Idea to reduce the number of CIOs per agency reemerges

Rep. Darrell Issa returned to Congress in January after a brief two-year absence. The California Republican, who was once the chairman of the Oversight and Reform Committee, didn’t take long to jump back on the “one CIO to rule them all” bandwagon.

About 93 minutes into the latest hearing on the Federal IT Acquisition Reform Act (FITARA), for which Issa is the co-author of, he went on a 2:06 soliloquy about why agencies need one person with the title chief information officer.

“Isn’t it time for us to consider looking at stringing together this network of CIOs and, particularly as it relates to cyber, into a single point of accountability? Similarly to the Office of Personnel Management or Office of Management and Budget or any other cabinet head, isn’t it time that the government operations, which is our committee, look at a reorganization that takes that $100-plus billion and creates at least one person accountable directly to the president who has the expertise and the vision to bring together these disparate entities that are spread across the government,” Issa asked the Government Accountability Office’s Carol Harris, the director of IT and cybersecurity issues. “I would ask the chairman to task GAO with some further study on that for the committee.”

Rep Gerry Connolly (D-Va.), chairman of the Government Operations Subcommittee and co-author of FITARA, piled on about the number of CIOs across the government. He reminded that back in 2012 there were at least 250 people with the title CIO across the government.

In 2012, when Connolly and Issa first introduced this idea of having one person with the title CIO per agency, it was disconcerting, maybe even a bit abrupt.

“Both Mr. Issa and I reflect on our private sector experience and look at the federal government and say this is a system that can’t possibly work with that many people with that title,” he said. “We hoped there would be an evolution that somebody would emerge as the ‘primus inter pares,’ and the reason we emphasized this solid line [to the secretary] is because of this proliferation. Someone has to be in charge. Someone has to be designated as the responsible and accountable person who is empowered to make decisions. In bureaucracies, if you don’t report to the boss, everybody knows everything you have to say is ‘ad referendum.’ That is what we are trying to get at it. If there is a better way to get at it, we’d like to hear about it.”

In the end, FITARA didn’t mandate having a single CIO per agency, but Connolly and Issa haven’t given up on that idea.

And nine years later, maybe it’s time to relook at that concept.

Back in 2012, only the departments of Interior and Veterans Affairs had consolidated the CIO titles down to one. The Department of Agriculture followed suit and has been living under this construct.

Interior made the changes in 2010, before FITARA was even an idea, and USDA in 2017 went from having 22 people with the title of CIO down to one.

While few, if any, other agencies followed suit, there is no clear evidence that Interior and USDA are better or worse off due to this change.

At the same time, Issa and Connolly’s belief today — and nine years ago — makes more sense than ever that with the ever-growing cybersecurity threats and the true recognition by non-technology leaders on the dependence of hardware, software and infrastructure to run their agencies, maybe it’s time to consolidate the number of people with the title CIO.

“Congressman Issa is very interested in building off what we’ve learned since the enactment of FITARA, as well as utilizing that knowledge to push for further modernization and improvements. As more data is collected, it’s important for agencies to be working together to ensure they’re not duplicating efforts,” said an Issa spokesman in an email to Federal News Network.

Federal News Network asked four former CIOs in the federal government for their thoughts on Issa and Connolly revving up the “one CIO to rule them all” bandwagon.

Reponses came from:

  • Karen Evans, former CIO at the departments of Energy and Homeland Security, and Office of Justice Programs in the Justice Department, and former administrator for IT and e-government at OMB (Federal CIO).
  • Simon Szykman, former Commerce CIO and now senior vice president for client growth at Maximus
  • Malcolm Jackson, former CIO at the Environment Protection Agency and now principal director for CIO advisory services at Accenture.
  • Rajive Mathur, former CIO at the Social Security Administration and now partner and associate director at the Boston Consulting Group.

Federal News Network: Is it a good idea to have one person with the title CIO for each agency? Why or why not?

Karen Evans is the former CIO for DHS and Energy and former OMB associate administrator for e-government and IT.

