believes the other assessments and related recommendations are warranted, as discussed in the report. The remaining agency--OMB--partially agreed with GAO's recommendation to issue guidance for responsibilities that are not included in existing OMB guidance. GAO continues to believe that this recommendation is warranted, as discussed in the report.
 
Moreover, after GAO provided the draft report to OMB for comment, the President signed an executive order that, among other things, clarified the role that CIOs are to have in the management, governance, and oversight processes related to IT. The executive order is responsive to GAO's related recommendation. GAO will continue to monitor agencies' implementation of the executive order.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of the Office of Management and Budget should issue guidance that addresses the 12 CIO responsibilities discussed in this report that are not included in existing OMB guidance--in particular those relating to IT workforce matters. (Recommendation 1)
Open
The agency partially agreed with the recommendation, and planned to issue guidance that addressed eight of the 12 CIO responsibilities discussed in this report that were not included in existing OMB guidance. As of July 2020, the agency had not issued such guidance and asserted that its existing Circular A-130 guidance is adequate to address this recommendation. However, the Circular A-130 does not address these 12 CIO responsibilities. We will continue to monitor the steps the agency takes to address these responsibilities.
Office of Management and Budget The Director of the Office of Management and Budget should update existing guidance to clearly explain how agencies are to address the role of CIOs to comply with the statutory requirements for CIOs to have a significant role in (1) budgeting decisions and (2) the management, governance, and oversight processes related to IT. (Recommendation 2)
Closed - Implemented
The agency agreed with the recommendation and the President signed an executive order that addressed this recommendation. In particular, the order requires that agency Chief Information Officers (CIOs) be a member of any investment board with purview over IT, or any board responsible for setting agency-wide information technology standards. Further, the order requires the head of each agency to direct the CIO to chair any such boards, as appropriate and consistent with applicable law. In doing so, the President has ensured that agency CIOs are responsible and accountable for all IT across their respective agencies, and CIOs are more effectively positioned to acquire, operate, maintain, and secure their systems.
Office of Management and Budget The Director of the Office of Management and Budget should define the authority that CIOs are to have when agencies report on CIO authority over IT spending. (Recommendation 3)
Open
The agency agreed with the recommendation to define the authority that Chief Information Officers (CIOs) are to have when agencies report on CIO authority over information technology spending. However, as of November 2020, the agency had not updated its definition. We will continue to monitor the steps the agency takes to address this recommendation.
Department of Agriculture The Secretary of Agriculture should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 4)
Closed - Implemented
The agency agreed with the recommendation and in May 2019 and May 2021, the agency revised its policies to address the 22 responsibility gaps identified in the report. By fully addressing the role of its CIO in the agency's policies, USDA has better positioned itself to address the government's long-standing IT management challenges.
Department of Commerce The Secretary of Commerce should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 5)
Open
The agency agreed with the recommendation and, in October 2018, described a number of steps it planned to take to address the responsibility gaps identified in the report. We will continue to monitor the steps the agency takes to address these requirements.
Department of Defense The Secretary of Defense should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 6)
Open
DOD began taking steps to address the nine responsibility gaps we identified in the report. However, the department has not yet provided policies that establish requirements for the four partially addressed and five unaddressed Chief Information Officer (CIO) responsibilities. As of November 2020, DOD expects to fully address the responsibility gaps by May 2021. We will continue to monitor the steps the agency takes to address these gaps.
Department of Education The Secretary of Education should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 7)
Open
We will provide updated information when we confirm what actions the agency has taken to address this recommendation.
Department of Energy The Secretary of Energy should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 8)
Open
The department planned to complete several steps to address the responsibility gaps identified in the report. Of the 21 responsibilities we identified, Energy addressed six responsibilities and partially addressed five of them. The remaining 10 responsibilities have not been established through agency policy. When we confirm what actions the agency has taken in response to the remaining recommendations, we will provide updated information.
Department of Health and Human Services The Secretary of Health and Human Services should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 9)
Open
The agency agreed with the recommendation and revised its policies to address three of the 23 responsibility gaps identified in the report. In particular, it has addressed the responsibilities for the Chief Information Officer to: (1) report directly to the agency head or that official's deputy; (2) improve the management of the agency's IT through portfolio review (PortfolioStat); and (3) maintain an inventory of data centers. We will continue to monitor the steps the agency takes to address the remaining responsibilities.
Department of Homeland Security The Secretary of Homeland Security should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 10)
Open
The agency agreed with the recommendation and revised its departmental directives and delegations to address 19 of the 21 responsibility gaps identified in the report. The remaining responsibilities are for the Chief Information Officer (CIO) to: (1) review and approve IT contracts, acquisition plans, or strategies; and (2) ensure that all personnel are held accountable for complying with the agency-wide information security program. In particular, while the DHS CIO has the authority to coordinate with the Chief Acquisition Officer on acquisition strategies, coordination is not the same as reviewing and approving. Regarding holding agency personnel accountable for information security, DHS's Sensitive Systems Policy Directive establishes that authority for the heads of DHS's components, rather than the DHS CIO. We will continue to monitor the steps the agency takes to address these requirements.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 11)
Open
The department indicated that it had work underway to address this recommendation, which it had planned to complete in March 2020. However, as of November 2020, the department has not provided updated policies to include the responsibility gaps we identified in the report. When we confirm actions the agency has taken to address these responsibilities, we will provide updated information.
Department of the Interior The Secretary of the Interior should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 12)
Open
The department planned to review its policies and take corrective actions, as necessary. When we confirm actions the agency has taken to address the responsibility gaps identified in the report, we will provide updated information.
