INTRODUCTION: The Legislative Basis for Improved IT Management
Initiative is doing the right thing without being told.
—VICTOR HUGO, FRENCH AUTHOR
Capital planning and investment control (CPIC) is a set of practices and procedures for managing the entire set of a government agency’s information technology (IT) resources as if it were a financial portfolio. It is a decision-making process for aligning investments with the agency mission; for selecting investments that are in the best interests of the agency as a whole; and for identifying, managing, and mitigating risk that causes projects to fail. CPIC establishes a mind-set of strategic thinking and stewardship that can, over time, become part of an agency’s organizational culture.
The ultimate objective of the CPIC process is to ensure maximum return on IT investment. The process requires establishing goals for the IT portfolio, ensuring that existing assets are performing well and providing a positive return on investment, and fully scrutinizing potential new investments to determine how they will perform individually and how they will fit in the portfolio as a whole. The CPIC process also ensures that the portfolio is diversified and that the portfolio risk characteristics are consistent with the organization’s risk-tolerance level.
Implementing an effective CPIC process often necessitates changes to an agency’s organizational culture—its long-established ways of doing business—especially with regard to adopting macro-level IT management practices, ensuring the availability of sufficient information for making decisions about each individual investment and the entire set of resources, and raising the level of discussion, dialogue, and decision-making to the agency level.
Federal CPIC Requirements
In the federal government, management reform gained significant attention during the mid-1990s as a series of large-scale IT projects suffered setbacks and, in some cases, turned into major disasters. The Clinger-Cohen Act of 1996 (initially known as the Information Technology Management Reform Act) instituted a number of sweeping changes designed to improve the overall return on investment for federal IT spending. To better align authority and responsibility for IT investments, the Clinger-Cohen Act established chief information officer (CIO) positions and designated the CIO as the senior IT official in each agency. It also mandated approaches for improving IT acquisition and management of large-scale projects.
Several significant factors led to enactment of the Clinger-Cohen Act:
Congress believed that the chief financial officer (CFO) positions that had been created by the Chief Financial Officers Act of 1990 were effective in improving financial management coordination and accountability within federal agencies, and that creating similar IT senior executive positions would address some underlying IT management problems.
Congress recognized that private-sector companies had successfully established CIO positions to provide improved IT management coordination and accountability.
A series of widely publicized cases of troubled large-scale IT projects and acquisitions had galvanized public pressure to improve IT management effectiveness in the federal government.
Appendix A presents a more comprehensive review of the legislation related to management reform.
The Clinger-Cohen Act had positive intentions. Although its origins were rooted in a response to past problems, the Clinger-Cohen Act set out a framework that acknowledged the increasing role and importance of IT as a federal business enabler. Congress recognized that IT had evolved from its early role as a means of making support processes more efficient to a preeminent, mission-critical role. Increased agency reliance on IT meant that it was time to reengineer IT management to ensure that investments aligned with agency missions and program objectives, that program managers were more involved and accountable for the successful use of IT, and that IT risk was managed more effectively so that initiatives could be completed within budget and on schedule—and do what they were intended to do.
Congress also recognized that technology was becoming more diverse and complex. IT stewardship had expanded to encompass a variety of more interconnected and interdependent technologies. IT budgets that had been on the rise for decades were beginning to represent a significant percentage of overall agency budgets and of the cost of doing business. Security and privacy issues also came to the forefront. In short, IT had become so embedded in day-to-day business operations that proper management required both technical and general business management expertise.
The Clinger-Cohen Act
Congress enacted the Clinger-Cohen Act in 1996. This legislation gained support in large part as a reaction to a series of high-dollar IT project failures that had occurred in the federal government during the late 1980s and early 1990s. Based on hearings, testimony, and analysis, Congress recognized that existing processes and approaches for managing large and complex IT projects were flawed and needed to be addressed to improve the success rates of IT projects.
Clinger-Cohen requires agencies to focus on the results achieved through IT investments by introducing a more rigorous and structured approach for funding and managing IT projects. It requires the establishment of an integrated IT architecture and a rigorous, fact-based decision-making and funding process for IT initiatives.
Congressional Intent: Increased Efficiency
Legislation is best examined by reviewing the intent of Congress when it enacts a law. Congress was determined to halt the string of expensive failed IT projects. It intended to do so by requiring that agencies have increased head-of-agency and senior management support, and that rigorous processes be established for selecting which investments to approve and fund, as well as for monitoring and controlling risk. Congress also expected explicit improvements in efficiency, directing agencies to achieve a 5 percent decrease in operations and maintenance costs and a 5 percent increase in agency operations efficiency each year.
