
TechAmerica's Twenty-Third Annual Survey of Federal Chief Information Officers

MAY 2013

Table of Contents

- Executive Summary
- About the Survey
- Budget
- Policy, Governance, and IT Management
- Acquisition
- Human Capital
- Mobility
- Cyber Security
- Conclusion
- Appendix A: List of CIOs Interviewed
- Appendix B: List of Interviewers

About the Sponsors


TechAmerica

TechAmerica is the leading voice for the U.S. technology industry, the driving force behind productivity growth and job creation in the United States, and the foundation of the global innovation economy. Representing approximately 1,200 member companies of all sizes from the public and commercial sectors of the economy, it is the industry's largest advocacy organization and is dedicated to helping members' top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels), and Asia (Beijing). Learn more at www.techamerica.org.

Grant Thornton LLP

Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Grant Thornton's Global Public Sector, based in Alexandria, Va., is a global management consulting business with the mission of providing responsive and innovative financial, performance management and systems solutions to governments and international organizations. We provide comprehensive, cutting-edge solutions to the most challenging business issues facing government organizations. Our in-depth understanding of government operations and guiding legislation represents a distinct benefit to our clients. Many of our professionals have previous civilian and military public sector experience and understand the operating environment of government. Visit Grant Thornton's Global Public Sector at www.grantthornton.com/publicsector.

Executive Summary
Each year TechAmerica and Grant Thornton LLP survey federal Chief Information Officers (CIO) on issues most affecting the community. CIOs had a lot to say about budget, policy and governance, acquisition, human capital, mobility, and cybersecurity.

Budget

The budget is the top concern of CIOs. While budget cuts drive CIOs to improve efficiency and spark innovation, they also hinder investments in modern technologies needed to support the mission. Today, more than 76% of IT spending goes to operations and maintenance (O&M) and infrastructure. As one CIO stated, "We should have moved off of legacy systems five years ago but we don't have the money to modernize the way our constituents want." This constraint is driving CIOs to look creatively at ways to save and reinvest by buying services rather than making risky, large, multi-year, capital investments. To do this, CIOs need an effective way to understand and manage IT costs and performance. But CIOs say they are not there yet.

Policy and Governance

Most CIOs say achieving true efficiencies will be just an aspiration until they have control and oversight over IT budgets, though a few cautioned against giving them complete control. We asked CIOs how they are implementing OMB's 25-point plan. More than 94% of respondents said they have or will deploy cloud services. They are also consolidating data centers and employing agile development, though slowly. CIOs are leveraging PortfolioStat, because they believe it gives them insight into the total scope of their IT.

Acquisition

Acquisition remains a major management challenge. As a risk to government operations, IT acquisition perennially appears on lists of major management challenges. However, CIOs are hampered by challenges facing the acquisition workforce and its overreliance on inappropriate acquisition strategies. CIOs want a faster process enabled by a workforce collaborating with CIOs and their program management counterparts.

Human Capital

Just like the budget, human capital remains a top concern. Experienced federal employees are retiring rather than living with no pay raises. Recruitment and retention lags CIO needs. Many CIOs suggest new hiring rules and tools to fix the talent problem. Despite these challenges, most CIOs did not anticipate a change in the nearly equal mix of Federal employees and contractor staff.

Mobility

Mobile devices are standard now, but CIOs are racing to keep up. As we approach the one-year anniversary of OMB's Digital Strategy, CIOs are increasingly relying on mobile platforms to equip their workers. CIOs say they need employees with mobility skills now, though mobility adds security and governance concerns, issues that have yet to be resolved. A number of agencies adopted bring-your-own-device (BYOD) policies, adding complex policy and governance questions.

Cyber Security

Bots, viruses, scareware, trojans, password crackers, phishing, keyloggers and malware are a few of the methods cyber villains use to attack federal agencies. Among the grim findings from CIOs surveyed is the rate at which attacks are replicating and evolving. Cyber security incidents continue to rise and they pose serious risks. Cyber attacks jumped 13% last year alone, so it is not surprising that Federal spending on cyber security would increase by $1 billion in fiscal year 2014 under President Obama's budget. Their magnitude is compounded by increasing sophistication. Among CIOs' greatest needs is a trained cyber workforce, exacerbating an already dire human capital situation. Cyber security threats are both external and internal, and while there are three times as many external threats as internal threats, internal threats can be more significant. So, CIOs report they have already begun working with the private sector to combat cyber threats more effectively.

Conclusion

IT is essential for every agency's operations, but to get its true benefits, it must be effective, cost efficient, secure, and well supported. CIOs must adapt to rapid and continuous evolution of technology with decreasing budgets, smaller and less prepared workforces, and ineffective acquisition support. Security threats add exponential challenges. Not a job for the faint of heart.


About the Survey


Purpose

TechAmerica has surveyed federal CIOs for 23 years. Through these surveys, top IT officials, oversight groups, and congressional staff share their views on challenges facing federal CIOs. As in past years, TechAmerica received outstanding support from the federal CIO community and from Grant Thornton LLP, which sponsored and supported this survey.

