GAO-05-1017T, Veterans Affairs: The Critical Role of the Chief Information Officer Position in Effective Information Technology Management


This is the accessible text file for GAO report number GAO-05-1017T 
entitled 'Veterans Affairs: The Critical Role of the Chief Information 
Officer Position in Effective Information Technology Management' which 
was released on September 14, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 

GAO: 

Testimony before the Committee on Veterans' Affairs, House of 
Representatives: 

For Release on Delivery: 

Expected at 10:00 a.m. EDT September 14, 2005: 

Veterans Affairs: 

The Critical Role of the Chief Information Officer Position in 
Effective Information Technology Management: 

Statement of Linda D. Koontz: 

Director, Information Management Issues: 

GAO-05-1017T: 

GAO Highlights: 

Highlights of GAO-05-1017T, a testimony before the Committee on 
Veterans' Affairs, House of Representatives

Why GAO Did This Study: 

In carrying out VA’s mission of serving the nation’s veterans and their 
dependents, the agency relies extensively on information technology 
(IT), for which it is requesting about $2.1 billion in fiscal year 
2006. VA’s vision is to integrate its IT resources and streamline 
interactions with customers, so that it can provide services and 
information to veterans more quickly and effectively. 

Fully exploiting the potential of IT to improve performance is a 
challenging goal for VA, as it is throughout government. The Clinger-
Cohen Act of 1996 addressed this challenge by, among other things, 
establishing the position of chief information officer (CIO) to serve 
as the focal point for information and technology management within 
departments and agencies. 

The Committee requested that GAO discuss the role of CIOs in the 
federal government, as well as provide a historical perspective on the 
roles and responsibilities of VA’s CIO. In developing this testimony, 
GAO relied on its previous work at VA as well as on the CIO role across 
government, including a 2004 review of CIOs at major departments and 
agencies. 

What GAO Found: 

CIOs play a critical role in managing information and technology within 
federal agencies. According to GAO’s 2004 review, CIOs generally held 
wide responsibilities and reported to their agency heads or other top 
level managers. In general, CIOs reported that they were responsible 
for key information and technology management areas; for example, all 
the CIOs were responsible for five key areas (capital planning and 
investment management, enterprise architecture, information security, 
strategic planning for information technology and information resource 
management, and information technology workforce planning). However, in 
carrying out their responsibilities, the tenure of federal CIOs was 
often less than the length of time that some experts consider necessary 
for them to be effective and implement changes: the median tenure was 
about 2 years, and the most common response regarding time required to 
be effective was 3 to 5 years. In contrast, CIOs were generally helped 
in carrying out their responsibilities by the background and experience 
they brought to the job: most had background in information technology 
(IT) or related fields, and many also had business knowledge related to 
their agencies. Other factors that help CIOs meet their 
responsibilities include (1) being supported by senior executives who 
recognize the importance to their missions of IT and an effective CIO; 
(2) playing an influential role in applying IT to business needs; and 
(3) being able to structure their organizations appropriately. At the 
same time, CIOs cited several challenges, of which the two most 
frequently mentioned were implementing effective IT management and 
obtaining sufficient and relevant resources. 

Over time, the CIO position at VA, as well as information and 
technology management as a whole, has received increased attention at 
the department. After several years with CIOs whose primary duty was 
not information and technology management or who were serving in an 
acting capacity, the department appointed a full-time permanent CIO in 
August 2001. In 2002, the department proposed further strengthening the 
position and centralizing IT management, recognizing that aspects of 
its computing environment were particularly challenging and required 
substantial management attention. In particular, the department’s 
information systems and services were highly decentralized, and a large 
proportion of the department’s IT budget was controlled by the VA’s 
administrations and staff offices. To address these challenges, the 
Secretary issued a memo in 2002 announcing that IT functions, programs, 
and funding would be centralized under the department-level CIO. This 
realignment held promise for improving accountability and enabling the 
department to accomplish its mission. The additional oversight afforded 
the CIO could have a significant impact on the department’s ability to 
more effectively account for and manage its IT spending. 

www.gao.gov/cgi-bin/getrpt?GAO-05-1017T. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda Koontz at (202) 512-
6240 or koontzl@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Committee: 

Thank you for inviting us to take part in your discussion of the 
information technology organization at the Department of Veterans 
Affairs (VA) and the role of the Chief Information Officer (CIO). In 
carrying out its mission of serving our nation's veterans, the 
department relies heavily on information technology, for which it is 
requesting about $2.1 billion in funding for fiscal year 2006. The CIO 
will play a vital role in ensuring that this money is well spent and 
that information technology is managed effectively. As we have 
previously reported, an effective CIO can make a significant difference 
in building the institutional capacity that is needed to improve an 
agency's ability to manage information and technology and thus enhance 
program performance. 

