The Making of the CIO
"The Power of Team: The Making of a CIO," a seminal book written by the Department of the Navy Chief Information Officer (DON CIO) staff in 2002, is used throughout information technology (IT) classrooms across the services, and still remains relevant to the changing world of the CIO. Some fundamental points of the book are that CIO organizations need to stay on the leading edge of change, manage through change, and innovate so initiatives stay aligned to the changing technical environment. A dynamic staff, flexible and energetic, is best to tackle and accomplish the tasks associated with adapting to the ever evolving information environment.
By organizational standards, it was only a short time ago that the Clinger-Cohen Act of 1996 mandated the establishment of federal CIOs, and thus, the DON CIO. Later, the Secretary of the Navy established the two servicelevel DON Deputy CIOs, (Navy and Marine Corps). Several other laws (see the CIO responsibilities box) brought about the requirement to establish clear accountability for information resources management, and service subordinate command information officers (IOs) were created. During the last decade, command IO staffs have worked zealously to become established, grow, and finally, thrive.
The Evolving Role of the Command IO
As organizations continue to define and institute the appropriate workforce structure, they improve in mission effectiveness. It is an ongoing process to understand the organization’s value and seek improvements. The fourth quarter of the calendar year is always a good time for the CIO organization to pause and "take stock" of its accomplishments. Through review of "The Power of Team" (available via the DON CIO website) the command IO can see how the individual organization compares to those standards set back in 2002. In addition to a thorough retrospect, a healthy organization will also envision the future, review its successes and challenges, define its requirements to grow in the future, and look forward to change.
Command IOs have a responsibility to organize, expand and adjust their workforce to meet today's information environment. Because of the DON's increasing dependence on IT and command, control, communications, computers, combat systems and intelligence (C5I), the command IO position is even more relevant today than it was five or six years ago. In today's environment, command IOs may be involved in everything from information systems policy-making to advising on technical aspects of warfighting and mission planning, providing social networking rules, securing the Global Information Grid, protecting personally identifiable data and preparing IT budgets.
Metrics
The interest in metrics related to the services' ability to provide efficient and cost-effective support to the warfighter has never been greater than it is now. From the Federal Information Security Management Act (FISMA) to the White House's mandate for transparency in government, the services are on the verge of moving from monthly reporting to continuous monitoring.
Vivek Kundra, the first White House appointed CIO, has pledged to increase oversight on all agency IT investments. The Department of Defense (DoD) will not be exempt from this new review process. Service command IOs and their staffs are challenged by the need to adjudicate and balance command funding requirements for information sharing, user friendly tools and information assurance initiatives. Additionally, with the Secretary of Defense's direction to move the DoD toward a more efficient, effective and cost conscious way of doing business, service command IOs may be required to address these topics in a more resource-constrained environment.
Given the changing funding environment, service command IOs must take stock of their current efforts to manage their mission needs. The DON has established several enterprise electronic tools, such as the Department of the Navy Application and Database Management System (DADMS) and Department of
Defense IT Portfolio Repository-Department of the Navy (DITPR)-DON to manage IT projects.
However, for individual command initiatives, a clearly defined requirement, cost analysis and measurement toward progress through electronic means will show commanders and commanding officers that the command IO is not only a good steward of the organization, but a skilled IT program and business manager. The functional area managers, teaming with the command IOs, will validate individual program requirements and require extensive documentation to support additional requirements.
Howard Schmidt, the first White House cybersecurity coordinator, has pledged to have greater insight into the cybersecurity architecture of agency systems. Therefore, all CIOs, from the White House and the DoD CIO, to the DON and DON Deputy CIOs, to command IOs, may expect to provide more visibility into the security posture of IT systems.
The Office of Management and Budget guidance released in fiscal year 2010 stated that
FISMA reporting for agencies will follow a three-tiered approach: (1) Data feeds directly from security management tools; (2) Government-wide benchmarking on security posture; and (3) Agency-specific interviews. For DoD, this data will be electronically reported through several different service component electronic systems.
The Federal CIO’s Core Responsibilities
Regardless of heightened congressional oversight, CIOs need to attend to their core responsibilities which are to ensure information and information systems are designed, managed, disseminated, secured and protected to ensure privacy in a cost effective manner. CIOs are required to oversee the education and training of the Cyber/IT Workforce. This oversight comes with the task of ensuring increased training requirements are funded.
One way to reduce expenditures is to leverage strategic partnerships with law enforcement and intelligence communities to combine critical cybersecurity training, and this is being accomplished through an initiative with DON CIO and service staffs. However, command IO staffs will continue to budget for civilian cyber training while military training will be funded by the education and training commands.
Actions to Empower the Command IO
Real world requirements continue to put stress upon our command IOs. As the services continue to focus on cyber and cybersecurity, Congress is also working to determine cyber roles and authorities.
The National Defense Authorization Act for FY 2011 includes language that updates FISMA and establishes a National Office for Cyberspace in the Executive Office of the President. Throughout all of this, one thing is clear: Command IOs will be relied upon to have more stringent IT oversight and make “lean and mean” financial decisions so IT acquisition will go further in buying more capability.
Some tried and true actions which, if taken, can empower organizational command IOs and staffs are:
• Build a strong CIO organization with strategic planning, IT, cybersecurity, budget and workforce expertise;
• Consolidate and reuse IT infrastructure;
• Make metrics and continuous assessments your friend;
• Communicate and use social media to engage the organization;
• Be a good fiscal steward;
• Attract millennial workers to balance the heavily weighed “boomer” workforce;
• Assign everyone an individual development plan to ensure continuous learning; and
• Develop billet structures so civilian 2210s and military IT/C4 professionals are put in career paths that lead to CIO.
Going forward, command IO staffs should expect to continue to take stock of the evolving cyber landscape, embrace change, focus on providing the best value for the money and listen to customers’ needs. It is not enough to expand an organization’s IT business portfolio; command IOs must continuously develop both their own personal knowledge portfolio, as well as that of their staff.
The future DoD funding environment requires tomorrow’s workforce to be well-educated, decisive, and ready to work as a team. Metrics collected electronically will tell the story, and CIOs, while in a rapidly evolving environment, will be more accountable than ever before.
Mary Purdy has a GIAC Security Leadership Certification (GSLC) and is the cybersecurity/IA workforce management, oversight and compliance manager for the DON CIO Cyber/IT Workforce team.
CIO RESPONSIBILITIES
The Goldwater-Nichols Act of 1986
Directed the Secretary of the Navy to establish an office to conduct information management. The bill went on to say “no office or other entity may be established or designated within the Office of the Chief of Naval Operations or the Headquarters Marine Corps to conduct information management.”
Paperwork Reduction Act of 1995
Instructed agencies to designate a senior official responsible for carrying out the agencies’ information resources management activities to improve agency productivity, efficiency and effectiveness.
Clinger-Cohen Act of 1996
Requires processes to be developed for: capital planning, modular contracting, business process reengineering, training and IT workforce competencies, standards and architectures, performance and results-based management and strategic planning. This act establishes chief information officers for executive agencies.
Government Information Security Reform Act of 2000
Reconfirms the role of the CIO as the provider of the agency’s strategic view of architecture and cross-cutting security needs. Among other things, it states that federal agencies must designate a senior information security official.
National Defense Authorization Act for Fiscal Year 2011
Directs updates to the Federal Information Security Management Act (FISMA).