Methodology

We conducted this year's survey interviews during the late winter and early spring of 2013. This provides the IT community with a point-in-time assessment of the thinking of key federal IT opinion leaders. TechAmerica's Federal Committee, through its CIO Survey Task Group, conducted this year's in-person interviews. Teams of TechAmerica member firm interviewers met with 41 CIOs, information resources management officials, and congressional oversight committee staff. Throughout this report, we refer to them as CIOs. (See Appendix A for a list of those interviewed and Appendix B for the interviewers.) The CIO Survey Task Group selected interviewees based on their involvement in previous surveys, enterprise challenges, and relevance of IT to their organization's mission. This report reflects the thoughts and words of interviewees to the maximum extent possible. However, to preserve anonymity, no responses are attributed to specific individuals. Readers may download copies of this and prior surveys at www.grantthornton.com/publicsector under the heading public sector publications.

Top Concerns

We asked CIOs to identify their top concerns for 2013. As you can see in Figure 1, CIOs chose budget and people as their top two concerns. This is consistent with views expressed in other Grant Thornton-sponsored surveys. Cyber security ran a close third. While budget is always an issue, recent years have introduced a new threat: the never-ending reduction. CIOs were concerned about sequester as far back as 2011, and in 2013 it materialized. But, it is not over. The sequester is a full decade of budget cuts, paring spending through 2021. It does no good for CIOs to develop short-term solutions like deferring training and stretching out replacement cycles. They must completely rethink the way they operate and serve their customers.

Figure 1: CIOs' Top Concerns


Budget
Figure 2: Federal IT Spending, President's Budget, FY 2014

The federal government is adopting fiscal restraint not experienced in a generation. Figure 2 depicts IT spending as reported in the President's Budget.

CIOs Deal with Budget Realities...

Permanently smaller budgets motivate creative behaviors among CIOs and other government managers who depend on IT. Instead of treating budget reductions as a disease, CIOs are using cuts to enhance efficiency and spark innovation. Here are some examples:
- Taking an enterprise view of contracts and infrastructure to reduce redundancy
- Moving from long term implementation to more agile, focused buying "by the drink" through shared services
- Providing tablets to field staff instead of laptops, saving more than $2500 per employee
- Eliminating travel costs by deploying secure webinar capabilities
- Virtualization and cloud migration. One CIO said the move to cloud based email saved $20 million
- Standardizing desktop and laptop configurations in one agency reduced service costs 60%
- Using segment architecture to cut business intelligence platforms by 67%
- Consolidating applications, renegotiating commodity IT contracts, and eliminating or canceling underperforming projects.

CIOs criticized the mindless nature of sequester, which treated critical infrastructure projects and low priority ones the same. CIOs believe they can deal with a future where funding is lower, but they need flexibility to adjust to changes and priorities. "We need to increase the emphasis on realistic budget cuts vs. across the board cuts."

A number of CIOs identified multi-year appropriations as an easily implemented improvement to IT budgeting. They believe this matches the long timelines many IT projects need if they are to be implemented successfully. Some agencies and CIOs already have multi-year appropriations and they support the additional flexibility and increased certainty they provide.

Another CIO promoted the idea of Cut/Keep/Reinvest. As an alternative to spending one-year money at the end of the fiscal year on things they may not need, why not allow CIOs to keep a portion of their unused budget to reinvest, returning the remainder to Treasury? Many states have done this effectively.


...but there is only so much they can do.


Of course, smaller budgets don't always have a silver lining. We asked CIOs about new risks from budget cuts. Here are some things they shared:
- Less or no seed capital to support consolidation or innovation projects. Sometimes you have to spend money now to save more money later.
- Increased cyber security attacks or a major, sustained, undetected hack of agency systems.
- Increased hardware life cycles. The longer hardware goes between replacement, the greater the chance of catastrophic failure.
- Quality. Sometimes quantity can be maintained with the same or less funding, though quality often suffers.
- Keeping legacy systems operational. An obvious risk of deferring new systems is the need to operate expensive, higher maintenance legacy systems.
- Training. When agencies defer or eliminate staff training, it is harder to sustain the skills needed in an IT workforce.

So, where are we headed? CIOs understand the budget environment is in a prolonged no-growth phase, and they can deal with that reality as long as Congress makes reductions strategically and rationally. No one knows whether the next technology innovation will save or cost money; but in the interim, the CIOs are making the best of a bad situation.


Policy, Governance, and IT Management


Do CIOs have enough control over IT Spending?
Especially with declining budgets, most CIOs do not believe they can be responsible for how agencies invest IT funds if they do not control the IT budget. "You cannot be effective as a CIO until you have majority control," says one CIO. Yet most CIOs lack direct control over the bulk of IT spending. Figure 3 shows the average percentage of IT spending controlled by the Department CIOs, bureau CIOs, and program offices. CIOs agree these are rough estimates because understanding the true extent of IT spending is elusive.

Figure 3: Average Percent of IT Spending Controlled By:

OMB's memo, Chief Information Officer Authorities (M-11-29), was designed to enhance CIO authority. But 73% of respondents say it produced no change. One CIO described it as a "desired responsibilities" memo rather than an "authorities" one. On the positive side, 92% of respondents say they have a seat at the table when significant agency decisions are made, even if not directly related to IT.

