INTRODUCTION:The Legislative Basis for Improved IT Management

Initiative is doing the right thing without being told.

—VICTOR HUGO, FRENCH AUTHOR

Capital planning and investment control (CPIC) is a set of practices and procedures for managing the entire set of a government agency’s information technology (IT) resources as if it were a financial portfolio. It is a decision-making process for aligning investments with the agency mission; for selecting investments that are in the best interests of the agency as a whole; and for identifying, managing, and mitigating risk that causes projects to fail. CPIC establishes a mind-set of strategic thinking and stewardship that can, over time, become part of an agency’s organizational culture.

The ultimate objective of the CPIC process is to ensure maximum return on IT investment. The process requires establishing goals for the IT portfolio, ensuring that existing assets are performing well and providing a positive return on investment, and fully scrutinizing potential new investments to determine how they will perform individually and how they will fit in the portfolio as a whole. The CPIC process also ensures that the portfolio is diversified and that the portfolio risk characteristics are consistent with the organization’s risk-tolerance level.

Implementing an effective CPIC process often necessitates changes to an agency’s organizational culture—its long-established ways of doing business—especially with regard to adopting macro-level IT management practices, ensuring the availability of sufficient information for making decisions about each individual investment and the entire set of resources, and raising the level of discussion, dialogue, and decision-making to the agency level.

Federal CPIC Requirements

In the federal government, management reform gained significant attention during the mid-1990s as a series of large-scale IT projects suffered setbacks and, in some cases, turned into major disasters. The Clinger-Cohen Act of 1996 (initially known as the Information Technology Management Reform Act) instituted a number of sweeping changes designed to improve the overall return on investment for federal IT spending. To better align authority and responsibility for IT investments, the Clinger-Cohen Act established chief information officer (CIO) positions and designated the CIO as the senior IT official in each agency. It also mandated approaches for improving IT acquisition and management of large-scale projects.

Several significant factors led to enactment of the Clinger-Cohen Act:

ImagesCongress believed that the chief financial officer (CFO) positions that had been created by the Chief Financial Officers Act of 1990 were effective in improving financial management coordination and accountability within federal agencies, and that creating similar IT senior executive positions would address some underlying IT management problems.

ImagesCongress recognized that private-sector companies had successfully established CIO positions to provide improved IT management coordination and accountability.

ImagesA series of widely publicized cases of troubled large-scale IT projects and acquisitions had galvanized public pressure to improve IT management effectiveness in the federal government.

Appendix A presents a more comprehensive review of the legislation related to management reform.

The Clinger-Cohen Act had positive intentions. Although its origins were rooted in a response to past problems, the Clinger-Cohen Act set out a framework that acknowledged the increasing role and importance of IT as a federal business enabler. Congress recognized that IT had evolved from its early role as a means of making support processes more efficient to a preeminent, mission-critical role. Increased agency reliance on IT meant that it was time to reengineer IT management to ensure that investments aligned with agency missions and program objectives, that program managers were more involved and accountable for the successful use of IT, and that IT risk was managed more effectively so that initiatives could be completed within budget and on schedule—and do what they were intended to do.

Congress also recognized that technology was becoming more diverse and complex. IT stewardship had expanded to encompass a variety of more interconnected and interdependent technologies. IT budgets that had been on the rise for decades were beginning to represent a significant percentage of overall agency budgets and of the cost of doing business. Security and privacy issues also came to the forefront. In short, IT had become so embedded in day-today business operations that proper management required both technical and general business management expertise.

The Clinger-Cohen Act

Congress enacted the Clinger-Cohen Act in 1996. This legislation gained support in large part as a reaction to a series of high-dollar IT project failures that had occurred in the federal government during the late 1980s and early 1990s. Based on hearings, testimony, and analysis, Congress recognized that existing processes and approaches for managing large and complex IT projects were flawed and needed to be addressed to improve the success rates of IT projects.

Clinger-Cohen requires agencies to focus on the results achieved through IT investments by introducing a more rigorous and structured approach for funding and managing IT projects. It requires the establishment of an integrated IT architecture and a rigorous, fact-based decision-making and funding process for IT initiatives.

Congressional Intent: Increased Efficiency

Legislation is best examined by reviewing the intent of Congress when it enacts a law. Congress was determined to halt the string of expensive failed IT projects. It intended to do so by requiring that agencies have increased head-of-agency and senior management support, and that rigorous processes be established for selecting which investments to approve and fund, as well as for monitoring and controlling risk. Congress also expected explicit improvements in efficiency, directing agencies to achieve a 5 percent decrease in operations and maintenance costs and a 5 percent increase in agency operations efficiency each year.

