Culture

NSA chief information officer role remains ‘ambiguous’

Failure to clarify the position's authorities and responsibilities means the agency might not be getting the most out of its IT, according to NSA OIG.

By Dave Nyczepir

January 24, 2020

The National Security Agency still hasn’t clearly defined its chief information officer’s authorities and responsibilities, according to an Office of the Inspector General report released Thursday.

While the OIG decided the issue didn’t warrant immediate reporting to the NSA director and Congress, the office did include an audit of CIO authorities in a list of significant problems, abuses or deficiencies for the spy agency. The analysis was part of the OIG’s broader semiannual report to Congress.

Federal agencies are required to appoint CIOs in compliance with the Clinger-Cohen Act of 1996 (CCA) and Office of Management and Budget’s 2011 memo outlining the role’s authorities. Generally speaking, CIOs are responsible for the oversight and management of their agency’s information technology.

“The issues identified in this audit increase the risk that the agency may continue to not fully meet the obligations of CCA and OMB M-11-29 and, therefore, may not be maximizing its effectiveness and efficiency in designing, investing in, acquiring, managing, and maintaining the full range of its IT,” reads the NSA report.

From April through September, NSA OIG found both the agency and CIO made “substantial progress” in implementing the “full scope” of authorities, but additional actions were needed to ensure proper IT oversight and decision rights. Greg Smithberger is the current CIO and also serves as head of the agency’s Capabilities Directorate.

The following things all contributed to the “ambiguous” nature of the role, OIG found:

• Dual-hatting functions of the CIO’s office with the Capabilities Directorate.
• A lack of documentation delegating authorities.
• Failing to include the position in organizational charts.
• Primarily communicating about the role’s information security responsibilities and not its other IT duties.

The NSA CIO is responsible for the IT budget, program management — including workforce — and information security, as well as implementing the Enterprise IT Architecture program. NSA OIG recommended the CIO develop a strategy addressing these “highly interrelated” aspects of IT.

The agency has been reorganizing some of its components as it adjusts to new geopolitical challenges. Last year it created a new Cybersecurity Directorate to focus on foreign hackers.