Several CIOs support House Committee on Oversight and Government Reform Chairman Darrell Issa's draft bill, the Federal Information Technology Acquisition Reform Act (H.R. 1232), because they believe it will do more to enhance the authority of Department CIOs. Released for comment on September 20, 2012, the bill would require CIOs to approve agency spending on IT and the hiring of agency employees with IT responsibilities. The bill would consolidate authority in one CIO per Department. Bureaus, offices, or subordinate agency organizations could not have their own CIOs. The majority of respondents believe the bill would improve efficiency and accountability. The Department of Veterans Affairs CIO, who oversees Departmental IT spending, is a good example of the bill's proposed approach.

Some respondents, however, do not think "One size fits all" where IT budget authority is concerned. This is a politically sensitive issue and many powerful components oppose centralized CIO control. Different agencies have different structures. One respondent suggested a middle ground -- a mix of budget visibility, accountability, and responsibility. Another suggested that Departmental CIOs own infrastructure and spending on enterprise applications and software, while component CIOs and programs controlled spending on their mission applications. The debate over IT governance is just getting started.


How Are CIOs Spending Limited Dollars?


Figure 4 shows the average percent of IT spending by categories reported by the respondents.

Figure 4: Average IT Spending by Category

We were disappointed to see an average of 76% of IT spending on O&M and infrastructure. This investment to "keep the lights on" is akin to throwing money down the drain and constrains CIO efforts to modernize and protect against cyber threats. Money needed to innovate is not available. Despite attempts to adapt to a constrained budget environment, many CIOs felt "stuck in neutral," unable to deliver new, needed services to enhance achievement of agency mission.

Over 60% of CIOs do not feel confident in their ability to estimate and track IT expenditures. The cost of IT should not simply be the price of a piece of equipment or a software license. CIOs need cost models that provide the total cost of ownership for IT products and services. "A lot of IT spending is embedded in programs," one CIO says, "and it also varies by operating divisions." Improving CIO understanding of the total cost of operations and associated performance of IT investments is definitely an area in need of improvement.

Takeaways from the 25-Point Plan

While the 25-point plan is not driving agency IT priorities, it helped them identify areas of focus. Data center consolidation and cloud computing are two areas with staying power. Ninety-four percent of respondents said their agencies have or will adopt public or private cloud services. "I'm a big believer in the cloud," said one CIO, "because it allows the government to provision services faster and cheaper." Agencies see cloud computing as an opportunity to reduce government-owned data centers and provide hosting services more inexpensively because private sector data center availability and expandability is far superior to government's. Several Departments have or will employ enterprise level cloud contracts with a limited set of vendors. They envision a cloud broker model so customers can go to a web site to procure and access cloud services at will.

Respondents acknowledged many challenges to implementing cloud computing:
- Agencies have not figured out how to procure cloud with strategic sourcing, and most acquisition people do not understand cloud computing.
- CIOs say: Cloud is a big priority, but there are serious cost and security constraints preventing implementation across government.
- Some cloud providers new to the federal government are not aware of the impact of legacy applications.
- Cost cutting is freezing legacy applications, and that makes adopting cloud solutions harder.

Right now agencies are moving office tools such as email to the cloud. However, few agencies are moving large systems such as procurement, payroll, or human resources systems to the cloud. And, the reality is that moving to the cloud does not always save money.

PortfolioStat

In March 2012, OMB launched PortfolioStat, asking CIOs to examine their IT portfolios, identify common areas of spending, reduce duplication, and drive down costs. Agencies identified more than $2.5 billion in cuts. In its March 27, 2013 memo, Fiscal Year 2013 PortfolioStat Guidance: Strengthening Federal IT Portfolio Management (M-13-09), OMB asked agency heads to embark on PortfolioStat 2.0, which merged 30 reports and data collection requirements into just 3: (1) a progress report on agency strategic IT goals, objectives, and metrics, as well as any cost savings or cost avoidances from these efforts; (2) an Information Resource Management (IRM) Plan; and (3) the Enterprise Roadmap.

Some other comments on PortfolioStat:
- Strongly support PortfolioStat and believe it has potential, but it is too early to tell whether it will accomplish the goals.
- Agencies have not yet achieved the objectives of Clinger-Cohen to empower the CIO. PortfolioStat is another tool that can empower the CIO.
- Increased transparency was helpful. However, one thing that was not useful was comparisons with other agencies because those may not be apples-to-apples comparisons when no one has normalized the agency data.
- It is too early to say if PortfolioStat helps to rationalize IT. It has cut redundancy, but programs do not want to share applications on a functional level.
- PortfolioStat is establishing transparency and discipline in the acquisition process. It is requiring a culture change and better business cases.
- There are many holes, but one thing PortfolioStat has done is make us take a critical look at the things we do.
- Unfortunately, PortfolioStat is not consistent with how agencies report or manage IT acquisitions.


Most agree PortfolioStat puts CIOs on the path to better understanding how they spend and manage IT.