Evans: During my first appointment as the CIO of Department of Energy, the secretary and senior leadership (deputy secretary, chief of staff and CFO) supported this approach and program offices’ CIOs were retitled. There was only one CIO for the department. The secretary clearly stated there was only one CIO and I reported to him. It worked to streamline and get handle on the investments and the partnership with the CFO made the implementation possible. I do think having one CIO for cabinet departments is a good idea, because it is the departmental CIO who Congress holds accountable (which is why the FITARA Scorecard is still measuring CIO authorities). Ultimately, it is the head of the agency/department who is responsible for the performance of their department and he/she should have flexibility on the management structure they need to be successful, because this will get to those who are dual reporting, such as DHS where the CIO reports both to the secretary and the undersecretary of management. The person appointed into these situations, such as DHS and State Department, should be able to have the skill set to make this arrangement work to accomplish the goals of the administration and the secretary.

Szykman: On the surface, the idea of having only one person with the CIO title at each agency appears to be aligned with the idea of empowering CIOs to more effectively manage an agency’s IT investments. But in reality, changing or eliminating titles does little to empower an agency CIO if it’s not also accompanied by other organizational, management or policy changes to accomplish that goal. Many cabinet-level agencies are federated organizations with sub-agency components that have their own independently requested and managed budgets, and their own CIOs who report to sub-agency leadership. Historically, one of the challenges faced by top-level agency CIOs is a lack of visibility into, and ability to influence, both budgeting and spending decisions at the sub-agency level. A shift to having only one person with the CIO title can be impactful if it’s made in conjunction with other policy changes, but without also addressing those structural issues, merely stripping the sub-agency CIO of that title could result in a superficial measure that doesn’t necessarily fix the underlying shortcomings.

Jackson: Yes, in my opinion it is a good idea to have one person with the title of CIO at each agency. Having one CIO enables an agency to drive a common approach for technology on such topics as: strategy, operational optimization, technology modernization, cyber resilience, workforce transformation, digitization and service delivery. It also ensures resources can be optimized in a cost-effective manner and best positions an agency for success. Having multiple CIOs can sometimes make it more difficult for an agency to properly align limited resources against the highest priorities.

Mathur: First of all, I am surprised why this question is even being asked! One person with the title of CIO is critical to the success of any agency’s mission and that role should report to the head of the agency. Enabling technology, and more notably, digital technology, is an asset that should be front and center to the C-suite and the head of the agency should consider how he/she can use all the assets at their disposal to meet the agency’s mission in serving taxpayers.

FNN: From your experience, what are some potential unintended consequences of this change?

Malcolm Jackson is a former CIO at the Environmental Protection Agency and currently the principal director for CIO Advisory Services at Accenture Federal Services.

Jackson: Due to the size of some of the federal agencies, one CIO may not have as deep of an understanding of the needs of every sub-agency or bureau. This could cause a mission area to feel as though their needs are not being met. One of the biggest unintended consequences is a mission area going outside the IT organization for technology capabilities. In the past, you have seen this happen in what has been termed as “shadow IT.” A successful CIO needs to take the time to build relationships and learn the needs of all mission areas of the agency. There may be a case where shadow IT can be used to pilot innovation. But managed incorrectly, shadow IT can lead to capability duplicity, increased cost, and present cyber risks to the agency.

Mathur: The role of the central CIO should not be as a gatekeeper to technology, but an enabler for the business to use technology. I viewed my role as CIO at SSA as a general contractor for technology for my business customers, where I would and should be able to lay out the possibilities (the options) to solve the business needs. The options I present should balance technical strength with speed to market and the needs of the business. The options I, as CIO, should present could be to buy/outsource to a vendor or build your own. And the build-your-own model doesn’t have to be “stick built” in the parlance of residential housing construction; it could be modular or prefabricated using low code, no code solutions. In modern software development, the business needs to be presented with credible options and that’s the job of the trusted CIO/GC. By putting in place the right technology and process infrastructure, a modern centralized CIO shop should, for example, be able to accelerate development by allowing business to develop applications using low code no code. This citizen development model is one that we set up at SSA using a well-known low code platform.