At your request, we will discuss the role of CIOs in the federal 
government, as well as providing a historical perspective on the roles 
and responsibilities of VA's CIO. 

In developing this testimony, we reviewed our previous work in this 
area. All work covered in this testimony was performed in accordance 
with generally accepted auditing standards. 

Results in Brief: 

Since the Clinger-Cohen act established the CIO position in 1996, 
federal CIOs have played a central role in managing information and 
technology within federal agencies. According to CIOs at major 
departments and agencies, they generally held wide responsibilities and 
reported to their agency heads or other top level managers.[Footnote 1] 
In general, CIOs reported that they were responsible for key 
information and technology management areas; for example, all the CIOs 
were responsible for five key areas (capital planning and investment 
management, enterprise architecture, information security, strategic 
planning for information technology and information resource 
management, and information technology workforce planning). In carrying 
out these responsibilities, the tenure of federal CIOs was often less 
than the length of time that some experts consider necessary for them 
to be effective and implement changes: the median tenure was about 2 
years, and the most common response regarding time required to be 
effective was 3 to 5 years. In contrast, CIOs were generally helped in 
carrying out their responsibilities by the background and experience 
they brought to the job. Although their background was varied, most had 
background in information technology (IT) or related fields, many 
having previously served as CIOs; many also had business knowledge 
related to their agencies, having previously either worked at the 
agency or in an area related to its mission. Other factors that help 
CIOs meet their responsibilities effectively are described in 
guidance[Footnote 2] that we have issued; key among these are (1) being 
supported by senior executives who recognize the importance to their 
missions of IT and an effective CIO; (2) playing an influential role in 
applying IT to business needs; and (3) being able to structure their 
organizations appropriately. At the same time, CIOs cited several 
challenges, of which the two most frequently mentioned were 
implementing effective IT management and obtaining sufficient and 
relevant resources. 

Over time, VA has devoted increased attention to the CIO position and 
to IT management. After going for 2½ years after the passage of the 
Clinger-Cohen Act without a CIO, followed by 2 years with an executive 
whose time was divided among CIO and other major duties, and then 1 
year with an acting CIO, the department appointed a full-time permanent 
CIO in August 2001. Since then, the department proposed further 
strengthening the position and centralizing IT management, recognizing 
that aspects of its computing environment were particularly challenging 
and required substantial management attention. In particular, the 
department's information systems and services were highly 
decentralized, and a large proportion of the department's IT budget was 
controlled by the VA's administrations and staff offices. To address 
these challenges, the Secretary issued a memo in 2002 announcing that 
IT functions, programs, and funding would be centralized under the 
department-level CIO. In our view, this realignment held promise for 
improving IT accountability and enabling the department to accomplish 
its mission. The additional oversight afforded the CIO could have a 
significant impact on the department's ability to more effectively 
account for and manage its approximately $2.1 billion in planned IT 
spending. 

Background: 

VA comprises three major components: the Veterans Benefits 
Administration (VBA), the Veterans Health Administration (VHA), and the 
National Cemetery Administration (NCA).[Footnote 3] VA's mission is 
summed up in its mission statement, a quotation from Abraham Lincoln: 
"to care for him who shall have borne the battle and for his widow and 
his orphan." VA carries out this mission by providing benefits and 
other services to veterans and dependents. 

The department's vision is to be a more customer-focused organization, 
functioning as "One VA." This vision stemmed from the recognition that 
veterans think of VA as a single entity, but often encountered a 
confusing, bureaucratic maze of uncoordinated programs that put them 
through repetitive and frustrating administrative procedures and 
delays. The "One VA" vision is to create versatile new ways for 
veterans to obtain services and information by streamlining 
interactions with customers and integrating IT resources to enable VA 
employees to help customers more quickly and effectively. This vision 
will require modifying or replacing separate information systems with 
integrated systems using common standards to share information across 
VA programs and with external partner organizations, such as the 
Department of Defense. Accordingly, effective management of its IT 
programs is vital to VA's successful achievement of its vision and 
mission. 

Table 1 shows a breakdown of VA's approximately $2.1 billion IT budget 
request for fiscal year 2006. Of the total, VHA accounted for 
approximately $1.8 billion, VBA approximately $150 million, and the 
National Cemetery Administration (NCA) approximately $11 million. The 
remaining $84 million was allocated to the department level. 

Table 1: Breakdown of VA's Fiscal Year 2006 Information Technology 
Budget Request (in millions): 

Organization: VHA; 
Request: $1835; 
Request: 88%. 

Organization: VBA; 
Request: $150; 
Request: 7%. 