We explored whether agencies were using agile development methods, and all respondents said they were, though with varying degrees of maturity and success. Respondents said agile would help them reduce risks of investment in inefficient, long term IT programs. One organization said it developed agile acquisition guidelines to help procurement better understand how to buy IT in a more modular way. Other comments on agile suggested there are challenges to resolve. "Our staff lack the skills needed to oversee contractors' agile development." "Agile is good when an agency knows what it wants," said one respondent, "but it doesn't always provide a big picture roadmap needed to gauge progress." Regardless of the challenges, CIOs believe agile is here to stay and represents a move in the right direction.

Analytics and Big Data

Seventy-eight percent of respondents rated their level of maturity with analytics as 3 or less on a scale of 1 to 5, 5 being the most mature. CIOs cited a need for better approaches to analytics and improved dashboard capabilities. Others reported redundancy in analytic efforts across the enterprise and suggested the concept of a Business Intelligence Center of Excellence to reduce disparate use of analytics across the enterprise. Another CIO said the benefits of analytics were limited by the lack of ability to share data within and across organizations.

Many agencies shared common challenges with big data, including (1) how to clean existing data and migrate data silos into one place; (2) lack of a common authoritative source of data; (3) poor data quality; and (4) the need for policies and processes to tag and access data. One CIO said at an enterprise level many executives struggle to know "what data we have, why we have it, and how we can use it?"


Acquisition
Acquisition and the CIO

Acquisition remains a major management challenge and one that is foremost on the minds of CIOs. As a risk to government operations, information technology acquisition appears perennially on GAO's High-Risk List and Inspector General lists of major management challenges. However, concerns about the ability of the acquisition workforce to help CIOs with their major acquisitions and an apparent overreliance on the use of inappropriate acquisition strategies are not helping resolve these challenges. CIOs want a faster process enabled by a competent workforce collaborating with CIOs and their program management counterparts.

The Acquisition Workforce

Virtually every respondent indicated challenges remain with the acquisition workforce. "The key change needed is improvement in the acquisition workforce," one CIO said. That comment is also consistent with a recent survey of acquisition officers, 71% of whom believe acquisition workforce challenges have worsened over the last two years.

What needs to change to improve the acquisition workforce differed among respondents. CIOs said the acquisition workforce needed better training, greater understanding of information technology concepts and practices, and an improved partnership between IT and acquisition professionals. They also need to learn how to support the changing needs of IT users where we are moving from building and buying IT systems to buying "by the drink."

CIOs described several important initiatives to address acquisition workforce challenges. They mentioned as a positive development the fact that the Federal Acquisition Regulation now requires continuing education or refresh training as a condition of maintaining one's Federal Acquisition Certification for Contracting Officer's Representatives. The General Services Administration (GSA) is also working to create a comprehensive Acquisition Professional to look at the acquisition structure more holistically. In addition, GSA's Federal Systems Integration and Management Center may offer a model for centralizing the expertise necessary to support more complex IT acquisitions.

Acquisition Strategy

A key concern of CIOs was the ability of the acquisition workforce to tailor the acquisition strategy to the complexity of the IT project. Generally, CIOs responded that the acquisition workforce and the CIO need to collaborate on the appropriate acquisition strategy, though the previously mentioned weaknesses in the acquisition workforce make this difficult. One CIO said, "Acquisition professionals at my agency cannot seem to understand and approve anything out of the ordinary, which proves very frustrating."

Many IT procurements are, by their nature, long, complex, and expensive. They also often require highly technical, proven skills to ensure successful implementation. However, there is an increasing reliance on lowest price technically acceptable (LPTA) procurements, which, according to some CIOs, do not give agencies an adequate opportunity to factor value into the procurements. Too often, CIOs reported, LPTA is a default strategy that does not fit all acquisitions. "If we are buying a true commodity, LPTA may be appropriate, but otherwise it may not offer CIOs the best value," one CIO said. Another policy maker commented, "IT acquisition should be based on capabilities, not price."


The Future of IT Acquisition

When asked what lies ahead for IT Acquisition, CIOs gave a slight edge to an increased use of strategic sourcing for commodities. A close second was a greater reliance on the use of strategic sourcing for services, though there is a lack of clarity in how this will work. Strategic Sourcing is an initiative of OMB's Office of Federal Procurement Policy in which multiple entities pool their buying power so the buyers get greater value for their contracting dollar. Sixty percent of respondents expected to see continued growth in the use of multi-award blanket purchase agreements (BPAs) for buying IT services. All of these initiatives or activities seek to centralize buying in a select few places so the government can leverage its size and scope to get better value and price from its vendors.

A major legislative initiative that colored many CIO responses was legislation under consideration by the House Committee on Oversight and Government Reform. According to the Committee Chairman, Congressman Darrell Issa (R-CA), the legislation would establish a Federal Commodity IT Center to serve as a focal point for coordinated acquisition practices and the management of government-wide IT contracts. It would also designate certain agencies as the go-to centers for complex IT acquisition for other federal agencies, offering streamlined contracts and technical expertise. While not all CIOs were convinced of the need for legislation, many of the provisions address the very concerns many CIOs expressed.

Clearly, CIOs want a more nimble, responsive, tailored acquisition system and a talented acquisition workforce with whom they can partner to get the greatest value for the taxpayers' IT investment. Shared Services and increased use of BPAs are just a few of the tools that will help CIOs accomplish their mission. In addition, legislation may be coming to clarify lines of authority and enhance acquisition policies and practices.