Szykman: One unintended consequence of this change is the potential impact on the ability to recruit the most highly qualified IT executives into CIO roles. Among the cabinet-level agencies, it is not uncommon for one or more sub-agency components to have annual IT budgets in hundreds of millions of dollars, sometimes even above the billion dollar level. It is important for the senior-most IT executive in such a role to have an appropriate level of experience managing budgets, organizations, systems and services. Many of the most highly qualified candidates for those roles will come from the ranks of existing CIOs, from both inside and outside of the federal government. It may be a challenge to recruit highly seasoned and experienced CIOs into a position that has a non-CIO title, such as associate CIO, due to the perception that it may be a step down from their past or current roles.

Evans: It is a change management issue and there are some large components who will make the argument they should have their “own” CIO. However, they are a component organization. The head of their organization works for the secretary who works for the President. The concern many component organizations feel is that their priorities are not going to get done because they are competing with the department. Additionally, previous legislation provides exemptions, for example, national security systems, as well as focuses on “information technology” systems, which causes a separation and stove piping of the security for the department and/or agency. The risk management profile needs to include all systems (IT/OT and associated authorities) in order to properly “protect, detect and defend” their enterprise.

FNN: What would be some of benefits of this change?

Szykman: With the right structural changes relating to elevating agency CIO empowerment, this change certainly could help make a more unambiguous statement about who in an agency has the ultimate responsibility and accountability for managing IT-related tradeoffs and risks, and optimizing the expenditure of IT resources, not only within a sub-agency component but across the entire agency IT portfolio.

Rajive Mathur is the former the Social Security Administration’s deputy commissioner and chief information officer, and now is a partner with the Boston Consulting Group.

Mathur: The primary reasons for a single technical leadership are: operational consistency, cost avoidance, cybersecurity and employee/customer experience. Most agencies have complex missions with many operating units which seek to deliver public services through a variety of delivery channels — phone, in-person, online, and even by mail. They also have similar technical and operational needs. Examples of common needs may be workflow systems, technologies to communicate with external advocacy groups, vendor payment technologies, in-office visitor management systems, and many others. Hundreds, if not thousands of managers and employees with staffs have unique roles and geographies, but similar needs that could be consolidated. The underlying information, business rules, and even security that is required for service delivery should be consistent across channels and the CIO’s role should be to identify patterns, develop and implement approaches which are robust across the agency.

Jackson: One CIO can provide clear leadership messages that support an agency with identifying technology needs based on mission criticality and then cascade across the enterprise to ensure the most important projects are funded and being prioritized.

Evans: Consolidation, modernization, reduction of duplication, leveraging existing investments and expertise would accelerate implementation of initiatives. It would assist the department to move as an “enterprise” and it would be beneficial especially as it relates to the risk posture of the department and managing the cybersecurity posture for the department. Additionally, it would benefit the Cybersecurity and Infrastructure Security Agency (CISA) at DHS because they would streamline who they would work with in order for them to accomplish their mission regarding the management of federal networks. There are just not enough people to duplicate functions and the resources should be leveraged to achieve the maximum outcomes.

FNN: What should lawmakers keep in mind as they start down this path once again of considering requiring one person with the title of CIO per agency?

Evans: Regardless of title, it takes the secretary and leadership of the department to recognize their role and support the CIO going forward. The CIO has to have the right skills to make it happen and meet expectations.

Jackson: Lawmakers should ensure they give agency CIOs the power to make decisions and not be marginalized by having them report to a level below the agency lead. Today, this is the case for some federal CIOs. Technology is too important to not be a priority of the agency leader. Consider, for example, how CIOs responded during the COVID-19 pandemic, as well as the spate of recent cyber-attacks. For some, it may have been the first time an agency lead was briefed on telework and cyber capabilities. Technology is critical to an agency’s mission, and the CIO needs to be appropriately positioned to be successful.

Szykman: A change like this shouldn’t be undertaken without considering the impact on recruiting — specifically the ability of sub-agency components to recruit the best talent from inside and outside of government into a position that demands proven CIO experience, but at the same time does not offer candidates the title of CIO. And more importantly, the underlying structural problem that creates a variety of obstacles to more highly effective management of IT in government is not one of tiles, but rather of authority, accountability, visibility and influence. Accordingly, changing titles will likely not produce the intended outcomes unless it is done in conjunction with other measures that address those other factors.

Related Stories

Comments

Sign up for breaking news alerts