The Need to Improve Government IT: Lessons from Congress' Second Swing

From the processing of tax returns at the IRS, to payment of checks from the Social Security Administration, to advancing the state of science through supercomputers at the Department of Energy, to providing services to more than 10 million veterans at the Department of Veteran’s Affairs, these and many other services from federal government agencies can only be accomplished through IT.  IT is at the core of much of the government’s response to the current COVID-19 efforts.  Federal Chief Information Officers and their teams and colleagues have provided significant leadership in advancing IT, building on the efforts of the forerunners of the modern Internet based on Arpanet, an experimental groundbreaking network developed by DoD to share information amongst scientists.

For those of us that have worked in government IT or supported it as private contractors, we also have experienced the other side of the story.  Consistent and effective management and delivery of IT systems and services has eluded the federal government for decades.  The Government Accountability Office (GAO) and others have done multiple reports about waste and challenges to agencies in modernizing IT.  Troubled IT modernization programs, ranging from IRS modernization Healthcare.gov at CMS, speak to a set of systemic issues in government’s ability to consistently manage and deliver IT systems.

The complexity of stakeholder engagement and its importance in making change - Richard Spires describes this and other lessons learned!

New available technologies (such as cloud computing and in particular SaaS-based applications), and improved management disciplines (such as Agile and DevOps), have offered pathways for improvement.  Yet in 2017, GAO added “Improving the Management of IT Acquisitions and Operations” to its bi-annually updated “High Risk List” -- this add was not targeted at a particular agency, but at the whole of the federal government.  Further, GAO’s list reflects their finding that a number of other “High Risk List” items appear in part due to issues with successfully delivering IT systems and services.

The Root Causes

Much has been written about the issues with government IT.  Reflecting on my experiences as a Federal CIO and industry partner, I focus on a set of dynamics that constrain agencies’ ability to significantly improve their IT performance.

Most government agencies started leveraging IT and developing custom-built systems back in the 1960s and 1970s.  As new technologies and systems approaches became available over time, agencies added new IT components to address new needs, resulting in complex legacy system environments that have continued through mainframe computing, client-server architecture-based systems, and modern internet-based architectures.  Many commercial enterprises underwent the same evolution, but in government the scale and resulting complexity has been daunting.  When I served as the CIO of the IRS from 2004 to 2008, for example, I had responsibility for more than 350 individual IT systems that supported tax administration, and many of these individual systems were large and complex themselves.  This makes the IRS IT environment possibly one of the most complex anywhere in the world.

Layer on to this complexity the fact that most agencies are organized, managed, and funded by mission-oriented area and program, rather than technology function.  This reflects a programmatic perspective, but it also leads to a situation in which each mission area in an agency would work to create its own set of IT systems to meet its needs, resulting in a lack of  use of IT standards, shared IT infrastructure, or following IT best practices in program and project management.

The First Swing:  The Clinger-Cohen Act of 1996

The issue of government IT management needing to be improved has been discussed since the 1990s.  At that time, Representative William Clinger and Senator William Cohen passed a law that addressed the need for an empowered CIO at the agency level, along with other elements of the legislation to improve the overall management of IT (the Act is covered in greater detail in a related Stories post.

When I rejoined government in 2009 (this time as CIO of the Department of Homeland Security) I studied the Clinger-Cohen Act, and it was stunning to me to see the divergence between what the Act listed as CIO authorities versus the reality in the agency.  In many ways, the Act was being largely sidelined across the federal government for two reasons:

• First, while the Act addressed key elements to significantly improve government IT over time, agency cultures and the appropriations process did not change – most Federal CIOs had little practical control of IT investments – the agency CIO’s authority stemmed largely from the agency head’s level of support.
• Second, during 1997, both Senators Clinger and Cohen left Congress, with Representative Clinger retiring and Senator Cohen becoming the Secretary of Defense.The Act’s champions were gone, resulting in less oversight from Congress.

Congress’ Second Swing:  The FITARA Act of 2014

There was meaningful legislation passed during the early 2000s, most notably the E-Government Act of 2002, which authorized a government IT leader position at OMB as well as the Federal CIO Council, and 2002 security legislation (FISMA) that was updated in 2014 to addresses cyber security requirements and reporting – for more detail, see the related Stories post.  However, it took Congress almost two decades to revisit the issue of how to professionalize the management of IT at the agency level.

