This is the accessible text file for GAO report number GAO-11-634 
entitled 'Federal Chief Information Officers: Opportunities Exist to 
Improve Role in Information Technology Management' which was released 
on October 17, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to the Committee on Homeland Security and Governmental Affairs, 
U.S. Senate: 

September 2011: 

Federal Chief Information Officers: 

Opportunities Exist to Improve Role in Information Technology 
Management: 

GAO-11-634: 

GAO Highlights: 

Highlights of GAO-11-634, a report to the Committee on Homeland 
Security and Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

The federal government invests billions in information technology (IT) 
each year to help agencies accomplish their missions. Federal law, 
particularly the Clinger-Cohen Act of 1996, has defined the role of 
Chief Information Officer (CIO) as the focal point for IT management 
within agencies. Given the longstanding challenges the government 
faces in managing IT and the continued importance of the CIO, GAO was 
asked to (1) determine the current roles and responsibilities of CIOs, 
(2) determine what potential modifications to the Clinger-Cohen Act 
and related laws could be made to enhance CIOs’ authority and 
effectiveness, and (3) identify key lessons learned by CIOs in 
managing IT. To do this, GAO administered a questionnaire to 30 CIOs, 
compared responses to legislative requirements and the results of a 
2004 GAO study, interviewed current CIOs, convened a panel of former 
agency CIOs, and spoke with the Office of Management and Budget’s 
(OMB) Federal CIO. 

What GAO Found: 

CIOs do not consistently have responsibility for 13 major areas of IT 
and information management as defined by law or deemed as critical to 
effective IT management, but they have continued to focus more 
attention on IT management-related areas. Specifically, most CIOs are 
responsible for seven key IT management areas: capital planning and 
investment management; enterprise architecture; information security; 
IT strategic planning, “e-government” initiatives; systems 
acquisition, development, and integration; and IT workforce planning. 
By contrast, CIOs are less frequently responsible for information 
management duties such as records management and privacy requirements, 
which they commonly share with other offices or organizations within 
the agency. In this regard, CIOs report spending over two-thirds of 
their time on IT management responsibilities, and less than one-third 
of their time on information management responsibilities. CIOs also 
report devoting time to other responsibilities such as addressing 
infrastructure issues and identifying emerging technologies. Further, 
many CIOs serve in positions in addition to their role as CIO, such as 
human capital officer. In addition, tenure at the CIO position has 
remained at about 2 years. Finally, just over half of the CIOs 
reported directly to the head of their respective agencies, which is 
required by law. The CIOs and others have stressed that a variety of 
reporting relationships in an agency can be effective, but that CIOs 
need to have access to the agency head and form productive working 
relationships with senior executives across the agency in order to 
carry out their mission. 

Federal law provides CIOs with adequate authority to manage IT for 
their agencies; however, some limitations exist that impede their 
ability to exercise this authority. Current and former CIOs, as well 
as the Federal CIO, did not identify legislative changes needed to 
enhance CIOs’ authority and generally felt that existing law provides 
sufficient authority. Nevertheless, CIOs do face limitations in 
exercising their influence in certain IT management areas. 
Specifically, CIOs do not always have sufficient control over IT 
investments, and they often have limited influence over the IT 
workforce, such as in hiring and firing decisions and the performance 
of component-level CIOs. More consistent implementation of CIOs’ 
authority could enhance their effectiveness in these areas. OMB has 
taken steps to increase CIOs’ effectiveness, but it has not 
established measures of accountability to ensure that responsibilities 
are fully implemented. 

CIOs identified a number of best practices and lessons learned for 
more effectively managing IT at agencies, and the Federal CIO Council 
has established a website to share this information among agencies. 
Agencies have begun to share information in the areas of vendor 
communication and contract management; the consolidation of multiple 
systems into an enterprise solution through the use of cloud services; 
and program manager development. However, CIOs have not implemented 
structured agency processes for sharing lessons learned. Doing so 
could help CIOs share ideas across their agencies and with their 
successors for improving work processes and increasing cost 
effectiveness. 

What GAO Recommends: 

GAO is recommending that OMB update its guidance to establish measures 
of accountability for ensuring that CIOs’ responsibilities are fully 
implemented and encourage agencies to establish internal processes for 
documenting lessons learned. In commenting on a draft of this report, 
OMB officials generally agreed with GAO’s findings and stated that OMB 
had taken actions that they believed addressed the recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-11-634] or key 
components. For more information, contact Valerie C. Melvin at (202) 
512-6304 or melvinv@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Current Agency CIOs Do Not Have Responsibility for All Assigned Areas: 

Federal Law Provides Adequate Authority, but Limitations Exist in 
Implementation for IT Management: 

A Structured Process Could Improve Sharing of Lessons Learned within 
Agencies: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Chief Information Officers Interviewed: 

Appendix III: Former Agency CIO Panel Participants: 

Appendix IV: Summary of CIOs' Information Management and Technology 
Responsibilities: 

Appendix V: CIO Tenure at Each Agency: 

Appendix VI: Comments from the Department of Defense: 

Appendix VII: Comments from the Department of Homeland Security: 

Appendix VIII: Comments from the Office of Personnel Management: 

Appendix IX: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Major Areas of CIO Responsibility in IT Management and 
Information Management: 

Table 2: Time Allocated as Reported by CIOs: 

Table 3: Comparison of Current CIO Backgrounds with Those of CIOs in 
2004: 

Table 4: Comparison of CIO Tenure During 1996-2004 and 2004-2011: 

Table 5: Former Agency Chief Information Officer Panel: 

Table 6: Summary of CIO Responses to Questions on IT Strategic 
Planning: 

Table 7: Summary of CIO Responses to Questions for IT Workforce 
Planning: 

Table 8: Summary of CIO Responses to Questions for Capital Planning 
and Investment Management: 

Table 9: Summary of CIO Responses to Questions for Information 
Security: 

Table 10: Summary of CIO Responses to Questions for Enterprise 
Architecture: 

Table 11: Summary of CIO Responses to Questions on Systems 
Acquisition, Development, and Integration: 

Table 12: Summary of CIO Responses to Questions for E-government 
Initiatives: 

Table 13: Summary of CIO Responses to Questions on Information 
Collection/Paperwork Reduction: 

Table 14: Summary of CIO Responses to Questions for Information 
dissemination: 

Table 15: Summary of CIO Responses to Questions on Information 
Disclosure: 

Table 16: Summary of CIO Responses to Questions for Statistical Policy 
and Coordination: 

Table 17: Summary of CIO Responses to Questions for Records Management: 

Table 18: Summary of CIO Responses to Questions for Privacy: 

Table 19: Statistical Analysis of CIO Tenure (2004-2011): 

Figures: 

Figure 1: Comparison of Number of CIOs Assigned Responsibility for IT 
Management and Information Management Areas between 2004 and 2011: 

Figure 2: CIO Tenure--Acting and Permanent: 

Figure 3: CIO Tenure--Career and Political Appointees: 

Abbreviations: 

CIO: Chief Information Officer: 

FISMA: Federal Information Security Management Act: 

FOIA: Freedom of Information Act: 

IRM: information resources management: 

IT: information technology: 

OMB: Office of Management and Budget: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

September 15, 2011: 

The Honorable Joseph I. Lieberman: 
Chairman: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

In fiscal year 2011, the federal government estimates spending 
approximately $79 billion for information technology (IT) investments. 
Although the government makes these substantial annual investments, it 
faces longstanding problems in its management of IT. Our most recent 
high-risk series update[Footnote 1] continues to identify high-risk 
modernization efforts and governmentwide IT management challenges. 
Further, our recent report on opportunities to reduce potential 
duplication in government programs identified numerous areas in which 
IT programs could be consolidated or better managed to save taxpayer 
dollars and help agencies provide more efficient and effective 
services.[Footnote 2] 

Over the years, Congress has enacted various laws in an attempt to 
improve the government's performance in IT management. One of these 
laws--the Clinger-Cohen Act of 1996[Footnote 3]--required agency heads 
to designate Chief Information Officers (CIO) to lead reforms that 
would help control system development risks; better manage technology 
spending; and achieve real, measurable improvements in agency 
performance. Additionally, we have long been proponents of having 
strong agency CIOs in place to lead federal agencies in managing IT. 
Recognizing the key role of CIOs in helping agencies achieve better 
results through IT, in July 2004, we reported our findings from a 
congressionally requested study that examined federal agency CIOs' 
roles and responsibilities, reporting relationships, tenure, and 
challenges.[Footnote 4] That study, undertaken about 8 years following 
the enactment of the Clinger-Cohen Act, noted a number of findings 
regarding the extent to which CIOs had responsibilities for key IT 
management and other areas we identified as required by statute or as 
critical to IT management.[Footnote 5] For example, we reported that 
few CIOs were responsible for all key IT and information management 
areas and generally reported to their agency heads or other top-level 
managers. Also, the CIOs had cited challenges in implementing 
effective IT management and obtaining sufficient and relevant 
resources, among others. 

It has now been 15 years since enactment of the Clinger-Cohen Act, and 
recognizing the continued importance of the CIO position to achieving 
better results through IT management, you requested that we conduct a 
follow-up study of federal agency CIOs. As agreed, our objectives were 
to (1) determine the current roles and responsibilities of CIOs, (2) 
determine what potential modifications to the Clinger-Cohen Act and 
related laws could be made to enhance CIOs' authority and 
effectiveness, and (3) identify key lessons learned by CIOs in 
managing information technology. 

To address these objectives, we administered a questionnaire to the 
CIOs of 30 federal departments and agencies (24 entities identified in 
the Chief Financial Officers Act, the 3 military departments, and 3 
independent federal agencies).[Footnote 6] We asked CIOs about their 
roles and responsibilities, reporting relationships with the agency 
head, and changes needed to their authority and effectiveness in 
addressing areas of IT management. We also inquired about any 
experiences of these CIOs that could potentially serve as lessons 
learned in managing information technology. We then compared the 
questionnaire responses to statutory requirements for CIO roles and 
responsibilities. Further, we compared the overall findings with those 
in our 2004 report to identify any differences or trends in CIOs' 
responses. Subsequently, we conducted semi-structured interviews with 
each of the CIOs who were in office at the time of our review to 
corroborate and supplement information we received in the survey. In 
addition, we convened a panel of nine former federal CIOs to obtain 
their views on the roles and responsibilities of federal CIOs, based 
on their prior experiences serving in the position. Finally, we met 
with the Federal CIO to discuss IT reform initiatives being undertaken 
by the Office of Management and Budget (OMB) to enhance and clarify 
the roles of federal CIOs. 

We conducted this performance audit at the 30 agencies and OMB from 
June 2010 to September 2011 in the Washington, D.C., metropolitan area 
in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. A more 
complete description of our objectives, scope, and methodology is 
provided in appendix I. The 30 CIOs and 9 former CIOs included in our 
study are identified in appendixes II and III, respectively. 

Background: 

Congress has long recognized that IT has the potential to enable 
federal agencies to accomplish their missions more quickly, 
effectively, and economically. However, fully exploiting this 
potential has presented longstanding challenges to agencies, and 
despite substantial IT investments, the federal government's 
management of IT has produced mixed results. The CIO position was 
established by Congress to serve as a focal point for IT within an 
agency to address these challenges. 

Legislative Evolution of Agency CIO Roles and Responsibilities: 

Since l980, federal law has placed the management of IT under the 
umbrella of information resources management (IRM).[Footnote 7] 
Originating in a l977 recommendation to Congress from the Commission 
on Federal Paperwork, the IRM approach was first enacted into law in 
the Paperwork Reduction Act of l980.[Footnote 8] This act required OMB 
to oversee federal agency IRM areas, which combined IT with 
information management areas, including information collection, 
records management, and privacy.[Footnote 9] The law also gave 
agencies a more general responsibility to carry out their IRM 
activities in an efficient, effective, and economical manner and to 
comply with OMB policies and guidelines. To assist in this effort, the 
law required that each agency head designate a senior official who 
would report directly to the agency head to carry out the IRM 
responsibilities of the agency under the law. 

Amendments to the Paperwork Reduction Act in l986 and l995 were 
designed to strengthen agency and OMB implementation of the law. 
[Footnote 10] Most particularly, the act's 1995 amendments provided 
detailed agency requirements for each IRM area, to match the specific 
OMB provisions.[Footnote 11] In addition, these amendments required 
agencies to develop, for the first time, processes to select, control, 
and evaluate the results of major information systems 
initiatives.[Footnote 12] Under the Paperwork Reduction Act, as 
amended through 1995, senior IRM officials were required to carry out 
the responsibilities of their agencies with respect to IRM and report 
directly to the head of the agency. 

In l996, the Clinger-Cohen Act supplemented the information technology 
management provisions of the Paperwork Reduction Act with detailed 
requirements for IT capital planning and investment control and 
performance and results-based management.[Footnote 13] The Clinger- 
Cohen Act also established the position of agency CIO by amending the 
Paperwork Reduction Act to rename the senior IRM officials "chief 
information officers" and specifying additional responsibilities for 
them.[Footnote 14] 

Accordingly, agency CIOs are required by law to carry out the 
responsibilities of their agencies with respect to: 

* information collection and control of paperwork; 

* information dissemination; 

* statistical policy and coordination; 

* records management; 

* privacy, including compliance with the Privacy Act;[Footnote 15] 

* information security, including compliance with the Federal 
Information Security Management Act (FISMA);[Footnote 16] 

* information disclosure, including compliance with the Freedom of 
Information Act (FOIA);[Footnote 17] and: 

* information technology management. 

Specifically, with regard to IT management, the CIO is responsible for: 

* implementing and enforcing applicable governmentwide and agency IT 
management policies, principles, standards, and guidelines; 

* assuming responsibility and accountability for IT investments; 

* assuming responsibility for maximizing the value and assessing and 
managing the risks of IT acquisitions through a process that, among 
other things, is integrated with budget, financial, and program 
management decisions, and provides for the selection, management, and 
evaluation of IT investments; 

* establishing goals for improving the efficiency and effectiveness of 
agency operations through the effective use of IT; 

* developing, maintaining, and facilitating the implementation of a 
sound, secure, and integrated IT architecture; and: 

* monitoring the performance of IT programs and advising the agency 
head whether to continue, modify, or terminate such programs. 

Together, these statutory responsibilities require CIOs to be key 
leaders in managing IT and other information functions in a 
coordinated fashion in order to improve the efficiency and 
effectiveness of programs and operations. 

Prior Reports on CIOs' Roles and Responsibilities: 

We have previously reported on the status of agency CIOs, including 
their roles and responsibilities, reporting relationships, 
backgrounds, and challenges. We have also reported on private-sector 
CIO roles and responsibilities and challenges and compared them with 
those of federal CIOs. 

In October l997, we testified on an OMB evaluation of the status of 
agency CIO appointments at 27 federal agencies shortly after enactment 
of the Clinger-Cohen Act.[Footnote 18] In that testimony, we noted 
that OMB had identified several agencies where the CIO's duties, 
qualifications, and placement met the requirements of the Clinger-
Cohen Act. According to OMB, these CIOs had experience, both 
operationally and technically, in leveraging the use of information 
technology, capital planning, setting and monitoring performance 
measures, and establishing service levels with technology users. 
However, OMB had expressed concerns about the number of other agencies 
that had acting CIOs, and about CIOs whose qualifications did not 
appear to meet the requirements of the Clinger-Cohen Act or who did 
not report directly to the head of the agency. We pointed out that OMB 
had also raised concerns about agencies where the CIOs had other major 
management responsibilities or where it was unclear whether the CIO's 
primary duty was the IRM function. Our testimony emphasized the 
importance of OMB following through on its efforts to assess CIO 
appointments and resolve outstanding issues. We noted that, despite 
the urgent need to deal with major challenges, including poor security 
management, and the need to develop, maintain, and facilitate 
integrated systems architectures to guide agencies' system development 
efforts, there were many instances of CIOs who had responsibilities 
beyond IRM. While some of these CIOs' additional responsibilities were 
minor, in many cases they included major duties, such as financial 
operations, human resources, procurement, and grants management. We 
stressed that asking the CIO to shoulder a heavy load of 
responsibilities would make it extremely difficult, if not impossible, 
for that individual to devote full attention to IRM issues. 

In July 2004, we reported the results of our study, based on a 
questionnaire and interviews with CIOs at the same 27 major 
departments and agencies that OMB had previously evaluated.[Footnote 
19] Our study examined 13 major areas of CIO responsibilities--7 areas 
predominantly in IT management and 6 areas predominantly in 
information management, as defined by the relevant laws or deemed 
critical to the effective management of IT. These areas are described 
in table 1, along with the relevant source. 

Table 1: Major Areas of CIO Responsibility in IT Management and 
Information Management: 

IT management areas: 

CIO responsibility: IT strategic planning; 
Description: CIOs are responsible for strategic planning for all 
information and information technology management functions [Paperwork 
Reduction Act]. 

CIO responsibility: IT workforce planning; 
Description: CIOs are responsible for assessing agency information and 
IT workforce needs and developing strategies and plans for meeting 
those needs [Paperwork Reduction Act and Clinger-Cohen Act]. 

CIO responsibility: Capital planning and investment management; 
Description: CIOs are responsible for a process for selecting, 
controlling, and evaluating IT investments to produce business value, 
reduce investment-related risks, and increase accountability and 
transparency in the investment decision-making process [Paperwork 
Reduction Act and Clinger-Cohen Act]. 

CIO responsibility: Information security; 
Description: CIOs are responsible for ensuring agency compliance with 
requirements to protect information and systems [Paperwork Reduction 
Act, Federal Information Security Management Act, and Clinger-Cohen 
Act]. 

CIO responsibility: Enterprise architecture; 
Description: CIOs are responsible for developing and maintaining an 
enterprise architecture--the business and technology blueprint that 
links an agency's strategic plan to IT programs and supporting system 
implementations [Clinger-Cohen Act].[A]. 

CIO responsibility: Systems acquisition, development, and integration; 
Description: CIO IT management responsibilities should include a 
primary role in developing and enforcing policies for systems 
acquisition, development, and integration with existing systems 
[Paperwork Reduction Act and Clinger-Cohen Act]. 

CIO responsibility: E-government initiatives; 
Description: CIOs are responsible for promoting the use of IT, 
including the Internet and emerging technologies, to improve the 
productivity, efficiency, and effectiveness of agency operations, 
programs, and services [Paperwork Reduction Act, Clinger-Cohen Act, E-
Government Act]. 

Information management areas: 

CIO responsibility: Information collection/paperwork reduction; 
Description: CIOs are responsible for the review of agency information 
collection proposals to maximize utility and minimize public paperwork 
burdens [Paperwork Reduction Act]. 

CIO responsibility: Information dissemination; 
Description: CIOs are responsible for ensuring that the agency's 
information dissemination activities meet policy goals, such as timely 
and equitable public access to information [Paperwork Reduction Act]. 

CIO responsibility: Information disclosure; 
Description: CIOs are responsible for ensuring appropriate information 
disclosure under the Freedom of Information Act [Paperwork Reduction 
Act]. 

CIO responsibility: Statistical policy and coordination; 
Description: CIOs are responsible for agency statistical policy and 
coordination functions, including ensuring the relevance, accuracy, 
and timeliness of information collected or created for statistical 
purposes [Paperwork Reduction Act]. 

CIO responsibility: Records management; 
Description: CIOs are responsible for ensuring that the agency 
implements and enforces the records management policies and procedures 
required by the Federal Records Act [Paperwork Reduction Act]. 

CIO responsibility: Privacy; 
Description: CIOs are responsible for ensuring agency compliance with 
the Privacy Act and related laws [Paperwork Reduction Act]. 

Source: GAO analysis of applicable legislation. 

[A] The Clinger-Cohen Act mandate for CIOs to develop and implement 
agencywide information technology architectures has been implemented 
under OMB guidance (consistent with GAO best practices) for the 
development and implementation of enterprise architectures. 

[End of table] 

Our study found that CIOs were not responsible for all of the 
information and IT management areas. Specifically, all CIOs were 
responsible for only 5 of the 13 areas, while less than half of the 
CIOs were assigned responsibility for information disclosure and 
statistical policy and coordination. Overall, the views of these CIOs 
were mixed as to whether they could be effective leaders without 
having responsibility for each individual area. 

The 2004 study also examined the backgrounds and tenure of CIOs, 
noting that they had a wide variety of prior experiences, but 
generally had work or educational backgrounds in IT or IT-related 
fields, as well as business knowledge related to their agencies. The 
CIOs and former agency IT executives in the study believed it was 
necessary for a CIO to stay in office for 3 to 5 years to be 
effective. However, at the time of our study, the median tenure of 
permanent CIOs whose time in office had been completed was about 2 
years. 

Based on the study, we also reported on major challenges that the 
federal CIOs said they faced in fulfilling their duties. In this 
regard, over 80 percent of the CIOs had cited implementing effective 
IT management and obtaining sufficient and relevant resources as 
challenges. We stressed that effectively tackling these reported 
challenges could improve the likelihood of a CIO's success. Further, 
we highlighted the opportunity for Congress to consider whether the 
existing statutory requirements related to CIO responsibilities and 
reporting to the agency head reflected the most effective assignment 
of information and technology management responsibilities and 
reporting relationships. 

In September 2005,[Footnote 20] we reported on the results of our 
study of 20 CIOs of leading private-sector companies.[Footnote 21] We 
noted that most of the private-sector CIOs had full or shared 
responsibility for 9 of 12 functional areas that we had explored. 
[Footnote 22] For the most part, the responsibilities assigned to 
these private-sector CIOs were similar to those assigned to federal 
CIOs. In only three areas (information dissemination and disclosure, 
information collection, and statistical policy) did half or fewer of 
the CIOs have responsibility. In 4 of the 12 functional areas, the 
difference between the private-sector CIOs and federal CIOs was 
greater.[Footnote 23] Fewer of the private-sector CIOs had these 
responsibilities in each case. We also reported that private-sector 
CIOs faced challenges related to increasing IT's contribution to their 
organization's bottom line--such as controlling IT costs, increasing 
IT efficiencies, and using technology to improve business processes. 

Prior GAO Reports Identified Challenges within IT and Information 
Management: 

Although agencies have taken constructive steps to improve IT and 
information management policies and practices, including through 
activities of CIOs, we have continued to identify and report on long- 
standing challenges in the key areas addressed in this report. 

Information Technology Management: 

IT strategic planning: In January 2004,[Footnote 24] we reported on 
the status of agencies' plans for applying information resources to 
improve the productivity, efficiency, and effectiveness of government 
programs. At that time, we noted that agencies generally had IT 
strategic plans that addressed elements such as information security 
and enterprise architecture, but did not cover key areas specified in 
the Paperwork Reduction Act. Agencies cited a variety of reasons for 
not having addressed these areas, including that the CIO position had 
been vacant, that not including a requirement in guidance was an 
oversight, or that the process was being revised. We pointed out that, 
not only are these practices based on law, executive orders, OMB 
policies, and our guidance, but they are also important ingredients 
for ensuring effective strategic planning, performance measurement, 
and investment management, which, in turn, make it more likely that 
the billions of dollars in government IT investments will be wisely 
spent. We made a number of recommendations, including that each agency 
take action to address IT strategic planning, performance measurement, 
and investment management practices that were not fully in place. 

IT workforce planning: In 1994 and 2001,[Footnote 25] we reported on 
the importance that leading organizations placed on making sure they 
had the right mix of skills in their IT workforce. In our 2004 report 
on CIOs' roles and responsibilities,[Footnote 26] about 70 percent of 
the agency CIOs reported on a number of substantial IT human capital 
challenges, including, in some cases, the need for additional staff. 
Other challenges included recruiting, retention, training and 
development, and succession planning. In February 2011, we identified 
strategic human capital management as a governmentwide high-risk area 
after finding that the lack of attention to strategic human capital 
planning had created a risk to the federal government's ability to 
serve the American people effectively.[Footnote 27] As our previous 
reports have made clear, the widespread lack of attention to strategic 
human capital management in the past has created a fundamental 
weakness in the federal government's ability to perform its missions 
economically and efficiently. 

Capital planning and investment management: Since 2002, using our 
investment management framework,[Footnote 28] we have reported on the 
varying extents to which federal agencies have implemented sound 
practices for managing their IT investments. In this regard, we 
identified agencies that have made significant improvements by using 
the framework in implementing capital planning processes. In contrast, 
however, we have continued to identify weaknesses at agencies in many 
areas, including immature management processes to support both the 
selection and oversight of major IT investments and the measurement of 
actual versus expected performance in meeting established performance 
measures.[Footnote 29] For example, in 2007, we reported that two 
agencies did not have the processes in place to effectively select and 
oversee their major investments.[Footnote 30] In June 2009,[Footnote 
31] we reported that about half of the projects we examined at 24 
agencies did not receive selection reviews (to confirm that they 
support mission needs) or oversight reviews (to ensure that they were 
meeting expected cost and schedule targets). Specifically, 12 of the 
24 reviewed projects that were identified by OMB as being poorly 
planned did not receive a selection review, and 13 of 28 poorly 
performing projects we examined had not received an oversight review 
by a department-level oversight board. Accordingly, we made 
recommendations to multiple agencies to ensure that the projects 
identified in the report as not having received oversight reviews 
received them. 

Information security: Our reviews have noted significant information 
security control deficiencies that place agency operations and assets 
at risk. In addition, over the last several years, most agencies have 
not implemented controls to sufficiently prevent, limit, or detect 
access to computer networks, systems, or information. An underlying 
cause for information security weaknesses identified at federal 
agencies is that they have not yet fully or effectively implemented 
key elements for an agencywide information security program, as 
required by FISMA. To address these and other challenges, we have 
recommended that agencies fully implement comprehensive, agencywide 
information security programs by correcting shortcomings in risk 
assessments, information security policies and procedures, security 
planning, security training, system tests and evaluations, and 
remedial actions. Due to the persistent nature of information security 
vulnerabilities and the associated risks, we continue to designate 
information security as a governmentwide high-risk issue in our most 
recent biennial report to Congress,[Footnote 32] a designation we have 
made in each report since 1997. 

Enterprise architecture: We have reported on the status of major 
federal department and agency enterprise architecture efforts. 
[Footnote 33] We found that the state of the enterprise architecture 
programs at the major federal departments and agencies was mixed, with 
several having very immature programs, several having more mature 
programs, and most being somewhere in between. Collectively, agencies 
faced barriers or challenges in implementing their enterprise 
architectures, such as overcoming organizational parochialism and 
cultural resistance, having adequate resources (human capital and 
funding), and fostering top management understanding. To assist the 
agencies in addressing these challenges, we have made numerous 
recommendations aimed at ensuring that their respective enterprise 
architecture programs develop and implement plans for fully satisfying 
each of the conditions in our enterprise architecture management 
maturity framework.[Footnote 34] In addition, in our most recent high- 
risk update report[Footnote 35] we identified possible areas where 
enterprise architecture could help to alleviate some challenges. For 
example, we suggested that one agency align its corporate architecture 
and its component organization architectures to avoid investments that 
provide similar but duplicative functionality. 

Systems acquisition, development, and integration: Our work has shown 
that applying rigorous practices to the acquisition or development of 
IT systems or the acquisition of IT services can improve the 
likelihood of success. In addition, we have identified leading 
commercial practices for outsourcing IT services that government 
entities could use to enhance their acquisition of IT systems and 
services.[Footnote 36] We have evaluated several agencies' software 
development or acquisition processes and reported that agencies are 
not consistently using rigorous or disciplined system management 
practices.[Footnote 37] For example, after reviewing the Department of 
Homeland Security's Atlas investment,[Footnote 38] we recommended that 
the agency implement effective management controls and capabilities 
by, among other things, revising and updating its cost-benefit 
analysis; making the program office operational; developing and 
implementing rigorous performance program management practices; and 
ensuring plans fully disclose the system capabilities, schedule, cost, 
and benefits to be delivered. In addition, ensuring that effective 
system acquisition management controls are implemented on each agency 
business system investment remains a formidable challenge, as our 
recent reports on management weaknesses associated with individual 
programs have demonstrated. For example, we recently reported that the 
Department of Defense's large-scale software-intensive system 
acquisitions continued to fall short of cost, schedule, and 
performance expectations.[Footnote 39] Specifically, our report noted 
that six of the department's nine enterprise resource planning systems 
had experienced schedule delays ranging from 2 to 12 years, and five 
had incurred cost increases ranging from $530 million to $2.4 billion. 

E-government initiatives: In December 2004, we reported the results of 
our review of the implementation status of major provisions from the E-
Government Act of 2002,[Footnote 40] which required a wide range of 
activities across the federal government aimed at promoting electronic 
government, such as providing the public with access to government 
information and services. We found that, although the government had 
made progress in implementing the act, the act's requirements were not 
always fully addressed. Specifically, OMB had not (1) ensured that a 
study on using IT to enhance crisis preparedness and response had been 
conducted that addressed the content specified by the act, (2) 
established a required program to encourage contractor innovation and 
excellence in facilitating the development and enhancement of 
electronic government services and processes, or (3) ensured the 
development and maintenance of a required repository and website of 
information about research and development funded by the federal 
government. We made recommendations to OMB aimed at ensuring more 
consistent implementation of the act's requirements. 

Information Management: 

We have also reported on various challenges agencies faced in meeting 
information management requirements, including in the areas of 
privacy, information collection, records management, information 
disclosure, and information dissemination. 

In 2002 and 2003, we reported on agencies' handling of the personal 
information they collect and whether this handling conforms to the 
Privacy Act and other laws and guidance. In the 2002 report, we made 
recommendations to selected agencies aimed at strengthening their 
compliance with privacy requirements.[Footnote 41] In the 2003 report, 
we made recommendations to OMB, which included directing agencies to 
correct compliance deficiencies, monitoring agency compliance, and 
reassessing OMB guidance.[Footnote 42] 

In 2005, we reviewed agency compliance with information collection 
clearance requirements under the Paperwork Reduction Act.[Footnote 43] 
In an analysis of 12 case studies, we found that while CIOs generally 
reviewed information collections and certified that they met the 
standards in the act, in a significant number of instances, agencies 
did not provide support for the certifications, as the law requires. 
We recommended that OMB and the agencies take steps to improve review 
processes and compliance with the act. 

In 2008, we reviewed the management of e-mail records at four agencies 
and found agency practices did not always conform to requirements. We 
recommended that the National Archives and Records Administration 
develop and implement an oversight approach that provides adequate 
assurance that agencies are following its guidance, including both 
regular assessments of agency records and records management programs 
and reporting on these assessments.[Footnote 44] 

Also in 2008, we reported on trends in Freedom of Information Act 
processing and agencies' progress in addressing backlogs of overdue 
FOIA requests.[Footnote 45] We found weaknesses in agency reporting on 
FOIA processing and recommended, among other things, that guidance be 
improved for agencies to track and report on overdue requests and 
plans to meet future backlog goals. 

In July 2010, we identified and described current uses of web 2.0 
technologies by federal agencies to disseminate information.[Footnote 
46] Specifically, we found that the federal government may face 
challenges in determining how to appropriately limit collection and 
use of personal information as agencies utilize these technologies and 
how and when to extend privacy protections to information collected 
and used by third-party providers of web 2.0 services. In July 2011, 
we identified ways agencies are using social media to interact with 
the public and assessed the extent to which they had policies in place 
for managing and identifying records, protecting personal information, 
and ensuring the security of federal information and systems. We made 
recommendations to 21 agencies to improve their development and 
implementation of social media policies.[Footnote 47] 

OMB Has Several Initiatives Under Way to Improve the Oversight and 
Management of IT, Including Changing the Role of Federal Agency CIOs: 

On March 5, 2009, President Obama designated the Administrator of 
OMB's Office of Electronic Government and Information Technology as 
the first Federal Chief Information Officer. The Federal CIO was given 
responsibility for directing the policy and strategic planning of 
federal information technology investments as well as for overseeing 
federal technology spending. 

Toward this end, in December 2010, the Federal CIO issued a 25 Point 
Implementation Plan to Reform Federal Information Technology 
Management. This 18-month plan specified five major goals: 
strengthening program management, streamlining governance and 
improving accountability, increasing engagement with industry, 
aligning the acquisition process with the technology cycle, and 
applying "light technology" and shared solutions.[Footnote 48] As part 
of this plan, OMB has initiatives under way to, among other things, 
strengthen agencies' investment review boards and to consolidate 
federal data centers. The plan stated that OMB will work with Congress 
to consolidate commodity IT spending (e.g., e-mail, data centers, 
content management systems, web infrastructure) under agency CIOs. 
Further, the plan called for the role of federal agency CIOs to focus 
more on IT portfolio management. 

In March 2011, we testified on the efforts of OMB and the Federal CIO 
to improve the oversight and management of IT investments in light of 
the problems that agencies have continued to experience with 
establishing IT governance processes to manage such investments. 
[Footnote 49] These initiatives included increasing the accountability 
of agency CIOs through the use of the IT Dashboard, a public website 
established in June 2009 that provides detailed information, including 
performance ratings, for over 800 major IT investments at federal 
agencies. Each investment's performance data are updated monthly, 
which is a major improvement from the quarterly reporting cycle used 
by OMB's prior oversight mechanisms. However, in a series of reviews, 
we have found that the data on the Dashboard were not always accurate. 
Specifically, we found that the Dashboard ratings were not always 
consistent with agency performance data.[Footnote 50] 

OMB has also initiated efforts to improve the management of IT 
investments needing attention. In particular, in January 2010, the 
Federal CIO began leading TechStat sessions--a review of selected IT 
investments between OMB and agency leadership to increase 
accountability and transparency and improve performance. We noted that 
the full implementation of OMB's 18-month roadmap should result in 
more effective IT management and delivery of mission-critical systems, 
as well as further reduction in wasteful spending on poorly managed 
investments.[Footnote 51] 

Current Agency CIOs Do Not Have Responsibility for All Assigned Areas: 

Similar to 2004, we found that the CIOs are not consistently 
responsible for all of the 13 areas assigned by statute or identified 
as critical to effective IT management; however, they are more focused 
on IT management than on the management of agency information. The 
majority of CIOs (between 23 and 27)[Footnote 52] reported they are 
responsible for the seven areas of IT management. In this regard, the 
CIOs reported being responsible for activities in managing IT that 
include the following: 

* managing capital planning and investment management processes to 
ensure that they were successfully implemented and integrated with the 
agency's budget, acquisition, and planning processes; 

* developing, maintaining, and facilitating the implementation of 
sound and integrated enterprise architectures; 

* designating a senior department official who will have 
responsibility for departmentwide information security; 

* developing IT strategic plans to emphasize the role that IT can play 
in effectively supporting the department's operations and goals; 

* developing, maintaining, and improving systems acquisition processes; 

* managing e-government requirements and ensuring compliance with 
legislation; and: 

* developing strategies for development of a skilled IT workforce 
combined with strong succession planning. 

Fewer CIOs (between 6 and 22) reported being responsible for the six 
areas predominantly related to information management (information 
collection/paperwork reduction, records management, privacy, 
information dissemination, information disclosure, and statistical 
policy and coordination). Even those CIOs who indicated they had been 
assigned responsibility for these six information management areas 
reported they assigned a higher priority to their IT management 
responsibilities. 

CIOs who reported they were not responsible for their agencies' 
information management functions said they provided input or other 
assistance to the organizational units within their agencies that were 
primarily responsible for these areas. The units with which they 
shared responsibilities varied, as did the roles the CIO played. For 
example, in the area of records management, one CIO reported working 
closely with the agency's data manager and making recommendations 
regarding records management. In the privacy area,[Footnote 53] one 
CIO reported coordinating with the agency's Chief Information Security 
Officer, general counsel, and human resources offices to address any 
privacy issues. To ensure accuracy of information disseminated, one 
CIO reported collaborating with the agency's Office of Public Affairs. 

The areas in which the least number of CIOs reported they were 
responsible were statistical policy and coordination and information 
disclosure. In this regard, 21 CIOs stated that statistical policy and 
coordination was handled by other offices within their agencies, such 
as a policy or research office. This included components functioning 
as Principal Statistical Agencies.[Footnote 54] Eighteen CIOs reported 
that responsibility for information disclosure rested with another 
office, such as an agency's FOIA office. 

In comparison to 2004, the number of CIOs assigned responsibility for 
each of the areas remained the same for all but five areas (systems 
acquisition, development, and integration; IT workforce planning; 
records management; information dissemination; and statistical policy 
and coordination). In each of these areas, the number of CIOs assigned 
responsibility decreased from 2004 to 2011. Figure 1 shows the number 
of CIOs with responsibility for the 13 areas in 2011 and 2004. 

Figure 1: Comparison of Number of CIOs Assigned Responsibility for IT 
Management and Information Management Areas between 2004 and 2011: 

[Refer to PDF for image: horizontal bar graph] 

Number of CIOs responsible: 

Responsibility: Capital planning and investment management; 
2011 CIO responsibility: 27; 
2004 CIO responsibility: 27. 

Responsibility: Enterprise architecture; 
2011 CIO responsibility: 27; 
2004 CIO responsibility: 27. 

Responsibility: Information security; 
2011 CIO responsibility: 27; 
2004 CIO responsibility: 27. 

Responsibility: IT strategic planning; 
2011 CIO responsibility: 27; 
2004 CIO responsibility: 27. 

Responsibility: E-Gov initiatives; 
2011 CIO responsibility: 25; 
2004 CIO responsibility: 25. 

Responsibility: Systems acquisitions, development and integration; 
2011 CIO responsibility: 24; 
2004 CIO responsibility: 25. 

Responsibility: IT workforce planning; 
2011 CIO responsibility: 23; 
2004 CIO responsibility: 27. 

Responsibility: Information collection/paperwork reduction; 
2011 CIO responsibility: 22; 
2004 CIO responsibility: 22. 

Responsibility: Records management; 
2011 CIO responsibility: 18; 
2004 CIO responsibility: 21. 

Responsibility: Privacy; 
2011 CIO responsibility: 17; 
2004 CIO responsibility: 17. 

Responsibility: Information dissemination; 
2011 CIO responsibility: 15; 
2004 CIO responsibility: 20. 

Responsibility: Information disclosure; 
2011 CIO responsibility: 9; 
2004 CIO responsibility: 9. 

Responsibility: Statistical policy and coordination; 
2011 CIO responsibility: 6; 
2004 CIO responsibility: 8. 

Source: GAO analysis of agency-provided data. 

Note: Excludes three small, independent agencies that were not 
included in our 2004 review. 

[End of figure] 

CIOs Spend the Majority of Their Time Managing Information Technology: 

The amount of time that CIOs spend in various areas of responsibility 
reflects their greater emphasis on IT management compared with the 
management of agency information. Specifically, CIOs reported they 
devote over two-thirds of their time to the seven IT management areas, 
which they generally viewed as more important to accomplishing their 
mission. Moreover, the majority of the CIOs were responsible for each 
of the areas. 

By contrast, the CIOs reported spending less than one-fifth of their 
time in the six information management areas. Specifically, CIOs 
reported spending 6 percent or less of their time on average in each 
of the areas of privacy, e-government initiatives, records management, 
information dissemination, information collection/paperwork reduction, 
information disclosure, and statistical policy and coordination. As 
discussed previously, most CIOs reported they were not responsible for 
all of these areas and indicated they did not always place a high 
priority on them. This is consistent with the views held by the panel 
of former federal CIOs, which generally did not place high priority on 
the information management areas. Table 2 shows the percentage of time 
CIOs reported allocating to the 13 areas. 

Table 2: Time Allocated as Reported by CIOs: 

IT management and information management areas: Information security; 
Average time allocated (% of time per week): 14%. 

IT management and information management areas: Areas of 
responsibility outside the 13 areas; 
Average time allocated (% of time per week): 14%. 

IT management and information management areas: Capital planning and 
investment management; 
Average time allocated (% of time per week): 13%. 

IT management and information management areas: IT strategic planning; 
Average time allocated (% of time per week): 11%. 

IT management and information management areas: Systems acquisition, 
development, and integration; 
Average time allocated (% of time per week): 11%. 

IT management and information management areas: Enterprise 
architecture; 
Average time allocated (% of time per week): 9%. 

IT management and information management areas: IT workforce planning; 
Average time allocated (% of time per week): 7%. 

IT management and information management areas: Privacy; 
Average time allocated (% of time per week): 6%. 

IT management and information management areas: E-government 
initiatives; 
Average time allocated (% of time per week): 5%. 

IT management and information management areas: Records management; 
Average time allocated (% of time per week): 4%. 

IT management and information management areas: Information 
dissemination; 
Average time allocated (% of time per week): 3%. 

IT management and information management areas: Information 
collection/paperwork reduction; 
Average time allocated (% of time per week): 2%. 

IT management and information management areas: Information disclosure; 
Average time allocated (% of time per week): 2%. 

IT management and information management areas: Statistical policy and 
coordination; 
Average time allocated (% of time per week): 1%. 

Source: GAO analysis of CIO responses. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

The CIOs also reported they spend a significant amount of time outside 
the 13 areas of responsibility. Specifically, CIOs indicated they 
spend about 14 percent of their time on other responsibilities outside 
these 13 areas--the same amount of time as they spend on information 
security, the area where CIOs reported spending the most time. These 
additional areas of responsibility included addressing infrastructure 
issues,[Footnote 55] participating in agencywide boards, or 
participating in external organizations, such as the federal CIO 
Council.[Footnote 56] 

In addition, CIOs reported they have begun to focus on emerging areas 
within IT such as cloud computing,[Footnote 57] data center 
consolidation, and commodity services.[Footnote 58] This is consistent 
with the recent emphasis of the Federal CIO on reforming IT, as 
reflected in OMB's IT Reform Plan. As technology continues to evolve, 
CIOs are likely to be challenged in ensuring that agencies use new 
technologies efficiently and effectively. 

Many CIOs Serve in Multiple Positions: 

An element that may potentially influence the likely success of an 
agency CIO is whether the CIO serves in any other agency position. 
According to the Clinger-Cohen Act, the CIO's statutory information 
and IT management functions should be that official's primary duties. 
We[Footnote 59] and members of Congress[Footnote 60] have previously 
expressed concern about agency CIOs having responsibilities beyond 
their primary duties and have questioned whether split duties allow a 
CIO to deal effectively with an agency's IT challenges. 

Despite the importance of focusing on their primary duties, the CIOs 
in our review reported holding a number of official agency job 
functions in addition to being CIO. Specifically, 14 of 30 CIOs 
reported serving in another position within their agency besides that 
of CIO. Of these, 11 reported that serving as CIO was their primary 
job function. Six of the 14 CIOs reported holding two or more 
positions besides CIO, with one holding five positions, including CIO. 
These positions included Chief Acquisition Officer and Chief Human 
Capital Officer. 

Six of the 14 CIOs felt their other agency job positions were having a 
positive and helpful impact on their role as CIO. For example, one 
CIO, who also served as Deputy Chief of Staff, explained that holding 
the two positions showed staff a link between agency policy and 
operational implementation. According to another CIO, also holding the 
position of Chief Human Capital Officer provided insight into problems 
the agency had with a new personnel system. As a result, the CIO 
believed he was able to address these problems more quickly. The 8 
remaining CIOs reported that their additional job functions had 
neither a positive nor negative impact on their role as a CIO, with 
one exception. Specifically, one CIO explained that having multiple 
positions had put a greater strain on the CIO's ability to adequately 
perform all required responsibilities. Holding other positions is 
contrary to the federal law requiring that IT and information 
management be the CIO's primary function and distracts from the 
responsibility to ensure that agencies carry out their IT and 
information management activities in an efficient, effective, and 
economical manner. 

CIOs Generally Report Directly to the Agency Head: 

Federal law calls for agency CIOs to report to the head of their 
agency. With regard to this requirement, we reported in 2004 that only 
19 of 27 CIOs reported to their agency head, and views were mixed 
about whether such a direct reporting relationship was important. In 
our current study, even fewer--17 of 30--CIOs indicated that they 
report to their agency head, although 23 thought it was important to 
do so. 

Despite this, the views of agency CIOs and others suggested that a 
variety of reporting relationships between an agency head and the CIO 
can be effective. CIOs generally agreed that access to the agency head 
was important, but that they did not necessarily require a formal 
reporting relationship. One said that it was important to have a "seat 
at the table" allowing for direct interaction with the agency head in 
order to articulate any problems or issues in IT. 

However, other CIOs stated that it was important for the CIO to report 
to whomever is in charge of running the daily operations of the 
agency. One CIO did not believe it was ideal to report directly to the 
agency head because the agency head has too many other 
responsibilities. This CIO was able to meet with the agency's deputy 
secretary frequently and felt this resulted in more input into 
decision making. Another CIO, who reported to the agency head, 
believed there was not one ideal reporting relationship for the entire 
federal government because of the differences in size and mission 
among the agencies. 

Two CIOs in our review indicated they did not have sufficient access 
to their agency head, even though they thought it was important to 
have such access. Accordingly, the CIOs felt they did not have 
sufficient influence on IT management decisions in their agency. The 
CIOs stated they had worked to gain greater influence over IT by 
establishing relationships with peers in their agencies such as the 
Chief Financial Officer or Chief Operating Officer. 

Overall, regardless of the reporting relationship between agency heads 
and agency CIOs, 28 of the CIOs reported they had adequate access to 
their agency head. Additionally, many of the agency CIOs who did not 
report directly to the agency head indicated having influence on IT 
management decisions within their agency because they had 
relationships with other senior agency officials. These included 
direct reporting relationships with an assistant secretary or the 
Chief Operating Officer. 

Based on their experiences, members of the panel of former CIOs stated 
that it was important to report to the agency head on key issues, but 
also to work with other senior officials for day-to-day activities. In 
this regard, the former CIOs believed it was essential for the CIO to 
forge relationships with other senior officials in an agency, such as 
the Chief Financial Officer and members of the Office of General 
Counsel. Further, in discussing this matter, the Federal CIO stated 
that reporting relationships should be determined on an agency-by- 
agency basis, noting that agencies should determine how best to meet 
this requirement depending on how the agency is structured. Given the 
varying responsibilities of agency heads and other senior officials, 
some degree of flexibility in CIOs' reporting relationships may be 
appropriate as long as CIO effectiveness is not impeded. 

CIOs' Education and Work Experiences Remain Diverse, although More 
Have Previously Served as a CIO or Deputy CIO: 

Although the qualifications of a CIO can help determine whether he or 
she is likely to be successful, there is no general agreement on the 
optimal background (e.g., education, experience) that a prospective 
agency CIO should have. The conference report accompanying the Clinger-
Cohen Act stated that CIOs should possess knowledge of and practical 
experience in the information and IT management practices of business 
or government.[Footnote 61] We found that when compared to CIOs in 
2004, more current CIOs had served previously as a CIO or deputy CIO. 

As shown in table 3 below, 18 of the CIOs in our review had experience 
as either a CIO or deputy CIO, an increase of 6 compared to the CIOs 
that participated in our 2004 review. Also, 21 current CIOs had 
previously worked for the federal government, 14 had worked in private 
industry, 4 had been in academia, and 4 had worked in state and local 
government. Fifteen CIOs had worked in some combination of two or more 
of these sectors. Further, all of the current CIOs had work experience 
in IT or IT-related fields. 

Table 3: Comparison of Current CIO Backgrounds with Those of CIOs in 
2004: 

Description: Number of CIOs who had served previously as a CIO or 
deputy CIO; 
2004 CIOs: 12; 
2011 CIOs: 18. 

Description: Number of CIOs with federal government experience; 
2004 CIOs: 24; 
2011 CIOs: 21. 

Description: Number of CIOs with private sector experience; 
2004 CIOs: 16; 
2011 CIOs: 14. 

Source: GAO analysis of agency data. 

Note: This comparison does not include CIOs from the three small, 
independent agencies as they were not part of our 2004 review. 

[End of table] 

We asked current and former CIOs what key attributes they had found 
necessary to be an effective CIO. In response, they noted the need for 
IT experience and an understanding of how IT can be used to transform 
agencies and improve mission performance. Of most importance, however, 
were leadership skills and the ability to communicate effectively. The 
Federal CIO noted that he valued CIOs who thought about the future of 
the agency and demonstrated an ability to successfully manage IT 
programs or projects. 

Median CIO Tenure Remains at About 2 Years: 

We noted previously that one element that influences the likely 
success of an agency CIO is the length of time the individual in the 
position has to implement change. For example, our prior work has 
noted that it can take 5 to 7 years to fully implement major change 
initiatives in large public and private sector organizations and to 
transform related cultures in a sustainable manner. Nonetheless, when 
we reported on this matter in 2004, the median tenure for permanent 
CIOs who had completed their time in office was just under 2 years. 
[Footnote 62] 

Tenure at the CIO position has remained almost the same since we last 
reported. Specifically, the median tenure for permanent federal agency 
CIOs was about 25 months for those who served between 2004 and 2011. 
However, the number of CIOs who stayed in office at least 3 years 
declined from 35 percent in 2004 to 25 percent in 2011.[Footnote 63] 
(See table 4 for a comparison of CIO tenures from 1996 to 2004 and 
2004 to 2011; see appendix V for figures depicting the tenure for each 
of the CIOs at the agencies in our review between 2004 and 2011 and a 
table showing various statistical analyses on CIO tenure.) 

Table 4: Comparison of CIO Tenure During 1996-2004 and 2004-2011: 

Description: Median tenure of CIOs (including current CIOs); 
1996-2004: 23 months; 
2004-2011: 25 months. 

Description: Percentage of CIOs who stayed in office for at least 3 
years (excluding current CIOs); 
1996-2004: 35%; 
2004-2011: 25%. 

Description: Difference in median tenure between political and career 
CIOs (excluding current CIOs); 
1996-2004: 13 months; 
2004-2011: 4 months. 

Source: GAO analysis of agency data. 

[End of table] 

We previously reported on factors that affected the tenure of CIOs, 
which included the stressful nature of the position and whether or not 
CIOs were political or career appointees. The panel of former CIOs for 
our current study agreed that high stress levels can lead to CIOs 
leaving the position, as can factors such as retirement and the 
opportunity to serve as a CIO at a larger agency. However, we found 
that during the period covered by our current review, political 
appointees stayed only 4 months less than those in career civil 
service positions, compared to 13 months less in our 2004 review. 

Federal Law Provides Adequate Authority, but Limitations Exist in 
Implementation for IT Management: 

As previously discussed, a major goal of the Clinger-Cohen Act was to 
establish CIOs to advise and assist agency heads in managing IT 
investments. In this regard, the agency CIO was given the authority to 
administer a process to ensure that IT investments are selected, 
controlled, and evaluated in a manner that increases the likelihood 
they produce business value and reduce investment-related risk. As 
part of this process, CIOs are responsible for advising the agency 
head on whether IT programs and projects should be continued, 
modified, or terminated. In order to carry out these responsibilities, 
CIOs should be positioned within their agencies to successfully 
exercise their authority. Specifically, we have previously noted that 
CIOs should have a key role in IT investment decision making and 
budget control.[Footnote 64] In addition, CIOs require visibility into 
and influence over programs, resources, and decisions related to the 
management of IT throughout the agency. 

Our study did not find convincing evidence that specific legislative 
changes are needed to improve CIOs' effectiveness. Rather, we found 
that CIOs' ability to carry out their roles, as prescribed in law, has 
been limited by certain factors that have led to challenges. 
Specifically, CIOs reported they were hindered in exercising their 
authority over agency IT budgets, component IT spending, and staff, 
which our prior work has shown can lead to an inefficient use of funds. 

IT Budget authority: Although assigned by law with the authority to be 
accountable for IT management, we found that CIOs faced limitations in 
their ability to influence IT investment decision making at their 
agencies. For example, only 9 CIOs responded that their approval was 
required for the inclusion of all IT investments in their agency's 
budget. The remaining 21 CIOs indicated that their explicit approval 
either was not required or it was required for major IT investments 
only.[Footnote 65] Ten of those 21 CIOs indicated they would be more 
effective if their explicit approval for IT investment decisions was 
sought by their agency head. CIOs said having this ability would 
reduce the number of unknown or "rogue" systems (i.e., systems not 
vetted by the CIO office), allow the CIO to identify and eliminate 
duplicative systems, and resolve technology and security issues 
earlier in an investment's lifecycle. Further, 13 of the CIOs in our 
study did not have the power to cancel funding for IT investments. 
CIOs that did not have this power told us they would be more effective 
if they were able to cancel funding for investments because they would 
then be in a better position to consolidate investments and cut 
wasteful spending on failing projects. 

In our previous reviews, we have noted limitations in CIOs' ability to 
influence IT investments, which have contributed to long-standing 
challenges in agencies' management of IT. For instance, we previously 
reported that one agency did not provide the department's CIO with the 
level of IT spending control that our research at leading 
organizations and past work at federal departments and agencies have 
shown is important for effective integration of systems across 
organizational components.[Footnote 66] We noted that control over the 
department's IT budget was vested primarily with the CIO organizations 
within each of its component organizations. Consequently, there was an 
increased risk that component agencies' ongoing investments would need 
to be reworked to be effectively integrated and maximize 
departmentwide value. 

Component-level IT spending: A significant portion of an agency's IT 
funding can be allocated and spent at the component level on commodity 
IT systems--systems used to carry out routine tasks (e.g., e-mail, 
data centers, web infrastructure)--in addition to mission-specific 
systems. Multiple CIOs faced limitations in their ability to influence 
agency decisions on integrating commodity IT systems throughout their 
agencies because they did not have control over funding for these 
systems at the component level. According to CIOs, more control over 
component-level IT funding, including commodity IT and mission-
specific systems, could help ensure greater visibility into and 
influence on the effective acquisition and use of IT. Further, the 
Federal CIO has called for agencies to place all commodity IT 
purchases under the purview of the agency CIO, while component mission-
specific systems should remain with the component CIO. OMB included 
centralization of commodity funding under agency CIOs as part of its 
current IT reform initiatives. 

Consistent with this, we have reported on the importance of agency 
CIOs having adequate oversight to ensure that funds being spent on 
component agency investments will fulfill mission needs.[Footnote 67] 
Specifically, at one agency, we found a structured mechanism was not 
in place for ensuring that component agencies defined and implemented 
investment management processes that were aligned with those of the 
department. Because such processes, including reviews of component 
agency IT investments, were not in place, the agency CIO did not have 
visibility into a majority of the agency's discretionary investments 
and could not ensure the agency's IT investments were maximizing 
returns. 

IT workforce: CIOs also face limitations in their ability to provide 
input into hiring component-level senior IT managers and other IT 
staff. Many CIOs in our study faced limitations in performing certain 
workforce planning activities, such as having direct hiring capability 
for IT staff, providing input into the hiring of component CIOs, and 
influencing component agency CIOs' performance ratings. For example, 
some CIOs indicated they did not have any input into the hiring of 
their own staff. In addition, CIOs did not always participate in 
selections for candidate component CIOs. Further, for a majority of 
the agencies with component CIOs, the agency CIO did not participate 
in the component CIOs' performance reviews. Without sufficient 
influence over the hiring of IT staff or component CIOs' performance, 
agency CIOs are limited in their ability to ensure appropriate IT 
staff are being hired to meet mission needs or component 
accountability for overall agency priorities and objectives. 

We have also previously reported on CIOs' challenges related to IT 
workforce planning, noting there has been a lack of attention in this 
area, which has created weaknesses in the federal government's ability 
to perform its missions economically, efficiently, and effectively. 
[Footnote 68] In addition, in our previous review of CIOs' roles and 
responsibilities, we found that about 70 percent of CIOs reported IT 
workforce planning challenges within their agency. Without addressing 
CIOs' lack of influence over IT workforce planning, the government 
will continue to face challenges in this area, risking further 
inefficiencies. 

Most CIOs included in our study and the panel of former CIOs agreed 
that legislative changes were not needed to improve effectiveness in 
IT management. However, several CIOs told us their agencies have 
completed or initiated efforts to increase the influence of the CIO. 
For example, one agency gave its CIO complete control over the entire 
IT budget and all IT staff. This CIO told us that this has allowed for 
rapid, effective changes to be made when necessary on IT issues. 
Another agency began an agencywide consolidation effort so that the 
CIO's responsibility will be delegated to one person to centrally 
manage IT assets instead of multiple agency CIOs. This agency recently 
implemented a policy that has given one individual the title of CIO 
and stated that the CIO will assume oversight, management, ownership, 
and control of all departmental IT infrastructure assets. Another 
agency was centralizing decision-making authority in the office of the 
CIO for addressing troubled IT investments. In addition, one agency 
conducted a reorganization that placed component CIOs under the agency 
CIO. According to the CIO of that agency, the change has been a great 
asset to the organization, because it allowed the CIO office to work 
as a unit, created camaraderie among component CIOs, and reduced 
duplication of IT investments. In April 2011, the Federal CIO told us 
that agency CIOs should provide input to the component agency CIOs' 
performance review. 

In addition to these agency-specific efforts, OMB has issued guidance 
to reaffirm and clarify the organizational, functional, and 
operational governance framework required within the executive branch 
for managing and optimizing the effective use of IT.[Footnote 69] More 
recently, OMB has taken additional steps to increase the effectiveness 
of agency CIOs by clarifying their roles and authorities under the 
current law. For example, its 25 Point Implementation Plan to Reform 
Federal Information Technology Management called for agency CIOs to 
shift their focus from policy making and maintaining IT infrastructure 
to IT portfolio management. According to the plan, agency CIOs will be 
responsible for identifying unmet agency needs to be addressed by new 
projects, holding TechStat reviews, and improving or terminating 
poorly performing projects. 

After we sent a draft of this report to agencies for comment, OMB 
issued a memorandum[Footnote 70] outlining the primary areas of 
responsibility for federal agency CIOs. The guidance outlines four 
areas in which the CIO should have a lead role: IT governance, program 
management, commodity services, and information security. It 
emphasizes the role of the CIO in driving the investment review 
process and the CIO's responsibility over the entire IT portfolio for 
an agency. In a web log post about the memorandum, the Federal CIO 
stated that, next year, the administration will ask agencies to report 
through the President's Management Council[Footnote 71] and the CIO 
Council on implementation of the memo.[Footnote 72] In our view, the 
guidance is a positive step in reaffirming the importance of the role 
of CIOs in improving agency IT management. 

Nonetheless, this guidance does not address the implementation 
weaknesses we have identified in this and our prior reviews-- 
specifically that CIOs face significant limitations in their ability 
to influence IT investment decision making at their agencies and to 
exercise their statutory authority. The guidance generally instructs 
agency heads regarding the policies and priorities for CIOs in 
managing IT that we and others have stressed. However, the guidance 
does not state a specific requirement for agency heads to empower CIOs 
to carry out these responsibilities. Additionally, it does not require 
them to measure and report the progress of CIOs in carrying out these 
responsibilities and achieving the overall objectives of the IT Reform 
Plan. Such a requirement is essential to agencies empowering their 
CIOs to fully and effectively exercise their authority, and 
ultimately, ensuring that the CIOs are best positioned to be effective 
leaders in IT management. Without additional clarification and 
specific measures of accountability in OMB's guidance, agency CIOs are 
likely to continue to be hindered in carrying out their 
responsibilities and achieving successful outcomes in IT management, 
thus increasing the risk that IT spending will continue to produce 
mixed results, as we have long reported. 

A Structured Process Could Improve Sharing of Lessons Learned within 
Agencies: 

OMB guidance[Footnote 73] requires and best practices suggest that 
agencies document lessons learned, and we have previously reported on 
the importance of their collection and dissemination.[Footnote 74] The 
use of lessons learned is a principal component of an organizational 
culture committed to continuous improvement. Sharing such information 
serves to communicate acquired knowledge more effectively and to 
ensure that beneficial information is factored into planning, work 
processes, and activities. Lessons learned can be based on positive 
experiences or on negative experiences that result in undesirable 
outcomes. Documenting lessons learned can provide a powerful method of 
sharing successful ideas for improving work processes and increasing 
cost-effectiveness by aligning them to be utilized in the future. 

To facilitate the sharing of best practices and lessons learned 
relating to IT management across the federal government, the CIO 
Council established the Management Best Practices Committee. The 
committee works to identify successful information technology best 
practices being implemented in industry, government, and academia and 
shares them with agency CIOs. As part of its mission, in April 2011, 
the committee launched a best practices information-sharing platform 
in the form of a website to which agencies can contribute case studies 
of best practices. 

Federal agencies have begun to contribute by submitting examples 
depicting best practices relating to a range of topics including 
vendor communication and contract management; the consolidation of 
multiple systems into an enterprise solution through the use of cloud 
services; and program manager development. As of July 2011, the CIO 
Council website featured 10 case studies submitted by 10 agencies 
describing best practices. For example, one agency faced challenges 
with distributing technical support to 27 organizational units. After 
the agency head directed the consolidation of IT support services 
under the CIO, the agency gained a better understanding of spending on 
services and equipment needed to provide IT support. In another 
example, an agency had been operating under separate e-mail systems, 
which prevented it from maximizing operational efficiency and 
productivity. Specifically, the agency faced high costs for 
maintaining individual systems; difficulty sending broadcast e-mails 
across the entire department, thus preventing the e-mails from being 
received in a timely fashion; difficulty obtaining accurate and 
complete contact information for all employees in one global address 
list; and difficulty operating calendar appointments. In order to 
address these challenges, the agency utilized a cloud-based service 
solution, which the agency explained would result in lower costs per 
user, an improved security posture, and a unified communication 
strategy. 

In addition, agency CIOs told us their agency had implemented changes 
based upon lessons learned that have improved the effectiveness of the 
CIO. For example, while several CIOs implemented investment review 
boards or similar governance mechanisms, three CIOs explained that at 
their agency, senior-level officials, including deputy secretaries, 
and in one instance, an undersecretary, chaired these boards, which 
provided higher visibility over the selection, control, and evaluation 
of IT investments. Additionally, one CIO explained that implementing 
an enterprisewide licensing solution to optimize the agency's buying 
power resulted in a savings of $200 million. One told us about 
improved effectiveness in information security through the use of a 
centralized information security center. Specifically, this CIO stated 
that all agency information went through this center, which provides 
real-time monitoring throughout agency systems. This CIO explained 
that the security center has helped to reduce the impact of intrusions 
to the agency's systems. 

Nonetheless, although the CIO Council has established the management 
best practices committee and corresponding information-sharing 
platform to identify lessons learned, 19 CIOs said their agency did 
not have a process in place for capturing and documenting lessons 
learned and best practices. Two CIOs indicated that their agency did 
not have such a process due to a shortage of resources or because they 
did not see the development of such a process as being their 
responsibility. Without structured processes for capturing and 
documenting these lessons learned, agencies risk both losing the 
ability to share knowledge acquired with CIOs' experience and 
increasing the time required for newly hired CIOs to become effective. 
Additionally, the lack of internal documented processes for capturing 
lessons learned within agencies has the potential to inhibit the 
Management Best Practices Committee's ability to effectively identify, 
document, and disseminate individual agencies' lessons learned and 
best practices throughout the federal government. By effectively 
identifying, documenting, and disseminating lessons learned internally 
and externally, agencies can mitigate risk and track successful ideas 
for improving work processes and cost-effectiveness that can be 
utilized in the future. 

Conclusions: 

As in 2004, federal agency CIOs currently are not consistently 
responsible for all of the 13 areas assigned by statute or identified 
as critical to effective IT management. While the majority of CIOs are 
primarily responsible for key IT management areas, they are less 
likely to have primary responsibility for information management 
duties. In this regard, CIOs spend two-thirds or more of their time in 
the IT management areas and attach greater importance to these areas 
compared with the information management areas. 

Notwithstanding the focus on IT management, CIOs have not always been 
empowered to be successful. Despite the broad authority given to CIOs 
in federal law, these officials face limitations that hinder their 
ability to effectively exercise this authority, which has contributed 
to many of the long-standing IT management challenges we have found in 
our work. These limitations, which include control and influence over 
IT budgets, commodity IT investments, and staffing decisions, are 
consistent with issues we have previously identified that prevented 
CIOs from advising and influencing their agencies in managing IT for 
successful outcomes. While OMB's guidance reaffirms CIO authorities 
and responsibilities to influence IT outcomes, it does not establish 
measures of accountability. Having actionable measures would help 
ensure that CIOs are empowered to successfully carry out their 
responsibilities under the law and enable them to successfully carry 
out their responsibilities under the IT Reform Plan. 

Finally, while agency CIOs told us they had implemented practices they 
believed have improved the management of IT, they had not established 
processes to document agency-specific lessons learned that could be 
shared within the agency. Not doing so increases the likelihood of new 
CIOs making the same mistakes as those they are replacing, while 
establishing such a mechanism could better enable succession planning 
and knowledge transfer between CIOs. 

Recommendations for Executive Action: 

To ensure that CIOs are better able to carry out their statutory role 
as key leaders in managing IT, we recommend the Director of OMB take 
the following three actions: 

* Issue guidance to agencies requiring that CIOs' authorities and 
responsibilities, as defined by law and by OMB, are fully implemented, 
taking into account the issues raised in this report. 

* Establish deadlines and metrics that require agencies to demonstrate 
the extent to which their CIOs are exercising the authorities and 
responsibilities provided by law and OMB's guidance. 

* Require agencies to identify and document internal lessons learned 
and best practices for managing information technology. 

Agency Comments and Our Evaluation: 

We received comments on a draft of this report from OMB and from 5 of 
the 30 agencies included in our study. In oral comments, OMB's Deputy 
Administrator for e-Gov and its Policy Analyst for e-Gov, within the 
Office of Electronic Government and Information Technology, generally 
agreed with our findings and stated that the agency had taken actions 
that addressed our recommendations. Specifically, with regard to our 
first recommendation, the officials said they believed OMB's August 8, 
2011, memorandum discussing CIOs' authorities aligned with, and 
reflected the beginning of a process that would help address, the 
concerns noted in our report. Thus, they believed our recommendation 
had been addressed with OMB's issuance of the memorandum. With regard 
to our second recommendation that called for OMB to establish an 
appropriate reporting mechanism to ensure compliance with the 
guidance, the officials pointed to a recent web log post about the 
August memorandum. In the post, the Federal CIO stated that, in 2012, 
the administration will ask agencies to report through the President's 
Management Council and the CIO Council on implementation of the 
memorandum. 

We believe the guidance reflected in OMB's August 2011 memorandum is a 
positive step in reaffirming the importance of the role of CIOs in 
improving agency IT management and toward addressing the concerns that 
are the basis for our first recommendation. It highlights the 
responsibilities of CIOs in the four areas of IT governance, program 
management, commodity services, and information security. These 
responsibilities are consistent with requirements in law and best 
practices. Further, OMB's planned use of the councils for agency 
reporting on implementation of the memorandum could be a useful 
mechanism for helping to ensure CIOs' accountability for effectively 
managing IT. 

However, neither the guidance nor the planned use of the councils, as 
referenced, identify requirements that would hold agencies accountable 
for ensuring effective CIO leadership in the four IT management areas. 
Specifically, as pointed out earlier in this report, the guidance does 
not articulate a requirement for agencies to measure and report the 
progress of CIOs in carrying out their responsibilities and 
authorities. Such a requirement is essential to ensuring that agency 
CIOs are best positioned to be effective leaders in IT management. As 
such, we stand by our second recommendation but have revised it to 
more explicitly highlight the need for OMB to establish deadlines and 
metrics that require agencies to demonstrate the extent to which CIOs 
are exercising their authorities and responsibilities. 

With regard to our third recommendation, that OMB require agencies to 
establish processes for documenting internal lessons learned and best 
practices, the officials believed this recommendation was addressed by 
existing guidance[Footnote 75] requiring agencies to document lessons 
learned for post-implementation reviews of IT projects. However, as 
discussed earlier, most of the agencies in our study reported that 
they had not established processes for documenting internal lessons 
learned. Further, the guidance to which OMB's officials referred is 
limited to lessons learned for post-implementation reviews of specific 
IT projects and does not include the broader spectrum of IT management 
areas, such as program management and information security. As such, 
we continue to believe that agencies could benefit from having 
established internal processes for documenting lessons learned across 
the broader spectrum of IT management areas and, therefore, believe 
our recommendation is warranted. 

Although we made no specific recommendations to the 30 agencies 
included in our review, we sent each agency a draft of the report for 
comment. Twenty-five of the agencies told us they had no comments on 
the draft report, while five agencies provided e-mail or written 
comments on the report, as follows. 

* In written comments from the Department of Defense CIO, the 
department concurred with our recommendations to OMB. However, the CIO 
also stated that, while our report did not identify legislative 
changes needed to enhance current CIOs' authority and generally felt 
that existing law provides sufficient authority, the department 
believes there are legislative opportunities to clarify and strengthen 
CIO authorities that should be pursued, such as overlap in 
responsibilities between the CIO and other officials. The department 
stated that it was taking actions to address this issue internally. As 
discussed earlier in this report, the effectiveness of agency CIOs 
depends in large measure on their having clear roles and authorities. 
As noted, however, we found no evidence indicating that legislative 
changes are needed to achieve this. Rather, our study results 
determined that these officials face limitations that hinder their 
ability to effectively exercise their current authorities. 
Accordingly, agencies have an important opportunity to address these 
limitations by empowering the CIOs to fully and effectively exercise 
their authority and ensuring that the CIOs are best positioned to be 
effective leaders in managing IT. Our recommendations to OMB are aimed 
at ensuring that CIOs effectively exercise the authority and 
responsibilities that they have been given. DOD's comments are 
reprinted in appendix VI. 

* The Department of Homeland Security's Director of Departmental GAO/ 
Office of Inspector General (OIG) Liaison Office provided written 
comments in which the department indicated agreement with our findings 
and recommendations. In the comments, the department said it is 
committed to working with OMB to address the challenges agency CIOs 
face and increase the effectiveness of its efforts. These comments are 
reproduced in appendix VII. 

* In written comments from the CIO, the Office of Personnel Management 
agreed with our recommendations. The agency included examples of 
actions the agency has taken to elevate the CIO position and bring it 
into greater alignment with the Clinger-Cohen Act. The Office of 
Personnel Management's written comments are reproduced in appendix 
VIII. 

* In an e-mail response from the Office of the Chief Information 
Officer, the United States Agency for International Development said 
the recommendations were sound and would assist agencies in ensuring 
that CIOs are better able to carry out their statutory role as key 
leaders in managing IT. 

* In an e-mail response from the Deputy CIO, the Department of 
Commerce stated that it had no major issues with the recommendations 
and conclusions and described the report as an informative assessment 
of the practices and challenges faced by federal agency CIOs. 

Beyond the aforementioned comments, two agencies--the Social Security 
Administration and the Department of Health and Human Services-- 
provided technical comments on the report, which we incorporated as 
appropriate. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to other interested congressional committees, the Director of the 
Office of Management and Budget, and the Secretaries of Agriculture, 
the Air Force, the Army, Commerce, Defense, Education, Energy, Health 
and Human Services, Homeland Security, Housing and Urban Development, 
the Interior, Labor, the Navy, State, Transportation, the Treasury, 
and Veterans Affairs; the Attorney General; the administrators of the 
Environmental Protection Agency, General Services Administration, 
National Aeronautics and Space Administration, Small Business 
Administration, and U.S. Agency for International Development; the 
commissioners of the Nuclear Regulatory Commission and the Social 
Security Administration; the directors of the National Science 
Foundation and Office of Personnel Management; the Chief Executive 
Officer of the Corporation for National and Community Service; and the 
chairmen of the Federal Labor Relations Authority and Commodity 
Futures Trading Commission. In addition, this report will be available 
at no charge on the GAO website at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
contact me at (202) 512-6304 or by e-mail at melvinv@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
are on the last page of this report. Key contributors to this report 
are listed in appendix IX. 

Signed by: 

Valerie C. Melvin: 
Director, Information Management and Human Capital Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to (1) determine the current roles and 
responsibilities of federal agency Chief Information Officers (CIO) in 
managing information and technology; (2) determine what potential 
modifications to the Clinger-Cohen Act and related laws could be made 
to enhance CIOs' authority and effectiveness; and (3) identify key 
lessons learned by federal agency CIOs in managing information and 
technology. 

To address the objectives of this review, we collected and reviewed 
previous GAO reports, including our 2004 report on CIOs' roles and 
responsibilities,[Footnote 76] as well as various other reports that 
discussed the status of agency CIOs' roles and responsibilities. This 
included reports from Gartner[Footnote 77] and Deloitte[Footnote 78] 
on the role of federal CIOs and OMB's 25 Point Implementation Plan to 
Reform Federal Information Technology Management.[Footnote 79] We also 
interviewed the Partnership for Public Service's Director of the 
Strategic Advisors to Government Executives Program for mentoring 
federal executives, including agency CIOs. 

We then developed and administered a questionnaire to the CIOs of 27 
major departments and agencies in our 2004 review and of three small, 
independent agencies. We selected the three independent agencies based 
on whether they had a CIO in place when our review began and the size 
of the agency's 2011 budget estimates.[Footnote 80] Using the 
questionnaire, we requested information on whether each CIO was 
responsible for each of 13 information technology (IT) and information 
management areas that we identified as either required by statute or 
critical to effective IT management in our 2004 report.[Footnote 81] 
In addition, we asked about CIOs' reporting relationships, 
professional and educational backgrounds, tenure, and lessons learned 
in managing information and technology. 

In addition, we collected and reviewed written position descriptions 
for each agency's CIO, deputy CIO, and other key officials responsible 
for the 13 IT and information management areas; the resumes or 
curricula vitae of the current CIOs; each agency's current 
organization chart(s) depicting the CIO's position relative to the 
head of the agency, other senior officials, and component CIOs, if 
applicable; and functional statements for offices that have 
responsibilities in IT and information management. We also asked each 
agency to supply the name, beginning and ending dates in office, and 
circumstances (e.g., whether they were in an acting or permanent 
position) of each of the individuals who had served as CIO at the 
agency since 2003. Further, we also collected and reviewed any 
supporting documentation of recent departmental changes. 

We then interviewed each of the CIOs who were in place at the time of 
our review (see appendix II for a list of the CIOs) in order to 
validate responses from the questionnaire and to obtain an 
understanding of their views on the 13 IT and information management 
areas including roles and responsibilities, changes needed to enhance 
authority and effectiveness, and lessons learned for managing 
information and technology. 

From the questionnaire and interview responses, we analyzed CIOs' 
responses to determine their current roles and responsibilities and 
reporting relationships with agency heads. We then compared the 
responses to those identified in our 2004 report.[Footnote 82] 
Additionally, we assessed the CIOs' reported time spent in the 13 IT 
and information management areas of responsibility and the importance 
of each area to them, as well as their views on changes needed to 
improve their authority and effectiveness. We also reviewed CIOs' 
qualifications and current and former CIOs' tenure. Further, we 
analyzed CIO responses to questions concerning changes needed to 
improve their authority and effectiveness and compared them to the 
authority described in federal IT laws. We supplemented our analysis 
by reviewing our prior reports related to agency CIO authority and IT 
management challenges.[Footnote 83] We also analyzed CIOs' comments 
related to lessons learned that they have used to improve IT 
management at their agency. Further, we analyzed OMB IT management 
reform efforts, including its August 2011 memorandum on CIO 
authorities, and status updates related to agency CIOs and lessons 
learned initiatives. 

To complement information we obtained from current CIOs, we held a 
panel discussion with nine former CIOs of federal agencies. The 
purpose of this discussion was to elicit views regarding the statutory 
responsibilities given to federal CIOs, lessons learned by CIOs in 
managing information and technology, and areas in which current 
legislation could be revised to enhance CIOs' authority and 
effectiveness. Appendix III lists these panelists. Finally, we met 
with the Federal CIO to obtain his views on priorities and 
responsibilities for CIOs and to discuss potential modifications to 
the Clinger-Cohen Act and related laws that could enhance CIOs' 
authority and effectiveness. 

We conducted our work at the 30 agencies from June 2010 to September 
2011 in the greater Washington, D.C., area, in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Chief Information Officers Interviewed: 

Agency/department: Commodity Futures Trading Commission (CFTC); 
CIO: John Rogers. 

Agency/department: Corporation For National and Community Service 
(CNCS); 
CIO: Phillip Clark. 

Agency/department: Department of Agriculture; 
CIO: Christopher Smith. 

Agency/department: Department of Commerce; 
CIO: Simon Szykman. 

Agency/department: Department of Defense; 
CIO: Teresa M. Takai. 

Agency/department: Department of the Air Force; 
CIO: Lieutenant General William T. Lord. 

Agency/department: Department of the Army; 
CIO: Michael E. Krieger[A]. 

Agency/department: Department of the Navy; 
CIO: Terry Halverson. 

Agency/department: Department of Education; 
CIO: Danny Harris. 

Agency/department: Department of Energy; 
CIO: Michael W. Locatis III. 

Agency/department: Department of Health and Human Services (HHS); 
CIO: Michael W. Carleton. 

Agency/department: Department of Homeland Security (DHS); 
CIO: Richard Spires. 

Agency/department: Department of Housing and Urban Development (HUD); 
CIO: Jerry E. Williams. 

Agency/department: Department of the Interior; 
CIO: Bernard Mazer. 

Agency/department: Department of Justice; 
CIO: Vance Hitch. 

Agency/department: Department of Labor; 
CIO: T. Michael Kerr. 

Agency/department: Department of State; 
CIO: Susan Swart. 

Agency/department: Department of Transportation (DOT); 
CIO: Nitin Pradhan. 

Agency/department: Department of the Treasury; 
CIO: Diane Litman[A]. 

Agency/department: Department of Veterans Affairs (VA); 
CIO: Roger W. Baker. 

Agency/department: Environmental Protection Agency (EPA); 
CIO: Malcolm D. Jackson. 

Agency/department: Federal Labor Relations Authority (FLRA); 
CIO: Chris Webber. 

Agency/department: General Services Administration (GSA); 
CIO: Casey Coleman. 

Agency/department: National Aeronautics and Space Administration 
(NASA); 
CIO: Linda Y. Cureton. 

Agency/department: National Science Foundation (NSF); 
CIO: Andrea T. Norris. 

Agency/department: Nuclear Regulatory Commission (NRC); 
CIO: Darren B. Ash. 

Agency/department: Office of Personnel Management (OPM); 
CIO: Matthew Perry. 

Agency/department: Small Business Administration (SBA); 
CIO: Paul Christy. 

Agency/department: Social Security Administration (SSA); 
CIO: Franklin Baitman. 

Agency/department: U.S. Agency for International Development (USAID); 
CIO: Jerry Horton. 

Source: GAO: 

[A] These CIOs were in their position during the time of our review, 
but left their position prior to the end of our review. 

[End of table] 

[End of section] 

Appendix III: Former Agency CIO Panel Participants: 

In March 2011, we convened a panel of former federal agency chief 
information officers, during which we discussed CIOs' roles and 
responsibilities, reporting relationships, and any potential changes 
needed to legislation. Table 5 provides the former and current titles 
of these officials. 

Table 5: Former Agency Chief Information Officer Panel: 

Name: Alan Balutis; 
Former agency/positions: Department of Commerce/CIO; 
Current organization/position: Cisco Systems' Business Solutions 
Group/Senior Director of North American Public Sector. 

Name: John Gilligan; 
Former agency/positions: Department of the Air Force/CIO; 
Department of Energy/CIO; 
Current organization/position: The Gilligan Group/President. 

Name: Thomas Hughes; 
Former agency/positions: Social Security Administration/CIO; 
Current organization/position: CSC Corporation/Partner in Strategy 
Services. 

Name: Daniel Matthews; 
Former agency/positions: Department of Transportation/CIO; 
Current organization/position: Triple-I Corporation/Senior Vice 
President of Strategic Programs. 

Name: Molly O'Neil; 
Former agency/positions: U.S. Environmental Protection Agency/CIO; 
Current organization/position: CGI Group/VP Consulting. 

Name: Gloria Parker; 
Former agency/positions: Department of Housing and Urban 
Development/CIO; 
Department of Education/Deputy CIO; 
Current organization/position: Parker Group Consulting/CEO and Senior 
Partner. 

Name: Patrick Pizzella; 
Former agency/positions: Department of Labor/Assistant Secretary for 
Administration and Management and CIO; 
Current organization/position: Patrick Pizzella, LLC. 

Name: W. Hord Tipton; 
Former agency/positions: Department of the Interior/CIO; 
Current organization/position: International Information Systems 
Security Certification Consortium (ISC)/Executive Director and member 
of the Board of Directors. 

Name: Barry West; 
Former agency/positions: Department of Commerce/CIO; 
Federal Emergency Management Agency/CIO; 
Current organization/position: SE Solutions/Executive Vice President. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix IV: Summary of CIOs' Information Management and Technology 
Responsibilities: 

The following summarizes information gathered from CIOs related to 
their responsibilities in the 13 information management and 
information technology management areas discussed in this report. 

IT Strategic Planning: 

CIOs are responsible for strategic planning for all information and 
information technology management functions [Paperwork Reduction Act]. 

* Of the 30 CIOs we surveyed, all CIOs indicated they were responsible 
for ensuring compliance with laws related to IT strategic planning 
within their agency. In 2004, all 27 CIOs surveyed also indicated 
responsibility for IT strategic planning. 

* All CIOs reported they thought the CIO should be responsible for IT 
strategic planning. Twenty-nine of the 30 CIOs reported that IT 
strategic planning was important to carrying out their mission. The 
CIO who reported that IT strategic planning was not important said 
this area was being executed properly and it did not require much 
attention or guidance. Table 6 provides a summary of CIO responses 
regarding IT strategic planning. 

Table 6: Summary of CIO Responses to Questions for IT Strategic 
Planning: 

CIOs responsible for IT strategic planning: 

2011 - CIOs responsible: 100%.
2004 - CIOs responsible: 100%.
CIOs who felt they should be responsible: 100%.
CIOs who felt they should not be responsible: 0. 

Importance of IT strategic planning: 

Very important: 83%.
Important: 13%.
Somewhat important:0.
Not very important: 3%.
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

IT Workforce Planning: 

CIOs are responsible for assessing agency information and IT workforce 
needs and developing strategies and plans for meeting those needs 
[Paperwork Reduction Act and Clinger-Cohen Act]. 

* Twenty-six of the 30 CIOs indicated they were responsible for 
strategically assessing IT workforce needs and using IT staff in order 
to achieve mission goals in the most efficient ways. In 2004, we 
reported that all 27 CIOs responded they were responsible for helping 
the agency meet its IT workforce or human capital needs. 

* Of the 30 CIOs that provided responses, 24 reported that they 
thought the CIO should be responsible by law for IT workforce 
planning. All of the 30 CIOs reported that workforce planning was 
"very important" or "important" to carrying out their mission. Table 7 
provides a summary of CIO responses regarding IT workforce planning. 

Table 7: Summary of CIO Responses to Questions for IT Workforce 
Planning: 

CIOs responsible for IT workforce planning: 

2011 - CIOs responsible: 87%.
2004 - CIOs responsible: 100%.
CIOs who felt they should be responsible: 80%.
CIOs who felt they should not be responsible: 20%. 

Importance of IT workforce planning: 

Very important: 63%.
Important: 37%.
Somewhat important: 0.
Not very important: 0.
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Capital Planning and Investment Management: 

CIOs are responsible for a process for selecting, controlling, and 
evaluating IT investments to produce business value, reduce investment-
related risks, and increase accountability and transparency in the 
investment decision-making process [Paperwork Reduction Act and 
Clinger-Cohen Act]. 

Of the 30 CIOs we surveyed, all of them indicated they were 
responsible for capital planning and investment management activities 
at their agency. This is consistent with the results of our 2004 
report, which found that all 27 CIOs also indicated responsibility for 
capital planning and investment management. 

All 30 of the CIOs reported they thought the CIO should be responsible 
for capital planning and investment management. All 30 CIOs reported 
that capital planning and investment management was "very important" 
or "important" to carrying out their mission. Table 8 provides a 
summary of CIO responses regarding capital planning and investment 
management. 

Table 8: Summary of CIO Responses to Questions for Capital Planning 
and Investment Management: 

CIOs responsible for capital planning and investment management: 

2011 - CIOs responsible: 100%.
2004 - CIOs responsible: 100%.
CIOs who felt they should be responsible: 100%.
CIOs who felt they should not be responsible: 0. 

Importance of capital planning and investment management: 

Very important: 97%.
Important: 3%.
Somewhat important: 0.
Not very important: 0. 
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Information Security: 

CIOs are responsible for ensuring agency compliance with requirements 
to protect information and systems [Paperwork Reduction Act, Federal 
Information Security Management Act, and Clinger-Cohen Act]. 

All 30 CIOs indicated they were responsible for ensuring compliance 
with information security best practices and related laws at their 
agency. This is consistent with the results of our 2004 report, which 
found that all of the 27 CIOs surveyed indicated being responsible for 
information security. 

Of the 30 agencies that provided responses, all 30 CIOs reported that 
they thought the CIO should be responsible by law for information 
security. Twenty-nine of the 30 CIOs reported that information 
security was "very important" to carrying out their mission. Only one 
CIO ranked information security as "somewhat important" because his 
goal is to move the agency toward a risk-based approach that uses 
secure, reliable, and cost-effective technology. Table 9 provides a 
summary of CIO responses regarding information security. 

Table 9: Summary of CIO Responses to Questions for Information 
Security: 

CIOs responsible for information security: 

2011 - CIOs responsible: 100%.
2004 - CIOs responsible: 100%.
CIOs who felt they should be responsible: 100%.
CIOs who felt they should not be responsible: 0. 

Importance of information security: 

Very important: 97%.
Important: 0.
Somewhat important: 3%.
Not very important: 0.
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Enterprise Architecture: 

CIOs are responsible for developing and maintaining the business and 
technology blueprint that links an agency's strategic plan to IT 
programs and supporting system implementations [Clinger-Cohen Act]. 

Of the 30 CIOs we surveyed, all 30 indicated they were responsible for 
enterprise architecture-related activities at their agency. This is 
consistent with the results of our 2004 report, which found that 27 of 
27 CIOs also indicated responsibility for enterprise architecture. 

All 30 CIOs interviewed reported that they believed the CIO should be 
responsible for enterprise architecture. Twenty-eight of the 30 CIOs 
reported that enterprise architecture was "important" or "very 
important" to carrying out their mission with one of the remaining two 
identifying it as being "somewhat important" and the other labeling it 
as being "not very important." For example, one CIO ranked enterprise 
architecture as being very important based on the maturity of the 
agency's abilities within the area. The CIO explained that, since 
their enterprise architecture was not as mature as they would like it 
to be, they viewed it as being currently very important. The CIO who 
reported that enterprise architecture was somewhat important for his 
mission clarified that this was because the existing activities 
related to enterprise architecture were being properly executed and 
therefore required less focus. The remaining CIO who responded that 
enterprise architecture was "not very important" explained that 
enterprise architecture was not essential to completing the agency's 
mission and therefore having a formal enterprise architecture was less 
important at the agency. Table 10 provides a summary of CIO responses 
regarding enterprise architecture. 

Table 10: Summary of CIO Responses to Questions for Enterprise 
Architecture: 

CIOs responsible for enterprise architecture: 

2011 - CIOs responsible: 100%.
2004 - CIOs responsible: 100%.
CIOs who felt they should be responsible: 100%.
CIOs who felt they should not be responsible: 0. 

Importance of enterprise architecture: 

Very important: 77%.
Important: 17%.
Somewhat important: 3%.
Not very important: 3%.
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire: 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Systems Acquisition, Development, and Integration: 

CIO IT management responsibilities should include a primary role in 
developing and enforcing policies for systems acquisition, their 
development, and integration with existing systems [Paperwork 
Reduction Act and Clinger-Cohen Act]. 

Of the 30 CIOs we surveyed, 27 indicated they were responsible for 
ensuring compliance with systems acquisitions, development, and 
integration-related best practices. This is generally consistent with 
our 2004 study, when 25 of 27 CIOs reported responsibility for systems 
acquisition, development, and integration. 

Almost all (28 of 30) CIOs reported that they thought the CIO should 
be responsible for systems acquisition, development, and integration. 
All of the 30 CIOs reported that systems acquisition, development, and 
integration was "very important" or "important" to carrying out their 
mission. Table 11 provides a summary of CIO responses regarding this 
area. 

Table 11: Summary of CIO Responses to Questions for Systems 
Acquisition, Development, and Integration: 

CIOs responsible for systems acquisition, development, and integration: 

2011 - CIOs responsible: 90%.
2004 - CIOs responsible: 93%.
CIOs who felt they should be responsible: 93%.
CIOs who felt they should not be responsible: 7%. 

Importance of systems acquisition, development, and integration: 

Very important: 77%.
Important: 23%.
Somewhat important: 0.
Not very important: 0.
Not at all important: 0.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

E-government Initiatives: 

CIOs are responsible for promoting the use of IT, including the 
Internet and emerging technologies, to improve the productivity, 
efficiency, and effectiveness of agency operations, programs, and 
services [Paperwork Reduction Act, Clinger-Cohen Act, and E-Government 
Act of 2002]. 

Of the 30 CIOs we surveyed, 28 indicated they were responsible for 
ensuring compliance with the E-government Act of 2002 and related e- 
government initiatives at their agency. This is generally consistent 
with the results of our 2004 report, which found that 25 of 27 CIOs 
indicated responsibility for the e-government initiatives. 

Twenty-six of 30 CIOs reported that they thought the CIO should be 
responsible for e-government initiatives. Eighteen of the 30 CIOs 
reported that the e-government initiatives were "important" or "very 
important" to carrying out their mission. However, a number of CIOs 
felt that the e-government initiatives were not important to their 
mission. For example, one CIO said the only persons who cared whether 
they respond to the e-government initiatives are outside of the agency 
and this CIO considered these initiatives a paperwork exercise. 
Another CIO felt this area was only "somewhat important" because they 
already had established mature systems that did not require effort on 
the CIOs part to maintain. Table 12 provides a summary of CIO 
responses regarding e-government. 

Table 12: Summary of CIO Responses to Questions for E-government 
Initiatives: 

CIOs responsible for e-government initiatives: 

2011 - CIOs responsible: 93%.
2004 - CIOs responsible: 93%.
CIOs who felt they should be responsible: 87%.
CIOs who felt they should not be responsible: 13%. 

Importance of e-government initiatives: 

Very important: 23%.
Important: 37%.
Somewhat important: 23%.
Not very important: 10%.
Not at all important: 7%.
N/A: 0. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Information Collection/Paperwork Reduction: 

CIOs are responsible for the review of agency information collection 
proposals to maximize utility and minimize public paperwork burdens 
[Paperwork Reduction Act]. 

Twenty-two of 30 CIOs indicated that they were responsible for 
information collection/paperwork reduction at their agency. This is 
generally consistent with the results of our 2004 study, which found 
that 22 of 27 CIOs indicated responsibility for information 
collection/paperwork reduction. 

Eighteen of the 30 CIOs reported they thought the CIO should be 
responsible for information collection/paperwork reduction. Fourteen 
of the 30 CIOs reported that information collection/paperwork 
reduction was "very important" or "important" to carrying out their 
mission. Fifteen CIOs ranked it as "somewhat important" or "not very 
important." Four CIOs reported that information collection/paperwork 
reduction was "not very important," with one stating that this area 
was either handled by his staff or he felt it was being executed 
properly and did not require a lot of attention and guidance. Several 
of the remaining CIOs reported that information collection/paperwork 
reduction was "somewhat important" because they were either not 
responsible for this area or it was not mission critical. Table 13 
provides a summary of CIO responses regarding this area. 

Table 13: Summary of CIO Responses to Questions for Information 
Collection/Paperwork Reduction: 

CIOs responsible for information collection/paperwork reduction: 

2011 - CIOs responsible: 73%; 
2004 - CIOs responsible: 81%.
CIOs who felt they should be responsible: 60%.
CIOs who felt they should not be responsible: 40%. 

Importance of information collection/paperwork reduction: 

Very important: 17%.
Important: 30%.
Somewhat important: 37%.
Not very important: 13%.
Not at all important: 0.
N/A: 3%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Information Dissemination: 

CIOs are responsible for ensuring that the agency's information 
dissemination activities meet policy goals, such as timely and 
equitable public access to information [Paperwork Reduction Act]. 

Of the 30 CIOs we surveyed, 16 indicated they were responsible for 
information dissemination-related activities at their agency. This 
represents a decrease since our 2004 report when 20 of 27 CIOs 
reported they held this responsibility. 

Thirteen of the 30 CIOs reported that they thought the CIO should be 
responsible for information dissemination. Eighteen of the 30 CIOs 
reported that information dissemination was "very important" or 
"important" to carrying out their mission, while 11 CIOs ranked it as 
being either "somewhat important" or "not very important" to carrying 
out their mission. Several CIOs explained they ranked information 
dissemination as being less than "important" because responsibilities 
in the area were being executed properly by other designated 
officials, they were not directly responsible, or it was not a 
priority and did not require a lot of time. Table 14 provides a 
summary of CIO responses regarding information dissemination. 

Table 14: Summary of CIO Responses to Questions for Information 
Dissemination: 

CIOs responsible for information dissemination: 

2011 - CIOs responsible: 53%.
2004 - CIOs responsible: 74%.
CIOs who felt they should be responsible: 43%.
CIOs who felt they should not be responsible: 57%. 

Importance of information dissemination: 

Very important: 17%.
Important: 43%.
Somewhat important: 30%.
Not very important: 7%.
Not at all important: 0.
N/A: 3%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Information Disclosure: 

CIOs are responsible for ensuring appropriate information disclosure 
under the Freedom of Information Act [Paperwork Reduction Act]. 

Of the 30 CIOs we surveyed, 9 indicated that they were responsible for 
information disclosure at their agency. This is generally consistent 
with our 2004 findings in which 9 of 27 CIOs indicated responsibility 
for information disclosure. 

Of the 30 CIOs surveyed, 10 reported that they thought the CIO should 
be responsible for information disclosure. Fourteen of the 30 CIOs 
reported that it was "very important" or "important" to carrying out 
their mission. In contrast, 14 of the 30 CIOs reported that 
information disclosure was either "somewhat important" or "not very 
important" to carrying out their mission. CIOs who ranked information 
disclosure as either being "somewhat important" or "not very 
important" commonly explained they did so because the area was either 
a low priority, did not require a lot of time, was executed properly 
or, as CIO, they were not primarily responsible for information 
disclosure. One CIO explained that he ranked the area as being 
"somewhat important" because his agency does not disclose a majority 
of its information. Of the remaining 2 CIOs who responded that this 
question was not applicable, one explained that they ranked the area 
as "not applicable" because they were not directly responsible and 
felt uncomfortable providing a metric regarding its importance. Table 
15 provides a summary of CIO responses regarding information 
disclosure. 

Table 15: Summary of CIO Responses to Questions for Information 
Disclosure: 

CIOs responsible for information disclosure: 

2011 - CIOs responsible: 30%.
2004 - CIOs responsible: 33%.
CIOs who felt they should be responsible: 33%.
CIOs who felt they should not be responsible: 67%. 

Importance of information disclosure: 

Very important: 17%.
Important: 30%.
Somewhat important: 37%.
Not very important 10%.
Not at all important: 0.
N/A: 7%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Statistical Policy and Coordination: 

CIOs are responsible for agency statistical policy and coordination 
functions, including ensuring the relevance, accuracy, and timeliness 
of information collected or created for statistical purposes 
[Paperwork Reduction Act]. 

Seven of 30 CIOs indicated they had responsibility for performing 
statistical policy and coordination functions, including ensuring the 
relevance, accuracy, and timeliness of information collected or 
created for statistical purposes at their agency. Similarly, in our 
2004 study, 8 of 27 CIOs reported responsibility for statistical 
policy and coordination. 

Twenty-three CIOs reported that someone other than the CIO should be 
responsible for statistical policy and coordination. In comparison to 
the other areas of information and IT management, CIOs viewed 
statistical policy and coordination as the least important to 
accomplishing the CIO's mission. Specifically, 15 CIOs ranked 
statistical policy as "somewhat important," "not very important," or 
"not at all important." Many of these CIOs explained that they were 
not responsible for statistical policy at the agency because a 
designated official performed these activities. Table 16 provides a 
summary of CIO responses regarding statistical policy and coordination. 

Table 16: Summary of CIO Responses to Questions for Statistical Policy 
and Coordination: 

CIOs responsible for statistical policy and coordination: 

2011 - CIOs responsible: 23%.
2004 - CIOs responsible: 30%.
CIOs who felt they should be responsible: 20%.
CIOs who felt they should not be responsible: 80%. 

Importance of statistical policy and coordination: 

Very important: 13%.
Important: 13%.
Somewhat important: 23%.
Not very important: 20%.
Not at all important: 6%.
N/A: 23%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Records Management: 

CIOs are responsible for ensuring that the agency implements and 
enforces the records management policies and procedures required by 
the Federal Records Act [Paperwork Reduction Act]. 

Of the 30 CIOs we surveyed, 18 indicated they were responsible for 
ensuring compliance with the Federal Records Act and related laws at 
their agency. In our 2004 study, 21 of 27 CIOs indicated 
responsibility for records management. 

Of the 30 CIOs surveyed, 18 reported that they thought the CIO should 
be responsible for records management. Twenty-one of the 30 CIOs 
reported that records management was "important" or "very important" 
to carrying out their mission. However, 8 CIOs felt that records 
management was "somewhat important" or "not very important" to their 
mission. Of these, one CIO said this area was either handled by his 
staff or he felt it was being executed properly and did not require a 
lot of attention or guidance. Another CIO felt this area was "somewhat 
important" because it did not have a lot of impact and was of minimal 
importance. Table 17 provides a summary of CIO responses regarding 
records management. 

Table 17: Summary of CIO Responses to Questions for Records Management: 

CIOs responsible for records management: 

2011 - CIOs responsible: 60%.
2004 - CIOs responsible: 78%.
CIOs who felt they should be responsible: 60%.
CIOs who felt they should not be responsible: 40%. 

Importance of records management: 

Very important: 27%.
Important: 43%.
Somewhat important: 23%.
Not very important: 3%.
Not at all important: 0.
N/A: 3%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

Privacy: 

CIOs are responsible for ensuring agency compliance with the Privacy 
Act and related laws [Paperwork Reduction Act]. 

Eighteen of 30 CIOs indicated they were responsible for ensuring 
compliance with the Privacy Act and related laws at their agency. In 
our 2004 study, 17 of 27 CIOs were responsible for privacy. 

Seventeen CIOs reported that they thought the CIO should be 
responsible for privacy. Twenty-nine of the 30 CIOs reported that 
privacy was "important" or "very important" to carrying out their 
mission. The CIO who reported that this question was not applicable 
clarified that because he was not responsible for privacy, he was not 
comfortable assessing its importance. Table 18 provides a summary of 
CIO responses regarding privacy. 

Table 18: Summary of CIO Responses to Questions for Privacy: 

CIOs responsible for privacy: 

2011 - CIOs responsible: 60%.
2004 - CIOs responsible: 63%.
CIOs who felt they should be responsible: 57%.
CIOs who felt they should not be responsible: 43%. 

Importance of privacy: 

Very important 60%.
Important: 37%.
Somewhat important: 0.
Not very important: 0.
Not at all important: 0.
N/A: 3%. 

Source: CIO responses to GAO questionnaire. 

Note: Percentages may not sum to 100 due to rounding. 

[End of table] 

[End of section] 

Appendix V CIO Tenure at Each Agency: 

Figures 2 and 3 depict the tenure of CIOs at each agency in our review 
from 2004 to 2011. In addition, figure 2 shows whether CIOs were 
acting or permanent, while figure 3 shows whether they were career 
employees or political appointees. Table 19 presents further analysis 
related to acting and permanent CIO tenure. 

Figure 2: CIO Tenure--Acting and Permanent: 

[Refer to PDF for image: horizontal bar graph] 

Agency: HUD; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent (half-year); Acting (half-year); 
2008: Acting (half-year); Permanent (half-year); 
2009: Acting (half-year); Permanent (half-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 8. 

Agency: CNCS; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent (half-year); Acting (half-year); 
2006: Acting (half-year); Permanent (half-year); 
2007: Permanent; 
2008: Permanent (half-year); Acting (half-year); 
2009: Permanent (half-year); Acting (half-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 7. 

Agency: DHS; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent (one-third-year); Acting (two-thirds-year); 
2006: Permanent; 
2007: Permanent; 
2008: Acting (one-third-year); Permanent (two-thirds-year); 
2009: Permanent (half-year); Acting (half-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 7. 

Agency: Interior; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Acting (half-year); Permanent (half-year); 
2008: Permanent (one-third-year); Acting (two-thirds-year); 
2009: Permanent; 
2010: Permanent (half-year); Acting (half-year); 
2011: Permanent. 
Number of different CIOs[A]: 7. 

Agency: Treasury; 
CIO Tenure: 
2004: Permanent (two-thirds-year); Acting (one-third-year); 
2005: Permanent; 
2006: Permanent; 
2007: Permanent (half-year); Acting (half-year); 
2008: Permanent; 
2009: Permanent; 
2010: Permanent (half-year); Acting (half-year); 
2011: Acting; 
Number of different CIOs[A]: 6. 

Agency: USAID; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent (half-year); Acting (half-year); 
2007: Acting (half-year); Permanent (half-year); 
2008: Permanent (one-third-year); Acting (two-thirds-year); 
2009: Acting (one-third-year); Permanent (two-thirds-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 6. 

Agency: VA; 
CIO Tenure: 
2004: Acting (one-fourth-year); Permanent (three-fourths-year); 
2005: Permanent; 
2006: Permanent (half-year); Acting (half-year); 
2007: Permanent; 
2008: Permanent; 
2009: Acting (one-third-year); Permanent (two-thirds-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 6. 

Agency: Air Force; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent (one-third-year); Acting (two-thirds-year); 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: Army; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent (two-thirds-year); Acting (one-third-year); 
2008: Permanent; 
2009: Permanent; 
2010: Permanent (two-thirds-year); Acting (one-third-year); 
2011: Acting (one-fourth-year); Permanent (one-fourth-year); 
Number of different CIOs[A]: 5. 

Agency: Commerce; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent (two-thirds-year); Acting (one-third-year); 
2006: Acting (half-year); Permanent (half-year); 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: Defense; 
CIO Tenure: 
2004: Permanent (one-fourth-year); Acting (three-fourths-year); 
2005: Acting (three-fourths-year); Permanent (one-fourth-year); 
2006: Permanent; 
2007: Permanent; 
2008: Permanent (one-third-year); Acting (two-thirds-year); 
2009: Acting; 
2010: Acting (three-fourths-year); None (one-fourth-year); Permanent 
(one-fourth-year); 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: DOT; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Acting (one-third-year); Permanent (two-thirds-year); 
2007: Permanent; 
2008: Permanent; 
2009: Acting (one-third-year); None (one-fourth-year); Permanent (one-
half-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: EPA; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Acting; 
2007: Permanent; 
2008: Permanent; 
2009: Acting; 
2010: Acting (half-year); Permanent (half-year); 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: NASA; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent (half-year); Acting (half-year); 
2007: Acting (one-fourth-year); Permanent (three-fourths-year); 
2008: Permanent; 
2009: Permanent (one-third-year); Acting (two-thirds-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: SBA; 
CIO Tenure: 
2004: Permanent (half-year); Acting (half-year); 
2005: Acting (half-year); None (half-year); 
2006: None (one-third-year); Permanent (two-thirds-year); 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: State; 
CIO Tenure: 
2004: Acting; 
2005: Acting; 
2006: Permanent; 
2007: Permanent (nine-tenths-year); Acting (one-tenth-year); 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 5. 

Agency: Agriculture; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent (half-year); None (half-year); 
2006: Permanent; 
2007: Permanent (nine-tenths-year); None (one-tenth-year); 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: CFTC; 
CIO Tenure: 
2004: Permanent; 
2005: Acting (two-thirds-year); Permanent (one-third-year); 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: Education; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: Energy; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Acting (two-thirds-year); Permanent (one-third-year); 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: HHS; 
CIO Tenure: 
2004: Acting (one-third-year); Permanent (two-thirds-year); 
2005: Permanent; 
2006: Permanent; 
2007: Acting (one-third-year); Permanent (two-thirds-year); 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: Navy; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent (nine-tenths-year); Acting (one-tenth-year); 
2011: Permanent; 
Number of different CIOs[A]: 4. 

Agency: Labor; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Acting (one-third-year); Permanent (two-thirds-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 3. 

Agency: NRC; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 3. 

Agency: SSA; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Acting (one-half-year); Permanent (one-half-year); 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 3. 

Agency: FLRA[B]; 
CIO Tenure: 
2004: None; 
2005: None; 
2006: None; 
2007: None; 
2008: None; 
2009: None (one-third-year); Permanent (two-thirds-year); 
2010: None (one-third-year); Permanent (two-thirds-year); 
2011: Permanent; 
Number of different CIOs[A]: 2. 

Agency: GSA; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 2. 

Agency: NSF; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Acting; 
2011: Acting; 
Number of different CIOs[A]: 2. 

Agency: OPM; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 2. 

Agency: Justice; 
CIO Tenure: 
2004: Permanent; 
2005: Permanent; 
2006: Permanent; 
2007: Permanent; 
2008: Permanent; 
2009: Permanent; 
2010: Permanent; 
2011: Permanent; 
Number of different CIOs[A]: 1. 

Source: GAO analysis of agency data. 

[A] The number of bar elements for an agency may not add up to the 
total in this column because some individual CIOs are shown more than 
once, as their circumstances changed (e.g., an acting CIO that became 
a permanent CIO). 

[B] FLRA did not have a CIO until 2009. It is one of the independent 
agencies that was not required to have a CIO under the Clinger-Cohen 
Act. 

[End of figure] 

Figure 3: CIO Tenure--Career and Political Appointees: 

[Refer to PDF for image: horizontal bar graph] 

Agency: HUD; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 8. 

Agency: CNCS; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Career (one-third year); Appointed (two-thirds year); 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 7. 

Agency: DHS; 
CIO Tenure: 
2004: Appointed; 
2005: Career (one-third year); Appointed (two-thirds year); 
2006: Appointed; 
2007: Appointed; 
2008: Career (one-third year); Appointed (two-thirds year); 
2009: Career (one-third year); Appointed (two-thirds year); 
2010: Appointed; 
2011: Appointed; 
Number of different CIOs[A]: 7. 

Agency: Interior; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 7. 

Agency: Treasury; 
CIO Tenure: 
2004: Appointed (one-third year); Career (two-thirds year); 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 6. 

Agency: USAID; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 6. 

Agency: VA; 
CIO Tenure: 
2004: Career (one-tenth year); Appointed (nine-tenths year); 
2005: Appointed; 
2006: Appointed; 
2007: Appointed; 
2008: Appointed; 
2009: Career (one-third year); Appointed (two-thirds year); 
2010: Appointed; 
2011: Appointed; 
Number of different CIOs[A]: 6. 

Agency: Air Force; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: Army; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career (one-fourth year); Appointed (one-fourth year); 
Number of different CIOs[A]: 5. 

Agency: Commerce; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: Defense; 
CIO Tenure: 
2004: Appointed (one-fourth year); Career (three-fourths year); 
2005: Career (three-fourths year); Career (one-fourth year); 
2006: Appointed; 
2007: Appointed; 
2008: Appointed (one-third year); Career (two-thirds year); 
2009: Career; 
2010: Career (nine-tenths year); None (one-tenth year); 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: DOT; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Career (one-third year); Appointed (two-thirds year); 
2007: Appointed; 
2008: Appointed; 
2009: Career (one-third year); None (one-tenth year); Appointed (two-
thirds year); 
2010: Appointed; 
2011: Appointed; 
Number of different CIOs[A]: 5. 

Agency: EPA; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Career; 
2007: Appointed; 
2008: Appointed; 
2009: Career; 
2010: Career (one-half year); Appointed (one-half year); 
2011: Appointed; 
Number of different CIOs[A]: 5. 

Agency: NASA; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career (one-half year); Appointed (one-half year); 
2007: Appointed (one-fourth year); Career (three-fourths year); 
2008: Career; 
2009: Career (one-third year); Appointed (two-thirds year); 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: SBA; 
CIO Tenure: 
2004: Appointed (one-third year); Career (two-thirds year); 
2005: Career (one-half year); None (one-half year); 
2006: None (one-third year); Career (two-thirds year); 
2007: Career; 
2008: Career; 
2009: Career (one-half year); Appointed (one-half year); 
2010: Career (one-half year); Appointed (one-half year); 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: State; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: None (one-tenth year); Career (nine-tenths year); 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 5. 

Agency: Agriculture; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed (one-half year); None (one-half year); 
2006: Appointed; 
2007: Appointed (nine-tenths year); None (one-tenth year); 
2008: Appointed; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: CFTC; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: Education; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Appointed (one-half year); Career (one-half year); 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: Energy; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: HHS; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: Navy; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Appointed (one-tenth year); Career (nine-tenths year); 
2011: Career; 
Number of different CIOs[A]: 4. 

Agency: Labor; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Appointed; 
2007: Appointed; 
2008: Appointed; 
2009: Career (one-third year); Appointed (two-thirds year); 
2010: Appointed; 
2011: Appointed; 
Number of different CIOs[A]: 3. 

Agency: NRC; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 3. 

Agency: SSA; 
CIO Tenure: 
2004: Appointed; 
2005: Appointed; 
2006: Appointed; 
2007: Appointed; 
2008: Appointed; 
2009: Career (two-thirds year); Appointed (one-third year); 
2010: Appointed; 
2011: Appointed; 
Number of different CIOs[A]: 3. 

Agency: FLRA[B]; 
CIO Tenure: 
2004: None; 
2005: None; 
2006: None; 
2007: None; 
2008: None; 
2009: None (one-third year); Career (two-thirds year); 
2010: None (one-third year); Career (two-thirds year); 
2011: Career; 
Number of different CIOs[A]: 2. 

Agency: GSA; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 2. 

Agency: NSF; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 2. 

Agency: OPM; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 2. 

Agency: Justice; 
CIO Tenure: 
2004: Career; 
2005: Career; 
2006: Career; 
2007: Career; 
2008: Career; 
2009: Career; 
2010: Career; 
2011: Career; 
Number of different CIOs[A]: 1. 

Source: GAO analysis of agency data. 

[A] The number of bar elements for an agency may not add up to the 
total in this column because some individual CIOs are shown more than 
once, as their circumstances changed (e.g., an acting CIO that became 
a permanent CIO). 

[B] FLRA did not have a CIO until 2009. It is one of the independent 
agencies that was not required to have a CIO under the Clinger-Cohen 
Act. 

[End of figure] 

Table 19: Statistical Analysis of CIO Tenure (2004-2011): 

Mean: 
Permanent and acting CIOs including current CIOs: 23; 
Permanent and acting CIOs excluding current CIOs: 23; 
Permanent CIOs including current CIOs: 31; 
Permanent CIOs excluding current CIOs: 33; 
Acting CIOs including current CIOs: 9; 
Acting CIOs excluding current CIOs: 9; 
Only current permanent CIOs: 25. 

Median: 
Permanent and acting CIOs including current CIOs: 18; 
Permanent and acting CIOs excluding current CIOs: 17; 
Permanent CIOs including current CIOs: 27; 
Permanent CIOs excluding current CIOs: 30; 
Acting CIOs including current CIOs: 7; 
Acting CIOs excluding current CIOs: 7; 
Only current permanent CIOs: 21. 

Minimum (in months): 
Permanent and acting CIOs including current CIOs: 0.3; 
Permanent and acting CIOs excluding current CIOs: 0.3; 
Permanent CIOs including current CIOs: 2; 
Permanent CIOs excluding current CIOs: 3; 
Acting CIOs including current CIOs: 0; 
Acting CIOs excluding current CIOs: 0; 
Only current permanent CIOs: 2. 

Maximum (in months): 
Permanent and acting CIOs including current CIOs: 160; 
Permanent and acting CIOs excluding current CIOs: 160; 
Permanent CIOs including current CIOs: 160; 
Permanent CIOs excluding current CIOs: 160; 
Acting CIOs including current CIOs: 74; 
Acting CIOs excluding current CIOs: 74; 
Only current permanent CIOs: 109. 

Number of CIOs in this population: 
Permanent and acting CIOs including current CIOs: 134; 
Permanent and acting CIOs excluding current CIOs: 104; 
Permanent CIOs including current CIOs: 86; 
Permanent CIOs excluding current CIOs: 60; 
Acting CIOs including current CIOs: 44; 
Acting CIOs excluding current CIOs: 41; 
Only current permanent CIOs: 26. 

Number of CIOs in office less than 3 years: 
Permanent and acting CIOs including current CIOs: 107; 
Permanent and acting CIOs excluding current CIOs: 83; 
Permanent CIOs including current CIOs: 60; 
Permanent CIOs excluding current CIOs: 40; 
Acting CIOs including current CIOs: 43; 
Acting CIOs excluding current CIOs: 40; 
Only current permanent CIOs: 20. 

Number of CIOs in office between 3 and 5 years: 
Permanent and acting CIOs including current CIOs: 20; 
Permanent and acting CIOs excluding current CIOs: 15; 
Permanent CIOs including current CIOs: 20; 
Permanent CIOs excluding current CIOs: 15; 
Acting CIOs including current CIOs: 0; 
Acting CIOs excluding current CIOs: 0; 
Only current permanent CIOs: 5. 

Percentage of CIOs in office greater than 5 years: 
Permanent and acting CIOs including current CIOs: 7%; 
Permanent and acting CIOs excluding current CIOs: 6%; 
Permanent CIOs including current CIOs: 6%; 
Permanent CIOs excluding current CIOs: 5%; 
Acting CIOs including current CIOs: 1%; 
Acting CIOs excluding current CIOs: 1%; 
Only current permanent CIOs: 1%. 

Percentage of CIOs in office at least 3 years: 
Permanent and acting CIOs including current CIOs: 15%; 
Permanent and acting CIOs excluding current CIOs: 14%; 
Permanent CIOs including current CIOs: 23%; 
Permanent CIOs excluding current CIOs: 25%; 
Acting CIOs including current CIOs: 0%; 
Acting CIOs excluding current CIOs: 0%; 
Only current permanent CIOs: 19%. 

Source: GAO analysis of agency data. 

Note: CIOs who moved from acting to permanent status have been treated 
as if they were permanent the entire time, and calculations were 
performed on their aggregated time as one length of service. Also, 
these acting CIOs who became permanent were not included in the acting 
calculations above. 

[End of table] 

[End of section] 

Appendix VI: Comments from the Department of Defense: 

Department Of Defense: 
Chief Information Officer: 
6000 Defense Pentagon: 
Washington. D.C. 20301-6000: 

August 18, 2011: 

Ms. Cynthia Scott: 
Assistant Director: 
U.S. Government Accountability Office: 
Washington, D.C. 20548: 

Dear Ms. Scott: 

The following are the DoD CIO's comments the GAO draft report GAO-I I -
634, "Federal Chief Information Officers: Opportunities Exist to 
Improve Role in Information Technology Management" dated July 19, 2011 
(GAO Code 310951). 

The Department concurs with the GAO recommendation that the Director 
OMB issue guidance to agencies, requiring that CIOs' responsibilities 
and authority, as defined in law, are fully implemented and that 
appropriate reporting mechanisms are established to validate that this 
has been accomplished. The Department further notes that Director OMB 
has taken the first steps in addressing the importance of these issues 
in his August 8, 2011, memo, "Chief Information Officer Authorities." 

Further, while current and former CIOs, as well as the Federal CIO, 
did not identify legislative changes needed to enhance CIOs' authority 
and generally felt that existing law provides sufficient authority, 
the Department (DoD CIO) believes there are legislative opportunities 
to clarify and strengthen CIO responsibilities and authorities that 
should be pursued. The most helpful of these would be a deconfliction 
of potentially overlapping responsibilities between the CIO and 
various other statutory officials, such as Chief Management Officers, 
Chief Performance Officers, Chief Acquisition Officers, and Chief 
Privacy Officers. The Department is currently revising the DoD CIO 
charter and other policies to address this issue internally, but there 
would be great value in having a clarified legislative basis for these 
CIO responsibilities and authorities. 

Sincerely, 

Signed by: 

Teresa M. Takai: 

[End of section] 

Appendix VII: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

August 19, 2011: 

Valerie C. Melvin: 
Director, Information Management and Human Capital Issues: 
441 G Street, NW: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Re: Draft Report GAO-11-634, "Federal Chief Information Officers:
Opportunities Exist to Improve Role in Information Technology 
Management" 

Dear Ms. Melvin: 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

Although the report does not contain any recommendations directed at 
DHS, the Department remains committed to working with the Office of 
Management and Budget and other relevant stakeholders to address the 
challenges agency Chief Information Officers face and increase the 
effectiveness of their efforts. 

Again, thank you for the opportunity to review and comment on this 
draft report. We look forward to working with you on future Homeland 
Security issues. 

Sincerely, 

Signed by: 

Jim H. Crumpacker: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix VIII: Comments from the Office of Personnel Management: 

United States Office of Personnel Management: 
Chief Information Officer: 
Washington, DC 20415: 

July 28, 2011: 

Cynthia Scott, Assistant Director: 
Information Management and Human Capital Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

OPM appreciates the opportunity to comment on the draft report, 
Federal Chief Information Officers, Opportunities Exist to Improve 
Role in Information Technology Management, GAO-11-634 regarding the 
role of Federal CIOs in meeting agency Information Resource Management 
(IRM) and Information Technology (IT) responsibilities. As you point 
out, "IT has the potential to enable federal agencies to accomplish 
their missions more quickly, effectively and economically...The CIO
position was established by Congress to serve as a focal point for IT 
within an agency." OPM agrees that the CIO plays a critical, strategic 
role in ensuring every agency serves the American people well. 

Under this Administration, OPM has elevated the CIO position and 
brought it more in line with the original vision of the Clinger-Cohen 
Act (CCA). Previously, the CIO was buried beneath multiple layers of 
management, giving the Director little visibility into the health of 
OPM's many IT investments. Also, several areas of CIO responsibility 
under CCA - including some IT infrastructure functions - were managed 
by other parts of the agency. Director Berry consolidated these 
functions during reorganization early in his tenure and made the CIO a 
direct report. As a result, IT is better managed, more accountable and 
the CIO is a strategic player with a seat at the executive table. 

Today, all areas of IT and IRM fall within the CIO's purview at OPM. 
The one exception is that the statistical policy and coordination is 
primarily handled by OPM's Planning and Policy Analysis organization 
but with strong links to the CIO's office for technical direction and 
support. We have seen dramatic improvements in the way IT and IRM are 
managed and our IT investments are in better shape than ever before. 

Because of our own experience, we concur with your recommendation that 
OMB ensure that all agencies fully implement the organizational 
changes necessary to make the CIO role function the way it was 
designed. We also concur that establishing processes for documenting 
internal lessons learned and best practices regarding the management 
of IT and IRM would benefit the federal government as a whole. We look 
forward to OMB's concurrence on these items. 

Signed by: 

Matthew E. Perry: 
Chief Information Officer: 

[End of section] 

Appendix IX: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Valerie C. Melvin (202) 512-6304 or melvinv@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, key contributions were made to 
this report by Cynthia J. Scott (Assistant Director); Michael 
Alexander; Cortland Bradford; Virginia Chanley; James Crimmer, Jr.; 
Neil Doherty; Ashfaq Huda; Lee McCracken; David Plocher; David A. 
Powner; Meredith R. Raymond; John M. Resser; Eric Trout; Christy 
Tyson; Walter Vance; and Merry Woo. 

[End of section] 

Footnotes: 

[1] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 
2011). 

[2] GAO, Opportunities to Reduce Potential Duplication in Government 
Programs, Save Tax Dollars, and Enhance Revenue, [hyperlink, 
http://www.gao.gov/products/GAO-11-318SP] (Washington, D.C.: Mar. 1, 
2011). An interactive, web-based version of the report is available 
at: [hyperlink, http://www.gao.gov/ereport/gao-11-318SP]. 

[3] Div. E, P.L. 104-106, (Feb. 10, 1996); 40 U.S.C 11101, et seq. The 
law, initially titled the Information Technology Management Reform 
Act, was subsequently renamed the Clinger-Cohen Act in P.L. 104-208, 
(Sept. 30, 1996). 

[4] GAO, Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, [hyperlink, 
http://www.gao.gov/products/GAO-04-823] (Washington, D.C.: July 21, 
2004). 

[5] These areas are IT strategic planning; IT workforce planning; 
capital planning and investment management; information security; 
information collection/paperwork reduction; information dissemination; 
information disclosure; statistical policy and coordination; records 
management; privacy; enterprise architecture; e-government 
initiatives; and systems acquisition, development, and integration. 

[6] The 30 agencies covered by this report were the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General 
Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and the U.S. Agency 
for International Development; the Air Force, the Army, and the Navy; 
and the Corporation for National and Community Service, the Commodity 
Futures Trading Commission, and the Federal Labor Relations Authority. 

[7] IRM is the process of managing information resources to accomplish 
agency missions and to improve agency performance. 

[8] P.L. 96-511 (Dec. 11, 1980). 

[9] The act required OMB to oversee the acquisition and use of 
automatic data processing and telecommunications equipment (which 
later came to be known as IT). 

[10] Title VIII, P.L. 99-591 (Oct. 30, 1986); P.L. 104-13 (May 22, 
1995). 

[11] 44 U.S.C. 3506. 

[12] 44 U.S.C. 3506 (h)(5). 

[13] 40 U.S.C. 11312 and 11313. 

[14] 40 U.S.C. 11315 and 44 U.S.C. 3506(a). The Clinger-Cohen Act 
requirement that agency CIOs have IRM as their primary duty applies to 
the 24 major departments and agencies listed in 31 U.S.C. 901(b). The 
E-Government Act of 2002 reiterated agency responsibility for 
information resources management. P.L. 107-347 (Dec. 17, 2002). 

[15] 5 U.S.C. 552a. 

[16] 44 U.S.C. 3541, et seq. 

[17] 5 U.S.C. 552. 

[18] GAO, Chief Information Officer: Ensuring Strong Leadership and an 
Effective Council, [hyperlink, 
http://www.gao.gov/products/GAO/T-AIMD-98-22] (Washington D.C.: Oct. 
27, 1997). 

[19] [hyperlink, http://www.gao.gov/products/GAO-04-823]. 

[20] GAO, Chief Information Officers: Responsibilities and Information 
Technology Governance at Leading Private-Sector Companies, [hyperlink, 
http://www.gao.gov/products/GAO-05-986] (Washington, D.C: September 
14, 2005). 

[21] We visited companies recognized as leaders in IT management. In 
addition, we chose companies that performed activities similar to 
those performed by federal agencies (e.g. supply chain management, 
education, and income security). The companies visited included 
Walmart, International Business Machines, and General Motors. 

[22] We reduced the 13 areas reviewed in the federal CIO study to 12 
in the private-sector study by combining information dissemination and 
information disclosure into a single function. In addition, we treated 
e-government in the public sector as equivalent to e-business/e- 
commerce in the private sector. 

[23] These areas were enterprise architecture, strategic planning, 
information collection, and information dissemination and disclosure. 

[24] GAO, Information Technology Management: Governmentwide Strategic 
Planning, Performance Measurement, and Investment Management Can Be 
Further Improved, [hyperlink, http://www.gao.gov/products/GAO-04-49] 
(Washington, D.C.: Jan. 12, 2004). 

[25] GAO, Executive Guide: Improving Mission Performance through 
Strategic Information 

Management and Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1, 
1994); and Executive Guide: Maximizing the Success of Chief 
Information Officers: Learning From Leading Organizations, [hyperlink, 
http://www.gao.gov/products/GAO-01-376G] (Washington, D.C.: Feb. 1, 
2001). 

[26] [hyperlink, http://www.gao.gov/products/GAO-04-823]. 

[27] [hyperlink, http://www.gao.gov/products/GAO-11-278]. 

[28] GAO, Information Technology Investment Management: A Framework 
for Assessing and Improving Process Maturity, [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004). 

[29] For example, GAO, Information Technology: Treasury Needs to 
Strengthen Its Investment Board Operations and Oversight, [hyperlink, 
http://www.gao.gov/products/GAO-07-865] (Washington, D.C.: Jul. 23, 
2007); Information Technology: DHS Needs to Fully Define and Implement 
Policies and Procedures for Effectively Managing Investments, 
[hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: 
Apr. 27, 2007); Information Technology: Centers for Medicare & 
Medicaid Services Needs to Establish Critical Investment Management 
Capabilities, [hyperlink, http://www.gao.gov/products/GAO-06-12] 
(Washington, D.C.: Oct. 28, 2005); Information Technology: 
Departmental Leadership Crucial to Success of Investment Reforms at 
Interior, [hyperlink, http://www.gao.gov/products/GAO-03-1028] 
(Washington, D.C.: Sept. 12, 2003); and United States Postal Service: 
Opportunities to Strengthen IT Investment Management Capabilities, 
[hyperlink, http://www.gao.gov/products/GAO-03-3] (Washington, D.C.: 
Oct. 15, 2002). 

[30] [hyperlink, http://www.gao.gov/products/GAO-07-424] and 
[hyperlink, http://www.gao.gov/products/GAO-07-865]. 

[31] GAO, Information Technology: Federal Agencies Need to Strengthen 
Investment Board Oversight of Poorly Planned and Performing Projects, 
[hyperlink, http://www.gao.gov/products/GAO-09-566] (Washington, D.C.: 
June 30, 2009). 

[32] [hyperlink, http://www.gao.gov/products/GAO-11-278]. 

[33] GAO, Enterprise Architecture: Leadership Remains Key to 
Establishing and Leveraging Architectures for Organizational 
Transformation, [hyperlink, http://www.gao.gov/products/GAO-06-831] 
(Washington, D.C.: Aug. 14, 2006). 

[34] GAO, Organizational Transformation: A Framework for Assessing and 
Improving Enterprise Architecture Management (Version 2.0), 
[hyperlink, http://www.gao.gov/products/GAO-10-846G] (Washington, 
D.C.: August 2010). 

[35] [hyperlink, http://www.gao.gov/products/GAO-11-278]. 

[36] GAO, Information Technology: Leading Commercial Practices for 
Outsourcing of Services, [hyperlink, 
http://www.gao.gov/products/GAO-02-214] (Washington, D.C.: Nov. 30, 
2001). 

[37] For example, see GAO, Information Technology: Inconsistent 
Software Acquisition Processes at the Defense Logistics Agency 
Increase Project Risks, [hyperlink, 
http://www.gao.gov/products/GAO-02-9] (Washington, D.C.: Jan. 10, 
2002); and HUD Information Systems: Immature Software Acquisition 
Capability Increases Project Risks, [hyperlink, 
http://www.gao.gov/products/GAO-01-962] (Washington, D.C.: Sept. 14, 
2001). 

[38] GAO, Information Technology: Management Improvements Needed on 
Immigration and Customs Enforcement's Infrastructure Modernization 
Program, [hyperlink, http://www.gao.gov/products/GAO-05-805] 
(Washington, D.C.: Sept. 7, 2005). 

[39] [hyperlink, http://www.gao.gov/products/GAO-11-278]. 

[40] GAO, Electronic Government: Federal Agencies Have Made Progress 
Implementing the E-Government Act of 2002, [hyperlink, 
http://www.gao.gov/products/GAO-05-12 (Washington, D.C.: Dec. 10, 
2004). 

[41] GAO, Information Management: Selected Agencies' Handling of 
Personal Information, [hyperlink, 
http://www.gao.gov/products/GAO-02-1058] (Washington, D.C.: September 
30, 2002). 

[42] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/products/GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[43] GAO, Paperwork Reduction Act: New Approach May Be Needed to 
Reduce Government Burden on Public, [hyperlink, 
http://www.gao.gov/products/GAO-05-424] (Washington, D.C.: May 2005). 

[44] GAO, Federal Records: National Archives and Selected Agencies 
Need to Strengthen E-Mail Management, [hyperlink, 
http://www.gao.gov/products/GAO-08-742] (Washington, D.C.: June 13, 
2008). 

[45] GAO, Freedom Of Information Act: Agencies Are Making Progress in 
Reducing Backlog, but Additional Guidance Is Needed, [hyperlink, 
http://www.gao.gov/products/GAO-08-344] (Washington, D.C.: March 14, 
2008). 

[46] GAO, Information Management: Challenges in Federal Agencies' Use 
of Web 2.0 Technologies, [hyperlink, 
http://www.gao.gov/products/GAO-10-872T] (Washington, D.C.: July 22, 
2010). 

[47] GAO, Social Media: Federal Agencies Need Policies and Procedures 
for Managing and Protecting Information They Access and Disseminate, 
[hyperlink, http://www.gao.gov/products/GAO-11-605] (Washington, D.C.: 
Jun. 28, 2011). 

[48] This refers to services that can be deployed rapidly and 
solutions that will result in substantial cost savings, allowing 
agencies to optimize spending and reinvest in their most critical 
mission needs. 

[49] GAO, Information Technology: Investment Oversight and Management 
Have Improved but Continued Attention is Needed, [hyperlink, 
http://www.gao.gov/products/GAO-11-454T] (Washington, D.C.: Mar. 17, 
2011). 

[50] GAO, Information Technology: OMB's Dashboard Has Increased 
Transparency and Oversight, but Improvements Needed, [hyperlink, 
http://www.gao.gov/products/GAO-10-701] (Washington, D.C.: July 16, 
2010) and Information Technology: OMB Has Made Improvements to Its 
Dashboard, but Further Work Is Needed by Agencies and OMB to Ensure 
Data Accuracy, [hyperlink, http://www.gao.gov/products/GAO-11-262] 
(Washington, D.C.: Mar. 15, 2011). 

[51] [hyperlink, http://www.gao.gov/products/GAO-11-454T]. 

[52] For comparison to our 2004 report, we did not include the three 
small, independent agencies in this count. 

[53] OMB Memorandum M-05-08 required agencies to designate a senior 
official who has the overall agencywide responsibility for information 
privacy issues. It further indicated that if the CIO is not designated 
as responsible for privacy, the agency may designate another senior 
official (at the Assistant Secretary or equivalent level) with 
agencywide responsibility for information privacy issues. 

[54] Principal Statistical Agencies include the Bureau of Economic 
Analysis (Department of Commerce), Bureau of Justice Statistics 
(Department of Justice), Bureau of Labor Statistics (Department of 
Labor), Bureau of Transportation Statistics (Department of 
Transportation), Economic Research Service (Department of 
Agriculture), Energy Information Administration (Department of 
Energy), Environmental Protection Agency, Internal Revenue Service's 
Statistics of Income Division (Department of the Treasury), National 
Agricultural Statistics Service (Department of Agriculture), National 
Center for Education Statistics (Department of Education), National 
Center for Health Statistics (Department of Health and Human 
Services), Science Resources Statistics (National Science Foundation), 
Office of Program Development and Research (Social Security 
Administration), Office of Management and Budget (Executive Office of 
the President), and the U.S. Census Bureau (Department of Commerce). 

[55] Infrastructure issues could refer to any problems with keeping an 
agency's core IT functions running, such as e-mail. 

[56] The federal CIO Council is the principal interagency forum to 
improve agency practices on such matters as the design, modernization, 
use, sharing, and performance of agency information resources. 

[57] Cloud computing is an emerging form of computing where users have 
access to scalable, on-demand capabilities that are provided through 
Internet-based technologies. 

[58] This refers to systems used to carry out routine tasks (e.g., e- 
mail, data centers, web infrastructure). 

[59] [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-98-22]. 

[60] U.S. Senate Committee on Governmental Affairs, Paperwork 
Reduction Act of 1995, Senate Report 104-8 (Washington, D.C.: Jan. 30, 
1995). 

[61] House of Representatives, National Defense Authorization Act for 
Fiscal Year 1996, Conference Report to Accompany S.1124, House Report 
104-450 (Washington, D.C.: Jan. 22, 1996). 

[62] Our last review included CIOs who were in office between February 
10, 1996, and March 1, 2004. This review included CIOs who were in 
office between January 15, 2004, and March 15, 2011. 

[63] This only included CIOs who had completed their time in office. 

[64] [hyperlink, http://www.gao.gov/products/GAO/T-AIMD-98-22]. 

[65] This is referring to investments requiring an OMB exhibit 300. 
Each year, agencies submit to OMB a Capital Asset Plan and Business 
Case--the exhibit 300--to justify each request for a major information 
technology investment. 

[66] GAO, Information Technology: Homeland Security Should Better 
Balance Need for System Integration Strategy with Spending for New and 
Enhanced Systems, [hyperlink, http://www.gao.gov/products/GAO-04-509] 
(Washington, D.C.: May 21, 2004). 

[67] [hyperlink, http://www.gao.gov/products/GAO-06-11]. 

[68] [hyperlink, http://www.gao.gov/products/GAO-04-823]. 

[69] OMB, Memorandum for the Heads of Executive Departments and 
Agencies, M-09-02 (Washington, D.C.: Oct. 21, 2008). 

[70] OMB, Memorandum for Heads of Executive Departments and Agencies, 
M-11-29 (Washington, D.C.: Aug. 8, 2011). 

[71] The Council advises and assists the President in ensuring that 
government reform is implemented throughout the executive branch. The 
Council's functions include improving overall executive branch 
management; coordinating management-related efforts to improve 
government; ensuring the adoption of new management practices in 
agencies; and identifying examples of, and providing mechanisms for, 
interagency exchange of information about best management practices. 

[72] OMB, Statement by Steven VanRoekel, Federal CIO, August 8, 2011, 
[hyperlink, http://www.whitehouse.gov/blog/2011/08/08/changing-role-
federal-chief-information-officer]. 

[73] OMB Circular A-130 requires agencies to conduct 
postimplementation reviews to assess the project's impact on mission 
performance and document lessons learned. 

[74] GAO, NASA: Better Mechanisms Needed for Sharing Lessons Learned, 
[hyperlink, http://www.gao.gov/products/GAO-02-195] (Washington, D.C.: 
Jan. 30, 2002). 

[75] OMB, Circular No. A-130 (Washington, D.C.: Nov. 28, 2000). 

[76] GAO, Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, [hyperlink, 
http://www.gao.gov/products/GAO-04-823] (Washington, D.C.: July 21, 
2004). 

[77] Gartner, The Role of Federal Government CIOs Must Evolve, ID 
Number: G00130848 (Sept. 28, 2005); 2011 Predicts: Government CIOs 
Must Balance Cost Containment With IT Innovation, ID Number: G00208687 
(Nov. 17, 2010); and Private-Turned-Public CIOs Must Acquire Different 
Political and Interpersonal Skills, ID Number G00127518 (July 1, 2005). 

[78] Deloitte, CIO 2.0: The Changing Role of the CIO in Government 
(2004); and Top Ten Challenges for CIOs in 2010: Tough Growth, Tough 
Decisions (2010). 

[79] OMB, 25 Point Implementation Plan to Reform Federal Information 
Technology Management (Dec. 9, 2010). 

[80] We selected agencies to represent a range of 2011 IT budget 
estimates of approximately $25 million to $860 million. 

[81] [hyperlink, http://www.gao.gov/products/GAO-04-823]. 

[82] When comparing results between this report and our 2004 review, 
we did not include information from the three small, independent 
agencies, as they were not involved in our 2004 review. 

[83] GAO, Information Technology: Homeland Security Should Better 
Balance Need for System Integration Strategy with Spending for New and 
Enhanced Systems, [hyperlink, http://www.gao.gov/products/GAO-04-509] 
(Washington, D.C.: May 21, 2004); Information Technology: HHS Has 
Several Investment Management Capabilities in Place but Needs to 
Address Key Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-06-11] (Washington, D.C.: Oct. 28, 
2005); DOD Business Transformation: Improved Management Oversight of 
Business Systems Modernization Efforts Needed, [hyperlink, 
http://www.gao.gov/products/GAO-11-53] (Washington, D.C.: Oct. 7, 
2010); and [hyperlink, http://www.gao.gov/products/GAO-04-823]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: