OMB Redefines Roles for Agency CIOs
IT Security Among Four Tasks CIOs Must Lead
Office of Management and Budget Director Jacob Lew issued a memorandum Monday outlining the new responsibilities, first suggested last December, when the administration issued a 25-point plan to reform government IT management (see OMB Unveils Data Center Consolidation, Cloud Plan).
"These reforms were developed to remedy what had become routine in Washington: IT projects running over budget, falling behind schedule, or failing to deliver promised functionality, hampering agency missions and wasting taxpayer dollars," Steven VanRoekel wrote in his first blog post as the federal government's new CIO (see Former Bill Gates' Aide New Federal CIO).
"This situation is no longer commonplace," VanRoekel said. "If you take a look at the achievements every CIO has already accomplished under the reform plan, they have fundamentally changed the way the federal government manages information technology. The memorandum will help CIOs deliver on key areas to drive results and yield an even greater impact."
The memo defines four main areas in which departmental and agency CIOs will take a lead role: information security, governance, commodity IT and program management.
Lew, who's VanRoekel's boss, said agency CIOs will be held accountable for lowering operational costs, terminating and turning around troubled projects and delivering meaningful functionality at a faster rate while enhancing the security of information systems. "These additional authorities will enable CIOs to reduce the number of wasteful duplicative systems, simplify services for the American people and deliver more effective IT to support their agency's mission," he said.
Federal law already designates the CIO as the official responsible for an agency's IT security. The memo states that the CIO, or a designated senior agency official, has the authority and primary responsibility to implement an agency-wide information security program and to provide information security for the information the agency collects and maintains and for the information systems that support its operations, assets and mission.
The memo said part of the cybersecurity program will include well-designed, well-managed continuous monitoring and standardized risk assessment processes, supported by so-called CyberStat sessions run by the Department of Homeland Security that examine how agencies are implementing them. "Taken together, continuous monitoring and CyberStats will provide essential, near real-time security status information to organizational officials and allow for the development of immediate remediation plans to address any vulnerabilities," Lew said.
As for governance, Lew said CIOs must drive the investment review process for IT investments and have responsibility over the entire agency IT portfolio, working with agencies' chief financial and chief acquisition officers. Under OMB's plan, the agency CIO will lead what it calls TechStat sessions, actionable meetings designed to improve line-of-sight between project teams and senior executives. Outcomes from these sessions must be formalized and followed up through completion, the memo said, with the goal of terminating or turning around one-third of all underperforming IT investments by June.
The memo, in addressing commodity IT, said agency commodity services often are duplicative and sub-scale. They include IT infrastructure (data centers, networks, desktop computers and mobile devices); enterprise IT systems (e-mail, collaboration tools, identity and access management, security and web infrastructure); and business systems (finance, human resources and other administrative functions).
The new plan calls on each agency CIO to pool purchasing power across the entire organization to drive down costs and improve service for commodity IT. In addition, the memo said, enterprise architects will support the CIO in aligning IT resources to consolidate duplicative investments and applications. "CIOs must show a preference for using shared services as a provider or consumer instead of standing up separate independent services," Lew said.
For their newly defined program management duties, the memo requires agencies to improve the overall management of large federal IT projects by identifying, recruiting and hiring top IT program management talent. CIOs also will train and provide annual performance reviews for those leading major IT programs, and will conduct formal performance evaluations of component CIOs, such as those overseeing IT in bureaus and sub-agencies. OMB will hold CIOs accountable for the performance of IT program managers based on their governance process and the IT Dashboard.
The OMB memo also said the Federal CIO Council's charter will be amended to reflect agency CIOs' new responsibilities, which Lew said would allow more effective development and management of shared services, cross-agency initiatives and governmentwide policy. "Just as CIOs are tasked to find and eliminate duplicative systems in their agencies," Lew said, "the council will seek opportunities to reduce duplication, improve collaboration and to eliminate waste across agency boundaries."