Exclusive

White House preparing executive order on CIO authorities

The White House is considering adding one more piece to its IT modernization strategy. The Trump administration is floating a draft executive order focused on, once again, defining the roles and authorities of agency chief information officers.

Federal News Radio has obtained a copy of the draft EO from December, which sources say has been circulated for comment across the federal CIO community.

“Despite multiple legislative mandates, agency chief information officers do not have adequate visibility into, or control over, their agencies’ IT spending, resulting in duplication, waste, and poor service delivery. Enhancing the responsibilities and accountability of agency chief information officers will better position agencies to modernize their IT systems, save taxpayer dollars, reduce cybersecurity risks, and better serve the American people,” the draft EO states.

Advertisement

The EO would cover every CFO Act agency except for the Defense Department.

Why this White House continues to exempt DoD from its IT modernization strategy mandates remains a mystery and is perplexing. The administration did the same thing with the Centers of Excellence initiative.

Yes, DoD is the 800-pound gorilla when it comes to federal IT and has a budget that dwarfs every other department, but it doesn’t mean the Pentagon couldn’t use some outside and independent advice and direction.

Even Congress recognized the need for DoD to add more weight to its CIO. In the 2018 Defense Authorization bill, Congress approved and President Donald Trump signed into law a provision that would make the CIO position presidentially-appointed and Senate-confirmed.

But the decision not to include DoD is a discussion for another time and notebook.

The draft EO didn’t impress any of the former federal IT officials, all of whom spoke on the condition of anonymity in order to talk about a pre-decisional document, who have seen the document, with most saying there is little new or different in the White House’s plans than they’ve seen over the past 15 years.

“As an EO, it signals the administration’s intent to watch this area more closely than before, which is good,” said one former federal IT executive. “It will also help OMB and oversight committees focus more on this area.”

Another former CIO said the EO should cover more than just the CFO Act agencies, but those that run high-valued systems and data, such as the Securities and Exchange Commission or the Federal Communications Commission.

“There is interpretation done at those agencies and they ‘pick’ what is useful and what is not,” said one former CIO. “Clinger-Cohen applies but FITARA [Federal IT Acquisition Reform Act] doesn’t. And the oversight will only come from GAO/IG and NOT OMB because they are NOT a covered agency.”

Well-covered ground for CIOs

Overall, the Trump administration is paving over well-known ground and long-standing challenges that previous laws and policies have come up short trying to solve.

The draft EO’s goal is to improve “the management and oversight of federal IT by designating the chief information officer of each covered agency as the primary point of responsibility and accountability for management of IT resources within that agency. The agency chief information officer should be the key strategic advisor to the agency head concerning the use of IT to accomplish the agency’s mission, reduce cybersecurity risks, and improve efficiency,” the draft EO states. “Consistent with statute, the agency chief information officer should play a central role in all annual and multi-year planning, programming, budgeting, acquisition, and oversight processes related to IT. As such, the agency chief information officer should establish an enterprisewide technology roadmap and govern its execution. This requires the latitude to operate across agency component organizations and to drive the enterprisewide consolidation and modernization of the agency’s IT portfolio.”

One former federal IT executive said while putting the CIO in charge of cyber risk is consistent with Federal Information Security Management Act, it is inconsistent with industry trends and best practices.

Emails to the Office of Management and Budget asking for comment on the draft EO were not returned.

The biggest change the EO is proposing is around hiring authorities for IT staff.

“Within 60 days of the date of this order, the head of the Office of Personnel Management shall grant to each covered agency direct hiring authority for IT employees that meet the qualification standards for positions the agency CIO deems critical, enabling the CIO of each covered agency to hire, in an expedited manner, qualified individuals for a period not to exceed four years,” the draft EO states. “An agency may, at any given time, use this authority for not more than 25 percent of its IT workforce. Employees hired using this authority may not be transferred to positions primarily performing non-IT functions.”

OPM gave agencies in November new hiring authorities for positions such as cloud architecture; solutions architecture; and cloud migration from legacy hardware platforms to the cloud. Additionally, the CIO Council held a hiring fair in November to help address the shortage of qualified IT workers.

But this provision in the EO would expand those efforts both in terms of the types of workers and the length of time to use the authorities.

Several former executives say the administration should enforce the existing laws under the Federal IT Acquisition Reform Act (FITARA) and the Clinger-Cohen Act instead developing new policies.

“The EO fails to address the true problem plaguing CIO authorities, which is how money is appropriated in the first place,” said one of the former IT executives. “If IT dollars are appropriated directly to program accounts and bypass the CIO, then the CIO will remain nothing but a bystander during strategic agency decisions.”

And this brings back the fact that OMB and Congress have tried many times over the last 15 years to consolidate, boost and amplify CIO authorities, yet the systemic problems continue.

For instance, in 1996 the Clinger-Cohen Act codified the role of the CIO and the 2002 E-Government Act further clarified those requirements.

In August 2011, OMB further addressed CIO authorities, focusing on commodity IT purchasing.

President Barack Obama signed FITARA into law as part of the 2015 NDAA, and former Federal CIO Tony Scott issued implementation guidance in June 2015.

Addressing FITARA shortfalls

Despite these efforts, agency progress with FITARA, particularly with CIO authorities, has been inconsistent. In the latest FITARA scorecard, three agencies, including DoD, received a “F” grade on the CIO authorities section, and 12 CIOs still do not report to the secretary or deputy secretary of their agency.

The draft EO attempts to address many of those FITARA scorecard shortfalls, including requiring the “chief information officer of the covered agency [to report] directly to the agency head or the principal deputy of the agency head.”

The first former IT executive said they would’ve liked to have seen stronger language around CIO budget authority and the elimination of the “principal deputy” language in the reporting relationship.

“That preserves some historically awful relationships in places like DoT,” said the executive. “Also it seems like a missed opportunity to say what things the CIO is responsible for.  For example, is the CIO responsible for cybersecurity. What about the CISO role  within the agency?  Is the CIO responsible for data within the agency? What about the chief data officer?”

Additionally, the draft EO would require the department’s CIO to approve any and all bureau or subcomponent level CIO appointment.

The final two sections of the draft EO focus on IT governance and risk management.

First, the proposed order would require the component or agency CIO to have their performance plans aligned with the enterprisewide technology roadmap and be accountable to the CIO for executing on the strategy.

“[T]he head of each covered agency shall ensure that the chief information officer of the covered agency shall, at minimum, fulfill the role of voting member, and, where appropriate, chair, of any IT investment board of the agency, or any board responsible for setting agencywide IT standards,” the draft document states.

It’s unclear if the White House eventually will finalize the EO, and based on what the current draft, it’s unclear how much it even will help.

Reps. Will Hurd (R-Texas) and Gerry Connolly (D-Va.) may have the best approach of hauling non-IT executives before the Oversight and Government Reform Committee and asking them to explain their agency’s approach to IT management.

Read more of the Reporter’s Notebook.