This is the accessible text file for GAO report number GAO-04-823 
entitled 'Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges' which was released on 
July 21, 2004.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters: 

July 2004: 

FEDERAL CHIEF INFORMATION OFFICERS: 

Responsibilities, Reporting Relationships, Tenure, and Challenges: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-823]: 

GAO Highlights: 

Highlights of GAO-04-823, a report to congressional committees

Why GAO Did This Study: 

Although the federal government has invested substantially in 
information technology (IT), its success in managing information 
resources has varied. Agencies have taken steps to implement modern 
strategies, systems, and management policies and practices, but they 
still face significant information and technology management 
challenges. Recognizing the key role of the chief information officer 
(CIO) in helping an agency to achieve better results through IT, 
congressional requesters asked GAO to study the current status of CIOs 
at major departments and agencies. Among the topics this report 
describes are (1) CIOs’ responsibilities and reporting relationships, 
and (2) current CIOs’ professional backgrounds and the tenures of all 
of the CIOs since enactment of the Clinger-Cohen Act.

What GAO Found: 

GAO administered a questionnaire and interviewed CIOs at 27 major 
departments and agencies, finding that respondents were responsible for 
most of the 13 areas we identified as either required by statute or 
critical to effective information and technology management (see figure 
below). All of the CIOs had responsibility for five areas, including 
enterprise architecture and IT investment management. However, two of 
these areas—information disclosure and statistics—were outside the 
purview of more than half of the officers. Although the CIOs generally 
did not think placing responsibility for some areas in separate units 
presented a problem, having these responsibilities performed by 
multiple officials could make the integration of various information 
and tech bcnology management areas, as envisioned by law, more 
difficult to achieve. Given these results, it may be time to revisit 
whether the current statutory framework of responsibilities reflects 
the most effective assignment of information and technology management 
responsibilities. The law also generally requires that CIOs report 
directly to their agency heads, and 19 of the 27 said that they did. 
However, views were mixed among current and former officers on whether 
such a direct reporting relationship was important.

Agency CIOs come from a wide variety of professional and educational 
backgrounds, but they almost always have IT or IT-related work or 
educational experience. Since enactment of the Clinger-Cohen Act, the 
median tenure of a federal CIO has been about 2 years; in contrast, 
both current CIOs and former agency IT executives most commonly cited 3 
to 5 years as the time they needed to become effective. According to 
some current CIOs, high turnover is a problem because it can limit 
CIOs’ ability to put their agendas in place. Various mechanisms, such 
as human capital flexibilities, are available for agencies to use to 
help them try to reduce CIO turnover or mitigate its effect. 

Number of CIOs with Responsibility for Information and Technology 
Management Areas: 

[See PDF for image]

[End of figure]

What GAO Recommends: 

As Congress holds hearings on and introduces legislation related to 
information and technology management, GAO suggests that Congress 
consider the results of this review and whether the existing statutory 
requirements related to CIO responsibilities and reporting to the 
agency head reflect the most effective assignment of information and 
technology management responsibilities and reporting relationships. In 
responding to a draft of this report, most agencies stated that they 
had no comment.

www.gao.gov/cgi-bin/getrpt?GAO-04-823.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact David A. Powner, 
202-512-9286 or pownerd@gao.gov.

[End of section]

Contents: 

Letter: 

Results in Brief: 

Background: 

Scope and Methodology: 

CIOs Responsible for Most Areas and Generally Reported to Agency Heads: 

CIOs Have Diverse Backgrounds and Generally Remained in Office about 2 
Years: 

Major Challenges Facing Agency CIOs: 

Conclusions: 

Matter for Congressional Consideration: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Chief Information Officers (CIO) Interviewed: 

Appendix II: Former Agency Senior Information Technology (IT) Executive 
Panels: 

Appendix III: Summary of CIOs' Information Management and Technology 
Responsibilities at Major Departments and Agencies: 

Appendix IV: CIO Tenure at Each Department and Agency: 

Appendix V: Comments from the Department of Agriculture: 

Appendix VI: Comments from the Department of Defense (including the 
Departments of the Air Force, Army, and Navy): 

GAO Comments: 

Appendix VII: Comments from the Department of the Interior: 

GAO Comments: 

Appendix VIII: Comments from the Office of Personnel Management: 

GAO Comments: 

Appendix IX: Comments from the Department of the Treasury: 

Appendix X: Comments from the U.S. Agency for International 
Development: 

Appendix XI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

Tables: 

Table 1: Former Agency Senior IT Executive Panels: 

Table 2: Statistical Analysis of CIO Tenure: 

Figures: 

Figure 1: Number of CIOs Reporting That They Were Responsible for Each 
Information and Technology Management Area: 

Figure 2: Major Challenges Facing Agency CIOs: 

Figure 3: Time Line of CIO Tenure at Each Department and Agency: 

Abbreviations: 

CIO: chief information officer: 

EA: enterprise architecture: 

e-gov: electronic government: 

FOIA: Freedom of Information Act: 

IRM: information resources management: 

IT: information technology: 

OMB: Office of Management and Budget: 

PRA: Paperwork Reduction Act: 

Letter July 21, 2004: 

The Honorable Susan M. Collins: 
Chairman, Committee on Governmental Affairs: 
United States Senate: 

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives: 

The Honorable Adam H. Putnam: 
Chairman, Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census: 
Committee on Government Reform:
House of Representatives: 

Our work and that of others has shown that the federal government has 
had long-standing information and technology management problems. 
Various laws have been enacted to improve the government's performance 
in this area. For example, the Clinger-Cohen Act of 1996 requires 
agency heads to designate Chief Information Officers (CIO) to lead 
reforms to help control system development risks, better manage 
technology spending, and achieve real, measurable improvements in 
agency performance through better management of information resources.

We have long been proponents of having strong agency CIOs and a central 
federal government CIO in order to address the government's many 
information and technology management challenges.[Footnote 1] Eight 
years after the passage of the Clinger-Cohen Act, our work[Footnote 2] 
illustrates that despite the government's expenditure of billions of 
dollars annually on information technology (IT), its management of 
these resources has produced mixed results. Although agencies have 
taken constructive steps to implement modern strategies, systems, and 
management policies and practices, our most recent high-risk and 
performance and accountability series identified continuing high-risk 
modernization efforts and governmentwide information and technology 
management challenges. As we have previously reported, an effective CIO 
can make a significant difference in building the institutional 
capacity needed to implement improvements to an agency's information 
and technology management capabilities which, among other things, 
should result in technology solutions that improve program performance.

Recognizing the continued importance of the CIO position to achieving 
better results through information and technology management, you have 
asked us to perform two reviews in this area. First, this report will 
discuss the current status of federal CIOs at major departments and 
agencies. Second, we are beginning work on the development of a set of 
CIO best practices, based on the practices of leading organizations in 
the private sector. Along with our earlier work addressing the high-
level organization and support of the CIO position in the private 
sector,[Footnote 3] these reports are expected to provide the Congress 
and others with an understanding of the current status of the role, 
responsibilities, and reporting relationships of agency CIOs and to 
describe opportunities to improve their status.

In this report, our objectives are to describe (1) the responsibilities 
of agency CIOs and their reporting relationships, (2) the current CIOs' 
professional backgrounds and the tenures of all of the CIOs in office 
since enactment of the Clinger-Cohen Act, and (3) what the CIOs viewed 
as their major challenges. To address these objectives, we administered 
a questionnaire--covering 13 information and technology management 
areas, specifically IT/IRM strategic planning, IT capital planning and 
investment management, information security, IT/IRM human capital, 
information collection/paperwork reduction, information dissemination, 
records management, privacy, statistical policy and coordination, 
information disclosure, enterprise architecture, systems acquisition, 
development and integration, and e-government initiatives[Footnote 4]-
-to the CIOs of the 27 major federal departments and agencies (23 
entities identified in 31 U.S.C. 901,[Footnote 5] the Department of 
Homeland Security, and the 3 military services).[Footnote 6] In 
addition, we conducted interviews with each of these CIOs to 
corroborate information we had already received in the questionnaire 
and to obtain more specific information.

We conducted our work at the 27 agencies during November 2003 through 
May 2004 in accordance with generally accepted government auditing 
standards.

Results in Brief: 

Generally, CIOs were responsible for most of the 13 areas we identified 
as either required by statute or critical to effective information and 
technology management, and about 70 percent of them reported directly 
to the agency heads. All of the CIOs were assigned responsibility for 
five information and technology management areas--such as enterprise 
architecture and IT investment management--although they sometimes 
reported that they shared responsibility for these areas with other 
organizational units. In contrast, two of the information and 
technology management areas--information disclosure and statistics--
were the responsibility of fewer than half of the CIOs. While this 
alternative assignment of responsibility is not consistent with the 
statutes, the CIOs generally believed--in large part because other 
organizational units were assigned these duties--that not being 
responsible for certain information and technology management areas did 
not present a problem. Nevertheless, having these responsibilities 
performed by multiple officials could make the integration of various 
information and technology management areas, as envisioned by law, more 
difficult to achieve. Regarding the statutory requirements that certain 
CIOs have the management of information resources as their primary 
duty[Footnote 7] and that CIOs report directly to the agency 
head,[Footnote 8] only a few said that they had other major duties and 
19 said they reported directly to their agency heads. Views were mixed 
among current CIOs and former agency IT executives on whether a direct 
reporting relationship was crucial to the success of the CIO.

Current CIOs come from a wide variety of professional and educational 
backgrounds, and--since the enactment of the Clinger-Cohen Act--the 
permanent CIOs who had completed their time in office had a median 
tenure of about 2 years. Regarding their backgrounds, the current CIOs 
had worked in various sectors, almost always had IT or IT-related work 
or educational experience, and generally had business knowledge related 
to their agencies. Such variety is not unexpected, because a CIO should 
be selected based on the specific needs of an agency and the type of 
role he or she is expected to play. Agency CIOs' average time in 
office, however, was less than the 3 to 5 years that was most commonly 
cited by both current CIOs and former agency IT executives as the time 
needed for a CIO to be effective. In particular, in the 8 years since 
the enactment of the Clinger-Cohen Act, only about 35 percent of the 
permanent CIOs who had completed their time in office reportedly stayed 
in office for a minimum of 3 years. A high turnover rate is a problem, 
according to some current CIOs, because it can negatively impact their 
effectiveness. For example, they may not have time to put their agenda 
in place or form close working relationships with agency leadership. 
Various mechanisms, such as human capital flexibilities, are available 
to agencies to help them try to reduce CIO turnover or mitigate its 
effect.

Current CIOs reported that they faced several major challenges, 
particularly in implementing effective IT management, obtaining 
sufficient and relevant resources, communicating and collaborating 
internally and externally, and managing change. These challenges are 
not new--we have previously reported on some of them. Nevertheless, the 
extent to which CIOs effectively tackle such challenges can contribute 
to their ability to achieve success. To support their efforts, we have 
issued guidance related to many of the reported challenges.

We are suggesting that, as it holds hearings on and introduces 
legislation related to information and technology management, Congress 
consider whether the existing statutory requirements related to CIO 
responsibilities and reporting to the agency head reflect the most 
effective assignment of information and technology management 
responsibilities and reporting relationship. The results of this 
review--in conjunction with our ongoing work on best practices for 
CIOs' roles and responsibilities that are based on leading 
organizations in the private sector--may provide insights to contribute 
to that process.

Based on their reviews of a draft of this report, OMB and all of the 27 
agencies that were included in our review sent us responses. Most of 
the agencies stated that they had no comment. Of those that provided 
specific comments, OMB noted that they were unclear on the correlation 
between, or conclusions drawn about, who holds responsibility for the 
13 areas we reviewed, and they questioned the need to include 3 
responsibilities not required by statute to be the responsibility of 
the CIO. First, we did not attempt to draw conclusions regarding the 
relationship between the assignment of specific responsibilities and an 
agency's success in achieving desired outcomes in those areas. Second, 
the importance of the 3 areas questioned by OMB is borne out by the 
fact that over 90 percent of the CIOs have been assigned responsibility 
for them. The Departments of Defense and the Interior disagreed with 
the part of our Matter for Congressional Consideration that suggested 
that the Congress consider the results of this review that are related 
to CIO reporting relationships when holding hearings and introducing 
legislation on information and technology management. Although having 
CIOs report to agency heads can help provide strong support for CIOs in 
executing their responsibilities, the participants in our review 
offered a number of alternative reporting arrangements that could also 
provide CIOs with such support and that also warrant consideration. 
Accordingly, we continue to believe that, as the Congress holds 
hearings or considers legislation related to CIOs' responsibilities or 
reporting, it consider the results of our review in its deliberations. 
Finally, the Office of Personnel Management provided examples of 
actions the agency has taken to encourage the use of human capital 
management flexibilities, but it was outside the scope of this work to 
review these actions. We address these comments more fully in the 
Agency Comments and Our Evaluation section of this report.

Background: 

Despite a substantial investment in IT, the federal government's 
management of information resources has produced mixed results. 
Although agencies have taken constructive steps to implement modern 
strategies, systems, and management policies and practices, our work 
continues to find that agencies face significant challenges. These 
challenges can be addressed with strong and committed leadership by the 
agency CIOs--a position that was established by the Congress to serve 
as the focal point for information and technology management issues 
within an agency.

Major Information and Technology Management Challenges Facing Agency 
CIOs: 

Our most recent high-risk and performance and accountability series 
identified continuing high-risk system modernization efforts and 
governmentwide information and technology management 
challenges,[Footnote 9] namely,

* pursuing opportunities for e-government;

* improving the collection, use, and dissemination of government 
information;

* strengthening information security;

* constructing and enforcing sound enterprise architectures;

* employing IT system and service management practices; and: 

* using effective agency IT investment management practices.

Unless and until these challenges are overcome, federal agencies are 
unlikely to optimize their use of information and technology, which can 
affect an organization's ability to effectively and efficiently 
implement its programs and missions.

Agency CIOs are key leaders in addressing these challenges. To allow 
them to serve effectively in this role, federal agencies must utilize 
the full potential of CIOs as information and technology management 
leaders and active participants in the development of the agency's 
strategic plans and policies. The CIOs, in turn, must meet the 
challenges of building credible organizations and developing and 
organizing information and technology management capabilities to meet 
mission needs.

Legislative Evolution of Agency CIO Roles and Responsibilities: 

For more than 20 years, federal law has structured the management of 
information technology and information-related activities under the 
umbrella of information resources management (IRM).[Footnote 10] 
Originating in the 1977 recommendations of the Commission on Federal 
Paperwork, the IRM approach was first enacted into law in the Paperwork 
Reduction Act of 1980 (PRA).[Footnote 11] The 1980 Act focused 
primarily on centralizing governmentwide responsibilities in the Office 
of Management and Budget (OMB). The law gave OMB specific policy-
setting and oversight duties regarding individual IRM areas--for 
example: records management, privacy, and the acquisition and use of 
automatic data processing and telecommunications equipment (which was 
later renamed information technology). The law also gave agencies a 
more general responsibility to carry out their IRM activities in an 
efficient, effective, and economical manner and to comply with OMB 
policies and guidelines. To assist in this effort, the law required 
that each agency head designate a senior official who would report 
directly to the agency head to carry out the responsibilities of the 
agency under the law.

Together these requirements were intended to provide for a coordinated 
approach to managing federal agencies' information resources. The 
requirements addressed the entire information life cycle, from 
collection through disposition, in order to reduce information 
collection burdens on the public and to improve the efficiency and 
effectiveness of government.

Amendments to the PRA in 1986 and in 1995 were designed to strengthen 
agency and OMB implementation of the law. Most particularly, the PRA of 
1995 provided detailed agency requirements for each IRM area, to match 
the specific OMB provisions. The 1995 Act also required agencies to 
develop, for the first time, processes to select, control, and evaluate 
the results of major information systems initiatives.

In 1996, the Clinger-Cohen Act supplemented the information technology 
management provisions of the PRA with detailed CIO requirements for IT 
capital planning and investment control and performance and results-
based management.[Footnote 12] The 1996 Act also established the 
position of agency CIO by amending the PRA to rename the senior IRM 
officials CIOs and specifying additional responsibilities for them. 
Among these responsibilities, the act required that the CIOs in the 24 
major departments and agencies specified in 31 U.S.C. 901 have IRM as 
their "primary duty." Accordingly, under current law,[Footnote 13] 
agency CIOs are required to carry out the responsibilities of their 
agencies with respect to information resources management, including: 

* information collection and the control of paperwork;

* information dissemination;

* statistical policy and coordination;

* records management;

* privacy, including compliance with the Privacy Act;

* information security, including compliance with the Federal 
Information Security Management Act;

* information disclosure, including compliance with the Freedom of 
Information Act; and: 

* information technology.

Together, these legislated roles and responsibilities embody the policy 
that CIOs should play a key leadership role in ensuring that agencies 
manage their information functions in a coordinated and integrated 
fashion in order to improve the efficiency and effectiveness of 
government programs and operations.

Scope and Methodology: 

To address the objectives of this review, we first identified and 
reviewed major information and technology management legislative 
requirements. Specifically, we reviewed: 

* the Paperwork Reduction Act of 1995,

* the Clinger-Cohen Act of 1996,

* the E-Government Act of 2002,

* the Federal Information Security Management Act of 2002,

* the Federal Records Act,

* the Freedom of Information Act, and: 

* the Privacy Act of 1974.

We identified the following 13 major areas of CIO responsibilities as 
either statutory requirements or critical to effective information and 
technology management.[Footnote 14]

* IT/IRM strategic planning. CIOs are responsible for strategic 
planning for all information and information technology management 
functions--thus, the term IRM strategic planning [44 U.S.C. 
3506(b)(2)].

* IT capital planning and investment management. CIOs are responsible 
for IT capital planning and investment management [44 U.S.C. 3506(h) 
and 40 U.S.C. 11312 & 11313].

* Information security. CIOs are responsible for ensuring compliance 
with the requirement to protect information and systems [44 U.S.C. 
3506(g) and 3544(a)(3)].

* IT/IRM workforce planning. CIOs have responsibilities for helping the 
agency meet its IT/IRM workforce or human capital needs [44 U.S.C. 
3506(b) and 40 U.S.C. 11315(c)].

* Information collection/paperwork reduction. CIOs are responsible for 
the review of agency information collection proposals to maximize the 
utility and minimize public "paperwork" burdens [44 U.S.C. 3506(c)].

* Information dissemination. CIOs are responsible for ensuring that the 
agency's information dissemination activities meet policy goals such as 
timely and equitable public access to information [44 U.S.C. 3506(d)].

* Records management. CIOs are responsible for ensuring that the agency 
implements and enforces records management policies and procedures 
under the Federal Records Act [44 U.S.C. 3506(f)].

* Privacy. CIOs are responsible for compliance with the Privacy Act and 
related laws [44 U.S.C. 3506(g)].

* Statistical policy and coordination. CIOs are responsible for the 
agency's statistical policy and coordination functions, including 
ensuring the relevance, accuracy, and timeliness of information 
collected or created for statistical purposes [44 U.S.C. 3506(e)].

* Information disclosure. CIOs are responsible for information access 
under the Freedom of Information Act [44 U.S.C. 3506(g)].

* Enterprise architecture. Federal laws and guidance direct agencies to 
develop and maintain enterprise architectures as blueprints to define 
the agency mission, and the information and IT needed to perform that 
mission.

* Systems acquisition, development, and integration. We have found that 
a critical element of successful IT management is effective control of 
systems acquisition, development and integration [44 U.S.C. 3506(h)(5) 
and 40 U.S.C. 11312].

* E-government initiatives. Various laws and guidance direct agencies 
to undertake initiatives to use IT to improve government services to 
the public and internal operations [44 U.S.C. 3506(h)(3) and the E-
Government Act of 2002].

We then developed and administered a questionnaire to the CIOs of the 
27 major departments and agencies requesting information on whether 
these officials were responsible for each of these areas, their 
reporting relationships, their professional and educational 
backgrounds, and their challenges.[Footnote 15] We also asked each 
agency to supply the name, beginning and ending dates in office, and 
circumstances (e.g., whether they were in an acting or permanent 
position) of each of the individuals who had served as CIO at the 
agency since the enactment of the Clinger-Cohen Act. We subsequently 
interviewed each of the CIOs who were in place at the time of our 
review (see app. I for the list of the CIOs) in order to corroborate 
their responses and obtain more detailed explanations of these 
responses. In addition, as applicable, we collected and reviewed the 
resumes or biographies of the current CIOs.

In analyzing CIOs comments on their challenges, two GAO analysts 
reviewed the responses and arrived at agreement for the broad 
categories. Each comment was then placed into one or more of the 
resulting categories, and agreement regarding each placement was 
reached between the two analysts. We also conducted two panel 
discussions with former agency IT executives (six in each panel), 
including former CIOs, that addressed their experiences and challenges. 
Appendix II lists these panelists. Finally, we discussed our findings 
with representatives of OMB's Office of Information and Regulatory 
Affairs and the members of our Executive Council of Information 
Management and Technology--a preexisting panel of outside industry, 
state government, and academic experts--to obtain their views.

We conducted our work at the 27 agencies during November 2003 through 
May 2004 in greater Washington, D.C. in accordance with generally 
accepted government auditing standards.

CIOs Responsible for Most Areas and Generally Reported to Agency Heads: 

CIOs generally were responsible for most of the 13 key areas we had 
identified as either required by statute or among those critical to 
effective information and technology management, and most reported 
directly to their agency heads. All 27 CIOs had responsibility for 5 of 
the 13 areas, such as information security and IT capital planning. Of 
the other eight areas, two of them--information disclosure and 
statistics--were the responsibility of fewer than half of the CIOs. 
This assignment of responsibilities is not consistent with the law. 
However, in those cases where the CIOs were not assigned the expected 
responsibilities and expressed an opinion about this 
situation,[Footnote 16] more than half of the CIOs' responses were that 
the applicable information and technology management areas are 
appropriately held by some other organizational entity. Moreover, 
virtually all of the responses indicated that the CIOs were comfortable 
with their roles. Nevertheless, having these responsibilities performed 
by multiple officials could make the integration of various information 
and technology management areas, as envisioned by the law, more 
difficult to achieve.

In addition to requiring that federal agency CIOs have many specific 
responsibilities, federal law also generally requires that these CIOs 
report directly to their agency heads. This requirement establishes an 
identifiable line of accountability and recognizes the importance of 
CIOs' being full participants in the executive team in order to 
successfully carry out their responsibilities. Nineteen of the CIOs we 
interviewed have a direct reporting relationship to their agency head 
as required by the statute. The other eight have various reporting 
relationships, often through their agencies' senior administrative or 
management executives. While reporting to the agency heads may be a 
means to ensure that the CIO has sufficient stature to "have a seat at 
the table," only about a third of those who did not report to their 
agency heads expressed a concern with their reporting relationships.

Given these results, it is clear that questions arise about whether the 
current statutory framework of roles and responsibilities reflects the 
most effective assignment of information and technology management 
responsibilities. Our work developing a set of best practices for CIOs' 
roles and responsibilities, based on leading organizations in the 
private sector, may shed additional light on this issue.

Agency CIOs Generally Responsible for Most Areas: 

The Congress has assigned a number of responsibilities to the CIOs of 
federal agencies. In addition, we have identified other areas of 
information and technology management that can contribute significantly 
to the successful implementation of information systems and processes.

Figure 1 lists the 13 areas of responsibility and the number of CIOs 
who are assigned responsibility for each (app. III contains additional 
information on each of these areas). Five of the 13 areas of 
responsibility were assigned to every agency CIO. These areas are 
capital planning and investment management, enterprise architecture, 
information security, IT/IRM strategic planning, and IT workforce 
planning. Two of these areas--enterprise architecture and capital 
planning--were mentioned by several CIOs as the mechanisms they use for 
integrating responsibilities across some of the other areas, because, 
for example they can provide a checkpoint where the CIO has the 
opportunity to review proposals and investments before they are funded. 
The governance processes used in implementing enterprise architecture 
and capital planning can also provide the opportunity to ascertain that 
other responsibilities are being executed as required. For example, 
these processes can require that plans for new systems meet security or 
records management standards before they are allowed to progress to the 
next stage of development or funding.

Figure 1: Number of CIOs Reporting That They Were Responsible for Each 
Information and Technology Management Area: 

[See PDF for image] 

[End of figure] 

The next six areas of responsibility shown on the chart--systems 
acquisition, major electronic government (e-gov) initiatives, 
information collection/paperwork reduction, records management, 
information dissemination, and privacy--were assigned to CIOs at 
between 17 and 25 agencies. Although these responsibilities were 
formally assigned to the CIO, it was not uncommon for CIOs to report 
that multiple units contributed to carrying out the activities 
associated with these responsibilities. For example,

* in the management of e-gov initiatives, several CIOs said that they 
managed the overall effort and share responsibility with the functional 
unit;

* in systems acquisition, several agencies reported that responsibility 
is shared among the CIO and other officials, such as a procurement 
executive or program executive. In addition, many CIOs mentioned that 
they provided metrics and measures of ongoing work, while the 
procurement or program executive managed the contractor relationship;

* for records management, several CIOs described execution of 
responsibilities as a cooperative effort with administrative or program 
employees to collect, aggregate, and store the volumes of records;

* responsibility for information dissemination at a few agencies was 
described as being coordinated with the public affairs office, as this 
unit performs quality reviews and the CIO provides technical support; 
and: 

* responsibility for privacy at a few agencies was described as being 
coordinated with the general counsel, as these officials provide high 
level guidance and the CIO implements it.

Finally, information disclosure/Freedom of Information Act and 
statistical policy, both statutory responsibilities of the CIO, are the 
areas least often assigned to the CIO. In these areas, fewer than 10 of 
the CIOs hold responsibility as specified by the PRA. Disclosure is a 
responsibility that has frequently been assigned to offices such as 
general counsel and public affairs in the agencies we reviewed, while 
statistical policy is often the responsibility of separate offices that 
are responsible for agency data analysis, particularly in agencies that 
contain Principal Statistical Agencies.[Footnote 17]

Even for those areas of responsibility that were not assigned to them, 
several CIOs reported that they contributed to the successful execution 
of agency responsibility. For example, a few mentioned that they 
provide technical support for the responsible units, such as assisting 
with Web services for information dissemination or maintaining 
electronic archives for electronic records management. In addition, 
five CIOs mentioned that they supported the unit responsible for 
records management by providing, for example, specific support for the 
design of systems compatible with electronic records management or by 
serving in an oversight or coordination role.

Most CIOs told us they were comfortable with the existing assignment of 
responsibilities, although only five CIOs at the 27 major departments 
and agencies were responsible or shared responsibility for all 13 
information and technology management areas. In fact, one of the panels 
of former agency IT executives suggested that not all 13 areas were 
equally important to CIOs. A few of the former agency IT executives 
even called some of the areas relating to information management 
distractions from the CIO's primary responsibilities. However, this is 
not consistent with the law, which envisioned that having a single 
official responsible for the various information and technology 
functions would provide integrated management. Specifically, one 
purpose of the PRA is to coordinate, integrate, and--to the extent 
practicable and appropriate--make federal information resources 
management policies and practices uniform as a means to improve the 
productivity, efficiency, and effectiveness of government programs by, 
for example, reducing information collection burdens on the public and 
improving service delivery to the public. Moreover, the House Committee 
Report accompanying this act in 1980 described that aligning IRM 
activities under a single authority should provide for greater 
coordination among an agency's information activities as well as 
greater visibility within the agency.[Footnote 18]

Although many agencies did not have the CIO responsible for all IRM 
activities, a number of CIOs described alternative mechanisms that 
their agencies used to coordinate or integrate at least some of the 
activities. Examples of such integrating mechanisms included IRM plans, 
enterprise architecture processes, and IT capital planning processes. 
We agree that such mechanisms can provide elements of integration, but 
we have repeatedly reported that agencies have not effectively 
implemented such activities.[Footnote 19] For example, in January 2004, 
we reported that agencies IRM plans often did not address information 
functions such as information collection, records management, and 
privacy or their coordinated management.[Footnote 20] Accordingly, we 
recommended that OMB develop and disseminate to agencies additional 
guidance on developing their strategic IRM plans.

In addition to specifying areas of responsibility for the CIOs of major 
departments and agencies, the Clinger-Cohen Act calls for certain CIOs 
to have IRM as their primary duty.[Footnote 21] All but a few of the 
agencies complied with this requirement. The other significant duties 
reported by some CIOs generally related to other administrative or 
management areas, such as procurement and human capital. We[Footnote 
22] and Members of Congress[Footnote 23] have previously expressed 
concern about agency CIOs having responsibilities beyond information 
and technology management and have questioned whether split duties 
allow a CIO to deal effectively with an agency's IT challenges. For 
example, we previously recommended that one agency, which had a CIO who 
was also the chief financial officer, appoint a CIO with full-time 
responsibilities for IRM.[Footnote 24] This agency later implemented 
our recommendation, thereby taking a significant step toward addressing 
critical and long-standing information and technology management 
weaknesses.

CIOs Generally Reported to Agency Head: 

Federal law--and our guide on CIOs of leading private sector 
organizations--generally calls for CIOs to report to their agency 
heads,[Footnote 25] forging relationships that ensure high visibility 
and support for far-reaching information management initiatives. 
Nineteen of the CIOs in our review stated that they had this type of 
reporting relationship. In the other eight agencies, the CIOs stated 
that they reported instead to another senior official, for example, a 
deputy secretary, under secretary, or assistant secretary.

Current CIOs and former agency IT executives had mixed views about 
whether it is important for the CIO to report to the agency head. For 
example, of the eight CIOs who did not report directly to their agency 
heads, (1) three indicated that it was important or critical, (2) two 
stated that it was not important, (3) two noted that it was generally 
important but that the current reporting structure at their agencies 
worked well, and (4) one stated that it was very important that a CIO 
report to at least a deputy secretary. In contrast, 15 of the CIOs who 
reported to their agency heads stated that this reporting relationship 
was important. (One agency CIO stated that reporting to the CIO was not 
important, one CIO did not clearly address the question, and this issue 
was not discussed with two CIOs.) For example, one of them stated that 
a direct reporting relationship to the agency head was crucial because 
top management support is essential for CIOs to carry out their 
responsibilities; another CIO pointed out that it is difficult to 
influence IT budget and policy decisions without reporting to the 
agency head. Eight of the 19 CIOs who said that they had a direct 
reporting relationship with the agency head noted that they also report 
to another senior executive, usually the Deputy Secretary or 
Undersecretary for Management, on an operational basis. Finally, 
members of our Executive Council on Information Management and 
Technology, which is composed of noted IT experts, told us that what is 
most critical is for the CIO to report to a top level official.

The members of our panels of former agency IT executives also had 
various views on whether it was important that the CIO report to the 
agency head. For example, one former IT executive stated that such a 
reporting relationship was extremely important, another emphasized that 
organizational placement was not important if the CIO had credibility, 
and others suggested that the CIO could be effective while reporting to 
a chief operating officer. We have explored the application of the 
chief operating officer concept to the federal government environment 
in a roundtable and forum that included participants with current or 
recent executive or management experience.[Footnote 26] While 
participants expressed a range of views on the chief operating officer 
concept and its application to the federal government, there was 
general agreement that there is a need to elevate attention and 
integrate various key management and transformation efforts, as well as 
to institutionalize accountability for addressing them.

As the Congress holds hearings on and introduces legislation related to 
information and technology management, there may be an opportunity to 
consider the results of this review and whether the existing statutory 
framework related to CIO responsibilities and reporting to the agency 
head is the most effective structure. Our work developing a set of best 
practices for CIO roles and responsibilities, based on leading 
organizations in the private sector, may shed additional light on this 
issue.

CIOs Have Diverse Backgrounds and Generally Remained in Office about 2 
Years: 

At the major departments and agencies included in our review, the 
current CIOs had diverse backgrounds, and since the enactment of the 
Clinger-Cohen Act, the median tenure of permanent CIOs whose time in 
office had been completed was about 2 years.[Footnote 27] Both of these 
factors can significantly influence whether a CIO is likely to be 
successful. First, the background of the current CIOs varied in that 
they had previously worked in the government, the private sector, and 
academia, and they had a mix of technical and management experience. 
Because a CIO should be selected based on the specific needs of the 
agency and the type of role that he or she is expected to play, it was 
not unexpected to see such diverse backgrounds. Second, the median time 
in position for agencies' permanent CIOs was 23 months in office. When 
asked how long a CIO needed to stay in office to be effective, the most 
common response of current CIOs and former agency IT executives was 3 
to 5 years. This gap is consistent with the views of many agency CIOs, 
who believed that the turnover rate was high and that the political 
environment, the pay differentials between the public and private 
sectors, and the challenges that CIOs face contributed to this rate. 
Various mechanisms, such as human capital flexibilities, are available 
for agencies to use to help reduce CIO turnover or mitigate its affect.

Current CIOs Have Varied Work and Educational Backgrounds: 

Although the qualifications of a CIO can help determine whether he or 
she is likely to be successful, there is no general agreement on the 
optimal background that a prospective agency CIO should have. The 
conference report accompanying the Clinger-Cohen Act, which established 
the agency CIO position, requires them to possess knowledge of--and 
practical experience in--the information and IT management practices of 
business or government.[Footnote 28] While people like current CIOs and 
former agency IT executives also echoed the need for the CIO to have IT 
experience, other types of background, such as business knowledge, and 
an understanding of how IT can be used to transform agencies and 
improve mission performance were also seen as critical.

The personal attributes of a CIO, such as leadership, communication, 
and political skills can also be key factors in the selection and 
success of a CIO. For example, members of our Executive Council on 
Information Management and Technology, which is composed of noted IT 
experts, told us that a CIO needs personal attributes like leadership 
ability to succeed in aligning the business and IT sides of the 
organization. In particular, he or she must be able to work as a 
partner with other business or program executives and build credibility 
with them, in order to be accepted as a full participant in the 
development of new systems and processes and to achieve successful 
outcomes with IT investments. According to our CIO guide, the degree of 
importance that senior executives place on the various attributes that 
are considered in selecting a CIO depends on the information leadership 
model and the needs of the enterprise.[Footnote 29]

This lack of a standard set of qualifications for CIOs is reflected in 
the varied work and educational backgrounds of current agency CIOs. For 
example, 24 of the CIOs had previously worked for the federal 
government, 16 had worked in private industry, 8 had worked in state 
and local government, 2 had been in academia. Seventeen CIOs had worked 
in some combination of two or more of these sectors. Further, virtually 
all of them had work experience and/or educational backgrounds in IT or 
IT-related fields. For example, 12 current agency CIOs had previously 
served in a CIO or deputy CIO capacity. Those who did not have an IT or 
IT-related professional or educational background had significant non-
IRM responsibilities, and their backgrounds were more specific to their 
other roles (e.g., human capital management). Moreover, most of the 
CIOs had business knowledge related to their agencies because they had 
previously worked at the agency or had worked in an area related to the 
agency's mission. As the diversity of the current CIOs demonstrates, 
there is no single template for a CIO's background; this illustrates 
that an agency head should select someone based on the specific needs 
of the agency and the type of role that he or she is expected to play.

Median Tenure of Agency CIOs Was about 2 Years: 

Another element that influences the likely success of an agency CIO is 
the length of time the individual has to implement change. For example, 
our prior work has noted that the experiences of successful major 
change management initiatives in large private and public sector 
organizations suggest that it can often take at least 5 to 7 years 
until such initiatives are fully implemented and the related cultures 
are transformed in a sustainable manner.[Footnote 30] The need for 
major changes in federal information and technology management is 
demonstrated by our high-risk and performance and accountability series 
reports, which show that there are long-term information and technology 
management problems and challenges facing federal agencies that will 
take years of sustained attention and continuity to resolve.[Footnote 
31]

When asked how long a CIO needed to stay in office to be effective, 
current CIOs and former agency IT executives most commonly responded 3 
to 5 years. In particular, some cited the budget cycle as a reason why 
a CIO needed to be in place for a while in order to allow sufficient 
time for the CIO's vision and priorities to be reflected in the 
agency's budget requests and subsequent appropriations.

Nevertheless, since February 10, 1996 (the date the Clinger-Cohen Act 
was enacted), the median tenure of agencies' permanent CIOs who had 
completed their time in office was about 23 months (see app. IV for a 
chart that illustrates the tenure of each permanent and acting CIO and 
a table that presents further statistical analysis of the tenure 
data).[Footnote 32] Moreover, between February 10, 1996, and March 1, 
2004, only about 35 percent of the permanent CIOs who had completed 
their time in office reportedly stayed in office for a minimum of 3 
years. This is consistent with the views of many agency CIOs, who 
believed that the turnover rate was high. A high turnover rate is a 
problem, according to some current CIOs, because it can negatively 
impact their effectiveness. For example, CIOs may not have time to put 
their agenda in place or form close working relationships with agency 
leadership. Echoing this view, one former agency IT executive stated 
that with too much turnover nothing really substantial is accomplished 
by a CIO.

Among the reasons cited for a high turnover rate were the challenges 
that CIOs face, the political environment, and the pay differentials 
between the public and private sectors. For example, among the 
challenges cited by current CIOs were being perceived as an adversary 
by others in the agency, the complexity of the issues, and the high-
stress nature and long hours typical of the position. Another factor 
affecting the turnover rate is the number of CIOs who were political 
appointees; they stayed about 13 months less than those in career civil 
service positions. Specifically, the median time in position for career 
CIOs who had completed their time in office was about 32 months, while 
the median for political appointees was about 19 months. Nevertheless, 
there was a lack of consensus among the current CIOs and former agency 
IT executives about whether CIOs should be political appointees or not. 
For example, some believed that political CIOs could be more effective 
because they might have more access to, and influence with, the agency 
head. Others believed that CIOs in career positions could be more 
effective because, for example, they would be more likely to understand 
the agency, including its culture and work environment.

A number of mechanisms could be used to ensure continuity in the face 
of frequent CIO changes in agencies. For example, we have previously 
reported that results-oriented performance agreements can help to 
maintain a consistent focus on a set of broad programmatic priorities 
during changes in leadership.[Footnote 33] This can help to reduce 
significant discontinuities in objectives as new CIOs step in. One 
mechanism that came to our attention through our interviews is the 
establishment of a deputy CIO position. A deputy CIO can help to ensure 
continued attention to ongoing objectives when there is a hiatus 
between one CIO and the next. A deputy CIO can also increase the 
effectiveness of the CIO organization by providing skills and work 
experiences that are complementary to those of the CIO. Moreover, the 
appointment of deputy CIOs was anticipated by the Congress when the 
Clinger-Cohen Act was passed. The conference report accompanying the 
act states "the conferees also intend that deputy chief information 
officers be appointed by agency heads that have additional experience 
[in specific technical areas]."[Footnote 34] At the time of our review, 
24 departments and agencies had deputy CIO positions, of which 22 were 
filled. The establishment of this position at almost all of the 
agencies is important because successful information and technology 
management rests on the skills and performance of the entire CIO 
organization within the department and agency--not just the CIO as an 
individual.

In addition to taking action to help ensure continuity, agencies may 
also be able to use human capital flexibilities--which represent the 
policies and practices that an agency has the authority to implement in 
managing its workforce--to help retain its CIOs. For example, our model 
on strategic human capital management notes that recruiting bonuses, 
retention allowances, and skill-based pay can attract and retain 
critical skills needed for mission accomplishment.[Footnote 35] 
Similarly, two members of our panels of former agency IT executives 
stated that the government should examine its rewards systems and learn 
from the private sector's incentive programs. Other panelists asserted 
that additional money is not key to attracting and retaining CIOs; 
instead they cited the importance of nonmonetary incentives, such as 
offering an attractive package of authorities and responsibilities. We 
have previously identified six key practices for the effective use of 
human capital flexibilities, including planning strategically and 
making targeted investments and educating managers and employees on the 
availability and use of flexibilities.[Footnote 36] In addition, we 
have reported that although the Office of Personnel Management has 
taken several actions to assist agencies in the identification and use 
of human capital flexibilities, additional actions by this agency could 
further facilitate the use of flexibilities.[Footnote 37]

Major Challenges Facing Agency CIOs: 

Current CIOs reported that they faced major challenges in fulfilling 
their duties (see fig. 2). In particular, two challenges were cited by 
over 80 percent of the CIOs: implementing effective IT management and 
obtaining sufficient and relevant resources. This indicates that CIOs 
view IT governance processes, funding, and human capital as critical to 
their success. Other common challenges cited were communicating and 
collaborating internally and externally and managing change. 
Effectively tackling these reported challenges can also improve the 
likelihood of CIOs' success. To aid them in addressing the multitude of 
challenges that they face, we have issued guidance that address several 
of the problems they cited.

Figure 2: Major Challenges Facing Agency CIOs: 

[See PDF for image] 

[End of figure] 

Implementing Effective IT Management: 

Leading organizations execute their IT management responsibilities 
reliably and efficiently. A little over 80 percent of the CIOs reported 
that they faced one or more challenges related to implementing 
effective IT management practices at their agencies. This is not 
surprising given that, as we have previously reported, the government 
has not always successfully carried out its responsibilities in the IT 
management areas that were most frequently cited as challenges by the 
CIOs; information security, enterprise architecture, investment 
management, and e-gov.[Footnote 38]

* Fifteen agency CIOs cited managing and improving information security 
as a challenge. For example, one agency CIO cited a challenge of 
increasing the security maturity of his agency while dealing with 
increased security risks and threats; another discussed 
institutionalizing information security policies in the management, 
planning, and operation of over 200 systems. We have previously issued 
guidance addressing security best practices to help agencies with their 
information security challenges.[Footnote 39]

* Fifteen CIOs discussed challenges associated with IT investment 
management, including strengthening an agency's process to help ensure 
that investments are in line with its mission, business needs, and 
enterprise architecture and implementing appropriate IT performance 
measures. For example, one CIO reported a challenge in developing a 
capital planning process that will ensure that the agency's IT 
investments are selected, resourced, and acquired to optimize mission 
accomplishment. This individual further elaborated that the agency's 
capital planning process was unwieldy and, therefore, not a good fit in 
an IT environment that requires agility to deal with a rapid rate of 
change. Another CIO reported problems with performance measurement--
such as a lack of baseline data--and planned to introduce a balanced 
scorecard approach and a portfolio management tool to address this 
challenge. We have previously issued guidance related to IT investment 
management including, most recently, a new version of our framework, 
which offers organizations a road map for improving their IT investment 
management processes in a systematic and organized manner.[Footnote 40]

* Eleven agency CIOs emphasized the building and enforcement of an 
enterprise architecture as challenging. For example, one CIO noted that 
keeping the agency's enterprise architecture up-to-date was a challenge 
in light of evolving federal enterprise architecture guidelines. In 
April 2003, we issued a framework that provides agencies with a common 
benchmarking tool for planning and measuring their efforts to improve 
their enterprise architecture management.[Footnote 41]

* Seven CIOs mentioned that they faced challenges related to 
implementing e-government; two of them citing addressing the e-
government element of the President's Management Agenda as a challenge. 
Other challenges associated with e-government included (1) meeting the 
requirements of the E-Government Act of 2002 (P.L. 107-347), (2) 
needing more comprehensive modernization and/or migration plans that 
incorporate governmentwide solutions, and (3) balancing and integrating 
rapidly evolving e-government initiatives with the need to provide 
responsive ongoing operational support.