Organization: NCA; 
Request: $11; 
Request: <1%. 

Organization: Department; 
Request: $84; 
Request: 4%. 

Total; 
Request: $2080. 

Source: GAO analysis of VA data. 

[End of table]

CIO Plays Major Role in IT Management: 

The Congress has long recognized that IT has the potential to enable 
federal agencies to accomplish their missions more quickly, 
effectively, and economically. However, fully exploiting this potential 
presents challenges to agencies. Despite substantial IT investments, 
the federal government's management of information resources has 
produced mixed results. One of the ways in which the Congress has 
addressed this issue was to establish the CIO position; an agency's CIO 
serves as the focal point for information and technology management 
within an agency. 

Legislative Evolution of Agency CIO Role: 

For more than 20 years, federal law has structured the management of IT 
and information-related activities under the umbrella of information 
resources management (IRM).[Footnote 4] The IRM approach was first 
enacted into law in the Paperwork Reduction Act of 1980.[Footnote 5] 
The intention of the Congress was to provide for a coordinated approach 
to managing federal agencies' information resources, addressing the 
entire information life cycle, from collection through disposition, 
with the ultimate goal of improving the efficiency and effectiveness of 
government while reducing the "paperwork burden" on the 
public.[Footnote 6]

The 1980 Paperwork Reduction Act centralized governmentwide IRM 
responsibilities in the Office of Management and Budget (OMB), giving 
OMB specific policy-setting and oversight duties regarding individual 
IRM areas, such as records management, privacy, and the acquisition and 
use of IT.[Footnote 7] Agencies were given responsibility for carrying 
out their IRM activities in an efficient, effective, and economical 
manner in compliance with OMB policies and guidelines. The law also 
required that each agency head designate a senior official, reporting 
directly to the agency head, to carry out the agency's responsibilities 
under the law. 

In 1996, the Clinger-Cohen Act established the position of agency CIO 
by giving this title to the "senior IRM official" mentioned in the 
Paperwork Reduction Act and specifying additional responsibilities for 
this position.[Footnote 8] Among these responsibilities, the Clinger- 
Cohen act required that the CIOs in the 24 major departments and 
agencies[Footnote 9] have IRM as their "primary duty."[Footnote 10]

The view of the Congress as reflected in current law is thus that CIOs 
should play a key leadership role in ensuring that agencies manage 
their information functions in a coordinated and integrated fashion in 
order to improve the efficiency and effectiveness of government 
programs and operations. 

CIO Responsibilities and Reporting Relationships: 

Besides their statutory responsibilities, CIOs have other 
responsibilities that can contribute significantly to the successful 
implementation of information systems and processes. In July 2004, we 
interviewed 27 CIOs at major agencies[Footnote 11] on their roles, 
responsibilities, and challenges, among other things. For this report, 
we identified major areas of CIO responsibilities that were either 
statutory requirements or critical to effective information and 
technology management.[Footnote 12] Altogether, we identified the 13 
areas shown in table 2. 

Table 2: Major Areas of CIO Responsibility: 

Area of responsibility: IT/IRM strategic planning; 
Description: Performing strategic planning for all information and 
information technology management functions; 
Applicable laws: 44 U.S.C. 3506(b)(2). 

Area of responsibility: IT capital planning and investment management; 
Description: Planning and management of IT capital investments; 
Applicable laws: 44 U.S.C. 3506(h), 40 U.S.C. 11312 & 11313. 

Area of responsibility: Information security; 
Description: Ensuring agency compliance with the requirement to protect 
information and systems; 
Applicable laws: 44 U.S.C. 3506(g) and 3544(a)(3). 

Area of responsibility: IT/IRM human capital; 
Description: Helping agency meet IT/IRM workforce needs; 
Applicable laws: 44 U.S.C. 3506(b), 40 U.S.C. 11315(c). 

Area of responsibility: Information collection/paperwork reduction; 
Description: Reviewing agency information collection proposals to 
maximize the utility and minimize public paperwork burden; 
Applicable laws: 44 U.S.C. 3506(c). 

Area of responsibility: Information dissemination; 
Description: Ensuring that information dissemination activities meet 
policy goals such as timely and equitable public access to information; 
Applicable laws: 44 U.S.C. 3506(d). 

Area of responsibility: Records management; 
Description: Ensuring that agency implements and enforces records 
management policies and procedures under the Federal Records Act; 
Applicable laws: 44 U.S.C. 3506(f). 

Area of responsibility: Privacy; 
Description: Ensuring agency compliance with the Privacy Act and 
related laws; 
Applicable laws: 44 U.S.C. 3506(g). 

