US Education CIO Admits To 'Unacceptable' Behavior
US Department of Education CIO Danny Harris was grilled by lawmakers about possible ethics violations. Meanwhile the department, which has a lending budget the size of Citibank, was still said to be vulnerable to security threats.
Danny Harris, CIO of the US Department of Education, was again before the House Oversight and Government Reform Committee last week, testifying about allegations that he had created side businesses, failed to pay taxes on the income they created, used employees to help support the businesses, and had improperly awarded contracts to a business owned by a friend.
"I fully understand and take responsibility for how some of my actions allowed questions to arise," Harris said in testimony presented before the House Oversight and Government Reform Committee on Feb. 2. "The actions I took showed that I used poor judgment and I deeply regret those actions."
Harris went on, however, to defend his performance as the DOE's top tech official, and to describe progress that has been made to improve the department's cyber-security position.
In Nov. 2015, Harris testified before the same Committee, under allegations that shoddy leadership had led to vulnerabilities in systems responsible for the personal information, including Social Security numbers, of 139 million Americans.
The department additionally has a student loan budget of $1.2 trillion, which invites comparisons to the fiscal might of Citibank.
"As I stated during my testimony last fall, I am committed to ensuring that the department reaches our goals to continually improve our cyber-security and we continue to make progress on those plans," Harris said Tuesday.
On Nov. 4, 2015, the committee released a scorecard assigning letter grades to each federal agency, based on its implementation of the Federal Information Technology Acquisition Reform Act (FITARA). Enacted in Dec. 2014, FITARA, in the words of the committee, "provides a set of tools and guidelines that ... allow agencies to better manage IT systems and acquisitions."
The DOE received an "F."
DOE Acting Secretary John King, Jr., who "counseled" Harris and met with him monthly throughout 2015 to help manage his progress, testified alongside Harris. According to King, the department has made "significant progress" in implementing two-factor authentication for privileged users, which he called "one of the most important steps we can take to strengthen our cyber-security."
In that regard, the department's compliance had moved, King testified, from 11% to 95% as of Jan. 31. For privileged users of the department's EDUCATE and VDC environments, compliance is now 100%.
"I have directed the team to undertake a focused and disciplined approach to systemically resolving -- and addressing the root causes behind -- any cyber-security-related findings from both our 2015 FISMA Audit and the 2015 Financial Statement Audit," King testified.
Still, more progress is required. Committee member Will Hurd (R-TX) noted that 54 software programs the department currently uses are no longer supported by the vendor, and asked, "Why is that?"
Harris replied that the department is working to upgrade or retire 90% of the programs by June, and will take responsibility for the remaining programs.
While the two-factor authentication efforts were acknowledged as progress, the committee said it expects to see far more -- and expressed varying degrees of frustration with the situation.
"We should not be saying that implementing one part of a larger strategy is good enough," said Hurd. "I think we should be talking about, when 95% of the recommendations by the [Inspector General] are approved, that's going to be great work. When there are not repeat findings ... that will be good work."
Committee member John Mica (R-FL) added, "I think Congress and the American people have to think that the CIO position stands for chaos, ineptness, and outrage, after what we've learned this morning."
Harris was investigated by the DOE's Office of General Counsel, but not prosecuted. While Harris "displayed certain lapses in judgement," Sandra Bruce, Deputy Inspector General, said in her written testimony, her office "found no violation of law or regulation."
During the committee meeting, Bruce added that, while creating the businesses and not reporting income are violations, they were "not done knowingly and willfully."
"There's no reason why Mr. Harris shouldn't be fired," said Mica. "He's a senior executive service officer, he's failed continually since he took the position. I don't think you could find more ineptness or misconduct with any senior employee that's come before us. ... It's so offensive."
Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...