Agency chief information officers need to take special notice about the grilling their colleague Danny Harris from the Education Department took from the House Oversight and Government Reform Committee Feb. 2. Not so much for the questions about his ethics or even the systemic cybersecurity troubles Education has had for almost a decade, but rather because lawmakers specifically tied Harris’ bonus to his performance around the agency’s cybersecurity.
This was one of the few times in recent memory when members of Congress questioned how a senior executive could have received any sort of bonus when his agency’s Federal Information Security Management Act (FISMA) scores were failing, and progress on the administration’s cyber sprint was less than adequate.
“In every year since 2008, and we’ll take you to 2011, the FISMA audit contained findings of failure of the protection of the records and all of the information you are charged with, that’s correct. And in that time, you’ve received bonuses of $116,000, according to our report,” said Rep. John Mica (R-Fla.). “You received bonuses in 2012 of $17,000, 2013, $17,000 and 2014. During all that time period, the information I have is your performance, the job you were hired for the chief information officer, you had failing evaluations. Is that correct?”
“It is correct to the information we have,” Mica said. “The only information we have is Mr. [John] King, [acting department secretary] mentioned that since January they’ve done better. But it appears that you’ve actually failed in your mission.”
Now it’s one thing when Mica, who is known across the federal community for his drama when on the dais and questioning witnesses, but tying Harris’ bonus to his cyber performance came from several different members.
Rep. Jason Chaffetz (R-Utah), chairman of the committee, and Rep. Mark Meadows (R-N.C.) also brought up the bonus issue as it relates to both Harris’ conduct and his performance.
“You scored an ‘F’ in what you self-reported. The Office of Management and Budget put out a cyber sprint, and you were one of three or four agencies that scored a negative,” Chaffetz said. “In every single metric was negative. The problem is Mr. Harris has been in charge since 2008. It’s not just he just inherited this and he hasn’t had a few months to fix it. What specifically did Mr. Harris do to justify the Congress appropriating people’s money, $15,000?”
King responded that cybersecurity is one aspect of Harris’ performance.
“On cybersecurity, he co-led an effort with our Federal Student Aid CIO that included amending more than 60 contracts in order to ensure that all our of external vendors are at level 4, two-factor authentication. We made dramatic progress there,” King said. “We are resolving FISMA audit findings. We are making progress on cybersecurity. We also have a variety of other technology efforts, replacing outdated technology systems, improving services to employees. The overall performance of the CIO in 2015 was strong. I can’t speak to prior evaluations of Dr. Harris’ performance. But I can speak to the performance since I’ve joined the department in January 2015.”
Chaffetz is only partly right that Education’s cyber efforts are struggling. According to Performance.gov, in the third quarter of fiscal 2015 metrics — OMB hasn’t posted the fourth quarter update yet for cybersecurity — Education had mixed results. A percentage of all employees was using two-factor authentication dropped from 71 percent to 58 percent. But in other areas, such as anti-virus or blended defense capabilities, Education saw definite increases in security capabilities.
Education also earned a failing grade on the first Federal IT Acquisition Reform Act (FITARA) scorecard from the committee in November.
But King and Harris say Education’s use of smart identity cards used by employees to log on to the computer increased to more than 85 percent of all users as of Jan. 31. King said OMB also approved Education’s FITARA plan recently.
Still, the fact is Education has struggled to secure its networks and systems, and lawmakers are warning that with it holding the sensitive data of more than 139 million Americans, a breach would be catastrophic.
Chaffetz told me after the hearing that if Harris is making $183,000 a year and received more than $250,000 in bonuses over the last eight years, why shouldn’t Congress expect him to be outstanding?
“Why should we bonus you up if you aren’t producing results?” he said. “By every metric they are failing. I want the government to understand, for the good hardworking patriotic employees who do good stuff, of course, I think there is room to give bonuses and incentives. But you don’t just automatically give them, and when you are failing both ethically and in your performance, why should taxpayers give you a bonus?
Several current and former government officials also took notice of how much this connection between bonuses and performance, particularly cybersecurity progress, played into the hearing.
One former department CIO said while the entire bonus structure can’t be only about cybersecurity, a mandatory piece of it should. So if a CIO gets a low score — a 1 or 2 — then their entire bonuses would likely be severely impacted.
An agency IT executive said given all that has happened over the last year with the massive data breach sustained by the Office of Personnel Management, followed by the Office of Management and Budget’s cyber sprint and cybersecurity strategy, CIOs should see this as a wake-up call of sorts.
If a CIO is going before Congress to testify on really any subject, they should be prepared for lawmakers to question their progress in securing networks and data, and tying it back to their overall performance ratings and evaluations.
And it’s not just CIOs. CFOs and deputy secretaries also likely will be in the hot seat from Congress when it comes to cybersecurity, as it’s no longer just a back-room or technology issue.