In addition to managing IT, agency CIOs also reported challenges 
associated with specific technological solutions. In particular, eight 
CIOs reported dealing with integration and consolidation issues as a 
challenge. Other specific technological challenges included ensuring 
adequate bandwidth and network connectivity.

Obtaining Sufficient and Relevant Resources: 

One key element in ensuring an agency's information and technology 
success is having adequate resources available. Virtually all agency 
CIOs cited resources, both in dollars and staff, as major challenges. 
The funding issues cited generally concerned the development and 
implementation of agency IT budgets and whether certain IT projects, 
programs, or operations were being adequately funded. We have 
previously reported that the way agency initiatives are originated can 
create funding challenges that are not found in the private 
sector.[Footnote 42] For example, certain information systems may be 
mandated or legislated, so the agency does not have the flexibility to 
decide whether or not to pursue them. Additionally, there is a great 
deal of uncertainty over the funding levels that may be available from 
year to year. The multitude of players in the budget process can also 
lead to unexpected changes in funding. The CIOs cited similar 
challenges. They observed some specific budgetary or funding challenges 
such as (1) technology moving faster than the budget process, (2) 
systems requirements not always accompanied by funding, (3) ensuring 
adequate and stable funding to support Office of CIO operations, and 
(4) difficulty prioritizing IT initiatives within the budget to ensure 
that the agency meets Presidential and Secretarial priorities and 
mission.

The government also faces long-standing and widely recognized 
challenges in maintaining a high-quality IT workforce. In 1994 and 
again in 2001, we reported the importance that leading organizations 
placed on making sure they had the right skill mix in their IT 
workforce.[Footnote 43] About 70 percent of the agency CIOs reported on 
a number of substantial IT human capital challenges, including, in some 
cases, the need for additional staff. Examples of specific comments 
follow.

* Recruiting. Seven CIOs named recruiting as a challenge. For example, 
one CIO stated that the hiring process takes too long and that good 
candidates are no longer available by the time the hiring process is 
completed. Another CIO noted that turnover in technical positions is 
high and that that government cannot fill openings as fast as they 
occur.

* Training and development. Seven CIOs listed training and development 
as a challenge. One CIO noted that training funds were inadequate. In 
addition, several CIOs pointed to project management as a particular 
area in need of enhancement.

* Retention. Four CIOs listed retention of high quality skilled staff 
as a challenge. One CIO commented that, as staff become more skilled 
and obtain certifications, they become more difficult to retain and 
that more flexibility in retaining staff was needed.

* Succession planning. Three CIOs cited succession planning as a 
challenge; succession planning can help an organization identify, 
develop, and select human capital to ensure that successors are the 
right people, with the right skills, available at the right time for 
leadership and other key positions.

We have previously reported that many of these same issues exist for 
the government as a whole, not just for information and technology 
management. As a result, in January 2001 and again in January 2003, we 
designated strategic human capital management as a governmentwide high-
risk area.[Footnote 44] Moreover, in June 2004, we reported that within 
the government and the private sector it has been widely recognized 
that the federal government's hiring process is lengthy and cumbersome 
and hampers agencies' ability to hire high-quality people.[Footnote 45] 
We have issued several reports that discuss these issues in more depth 
and provide possible solutions and recommendations.[Footnote 46]

Communicating and Collaborating Internally and Externally: 

Our prior work has shown the importance of communication and 
collaboration, both within an agency and with its external partners. 
For example, one of the critical success factors we identified in our 
CIO guide focuses on the CIO's ability to establish his or her 
organization as a central player in the enterprise.[Footnote 47] 
Specifically, effective CIOs--and their supporting organizations--seek 
to bridge the gap between technology and business by networking 
informally, forming alliances, and building friendships that help 
ensure support for information and technology management. In addition, 
earlier this year we reported that to be a high-performing 
organization, a federal agency must effectively manage and influence 
relationships with organizations outside of its direct 
control.[Footnote 48]

Ten agency CIOs reported that communication and collaboration were 
challenges. For example, one CIO stated that it is a challenge for him 
to deal with the sheer diversity and volume of interactions within and 
outside the agency and with the need to align these organizations' 
agendas with his agency's objectives. Examples of internal 
communication and collaboration challenges included (1) cultivating, 
nurturing, and maintaining partnerships and alliances while producing 
results in the best interest of the enterprise and (2) establishing 
supporting governance structures that ensure two-way communication with 
the agency head and effective communication with the business part of 
the organization and component entities. Other CIOs cited activities 
associated with communicating and collaborating with outside entities 
challenging, including sharing information with partners and 
influencing the Congress and OMB. Although communication and 
collaboration can be problematic, our work on the Year 2000 computing 
challenge demonstrated their value.[Footnote 49] Both effective 
communication and partnering were cited by agencies and others as 
lessons learned that contributed to the government's success in this 
critical effort. Specifically, for the Year 2000 effort, government 
actions went beyond the boundaries of individual programs or agencies 
and involved governmentwide oversight; interagency cooperation; and 
cooperation among federal, state, and local governments; private sector 
entities; and foreign countries.

Managing Change: 

Top leadership involvement and clear lines of accountability for making 
management improvements are critical to overcoming an organization's 
natural resistance to change, marshalling the resources needed to 
improve management, and building and maintaining organizationwide 
commitment to new ways of doing business. Some CIOs reported challenges 
associated with implementing changes--those originating both from 
outside forces and at their own initiative. For example, one CIO found 
it a challenge to maintain compliance with changing regulations and 
ever-increasing executive direction and data calls. Another CIO cited 
dealing with resistance to the use of a rigorous IT methodology as a 
challenge.

Implementing major IT changes can involve not only technical risks, but 
also nontechnical risks, such as those associated with people and the 
organization's culture. Six CIOs cited dealing with the government's 
culture and bureaucracy as challenges to implementing change. For 
example, one CIO reported that there was institutional resistance to 
departmentwide changes. Another noted that one of his challenges was 
breaking down long-standing stovepipes that make no sense in a global 
information environment. Former agency IT executives also cited the 
need for cultural changes as a major challenge facing CIOs. 
Accordingly, in order to effectively implement change, it is important 
that CIOs build understanding, commitment, and support among those who 
will be affected by the change.

In 2002, we convened a forum to identify useful practices and lessons 
learned from major private and public sector organizational mergers, 
acquisitions, and transformations that agencies could implement to 
successfully transform their cultures.[Footnote 50] Examples of the 
nine key practices identified are (1) ensuring that top leadership 
drives the transformation, (2) setting implementation goals and a time 
line to build momentum and show progress, and (3) using the performance 
management system to define responsibility and ensuring accountability 
for change.

Conclusions: 

Agency CIOs generally reported that they had most of the 
responsibilities and reporting relationships required by law or 
critical to effective information and technology management, but there 
were notable exceptions. In particular, contrary to requirements in the 
law, some agency CIOs reported that they were not responsible for 
certain areas, such as records management, and that they did not report 
to their agency heads. However, views were mixed as to whether CIOs 
could be effective leaders without having responsibility for each 
individual area.

The success of the CIO position also hinges, at least in part, on 
whether the individuals placed in this role have the background and 
attributes necessary to assume an agency's IT leadership mantle and 
whether they spend sufficient time in office to implement changes. 
Current agency CIOs have had a wide variety of prior experiences; but 
they generally have work and/or educational backgrounds in IT or IT-
related fields, as well as business knowledge related to their 
agencies. However, most CIOs did not stay in office for 3 to 5 years, 
which was the most common response when we asked current CIOs and 
former agency IT executives how long a CIO needed to be in office to be 
effective. Agencies' use of various mechanisms, such as human capital 
flexibilities, could help reduce the turnover rate or mitigate its 
effect. Reducing turnover among CIOs is important because the length of 
time CIOs are in office can affect their ability to successfully 
address the major challenges they face. Some of these challenges--such 
as how IT projects are originated--may not be wholly within their 
control. Other challenges--such as improved IT management--are more 
likely to be overcome if a CIO has sufficient time to more effectively 
address these issues.

Matter for Congressional Consideration: 

As it holds hearings on and introduces legislation related to 
information and technology management, we suggest that the Congress 
consider the results of this review and whether the existing statutory 
requirements related to CIO responsibilities and reporting to the 
agency heads reflect the most effective assignment of information and 
technology management responsibilities and reporting relationships.

Agency Comments and Our Evaluation: 

We received written or oral responses on a draft of this report from 
OMB and from all 27 of the agencies that were included in our 
review.[Footnote 51] In particular, OMB and three agencies made 
specific comments on the report. These comments and our analysis are 
summarized below: 

* Oral comments were provided by representatives of OMB's Office of 
Information and Regulatory Affairs, Office of Electronic Government and 
Information Technology, and Office of General Counsel. Representatives 
of these offices noted that, although this report focused on the extent 
to which CIOs reported that the areas of responsibility assigned to 
them are consistent with 13 areas that GAO identified as critical to 
effective information and technology management, they were unclear on 
the correlation between or conclusions drawn about who in the agency is 
responsible and whether the agency achieves intended outcomes or 
results. The objective of this review was to determine which 
responsibilities were assigned to current agency CIOs. We did not 
attempt to draw conclusions regarding the relationship between the 
assignment of specific responsibilities and an agency's success in 
achieving desired outcomes in those areas. The OMB representatives also 
noted that only 10 of the 13 areas surveyed by GAO are mandated by 
statute, and they questioned the need to include 3 nonstatutorily-
mandated areas of CIO responsibility in this report. We continue to 
believe that the 3 additional responsibilities included in this report-
-systems acquisition, development, and integration; major e-government 
initiatives; and enterprise architecture--can contribute significantly 
to the successful implementation of information systems and processes. 
Furthermore, these responsibilities are assigned to agencies by statute 
(though not to the CIO explicitly), the President's Management Agenda, 
and OMB's own guidance. The importance of these three areas to CIOs was 
borne out by the fact that over 90 percent of the CIOs have been 
assigned responsibility for them. Finally, the representatives had no 
opinion about whether these areas or the agency official designated to 
be responsible for them are "critical" to effective information and 
technology management, and they drew no conclusions about the adequacy 
or effectiveness of the current statutory framework of CIO 
responsibilities.

* The Department of Defense's Deputy Assistant Secretary of Defense 
(Deputy CIO) agreed with the findings of the report but did not concur 
with our suggestion that the Congress consider the results of our 
review when it holds hearings on and introduces legislation related to 
information and technology management. In particular, Defense 
recommended that either we make no suggestion to the Congress or that 
we suggest that the Congress consider ways to strengthen the CIOs' 
authority and to focus on specific responsibilities for congressional 
review. We agree that strengthening the authority of CIOs can be 
crucial to their success and to the effectiveness of information and 
technology management in their agencies. Nevertheless, with respect to 
reporting to the agency head, the participants in our review offered a 
number of alternative arrangements. These alternatives included 
reporting to a deputy secretary or to a chief operating officer or 
equally high-level official, or maintaining a dual reporting 
relationship that includes the agency head. Such reporting 
relationships may provide the authority and accountability necessary 
for CIOs to be effective in their organizations. Accordingly, we 
continue to believe that such alternatives deserve consideration if the 
Congress holds hearings or introduces legislation related to CIOs' 
reporting relationships. With respect to being more specific in our 
suggestions for changes to CIO responsibilities, we do not want to 
suggest that the Congress constrain the scope of its deliberations 
should it choose to take another look at the responsibilities of the 
CIO. The Department of Defense also provided a technical comment that 
we addressed, as appropriate. Defense's written comments--along with 
our responses--are reproduced in appendix VI.

* The Department of the Interior's Assistant Secretary for Policy, 
Management and Budget provided comments suggesting that the Congress 
consider the impact of continuing changes on the ability of agencies to 
effect those changes. While we recognize that agencies require time to 
implement major changes, we also note that most of the statutory 
requirements considered in our report have been law since 1996. The 
Assistant Secretary also recommended that the CIO continue to be 
required to report to the agency head, which is the reporting 
relationship at Interior. Interior's CIO reporting relationship is 
consistent with the law and potentially provides strong support for the 
CIO in executing his or her responsibilities. However, as we previously 
noted, the participants in our review offered a number of alternative 
reporting arrangements that could provide the CIO with the necessary 
support. We believe that these alternatives deserve consideration. 
Interior's written comments, along with our responses, are reproduced 
in appendix VII.

* The director of the Office of Personnel Management provided written 
comments in which she included several examples of actions the agency 
has taken to encourage the use of human capital management 
flexibilities to recruit and retain a high quality workforce. It was 
outside the scope of this report to review the Office of Personnel 
Management's actions to encourage the use of human capital 
flexibilities. The Office of Personnel Management's written comments, 
and our response, are reproduced in appendix VIII.

With respect to the other agencies in our review, most generally agreed 
with our findings or declined to comment specifically. The agencies' 
responses are as follows: 

* The Department of Agriculture's CIO thanked GAO for the opportunity 
to review the report but provided no further comments. The department's 
written comments are reproduced in appendix V.

* The Department of Commerce's GAO Liaison e-mailed a response in which 
she thanked GAO for the opportunity to review the report but provided 
no further comments.

* A management and program analyst from the Office of the Secretary at 
the Department of Education e-mailed a response in which the department 
provided no comments.

* A program analyst from the Office of the CIO at the Department of 
Energy e-mailed a response in which the department provided no 
comments.