Department of Justice The Attorney General should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 13)
Open
Justice concurred with our recommendation and started work to address it. Of the 13 responsibility gaps identified in the report, the agency addressed one responsibility, partially addressed seven of the responsibilities, and has not yet addressed five of them. In particular, the agency addressed the responsibility for the Chief Information Officer (CIO) to have a significant role in IT execution decisions and the management, governance, and oversight processes related to IT. When we confirm additional actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor The Secretary of Labor should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 14)
Open
Labor has taken a number of steps in response to this recommendation. Of the 17 responsibility gaps identified in the report, eight responsibilities have been addressed, four have been partially addressed, and five have not yet been addressed. When we confirm additional actions the agency has taken to address this recommendation, we will provide updated information.
Department of State The Secretary of State should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 15)
Open
The department began changing its policies to address this recommendation. As of November 2020, the department had developed a corrective action plan through which it plans to fully address the recommendation by the second quarter of fiscal year 2022. We will continue to monitor the steps the department takes to address the responsibility gaps we identified.
Department of Transportation The Secretary of Transportation should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 16)
Open
DOT agreed with many of the responsibilities in our recommendation and planned to leverage their technical infrastructure modernization initiative to further define the Chief Information Officer (CIO) responsibilities identified in the report. As of November 2020, the agency planned to implement changes based on the recommendation by December 2021. When we confirm what actions the agency has taken, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 17)
Open
When we confirm what actions the agency has taken to address this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the department's IT management policies address the role of the CIO for key responsibilities in the four areas we identified. (Recommendation 18)
Open
VA agreed with our recommendation and began working to address it. Of the 21 Chief Information Officer (CIO) responsibilities, one responsibility has been addressed, four have been partially addressed, and 16 have not yet been addressed. In particular, VA established through its policies the CIO responsibility to review high-risk IT investments (TechStat sessions). When we confirm additional actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency The Administrator of the Environmental Protection Agency should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 19)
Open
EPA neither agreed nor disagreed with our recommendation, but agreed that CIO authorities should be adequately documented in appropriate policies. EPA officials have stated that they continue to work toward addressing this recommendation and plan to provide an update in mid-FY 2021. When we confirm what actions the agency has taken to address the 20 responsibility gaps identified in the report, we will provide updated information.
General Services Administration The Administrator of the General Services Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 20)
Closed - Implemented
Although the General Services Administration (GSA) partially agreed with our recommendation, it fully addressed the recommendation in September 2019. In particular, it revised its Enterprise Information Technology Management Policy in September 2019 to include the CIO responsibilities we identified in our report. By implementing this recommendation, GSA will be better able to address longstanding federal IT management challenges.
National Aeronautics and Space Administration The Administrator of the National Aeronautics and Space Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 21)
Open
NASA concurred with our recommendation and of the 23 Chief Information Officer (CIO) responsibilities identified in the report, six responsibilities have been addressed, five have been partially addressed, and 12 have not yet been addressed. When we confirm additional actions the agency has taken in response to this recommendation, we will provide updated information.
National Science Foundation The Director of the National Science Foundation should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 22)
Open
NSF agreed with our recommendations, and in February 2020, the agency provided its CIO Authorities Policy and revised other departmental policies to address 22 of the 23 responsibility gaps identified in the report. The remaining responsibility, for the CIO to benchmark agency processes against private and public sector performance, has not been established through the agency's policies. When we confirm what actions the agency has taken in response to the remaining responsibility, we will provide updated information.
Nuclear Regulatory Commission The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 23)
Open
NRC disagreed with our recommendation but generally agreed with our findings, and the agency had departmental policies to address three of the 15 responsibilities identified in the report. In March 2020, the agency stated it was identifying the appropriate agency policy to amend to address the remaining responsibility gaps. The agency had anticipated completing those policy updates by the end of the second quarter of FY 2020. We will continue to monitor the steps the agency takes to address this requirement.
Office of Personnel Management The Director of the Office of Personnel Management should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 24)
Open
OPM agreed with our recommendation. When we confirm what actions the agency has taken to address this recommendation, we will provide updated information.
Small Business Administration The Administrator of the Small Business Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 25)
Open
SBA agreed with most of our recommendations and, in September 2018, the agency said it is revising its departmental policies to address the responsibility gaps identified in the report. SBA's Data Center Optimization Initiative (DCOI) Strategic Plan was revised in 2019 to include two of the 19 responsibility gaps. When we confirm the additional actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of the Social Security Administration should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified. (Recommendation 26)
Closed - Implemented
SSA agreed with our recommendation and, in 2019 and 2020, the agency revised its departmental policies to address the 16 responsibility gaps identified in the report. Among other things, it revised its Chief Information Officer authorities directive, Incremental Development Policy, CIO Ratings policy, and Capital Planning and Investment Control policy. By implementing this recommendation, SSA will be better able to address longstanding federal IT management challenges.
United States Agency for International Development The Administrator of the U.S. Agency for International Development should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the six areas we identified. (Recommendation 27)
Closed - Implemented
The agency did not state whether it agreed or disagreed with the recommendation. However, in May 2019, June 2019, and April 2020, the agency revised its policies to address the 22 responsibility gaps identified in the report. By fully addressing the role of its CIO in the agency's policies, USAID has better positioned itself to address the government's long-standing IT management challenges.

Full Report

GAO Contacts