Mark Forman is executive vice president for Enterprise Optimization and Transformation at Dynamic Integrated Services, an information technology and management consulting firm. He was the administrator for the Office of E-Government and Information Technology in the George W. Bush administration.
It seems that every five or six years, there are calls to modernize federal information technology management laws. Information technology and methods evolve rapidly, while federal IT problems are chronic — cybersecurity, high project failure rates, too much money spent on operations and maintenance that choke funding for modernization, and poorly defined requirements in contracts and new development projects.
Having been a senior Senate committee staffer focused on management reform, I often heard complaints about management laws as being too restrictive or out of date with modern management concepts. I learned that those complaining usually do not read the actual laws or understand Congress’s intent. That said, it is fair to ask whether Congress should throw out the laws built across multiple generations of technologies and methods, and instead create new laws that reflect today’s technology and methods.
The heart of federal IT management law is an accountability framework requiring the executive branch to treat IT spending as an investment and information as an asset, while using IT to reduce paperwork burdens and improve cost-effectiveness of government operations. From Paperwork Reduction acts to the 21st Century Integrated Digital Experience Act and from Clinger-Cohen to the Federal Information Technology Acquisition Reform Act, IT laws have prescribed a consistent set of authorities and responsibilities for the Office of Management and Budget and Cabinet agencies. For example, Congress said agencies should have a chief information officer so that agencies would have a focal point for modernization and “information resource management.” The Federal CIO Handbook lists and explains the federal IT-related laws.
When you read these laws, you see themes reflecting Congress’s consistent concern that IT funding is not well spent because projects are not well managed, outdated systems consume so much funding that little is left for modernization, and agencies undervalue the importance of cybersecurity. Of course, the quality of IT management varies across agencies, but whether you consider the SolarWinds hack or the shutdown of the $16 billion Veterans Affairs electronic health record modernization program, one cannot ignore the dichotomy here. Congress repeatedly strengthens IT management laws because agencies have not successfully addressed the issues that created the need for the laws, and indeed, agencies continue to fight back on doing what Congress requires, such as the role of the CIO as envisioned by Congress. Moreover, agencies migrate to checklist approaches to do the minimum needed for compliance, rather than focusing on achieving the laws’ intended outcomes.
The Standish Group, a research advisory organization that focuses on software development performance, puts the success of government IT projects at 13%. It used to be about 25%. The Government Accountability Office reports that 21 of 24 Cabinet agencies have not fully implemented the IT reforms needed to improve accountability for IT spending, and IT issues relate to multiple items on the 2021 High Risk Programs list.
The heart of the Clinger-Cohen Act was shifting IT management from contract actions, as enshrined in the Brooks Act, to treating IT as an investment using a business case and technical expertise in a CIO organization. The heart of the E-Gov Act of 2002 was to shift agencies from being agency-centric to becoming citizen-centric, reflecting the fact that the public wanted to interact electronically with government like it did in the commercial world. It strengthened the concept of cross-agency integration around citizen needs, creating a federal CIO role using the title Administrator to be consistent with other management office titles in OMB. The Government Paperwork Elimination Act of 1999 mandated agencies use electronic signatures and forms, yet the real driver of agency adoption seems to have been the pandemic, not Congress.
The authors of both Clinger-Cohen and the E-Gov Act recognized that transformation projects are difficult to execute because government entities tend to embrace the status quo and fight change. Research done by Daniel Kahneman and others points to a concept called the planning fallacy. Kahneman wrote in “Thinking, Fast and Slow”:
When forecasting the outcomes of risky projects, executives too easily fall victim to the planning fallacy. In its grip, they make decisions based on delusional optimism rather than on rational weighting of gains, losses, and probabilities. They overestimate benefits and underestimate costs. … As a result, they pursue initiatives that are unlikely to come in on budget or on time or to deliver the expected returns — or even to be completed.
So, Congress included requirements for agencies to demonstrate that they could manage successfully both the IT and the business operating changes. People in the IT industry know that it is hard to get a successful product to market on time and budget. But finding companies willing to buy a new system and change their way of doing things is a lot harder than building the product.
A key planning fallacy in government is underestimating the difficulty of overcoming resistance to change. In fact, this issue may be the primary cause of poor requirements definition highlighted in government audit reports on failing projects. While the IT consulting industry has developed many ways to design a better user experience, any modernization initiative must consider how much operational change the agency will accept.
I have talked with many government executives who believe that simply implementing a modern IT system will remove the need to solve an underlying management problem. As the system is rolled out, people are told to adopt new ways of working. The employees or their unions fight the change, and executives either believe they can force the change on workers or customize the IT to revert to old ways of doing work, thereby eliminating planned gains. Kahneman’s research cautions us to be aware of the “delusional optimism” that is undoubtedly correlated with the Standish Group’s 13% success data.
Congress will always put controls on agencies when it doesn’t trust they will spend the money wisely. At the heart of the issue is that agencies want to do things their own way, but they do not have a good track record of doing so — and in the end it is not their money to spend as they want. But the IT laws do not specify what method agencies should use. It’s up to agencies to decide whether to use waterfall, DevSecOps, Software as a Service, or agile development to implement the project. Congress is focused on agencies having a robust modernization plan and solid business cases. Congress requires the agency’s technical expert, the CIO, to review and approve the business case.
A strong business case is one element of success that everyone seems to agree is needed for modernization investments. Clinger-Cohen and the E-Gov Act were fairly prescriptive about what constitutes a valid business case, with key elements being analysis of alternatives and risk-weighted benefit and cost estimates. The ITDashboard.gov data shows some agencies doing thorough business cases and some barely filling in a form. It’s not hard to guess which projects are over budget. Just to be clear here, if the Technology Modernization Fund’s $1 billion in new funding fits the averages, the government will have only about $130 million worth of success. Beating the planning fallacy of delusional optimism is key, and getting back to doing a strong business case is the best way to do this.
I would rather see less lawmaking and more accountability for IT modernization projects having a solid business case. It’s not about the laws or the technology. It’s always about the people who do the work.