* The Environmental Protection Agency's GAO Liaison Officer e-mailed a 
response in which the agency offered no comments.

* A management analyst at the General Services Administration e-mailed 
a response in which the agency provided no comments.

* The Department of Health and Human Services' E-Gov Program 
Coordinator and CIO provided an e-mail response in which the department 
provided no comments.

* The Department of Homeland Security's GAO Liaison provided an e-mail 
response in which the department offered no comments.

* The director of Department of Housing and Urban Development's Office 
of Management and Planning, Office of Administration, e-mailed a 
response in which the department offered no comments.

* The Department of Justice's Justice Management Division Audit Liaison 
at the Department of Justice provided an e-mail response in which she 
thanked GAO for the opportunity to review the report but provided no 
further comments.

* A senior accountant in the Office of the Chief Financial Officer at 
the Department of Labor e-mailed a response in which the department 
generally agreed with GAO's findings and conclusions. In particular, 
they concurred on the challenges a CIO faces and on other general 
conclusions.

* The National Aeronautics and Space Administration's GAO/OIG Audit 
Liaison Team Leader e-mailed a response in which the agency offered no 
comments.

* The CIO at the National Science Foundation provided e-mail comments 
in which he described the report as very informative and well organized 
and presented. He commented that it is certain to be of use as the 
foundation considers the role of the CIO in the future. He did not have 
any further comments or suggestions.

* The Special Assistant to the CIO at the Nuclear Regulatory Commission 
provided an e-mail response in which he thanked GAO for the opportunity 
to review the report but provided no further comments.

* The Assistant Administrator for Congressional and Legislative Affairs 
at the Small Business Administration provided an e-mail response in 
which he thanked GAO for the opportunity to review the report but 
provided no further comments.

* The audit liaison at the Social Security Administration provided an 
e-mail response in which he thanked GAO for the opportunity to review 
the report but provided no further comments.

* A program analyst at the Department of State provided e-mail comments 
in which she thanked GAO for the opportunity to comment on the report 
and described it as a useful tool for supporting the advancement of 
information technology throughout the federal government. She also 
provided technical comments that we incorporated, as appropriate.

* The Department of Transportation's Director of Audit Relations e-
mailed that the department had no comments.

* The Department of the Treasury's CIO provided written comments in 
which he agreed with the report's identification of the major 
challenges a CIO faces. Treasury's written comments are reproduced in 
appendix IX.

* The U.S. Agency for International Development's Assistant 
Administrator, Bureau for Management, provided written comments in 
which he concurred with the content of the report. The U.S. Agency for 
International Development's written comments are reproduced in 
appendix X.

* The Department of Veterans Affairs' Acting Director of the 
Congressional Reports and Correspondence Service in the Office of 
Congressional and Legislative Affairs provided an e-mail response in 
which he agreed with the information presented in our report.

We are sending copies of this report to the secretaries of the 
Departments of Agriculture, the Air Force, the Army, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, the Navy, 
State, Transportation, the Treasury, and Veterans Affairs; the 
administrators of the Environmental Protection Agency, General Services 
Administration, National Aeronautics and Space Administration, Small 
Business Administration, and U.S. Agency for International Development; 
the commissioners of the Nuclear Regulatory Commission and the Social 
Security Administration; and the directors of the National Science 
Foundation, Office of Management and Budget, and Office of Personnel 
Management. We will also make copies available to others upon request. 
In addition, this report will be available at no charge on the GAO Web 
site at [Hyperlink, http://www.gao.gov].

If you have any questions on matters discussed in this report, please 
contact me at (202) 512-9286 or Lester Diamond, Assistant Director, at 
(202) 512-7957. We can also be reached by e-mail at [Hyperlink, 
pownerd@gao.gov] and [Hyperlink, diamondl@gao.gov], respectively. 
Other key contributors to this report are listed in appendix XI.

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

[End of section]

Appendixes: 

Appendix I: Chief Information Officers (CIO) Interviewed: 

Department/agency: Department of Agriculture; 
Chief information officer[A]: Lawrence Scott Charbo.

Department/agency: Department of Commerce; 
Chief information officer[A]: Tom Pyke.

Department/agency: Department of Defense; 
Chief information officer[A]: John P. Stenbit.

Department/agency: Department of the Air Force; 
Chief information officer[A]: John M. Gilligan.

Department/agency: Department of the Army; 
Chief information officer[A]: Lieutenant General Steven W. Boutelle.

Department/agency: Department of the Navy; 
Chief information officer[A]: David Martin Wennergren.

Department/agency: Department of Education; 
Chief information officer[A]: William J. Leidinger.

Department/agency: Department of Energy; 
Chief information officer[A]: Rosita Ortiz Parkes.

Department/agency: Department of Health and Human Services; 
Chief information officer[A]: Kathleen D. Heuer.

Department/agency: Department of Homeland Security; 
Chief information officer[A]: Steve Cooper.

Department/agency: Department of Housing and Urban Development; 
Chief information officer[A]: Vickers B. Meadows.

Department/agency: Department of the Interior; 
Chief information officer[A]: W. Hord Tipton.

Department/agency: Department of Justice; 
Chief information officer[A]: Vance Hitch.

Department/agency: Department of Labor; 
Chief information officer[A]: Patrick Pizzella.

Department/agency: Department of State; 
Chief information officer[A]: Bruce Morrison.

Department/agency: Department of Transportation; 
Chief information officer[A]: Daniel P. Matthews.

Department/agency: Department of the Treasury; 
Chief information officer[A]: Drew Ladner.

Department/agency: Department of Veterans Affairs; 
Chief information officer[A]: Edward Francis Meagher.

Department/agency: Environmental Protection Agency; 
Chief information officer[A]: Kimberly T. Nelson.

Department/agency: General Services Administration; 
Chief information officer[A]: Michael W. Carleton.

Department/agency: National Aeronautics and Space Administration; 
Chief information officer[A]: Patricia Lee Dunnington.

Department/agency: National Science Foundation; 
Chief information officer[A]: Dr. George O. Strawn.

Department/agency: Nuclear Regulatory Commission; 
Chief information officer[A]: Ellis W. Merschoff.

Department/agency: Office of Personnel Management; 
Chief information officer[A]: Janet L. Barnes.

Department/agency: Small Business Administration; 
Chief information officer[A]: Stephen D. Galvan.

Department/agency: Social Security Administration; 
Chief information officer[A]: Thomas P. Hughes.

Department/agency: U.S. Agency for International Development; 
Chief information officer[A]: John Marshall.

Source: GAO.

[A] These CIOs were in their positions during the time of our review, 
but some are no longer the CIOs at their agencies.

[End of table]

[End of section]

Appendix II: Former Agency Senior Information Technology (IT) Executive 
Panels: 

In March 2004, we held two panels of former agency senior IT 
executives, during which we discussed CIOs' roles and responsibilities, 
reporting relationships, and challenges. Table 1 provides the former 
and current titles of these officials.

Table 1: Former Agency Senior IT Executive Panels: 

Name: First panel, held March 2, 2004.

Name: Mayi Canales; 
Former agency/positions: Department of the Treasury/Acting Deputy 
Assistant Secretary (Information Systems) and CIO; 
Current organization/position: M Squared Strategies, Inc./Chief 
Executive Officer.

Name: Dr. Renato A. DiPentima; 
Former agency/positions: Social Security Administration/Deputy 
Commissioner for Systems; 
Current organization/position: SRA International, Inc./President and 
Chief Operating Officer.

Name: James J. Flyzik; 
Former agency/positions: Department of the Treasury/Deputy Assistant 
Secretary for Information Systems and CIO; 
Current organization/position: Guerra, Kiviat, Flyzik, and Associates, 
Inc./Partner.

Name: Norman E. Lorentz; 
Former agency/positions: U.S. Postal Service/Chief Technology Officer; 
Office of Management and Budget/Chief Technology Officer; 
Current organization/ position: DigitalNet./Senior Vice President, 
Intergovernmental Solutions.

Name: William C. Piatt; 
Former agency/positions: General Services Administration/CIO; 
U.S. Peace Corps/ CIO; 
Current organization/position: Unisys Corporation/Partner, U.S. Federal 
Government Group.

Name: Daniel E. Porter; 
Former agency/positions: Department of the Navy/CIO; 
Current organization/ position: CACI International Inc./ Senior Vice 
President, Navy Account, Defense & Intelligence Business Group.

Name: Second panel, held March 4, 2004.

Name: Roger W. Baker; 
Former agency/positions: Department of Commerce/CIO; 
Current organization/position: General Dynamics Network Systems/Vice 
President, Federal Civilian Operations.

Name: Paul Brubaker; 
Former agency/positions: Department of Defense/Deputy Assistant 
Secretary and Deputy CIO; 
Current organization/position: SI International/Executive Vice 
President and Chief Marketing Officer.

Name: Spain (Woody) Hall, Jr; 
Former agency/positions: Department of Homeland Security/Assistant 
Commissioner and CIO of Customs and Border Protection; 
U.S. Customs Service/Assistant Commissioner and CIO; 
and Department of Energy/ Deputy Assistant Secretary and CIO; 
Current organization/position: Science Applications International 
Corporation/ Enterprise and Infrastructure Solutions Group/Corporate 
Vice President for Project Management.

Name: George R. Molaski; 
Former agency/positions: Department of Transportation/CIO; 
Current organization/ position: e-Associates, LLC/President and Chief 
Executive Officer.

Name: Alvin M. Pesachowitz; 
Former agency/positions: Environmental Protection Agency/Associate 
Assistant Administrator, Office of Environmental Information and CIO; 
Current organization/position: Grant Thornton LLP/Global Government 
Group/Director of IT Consulting.

Name: Debra Stouffer; 
Former agency/positions: Department of Housing and Urban Development/
Deputy CIO for IT Reform; 
Environmental Protection Agency/Chief Technology Officer; 
Current organization/position: DigitalNet./Vice President, Strategic 
Consulting Services.

Source: GAO.

[End of table]

[End of section]

Appendix III: Summary of CIOs' Information Management and Technology 
Responsibilities at Major Departments and Agencies: 

Capital Planning and Investment Management--Federal laws and guidance 
direct agencies to develop and implement processes for IT capital 
planning and investment management. 44 U.S.C. 3506(h) and 40 U.S.C. 
11312 & 11313.

Results; Yes: 27; No: 0.

Summary: 

* Although all the CIOs had primary responsibility for this area, 
several said that other organizational units supported the execution of 
this responsibility, often through diverse membership on an IT 
investment board, which virtually all agencies had in place. At a 
majority of agencies, the CIO chaired this IT investment board. Other 
mechanisms CIOs used to ensure that their responsibilities were being 
executed included making sure appropriate policies and guidance were 
in place, conducting periodic investment reviews, and building strong 
relationships with other officials; 
* Working within the constraints of the federal budget cycle, including 
responding to evolving budget exhibit requirements, was perceived as a 
challenge by almost half of the CIOs, as was working with the business 
side of the agency. Capturing sufficient attention from top management 
to build an effective process was mentioned as a challenge by several 
CIOs. Another challenge was how to exert influence over IT investments 
within agency components. Prioritizing investments and cutting projects 
due to budget constraints was also mentioned by several CIOs.

Enterprise Architecture (EA)--Federal laws and guidance direct agencies 
to develop and maintain enterprise architectures as blueprints to guide 
IT modernization.

Results; Yes: 27; No: 0.

Summary: 

* The CIOs used a variety of mechanisms to address their EA 
responsibilities, such as participating on investment review boards to 
ensure compliance with EA requirements and chairing or participating in 
committees that review and approve EA development activities. Several 
CIOs also said that they promote EA awareness and ensure that the EA 
include key business processes and requirements. Finally, some CIOs 
commented that understanding of and support for the agency EA are 
improving; 
* CIOs said they faced challenges with the activities related to the 
development and implementation of the EA. These challenges included 
documenting the "as is" architecture, including interdependencies and 
interoperability, compliance with the agency EA and the federal 
enterprise architecture, and implementation and transition issues. Of 
the CIOs who reported challenges pertaining to EA activities, among 
other things, they identified obtaining staff buy-in and building 
relationships with business components and field offices as another 
key challenges; 
* Of the CIOs who responded to a question about changes they would 
recommend, 13 commented that no changes were needed to their role, and 
some CIOs described EA legislation and guidance as being adequate. 
However, seven identified the need for changes in other areas, 
including increased support from management and staff, discipline, 
oversight, and improvements in managers' and staff's knowledge and 
skills. Two reported that CIOs needed to play a greater role in EA 
activities.

Information Security--The agency CIO is responsible for protecting 
information and systems. 44 U.S.C. 3506(g) and 3544(a)(3).

Results; Yes: 27; No: 0.

Summary: 

* CIOs described several mechanisms for ensuring that their information 
security responsibilities were being carried out, including periodic 
meetings to review agency security performance, Federal Information 
Security Management Act reporting, vulnerability and intrusion 
detection testing, and risk mitigation strategies. All of the agencies 
had senior information security positions to take direct responsibility 
for this area. Many CIOs mentioned that they followed Federal 
Information Security Management Act guidance and were satisfied with 
it; 
* Challenges in this area included institutionalizing strong security 
practices throughout the agency and reducing the number of networks 
and systems to be secured. In addition, five CIOs mentioned that it was 
difficult to find qualified staff for the security function; 
* Many CIOs expressed concern with the criteria used to score 
information security performance at their agencies. Seven CIOs 
mentioned the need for greater clarity in the definition of information 
security success or progress, and five CIOs suggested that it would be 
helpful if the various oversight bodies could develop a consistent set 
of criteria. Finally, two CIOs suggested that quicker turnaround 
between measuring and reporting performance would present a more 
accurate picture of the actual security condition.

IT/IRM Strategic Planning--The agency CIO is responsible for strategic 
planning for all information and technology management functions--thus, 
the term information resources management (IRM) strategic planning. 44 
U.S.C. 3506(b)(2).

Results; Yes: 27; No: 0.

Summary: 

* In describing how they ensure that this responsibility is being 
carried out, many said they made sure that appropriate policies, 
procedures, or processes were in place. Seven CIOs mentioned using the 
investment management process to ensure that strategic priorities were 
enforced; 
* Nearly half of the CIOs mentioned that coordination across various 
stakeholders was a challenge in this area. Several CIOs also cited 
measuring performance as a challenge; 
* Several CIOs suggested any changes in this area, although three 
mentioned that additional guidance would be beneficial.

