OMB’s Recent CIO Memorandum: Clarifying and Reinforcing CIO Primary Responsibilities
Earlier this month, OMB Director Jacob Lew released a memorandum for the heads of all Federal Departments and Agencies, which focused on four areas for which all Federal Chief Information Officers (CIOs) have authority and “a lead role”: Governance, Commodity IT, Program Management, and Information Security. The Memorandum further reinforced responsibilities of the Federal CIO Council to manage the Federal IT portfolio across agency boundaries. The OMB action provides impetus for CIOs to leverage Administration initiatives in driving change in their agencies, and represents an important signal of support for the position from the Administration – especially notable in light of its issuance just as the new Federal CIO, Steve VanRoekel, was taking the reins from Vivek Kundra.
Last December, OMB released its “25-Point Plan” for IT reform. The plan, which has received significant attention from Government and industry, including in this space, outlined a set of initiatives that agencies and OMB are now implementing in order to improve the management of IT, and technology’s contribution to overall agency mission effectiveness. The Plan was developed in consultation with current and former Federal CIOs, and gave a very definite push to CIOs to take leadership in carrying out its content.
Historically, the role and authority of CIOs has varied greatly. The Clinger Cohen Act of 1996 codified the CIO position with certain basic requirements that applied to all agencies; Section 202 of the E-Government Act of 2002 clarified a number of those requirements, supplemented by OMB’s implementing guidance (Sec. 1.B). During and since that time, agencies have implemented the position differently both over time and in comparison to one another. This is not surprising – agencies differ in size, scope and culture, and until recently have also varied in their dependency on technology to achieve mission goals.
This last point, about agency dependency on technology, has shifted considerably over the last decade. The advent of social media, massive amounts of data available quickly from many sources, mobile devices everywhere, and cloud computing have increased the importance of technology to the information and services held and delivered by every agency and for every program. Whereas individuals may have viewed technology as unrelated to their core mission, and may have viewed Clinger Cohen and the E-Gov Act as compliance requirements with little relevance to program delivery, the world has changed in favor of IT as core to every entity – in the government and in the private sector. Given this change, it is clear that technology leaders must play a leadership role in how agencies carry out their business and serve their constituents.
This backdrop makes the August 8 OMB Memo quite meaningful. The Memo creates a common lexicon for CIO authorities, one that is premised on official Administration policy as defined by the 25-Point Plan. As such, it represents an important step forward for CIOs, and the CIO Council, in exercising their role as part of leadership structures. While agency-specific circumstances will still lead to differences in specific CIO positioning, it is now clear that the Administration will hold CIOs accountable for reducing costs, improving or eliminating problem projects, and accelerating implementation, by leading in five key areas:
- Governance: overseeing the agency’s IT portfolio.
- Commodity IT: consolidating the purchase of commodity services, including using enterprise architecture to identify and consolidate systems – importantly, this criterion also calls for CIOs to use shared services where possible, which builds on the shared services strategies called for in the 25-Point Plan.
- Program Management: hiring strong managers for major IT programs.
- Information Security: ensuring, either directly or through a CISO reporting to the CIO, that the agency provides sufficient security across all of its operations, whether conducted internally or externally on the agency’s behalf – including the increased use of continuous monitoring to improve timely situational awareness and response capabilities.
- Federal CIO Council: CIOs will work through the Council to manage cross-agency investments and shared services.
A point on information security: the Memo sends a clear signal that information security is part of the accountability structure for CIOs in their overall IT management role, rather than viewing security as a separate activity – which has led to too many systems being built in a way that does not incorporate security properly during system design. Since confidentiality of information is a key tenet of security, this also gives CIOs a role in ensuring that data privacy is treated similarly.
None of these responsibilities are new, in and of themselves – CIOs have them as part of their constellation of duties under Clinger Cohen and the E-Government Act. But they do signify a clear and manageable set of priorities for CIOs to act on – and do so via formal OMB policy, from the Director to Cabinet Secretaries and other Agency Heads. The Memorandum provides momentum for CIOs and the CIO Council to work with the new OMB leadership in managing IT well – as technology is now a mission-critical enabler for every agency and every program.