STATEMENT OF
DANIEL P. MATTHEWS
CHIEF INFORMATION OFFICER
U.S. DEPARTMENT OF TRANSPORTATION
BEFORE THE
COMMITTEE ON GOVERNMENT REFORM
U.S. HOUSE OF REPRESENTATIVES
April 21, 2005
Mr. Chairman and members of the Committee, thank you for the opportunity to appear today to discuss the Office of Management and Budget’s (OMB) “watch list.”
As the Department’s Chief Information Officer (CIO), I oversee the U.S. Department of Transportation’s (DOT) information technology (IT) investment guidance, cyber security and operational responsibility for the Departmental network and communications infrastructure. I also serve as the vice-chair of the Federal CIO Council.
As I begin my remarks let me stipulate that the OMB “watch list” is a management tool that DOT uses to gauge the effectiveness of our IT investment program. DOT recognizes that to comply with the Clinger-Cohen Act and other statutory requirements, external and internal oversight efforts necessitate creating “watch lists” for IT investments. OMB’s “watch list” happens to be well known throughout the Government, as it uses defined requirements in multiple categories to identify troubled programs and agency-wide challenges. OMB’s use of a published scoring approach creates a level playing field for Federal Agency initiatives. Any individual program in any Departmental Agency may have deficiencies in any one or more measurement categories. Over the last several years, DOT has significantly reduced the number of our programs on OMB’s “watch list.”
To address how OMB’s “watch list” has affected DOT’s operations, I noted that we use it as one of several critical management and oversight tools. DOT also uses Federal Information Security Management Act (FISMA) metrics, Inspector General and Government Accountability Office audit reports, and quarterly earned value management data reports to identify “at risk” programs.
What differentiates the OMB “watch list” and these other tools is that while unique concerns about an individual program may be raised in an audit report, the “watch list” through its use of defined requirements in specific categories provides a “same measure” view from program to program. In short this “same measure” view allows us to see where we perform well and where we need to concentrate our efforts in order to strengthen our stewardship of the IT investments made in DOT.
DOT’s internal IT management and oversight controls, including the OMB “watch list”, are used to designate under-performing investments as “at risk”. Either the Departmental Investment Review Board or the operating administration review board must review any “at risk” program. The reviewing board can direct corrective actions within a required timeframe, and can make a decision to modify, re-baseline, or possibly cancel the program.
Because the criteria for OMB’s “watch list” are applied across the Department’s investments, they help DOT focus on those critical program management issues that warrant agency-wide attention. For example, two years ago a significant number of DOT’s business cases found their way onto the “watch list” due to security weaknesses. DOT could have relied exclusively on FISMA-related metrics to increase management attention on our IT investments. Instead we used an accumulated effect approach, letting the business case scores, FISMA measures, and the weight of the President’s Management Agenda scorecard focus our attention on weaknesses, direct additional resources and guidance to resolve those issues, and ultimately to substantially alleviate the security weaknesses.
The “watch list” provides more than Department level visibility. Programs in and of themselves benefit from the measures inherent in the tool. For example the Department’s largest agency and the one with the most IT expenditures, the FAA, has programs that have been on the “watch list” and have therefore made changes. In particular, on April 18th, the Air Traffic Controllers Association (ATCA) kicked off its annual technical conference with a special session on the OMB Exhibit 300, the basis on which capital programs are assessed and by which they make their way either onto or off of the “watch list”.
At the ATCA meeting, a senior program manager indicated that being on the “watch list” forced him to be clearer about who the program’s customers were and how the program benefited those customers. That manager had to improve program justifications and results. Through the scoring process weaknesses identified in earned value management and life cycle costing required improved budgeting and planning. The manager responded by employing the “useful segments” approach to program planning. In effect, by being on the “watch list,” the program manager was forced to conduct a total program review – not just improve the business case to get off the “watch list.” This is an example of the “watch list” having a positive impact on an individual program manager. If we stack enough of these individual program success stories together we can drive better results from our IT investments across the Government.
As long as I am mentioning stacking these success stories together I offer the following suggestion, which I intend to pursue with OMB and the Federal CIO Council.
The Federal CIO Council can use agency-by-agency and subject area information to identify those agencies excelling, for example, in risk management and use those approaches as best practices. The Federal CIO Council would then focus efforts to help individual agencies struggling in this area implement these best practices. Programs on the “watch list” should be expected, encouraged and directed to reach out for best practices, adapt and implement them, and be therefore more inclined to operate effectively.
In conclusion, DOT believes OMB’s “watch list” is one important component of an overall management and oversight process which is valuable within the individual agencies and for OMB. From its cross agency perspective OMB sees the good and the bad. Let’s keep the “watch list” and capture from that process our best practices. It is my observation and experience at DOT, that OMB has been a willing and useful partner in helping more effectively manage our IT resources.
Again, I thank you for the opportunity to comment on this important topic and I look forward to answering any questions that you may have.