Why being on GAO's High Risk List is good for federal IT

By putting the government's management of IT acquisitions and operations on the High Risk List, GAO has ensured it will finally get the attention it deserves.

The Government Accountability Office finally did it. "Improving the Management of IT Acquisitions and Operations" is now on the High Risk List, and GAO's latest report states that "federal IT investments too frequently fail to be completed or incur cost overruns and schedule slippages while contributing little to mission-related outcomes."

For those outside the federal government, this might appear to be just another auditor's report. But for those of us who served in government and were involved with items on the High Risk List, this is a significant development.

During my government career, I dealt extensively with two items on the list: IRS modernization (now off the list) and the need to strengthen the Department of Homeland Security's management functions. In both cases, there was intense congressional scrutiny, and significant attention shown by the Office of Management and Budget and the agencies that found their programs on the High Risk List.

Although agencies always grouse about it, I have found that having a program on the High Risk List focuses valuable attention and resources on systemic problems. One of the reasons for the grousing is that once a program is on the High Risk List, it is quite difficult to remove it. The IRS spent more than a decade maturing its acquisition and program management, and along the way demonstrated improved capabilities to deliver successful programs, before finally coming off the list in 2014.

And IT acquisition deserves that level of sustained attention. For decades, the government has been underperforming in its delivery of major IT programs. Deeply embedded cultural and skills issues must be addressed if we are to improve the government's scorecard in delivering IT programs. Those changes, while certainly doable, take sustained leadership over time to have a major positive impact.

In reviewing GAO's report, I was pleased to see that auditors documented a set of concrete evaluation criteria:

  • OMB and agencies should, within four years, implement at least 80 percent of GAO's recommendations related to the management of IT acquisitions and operations.
  • Agencies should ensure that a minimum of 80 percent of the government's major acquisitions deliver functionality every 12 months.
  • Agencies should achieve no less than 80 percent of the more than $6 billion in planned PortfolioStat savings, and 80 percent of the more than $5 billion in savings planned for data center consolidation.

Those are high bars, but GAO is not asking for perfection. And the targets are specific enough that an administration could drive action in each of the areas, set measurements and objectives by year, and track progress. The implied four-year time frame is aggressive but not impossible.

I do not know our new federal CIO, Tony Scott. Having come to the government from the private sector myself, I admire him for wanting to step into government and help. Yet I know how daunting the learning curve is -- core technologies and human nature might be the same, but there are significant differences between government and the private sector.

My advice to Scott is simple: Start by focusing on the proper implementation of the Federal IT Acquisition Reform Act (FITARA) to strengthen CIOs' authorities. If we have weak IT organizations, IT management will not improve. I also recommend focusing on addressing the three evaluation criteria listed above to set the foundation for removing federal IT acquisition from the High Risk List.

Success will likely not be realized for years beyond Scott's tenure. But he has a chance, even so late in the life of this administration, to make a real difference.