Area of responsibility: Statistical policy and coordination; 
Description: Performing statistical policy and coordination functions, 
including ensuring the relevance, accuracy, and timeliness of 
information collected or created for statistical purposes; 
Applicable laws: 44 U.S.C. 3506(e). 

Area of responsibility: Information disclosure; 
Description: Ensuring appropriate information access under the Freedom 
of Information Act; 
Applicable laws: 44 U.S.C. 3506(g). 

Area of responsibility: Enterprise architecture[A]; 
Description: Developing and maintaining the enterprise architecture 
defining the agency's mission and the information and IT needed to 
perform it; 
Applicable laws: OMB guidance. 

Area of responsibility: Systems acquisition, development, and 
integration[A]; 
Description: Controlling the acquisition, development, and integration 
of IT systems; 
Applicable laws: 44 U.S.C. 3506(h)(5), 40 U.S.C. 11312. 

Area of responsibility: E-government initiatives[A]; 
Description: Supporting initiatives to use IT to improve government 
services to the public and internal operations; 
Applicable laws: 44 U.S.C. 3506(h)(3), E-Government Act of 2002, other 
laws and guidance. 

Source: GAO analysis. 

[A] The last three areas of responsibility--enterprise architecture; 
systems acquisition, development, and integration; and e-government 
initiatives--are not assigned to CIOs by statute; they are assigned to 
the agency heads by law or guidance. However, in virtually all 
agencies, the agency heads have delegated these areas of responsibility 
to their CIOs. 

[End of table]

According to our report, CIOs were generally responsible for the key 
information and technology management areas shown in the table, 
although not all CIOs were completely responsible for all 
areas.[Footnote 13] For example: 

* All the CIOs were responsible for five areas (capital planning and 
investment management, enterprise architecture, information security, 
IT/IRM strategic planning, and IT workforce planning). 

* More than half had responsibility for six additional areas (systems 
acquisition, major e-government initiatives, information 
collection/paperwork reduction, records management, information 
dissemination, and privacy). 

* Fewer than half were responsible for two areas (information 
disclosure and statistics). 

It was common for CIOs to share responsibility for certain functions, 
and in some cases responsibilities were assigned to other offices. For 
example, systems acquisition responsibility could be shared among the 
CIO and other officials, such as a procurement executive or program 
executive; disclosure could be assigned to general counsel and public 
affairs, while statistical policy could be assigned to offices that 
deal with the agency's data analysis.[Footnote 14] Nevertheless, even 
for areas of responsibility that were not assigned to CIOs, agency CIOs 
generally reported that they contributed to the successful execution of 
the agency's overall responsibilities in that area. 

In carrying out their responsibilities, CIOs generally reported to 
their agency heads. The Paperwork Reduction Act--as well as our 
guidance[Footnote 15]--generally calls for CIOs to report to their 
agency heads,[Footnote 16] forging relationships that ensure high 
visibility and support for far-reaching information management 
initiatives. For 19 of the agencies in our review, the CIOs stated that 
they had this reporting relationship. In the other 8 agencies, the CIOs 
stated that they reported instead to another senior official, such as a 
deputy secretary, under secretary, or assistant secretary. In addition, 
8 of the 19 CIOs who said they had a direct reporting relationship with 
the agency head noted that they also reported to another senior 
executive, usually the deputy secretary or under secretary for 
management, on an operational basis. According to members of our 
Executive Council on Information Management and Technology,[Footnote 
17] what is most critical is for the CIO to report to a top level 
official. 

Tenure and Backgrounds of CIOs: 

Federal CIOs often remained in their positions for less than the length 
of time that some experts consider necessary for them to be effective 
and implement changes. At the major departments and agencies included 
in our review, the median time in the position of permanent CIOs whose 
time in office had been completed was about 23 months.[Footnote 18] For 
career CIOs, the median was 32 months; the median for political 
appointees was 19 months. To the question of how long a CIO needed to 
stay in office to be effective, the most common response of the CIOs 
(and former agency IT executives whom we consulted) was 3 to 5 years. 
Between February 10, l996, and March 1, 2004, only about 35 percent of 
the permanent CIOs who had completed their time in office reportedly 
had stayed in office for a minimum of 3 years. The gap between actual 
time in office and the time needed to be effective is consistent with 
the view of many agency CIOs that the turnover rate was high, and that 
this rate was influenced by the political environment, the pay 
differentials between the public and private sectors, and the 
challenges that CIOs face. 