IT/IRM Workforce Planning--CIOs have responsibilities for helping the 
agency meet its IT/IRM workforce or human capital needs [44 U.S.C. 
3506(b) and 40 U.S.C. 11315(c)].

Results; Yes: 27; No: 0.

Summary: 

* Responsibility for this area is often shared. Most CIOs worked with 
other organizational units to identify agency workforce needs and 
define gaps in available staff. The process of addressing these gaps - 
through hiring, training, or contracting - was carried out by most CIOs 
in collaboration with the human resources or procurement units of the 
agency; 
* Most CIOs identified personnel management as a key challenge in this 
area, including the ability to attract staff with specific skills 
required, ensure personnel retention, and keep adequate numbers of 
personnel in the IT leadership pipeline. Additionally, several CIOs 
described hiring processes as cumbersome and a factor that tends to 
hinder workforce planning activities.

Major electronic government (e-gov) initiatives--Various laws and 
guidance have directed agencies to undertake a variety of e-gov 
initiatives relating to using IT to improve government services to the 
public, as well as operations within the government.

Results; Yes: 25; No: 2.

Summary: 

* At agencies where CIOs have been given responsibility for major e-gov 
initiatives, CIOs have adopted a number of mechanisms to ensure that 
their responsibilities were being carried out adequately. Several 
agencies have established an e-gov program management office and/or 
have assigned project managers. Several CIOs reported that they use a 
scorecard, or other grading system, to identify strengths and 
weaknesses in their e-gov initiatives. Even when the CIOs have been 
assigned primary responsibility, they sometimes share responsibility 
with the functional unit; 
* A few agencies have assigned responsibility for major e-gov 
initiatives to a senior-level political appointee to raise the 
visibility of the initiatives; 
* Challenges in this area included managing projects of the scale of 
the major e-gov initiatives.

Systems Acquisition, Development, and Integration--GAO found that a 
critical element of successful IT management is effective control of 
systems acquisition, development, and integration.

Results; Yes: 25; No: 2.

Summary: 

* Several CIOs who had responsibility for this area shared that 
responsibility with other officials, including the senior acquisition 
official and system owners. Most CIOs reported that they utilized 
various control processes, such as system review boards and investment 
management boards, to provide oversight of systems acquisition and 
development activities. The enterprise architecture was also mentioned 
as a mechanism to guide these activities and ensure interoperability of 
systems; 
* The two CIOs who did not have responsibility for this area reported 
that they contributed to the successful execution of responsibilities 
by ensuring that systems comply with the EA or other standards. Where 
the CIO did not have primary responsibility, the senior acquisition or 
procurement official usually had that responsibility; 
* Several CIOs mentioned that coordinating activities related to 
systems acquisition was a challenge. Monitoring activities to ensure 
adherence to standards was also mentioned as a challenge. A few CIOs 
also reported that attracting and retaining individuals with expertise 
in acquisition and development was difficult.

Information Collection/Paperwork Reduction--The agency CIO is 
responsible for overseeing a process to review agency information 
collection proposals in order to maximize the utility and minimize the 
public "paperwork" burdens associated with the agency's collection of 
information. 44 U.S.C. 3506(c).

Results; Yes: 22; No: 5.

Summary: 

* Most CIOs said that they focused on statutory and Office of 
Management and Budget (OMB) requirements in meeting their 
responsibilities in this area, and several CIOs noted that they 
developed reports for OMB in this area. Several CIOs specifically 
mentioned the use of internal systems and databases to produce 
automated reports. A few CIOs mentioned using agency Web sites as a 
mechanism to support information collection and paperwork reduction, 
for example, by allowing for public comment on collections. Several 
CIOs described this function as largely administrative and not a 
priority; 
* In most agencies where the CIO did not have this responsibility, 
administrative units carried out these activities; 
* A general lack of understanding of the area and its terminology was 
mentioned as a challenge by a few CIOs. CIOs at a few agencies also 
mentioned that coordinating and implementing their responsibilities 
was difficult when they dealt with large and complex collections.

Records Management--The agency CIO is responsible for ensuring that 
the agency implements and enforces records management policies and 
procedures. 44 U.S.C. 3506(f).

Results; Yes: 21; No: 6.

Summary: 

* Most CIOs with responsibility for records management felt that they 
were the most appropriate official to have that responsibility. Several 
also stated that their involvement in the area has been made more 
important since agencies began maintaining records electronically. Most 
of the CIOs stated that they have developed policies and procedures to 
make sure records management activities are carried out appropriately, 
and a few mentioned they also use OMB and NARA reporting to oversee 
activities in the area; 
* In agencies where the CIO was not responsible for records management, 
various other officials held responsibility, including senior 
administrative officials and General Counsel; 
* A few CIOs mentioned that NARA guidance was continuing to evolve, 
particularly in the area of electronic records. A few CIOs also 
described the need for agencies to become more aware of the value of 
records management and begin to use it to manage the agency's records 
as an asset.

Information Dissemination--The agency CIO is responsible for ensuring 
that the agency's information dissemination activities meet policy 
goals, such as timely and equitable public access to information. 44 
U.S.C. 3506(d).

Results; Yes: 20; No: 7.

Summary: 

* Several CIOs reported that they participate in internal review 
activities to determine compliance with requirements. Five CIOs develop 
policies, procedures, and guidance for information dissemination 
activities. Several CIOs also reported that they shared information 
dissemination responsibilities with other agency staff to fulfill the 
department's information dissemination responsibilities; 
* In those agencies in which the CIO was not responsible for this area, 
responsibility was most often held by the Office of Public Affairs; 
* One CIO said that transitioning from traditional information 
dissemination methods to digital information delivery was presenting 
challenges, including developing appropriate access controls and 
updating policies. A few CIOs also identified challenges in balancing 
security and/or privacy with access to information. Another challenge 
was ensuring consistency in information dissemination activities across 
the agency.

Privacy--The agency CIO is responsible for compliance with the Privacy 
Act and related laws. 44 U.S.C. 3506(g).

Results; Yes: 17; No: 10.

Summary: 

* Of the CIOs holding this responsibility, their responsibilities 
included activities to ensure compliance with privacy laws, such as 
developing privacy policies, conducting privacy impact assessments, and 
monitoring their agency's Web sites. Two CIOs said that they have 
centralized persons or units reporting directly to them that perform 
all information privacy responsibilities. In order to increase staff 
awareness of privacy requirements, a few CIOs conducted training 
programs to address privacy issues; 
* In the agencies in which the CIO did not have responsibility for 
privacy, the responsibility was most often held by the Office of 
General Counsel and various FOIA and Privacy Offices. Only one CIO 
expressed some concern with this assignment of responsibility; 
* A few CIOs reported challenges in distinguishing privacy concerns 
from security concerns and in balancing privacy with requests for 
information. This ambiguity sometimes made it difficult to understand 
if information should be released, or not.

Information Disclosure/Freedom of Information Act (FOIA)--The agency 
CIO is responsible for information access requirements, such as those 
of the FOIA and related laws. 44 U.S.C. 3506(g).

Results; Yes: 9; No: 18.

Summary: 

* Most CIOs with this responsibility reported that it was executed in 
concert with other units. Departmental and component-level FOIA offices 
were most often cited as partners in this area; 
* Where the CIO did not have responsibility for this area, 
responsibility was assigned to units such as department-and component-
level FOIA offices, offices of public affairs, and offices of general 
counsel; 
* Several CIOs reported that the interplay among FOIA, privacy, records 
management, and security sometimes created challenges, such as whether 
to release specific information and under what conditions. Other CIOs 
stated that it is difficult to anticipate the volume and nature of 
requests and to plan accordingly. Coordination of activities with and 
ensuring adherence to standards by component-level organizations was 
also cited as a challenge by a few CIOs.

Statistical Policy and Coordination--The agency CIO is responsible for 
the agency's statistical policy and coordination functions. 44 U.S.C. 
3506(e).

Results; Yes: 8; No: 19.

Summary: 

* CIOs used various mechanisms to ensure that their responsibilities 
were being carried out, including guidance, tools, assessments and 
performance reviews, and information quality reports to OMB. Only 3 
agencies with 1 of the 15 Principal Statistical Agencies[A] had 
assigned responsibility to the CIO; 
* Over half of the CIOs who did not have responsibility for this area 
reported that this function was appropriately assigned to other units. 
No CIOs expressed concern that they should have responsibility if they 
did not. Nine of the agencies where the CIO did not have responsibility 
for this function were home to 1 of the 15 Principal Statistical 
Agencies. 

Source: GAO.

[End of table]

[A] Principal Statistical Agencies include the Bureau of Economic 
Analysis (Department of Commerce), Bureau of Justice Statistics 
(Department of Justice), Bureau of Labor Statistics (Department of 
Labor), Bureau of Transportation Statistics (Department of 
Transportation), Economic Research Service (Department of 
Agriculture), Energy Information Administration (Department of 
Energy), Environmental Protection Agency, Internal Revenue Service's 
Statistics of Income Division (Department of the Treasury), National 
Agricultural Statistics Service (Department of Agriculture), National 
Center for Education Statistics (Department of Education), National 
Center for Health Statistics (Department of Health and Human Services), 
Science Resources Statistics (National Science Foundation), Office of 
Policy (Social Security Administration), Office of Management and 
Budget (Executive Office of the President), and the U.S. Census Bureau 
(Department of Commerce).

[End of section]

Appendix IV: CIO Tenure at Each Department and Agency: 

Agencies provided us with the start and end dates of the tenure of each 
of their CIOs since the passage of the Clinger-Cohen Act in February 
1996. These data are represented in figure 1.

Figure 3: Time Line of CIO Tenure at Each Department and Agency: 

[See PDF for image] 

[End of figure] 

[A] The number of bar elements for an agency may not add up to the 
total in this column because some individual CIOs are shown more than 
once, as their circumstances changed (e.g., an acting CIO that became 
a permanent CIO).

[B] The Department of Defense named this individual as a Senior 
Civilian Official during this time; he had been nominated to the CIO 
position but not yet confirmed by the Senate. However, because the 
department stated that he was serving in the role of the CIO, we 
classified him as an Acting CIO until he was confirmed.

[C] The first CIO for the National Aeronautics and Space Administration 
was in this position prior to the enactment of the Clinger-Cohen Act 
and left in February 1996, the same month that the second CIO was 
named.

[D] The current Department of State CIO was made permanent on February 
25, 2004.

Table 1 contains statistical analysis of the data presented in figure 
1. Computations have been provided both including and excluding the 
current CIOs. In cases where the current CIOs are included, the end of 
their tenure was established as of March 1, 2004, the ending date of 
data collection for this report.

Table 2: Statistical Analysis of CIO Tenure: 

Mean (in months); 
Permanent and acting CIOs including current CIOs: 21; 
Permanent and acting CIOs excluding current CIOs: 21; 
Permanent CIOs including current CIOs: 27; 
Permanent CIOs excluding current CIOs: 30; 
Acting CIOs including current CIOs: 9; 
Acting CIOs excluding current CIOs: 9; 
Only current permanent CIOs: 21.

Median (in months); 
Permanent and acting CIOs including current CIOs: 15; 
Permanent and acting CIOs excluding current CIOs: 15; 
Permanent CIOs including current CIOs: 23; 
Permanent CIOs excluding current CIOs: 23; 
Acting CIOs including current CIOs: 7; 
Acting CIOs excluding current CIOs: 7; 
Only current permanent CIOs: 16.

Minimum (in months); 
Permanent and acting CIOs including current CIOs: 1[A]; 
Permanent and acting CIOs excluding current CIOs: 1[A]; 
Permanent CIOs including current CIOs: 1[A]; 
Permanent CIOs excluding current CIOs: 3[A]; 
Acting CIOs including current CIOs: 1; 
Acting CIOs excluding current CIOs: 1; 
Only current permanent CIOs: 1.

Maximum (in months); 
Permanent and acting CIOs including current CIOs: 94; 
Permanent and acting CIOs excluding current CIOs: 75; 
Permanent CIOs including current CIOs: 94; 
Permanent CIOs excluding current CIOs: 75; 
Acting CIOs including current CIOs: 26; 
Acting CIOs excluding current CIOs: 26; 
Only current permanent CIOs: 94.

Number of CIOs in this population; 
Permanent and acting CIOs including current CIOs: 108; 
Permanent and acting CIOs excluding current CIOs: 81; 
Permanent CIOs including current CIOs: 74; 
Permanent CIOs excluding current CIOs: 49; 
Acting CIOs including current CIOs: 34; 
Acting CIOs excluding current CIOs: 32; 
Only current permanent CIOs: 25.

Number of CIOs in office less than 3 years; 
Permanent and acting CIOs including current CIOs: 89; 
Permanent and acting CIOs excluding current CIOs: 64; 
Permanent CIOs including current CIOs: 55; 
Permanent CIOs excluding current CIOs: 32; 
Acting CIOs including current CIOs: 34; 
Acting CIOs excluding current CIOs: 32; 
Only current permanent CIOs: 23.

Number of CIOs in office greater than 5 years; 
Permanent and acting CIOs including current CIOs: 4; 
Permanent and acting CIOs excluding current CIOs: 3; 
Permanent CIOs including current CIOs: 4; 
Permanent CIOs excluding current CIOs: 3; 
Acting CIOs including current CIOs: 0; 
Acting CIOs excluding current CIOs: 0; 
Only current permanent CIOs: 1.

Number of CIOs in office between 3 and 5 years; 
Permanent and acting CIOs including current CIOs: 15; 
Permanent and acting CIOs excluding current CIOs: 14; 
Permanent CIOs including current CIOs: 15; 
Permanent CIOs excluding current CIOs: 14; 
Acting CIOs including current CIOs: 0; 
Acting CIOs excluding current CIOs: 0; 
Only current permanent CIOs: 1.

Percentage of CIOs in office at least 3 years; 
Permanent and acting CIOs including current CIOs: 18%; 
Permanent and acting CIOs excluding current CIOs: 21%; 
Permanent CIOs including current CIOs: 26%; 
Permanent CIOs excluding current CIOs: 35%; 
Acting CIOs including current CIOs: 0%; 
Acting CIOs excluding current CIOs: 0%; 
Only current permanent CIOs: 8%. 