Human Capital
As noted earlier in this report, CIOs named people, their workforce, as a top concern. This is consistent with previous federal CIO surveys and surveys of other government professionals.

IT Workforce Brain Drain

In March 2013, the Office of Personnel Management (OPM) released some startling statistics about the federal workforce: more than 10,000 employees, or twice what OPM predicted, had submitted retirement claims the previous month. An IT workforce assessment of more than 22,000 IT professionals by the CIO Council in April 2013 noted that the average age of cyber security employees was between 50 and 55. As one CIO said, "Forty percent of the Federal workforce is set to retire soon. How will the government attract the next generation of IT professionals?"

These statistics provide context for responses to three human capital questions we posed. We asked about recruiting, hiring, and training. One CIO said, "The biggest issue facing the federal workforce is that we cannot attract good talent. What college student is going to look at a public service job when salaries can be frozen for years?" Another CIO said, "We are hiring when we are able to, even with hiring freezes, sequestration, the fiscal cliff, and demotivating negative sentiment from the Hill. However, it is challenging and having a huge impact on morale." A few CIOs said they are working extra hard to try to retain their best people, but it is exceedingly difficult given the budget crisis and indecision in Washington. Government jobs used to offer security in a down economy, but this is no longer the case and is having a real impact on CIO recruitment and retention.

Many respondents cited problems with USAJobs, the government's primary recruitment website. They did not have resources or know how to use other mechanisms, and a few felt the lack of 21st century recruiting options and challenging federal hiring rules placed a further burden on their ability to recruit and retain the best and brightest.

This employment environment is causing CIOs to try new approaches to recruiting and retention. A number of CIOs cited increases in the use of interns through Student Pathways. This program offers streamlined developmental programs tailored to promote employment opportunities for students and recent graduates. Another approach was the Presidential Innovation Fellows program, which paired top innovators from the private sector, non-profits, and academia with top innovators in government. Together they would collaborate during focused 6-13 month "tours of duty" to develop innovative solutions to today's business challenges. CIOs also cited the Presidential Management Fellows program as a source of good talent.

Necessary Skills

We asked CIOs what skills were most important for their workforce and the extent to which their staff possessed those skills.

Figure 5: Skills Critical and Possessed

Figure 5 shows that 83% of CIOs rated program management as a critical or very critical skill. When asked whether their workforce possessed this skill, no CIO responded with a top rating, though all believed their workforce had average or slightly better than average program management skills. One agency CIO believed that program management skills and a solid program management office are essential to successful program execution. He advocated creating a Program Management Center of Excellence that could capture and share best practices and tools to support program execution across government. About 75% of respondents ranked problem solving as the second most critical or very critical skill, and about 72% ranked creativity and innovation as the third most critical or very critical skill. When asked the extent to which their workforce possessed this skill, however, no respondents provided a top score for problem solving and only 14% provided a top score for creativity and innovation.

The Future Workforce
We asked CIOs for their vision of the skills needed by the future workforce. One CIO said, "Innovative, proactive, and strategic with cost awareness from a business perspective." Respondents also indicated that the current mix of federal workers and contractors was nearly equal and they did not expect it to change, even though they are seeing more insourcing due to sequestration. We asked CIOs about their current ratios of federal employees to contractors. The responses ranged from 20% federal employees and 80% contractors to about 50-50. One respondent suggested that reliance on contractors will and must increase in a managed services model. Another suggested a goal of two-thirds federal workforce and one-third contractor. With this balance, CIOs could manage risk, get the work done, and allow for some discretionary funds to hire talented people. Another CIO cited favorably the flexible support and expertise offered by contractors complemented by the oversight and implementation by government staff. One CIO stated that program management support from contractors with technical expertise to serve as trusted advisor is in jeopardy. He feared that if this support went away, the government would risk a bigger total cost expenditure resulting from schedule delays or execution risk. He was concerned that, when contractors depart, the federal workforce does not necessarily have the skills to oversee complex IT projects, which increases risks substantially. Another CIO noted that agencies lacked the skills to oversee contractors' agile development. Agencies must solve this shortfall if they are to move from large, expensive multi-year IT modernization efforts to more modular projects that produce results quickly and manage costs effectively.

Dealing with Workforce Challenges
Respondents agreed with the need to reform federal hiring tools and rules to make it easier to recruit workers. Rules must offer pay and bonus flexibility, as well, so government can compete with industry for technical workers. Respondents noted that pay satisfaction is at its lowest level since 2004 based on the 2012 Federal Employee Viewpoint Survey. Other options noted by respondents included (1) building on the success of Student Pathways to expand the number of entrants into the program; (2) developing human capital strategy and IT career paths; (3) integrating agile certificate classes into the CIO staff job series; and (4) creating program management centers of excellence to support various program management disciplines.

Mobility
In 2011, for the first time, global smartphone shipments exceeded personal computers. By March 2012, 46% of American adults were smartphone owners, an increase from 35% in May 2011. According to GAO, while U.S. government agencies are not responsible for ensuring the security of individual mobile devices, several agencies are involved in activities designed to address and promote mobile security. Furthermore, with the premise of providing better services to the American people, in May 2012 OMB released a Digital Government Strategy to enable a mobile federal workforce to provide access to services, anywhere, anytime, on any device. Because of technological advances and increases in mobile services, mobile IT has risen to one of the top priorities and issues facing CIOs. Encompassing smartphones, tablets, and other devices, mobility has changed the way people access and use information, especially in the workplace. From inspecting public and governmental housing, to conducting the Census, to administrative mobile apps such as those used to record time and attendance, agencies are increasingly using this technology to achieve their missions. With the goal of ultimately providing improved information and services to the American citizen, mobility is in the forefront of federal CIO agendas. Specifically, with the next generation of mobile networks and services entering the federal workspace, the respondents noted that they are facing increasing challenges in deploying and securing mobile services and devices.

The Next-Generation of Mobility Services
As the next generation of mobile services emerges, CIOs are determining the resources and expertise they need to develop and support widespread deployment. A number of respondents noted the need for expertise in mobile application development. Respondents said that this need included personnel with the right skill sets, with an understanding of the agency's mission, in order to make decisions on which apps to pursue. A number of respondents also indicated the need for agency-level mobile strategies to govern the deployment of mobile services. One respondent said that while the agency has been actively using mobile devices for conducting work, a flexible mobile strategy would help the agency define ways that employees and customers can access systems. That strategy could also help identify how agencies can deliver public-facing information on mobile devices. In January 2012, the Federal CIO kicked off a campaign to solicit input from across government and industry to determine which areas should be included in a government-wide federal mobile strategy. The results gathered from this online public dialogue, combined with other efforts, such as a mobile strategy cross-government working group, resulted in OMB's Digital Government Strategy. In February 2013, the Federal CIO blogged that GSA was developing a government-wide mobile device management program.

With the increasing use of mobile devices and services, identifying potential and perceived security challenges and addressing those challenges has become increasingly important. Respondents described how they are working to overcome these challenges. For example, two respondents with large mobile workforces stated that employees use the same security policy they would use if they were connected to the agency network via desktop computers. The respondents acknowledged, however, their ongoing concern for data security on mobile devices. One respondent said that his agency was pursuing a container approach, with the focus on protecting the data rather than the mobile device. They could achieve this by data virtualization. Other respondents pointed to the use of built-in security on mobile devices, for example requiring passwords and having the ability to remotely wipe devices if stolen. While some respondents said that they have deployed mobile device management, others said that they were working to develop a policy or were meeting with mobile vendors and their own IT security staff to determine the best mitigation strategy. One CIO said that they were currently piloting a bring-your-own-device policy that required use of mobile device management software to ensure proper security controls. In September 2012, GAO reported that the Federal Communications Commission had also worked with mobile companies on several initiatives aimed at addressing mobile security vulnerabilities.

Bring-Your-Own-Device (BYOD) Policies and Governance
In addition to determining how best to secure mobile devices and services, CIOs have had to consider the impact on policy and governance procedures. This includes whether or not to implement BYOD policies and further expanding or creating new governance processes to encompass mobile application development.

Figure 6: Does your agency have a BYOD policy?

As you can see in Figure 6, about 52% of respondents said their agencies do not have BYOD policies; however, a number reported they were developing them. One respondent said current policy has been effective because of the generic way it was written. This accommodated the rapid pace of technological change without the policy becoming obsolete. This respondent also noted that the initiative's success hinged on up-front buy-in from unions. While some CIOs were able to implement a BYOD policy, others noted obstacles, in particular the inadequacy of security and the lack of device uniformity. In order to better govern the use of mobile devices, many respondents said that they either do not have a mobile application development process in place or are in the process of implementing one. A few respondents noted that their agencies are not yet at a point where mobile application development governance was applicable. One respondent said that like any other software development, if an office wants to create a mobile application, they must first develop and submit a business case.

Increased Use of Mobile Applications
While agencies are still defining mobile IT policies and governance, most respondents agreed that security was the greatest barrier to the increased use of mobile applications. In addition to security concerns, some respondents pointed to outdated technology or infrastructure as hindrances, as well as rapidly changing mobile technology. While there are obstacles to taking full advantage of mobile devices and applications, agencies have already been able to expand services and improve mission success. For example, one respondent said that, with mobile technology the agency was able to put out sensors that automatically sent information on an ongoing basis, rather than having personnel go out to a site and retrieve the information monthly. Another respondent pointed out that when they hit infrastructure limitations, they were able to continue meeting their mission objectives by providing mobile solutions, such as license plate readers or passport screening equipment.

Cybersecurity
Technological innovations are expanding to every element of life. Exploding at an even faster rate are cyber criminals lurking on the Internet, attacking everything from financial institutions, utilities, and transportation to government.