Procurement
Congress also took steps to eliminate barriers and roadblocks to efficient procurement and acquisition. Clinger-Cohen removed the General Services Administration’s (GSA) control of the IT procurement process and transferred acquisition authority to the agencies. It also removed the GSA Board of Contract Appeals’ jurisdiction over IT procurement protests and effectively repealed the Federal Information Resources Management Regulations (FIRMR), which had imposed tight control over IT acquisitions.
Empowerment and Responsibilities
Clinger-Cohen empowers agencies in a variety of ways to “improve the acquisition, use, and disposal of IT by the federal government.” Each agency is directed to submit an annual report to Congress highlighting the program performance benefits achieved as a result of major capital investments in information systems and explaining how the benefits relate to the achievement of agency goals.
Agencies are required to develop a process for analyzing, tracking, and evaluating the risks and results of all major IT capital investments. The process must cover the life of each investment and include explicit criteria for analyzing projected and actual costs, benefits, and risks. The agencies must also conduct periodic reviews of information management activities to ascertain the efficiency and effectiveness of IT in improving their performance and accomplishing their missions.
Another key element of the legislation is use of the budget to enforce accountability for information resources management and investments in technology. Clinger-Cohen requires OMB to take several specific actions: (1) recommend increases or reductions in an agency’s IT budget, (2) use administrative controls to restrict the availability of agency funds, and (3) designate an executive representative from within the agency to contract with private sources for the agency’s management and acquisition of IT resources.
Agency Responsibilities
Recognizing that senior leadership needs to be actively involved in major IT investments, Clinger-Cohen requires that an agency provide a means for senior management to obtain timely information on the progress of IT investment in terms of cost, the system’s capability to meet requirements, timeliness, and quality. The process must include quantification of projected net risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems projects.
To reinforce the seriousness of IT management reform, agencies are required to integrate the IT investment process with processes for making budget, financial, and program management decisions. They are directed to ensure that performance measures are established and that the measures describe how well IT supports agency programs. Mission-related and administrative processes are to be revised, as appropriate, before making significant IT investments to support those missions (i.e., don’t automate a bad process).
Clinger-Cohen requires that policies and procedures be established, in consultation with the CIO and CFO, to ensure that (1) accounting, financial, and asset management systems and other information systems are developed and used effectively to provide financial information or program performance data for the agency’s financial statements; (2) performance data are reliable and available when needed; and (3) the financial statements support the assessment and revision of agency processes and performance measurement.
Chief Information Officer Responsibilities
Clinger-Cohen instructs agency CIOs to provide advice and assistance to agency heads and senior officials to ensure that IT is acquired and managed in accordance with the act. They are expected to develop, maintain, and facilitate the integration of a sound and integrated IT architecture; to monitor the performance of IT programs and evaluate results based on established performance measures; and to advise the agency head regarding whether to continue, modify, or terminate a program or project.
Other Provisions
Clinger-Cohen includes a series of additional provisions. The Secretary of Commerce is required to set minimum information security standards based on guidelines developed by the National Institute of Standards and Technology (NIST); agencies are also permitted to set standards that are more stringent than the minimum NIST requirements. Agencies, to the maximum extent practicable, are instructed to use modular contracting for acquisitions of major IT systems. Under modular contracting, a major system acquisition is divided into several smaller acquisition increments. This provides several benefits, including easier management, incremental achievement of IT objectives, opportunities to evaluate progress and make go/no-go decisions before proceeding, and an opportunity to take advantage of technological innovation as it emerges and matures.
Implementing Clinger-Cohen: From Law to Regulation
OMB took immediate action following the enactment of the Clinger-Cohen Act. In October 1996 Franklin Raines, then OMB director, issued first an initial brief memorandum and then a more detailed OMB technical memorandum (M-97-02) entitled “Funding Information Systems Investments.” The contents of the two memos, which provided guidance for agency IT purchases, became known as the “Raines Rules.” The rules provided immediate, albeit brief, guidance for complying with Clinger-Cohen, instructing agencies to do the following:
Support core/priority mission functions that must be performed by the federal government
Undertake an IT project because no alternative private-sector or governmental source can efficiently support the function
Support work processes that have been simplified or redesigned to reduce costs, improve effectiveness, and maximize use of commercial off-the-shelf technology
Demonstrate a projected return on investment that is equal to or better than alternative uses of available resources
Be consistent with government-wide, agency, and bureau information architecture (which integrates agency work processes and information flow with technology to achieve the agency’s strategic goals) and specify standards that enable information exchange and resource sharing while retaining flexibility in the choice of suppliers and in the design of local work processes
Reduce risk by avoiding or isolating custom-designed components, by using fully tested pilots, simulations, and prototypes, by establishing clear measures and accountability for project progress, and by securing substantial involvement from program officials who use the system
Implement IT programs in phases as narrow in scope and brief in duration as possible, each of which solves a specific part of an overall mission problem and delivers an independent, measurable net benefit
Employ an acquisition strategy that appropriately allocates risk between the government and the contractor, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology
The Raines Rules provided operative guidance for agencies for four years until OMB developed a more comprehensive and enforceable process. The OMB guidelines were promulgated on November 28, 2000, in OMB Circular A-130, which provided specific guidance for improving IT management and implementing an IT CPIC process.
OMB Circular A-130
OMB Circular A-130 mandated sweeping changes in IT planning and management. Agencies are instructed to perform integrated planning throughout the life cycle of an IT investment. They are also required to use a CPIC process comprising several key elements:
Performing effective portfolio and investment planning
Making funding decisions using an investment management approach
Monitoring investment progress and controlling risk throughout the investment life cycle to improve return on investment
Periodically evaluating IT investments to assess their effectiveness and efficiency
Circular A-130 includes critical requirements related to implementing an enterprise architecture that aligns with the federal enterprise architecture (FEA), improving information security, and strengthening approaches for acquiring IT resources. The requirement to align the enterprise architecture with the FEA was problematic when A-130 was first published because an FEA had not yet been developed.
Other requirements of A-130 impact IT governance as well. For example, the head of each agency is assigned primary responsibility for managing agency information resources. Agency heads are required to ensure that their agencies implement all appropriate information policies, principles, standards, guidelines, rules, and regulations, and to appoint a CIO to carry out IT regulatory responsibilities. The CIO is directed to:
Be an active participant during all agency strategic management activities
Advise the agency head on information resource implications of strategic planning decisions
Advise the agency head on the design, development, and implementation of information resources
Monitor agency compliance with OMB Circular A-130
Develop internal agency information policies and procedures and oversee, evaluate, and periodically review agency information resource management (IRM) activities
Develop agency policies and procedures for timely acquisition of required information technology
Maintain an inventory of the agency’s major information systems, holdings, and dissemination products, an information locator service, a description of the agency’s major information and record locator systems, an inventory of the agency’s other information resources, and a handbook for persons to obtain public information from the agency
Implement and enforce records management policies and procedures, including requirements for archiving information maintained in electronic format
Ensure that the agency:
Cooperates with other agencies in the use of IT to improve the productivity, effectiveness, and efficiency of federal programs
Promotes a coordinated, interoperable, secure, and shared government-wide infrastructure that is provided and supported by a diversity of private sector suppliers
Develops a well-trained corps of information resource professionals
Use OMB Circular A-11 guidance to promote effective and efficient capital planning within the organization
Ensure that the agency provides budget data pertaining to information resources to OMB
It is easy, when reviewing these requirements, to overlook some of the nuances that OMB intended. When Circular A-130 was issued, many agencies did not fully appreciate the eventual substantial changes and level of effort associated with the new requirements. Years later, some agencies are still working to modify their IT governance approaches and to understand and comply with OMB requirements.
An IT capital planning and investment control process is a set of principles, practices, and procedures used by an organization to comply with OMB requirements. It involves planning and managing information systems using approaches that are similar to those used for other capital assets, such as buildings or equipment. Approaches involve justifying the feasibility of an investment in a new capital asset, identifying alternatives, and analyzing options individually and collectively with cost-benefit analysis methods. CPIC processes also include adjusting the asset cost and timetable for risks and ensuring that an effective, integrated project team (IPT) is assembled to acquire and manage the asset.
OMB Circulars A-130 and A-11 provide a rubric for implementing an effective CPIC process and evaluating progress. Despite implementation challenges, agencies have clear guidance from OMB and other resources, such as this book, to assist their ongoing efforts to ensure that agencies achieve maximum return on IT investments.