In contrast, the CIOs interviewed for our report were generally helped 
in carrying out their responsibilities by the background and experience 
they brought to the job. The background of the CIOs varied in that they 
had previously worked in the government, the private sector, or 
academia, and they had a mix of technical and management experience. 
However, virtually all had work experience or educational backgrounds 
in IT or IT-related fields; 12 agency CIOs had previously served in a 
CIO or deputy CIO capacity. Moreover, most of the them had business 
knowledge related to their agencies because they had previously worked 
at the agency or had worked in an area related to the agency's mission. 

Success Factors and Challenges of CIOs: 

To allow CIOs to serve effectively in the key leadership role 
envisioned by the Congress, federal agencies must use the full 
potential of CIOs as information and technology management leaders and 
active participants in the development of the agency's strategic plans 
and policies. The CIOs, in turn, must meet the challenges of building 
credible organizations and developing and organizing information and 
technology management capabilities to meet mission needs. 

In February 2001, we issued guidance[Footnote 19] on the effective use 
of CIOs, which describes the following three factors as key 
contributors to CIO success: 

* Supportive senior executives embrace the central role of technology 
in accomplishing mission objectives and include the CIO as a full 
participant in senior executive decision making. 

* Effective CIOs have legitimate and influential roles in leading top 
managers to apply IT to business problems and needs. Placement of the 
position at an executive management level in the organization is 
important, but in addition, effective CIOs earn credibility and produce 
results by establishing effective working relationships with business 
unit heads. 

* Successful CIOs structure their organizations in ways that reflect a 
clear understanding of business and mission needs. Along with knowledge 
of business processes, market trends, internal legacy structures, and 
available IT skills, this understanding is necessary to ensure that the 
CIO's office is aligned to best serve agency needs. 

The CIO study that we reported on in July 2004 also provides 
information on the major challenges that federal CIOs face in 
fulfilling their duties.[Footnote 20] In particular, CIOs view IT 
governance processes, funding, and human capital as critical to their 
success, as indicated by two challenges that were cited by over 80 
percent of the CIOs: implementing effective information technology 
management and obtaining sufficient and relevant resources. 

* Effective IT management. 

Leading organizations execute their information technology management 
responsibilities reliably and efficiently. A little over 80 percent of 
the CIOs reported that they faced one or more challenges related to 
implementing effective IT management practices at their agencies. This 
is not surprising given that, as we have previously reported, the 
government has not always successfully executed the IT management areas 
that were most frequently cited as challenges by the CIOs--information 
security, enterprise architecture, investment management, and e- 
gov.[Footnote 21]

* Sufficient and relevant resources. 

One key element in ensuring an agency's information and technology 
success is having adequate resources. Virtually all agency CIOs cited 
resources, both in dollars and staff, as major challenges. The funding 
issues cited generally concerned the development and implementation of 
agency IT budgets and whether certain IT projects, programs, or 
operations were being adequately funded. 

We have previously reported that the way agency initiatives are 
originated can create funding challenges that are not found in the 
private sector.[Footnote 22] For example, certain information systems 
may be mandated or legislated, so the agency does not have the 
flexibility to decide whether to pursue them. Additionally, there is a 
great deal of uncertainty about the funding levels that may be 
available from year to year. 

The government also faces long-standing and widely recognized 
challenges in maintaining a high-quality IT workforce. In 1994 and 
2001, we reported on the importance that leading organizations placed 
on making sure they had the right mix of skills in their IT 
workforce.[Footnote 23] About 70 percent of the agency CIOs reported on 
a number of substantial IT human capital challenges, including, in some 
cases, the need for additional staff. Other challenges included 
recruiting, retention, training and development, and succession 
planning. 

In addition, two other commonly cited challenges were communicating and 
collaborating (both internally and externally) and managing change. 

* Communicating and collaborating. 

Our prior work has shown the importance of communication and 
collaboration, both within an agency and with its external partners. 
For example, one of the critical success factors we identified in our 
guide focuses on the CIO's ability to establish his or her organization 
as a central player in the enterprise.[Footnote 24] Ten agency CIOs 
reported that communication and collaboration were challenges. Examples 
of internal communication and collaboration challenges included (1) 
cultivating, nurturing, and maintaining partnerships and alliances 
while producing results in the best interest of the enterprise and (2) 
establishing supporting governance structures that ensure two-way 
communication with the agency head and effective communication with the 
business part of the organization and component entities. Other CIOs 
cited activities associated with communicating and collaborating with 
outside entities as challenges, including sharing information with 
partners and influencing the Congress and OMB. 

* Managing change. 

