Top Priorities For State CIOs: 2016

Danny Harris, CIO of the US Department of Education, was again before the House Oversight and Government Reform Committee last week, testifying about allegations that he had created side businesses, failed to pay taxes on the income they created, used employees to help support the businesses, and had improperly awarded contracts to a business owned by a friend.

"I fully understand and take responsibility for how some of my actions allowed questions to arise," Harris said in a testimony presented before the House Oversight and Government Reform Committee on Feb. 2. "The actions I took showed that I used poor judgment and I deeply regret those actions."

Harris went on to defend his performance, however, as the DOE's top tech official, and to describe progress that has been made to improve the department's cyber-security position.

In Nov. 2015, Harris testified before the same Committee, under allegations that shoddy leadership had led to vulnerabilities in systems responsible for the personal information, including Social Security numbers, of 139 million Americans.

The department additionally has a student loan budget of $1.2 trillion, which invites comparisons to the fiscal might of Citibank.

"As I stated during my testimony last fall, I am committed to ensuring that the department reaches our goals to continually improve our cyber-security and we continue to make progress on those plans," Harris said Tuesday.

On Nov. 4, 2015, the committee released a scorecard assigning letter grades to each federal agency, based on its implementation of the Federal Information Technology Acquisition Reform Act (FITARA). Enacted in Dec. 2014, FITARA, in the words of the committee, "provides a set of tools and guidelines that ... allow agencies to better manage IT systems and acquisitions."

The DOE received an "F."

DOE Acting Secretary John King, Jr., who "counseled" Harris and met with him monthly throughout 2015 to help manage his progress, testified alongside Harris. According to King, the department has made "significant progress" in implementing two-factor authentication for privileged users, which he called, "one of the most important steps we can take to strengthen our cyber-security."

In that regard, the department's compliance had moved, King testified, from 11% to 95% as of Jan. 31. For privileged users of the department's EDUCATE and VDC environments, compliance is now 100%.

"I have directed the team to undertake a focused and disciplined approach to systemically resolving -- and addressing the root causes behind -- any cyber-security-related findings from both our 2015 FISMA Audit and the 2015 Financial Statement Audit," King testified.

Still, more progress is required. Committee member Will Hurd (R-TX) noted that 54 software programs the department currently uses are no longer supported by the vendor, and asked, "Why is that?"

Harris replied that the department is working to upgrade or retire 90% of the programs by June, and will take responsibility for the remaining programs.

While the two-factor authentication efforts were acknowledged as progress, the committee said it expects to see far more -- and expressed varying degrees of frustration with the situation.

"We should not be saying that implementing one part of a larger strategy is good enough," said Hurd. "I think we should be talking about, when 95% of the recommendations by the [Inspector General] are approved, that's going to be great work. When there are not repeat findings ... that will be good work."

[Read Government IT: Hot Tech Trends in 2016.]

Committee member John Mica (R-FL) added, "I think Congress and the American people have to think that the CIO position stands for chaos, ineptness, and outrage, after what we've learned this morning."

Harris was investigated by the DOE's Office of General Counsel, but not prosecuted. While Harris "displayed certain lapses in judgement," Sandra Bruce, Deputy Inspector General, said in her written testimony, her office "found no violation of law or regulation."

During the committee meeting, Bruce added that, while creating the businesses and not reporting income are violations, they were "not done knowingly and willfully."

"There's no reason why Mr. Harris shouldn't be fired," said Mica. "He's a senior executive service officer, he's failed continually since he took the position. I don't think you could find more ineptness or misconduct with any senior employee that's come before us. ... It's so offensive."

Rising stars wanted. Are you an IT professional under age 30 who's making a major contribution to the field? Do you know someone who fits that description? Submit your entry now for InformationWeek's Pearl Award. Full details and a submission form can be found here.