Emerging Threats
Does cyber security remain a leading challenge for federal CIOs? Absolutely! According to GAO, the number of incidents reported to the U.S. Computer Emergency Readiness Team by federal agencies increased by 782% from 2006 to 2012. This is not surprising because of the emphasis placed on technology; as a result, mobile platforms, BYOD, and social media are attractive targets for cyber villains. Figure 7 shows that 70% of respondents said in the last year alone they have seen as much as a 25% increase in cyber security threats. According to one CIO, There are many parallels between right now and the time right after 9/11 with all of the security threats. Cyber security is the new fundamental terrorism target. GAO and Inspector General reports have identified a number of key challenge areas in the federal government's approach to cyber security, including those related to protecting the nation's critical infrastructure.

Figure 7: Extent that threats increased in the last year (Based on number of incidents)

As cyber security evolves, so do the challenges facing cyber professionals. They must adapt and perform at a high level that allows them to identify and initiate quick responses to threats that change frequently in terms of scope and complexity. The government is acting quickly to understand cyber risk and vulnerability and hire staff to protect networks and systems. The need is now for a well-trained federal cyber security workforce to keep the U.S. safe. The CIO Council's 2012 Information Technology Workforce Assessment for Cyber Security, which provided a snapshot of government's cyber security workforce, reported the majority of the federal civilian cyber security professional population is above the age of 40. Some other key findings included information about the level of proficiency and training:
Proficiency: participants who had the lowest percentage meeting/exceeding optimal proficiency were in Digital Forensics, and participants who had the lowest percentage with advanced or expert proficiency were in Cyber Operations.
Training: participants indicated a training need in Information Assurance compliance, Vulnerability Assessment, and Management and Knowledge Management.

Exposing the Source
Are the majority of the attacks coming from external or internal sources? Two-thirds of the CIOs said external attacks are the most prevalent. However, just as troubling are those attacks that occur based on internal weaknesses by those who accidentally let these cyber villains into the network. One CIO said, "Spear-phishing is the top concern and the complexity is increasing." Another said that a majority of the attacks are anonymous hacking as opposed to social engineering. One CIO summed it up by saying, "The key issue is not compliance but commitment; people supersede technology." Another CIO commented, "An intelligence agency pointed out our vulnerability, and that was good work!" Figure 8 shows the allocation of external and internal threats according to CIOs.

Figure 8: Percent of threats that are external vs. internal

Anatomy of Effectiveness
We asked CIOs what they were doing to reduce internal threats. While half of the respondents were neutral about the effectiveness of education and training and communication, the other half of respondents believed that they were effective or very effective, as depicted in Figure 9.

Figure 9: Effectiveness to improve/reduce internal threats

Here is what CIOs are doing to manage the risks: Education and communication is the best tool to deal with it; I used it to create awareness through "did you know"-type blog entries in my former CIO job, and we have an annual National Institute of Standards and Technology (NIST) awareness day. Employees just click through the training and are not really paying attention. It is just a "check the box" exercise. This year we improved the graphics and animation to keep people's attention. We conducted a phishing exercise on employees; those who fell for it were directed to a page and told they had been phished. Then we provided some on-the-spot training and education. The reaction was actually very positive. About 15-20% of those receiving the e-mail took the bait. We also provide a fair bit of role-based training for those with security-related responsibilities. We're the only agency besides DoD that we know of who mandates professional certifications. Other methods include locking people out of systems if their training is not complete. The system lockout is effective in terms of getting the user's attention, but if a person with a high caseload, administrative rights, sensitive information processing rights, highly time-sensitive duties, etc., gets locked out, it may cause problems and interruptions to daily duties. Also, executives who get locked out are not especially pleased when this happens. In addition to continuous monitoring, we are rolling out Trusted Internet Connections (TIC). The majority of our traffic will be going through TIC by the end of the year. We are also rolling out Einstein. We use Homeland Security Presidential Directive-12 (HSPD-12), but that can vary by departments with some so diverse that effective use is difficult. I'm a firm believer that two-factor authentication is the key, and we need to drive towards that department-wide for key systems. One CIO said that virtualization has enabled them to reduce the number of security incidents they faced by 98%, and they are rated as the most secure/compliant component in their Department. Our contracts contain lengthy security clauses to ensure companies take steps to minimize risks to security.

Cost of Cyber Unveiled
Is current spending trending in the same direction as the number of attacks? Sixty-three percent of CIOs say spending has increased by up to 10% (Figure 10). According to one CIO, OMB holds regular Cyber Stat meetings and is aware of the increased costs of security. Another said at their agency, "Nine percent of all IT spending is on cyber." One CIO commented, "If Congress wants cyber security to be a priority it should set the right messages from the perspective of appropriating funds, because I don't control all the funding and I cannot direct it to this area." CIOs want legislation that authorizes the appropriation of funds for cyber security and provides it in the mission budgets. They also want to have control of the entire agency IT budget. CIOs want less oversight and paperwork compliance, and more funding for mandated initiatives.