Procurement

Congress also took steps to eliminate barriers and roadblocks to efficient procurement and acquisition. Clinger-Cohen removed the General Services Administration’s (GSA) control of the IT procurement process and transferred acquisition authority to the agencies. It also removed the GSA Board of Contract Appeals’ jurisdiction over IT procurement protests and effectively repealed the Federal Information Resources Management Regulations (FIRMR), which had imposed tight control over IT acquisitions.

Empowerment and Responsibilities

Clinger-Cohen empowers agencies in a variety of ways to “improve the acquisition, use, and disposal of IT by the federal government.” Clinger-Cohen Act, U.S. Public Law 104-208, September 30, 1996. Online at http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html (accessed December 2007). Each agency is directed to submit an annual report to Congress highlighting the program performance benefits achieved as a result of major capital investments in information systems and explaining how the benefits relate to the achievement of agency goals.

Agencies are required to develop a process for analyzing, tracking, and evaluating the risks and results of all major IT capital investments. The process must cover the life of each investment and include explicit criteria for analyzing projected and actual costs, benefits, and risks. The agencies must also conduct periodic reviews of information management activities to ascertain the efficiency and effectiveness of IT in improving their performance and accomplishing their missions.

Another key element of the legislation is use of the budget to enforce accountability for information resources management and investments in technology. Clinger-Cohen requires OMB to take several specific actions: (1) recommend increases or reductions in an agency’s IT budget, (2) use administrative controls to restrict the availability of agency funds, and (3) designate an executive representative from within the agency to contract with private sources for the agency’s management and acquisition of IT resources.

Agency Responsibilities

Recognizing that senior leadership needs to be actively involved in major IT investments, Clinger-Cohen requires that an agency provide a means for senior management to obtain timely information on the progress of IT investment in terms of cost, the system’s capability to meet requirements, timeliness, and quality. The process must include quantification of projected net risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems projects.

To reinforce the seriousness of IT management reform, agencies are required to integrate the IT investment process with processes for making budget, financial, and program management decisions. They are directed to ensure that performance measures are established and that the measures describe how well IT supports agency programs. Mission-related and administrative processes are to be revised, as appropriate, before making significant IT investments to support those missions (i.e., don’t automate a bad process).

Clinger-Cohen requires that policies and procedures be established, in consultation with the CIO and CFO, to ensure that (1) accounting, financial, and asset management systems and other information systems are developed and used effectively to provide financial information or program performance data for the agency’s financial statements; (2) performance data are reliable and available when needed; and (3) the financial statements support the assessment and revision of agency processes and performance measurement.

Chief Information Officer Responsibilities

Clinger-Cohen instructs agency CIOs to provide advice and assistance to agency heads and senior officials to ensure that IT is acquired and managed in accordance with the act. They are expected to develop, maintain, and facilitate the integration of a sound and integrated IT architecture; to monitor the performance of IT programs and evaluate results based on established performance measures; and to advise the agency head regarding whether to continue, modify, or terminate a program or project.

Other Provisions

Clinger-Cohen includes a series of additional provisions. The Secretary of Commerce is required to set minimum information security standards based on guidelines developed by the National Institute of Standards and Technology (NIST); agencies are also permitted to set standards that are more stringent than the minimum NIST requirements. Agencies, to the maximum extent practicable, are instructed to use modular contracting for acquisitions of major IT systems. Under modular contracting, a major system acquisition is divided into several smaller acquisition increments. This provides several benefits, including easier management, incremental achievement of IT objectives, opportunities to evaluate progress and make go/no-go decisions before proceeding, and an opportunity to take advantage of technological innovation as it emerges and matures.

Implementing Clinger-Cohen: From Law to Regulation

OMB took immediate action following the enactment of the Clinger-Cohen Act. In October 1996 Franklin Raines, then OMB director, issued first an initial brief memorandum and then a more detailed OMB technical memorandum (M-97-02) entitled “Funding Information Systems Investments.” Office of Management and Budget, “Technical Memorandum M-97-02: Funding Information Systems Investments,” October 25, 1996. Online at http://www.whitehouse.gov/omb/memoranda/m97-02.html (accessed December 2007). The contents of the two memos, which provided guidance for agency IT purchases, became known as the “Raines Rules.” The rules provided immediate, albeit brief, guidance for complying with Clinger-Cohen, instructing agencies to do the following:

ImagesSupport core/priority mission functions that must be performed by the federal government

ImagesUndertake an IT project because no alternative private-sector or governmental source can efficiently support the function

ImagesSupport work processes that have been simplified or redesigned to reduce costs, improve effectiveness, and maximize use of commercial off-the-shelf technology

ImagesDemonstrate a projected return on investment that is equal to or better than alternative uses of available resources

