What Keeps Fed CIOs Busy? Infosec
More Time Spent on IT Security Than Any Other TaskFederal chief information officers spent as much time on the job on cybersecurity matters than any other of their responsibilities, according to a Government Accountability Office report made public on Monday.
GAO, on the request of the Senate Homeland Security and Governmental Affairs Committee, surveyed 30 CIOs from major departments and agencies and discovered that, on average, they spent 14 percent of their time on IT security matters, more than any other function. They also averaged 14 percent of their time on responsibilities not dictated by federal law.
Information security is one of 13 responsibilities federal law requires departmental and agency CIOs to perform. Though each federal agency has a chief information security officer, a combination of three laws - Paperwork Reduction Act, Federal Information Security Management Act and Clinger-Cohen Act - make CIOs the executive responsible for IT security.
IT security is a responsibility all the surveyed CIOs believe they should have. Not so with another of the 13 responsibilities: privacy. The Paperwork Reduction Act tasks CIOs with ensuring agencies comply with the Privacy Act and related laws.
But only 60 percent of the CIOs survey said they were responsible for privacy compliance, down from 63 percent in 2004. The less than unanimous view about leading privacy initiatives can be attributed to the fact that privacy responsibilities are often shared with other agency officials. And, only 57 percent of the CIOs felt they should be held responsible. Sixty percent felt privacy was very important; 37 percent judged privacy as important.
The 13 areas federal laws say CIOs are in charge of: IT strategic planning; IT workforce planning; capital planning and investment management; information security; information collection/paperwork reduction; information dissemination; information disclosure; statistical policy and coordination; records management; privacy; enterprise architecture; e-government initiatives; and systems acquisition, development, and integration.
Budgeting Authority, or Lack Thereof
The GAO report also points out that CIOs don't always have sufficient control over IT investments, and often they have limited influence over the IT workforce, such as in hiring and firing decisions and the performance of component-level CIOs.
That's a fact that bothers the leaders of the Senate committee with IT oversight, who urged federal agencies to hand over more responsibility to their CIOs.
"We cannot continue to have schedule slips, poor mission-related results and millions of dollars in cost overruns," Sen. Susan Collins, R-Maine, Homeland Security and Governmental Affairs' ranking member, said in a statement. "The effectiveness of a CIO can make a significant difference on decisions regarding IT investments and issues. The vision of the Clinger-Cohen reforms has, in some cases, been subverted by bureaucratic maneuvering and turf battles."
Added committee Chairman Joseph Lieberman, ID-Conn.: "With the weakened state of the economy and the battle over the federal budget, missing any opportunity to operate government in a smarter, more efficient way is unacceptable."