Figure 10: Agency Percent increased spending on cyber security

New Rules of Engagement
Recently, the President signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which created a framework for government and private sector intelligence gathering on cyber attacks and threats to privately owned, critical national infrastructure. These are systems and assets, the injury or destruction of which would have a debilitating impact on security, national economic security, national public health, or safety. The Secretary of Homeland Security should use a risk-based approach to identify critical infrastructure where a cyber security incident could occur and cause catastrophic effects. However, commercial IT products and consumer IT services such as Microsoft, Google, Facebook, and Twitter are excluded. Working together, government and stakeholders who own and operate critical infrastructure need to produce a preliminary framework that meets the expectations of government and private industry and protects privacy and civil liberties. What agencies require is a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

We asked CIOs if Congress should modify policies to strengthen CIOs' cyber security posture. One CIO commented, Representative Darrell Issa has recently submitted the Federal Information Technology Acquisition Reform Act (FITARA) that would take component CIOs away from the operational organization and move them under the Department CIO. All of FITARA is not bad, but this takes some authorities and focus away from the operators, by not having them reporting to component leadership. I don't think this part is a good idea. Cyber security has changed a lot over the last 11 years since so it makes sense for Federal Information Security Management Act (FISMA) to evolve, as well. One CIO said, "FISMA needs to match new legislation." CIOs recommend getting rid of FISMA or updating it to focus on risk versus compliance of standards and guidelines (counting widgets or paper-based checklist) -- less about the procedures and more about whether they are effective. Many CIOs spoke about the importance of automated, continuous monitoring of security controls for real-time risk management.

CIOs recognize that things shift and change from a technology perspective, so it is important to focus on securing the information vs. securing devices. "Some are using a secure container approach on mobile devices," said one CIO. Containerization creates an encrypted data store on a device so that access to data requires secure authentication, independent of any other device setting or restriction. The contents remain inaccessible even if a device has no unlock passcode, no whole-device encryption, and no security policies. Securing data in a container also allows IT to wipe all business data from a personal device without affecting personal data or applications: contain the data, not the device. While cyber threats increase, policy and practice are racing to keep up. There is no greater imperative, but it remains to be seen whether we are up to the task.

Conclusion
Not surprisingly, the budget continues to be one of the top concerns of CIOs. The surprising message, a year after we heard that across-the-board budget cuts are thought to be the most feasible but least effective way to control costs, is that budgets are the impetus for trimming costs in areas where money was not allocated efficiently. For example, in the past, CIOs had a hard time consolidating data centers because, in many instances, program offices owned the data centers and funded them with appropriations beyond the CIOs' reach. With the emphasis on cost cutting, those program offices enlist the CIO to help with data center consolidation so they can save money and redirect it to mission delivery. Acquisition is a continuing challenge. CIOs cannot address major acquisition problems without an acquisition workforce up to the challenge. Acquisition's overreliance on the use of inappropriate acquisition strategies also affects CIOs. Although the Federal Acquisition Regulations have served agencies well for decades, it is time to take a fresh look at how agencies can access the talent of small, innovative firms. These firms have the needed technology to address an agency's mission, and agencies can procure this technology in days or weeks, rather than months or years. CIOs can also help agencies reduce the risk of complex IT acquisitions and streamline the procurement process so as not to burden companies, especially small ones, with complex and expensive responses to solicitations that may preclude the most qualified firms. CIOs can help their agencies leverage flexible contract vehicles adapted to agile development. One area where Congress could assist CIOs is with the budget and governance. Because Congress appropriates the vast majority of IT funds directly to programs, CIOs have little control over how the money is spent. In some large Cabinet-level agencies, CIOs control as little as one percent of known IT dollars.
By creating an IT Fund for IT infrastructure costs across agencies, or by appropriating IT infrastructure and cyber security costs to the agency CIO, Congress could help reduce duplication. This could also spur the consolidation of IT and prevent agencies from making duplicative IT investments. Cyber security continues to be a top CIO concern, and will likely always be. Nonetheless, it is refreshing to hear cyber security concerns are not severely impacting progress in the adoption of mobile technology. Mobile devices are increasingly used by government workers. CIOs recognize the need to leverage mobility to better deliver the agency's mission, attract the best employees, now connected at all times, and gain the appreciation of an increasingly tech-savvy citizenry that is demanding a dialogue with government in real-time.

There can be no doubt CIOs lead in challenging times. However, the silver lining is that CIOs are at the executive table and part of strategic agency decisions; they are becoming more and more trusted advisors in solving mission-critical, rather than just classic IT issues. By collaborating with Chief Operating Officers, Chief Financial Officers, Senior Procurement Executives, and the leadership in the program offices, CIOs are providing the value envisioned when the job was created almost two decades ago. There has been progress, but challenges remain!

Appendix A - List of CIOs Interviewed

Note: The titles and positions of the government officials listed below were current at the time they were interviewed.

Appendix B - List of Interviewers

Note: The organizations and companies of those listed below were current at the time the interviews were conducted.

Acknowledgements
We thank federal CIOs for participating in this year's survey. We also acknowledge the support and contributions of the sponsoring organizations and the time and expertise of the individuals listed below. To obtain copies of this report and the survey questionnaires, go to any of the websites listed below.

TechAmerica
601 Pennsylvania Ave, NW, North Building, Suite 600
Washington, DC 20004
www.TechAmerica.org
Trey Hodgkins, Senior Vice President, Global Public Sector Government Affairs

Grant Thornton LLP
Global Public Sector
333 John Carlyle Street, Suite 400, Alexandria, VA 22314
T 703.837.4400
www.GrantThornton.com/publicsector
George DelPrete, Principal

Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.