ImagesBe consistent with government-wide, agency, and bureau information architecture (which integrates agency work processes and information flow with technology to achieve the agency’s strategic goals) and specify standards that enable information exchange and resource sharing while retaining flexibility in the choice of suppliers and in the design of local work processes

ImagesReduce risk by avoiding or isolating custom-designed components, by using fully tested pilots, simulations, and prototypes, by establishing clear measures and accountability for project progress, and by securing substantial involvement from program officials who use the system

ImagesImplement IT programs in phases as narrow in scope and brief in duration as possible, each of which solves a specific part of an overall mission problem and delivers an independent, measurable net benefit

ImagesEmploy an acquisition strategy that appropriately allocates risk between the government and the contractor, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology

The Raines Rules provided operative guidance for agencies for four years until OMB developed a more comprehensive and enforceable process. The OMB guidelines were promulgated on November 28, 2000, in OMB Circular A-130, which provided specific guidance for improving IT management and implementing an IT CPIC process. Office of Management and Budget, Circular A-130 (Revised): Management of Federal Information Resources, November 28, 2000. Online at http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html (accessed December 2007).

OMB Circular A-130

OMB Circular A-130 mandated sweeping changes in IT planning and management. Agencies are instructed to perform integrated planning throughout the life cycle of an IT investment. They are also required to use a CPIC process comprising several key elements:

ImagesPerforming effective portfolio and investment planning

ImagesMaking funding decisions using an investment management approach

ImagesMonitoring investment progress and controlling risk throughout the investment life cycle to improve return on investment

ImagesPeriodically evaluating IT investments to assess their effectiveness and efficiency

Circular A-130 includes critical requirements related to implementing an enterprise architecture that aligns with the federal enterprise architecture (FEA), improving information security, and strengthening approaches for acquiring IT resources. The requirement to align the enterprise architecture with the FEA was problematic when A-130 was first published because an FEA had not yet been developed.

Other requirements of A-130 impact IT governance as well. For example, the head of each agency is assigned primary responsibility for managing agency information resources. Agency heads are required to ensure that their agencies implement all appropriate information policies, principles, standards, guidelines, rules, and regulations, and to appoint a CIO to carry out IT regulatory responsibilities. The CIO is directed to:

ImagesBe an active participant during all agency strategic management activities

ImagesAdvise the agency head on information resource implications of strategic planning decisions

ImagesAdvise the agency head on the design, development, and implementation of information resources

ImagesMonitor agency compliance with OMB Circular A-130

ImagesDevelop internal agency information policies and procedures and oversee, evaluate, and periodically review agency information resource management (IRM) activities

ImagesDevelop agency policies and procedures for timely acquisition of required information technology

ImagesMaintain an inventory of the agency’s major information systems, holdings, and dissemination products, an information locator service, a description of the agency’s major information and record locator systems, an inventory of the agency’s other information resources, and a handbook for persons to obtain public information from the agency

ImagesImplement and enforce records management policies and procedures, including requirements for archiving information maintained in electronic format

ImagesEnsure that the agency:

ImagesCooperates with other agencies in the use of IT to improve the productivity, effectiveness, and efficiency of federal programs

ImagesPromotes a coordinated, interoperable, secure, and shared government-wide infrastructure that is provided and supported by a diversity of private sector suppliers

ImagesDevelops a well-trained corps of information resource professionals

ImagesUse OMB Circular A-11 Office of Management and Budget, Circular A-11: Preparation, Submission, and Execution of the Budget, July 2007. Online at http://www.whitehouse.gov/omb/circulars/a11/current_year/a11_toc.html (accessed December 2007). guidance to promote effective and efficient capital planning within the organization

ImagesEnsure that the agency provides budget data pertaining to information resources to OMB

It is easy, when reviewing these requirements, to overlook some of the nuances that OMB intended. When Circular A-130 was issued, many agencies did not fully appreciate the eventual substantial changes and level of effort associated with the new requirements. Years later, some agencies are still working to modify their IT governance approaches and to understand and comply with OMB requirements.

An IT capital planning and investment control process is a set of principles, practices, and procedures used by an organization to comply with OMB requirements. It involves planning and managing information systems using approaches that are similar to those used for other capital assets, such as buildings or equipment. Approaches involve justifying the feasibility of an investment in a new capital asset, identifying alternatives, and analyzing options individually and collectively with cost-benefit analysis methods. CPIC processes also include adjusting the asset cost and timetable for risks and ensuring that an effective, integrated project team (IPT) is assembled to acquire and manage the asset.

OMB Circulars A-130 and A-11 provide a rubric for implementing an effective CPIC process and evaluating progress. Despite implementation challenges, agencies have clear guidance from OMB and other resources, such as this book, to assist their ongoing efforts to ensure that agencies achieve maximum return on IT investments.