Top leadership involvement and clear lines of accountability for making 
management improvements are critical to overcoming an organization's 
natural resistance to change, marshaling the resources needed to 
improve management, and building and maintaining organizationwide 
commitment to new ways of doing business. Some CIOs reported challenges 
associated with implementing both changes originating from their own 
initiative and changes from outside forces. Implementing major IT 
changes can involve not only technical risks but also nontechnical 
risks, such as those associated with people and the organization's 
culture. Six CIOs cited dealing with the government's culture and 
bureaucracy as challenges to implementing change. Former agency IT 
executives also cited the need for cultural changes as a major 
challenge facing CIOs. Accordingly, in order to effectively implement 
change, it is important that CIOs build understanding, commitment, and 
support among those who will be affected by the change. 

Effectively tackling these reported challenges can improve the 
likelihood of a CIO's success. Until these challenges are overcome, 
federal agencies are unlikely to optimize their use of information and 
technology, which can affect an organization's ability to effectively 
and efficiently implement its programs and missions. 

Roles and Responsibilities of the CIO Position at VA Have Evolved over 
Time: 

Since enactment of the Clinger-Cohen Act in 1996, the roles and 
responsibilities of VA's Chief Information Officer have evolved.From 
lacking a CIO entirely, the department has taken steps to address the 
challenges posed by its multiple widespread components and its 
decentralized information technology and services. 

In June 1998, VA assigned CIO responsibility to a top manager.[Footnote 
25] However, we reported in July 1998[Footnote 26] that the person 
holding the CIO position at VA had multiple additional major 
responsibilities, as this person also served as Assistant Secretary for 
Management, Chief Financial Officer, and Deputy Assistant Secretary for 
Budget. According to the act, the CIO's primary responsibility should 
be information and technology management. Noting that VA's structure 
was decentralized, its IT budget was large, and its CIO faced serious 
information and technology management issues, we recommended that the 
Secretary appoint a CIO with full-time responsibilities for IRM. 
Concurring with the recommendation, VA established the position of 
Assistant Secretary for Information and Technology to serve as its CIO. 

As of May 2000, however, the position of Assistant Secretary for 
Information and Technology was vacant, and as we reported at the 
time,[Footnote 27] it had been unfilled since its creation in 1998. The 
Secretary then created and filled the position of Principal Deputy 
Assistant Secretary for Information and Technology, designating that 
person as VA's acting CIO until an Assistant Secretary could be 
appointed. The Secretary also realigned IRM functions within VA under 
this position, which reported directly to the Secretary. 

As we reported,[Footnote 28] the Principal Deputy Assistant Secretary 
was involved in IT planning issues across the department. In addition 
to advising the Secretary on IT issues, he served as chair of the 
department's CIO Council and as a member of the department's Capital 
Investment Board, and he worked with the CIOs in VBA and VHA (at the 
time, NCA had no CIO). According to this official, one of his 
priorities was to ensure that IT activities in VBA and VHA were in 
concert with VA's departmentwide efforts. 

In August 2001, VA filled the CIO position. In March 2002,[Footnote 29] 
we testified that this hiring was one of the important strides that the 
Secretary of Veterans Affairs had made to improve the department's IT 
leadership and management, along with making a commitment to reform the 
department's use of IT. 

On June 29, 2003, the CIO retired after a tenure of almost 2 years 
(about the median length of tenure for federal CIOs, as discussed 
above); the current CIO was confirmed in January 2004. 

Figure 1 is a time line showing the history of the CIO position at VA 
since the passage of the Clinger-Cohen Act. 

Figure 1: Time Line of CIO Tenure at VA: 

[See PDF for image]

Source: GAO. 

[End of figure]

VA Proposed to Realign its IT Organization in Response to IT Management 
Challenges: 

Our prior work highlighted some of the challenges that the CIO faced as 
a result of the way the department was organized to carry out its IT 
mission.[Footnote 30] Among these challenges was that information 
systems and services were highly decentralized, and the VA 
administrations and staff offices controlled a majority of the 
department's IT budget. For example, in VA's information technology 
budget for fiscal year 2002 of approximately $1.25 billion, VHA 
controlled about $1.02 billion (over 80 percent), whereas the 
department level controlled about $60.2 million (less than 5 percent). 

In addition, we noted that there was neither direct nor indirect 
reporting to VA's cyber security officer--the department's senior 
security official--thus raising questions about this person's ability 
to enforce compliance with security policies and procedures and ensure 
accountability for actions taken throughout the department. The more 
than 600 information security officers in VA's three administrations 
and its many medical facilities throughout the country were responsible 
for ensuring the department's information security, although they 
reported only to their facility's director or to the chief information 
officer of their administration. 

Given the large annual funding base and decentralized management 
structure, we testified that it was crucial for the departmental CIO to 
ensure that well-established and integrated processes for leading, 
managing, and controlling investments are commonplace and followed 
throughout the department. This is consistent with the finding in our 
CIO review that implementation of IT management practices was a 
challenge; over half of federal CIOs identified IT investment 
management specifically. 