Source: GAO.

Note: CIOs who moved from acting to permanent status have been treated 
as if they were permanent the entire time, and calculations were 
performed on their aggregated time as one length of service. Also, 
these acting CIOs who became permanent were not included in the acting 
calculations above.

[A] The first CIO for the National Aeronautics and Space Administration 
was in the CIO position prior to the enactment of the Clinger-Cohen Act 
and left in February 1996, the same month that the second CIO was 
named. The numbers listed for minimum tenure are the next shortest 
tenure.

[End of table]

[End of section]

Appendix V: Comments from the Department of Agriculture: 

USDA:

June 29, 2004:

David A. Powner, Director:
Information Technology Management Issues: 
U.S. General Accounting Office:
441 G. Street, N.W.: 
Washington, D.C. 20548:

Dear Mr. Powner:

The U.S Department of Agriculture has reviewed draft report number GAO-
04-823 entitled "Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges."

We thank you for the opportunity to review the report. Based on our 
review, we have no comments.

If additional information is needed, please have a member of your staff 
contact Sherry Linkins, Office of the Chief Information Officer audit 
liaison, on (202) 720-9293.

Sincerely,

Signed by: 

Scott Charbo:
Chief Information Officer:

[End of section]

Appendix VI: Comments from the Department of Defense (including the 
Departments of the Air Force, Army, and Navy): 

DEPARTMENT OF DEFENSE:

6000 DEFENSE PENTAGON: 
WASHINGTON, DC 20301-6000:

CHIEF INFORMATION OFFICER:

July 1, 2004:

FAX TRANSMITTAL:

Mr. David Powner: 
Director: 
Information Technology Management Issues: 
U.S. General Accounting Office: 
Washington, DC 20548:

Dear Mr. Powner.

The Department of Defense (DOD) appreciates the opportunity to respond 
to the GAO draft report on "FEDERAL CHIEF INFORMATION OFFICERS: 
Responsibilities, Reporting Relationships, Tenure, and Challenges," 
dated July 2004 (GAO Code 310455/GAO-04-823).

The Department agrees with the findings in the report. However, we non-
concur with GAO's recommendation/suggestion that Congress consider the 
legislative requirements related to the Chief Information Officer (CIO) 
responsibilities and the requirement for CIOs to report directly to the 
agency head. The Department's comments and supporting rationale are 
enclosed.

My point of contact for this matter is Ms. Joyce France. You may 
contact her at (703) 604-1489 ext. 114 or by email 
joyce.france@osd.mil.

Sincerely,

Signed by: 

Priscilla E. Cruthrie: 
Deputy Assistant Secretary of Defense (Deputy CIO):

Enclosure As Stated:

Department of Defense Comments/Rationale:

(1) GAO Recommendation/Suggestion: Review Statutory Requirements of 
CIOs Reporting to the Agency Head:

FIndings/Justification: The GAO report reviewed whether CIOs were 
reporting to the agency head as required. by law. Twenty-one of the 27 
(77%) agencies stated that reporting to the agency head was important 
or critical. In contrast, only two CIOs (who do not currently report 
directly to the agency head) stated that it was not important. 
Accordingly, these numbers indicate that most CIOs think it is 
important or critical that the CIO report to the agency head or at 
least, the deputy. Moreover, members of GAO's Executive Council and 
members of GAO's panels of former agency information technology 
executives expressed views that support this finding. However, the 
report discounts the views expressed by the two thirds of the current 
CIOs who replied that the reporting relationship to the agency head was 
important. The above statistics should be reflected in GAO's 
conclusion, which alters the recommendation contained in the report.

Recommendation: In light of this finding, no recommendation should be 
made at all; or a recommendation that Congressional consideration 
should be given as to how to strengthen the CIO's reporting 
relationship and authority given today's environment where information 
and information technology are paramount in carrying out an Agency's 
mission.

(2) GAO Recommendation/Suggestion: Review Statutory Requirements 
Related to CIO Responsibilities:

Findings/Justification: During the study, GAO reviewed 13 statutory 
responsibilities and interviewed 27 Agency CIOs. The discussion on 
pages 11-16 found that all 27 CIOs had responsibility for IT capital 
planning, architecture, security, strategic planning and IT workforce. 
Twenty-five CIOs had some responsibility (albeit shared) for e-Gov 
initiatives, system acquisition, development and integration. In 
contrast, only approximately one-third had responsibility for 
information disclosure/freedom of information act (FOIA) and 
statistical policy.

Recommendation: Consistent with the GAO findings, we propose if there 
is to be a GAO recommendation/suggestion in this area, it be expanded 
to focus on specific CIO responsibilities that Congress should review 
in light of the findings above, i.e., few COs had information 
disclosure/FOIA and statistical policy responsibilities. The 
recommendation should be more focused vice an open-ended 
recommendation.

Technical Comment: Appendix IV, Figure 1: Dr. Wells is neither a career 
civil servant nor a political appointee. He is a "Schedule C" employee. 

The following are GAO's comments on the Department of Defense's letter 
dated July 1, 2004.

GAO Comments: 

1. We agree with the Department of Defense that strengthening the 
authority of CIOs in many of the areas for which they have 
responsibility can be crucial to their success and to the effectiveness 
of information and technology management in their agencies. However, we 
do not agree that there was an overall consensus that CIOs should 
report to their agency heads. The participants in our review offered a 
number of alternative reporting arrangements, including reporting to a 
deputy secretary or to a chief operating officer or equally high-level 
official, or maintaining a dual reporting relationship that includes 
the agency head. While such reporting relationships are not necessarily 
directly to the agency head, they may provide the authority and 
accountability necessary for CIOs to be effective in their 
organizations. We believe these alternatives deserve consideration if 
the Congress holds hearings or introduces legislation related to CIOs' 
reporting relationships.

2. We disagree that our Matter for Congressional Consideration should 
be more specific. While the two responsibilities mentioned by the 
Department of Defense clearly differ from the others in the number of 
CIOs reporting that they hold responsibility, the Congress has 
established a coordinated approach to managing federal agencies' 
information resources. As the Congress considers future statutory 
frameworks, this same coordinated approach may well be critical in its 
deliberations. Given the broad range of the Congress's purview, we do 
not want to suggest that the Congress constrain the scope of its 
deliberations should it choose to take another look at the 
responsibilities of the CIO.

3. We believe that we accurately characterized Dr. Wells's status. The 
Office of Personnel Management has used the term "political appointees" 
in various documents to describe Schedule C appointees.

[End of section]

Appendix VII: Comments from the Department of the Interior: 

United States Department of the Interior:
OFFICE OF THE ASSISTANT SECRETARY: 
POLICY, MANAGEMENT AND BUDGET: 
Washington, DC 20240:

JUL 06 2004:

David A. Powner: 
Director: 
Information Technology Management Issues: 
U. S. General Accounting Office:
441 G Street, NW, Room 2T23: 
Washington, DC 20548:

Dear Mr. Powner:

Thank you for the opportunity to review and provide comments on the 
General Accounting Office (GAO) draft report entitled, "Federal Chief 
Information Officers: Responsibilities, Reporting Relationships, 
Tenure, and Challenges" (GAO-04-823). While the report makes no direct 
recommendation to change laws governing infornation technology (IT), it 
appears to imply the need for changes. The report correctly notes the 
time required to implement new changes, and that all agencies have not 
yet fully implemented the current requirements. This would strongly 
argue the need for stability in the laws rather than changes. In 
considering changes to the laws governing IT, please consider the 
impact of continuing changes to the ability of agencies to affect those 
changes.

In one particular area, the Department of the Interior (DOI) recommends 
the requirements remain constant: the Chief Information Officer reports 
directly to the Secretary. This level of attention to IT needs is 
critical to being able to accomplish all the other requirements. The 
Secretary's personal involvement in IT at DOI, along with the personal 
involvement of her management team, are key factors in the evolutionary 
improvements we have made.

For additional information, please contact W. Hord Tipton at (202) 208 
6194.

Sincerely:

Signed by: 

P. Lynn Scarlett: 
Assistant Secretary: 
Policy Management and Budget: 

The following are GAO's comments on the Department of the Interior's 
letter dated July 6, 2004.

GAO Comments: 

1. While we recognize that agencies require time to implement major 
changes, most of the statutory requirements considered in our report 
have been law since 1996. Since the findings of our report indicate 
that opinions are mixed on whether the current statutory framework is 
the most appropriate, we continue to believe that if the Congress holds 
hearings or introduces legislation related to the CIOs' reporting 
relationships, the findings of this report should be considered.

2. We believe it is critical for CIOs to have the authority and 
accountability that they need in order to be effective in their 
organizations. The Department of the Interior's approach, with the CIO 
reporting to the Secretary, is consistent with the law and potentially 
provides strong support for the CIO in executing his responsibilities. 
However, the participants in our review offered a number of alternative 
reporting arrangements that could provide the CIO with the necessary 
support; these included reporting to a deputy secretary, to a chief 
operating officer, or equally high level official, or maintaining a 
dual reporting relationship that includes the agency head. We believe 
these alternatives deserve consideration if the Congress holds hearings 
or introduces legislation related to the CIOs' reporting relationships.

[End of section]

Appendix VIII: Comments from the Office of Personnel Management: 

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT: 
WASHINGTON, DC 20415-1000: 

OFFICE OF THE DIRECTOR: 

David Powner: 
Director, Information Technology Management Issues: 
General Accounting Office: 
Washington, DC: 

July 6, 2004:

[See PDF for page 1 of letter]

Furthermore, in just the last few months, OPM has:

* On June 29, 2004, hosted a training symposium for 230 agency Chief 
Human Capital Officers (CHCO) and human resources professionals from 30 
Federal agencies on hiring flexibilities currently available to improve 
the federal hiring process. The all-day symposium featured sessions on 
various hiring flexibilities. including sessions on veterans hiring and 
student and excepted service employment authorities. as well as a 
review of re-engineering efforts by the Air Force to improve hiring 
processes and reduce the lapse rate in filling jobs.

* At our June 17, 2004, CHCO Academy meeting offered a review of hiring 
authorities and flexibilities applicable to veterans. students and 
recent college graduates. The meeting included a detailed discussion of 
the appointing authorities agency managers and HR officials have at 
their disposal to hire qualified veterans, including those with 
service-connected disabilities, reviewed the Veterans' Recruitment 
Appointment (VRA), Veterans Employment Opportunities Act (VEOA) 
Appointment, and the hiring authority for veterans with a 30 percent or 
more service-connected disability rating. The meeting also focused on 
Direct-Hire Authority and Category Rating, human resources tools OPM 
has made available to agencies to expedite the hiring of highly 
qualified individuals. The meeting also sparked dialogue about the 
government's Presidential Management Fellows (PMF) Program, which 
attracts people with post-graduate degrees in public administration and 
a variety of other disciplines, and prepares them for ascension into 
top leadership posts. The new Senior Presidential Management Fellows 
Program, a component of the PMF Program, is designed to attract mid-
level, private-sector employees for appointment to the upper 
professional ranks.

* On June 15, 2004, hosted a Best Practices Showcase featuring NASA's 
strategic human capital initiatives for over 200 agency senior human 
capital leaders, senior executives and managers, and human resource 
professionals. The objective of the showcase was to highlight proven 
practices that other Federal agencies can adopt to improve human 
capital systems. The showcase included presentations by several of 
NASA's senior management, and breakout sessions on performance culture, 
leadership and knowledge management, and talent - the key drivers in 
transforming Federal agencies into results-oriented employers that 
attract, retain and reward a highly performing workforce. During a 
panel discussion, NASA fielded questions on how they obtained the NASA 
Workforce Flexibilities Act of 2004, how they plan to use the various 
employment flexibilities provided by OPM and this legislation, and 
their expected results in revitalizing their workforce.

* Recently hosted a briefing on the results of our Federal hiring 
survey to inform interest groups about progress being made in the on-
going effort to streamline the Federal Government's hiring process. 
Attending the briefing were representatives from the Partnership for 
Public Service, National Academy of Public Administration. National 
Hispanic Association of Federal Executives and the Society for Human 
Resource Management. During the briefing, OPM Senior Policy Advisor to 
the Director, Dr. Doris L. Hausser highlighted the critical role that 
the managers who are selecting among applicants, as well as human 
resources professionals, play within federal agencies. The briefing 
included discussion on existing hiring flexibilities, expediting the 
hiring process, and using the available appointing authorities, 
including those for veterans and students. At the conclusion of the 
meeting, pertinent materials on the results of the survey and other 
aspects of the federal hiring process were distributed.

* On May 26, 2004, hosted a special Veteran Employment Symposium at the 
Ronald Reagan Building and International Trade Center for agency human 
capital leaders, human resources specialists. and program managers on 
veterans' preference and recruitment. The all-day event focused on 
advancing existing policies and strategies to recruit veterans into the 
Federal work force, and to reiterate that veterans preference is the 
law and not a courtesy.

* On May 25, 2004, convened a meeting of the Chief Human Capital 
Officers Council and the leaders of America's Veterans Service 
Organizations at Walter Reed Army Medical Center. Attendees were 
reminded that there are no longer any excuses for not using the many 
hiring authorities available to Federal agencies to bring veterans into 
the Federal service.

OPM is very aware that recruitment and retention is a critical human 
capital issue for the Federal Government, whether it be Chief 
Information Officers, IT specialists or any other occupation important 
to mission accomplishment, and we continue to take steps to assist 
agencies in ensuring they have a workforce capable of meeting their 
strategic goals. At the same time, Federal agencies must, and are, 
increasing acknowledging their role in utilizing available 
flexibilities to recruit and retain a quality workforce.

In summary, this report refers to previous GAO report recommendations 
from 2002 and 2003 citing the need for additional actions to further 
facilitate the use of human resources management flexibilities. 
Numerous actions have, in fact, been taken.