The leadership this time came from Representatives Darrell Issa (R, CA) and Gerry Connolly (D, VA), both of whom saw the potential for IT to better support government agency missions, as well as the inefficiencies and failures of government IT.  They crafted a bi-partisan bill called the Federal IT Acquisition Reform Act (FITARA), and garnered Senate support via Senators Tom Udall and Jerry Moran to get it passed in 2014.

Rich Beutel, who was at the time a senior staffer to Representative Issa, spearheaded work on the legislation.  He solicited input from numerous individuals and organizations to craft a bill to address many of the agency IT management issues.  At that time, in addition to my role as DHS CIO, I had taken on the role of Vice Chair of the Federal CIO Council.  I met a number of times with Rich, providing both personal input but also representing the collective views of agency CIOs across government.  Rich is a passionate advocate for improving government IT, and his leadership behind the scenes was instrumental in getting FITARA passed.

In early 2015, soon after the passage of FITARA, the Partnership for Public Service, a nonprofit organization that strives for a more effective government, convened a number of evening sessions to provide input to OMB on the guidance being prepared for agencies to implement FITARA.  At the time, Lisa Schlosser was Deputy Federal CIO and Luke McCormack served as Vice Chair of the Federal CIO Council and DHS CIO.  They led the sessions along with support from OMB staff.   A number of us in attendance had held senior leadership roles at OMB and in agencies, to include:  Dan Chenok, John Gilligan, Roger Baker, Jim Williams, Alan Balutis, Robert Shea, Casey Coleman, Dave Wennergren, Doug Criscitello, Pat Tamburrino, Gail Lovelace, and myself.  Dave Powner, who served as the lead IT auditor at GAO at the time, also attended.  There were spirited discussions over a series of meetings, helping to provide perspectives for OMB in crafting practical implementation guidance that was released in June, 2015 (“OMB Directive M-15-14: Management and Oversight of Federal Information Technology”).

FITARA substantially increases the authority of the agency CIO while also working to ensure IT management practices are instilled across an agency.   FITARA has also had consistent and strong Congressional oversight.  Representatives Issa and Connolly, and more recently Representative Will Hurd, have, with the support of GAO, implemented a Congressional FITARA Scorecard.   A letter grade is given to agencies in a number of IT categories, including data center consolidation, use of incremental development, enterprise sourcing, and cyber security.   An overall grade for an agency is then calculated and these scorecards are issued every six months, typically along with a hearing focused on the status of government IT.  These scorecards have had a meaningful impact on driving change as agencies work to improve their grades.  A GAO study issued in April 2019 outlines that more effective practices have improved agencies’ FITARA implementations.

Lessons and Next Steps

The recent improvement in managing government IT is evident as many more agencies consolidate their infrastructures and move to cloud computing, better leverage their enterprise buying power, and deploy applications much more rapidly via strategies including SaaS, Agile, and DevOps.  However, overall progress remains inconsistent, and even agencies with the best FITARA scores have more work to do.  The experience of FITARA shows that government leaders and stakeholders need to fundamentally reform and have agencies adopt best practices in IT management.

The American Council for Technology and Industry Advisory Council (ACT-IAC) is a non-profit government-industry group devoted to improving government through the use of technology.  I became involved in ACT-IAC  at DHS, and have remained so after leaving government service, serving as IAC Chair in 2018-19.   Once FITARA had passed, ACT-IAC undertook a project to augment the OMB guidance (M-15-14) for agency implementation.  I helped lead the group of more than 50 individuals from government and industry that volunteered for this project – including experts from general management, IT, cyber security, finance, human relations, and acquisition.

We developed a Government IT Management Maturity Model, a practical guide to help agencies assess progress in terms of their IT management maturity and what steps they can take to continue to improve.  This model outlines the attributes and best practices in each of six broad functions:

• Governance
• Budget Formulation and Execution
• Acquisition
• Organization and Workforce
• Program Management
• Cyber Security.

Last year, the model was updated to Version 2 with input from a number of agencies, most notably the Department of Agriculture, which has embraced the use of the model as part of its IT modernization initiative.   The model provides a practical resource for agencies moving forward.

Given the success of the Congressional FITARA Scorecard, similar metrics with oversight can continue to strengthen the presence and measurement of additional IT management best practices, such as those presented in the ACT-IAC IT Management Maturity Model.  The lessons of the past three decades and the FITARA experience show that there is no shortcut to improving the government’s ability to effectively manage and leverage IT.  This will take a sustained focus on instilling and maturing good management practices in each agency.