Recognizing weaknesses in accountability for the department's IT 
resources and the need to reorganize IT management and financing, the 
Secretary announced a realignment of the department's IT operations in 
a memorandum dated August 2002. According to the memorandum, the 
realignment would centralize IT functions, programs, workforce 
personnel, and funding into the office of the department-level CIO. In 
particular, several significant changes were described: 

* The CIOs in each of the three administrations--VHA, VBA, and NCA-- 
were to be designated deputy CIOs and were to report directly to the 
department-level CIO. Previously, these officials served as component- 
level CIOs who reported only to their respective administrations' under 
secretaries. 

* All administration-level cyber security functions were to be 
consolidated under the department's cyber security office, and all 
monies earmarked by VA for these functions were to be placed under the 
authority of the cyber security officer. Information security officers 
previously assigned to VHA's 21 veterans integrated service 
networks[Footnote 31] would report directly to the cyber security 
officer, thus extending the responsibilities of the cyber security 
office to the field. 

* Beginning in fiscal year 2003, the department-level CIO would assume 
executive authority over VA's IT funding. 

In September 2002,[Footnote 32] we testified that in pursuing these 
reforms, the Secretary demonstrated the significance of establishing an 
effective management structure for building credibility in the way IT 
is used, and took a significant step toward achieving a "One VA" 
vision. The Secretary's initiative was also a bold and innovative step 
by the department--one that has been undertaken by few other federal 
agencies. For example, of 17 agencies contacted in 2002, 8 reported 
having component-level CIOs, none of which reported to the department- 
level CIO. Only one agency with component-level CIOs reported that its 
department-level CIO had authority over all IT funding. 

We also noted that the CIO's success in managing IT operations under 
the realignment would hinge on effective collaboration with business 
counterparts to guide IT solutions that meet mission needs, and we 
pointed out the importance of the three key contributors to CIO success 
described in our 2001 guidance (discussed earlier).[Footnote 33]

Although we have not reviewed the current status of this proposed 
realignment or VA's current organizational structure, it remains our 
view that the proposed realignment held promise for building a more 
solid foundation for investing in and improving the department's 
accountability over IT resources. Specifically, under the realignment 
the CIO would assume budget authority over all IT funding, including 
authority to veto proposals submitted from subdepartment levels. This 
could have a significant effect on VA's accountability for how 
components are spending money.[Footnote 34]

To sum up, the CIO plays a vital role in ensuring that VA's funds are 
well spent and in managing information technology to serve our nation's 
veterans. In our view, the realignment of VA's IT organization proposed 
in 2002 held promise for improving accountability and enabling the 
department to accomplish its mission. The additional oversight afforded 
the CIO could have a significant impact on the department's ability to 
more effectively account for and manage its proposed $2.1 billion in 
planned IT spending. 

Mr. Chairman, this concludes my statement. I would be pleased to 
respond to any questions that you or other members of this Committee 
may have at this time. 

Contacts and Acknowledgements: 

For information about this testimony, please contact Linda D. Koontz, 
Director, Information Management Issues, at (202) 512-6240 or at 
koontzl@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
statement. Individuals making key contributions to this testimony 
include Barbara Collier, Lester Diamond, Barbara Oliver, and Eric 
Trout. 

FOOTNOTES

[1] GAO, Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, GAO-04-823 (July 21, 
2004). 

[2] GAO, Maximizing the Success of Chief Information Officers: Learning 
from Leading Organizations, GAO-01-376G (Washington, D.C.: February 
2001). 

[3] VBA provides nonmedical benefits to veterans and their dependents; 
VHA provides services through the nation's largest health-care system; 
and NCA provides burial services in 115 national cemeteries. 

[4] IRM is the process of managing information resources to accomplish 
agency missions and to improve agency performance. 

[5] Pub. L. 96-511 (Dec. 11, 1980). 

[6] That is, the burden of responding to government information 
collections: forms, surveys, and questionnaires. 

[7] The 1980 Paperwork Reduction Act referred to this as "automatic 
data processing and telecommunications equipment," a term that has 
since been replaced by "IT."

[8] Pub. L. 104-106, February 10, 1996. The law, initially entitled the 
Information Technology Management Reform Act, was subsequently renamed 
the Clinger-Cohen Act in Pub. L. 104-208, September 30, 1996. 

[9] The 24 major departments and agencies are specified in 31 U.S.C. 
901. 

[10] The E-Government Act of 2002 reiterated agency responsibility for 
information resources management. Pub. L. 107-347, December 17, 2002. 

[11] The 27 agencies covered by our report were the Departments of 
Agriculture, the Air Force, the Army, Commerce, Defense, Education, 
Energy, Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, the Navy, State, 
Transportation, the Treasury, and Veterans Affairs; and the 
Environmental Protection Agency, General Services Administration, 
National Aeronautics and Space Administration, National Science 
Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development. 

[12] GAO, Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, GAO-04-823 (July 21, 
2004). 

[13] The acting CIO at VA at the time of the review responded that the 
CIO was responsible for all the activities except for statistical 
policy and coordination. 

[14] This is particularly the case in agencies that contain Principal 
Statistical Agencies, such as the Bureau of Economic Analysis 
(Department of Commerce), Bureau of Justice Statistics (Department of 
Justice), Bureau of Labor Statistics (Department of Labor), and others. 

[15] GAO, Maximizing the Success of Chief Information Officers: 
Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: 
February 2001). 

[16] The Homeland Security Act of 2002 states that the CIO for the 
Department of Homeland Security shall report to the Secretary of 
Homeland Security or to another official as directed by the Secretary. 
As allowed by the law, the Secretary has directed the CIO to report to 
the Under Secretary for Management. 

[17] This panel of industry, state government, and academic experts 
provides outside expertise to GAO on information technology issues. 

[18] We did not include acting CIOs in this calculation, unless the 
acting CIO was later put in the permanent position. We calculated 
tenure since the enactment of the Clinger-Cohen Act (1996). 

[19] GAO, Maximizing the Success of Chief Information Officers: 
Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: 
February 2001). 

[20] GAO, Federal Chief Information Officers: Responsibilities, 
Reporting Relationships, Tenure, and Challenges, GAO-04-823 
(Washington, D.C.: July 21, 2004). 

[21] See, for example, GAO, High-Risk Series: Protecting Information 
Systems Supporting the Federal Government and the Nation's Critical 
Infrastructures; GAO-03-121 (Washington, D.C.: Jan. 1, 2003); 
Information Technology Management: Governmentwide Strategic Planning, 
Performance Measurement, and Investment Management Can Be Further 
Improved, GAO-04-49 (Washington, D.C.: Jan. 12, 2004); Information 
Technology: Leadership Remains Key to Agencies Making Progress on 
Enterprise Architecture Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 
2003); and Major Management Challenges and Program Risks: A 
Governmentwide Perspective, GAO-03-95 (Washington, D.C.: January 2003). 

[22] GAO, Chief Information Officers: Implementing Effective CIO 
Organizations, GAO/T-AIMD-00-128 (Washington, D.C.: Mar. 24, 2000). 

[23] GAO, Executive Guide: Improving Mission Performance through 
Strategic Information Management and Technology, GAO/AIMD-94-115 
(Washington, D.C.: May 1, 1994) and GAO-01-376G. 

[24] GAO-01-376G. 

[25] Section 5604 of the Clinger-Cohen Act specifically created the 
position of Chief Information Officer at VA effective August 8, 1996. 
See 38 U.S.C. § 310. 

[26] GAO, VA Information Technology: Improvements Needed to Implement 
Legislative Reforms, GAO/AIMD-98-154 (Washington, D.C.: July 7, 1998). 

[27] GAO, Information Technology: Update on VA Actions to Implement 
Critical Reforms, GAO/AIMD-00-74 (Washington, D.C.: May 11, 2000). 

[28] GAO, Information Technology: Update on VA Actions to Implement 
Critical Reforms, GAO/AIMD-00-74 (Washington, D.C.: May 11, 2000). 

[29] GAO, Progress Made, but Continued Management Attention Is Key to 
Achieving Results, GAO-02-369T (Washington, D.C.: Mar. 13, 2002). 

[30] GAO, VA Information Technology: Important Initiatives Begun, Yet 
Serious Vulnerabilities Persist, GAO-01-550T (Washington, D.C.: Apr. 4, 
2001) and VA Information Technology: Progress Made, but Continued 
Management Attention Is Key to Achieving Results, GAO-02-369T 
(Washington, D.C.: Mar. 13, 2002). 

[31] The veterans integrated service network (VISN) is the basic 
budgetary and planning unit of the veterans health care system. Funding 
and other resources are distributed through the VISN. Each VISN covers 
a geographic area that encompasses a population of veteran 
beneficiaries. 

[32] GAO, VA Information Technology: Management Making Important 
Progress in Addressing Key Challenges, GAO-02-1054T (Washington, D.C.: 
Sept. 26, 200s). 

[33] GAO, Maximizing the Success of Chief Information Officers: 
Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: 
February 2001). 

[34] GAO, VA Information Technology: Progress Continues Although 
Vulnerabilities Remain, GAO/T-AIMD-00-321 (Washington, D.C.: Sept. 21, 
2000).