Sincerely,

Signed by: 

Kay Coles James: 
Director:  

[End of section]

Appendix IX: Comments from the Department of the Treasury: 

DEPARTMENT OF THE TREASURY: 
WASHINGTON, D.C. 20220:

JUL 2 2004: 

Mr. Lester Diamond: 
Assistant Director: 
Information Technology Management Issues: 
General Accounting Office: 
441 G Street, NW Room 5T37: 
Washington, DC 20548:

Re: Comments on Draft Report--"Federal ChiefInformation Officers: 
Responsibilities Reporting Relationships, Tenure, and Challenges" 
(Report #GAO-040-823):

Dear Mr. Diamond:

I would like to thank the Government Accounting Office for allowing 
Treasury to participate in the development of this report including 
commenting on the initial draft. The overall draft report correctly 
identifies the major challenges facing agency CIO's such as 
implementing effective IT management, obtaining sufficient and relevant 
resources, communicating and collaborating internally and externally, 
and managing change.

I am confident GAO's final report will provide valuable information on 
the importance of the CIO and their role as information technology 
leaders. Furthermore, the final report is critical to underscore the 
challenges we face, particularly in transitioning to on-line business 
and environments through E-government initiatives. 

I look forward to reviewing the final report when issued. If you have 
any questions, please feel free to contact me at 202-622-1200 or via 
email at ira.hobbs@do.treas.gov.

Sincerely, 

Signed by: 

Ira L. Hobbs:

Chief Information Officer: 

[End of section]

Appendix X: Comments from the U.S. Agency for International 
Development: 

USAID:

U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT:

June 25, 2004:

David Powner: 
Director: 
Information Technology Management Issues:
U.S. General Accounting Office:
441 G Street, N.W.:
Washington, D.C. 20548:

Dear Mr. Powner:

I am pleased to provide the U.S. Agency for International Development's 
(USAID's) formal response on the draft GAO report entitled "Federal 
Chief Information Officers: Responsibilities, Reporting, 
Relationships, Tenure, and Challenges" (June 2004).

We concur in the content of the report and have no comments.

Thank you for the opportunity to respond to the GAO draft report and 
for the courtesies extended by your staff in the conduct of this 
review.

Sincerely,

Signed by: 

John Marshall: 
Assistant Administrator:
Bureau for Management: 

[End of section]

Appendix XI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Lester Diamond, 202-512-7957 or [Hyperlink, diamondl@gao.gov] 

Staff Acknowledgments: 

Neha Bhavsar, Margaret W. Davis, Neil J. Doherty, Joanne Fiorino, Evan 
B. Gilman, Peggy A. Hegg, Ashfaq M. Huda, Robert G. Kershaw, Linda J. 
Lambert, Mary Beth McClanahan, David F. Plocher, and Cynthia J. Scott 
made key contributions to this report.

(310455): 

FOOTNOTES

[1] U.S. General Accounting Office, Improving Government: Actions 
Needed to Sustain and Enhance Management Reforms, GAO/T-OCG-94-1 
(Washington, D.C.: Jan. 27, 1994), Government Reform: Using 
Reengineering and Technology to Improve Government Performance, GAO/T-
OCG-95-2 (Washington, D.C.: Feb. 2, 1995), and Government Reform: 
Legislation Would Strengthen Federal Management of Information and 
Technology, GAO/T-AIMD-95-205 (Washington, D.C.: July 25, 1995).

[2] U.S. General Accounting Office, High-Risk Series: An Update, GAO-
03-119 (Washington, D.C.: January 2003) and Major Management Challenges 
and Program Risks: A Governmentwide Perspective, GAO-03-95 (Washington, 
D.C.: January 2003).

[3] U.S. General Accounting Office, Maximizing the Success of Chief 
Information Officers: Learning from Leading Organizations, GAO-01-376G 
(Washington, D.C.: February 2001).

[4] These areas are further defined in the Scope and Methodology 
section of this report.

[5] This section of the U.S. Code requires 24 departments and agencies 
to establish chief financial officers. We did not include the Federal 
Emergency Management Agency in our review, even though it is 1 of the 
24 departments and agencies, because this agency has been transferred 
to the Department of Homeland Security. 

[6] The 27 agencies covered by this report are the Departments of 
Agriculture, the Air Force, the Army, Commerce, Defense, Education, 
Energy, Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, the Navy, State, 
Transportation, the Treasury, and Veterans Affairs; and the 
Environmental Protection Agency, General Services Administration, 
National Aeronautics and Space Administration, National Science 
Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development.

[7] The Clinger-Cohen Act requirement that agency CIOs have IRM as 
their primary duty applies to the major departments and agencies listed 
in 31 U.S.C. 901(b), which does not include the Department of Homeland 
Security, or the military departments of the Air Force, the Army, and 
the Navy.

[8] The Homeland Security Act of 2002 states that the CIO for the 
Department of Homeland Security shall report to the Secretary of 
Homeland Security or to another official as directed by the Secretary. 
As allowed by the law, the Secretary has directed the CIO to report to 
the Under Secretary of Management.

[9] GAO-03-119 and GAO-03-95. 

[10] IRM is the process of managing information resources to accomplish 
agency missions and to improve agency performance. 

[11] P.L. 96-511, December 11, 1980.

[12] P.L. 104-106, February 10, 1996. The law, initially entitled the 
Information Technology Management Reform Act (ITMRA), was subsequently 
renamed the Clinger-Cohen Act in P.L. 104-208, September 30, 1996.

[13] The E-Government Act of 2002 reiterated agency responsibility for 
information resources management. P.L. 107-347, December 17, 2002.

[14] Three areas of responsibility--enterprise architecture, systems 
acquisition, development and integration, and e-government 
initiatives--are not assigned to CIOs by statute; they are assigned to 
the agency heads by law or guidance. However, in virtually all 
agencies, the agency heads have delegated these areas of responsibility 
to their CIOs.

[15] The 23 major departments and agencies identified in 31 U.S.C. 901, 
the Department of Homeland Security, and the 3 military services (see 
footnote 6 for a list of agencies).

[16] Out of a total of 69 possible responses (instances of CIOs without 
responsibility for one or more of the 13 information and technology 
management areas), CIOs expressed an opinion on whether they had any 
concerns with their agency's assignment in 42 instances.

[17] Principal Statistical Agencies include the Bureau of Economic 
Analysis (Department of Commerce), Bureau of Justice Statistics 
(Department of Justice), Bureau of Labor Statistics (Department of 
Labor), Bureau of Transportation Statistics (Department of 
Transportation), Economic Research Service (Department of 
Agriculture), Energy Information Administration (Department of 
Energy), Environmental Protection Agency, Internal Revenue Service's 
Statistics of Income Division (Department of the Treasury), National 
Agricultural Statistics Service (Department of Agriculture), National 
Center for Education Statistics (Department of Education), National 
Center for Health Statistics (Department of Health and Human Services), 
Science Resources Statistics (National Science Foundation), Office of 
Policy (Social Security Administration), Office of Management and 
Budget (Executive Office of the President), and the U.S. Census Bureau 
(Department of Commerce).

[18] U.S. House of Representatives, Paperwork Reduction Act of 1980, 
House Report 96-835, (Washington, D.C.: Mar. 19, 1980).

[19] See, for example, U.S. General Accounting Office, Information 
Technology Management: Governmentwide Strategic Planning, Performance 
Measurement, and Investment Management Can Be Further Improved, GAO-04-
49 (Washington, D.C.: Jan. 12, 2004) and Information Technology: 
Leadership Remains Key to Agencies Making Progress on Enterprise 
Architecture Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003).

[20] GAO-04-49. 

[21] The Clinger-Cohen Act requirement that agency CIOs have IRM as 
their primary duty applies to the major departments and agencies listed 
in 31 U.S.C. 901(b), which does not include the Department of Homeland 
Security, or the military departments of the Air Force, the Army, and 
the Navy.

[22] U.S. General Accounting Office, Chief Information Officers: 
Ensuring Strong Leadership and an Effective Council, GAO/T-AIMD-98-22 
(Washington, D.C.: Oct. 27, 1997).

[23] U.S. Senate Committee on Governmental Affairs, Paperwork Reduction 
Act of 1995, Senate Report 104-8 (Washington, D.C.: Jan. 30, 1995).

[24] U.S. General Accounting Office, VA Information Technology: 
Improvements Needed to Implement Legislative Reforms, GAO/AIMD-98-154 
(Washington, D.C.: July 7, 1998). 

[25] The Homeland Security Act of 2002 states that the CIO for the 
Department of Homeland Security shall report to the Secretary of 
Homeland Security or to another official as directed by the Secretary. 
As allowed by the law, the Secretary has directed the CIO to report to 
the Under Secretary for Management.

[26] U.S. General Accounting Office, Highlights of a GAO Roundtable: 
The Chief Operating Officer Concept: A Potential Strategy to Address 
Federal Governance Challenges, GAO-03-192SP (Washington, D.C.: Oct. 4, 
2002) and Comptroller General's Forum: High-Performing Organizations: 
Metrics, Means, and Mechanisms for Achieving High Performance in the 
21ST Century Public Management Environment, GAO-04-343SP (Washington, 
D.C.: Feb. 13, 2004). 

[27] We did not include acting CIOs in this calculation, unless the 
acting CIO later was put in the permanent position. Further analysis of 
tenure data is provided in appendix IV.

[28] House of Representatives, National Defense Authorization Act for 
Fiscal Year 1996, Conference Report to Accompany S.1124, House Report 
104-450 (Washington, D.C.: Jan. 22, 1996). 

[29] GAO-01-376G.

[30] U.S. General Accounting Office, Results-Oriented Cultures: 
Implementation Steps to Assist Mergers and Organizational 
Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003).

[31] For the most recent reports, see GAO-03-119 and GAO-03-95.

[32] We did not include acting CIOs in this calculation--unless the 
acting CIO was later put in the permanent position--but about three-
quarters of the agencies had acting CIOs at some time since the 
inception of the Clinger-Cohen Act. The median tenure of acting CIOs 
who had completed their time in office was about 7 months. 

[33] U.S. General Accounting Office, Managing For Results: Emerging 
Benefits From Selected Agencies' Use of Performance Agreements, GAO-01-
115 (Washington, D.C.: Oct. 30, 2000).

[34] House Report 104-450.

[35] U.S. General Accounting Office, A Model of Strategic Human Capital 
Management, GAO-02-373SP, Exposure Draft (Washington, D.C.: Mar. 15, 
2002). 

[36] U.S. General Accounting Office, Human Capital: Effective Use of 
Flexibilities Can Assist Agencies in Managing Their Workforces, GAO-03-
2 (Washington, D.C.: Dec. 6, 2002). 

[37] U.S. General Accounting Office, Human Capital: OPM Can Better 
Assist Agencies in Using Personnel Flexibilities, GAO-03-428 
(Washington, D.C.: May 9, 2003). 

[38] See, for example, U.S. General Accounting Office, High-Risk 
Series: Protecting Information Systems Supporting the Federal 
Government and the Nation's Critical Infrastructures; GAO-03-121 
(Washington, D.C.: Jan. 1, 2003); GAO-04-49; GAO-04-40; and GAO-03-95.

[39] U.S. General Accounting Office, Executive Guide: Information 
Security Management: Learning from Leading Organizations, GAO/AIMD-98-
68 (Washington, D.C.: May 1, 1998) and Information Security Risk 
Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 
(Washington, D.C.: Nov. 1, 1999).

[40] U.S. General Accounting Office, Information Technology Investment 
Management: A Framework for Assessing and Improving Process Maturity, 
Version 1.1, GAO-04-394G (Washington, D.C.: Mar. 1, 2004). See also, 
U.S. General Accounting Office, Executive Guide: Measuring Performance 
and Demonstrating Results of Information Technology Investments, GAO/
AIMD-98-89 (Washington, D.C.: Mar. 1, 1998).

[41] U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 1, 
2003). 

[42] U.S. General Accounting Office, Chief Information Officers: 
Implementing Effective CIO Organizations, GAO/T-AIMD-00-128 
(Washington, D.C.: Mar. 24, 2000). 

[43] U.S. General Accounting Office, Executive Guide: Improving Mission 
Performance Through Strategic Information Management and Technology, 
GAO/AIMD-94-115 (Washington, D.C.: May 1, 1994) and GAO-01-376G.

[44] U.S. General Accounting Office, High-Risk Series: An Update, GAO-
01-263 (Washington, D.C.: January 1, 2001) and High-Risk Series: 
Strategic Human Capital Management, GAO-03-120 (Washington, D.C.: 
January 2003). 

[45] U.S. General Accounting Office, Human Capital: Additional 
Collaboration Between OPM and Agencies Is Key to Improved Federal 
Hiring, GAO-04-797 (Washington, D.C.: June 7, 2004).

[46] See U.S. General Accounting Office, Human Capital: A Guide for 
Assessing Strategic Training and Development Efforts in the Federal 
Government, GAO-04-546G (Washington, D.C.: Mar. 1, 2004); Human 
Capital: Selected Agencies' Experiences and Lessons Learned in 
Designing Training and Development Programs, GAO-04-291 (Washington, 
D.C.: Jan. 30, 2004); Human Capital: Key Principles for Effective 
Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 
2003); Human Capital: Insights for U.S. Agencies from Other Countries 
Succession Planning and Management Initiatives, GAO-03-914 
(Washington, D.C.: Sept. 15 , 2003); Human Capital: Opportunities to 
Improve Executive Agencies' Hiring Processes, GAO-03-450 (Washington, 
D.C.: May 30, 2003); Human Capital: OPM Can Better Assist Agencies in 
Using Personnel Flexibilities, GAO-03-428 (Washington, D.C.: May 9, 
2003); and Information Technology Training: Practices of Leading 
Private-Sector Companies, GAO-03-390 (Washington, D.C.: Jan. 31, 2003).

[47] GAO-01-376G. 

[48] GAO-04-343SP. 

[49] U.S. General Accounting Office, Year 2000 Computing Challenge: 
Lessons Learned Can Be Applied to Other Management Challenges, GAO/
AIMD-00-290 (Washington, D.C.: Sept. 12, 2000).

[50] U.S. General Accounting Office, Highlights of a GAO Forum: Mergers 
and Transformation: Lessons Learned for a Department of Homeland 
Security and Other Federal Agencies, GAO-03-293SP (Washington, D. C.: 
Nov. 14, 2002), Results-Oriented Cultures: Implementation Steps to 
Assist Mergers and Organizational Transformation, GAO-03-669 
(Washington, D.C.: July 2, 2003).

[51] DOD submitted a single letter that included comments from the 
Departments of the Air Force, Army, and Navy.

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 



Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: