[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
                THE U.S. DEPARTMENT OF VETERANS AFFAIRS
                 INFORMATION TECHNOLOGY REORGANIZATION:
                          HOW FAR HAS VA COME?

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON VETERANS' AFFAIRS

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 26, 2007

                               __________

                           Serial No. 110-47

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                     U.S. GOVERNMENT PRINTING OFFICE
39-456 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512�091800  
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�090001

                     COMMITTEE ON VETERANS' AFFAIRS

                    BOB FILNER, California, Chairman

CORRINE BROWN, Florida               STEVE BUYER, Indiana, Ranking
VIC SNYDER, Arkansas                 CLIFF STEARNS, Florida
MICHAEL H. MICHAUD, Maine            JERRY MORAN, Kansas
STEPHANIE HERSETH SANDLIN, South     RICHARD H. BAKER, Louisiana
Dakota                               HENRY E. BROWN, Jr., South 
HARRY E. MITCHELL, Arizona           Carolina
JOHN J. HALL, New York               JEFF MILLER, Florida
PHIL HARE, Illinois                  JOHN BOOZMAN, Arkansas
MICHAEL F. DOYLE, Pennsylvania       GINNY BROWN-WAITE, Florida
SHELLEY BERKLEY, Nevada              MICHAEL R. TURNER, Ohio
JOHN T. SALAZAR, Colorado            BRIAN P. BILBRAY, California
CIRO D. RODRIGUEZ, Texas             DOUG LAMBORN, Colorado
JOE DONNELLY, Indiana                GUS M. BILIRAKIS, Florida
JERRY McNERNEY, California           VERN BUCHANAN, Florida
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota

                   Malcom A. Shorter, Staff Director

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                           September 26, 2007

                                                                   Page
The U.S. Department of Veterans Affairs Information Technology 
  Reorganization: How Far Has VA Come?...........................     1

                           OPENING STATEMENTS

Chairman Bob Filner..............................................     1
    Prepared statement of Chairman Filner........................    55
Hon. Steve Buyer, Ranking Republican Member......................     2
Hon. Stephanie Herseth Sandlin, prepared statement of............    55
Hon. Henry E. Brown, Jr., prepared statement of..................    56
Hon. Ginny Brown-Waite, prepared statement of....................    56
Hon. John T. Salazar, prepared statement of......................    57

                               WITNESSES

U.S. Government Accountability Office:
    Valerie C. Melvin, Director, Human Capital and Management 
      Information Systems Issues.................................     4
    Gregory C. Wilshusen, Director, Information Security Issues..     4
        Prepared statement of Ms. Melvin and Mr. Wilshusen.......    57
U.S. Department of Veterans Affairs:
    Hon. Robert T. Howard, Assistant Secretary for Information 
      and Technology and Chief Information Officer, Office of 
      Information and Technology.................................    21
        Prepared statement of General Howard.....................    71
    Arnaldo Claudio, Executive Director, Office of IT Oversight 
      and Compliance, Office of Information and Technology.......    21
        Prepared statement of Mr. Claudio........................    72
    Paul A. Tibbits, M.D., Deputy Chief Information Officer, 
      Office of Enterprise Development, Office of Information and 
      Technology.................................................    33
        Prepared statement of Dr. Tibbits........................    73
    J. Ben Davoren, M.D., Ph.D., Director of Clinical 
      Informatics, San Francisco Veterans Affairs Medical Center, 
      Veterans Health Administration, U.S. Department of Veterans 
      Affairs....................................................    36
        Prepared statement of Dr. Davoren........................    76

                       SUBMISSIONS FOR THE RECORD

Mitchell, Hon. Harry E., a Representative in Congress from the 
  State of Arizona, statement....................................    78
U.S. Department of Veterans Affairs, Bryan D. Volpp, M.D., 
  Associate Chief of Staff, Clinical Informatics, Veterans 
  Affairs Northern California Healthcare System, Veterans Health 
  Administration, statement......................................    79

                   MATERIAL SUBMITTED FOR THE RECORD

Post Hearing Questions and Responses for the Record:
Hon. Bob Filner, Chairman, Committee on Veterans' Affairs, to 
  Hon. Gordon Mansfield, Acting Secretary, U.S. Department of 
  Veterans Affairs, letter dated October 3, 2007.................    81


                    THE U.S. DEPARTMENT OF VETERANS
                     AFFAIRS INFORMATION TECHNOLOGY
                  REORGANIZATION: HOW FAR HAS VA COME?

                              ----------                              


                     WEDNESDAY, SEPTEMBER 26, 2007

                     U.S. House of Representatives,
                            Committee on Veterans' Affairs,
                                                    Washington, DC.

    The Committee met, pursuant to notice, at 9:58 a.m., in 
Room 334, Cannon House Office Building, Hon. Bob Filner 
[Chairman of the Committee] presiding.
    Present: Representatives Filner, Snyder, Herseth-Sandlin, 
Hare, Salazar, Walz, Buyer, Stearns, Brown of South Carolina, 
Brown-Waite, Bilbray, and Lamborn.

              OPENING STATEMENT OF CHAIRMAN FILNER

    The Chairman. This meeting of the House Committee on 
Veterans' Affairs is called to order. Today, the Committee will 
be looking at the U.S. Department of Veterans Affairs (VA) 
Information Technology (IT) Reorganization: How Far Have We 
Come?
    Obviously, this is a very important issue. And we will be 
looking at the progress of VA in centralizing its IT efforts.
    We want to explore the progress that the VA has made in its 
efforts to be what Secretary Nicholson called the ``gold 
standard'' of information security among Federal agencies, a 
goal that was enunciated in the wake of a data breach last year 
that involved over 25 million veterans and succeeding incidents 
including one recently in Birmingham, Alabama.
    We understand that such a centralization will not happen 
overnight. We are not asking you to do this overnight. But we 
are asking, and our veterans are demanding, that the VA be held 
accountable for getting the job done.
    This past June, the U.S. Government Accountability Office 
(GAO), while praising the commitment from senior leadership, 
found fault with a number of areas in the VA's efforts, efforts 
that hinder the VA's ability to successfully reach its 
reorganization goals.
    These include rejecting the GAO's recommendation that VA 
create a dedicated implementation team responsible for day-to-
day management of major change initiatives. Instead, the VA is 
apparently dividing the responsibility among two organizations 
in this new structure. And the GAO was concerned that this 
approach would not work. Many of us on this Committee share 
that sense.
    More recently, GAO reported that out of 17 recommendations 
made by the VA Inspector General (IG), 16 had not yet been 
implemented. Implementing these recommendations is essential if 
the VA is to protect private information and meet its 
obligations under the Federal Information Security Management 
Act (FISMA).
    In the final analysis, we must remember that IT is merely a 
tool, a tool used by the VA in furtherance of its mission of 
caring for veterans. This Committee has continued to work in a 
bipartisan fashion to encourage the VA to centralize its IT 
efforts. These efforts, we think, will lead to concrete 
benefits for both the VA, taxpayers, and most importantly, our 
veterans.
    Our charge is to ensure that while VA is carrying out its 
mission, it does so with the best and most up-to-date 
technology that the 21st century provides, while securing that 
technology from outside manipulation and preventing improper 
disclosure of our veterans' confidential information.
    We must at the same time foster creativity and innovation 
and the use of electronic medical records and other systems 
that have put VA at the forefront of medical care. These are 
not easy tasks. We are heartened by many of the steps the VA 
has undertaken, but remain concerned that more should be done, 
and could be done, at a faster pace.
    We remain hopeful that the VA can simultaneously provide 
our veterans the greatest security, management, and healthcare. 
Undoubtedly, the efficient and effective management and 
operation of VA IT efforts will result in tangible benefits for 
our veterans.
    I would yield for an opening statement to the Ranking 
Member of our Committee, Mr. Buyer. And you have 5 minutes.
    [The prepared statement of Chairman Filner appears on p. 
55.]

             OPENING STATEMENT OF HON. STEVE BUYER,
                   RANKING REPUBLICAN MEMBER

    Mr. Buyer. Thank you very much, Mr. Chairman. First I would 
like to address the issue regarding the Vietnam Veteran's 
Memorial Wall. I was heartbroken to learn about the callous act 
of vandalism that resulted in the damage to the Vietnam 
Veteran's Memorial Wall on September 7th.
    For every person that has ever stood before that wall, you 
can reflect upon your feelings and emotions as you stood before 
the 147 black granite panels. I could not help but sense and 
feel the humility of a grateful Nation and how small one feels 
standing before the granite.
    What I will say publicly to the vandal is that you are 
nothing but a coward. These are cowardly acts to stand before 
that wall and to throw such a substance and attempt to deface 
the Vietnam Veteran's Memorial Wall.
    The reality is that despite that act, you have no impact 
upon history. You have no impact upon the families who embraced 
their loved ones, that gave their lives for this country.
    So to the coward, you can either step forward and accept 
responsibility for your act or forever crawl back under the 
rock from which you came.
    Right now I would like to thank the Chairman. He and I 
worked together last year along with other Members of the 
Committee. And I want to publicly thank Mr. Evans, in our 
efforts to centralize the IT architecture within the VA.
    Mr. Chairman, I would like to thank you for responding to 
my request. More in particular, I compliment your timeliness in 
holding this hearing, with the exit and retirement now of the 
VA Secretary. I think it is just a wonderful time for us to get 
an update.
    It is important for us to look back over the past year and 
see how the VA has implemented the instructions given in Public 
Law 109-461 and moved its IT infrastructure to a centralized 
model. This is the first step for any large, Federal department 
or agency of government.
    We held a lot of hearings on VA's data breach, Mr. Filner. 
And so as we talk about the centralization of the IT 
infrastructure, it is also about security assurances. And I 
can't--when I think about the challenges that the Chief 
Information Officer (CIO) of the VA has, it is extraordinary.
    And so while I compliment you, Mr. Chairman, for holding 
this hearing and getting the input, we also have to be 
cognizant of the task at hand and how long it is going to take 
to perfect a centralized model.
    And patience is one thing that is going to be very hard for 
us to have, and for me in particular, because of my 7 years of 
interest in the issue. But I recognize how long it is going to 
take.
    The goal of Public Law 109-461 was to provide the means to 
allow growth and development to move forward with a main 
central IT structure in which new, improved technologies and 
methodologies can be encouraged and shared throughout the VA. 
The new law also brought fiscal discipline to VA IT for the 
first time.
    What I am interested in finding out today is how the 
centralized model is being implemented. And whether there has 
been any cultural resistance from local facilities toward 
centralizing.
    I am also interested in learning what new technologies are 
being used. How will these technologies enhance the VA's 
ability to provide faster, better, and safer services to our 
Nation's veterans? What measures are being used to protect the 
identity of our veterans when they seek treatment or benefits 
from the VA?
    I was very concerned when I learned about the 2006 Federal 
Information Security Management Act report being delayed and 
the VA receiving an incomplete in its FISMA reporting 
requirements. I trust that this will not occur again in 2007 
reporting period.
    I am also concerned about the continuing problems in IT 
security, which are detailed in the weekly Network Security 
Operations Center reports received by this Committee.
    The Birmingham VA research breach involves more than a 
million Medicare and Medicaid providers. I would like to know 
how the IT vulnerabilities that we have seen in VA's research 
community are going to be addressed, so that incidents such as 
this no longer occur.
    Last week, the GAO testified before the Senate Veterans' 
Affairs Committee and made 17 recommendations to the Secretary. 
Those recommendations aimed at improving the effectiveness of 
VA's efforts to strengthen information security practices by 
developing and documenting processes, policies, procedures, and 
completing the implementation of key initiatives.
    For instance, why is the Veterans Health Administration's 
(VHA's) waiver for not encrypting physicians' laptops and other 
devices still in effect? I am looking forward to hearing the 
status of each of these recommendations from both the GAO and 
the VA.
    Mr. Chairman, I would like to thank the witnesses for 
coming to testify before the Committee, and General Bob Howard 
who took the reins for the VA IT infrastructure during a wave 
of change.
    I compliment you, sir. It is under his watch that the goals 
and policies set up by Public Law 109-461 are being 
implemented. And I look forward to hearing from you and 
continue to work with you.
    General, I also want you to rely upon your military 
experience, because once you have made your advance, you have 
taken ground. And now that you have someone leaving, i.e., the 
Secretary, as an agent of change, other individuals are seeking 
to take ground back.
    So you are going to have to defend. And I recognize that. 
And at the first moment, please pick up the phone, call the 
Chairman, call me. We want to work with you to make sure that 
you have the ability to implement the law.
    And I would say to the witnesses, I had an opportunity last 
night to read your testimony. I have a Commerce Committee 
hearing on my other issue dealing with counterfeit drugs. And 
so I am going to have to excuse myself.
    But thank you, Mr. Chairman.
    The Chairman. Thank you. Any other opening statements. Dr. 
Snyder? Mr. Walz? Mr. Brown? Mr. Lamborn?
    All Members have 5 legislative days to revise and extend 
their remarks and all written statements will be made part of 
the record. Hearing no objection, so ordered.
    Our first panel this morning is from the U.S. Government 
Accountability Office. Ms. Valerie Melvin is the Director of 
the Human Capital and Management Information Systems Issues 
Office. Mr. Gregory Wilshusen, is the Director of Information 
Security Issues. And accompanying you is Ms. Oliver. If you 
will introduce her, Ms. Melvin. Your written statements will be 
made a part of the record, so if you can keep oral remarks to 
about 5 minutes, that would be great.

 STATEMENTS OF VALERIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND 
    MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT 
  ACCOUNTABILITY OFFICE; AND GREGORY C. WILSHUSEN, DIRECTOR, 
  INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
  OFFICE; ACCOMPANIED BY BARBARA OLIVER, ASSISTANT DIRECTOR, 
 HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. 
                GOVERNMENT ACCOUNTABILITY OFFICE

                  STATEMENT OF VALERIE MELVIN

    Ms. Melvin. Mr. Chairman and Members of the Committee, 
thank you for inviting us to discuss VA's information 
technology realignment and actions toward strengthening its 
information security program.
    With me today, as you have noted, is Mr. Greg Wilshusen, 
GAO's Director of Information Security Issues, and Ms. Barbara 
Oliver, Assistant Director for VA IT issues.
    In serving our Nation's veterans, VA relies heavily on 
information technology, for which it spends about $1 billion 
annually.
    However, the Department has long been challenged in IT 
management, having experienced cost, schedule, and performance 
problems in its information systems initiatives, as well as 
security breaches that threaten to compromise sensitive and 
personally identifiable information.
    To provide greater authority and accountability over its 
resources, VA is realigning its organization to centralize IT 
under the Chief Information Officer, relying on a defined set 
of improved management processes to standardize operations. VA 
began this realignment in October 2005 and plans to complete it 
by July 2008.
    Over the past year, we have assessed and reported on the 
realignment. And just last week, as you noted, released a 
report on the Department's information security. At your 
request, our testimony today summarizes our findings in these 
two important areas.
    In short, VA has made progress in moving to a centralized 
structure by fully or partially addressing all but one of six 
critical factors that we identified for a successful 
transformation such as this realignment.
    Among its actions, the Department has ensured top 
leadership commitment to the initiative and established a 
governance structure to manage resources. However, it continues 
to operate without a single dedicated implementation team to 
oversee this important change.
    And in addition, while improved IT management processes are 
a cornerstone of the realignment, VA has not kept to its 
timeline for implementing the processes and thus, has not made 
significant progress, having only piloted two of the thirty-six 
planned processes.
    At the same time, VA has ongoing programs and system 
development initiatives that depend on effective management and 
use of IT resources, the essence of this realignment. Our 
recent studies have noted measures of progress in its efforts. 
But essential work remains, including addressing numerous and 
longstanding information security weaknesses.
    Our report, released last week, notes that although VA has 
made progress in strengthening information security, much work 
remains to resolve its security weaknesses.
    The Department has undertaken several major initiatives to 
strengthen information security practices and secure personally 
identifiable information, including continuing efforts to 
realign its management structure, establishing an information 
protection program, and improving its incident management 
capability.
    Yet while these initiatives have led to progress, their 
implementation has shortcomings. For example, although a new 
security management structure exists, improved security 
management processes have not yet been completely developed and 
implemented.
    In addition, this new security management structure divides 
responsibility for information security functions between two 
organizations, but with no documented process for the two 
offices to coordinate with each other.
    Further, the Department has made limited progress in 
addressing prior recommendations to improve security that we 
and its Inspector General have made. Although VA has taken 
certain steps, it has not yet completed the implementation of 
22 out of 26 prior recommendations.
    In summary, Mr. Chairman, VA is making progress on its IT 
realignment. But important work remains to ensure that 
effective management processes exist and that its IT programs 
and initiatives are fully and successfully implemented.
    In our view, an implementation team and established 
management processes are crucial to the overall success of the 
realignment, without which the Department is in danger of 
missing its 2008 targeted completion date and of not realizing 
the potential benefits of this initiative.
    Similarly, until the Department addresses the shortcomings 
in its IT security program, it will have limited assurance that 
it can protect its systems and information from unauthorized 
disclosure, misuse, or loss.
    This concludes our prepared statement. We would be pleased 
to respond to any questions that you may have.
    [The prepared statement of Ms. Melvin and Mr. Wilshusen 
appears on p. 57.]
    The Chairman. Thank you. There are no other prepared 
statements from the panel?
    Ms. Melvin. No. This is our statement.
    The Chairman. Thank you. And I appreciate you undertaking 
this. It has been very helpful.
    Dr. Snyder, do you have any questions?
    Mr. Snyder. Yes.
    The Chairman. Go ahead. I will wait.
    Mr. Snyder. I think you all make a great contribution in 
these areas.
    I am always struck that somebody like us that can sit on 
these panels and, you know, make--we are prone to make 
accusatory comments about administrative agencies and their 
failures to do certain things.
    I couldn't do this. I don't have the skills to do what we 
are asking the VA. Can you all do this? If you were plucked out 
and put in Secretary Nicholson's slot, could you do this, what 
you are asking this system to do?
    Ms. Melvin. Sir, this initiative is a complicated one.
    Mr. Snyder. Yeah.
    Ms. Melvin. It is one that from its inception, we have 
noted would take a lot of dedication. Was one in which VA was 
stepping out in a way that few other agencies have, in fact, 
done.
    It is an effort that will require tremendous discipline, 
tremendous coordination, and exceptional communication on the 
Department's part to ensure that all of its management is 
involved, all of its users are adequately considered. That 
there is the necessary governance in place and the discipline 
process is in place to ensure that this can be undertaken.
    Mr. Snyder. Was that a no? Regardless of----
    Ms. Melvin. It means that it is a very complicated process 
that----
    Mr. Snyder. I think it is.
    Ms. Melvin [continuing]. Will require a lot of effort on 
the Department's part.
    Mr. Snyder. I think it is. I think the problem with it too 
is it is complicated. It is a challenge. And you outline, I 
think, some kind of hard attributes of the process. But it is 
about leadership, I think, and getting people to buy into it.
    Did you--have you all looked at what the downside for 
veterans' healthcare is if these things are not being done?
    Ms. Melvin. Obviously, this overall initiative, it is in 
place so that the Department can have more effective processes 
for managing all of the initiatives that it is undertaking.
    Certainly one of those, for example, is its veterans health 
information system. All of these initiatives are impacted by 
the efforts that are being undertaken and the sense that VA has 
previously operated in a centralized manner. And in moving--I 
am sorry, in a decentralized manner.
    And in moving to centralization, it will be critical to 
make sure that the processes exist so that requirements can be 
understood effectively, identified effectively, and that 
solutions are in place to address them.
    When you are looking at that, obviously there is the chance 
that if this is not undertaken properly, if it is not put in 
place in a discipline manner that allows all of the 
administration's IT needs to be addressed in a manner that 
supports the veterans, it could, in fact, impact veterans 
through the systems that are either put in place effectively or 
not put in place effectively.
    Mr. Snyder. I spent several hours sitting in an airport 
yesterday, because of something that happened with Memphis 
radar that shut down planes over several States. There was no--
nothing--it was earlier at the Little Rock Airport. Nothing was 
coming in or going out.
    And if you had asked us, I would think most of us would say 
well, there has got to be some redundancy in some system--in 
the system. We can handle whatever kind of technical problem. 
And yet,these kinds of things get so complicated that it can 
be--it can get so complicated it is difficult for a group of 
civilians here to provide that kind of oversight.
    So we count on you all to do that for us. And I always 
struggle a little bit about what exactly do I think is the 
clear next step for them to take. What do I think they should 
be doing.
    And it comes down to me as a matter of almost the personal 
leadership of the people at the top, the people that are at the 
highest position of leadership at the VA. This has got to be a 
number one priority, maybe second only to veterans' healthcare, 
or it is not going to get done.
    Why I sometimes read these reports, they almost get so dry, 
which is I think what your approach is. That is what we want 
you to do. But that we forget about the dynamic leadership that 
can make this kind of thing occur through a big system.
    Thank you for your contribution. I don't have any further 
comments, Mr. Chairman.
    The Chairman. Thank you. Mr. Stearns.
    Mr. Stearns. Thank you, Mr. Chairman. I sort of tend to 
think that we can solve this problem. General Motors, a large 
corporation, is able to keep track of their security. They set 
up a security database with a security chief officer. They are 
able to coordinate with all the plants, not just in the United 
States but around the world.
    IBM, as I understand, is a subcontractor to you folks. And 
IBM has been successful in setting up internally their own IT 
network.
    So I don't think it is without the realm of possibility. In 
fact, if the private sector came in and did this, wholly I 
suspect they could get it done.
    I think Dr. Snyder's probably correct, it is one of 
leadership. But it also inherently difficult with 
bureaucracies, because it has been decentralized. And these 
bureaucracies are not talking to each other. But I am 
optimistic that you can get it done.
    In May 2006, VA experienced the largest data breach in the 
history of the Federal Government. In January 2007, VA 
Birmingham, Alabama, suffered a breach of unbelievable 
magnitude involving any practitioner that has ever billed 
Medicare or Medicaid.
    My question is, is the VA data at risk today? 
Notwithstanding where we are, is the VA data at risk today? Can 
you tell me ``yes'' or ``no'' ?
    Mr. Wilshusen. Yes, it is, sir.
    Mr. Stearns. And is that agreed by all three of you? Was 
that pretty much the unanimous consent of all of you that the 
VA data is at risk?
    Ms. Melvin. Based on my understanding of the work that Mr. 
Wilshusen has done, I would say yes.
    Mr. Stearns. Now, Mr. Wilshusen, why don't you explain why 
you think it is at risk?
    Mr. Wilshusen. Okay, certainly. First of all, I would like 
to note that VA has made important progress in improving its 
information security practices and policies. However, much more 
needs to be done.
    For example, VA has not yet fully implemented two of our 
four prior recommendations, including one to complete a 
department-wide information security program.
    In addition, it has not yet fully implemented 20 of 22 
recommendations made by the Inspector General (IG) with regard 
to improving information security.
    For example, it has not yet completed the activities to 
appropriately restrict access to its information, computer 
systems, and networks. It has not yet implemented appropriate 
physical security safeguards to protect its information 
technology resources and facilities, nor has it ensured that 
all authorized--that only authorized changes and upgrades have 
been made to computer programs.
    Until these recommendations are implemented, unnecessary 
risk exists that personal information of veterans and others, 
including medical providers, such as--or such medical 
providers, will be exposed to data tampering, fraud, and 
unauthorized or inappropriate disclosure.
    Mr. Stearns. Based upon what you said, would you be willing 
to track the VA's progress in implementing their consolidation 
plan and report back to us on a regular basis?
    Mr. Wilshusen. Yes, we would. Yes, I would.
    Mr. Stearns. What are the short-term, mid-term, long-term 
consequences and vulnerabilities for the delay in VA's 
integration and consolidation plan? And I guess--go ahead.
    Ms. Melvin. In terms of VA's centralization, the concerns 
that we have relate to the extent to which the Department 
implements the critical processes that it has identified for 
this initiative.
    The Department has identified 36 processes that are 
critical or the foundation I should say to the overall--having 
an overall discipline process in place that allows it to 
oversee and account for its IT investments.
    In the immediate, we noted that the Department has, in 
fact, put a governance structure in place, so that they have 
some immediate levels of responsibility.
    However, in looking out over the initiative as it continues 
to carry out this implementation, we have concerns from a 
longer term relative to how they are actually--or the progress 
that they are making, I should say, in actually fielding the 
leadership for the positions that it has. The extent or the 
time frame in which it would get its management processes in 
place.
    At the same time that the Department is undertaking this 
realignment, as I mentioned in my statement, its systems 
development initiatives and programs are still being 
undertaken.
    So in the long term, having this system in place and having 
it in place the sooner the better relative to its impact on the 
overall initiatives that it is undertaking and how effectively 
it can continue to move forward with those project for systems 
development.
    Mr. Stearns. Have you seen any bureaucratic or cultural 
push back toward this implementation in the administration?
    Ms. Melvin. We have heard through our assessment that there 
has been concern from the clinicians, for example within the 
Veterans Health Administration, that in doing this, some of 
their innovation will be stifled.
    And I think this is driven by their past experience in the 
initial--the development of the initial VistA system. However, 
what we have stated through our work is that if the Department 
is able to move forward and maintain momentum in terms of 
having an effective communication strategy in place, having the 
overall leadership in place relative to the many offices that 
it has identified.
    For example, they have identified 25 offices that are being 
put in place to implement and execute the 36 management 
processes that will give it a disciplined approach to managing 
its investments and resources.
    However, at the time of our review, those--not all of those 
offices had been filled. I think it is somewhere in the range 
of probably 15 or more either had not been filled or had been 
filled only in an acting capacity.
    Our concern with that is that without the stable 
leadership, the Department does not put itself on a solid and a 
sustainable foundation for being able to carry through with the 
realignment itself. And then certainly to execute all of the 
processes that are necessary to carry out its investments and 
its projects.
    Mr. Stearns. Thank you, Mr. Chairman.
    The Chairman. Thank you. Mr. Walz, your witness.
    Mr. Walz. Thank you, Mr. Chairman. And thank you to each of 
you for being here. It is a very important service that you 
provide. And every time we testify in this Committee, I think 
it is very important for us to always remember the ultimate 
goal here is the service to our veterans and making sure that 
is possible.
    And I think I associate myself with Mr. Snyder--Dr. 
Snyder's comments on this. It is all too easy to point fingers 
at this. And this is a--this is a large task.
    And I also associate myself to a certain degree with my 
colleague, Mr. Stearns, that I believe this can be fixed. 
Although his faith in the private sector, seems to forget the 
letter that I received in June of 2005 when my MasterCard data, 
along with 40 million others, were compromised.
    So it cuts both ways. It is a difficult task. But it is one 
that I think we are hitting on, and some of the questions got 
asked. But I just have two questions that I am concerned about.
    I represent the Southern Minnesota district that includes 
the Mayo Clinic. And I have had a lot of talks on this issue, 
on the VA side of things, on the quality of the VistA system 
and their medical records, which is arguably the best in the 
world.
    My concern is, and you hit on it to a certain degree, do 
you have a concern that any of this is going to be the movement 
forward we have had on the VistA system, the electronic medical 
records, and our push to seamless transition with the U.S. 
Department of Defense (DoD) is going to be affected by this 
realignment? If you could comment on that in your opinion.
    Ms. Melvin. Obviously, in undertaking the realignment, the 
key will be making sure that the Central Office of Information 
and Technology, which is the key point at which the 
centralization is taking place, is in touch, if you will, with 
the administration, in this case the Veterans Benefits 
Administration (VBA). I'm sorry, Veterans Health 
Administration.
    And what we have seen in our work and what we have 
advocated through the success factors that we have emphasized 
as a part of our most recent study, was the need for the 
Department to have adequate communication and a balance 
relative to ensuring that the requirements, the needs of the 
administrations, are adequately identified, heard, and dealt 
with as a part of the overall efforts that are undertaken.
    Obviously, that means that the Department has to get in 
place its main office that is identified to serve as the 
conduit of communication between the administrations and the 
central office.
    At the time of our assessment, that office had not been 
staffed and its leadership had not been put in place. So we 
view that as critical to making sure that they have the 
necessary balance for making--for ensuring that administration 
needs are identified, that solutions are identified to address 
those needs, and that there is a necessary follow up to ensure 
that the delivery takes place in terms of services provided 
through the IT that the central office supports.
    Mr. Walz. And my--just my final question here. And this is 
I guess a bit more subjective. I come from--my background is in 
cultural studies and this issue of culture or what is there. I 
know when the issue came out of the data breach, I also 
received a letter on that as a veteran for my data breach.
    And it seemed like at that point though there was a 
slowness to it, a reluctance to move on this. Do you get a 
feeling, and this as I said is very subjective? I have 
complimented many of the Members who have taken over on this in 
a very difficult time.
    And I feel that there is a--maybe there is a shift in the 
culture of understanding this. And I am convinced that this is 
central before we can move forward, if they really understand 
that. If you may--if you could comment on that.
    Ms. Melvin. I would agree with you. Definitely key to this 
is the cultural transformation that is necessary, along with 
the actual implementation of new processes.
    Key to that, again, as I have mentioned earlier, is 
communication. We do feel that that is one of the critical 
aspects that has to take place. In our work, we found that the 
Department has taken some efforts toward trying to improve its 
communication in dealing with the administrations.
    But there is still more work that can be done through 
ensuring, as I mentioned earlier, that its business 
relationship management office is staffed up. That the 
necessary individuals are in place in positions there to serve 
as the conduit of communication, through actual information 
sharing and making sure that the users understand what it is 
that the Department is trying to accomplish and how they plan 
to do that. And the impact of how that change to centralization 
will affect the Department from the standpoint of identifying 
business requirements, addressing the requirements.
    Only until they have had an opportunity to really 
communicate and reach agreement and understanding on those 
aspects will there be a cultural change, will there be what I 
would say is more user buy into this overall initiative.
    Mr. Wilshusen. And I would just add from an information 
security perspective that the tone at the top has increased 
significantly with regard to taking corrective actions to 
implement effective security controls since the May 2006 data 
theft.
    I think that was a watershed event, which really caused and 
highlighted the need for strong information security control. 
And we have seen a shift throughout the entire organization in 
the terms of--particularly with reporting incidents of 
potential data breaches or loss of information. Just prior to 
and subsequent to that May 2006 event, for example, the number 
of reported incidents doubled over the 5 months following it, 
versus the 5 months preceding that point.
    In addition, the number of initiatives that the VA has 
undertaken to improve security, and they are making progress. 
Many of them have not yet--many of those initiatives have not 
yet been completed. But they are taking steps to implement 
stronger controls.
    Mr. Walz. Great. Well I thank you. I yield back, Mr. 
Chairman.
    The Chairman. Mr. Brown, any questions?
    Mr. Brown of South Carolina. Thank you, Mr. Chairman. And 
thank you to the witnesses for coming this morning. I know this 
is a major concern of mine and of course of all the veterans 
around the country.
    Do you think we are--we are better off today than we were 
back in 2006?
    Mr. Wilshusen. With regard to the----
    Mr. Brown of South Carolina. Security.
    Mr. Wilshusen [continuing]. Security of----
    Mr. Brown of South Carolina. Right.
    Mr. Wilshusen [continuing]. Their personal information, I 
believe VA has taken steps to improve information security. And 
these steps include encrypting the information on thousands of 
laptops, initiating a remedial action plan to identify and to 
take corrective steps to improve the security controls, but 
much more still needs to be done.
    There are still significant and unnecessary risks to 
veterans' information. But I believe that they are taking steps 
in the right direction.
    Mr. Brown of South Carolina. Do we have a system in place 
that we can identify if there is a breach at some point in 
time?
    Mr. Wilshusen. Well there are technical controls that are 
available to look for and to detect anomalous behavior and 
whether or not there have been breaches, if you will, or 
intrusions into the systems in networks of VA.
    VA, I believe, is in the process of acquiring and 
installing intrusion prevention systems on various devices that 
will help prevent and to detect such occurrences.
    Mr. Brown of South Carolina. Well I believe in the past we 
have had like people taking their laptops home and this sort of 
thing. So I was just trying to----
    Mr. Wilshusen. That is correct. And that is why the 
physical security controls and the use of encryption on 
portable media and laptops is so important, because you 
correctly state that many of the or several of the most 
significant security breaches were the result of physical theft 
of equipment.
    And so it is important that VA first inform and train their 
staff on what the proper controls are over that equipment and 
over that information and to put in the appropriate controls to 
prevent them from occurring.
    Mr. Brown of South Carolina. And how long do you think it 
will take to implement a system that we can feel comfortable 
with that our records are secure?
    Mr. Wilshusen. VA, in its remedial action plan, has 
identified over 400 action items in which it is undertaking to 
improve various different aspects of information security.
    Some of those actions extend out to June--or I am sorry, 
out to 2009. Even upon completion of those actions, many of 
which are to develop or update a policy or procedure, the true 
test of determining whether or not the agency has effective 
information security controls is whether or not they 
effectively execute those policies and procedures.
    And, as my father once told me, and I am paraphrasing him 
now, `` The road to insecurity is paved with good intentions.'' 
And developing policies and procedures shows what the 
management's intentions are with regard to securing 
information.
    But it gets down to the detail of actually implementing 
those on a sustainable, ongoing and consistent basis throughout 
the organization.
    Mr. Brown of South Carolina. We don't recognize the 
cultural education we must perform. Is there anything that we 
can do as Members of Congress to help expedite that process?
    Mr. Wilshusen. Well, one, the passage of the Veterans 
Benefits Healthcare and Information Technology Act of 2006, I 
think, was a positive step forward. And in addition to holding 
these types of hearings, holding VA officials accountable for 
their actions and maintaining a dialog with them, with you and 
your staffs with the VA officials to assure that appropriate 
actions are being taken.
    Mr. Brown of South Carolina. Thank you very much.
    Mr. Wilshusen. You're welcome.
    The Chairman. Ms. Herseth Sandlin.
    Ms. Herseth Sandlin. Thank you, Mr. Chairman. Thank you for 
your testimony today. I would like to pick up a little bit 
where Mr. Stearns had asked your willingness, GAO's 
willingness, to track the VA's progress and report back. And 
you had answered ``yes.'' And I appreciate that.
    But let me ask you this, I assume that in doing that, your 
job would be easier if the VA would actually dedicate an 
implementation team to manage the change, so that you had a 
team you were directly working with, which is the team within 
the Department that's supposed to be tracking the progress and 
managing the change.
    So could you confirm for me that the VA has not yet acted 
on that critical success factor?
    Ms. Melvin. As it pertains to the realignment initiative, 
the VA has not put what we would desire to see in terms of a 
single dedicated implementation team to manage that overall 
effort.
    It does have multiple offices designated to oversee the 
realignment effort. Our concern is that there is not a single 
body that is dedicated to ensuring that there is the necessary 
oversight for the--managing, for example, the schedule against 
goals and timeframes for accomplishment. Identifying shortfalls 
and being able to ensure that there is a consistent 
coordination throughout the Department relative to how these 
are handled.
    We feel that it is important also in terms of having some 
consistency through leadership changes that occur so that the 
Department has a voice that speaks for the overall realignment. 
And that ensures, from an oversight perspective, that it is 
occurring as it should.
    Ms. Herseth Sandlin. So I think you answered my other 
question. There is no timetable other than the July 2008 date 
upon which this is to be completed. But there are no quarterly 
objectives. There is no, as you said, single entity in place to 
help set the objectives, track the progress.
    What has been the Department's reaction to your concern 
about the lack of that type of entity that would help 
effectively manage the transformation?
    Ms. Melvin. The Department has stated that it is taking 
some actions, for example, toward business processes in terms 
of identifying timeframes. And they prioritized some of those. 
But we have not seen specific dates attached to those.
    But when it comes to the realignment team in and of itself, 
the Department has effectively stated that it would agree to 
disagree with us on the need for a single dedicated team.
    They have not indicated that they wouldn't have multiple 
teams working. But, again, our desire would be to see a single 
dedicated team that can ensure a coordinated oversight for this 
initiative.
    Ms. Herseth Sandlin. Well, Mr. Chairman, I would just 
suggest that in light of the Secretary's resignation, and of 
course our continued hope that there is the tone at the top 
with the Under Secretary's, the deputy assistant secretaries, 
to improve the system.
    I actually think that given the transition here, the lack 
of stable leadership at the top. And I do think Secretary 
Nicholson, working with this Committee, working with the 
Ranking Member, working with Committee Staff last year when 
this problem presented itself and how we go about the 
information security objectives, I was very committed to it.
    My concern is the transition. And so I think it highlights 
the importance of a single dedicated board, governance board, 
within the VA in light of that transition. And would hope that 
with our oversight that we can, with the testimony we will be 
hearing from the later panels, continue to work with them to--
if you would agree.
    And if the Ranking Member and Mr. Stearns and other Members 
of the Committee agree with the GAO assessment as I do, that a 
single dedicated entity is of the utmost importance in helping 
manage the transformation that we work through our oversight 
and our discussions with the VA to see that that would happen 
to try to stay as on top of the July 2008 deadline as possible.
    And I would yield back.
    The Chairman. Thank you. Just to follow up, I mean, when 
you say you have agreed to disagree, is there a reason? What is 
their reason?
    Ms. Melvin. I think they can best answer that. But in 
talking to them through our assessment, they feel--felt 
strongly that the offices that they are putting in place, and 
they have identified two specific offices, they feel that those 
offices are capable of providing the necessary oversight and 
coordination for this effort.
    Our concern is that this is an extremely large initiative 
that involves many processes, that involves many layers of 
management and the need for solid and extensive communication 
throughout the organization. And certainly established 
timeframes that can be monitored closely and that the 
organization have some consistency in how it measures and 
tracks performance toward achieving its overall goal for 2008.
    The Chairman. And of the two major teams, one of them is--
its top position is vacant, right?
    Ms. Melvin. Yes, that's correct.
    The Chairman. Thank you. Mr. Bilbray.
    Mr. Bilbray. Thank you, Mr. Chairman. You know, Mr. 
Chairman, all the concerns about the information systems kind 
of reminds me of the fact that ever since man started messing 
with technology, there has been a fear of it, and a threat of 
it, and, obviously, an opportunity.
    I mean, fire would be a good example. I think that there 
are a lot of people in Washington if they had been the caveman 
with the first fire, it would have been outlawed, restricted, 
and banished from the world.
    I think the keys we are looking for though is that we first 
of all needed something that is expandable and transformable. 
It has got to be able to adapt to the situations.
    And actually the Chairman and I went through years in local 
government working the same issue, the city of San Diego, 
trying to work out emergency response information systems, the 
county doing the same thing. And Mr. Chairman, I would just 
like to let you know that though you worked hard at the city, 
the city now has accepted that the county system is so much 
more effective and is adopting that system for their emergency 
information system. To have--I can't pass up the chance to take 
a cheap shot.
    My question to you though, the laptop situation was sort of 
interesting. With all the encryption on there, wouldn't it be 
so much more secure if with these mobile information modes, 
that only the person who is authorized to use that or who 
supposedly has it delegated to them, if the technology was 
there to where only they could activate the system, wouldn't 
that be even a step further in securing the information of the 
veterans?
    Mr. Wilshusen. Yes, it is. Certainly that would be like the 
first step in protecting sensitive information is to make sure 
that only those individuals who have a legitimate business need 
for access have access.
    And once that is granted, then to have other controls to 
enforce that level of access. And then also to protect the 
information such as using encryption and other technologies to 
protect it--while it is being stored on laptops and other 
devices.
    Mr. Bilbray. How many of our mobile and how many of our 
stationary now are going or do have biometric access control 
systems?
    Mr. Wilshusen. I don't know the precise number in terms of 
how many of the laptops or other devices have biometric 
capabilities on them at VA.
    Mr. Bilbray. Many laptops have as an option biometric 
access that have had it for over a decade. And after what 
happened with the laptops, I just think it is almost like any 
businessman would say we are going to go to this option now, 
just as a matter of fact.
    And I would really challenge, if we haven't done it, why we 
haven't done it. And really look at the fact that here are 
those simple little things that the private sector would be 
doing at the snap of a hat. But we are always lagging behind in 
the hope that we will go over to that.
    I mean, frankly, I don't know of a major manufacturer of a 
laptop who does not provide the option that a thumbprint can be 
used as the primary access before the machine would even turn 
on. And I would sure like to see if we are moving forward with 
those little things that can really make a difference.
    If somebody steals a laptop and can't even turn the thing 
on, that is even better than encryption control.
    I yield back, Mr. Chairman.
    The Chairman. Thank you. Mr. Hare.
    Mr. Hare. Thank you, Mr. Chairman. I apologize for getting 
here a little bit late. I had another meeting. So if you have 
covered these, I hope you will bear with me. But I am just 
interested in the answers that you might have here.
    What are the main reasons that you found for lack of a 
single integration team to oversee this implementation?
    Ms. Melvin. The main reason was that the Department, as I 
mentioned earlier, just felt that it had the necessary offices 
in place to carry out the oversight and monitoring of the 
implementation.
    But, again, as was stated previously, one of those offices 
is vacant at this time. And our concern is that with the 
magnitude of this overall effort, there is a need for a 
coordinated oversight through a single dedicated implementation 
team.
    Mr. Hare. Do you think there is a correlation between the 
lack of staffing in these key leadership positions and the 
delay in establishing the management processes?
    Ms. Melvin. I think it is certainly--if it has not had an 
impact, will have an impact on the Department's ability to meet 
its timeframes for getting the processes in place. The 
individuals that it has identified and the offices that it has 
identified are the ones that are supposed to implement and 
execute these processes.
    The Department has acknowledged that they are behind in 
doing that. But we do feel strongly that it is important to 
have the staff there to carry out the processes or you are 
unlikely to have a disciplined approach to managing the 
investments and resources.
    Mr. Hare. What other hitches do you think--what are the 
other hitches that are causing the delay in developing the 36 
management processes?
    Ms. Melvin. I am sorry, what are the delays?
    Mr. Hare. What other hitches are causing do you think----
    Ms. Melvin. The issues that are causing it?
    Mr. Hare. Uh-huh.
    Ms. Melvin. What--in talking with VA's management, we were 
told that--and quite frankly they do recognize that they are 
behind in implementing the processes. What they identified were 
some concerns relative to really the definition of the 
processes that the contractor recommended for them. And the 
need to redefine and reassess what those processes were 
relative to their offices in place.
    Also they identified the need to really look at the 
processes relative to responsibilities and ensuring that they 
clearly discerned which offices would be responsible for key 
activities under those processes.
    And in some cases, they are still clarifying who has key 
responsibilities. The Office of Information and Technology 
won't have full responsibility, for example, for all of the 
financial management processes, as the Department has an office 
of management that oversees its overall budget. So they are 
working through those issues.
    And then as you mentioned earlier, a key concern of ours 
was the--that the 25 or so offices that they have identified to 
implement and execute the processes have not yet been fully 
staffed and don't all have full leadership to direct them.
    Mr. Hare. Have they indicated when they would be staffed?
    Ms. Melvin. When they will be staffed?
    Mr. Hare. Mm-hmm.
    Ms. Melvin. We did not get information on when they would 
be staffed.
    Mr. Hare. Okay.
    Ms. Melvin. They did indicate that they were looking into 
the staffing. That they saw this as a difficult process that 
they would need to work through.
    Mr. Hare. Thanks. And my last question is how much 
collaboration and communication did you find that there is or 
is not between the two implementation teams?
    Ms. Melvin. I believe that the implementation teams are 
collaborating with one another. I don't think our assessment 
looked fully at exactly how all of the collaboration is 
occurring.
    We do maintain, however, that there has to be collaboration 
across those. And it has to be extensive relative to the 
processes, relative to the overall staffing of the offices that 
need to take place.
    Again, however, from our standpoint, we would like to see 
more assurance that there is the necessary coordination that 
would be gained through having a single devoted body to 
overseeing this effort.
    Mr. Hare. Okay. Thank you very much. I yield back, Mr. 
Chairman.
    The Chairman. Thank you. Ms. Brown-Waite.
    Ms. Brown-Waite. Thank you very much. I had votes in 
Financial Services. And that is why I was late.
    I don't care which one answers this. And you may or may not 
have the information with you. But I understand the VA says 
that they have encrypted 16,000 laptops. Is that correct?
    Mr. Wilshusen. I am not aware of that particular number. 
But they have an initiative underway where they are encrypting 
thousands of laptops. I don't know if 60,000 is the correct 
number.
    Ms. Brown-Waite. No, 16.
    Mr. Wilshusen. Oh, 16.
    Ms. Brown-Waite. That they have encrypted----
    Mr. Wilshusen. Okay.
    Ms. Brown-Waite [continuing]. 16,000, which brings me to 
the other part of my question. If it is 16,000, that is out of 
how many laptops that the VA has?
    Mr. Wilshusen. Well----
    Ms. Brown-Waite. Do you----
    Mr. Wilshusen [continuing]. The total number of laptops, I 
don't have that information. But I do know there is a sizable 
number of laptops that have not been encrypted. Many of these 
are being considered medical devices.
    And right now the VA's policy is not clear as to which 
devices or laptops should, in fact, be encrypted. And that is 
one of the recommendations that we are making that they clarify 
that policy.
    Ms. Brown-Waite. So medical information may be out there 
without encryption. Is that what you are----
    Mr. Wilshusen. That would be the case.
    Ms. Brown-Waite. Okay, another question. There are many 
instances where there are laptops not owned by the VA but used 
by VA personnel, and/or perhaps contractors, or the VA research 
communities. Are they still unencrypted?
    Mr. Wilshusen. I don't know. Our assessment did not look at 
the encryption of non-VA equipment. But if individuals or 
contractors have sensitive Veterans Administration information 
or sensitive veterans' information on them, on behalf of VA, 
those laptops should be protected to the same level as required 
by VA.
    Under the Federal Information Security Management Act, VA 
is responsible for assuring that the systems and equipment that 
are being operated on its behalf by others, should be protected 
to prevent and protect against unauthorized use, access, and 
disclosure of information.
    Ms. Brown-Waite. Let me ask another question. There is a 
program out there that you can buy. It is called ``Go to My 
PC.'' If a VA employee is at home and uses this kind of a ``Go 
to My PC,'' and there may be confidential information on their 
personal computer (PC) at the VA workplace, can they gain 
access to their PC in the VA workplace from a remote location?
    Mr. Wilshusen. Well I am not familiar with the specific 
program, but--that you mention. But certainly implementing 
appropriate controls over remote access to VA information on VA 
devices is a consideration that VA needs to address and 
implement appropriate controls. Obviously, there are a number 
of individuals within the VA community that do access 
information remotely. And assuring that those--that VA has 
implemented remote controls is very important.
    Ms. Brown-Waite. And you have brought this to their 
attention?
    Mr. Wilshusen. We and the Inspectors General. One of the 
vulnerabilities to VA systems is the access to data systems and 
networks. And that is a vulnerability that has been long 
standing in nature. And VA is taking certain actions to help 
improve its network security. But those actions are still on 
going and underway.
    Ms. Brown-Waite. Thank you very much. I yield back the 
balance of my time.
    The Chairman. Thank you. And, again, thank you for your 
report. You know, we talk with regard to the Iraqi War about 
benchmarks. And I couldn't imagine anybody doing worse than our 
government in meeting those benchmarks in Iraq. Except now you 
have an agency that has done even worse.
    As I read your report, out of the 36 management processes 
that were set out to have been completed, out of the 17 
recommendations of the Inspector General, one has been 
completed.
    I am amazed. Here we are, almost a year and a half after 
this crisis. And it is as if once the crisis passed, everything 
goes back to normal. I still don't understand the lack of 
progress on this. It is as if well, you know, we have had our 
hearings, so they will forget about it. And we don't have to do 
much.
    Again, I don't know what the reason for it is. You talked 
about 25 or so key positions to deal with this. And you 
estimate around 15 are vacant. Two implementation teams that 
have split responsibilities. Security still a major concern.
    I mean, if you had to summarize the reasons for this lack 
of progress, how would you do so? Is it lack of leadership? Is 
it lack of resources? What is going on here that we are, a year 
and 4 months or 5 months after this incredible problem and we 
haven't made very much progress it sounds like?
    Ms. Melvin. I would start by saying that the Department's 
top leadership has certainly committed to this particular 
effort.
    What we found, I think, when we look across VA and our work 
over the agency in the past times, one of the things that we 
have noted has been just overall project management as being an 
issue that the Department has to deal with. It is something 
that they have grappled with over time.
    In this particular case, again, I would say that, you know, 
this is a very complex effort. It does require a lot of 
coordination. It does require a lot of communication on the 
Department's part.
    And I think in terms of the actions that they are taking 
through their overall project management steps to lead this 
effort and to guide it through, there have been things that the 
Department needs to still address. Certainly in getting its 
leadership in place, knowing what resources it has, and to make 
sure that those resources are there to help it carry through 
with the implementation until they get some of those basic 
processes for communication, for leadership addressed and the 
staffing in place, the Department is at risk that it won't be 
able to get its disciplined approach in place through the 36 
processes that it still has to implement.
    The Chairman. Well, it may be complex. But this is not 
rocket science. And Mr. Stearns said it. These are rather 
ordinary problems that every company faces every single day in 
our society, every Nation faces it.
    Has the VA used consultants from the private sector on all 
this? They must have. If I were the Secretary or the President, 
of course we would be better off if that were the case, I would 
call in Bill Gates or somebody from Microsoft and say, ``Look, 
as your contribution to the national security of our Nation, 
fix this for us as a donation.'' I am sure they would do it. I 
think in 90 days they could solve this problem.
    Mr. Stearns. Bill Gates could probably----
    The Chairman. Yes.
    Mr. Stearns [continuing]. Bring in his team. I can't 
resist, Mr. Chairman. Are you recommending immediate 
withdrawal?
    The Chairman. From Iraq or from the VA?
    Mr. Stearns. The VA.
    The Chairman. Immediate redeployment.
    Mr. Stearns. Redeployment, okay.
    Ms. Melvin. Mr. Chairman, in response to your comment, I 
would state that during our assessment, where we saw the 
Department's realignment contractor very much involved with 
this effort and taking a dedicated stand relative to helping 
the Department define its processes and get to a certain point, 
we did feel that the Department was making progress on this 
effort. Our concern is as the Department continues to move 
forward, that it has the necessary leadership in place, that it 
has the necessary staffing and communication in place to 
sustain the effort to not backtrack, if you will, through not 
having a coordinated oversight for this effort.
    So we have seen some progress in the past. But certainly we 
would agree that there is a tremendous amount of effort that is 
still necessary. And it does take sustained and dedicated 
leadership oversight, accountability, and appropriate 
communications to make that happen.
    The Chairman. Mr. Stearns has suggested shock therapy to 
this--to the culture. And I guess we want to know what kind of 
shock can we administer?
    Mr. Stearns. What could we as the Members of Congress here 
do? I mean, we are asking some very difficult questions. And we 
are sort of frustrated, as you can expect here. What could we, 
as Members of Congress, do to sort of expedite this?
    You are alluding to the fact that this culture is--
everybody is protecting their own turf. And this bureaucracy is 
so immense that no one can get through it.
    We don't even know how many laptops there are. So if you 
don't know how many laptops there are, you don't have any idea 
how big the problem is.
    So considering what the GAO found, Chairman Filner's 
correct. Two of six critical success factors identified as 
essential to successful transformation have been accomplished. 
But that leaves four that have not.
    And as mentioned earlier, 22 of the 26 recommendations from 
the Department's Inspector General have not been implemented. 
So only four have.
    And it goes on to even caution its limited assurance that 
it can protect its system and information from the unauthorized 
disclosure, misuse, or loss of personal, identifiable 
information. I mean, that is a pretty strong statement.
    And here we are frustrated, because we have been having 
hearings on this. We talked about it. And so, I mean, is there 
anything that the U.S. Government elected official should do 
that we are not doing?
    Ms. Melvin. I think beyond the oversight, that you should 
continue, obviously, there is room for looking at particular 
cases in terms of how VA actually implements this process.
    And really perhaps taking--making some dedicated case 
studies, if you will, of how this effort really plays out and 
the impact of the realignment efforts on key initiatives that 
the Department might be undertaking would be an approach to 
really getting a handle and a good feel for just how 
effectively the realignment is being executed.
    Mr. Stearns. Thank you, Mr. Chairman.
    The Chairman. As you heard, there are bells for votes that 
we have to take. Just two votes. So we are going to have to 
recess. We do appreciate the expertise of the GAO in this 
matter. We would ask you not to be shy about recommending 
things that we might do in the future.
    And I will say to the next panel, which is the VA, you are 
going to have now 20 minutes before we get back here. Throw 
away your prepared remarks. And deal with these questions in a 
candid way.
    I mean, what is going on with all these vacancies? Why 
can't, if Mr. Bilbray is right, a simple thing like biometrics 
be used? Why has there been slow implementation of all these 
recommendations? What is your reason for these two 
implementation teams? Why is security still a risk?
    These are questions that every veteran has assumed that we 
had taken care of after the crisis. And they--we are the 
representatives of those veterans for assuring them that. And 
now it turns out we can't assure them that that is the case.
    So I would like you to address those issues in just a 
common sense way without hiding behind all the bureaucracy. And 
let us have a conversation when we return in about 15 minutes 
for the second panel.
    Thank you so much for the----
    Ms. Melvin. Thank you, Mr. Chairman.
    [Recess.]
    The Chairman. We will continue this meeting of the House 
Committee on Veterans' Affairs and move on to panel two who we 
thank again for their contributions to this discussion.
    We welcome Assistant Secretary for Information and 
Technology at the Department of Veterans Affairs General 
Howard. And Mr. Claudio is the Executive Director for the 
Office of IT Oversight and Compliance.
    To summarize what I had said earlier, Mr. Howard, you are a 
General. Just give the orders and make it happen. You are on.

 STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SECRETARY FOR 
   INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, 
   OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF 
  VETERANS AFFAIRS; AND ARNALDO CLAUDIO, EXECUTIVE DIRECTOR, 
 OFFICE OF IT OVERSIGHT AND COMPLIANCE, OFFICE OF INFORMATION 
     AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
  ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY ASSISTANT SECRETARY, 
     INFORMATION PROTECTION AND RISK MANAGEMENT, OFFICE OF 
  INFORMATION AND TECHNOLOGY; AND CHARLES DE SANNO, ASSOCIATE 
   DEPUTY ASSISTANT SECRETARY OF INFRASTRUCTURE ENGINEERING, 
   OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF 
                        VETERANS AFFAIRS

                 STATEMENT OF ROBERT T. HOWARD

    General Howard. Sir, you had mentioned earlier that you 
didn't want me to give an opening statement, so we can dispense 
with that. You mentioned earlier not to give an opening 
statement so----
    The Chairman. No, I just----
    General Howard [continuing]. I dispensed with that.
    The Chairman. However you feel you can--you want to deal 
with this.
    General Howard. Okay, sir.
    The Chairman. I was just making a suggestion.
    General Howard. Yes, sir. There are two other individuals 
at the table with me this morning, sir: Adair Martinez is my 
Deputy Assistant Secretary for Information Protection and Risk 
Management, and Charlie De Sanno to my far right is the 
Director of Region IV and also Infrastructure Engineering. So 
they are here with us as well.
    I will read my testimony. I can get into addressing the 
issues as you requested. And first, sir, I don't know if you 
noticed or not, when you were giving your opening statement, I 
had to leave the room and my apologies for that. I had to take 
a phone call from the Secretary in fact.
    Sir, where would you like me to begin? I think perhaps a 
good start point would be the issue of the processes, because, 
obviously, that was an issue that the GAO was concerned about, 
and a number of the Members were concerned as well.
    And so I would like to comment a little bit on that. First 
of all, as stated by the GAO, you know, we realize the 
importance of these processes. There is no question about that.
    But they are right. We have--we have not been as speedy as 
we would like in implementing those. There are reasons for 
that. I am going to cover some that we are well on the way on.
    But one of the reasons that has delayed us to some degree 
is this, we created the organization. We moved 6,000-plus 
people in all of that. We have a new appropriation. You know, 
we have things in place now to help make this happen.
    But what we have also inherited are the problems that were 
out there. And there are a number of them. And those have moved 
right up in priority.
    A good example of that is asset management. You know, the 
Oversight Committee had a hearing on that a few weeks ago. That 
is a real problem. We have had to put a lot of energy on that.
    And so my leaders, and I will get to who they are in just a 
minute, are putting a lot of heat on them to fix a number of 
problems that we have uncovered, because what the organization 
has done, in addition to a number of things, it has made more 
clear, you know, what is going on within the VA with respect to 
information and technology.
    It has also provided us better control, you know, over 
fixing these things. And you are right, we are not there yet. 
We have a lot of work to do. And, obviously, the control over 
the appropriation is also very helpful.
    But this issue of visibility has caused us to see a number 
of problems that must be fixed. We have seen, for example, that 
we have the haves and the have-nots. There are some activities 
within the VA that have paid attention to information 
technology in the past and stayed up to date and all of that. 
And there are others that have not. You know, in a 
decentralized operation, if you are a director of a facility, 
it is up to you, you know, where you spend your money and where 
you apply the emphasis.
    And there is a mixed situation out there right now. And you 
know one of the goals of our organization is to try and 
standardize that.
    And so focusing in on the problems has definitely caused a 
slowdown in the implementation of some of these processes.
    However, with that said, let me address a couple of issues. 
First of all, the one issue that we disagreed with the GAO is 
establishing a group to make this happen. We--I disagreed with 
that, because quite frankly, my military experience, you know, 
we have--we have a number of Deputy Assistant Secretaries. I 
have five of them in fact that are responsible for certain 
areas.
    And we want those individuals to implement these processes, 
for example, my Deputy Assistant Secretary for Information 
Protection and Risk Management, Adair Martinez. There is a 
process that we must implement called incident response. This 
is in her area. She has got to do that. She is going to 
implement that, and gain ownership of it, be responsible for 
it, and all of that.
    If you look at the--all the way over to enterprise 
operations and infrastructure, you know, where Charlie De Sanno 
happens to be located, there are a number of processes that 
have to be implemented there.
    Let me give you a perfect example. They are called SLAs, 
service level agreements. We have had a number of meetings so 
far in trying to hone in on what is the service level that we 
agreed to, you know, with the customer? Those have to be 
adjudicated. You know, how long does your computer stay up? The 
pane screen, you know, pane on the screens and all of that. The 
password timeouts, and what have you, all have to be agreed 
with. Downtime, you know, what are we on the hook for with 
respect to downtime.
    These are service level agreements where discussions have 
already taken place. There are two additional offices though. 
So by and large, my key leadership, the monkey is on their 
back, you know, to implement processes that are in their areas. 
And we have divided that up. Each one of my Deputy Assistant 
Secretaries knows of the 36 processes. Thirty-six processes, 
they know the ones that they are responsible for.
    In addition to that, we actually do have an organization 
called Organization Management. It is the remnants of the team 
that actually formed the reorganization itself. That box is 
still there. Unfortunately it is empty. The individual left 
about a week ago. But I intend to fill that. I do need someone 
as my conscience, if you will. I don't necessarily need them 
down into the weeds, you know, doing all of the detail. But I 
do need someone. So that part of it that GAO came up with, I 
don't disagree with.
    Now in addition, we have a Quality and Performance Office. 
The individual in charge of that office right now is Martha 
Orr. She handles the monthly performance reviews and what have 
you. The focus for processes, the focus for all 36 processes is 
out of her office.
    Again, she is not responsible for implementing each one of 
them. But she is responsible for coordinating the activity to 
keeping our eye on how these are going and what have you.
    The Chairman. You may be getting there. But I didn't hear 
the word ``timeline'' or, you know, ``goal''--a timeline for 
any of this or a goal. And the problem I always have with the 
word ``process'' is that a process is always ongoing.
    General Howard. Yes, sir.
    The Chairman. What about the results? What are we getting 
out of this process, and when is the timeframe within which we 
are going to do it?
    General Howard. Sir, let me focus in on a couple of them. 
SLAs, service level agreements. In fact, just several days ago 
the individual in charge of that briefed me on his timeline.
    And, you know, I can't recall the exact dates. But it is 
somewhere in the November, you know, end of November, end of 
October, beginning of November timeframe to come to agreement, 
you know, with VHA, with VBA, on what these are and then start 
implementing them.
    And, in fact, some of them are already implemented. 
Particularly in--like for example, in region four. So there are 
timelines associated with some of those. And that one is an 
example.
    Incident response, sir, we have a process for incident 
response. It is in place. Now what we don't have is a thick 
document explaining all this. But we absolutely have a 
responsive capability to work incidents.
    In fact, Adair Martinez is in charge of that. She actually 
started it herself, organized the teams that meet weekly. She 
personally approves the weekly summary that is sent to 
Congress. Incidents do come in. They come into our NSOC, our 
network and security operations center. It is to the point now 
where this is routine, a routine process.
    The one additional thing that we have to do is make sure we 
are folding in non-security incidents. And we are beginning to 
do that.
    On security management, handbook 6500. It was signed out 
about a week ago. This is the security program for the VA. And, 
you know, I don't know if your Committee has had an opportunity 
to look at it yet or even if we have sent you a copy. But we 
certainly will. But this is now in place. You know, sir, it has 
taken--do you know how many years the VA's been working on this 
thing? How about ten. We have been trying to get this handbook 
called ``6500'' out the door for a long, long time. We have it. 
It has rules of behavior in it.
    In fact, I have already met with the unions on this rules 
of behavior issue. These are very important for employees to 
sign. So the security management process is beginning to 
happen.
    The other one that I would like to mention is the 
compliance management. And, again, we don't necessarily have 
one book that says compliance management. But in a minute I am 
going to ask Arnaldo Claudio to explain the process he has put 
in place, because it is very robust. It is very effective. And 
it is making a difference. It is in compliance.
    The IT strategy, you know, we have completed a draft of our 
IT strategy. It is within several weeks of being approved. The 
other one I would like to mention is IT management. Some 
discussion took place about the governance structure. There is 
a governance structure in place.
    The GAO report, unfortunately it was written at a time 
where we had not implemented that. We have. Those meetings have 
taken place in developing the FY09 budget in fact. We have had 
a number of meetings with all three of the governance boards 
that we have put in place, to include the IT leadership board, 
which I chair along with the Under Secretaries.
    And so I wanted to just--sir, I wanted to paint a picture 
that, you know, we are really not sleeping. I mean, we are 
doing work. We are not there yet. I agree with you. But there 
is a lot of activity going on.
    And one more thing I would like to say, sir, and that is it 
goes back to the problems that I mentioned. I am trying to 
maintain some balance. You know, I can beat the heck out of 
these people and make them focus on processes solely. Or I can 
try to balance their workload and make them solve these 
problems. And at the same time, put the processes in place.
    And that is kind of what we have to do. And, unfortunately, 
it has resulted in a bit of a delay on some of these processes. 
But, again, some of them are already in place.
    [The prepared statements of General Howard and Mr. Claudio 
appear on p. 71 and p. 72.]
    The Chairman. Mr. Bilbray had mentioned earlier, and I 
always can't vouch for his accuracy, but he said it is easy to 
put biometrics on a laptop. Is that in your book there? Is he 
right? And do we----
    General Howard. Sir, we----
    The Chairman [continuing]. Have it in a book?
    General Howard. We have looked--we have looked very hard at 
biometrics. And I can tell you that one of the concerns 
actually comes from the medical community, because sometimes 
these are not perfect. You know, they are not as foolproof as 
you might think. You know, it is pretty close, but it is not 
100 percent.
    We have looked at biometrics. The--it will not work as 
smoothly as you would like with the encryption application that 
we have placed on our laptops. We have Guardian Edge hard drive 
encryption. If a VA laptop is left out on the parking lot, it 
is useless. It has got full hard drive encryption on it. It is 
useless to anybody. You can't get in. You simply can't get in.
    So that part of it is very robust on the laptop side. We do 
have biometric thumb drives. In fact, I have one in my 
briefcase. You know, we have mandated the use of encrypted 
thumb drives across the VA. And one of them happens to be an 
encrypted version. I mean, a biometric version that can be 
used.
    So we have--we have employed that to some degree. In the--
and while I am on this issue of protecting the information or 
what have you, we have had a number of initiatives underway. 
And have worked very hard during this fiscal year to put 
contracts in place for the software as well as the 
implementation of that software, the rollout. I am going to 
mention a few.
    We have put monitoring software now. And I think at an 
earlier meeting I may have mentioned the importance of that. I 
know I did to Jeff and Art. This Port Monitoring software, the 
contract was put in place about a week ago. We are not rolling 
that out.
    That means whatever you stick in a port on a VA laptop, we 
are going to know what it is. And we are going to stop the use 
of it if you don't have a VA approved encrypted thumb drive, 
for example, you can't use it on a--in a VA computer.
    Now, obviously, it is going to take time to roll that out. 
We have enough licenses to cover all of the VA in that 
particular one. Another one is called Rescue, the remove 
enterprise security compliance update environment. This one, if 
you are sitting in your kitchen somewhere, you will not be able 
to download personally identifiable information. We will stop 
that. You can see it if you have authority through a secure 
tunnel, through a virtual private network (VPN) tunnel, you 
will be able to see the information and do your work. But you 
won't be able to download it, because we will stop it with this 
particular product.
    We are monitoring the network for Social Security numbers. 
You know, you read the reports that we send up here every week. 
And you can see that unencrypted emails have been a problem, 
you know, sending Social Security numbers in the clear.
    We are monitoring that now. In fact when we first started 
monitoring it, there were almost 7,000 incidents of likely 
Social Security numbers, you know, trafficking through the 
network. We put a warning sign on the computers. You know, 
boom, it will come up as soon as you try to do that. Give you a 
warning.
    And since that time, it has gone down. We are now blocking 
those messages. We have gradually moved to the point where if 
you try to send a Social Security number in an email it will be 
blocked. On email encryption, you know, right now in the VA to 
include Blackberries, we have PKI, public key infrastructure.
    It is very good. But it is not as robust as the product 
that we are now implementing. In fact, IBM just won the 
contract, I believe, Charlie, right?
    Mr. De Sanno. That is correct.
    General Howard. For RMS, Rights Management System?
    Mr. De Sanno. Yes.
    General Howard. That is a product that will--you can send 
an email in the clear. But the attachment is encrypted. It 
gives you a much better--much more flexible capability to work 
encrypted email in a variety of ways, a very important one.
    We have software in place now for port-to-port 
transmission. You know, the VistA system when it was developed, 
did not take security into consideration as much as we would 
have today. So we now have in place a host-to-host secure 
capability that we have been working on as well. And the final 
one that I would like to mention in this whole area of trying 
to protect information and be more standard about that is the 
Dell Computer contract that we just put in place. And you are 
aware of that, standardized desktops. The Office of Management 
and Budget (OMB) has mandated that desktops will be 
standardized throughout the government agencies.
    This will provide a much better capability. It is a lease 
contract. We will every two or three years refresh the 
equipment. And we will be able to monitor it much better. We 
will be able to put whatever we want on it. The people who are 
working the computer will have much less control over what they 
do.
    This will be enormously helpful to us, not only in terms of 
standardizing things, but helping us with this issue of 
security. It will be very helpful. And, in fact, Charlie just 
this morning showed me the sites that we are likely to start 
rolling this out beginning this particular fiscal year.
    And there are other activities. The one I would like to 
mention also has to do with training and educating the people, 
because as we have mentioned in this Committee before, sir, I 
know the Secretary has, you know, the real key here no matter 
all this--all these tools that we put in place, the bottom line 
is are the people paying attention? Are they using the tools 
the right way? Are they properly educated? Do they care?
    We have seen improvement in that area. We do have a way to 
go. Education programs are better now. They are in place. We--I 
strongly believe that our directors throughout the VA are 
serious about educating and training their people.
    And that is a very key aspect, not just the IT people; it 
is everybody who deals with, you know, personally identifiable 
information. And quite frankly, that is very extensive 
throughout the VA as you can certainly appreciate. I don't know 
if that is helpful, sir. But there is a lot going on. And 
sometimes you don't get the complete picture.
    The Chairman. I appreciate that. You identified Mr. De 
Sanno as head of region four.
    Mr. De Sanno. Northeast, sir.
    The Chairman. Region--what region four?
    Mr. De Sanno. Sir, the----
    The Chairman. I mean, not the Veterans Integrated Services 
Network (VISN) four?
    Mr. De Sanno. No. The regions are numbered from the West 
Coast to the East Coast. So region four is comprised of VISNs 
one through five and VA's central office.
    General Howard. What Charlie is describing, sir, is the way 
we have organized the information technology----
    The Chairman. So we have regions to coordinate the regional 
coordinators.
    Mr. De Sanno. Well, yes. We have--well, you know, in an 
immense healthcare system like the VA, we segment the business 
into various management structures. So we have a regional 
director and chief technology officer responsible for the 
regional activity.
    General Howard. Sir, the reason we have done that refers to 
span and control. When we took over all 6,000 people, the way 
the VISNs are, you know, they are throughout the country and 
they are not regionalized. That is much too big a span and 
control in my opinion.
    So we put down four regions. There are regional directors 
in charge of each one. CIOs at a facility level report to that 
regional director. I meet with them quite often. The four 
regional directors report to my Deputy Assistant Secretary for 
Operations.
    That is how it works. And, in fact, it is a pretty good 
control structure. Communication is very good in that 
structure. The communication problem we see is with our 
customers. You know, that is the part we need to work on 
better.
    But within the IT community, we have visibility about what 
is going on. And I broke the region--the country into those 
regions simply as a matter of better span and control.
    The Chairman. Okay. Let's look at the three measurements 
that were mentioned in the earlier testimony.
    We had 17 recommendations by the IG. We have 36 management 
processes that you were working on. We had 25 key positions of 
which, again, the report that we heard, 15 out of those are 
vacant.
    Only two of the management processes have been fulfilled in 
one of the seventeen recommendations. So what is your timeline 
for completing that process?
    General Howard. Sir, the----
    The Chairman. When are you going to fill these positions? 
When are you----
    General Howard. Sir, quite honestly, I am not sure what 
positions they are referring to. I do know some that are empty. 
But I don't have the list in front of me, all 15. The--one of 
the issues there has to do with the human resources (HR) 
process itself.
    The Chairman. Yeah, that bothers me. Is the GAO still here? 
Is Ms. Melvin still here? The report states there are--that 
there are 25 recognized--that you identified 25 key positions 
for carrying out these processes, and about 15 of them were 
vacant. And you are not even sure which ones she is talking 
about.
    General Howard. Sir----
    The Chairman. So there is a problem there. I mean----
    General Howard. Sir, I don't. I can't get to the number 25. 
What I would like to do, if it is okay with you, sir, is answer 
for the record.
    You know, we can get from GAO exactly those positions and 
tell you----
    The Chairman. Okay. But as I understood it, and my 
understanding may have been wrong, but as I read the report, 
you identified these 25 positions. The GAO didn't make them up. 
They came from you. And so I assume you are aware of your 
organization and how we got to that figure.
    General Howard. Sir, as I sit here today, it is not 25.
    The Chairman. What is it?
    General Howard. Sir, I would like to answer that for the 
record, sir.
    [The information was provided from General Howard is in the 
response to Question 1 in the post-hearing questions for the 
record, which appears on p. 82.]
    The Chairman. Right.
    General Howard. Because I want to match it exactly to what 
appeared in the GAO report, if that is okay with you.
    The Chairman. Okay. Sir, I asked about a timeline on----
    General Howard. And you mentioned--you mentioned what 
difficulties we are having with respect to hiring. Part of it 
is just the HR process itself. This is very time consuming.
    An earlier Member mentioned, you know, the ease with which 
IBM or Microsoft could deal with this. And he is exactly right. 
We are not a private company. I came from a private sector. And 
we can hire and fire at lightning speed in comparison to the 
way we have to work in the government, particularly for senior 
positions.
    For example, one position that we have been struggling with 
is a very, very important one. It is cyber security. We have 
been through iterations. Three lists of people in the last--the 
last list we had actually selected someone. And they declined 
at the last minute to come in.
    We now have the latest list. And we are within weeks of 
making a selection. We got a much--we went out further, 
expanded our search, and we have a much better list. So you 
asked about why are we so slow, that is one of the reasons. It 
simply takes time to hire people in the U.S. Government.
    Sir, the timeline for filling positions, again, I would 
like to look at the detail there and respond for the record, 
because I need to be accurate in what I tell you. Because I 
need to see where we are on the hiring of some of these.
    [The information on timelines for filling positions was 
provided from General Howard is in the response to Question 1 
in the post-hearing questions for the record, which appears on 
p. 82.]
    General Howard. I mentioned cyber security. We were pretty 
close on that. The timeline on that one, for example, is a 
couple of weeks. You know, maybe 4 weeks at the max. We will 
have a name. And then it has got to work--it has got to work 
through the process, because this is a senior position. And it 
has got to work through, you know, our senior leadership and 
Office of Management and Budget and the Office of Personnel 
Management (OPM).
    The Chairman. Well, how about these 36 management 
processes? The----
    General Howard. Sir, I am committed to have implemented 
these by the summer of 2008. You know, that is the--July of 
2008 is when we--is when we complete our reorganization. And 
that is what I am committed to implementing.
    A number of them have already been implemented. We just 
need to capture in written form what we are actually doing, the 
incident response one is a good example. But that is what I am 
on the hook for.
    [The additional information was provided from General 
Howard is in the response to Question 2 in the post-hearing 
questions for the record, which appears on p. 85.]
    The Chairman. Okay. Just for the record, this is from the 
GAO testimony on page 15: ``As part of the new organizational 
structure the Department identified 25 offices whose leaders 
will report to the five deputy assistant secretaries, and are 
responsible for carrying out the new management processes and 
daily operations. However, as of early September, seven of the 
leadership positions for these 25 offices were vacant, and four 
were filled in an acting capacity.''
    So I assume we know what positions we are talking about.
    General Howard. Yes, sir. And some of them, as I said, was 
an acting capacity. And that is why I wouldn't consider those 
as being unfilled.
    For example, my position for Enterprise Strategy Policy 
Plans and Programs is filled right now in a temporary way by 
Scott Craig. He is a very strong person. He has been my 
enterprise architecture guy for years in the VA. So it isn't 
like the position is empty. I do have--I do have someone in 
there.
    The Chairman. You just don't do the same thing as an acting 
as compared to a permanent employee. We had this crisis 
situation now 16 months ago. And, I mean, if I were the 
Secretary, if I were you, I would have been calling us up and 
saying, we've done this or we've done that. It has been only 5 
months since this loss. And we have all the computers 
encrypted; it is now 8 months and we have this reorganization. 
It is now 10 months and so on.
    We don't hear from you until we call you. It is as if you 
say, well, no way around it, I guess we have to tell these guys 
now how many positions we filled. And everything just goes on 
as if it is a normal situation. That's what it looks like to 
me.
    There is not a sense of urgency that we had last year. And 
the fear that was so rampant throughout the veterans' community 
that their personal data may have been stolen or their identity 
may have been compromised was palpable. We simply must have a 
fast response on this stuff.
    If there are things that are getting in the way of doing 
that, just tell us and we will try to make it easier. We are 
working together on this; it is not just grilling you every 3 
months about what is happening. We want to help you accomplish 
this.
    Mr. Bilbray.
    Mr. Bilbray. Thank you, Mr. Chairman. Mr. Howard, I was 
sitting here just--and I made a flippant remark to the Chairman 
about the days when we were in local government. But I just 
realized there was a reason why.
    When we were looking at IT and upgrading systems, we 
finally abandoned doing it in house. And started putting it out 
for bids for private companies to come in and competitively 
bid, because there was a degree of urgency then.
    And I guess the Chairman's concern is the fact that, yeah, 
these things go on and nobody is accountable. Also no one is 
fired. Except maybe you want to get rid of the guy at the top. 
But we all know mid-management is where these things are really 
done.
    I would just like to follow up, and I don't mean to ping on 
this thing, but you made a comment about the fact that 
medical--there were people in the medical field who were 
concerned about the biometric confirmation for access. Why 
would they be concerned about biometric confirmation for 
access?
    Except maybe the fact is do they understand what we are 
talking about? It is access to the--into the computer, not 
necessarily access into the records?
    General Howard. Sir, it is reliability issue. You know, in 
some cases it doesn't work right away. You may have to work 
your thumb a few more times. I mean, it is not as rapid. And in 
the medical community that is a concern.
    Mr. Bilbray. And the laptop--the laptop though, that is not 
where they are using it is it?
    General Howard. Sir, I think you may be referring to the 
laptops associated with medical devices that are not encrypted. 
This is a problem for us. And the issue is this, a lot of your 
medical equipment these days does have integral to it a laptop 
or at least some kind of software. And these devices have to be 
approved through the Food Drug Administration.
    You have to be very careful about what you put on that 
machine. In fact, you can't put some things on.
    Mr. Bilbray. Yeah. I understand that. Let me stop you and 
back up a little bit. We just made a huge leap from the 
medical--basically the veterans' records, not--but the 
veterans' records on laptops that are being carried, being 
taken home, are being carried on airplanes, are being stolen.
    That is a huge leap to go from the equipment at a medical 
facility and the access into that system. I just go back to the 
fact that we have so many of these laptops out there. We don't 
even know how many we have now, because you got----
    General Howard. There are 18,000----
    Mr. Bilbray. Eighteen thousand----
    General Howard [continuing]. VA laptops.
    Mr. Bilbray [continuing]. VA. How many private laptops that 
have VA access?
    General Howard. Sir, I don't know the answer to that.
    Mr. Bilbray. Yeah. And I think we agreed that needs----
    General Howard. It is vulnerable. Yes, sir. However, I will 
say this, there is a directive. In fact, I believe it is 06-5 
or something. I can't remember the number. Where--this is the 
waiver issue.
    That in order for the physicians to continue to do their 
work, we did put a waiver in place with the proviso, with the 
directive, that they have to protect their laptop in the same 
manner that the VA has.
    In other words, we have Guardian Edge full drive--full hard 
drive encryption on VA laptops. If you are a physician in the 
VA using your own personal laptop, you have to have equivalent 
hard drive encryption on your laptop. That is a mandate.
    Let me say one more thing, sir, one of the technical items 
that I mentioned earlier will be helpful to us to prevent you 
from downloading anything on your laptop. And that is being put 
in place right now. You know, that was a very important 
contract that we have been working on for months. We now have 
it.
    We will have help from the private sector. In fact, we have 
help from the private sector at all of these areas. But that 
will not only--not only protect the information. You won't be 
able to put it on your laptop, because we will not allow it. 
And that will be very helpful to us.
    Mr. Bilbray. Okay. Mr. Howard, you know, the Chairman was 
questioning why--you know, about this issue of the biometrics. 
And the way I ran into it, because I have a district with a lot 
of high-tech biotech people that want privacy for their 
information, need security. And they use this as a matter of 
fact.
    And all my point was is that the security of the 
information of a company working on a new substitute for whole 
blood or doing something on cancer research, that information 
being secure is no more important than the right of a veteran 
to have their personal information secure.
    And that is why I brought up this issue of if the private 
sector can do it, if the laptop computer companies are making 
this technology available as an option, it just seems like 
common sense that if we want to talk about truly securing, then 
we don't ever depend on one gatekeeper.
    I mean, those of us that build jails know that you always 
have multiple catch systems so that when they are going through 
one, the other one will catch them down the line.
    And I just ask us, again, the technology is out there. The 
private sector has been doing it. It is available on the 
general market. It is not rocket science. And we still are 
finding arguments to not use technology that the private sector 
has found very effective out there.
    And I just ask us to, again, not to be scared of 
technology, but to embrace it. Not to put out the fire, because 
it may burn somebody. But realize that without it, a whole lot 
of people are going to go cold. I just think that we need to 
tool up on that.
    And I just leave you, again with the argument that maybe 
the problem is, is that we have a system where you can't go in 
and fire people who are not performing and making sure that you 
can come to us with a more effective report.
    General Howard. Yes, sir. Sir, I don't agree--disagree with 
you on the technical issue. I really don't. And as I mentioned, 
we are using biometric in the--particularly in the thumb drive 
area.
    I would ask--in fact, Charlie De Sanno, in addition to 
directing region four, he is my systems engineer. All this 
technical stuff that we are testing and rolling out and all 
that, a lot of that has come out of region four. And I would 
just like--if it would be okay, sir, for Charlie to just 
elaborate a bit on that.
    In fact, right behind him is Jim Breeling. Jim is also up 
in region four. He is actually a physician. And between the two 
of them, they can elaborate quite a bit on some good things 
that are going on.
    Go ahead, Charlie.
    Mr. De Sanno. Thank you, Mr. Howard. Excuse me. I think 
prior Mr. Howard gave you a good run down as to the products 
that the organization has procured.
    And I think the point certainly needs to be made that with 
the reorganization of IT within the VA, certainly the 
infrastructure that Mr. Howard discusses, the haves and the 
have-nots, come into play significantly in a number of ways.
    So we talk about speed to market. We talk about how quickly 
the VA can react to your requirements, to the veterans' 
requirements. And all of that is extremely valid point.
    The problem that we have in the organization is that we 
first need to create a foundation to create our house. And it 
took some time to execute, to design that foundation. So when 
you look at any one technology, like biometrics, and you say 
hey, why isn't the VA using biometrics?
    Well, we have a strategy behind everything we do. What you 
are really talking about is dual factor authentication and 
securing of the personal information that may exist on that 
hard drive.
    The Personal Identity Verification (PIV) initiative with 
smart cards is going to be rolled out. And our architecture, 
given the mandate to use these smart cards, do work very nicely 
with our encryption.
    Furthermore, with the PC lease and the standard desktop, 
the secure desktop image that we are ``architecting'' that is 
in line with standards, government-wide standards for security, 
we don't store any data on these mobile devices. The mobile 
devices and desktops and laptops, those data will be stored in 
a secure data center that is backed up.
    And in addition, Mr. Howard references rescue. And with 
this product, we can ensure that the devices that are attaching 
to the VA network are not only secure but contain no data.
    And if those devices aren't secure, we put them through a 
white room, a clean room, where we ensure that the Microsoft 
patches are up to date, other virus vulnerabilities are 
remediated.
    And if we can't do it, ensuring we give that user a quick 
response time, we segment them. And we put them in a virtual 
environment.
    So I agree as Mr. Howard does overall with the strategy. I 
want you to know that we have thought out this process. And we 
know that protecting veterans' information is absolutely 
critical.
    There is a strategy behind what we are doing. And the 
foundation that we are putting in will be used to build all 
information technology for now and in the future years.
    General Howard. Sir, this fiscal year is a key year for us. 
FY--you know, you asked about timelines. FY08, in fact the GAO 
mentioned this plan we have with 400 actions and all that.
    You know, your guys have copies of that. FY 2008, although 
some of the timelines go beyond--our 2008 really is a key year. 
It really is.
    And we expect to see very dramatic improvements in this 
whole area, because we got the tools in place now to help 
enforce some of this stuff that we did not have before.
    Mr. Bilbray. Do you have the money to pull this off though. 
I worry about the fact that I have seen again and again where 
we have done this. We have the mainframe set up, we get it all 
lined up, and then it doesn't connect. And we end up like the 
IRS did with a billion dollar system that doesn't work.
    General Howard. Sir, we do--we do have the money, unless 
somebody takes it away from me, which they haven't yet. I mean, 
I feel reasonably comfortable. We are okay there.
    The Chairman. Thank you, Mr. Bilbray. We thank you all for 
being here. As you heard, we have another set of votes. We are 
going to recess for 15 minutes. And then we will hear from the 
next panel.
    Please understand our sense of frustration. We want it 
yesterday. None of us underestimates the difficulty. But 
without goals, without timelines, by pointing to the next 
fiscal year, it is always a process and it never gets done. And 
we want it done. If you need more resources to do it, you need 
to ask us.
    Thank you again for being here. And we will start with 
panel 3 in about 15 minutes.
    General Howard. Thank you, sir.
    [Recess.]
    The Chairman. I apologize for having to hold you all 
morning. I appreciate your being here. The third panel is 
comprised of Dr. Paul Tibbits, Deputy Chief Information 
Officer, Office of Enterprise Development, U.S. Department of 
Affairs. And Doctor Ben Davoren, Director of Clinical 
Informatics. Is that right? Is that a new word? You'll have to 
define it for me. At the San Francisco VA Medical Center. 
Please, I appreciate you staying through the afternoon here.

 STATEMENTS OF PAUL A. TIBBITS, M.D., DEPUTY CHIEF INFORMATION 
     OFFICER, OFFICE OF ENTERPRISE DEVELOPMENT, OFFICE OF 
    INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS 
AFFAIRS; AND J. BEN DAVOREN, M.D., PH.D., DIRECTOR OF CLINICAL 
  INFORMATICS, SAN FRANCISCO VETERANS AFFAIRS MEDICAL CENTER, 
  VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS 
                            AFFAIRS

                STATEMENT OF PAUL TIBBITS, M.D.

    Dr. Tibbits. Thank you so much for the opportunity to 
testify in the realignment process in the Office of Information 
and Technology (OI&T) and to share with you the progress made 
in VA as a result of the centralization of development 
activities.
    Joining me on this panel is Dr. Ben Davoren, Director of 
Clinical Informatics in San Francisco and Dr. Jim Brieling. You 
have just heard testimony from Assistant Secretary Howard 
regarding our realignment progress and the need for more work 
to transition from a decentralized to a centralized 
organization.
    I would like to share with you our progress establishing an 
IT governance plan, strengthening development processes--
development process improvement efforts, and fostering 
innovation.
    You have heard also General Howard refer to his seven 
priorities or you would have had he used his prepared remarks. 
But in any case, I would like to discuss with you those that 
directly apply to us in development.
    First with respect to establishing a well-led, high-
performing IT organization, we are pursing improvement of the 
development of workforce throughout the Office of Enterprise 
Development.
    To improve the VA IT development workforce, we are 
instituting real-time coaching and mentoring by industry 
experts in best practices in systems development to 
institutionalize these practices in the VA.
    Second, standardizing IT infrastructure and IT business 
processes throughout the VA provides a baseline for measuring 
effectiveness of our development process. It is the first step 
to reduce time to deliver applications, reduce costs to develop 
applications, implement process performance measures, and 
increase productivity of the development of workforce. And it 
is certainly very hard work.
    We are using independent industry consultants to guide us 
through this self-improvement initiative.
    Third, let me address establishing programs that make VA's 
IT system more interoperable and compatible. Interoperability 
begins with a common understanding of terminology.
    The IT development organization will be collaborating more 
closely with the Administrations in the use of business 
modeling to perform--I'm sorry, to provide a uniform basis of 
developing a shared understanding of new ways to serve veterans 
and the information required to do so.
    We are engaging with the administrations and with DoD to 
strengthen and accelerate data standardization activities 
within VA and with DoD. We are exploring ways to focus on high 
priority patient groups, such as traumatic brain injury and 
post traumatic stress disorder, while continuing the hard work 
of semantic analysis, reconciliation, and the consolidation of 
multiple data feeds between VA and DoD. Fourth, we are focused 
on managing the VA IT appropriation to ensure sustainment and 
modernization of our IT infrastructure and more focused 
application development to meet the requirements of our 
business units.
    We are applying life cycle and total cost of ownership 
management practices to all development projects, to account 
for all costs of implementation and operations, as a foundation 
for budget formulation.
    We are moving toward clear line-of-sight alignment with the 
VA strategic plan and the Performance Accountability Report by 
re-shaping OMB 300 exhibits in fiscal year 2010, a creation of 
the first multi-year IT budget in VA, and strengthening our 
relationship with the requirements processes of the 
Administrations and staff offices.
    With respect to governance, we have established a 
participative transparent IT governance process at the senior 
executive level of the VA. We have created a set of 
organizational principles and governance structures and 
practices that surface business strategy; facilitate accurate 
project cost, benefit, and risk estimation, and provided the 
decision-making framework that focuses attention on the most 
critical projects. We are developing management dashboards to 
implement early warnings of issues with system development.
    The single IT appropriation sets a context for competition 
among new ideas, since some are not affordable. This creates 
the perception at the hospital level that many good ideas are 
disregarded despite ``local needs,'' and that the flexibility 
available to VISN and hospital directors to use healthcare 
funds for information technology is constrained.
    This disregards the rest of the story. Solutions developed 
locally, with a few exceptions, were rarely deployed across all 
VA medical centers, resulting in some centers not getting the 
advantage of these IT capabilities.
    Furthermore, many needs were thought of as local, when in 
fact they were enterprise-wide requirements. Under the single 
IT authority and single appropriation, IT appropriation, we 
operate in an environment of financial transparency. Funds 
dedicated to sustainment, extending legacy systems to meet 
urgent needs of returning warriors, and to modernize our 
computing environment are now visible to senior VA executives.
    Unmanaged local innovation makes the implementation of 
enterprise solutions quite difficult. Many IT products are 
operating in various VA medical centers, with no support 
mechanism to proliferate the more successful of them to all 
other medical centers.
    In close collaboration with VHA, we are moving to create a 
process to identify new ideas at the local level, facilitate 
collaboration among field developers and VA medical center 
healthcare professionals, and to develop new software products 
in a non-production environment in an unconstrained manner.
    In order to enter the live production environment and 
assure deployability across VA, certain technical assessments, 
business values, security, and patient safety assessments will 
be made and any remediation necessary applied.
    The migration from the VistA legacy system to the 
HealtheVet platform entails complex development. This form of 
innovation must be centrally managed. It is too large for local 
initiatives alone to accomplish.
    In addition, some forms of new IT support require an 
analysis of end-to-end processes to serve veterans, such as 
transition from DoD to VA, again not necessarily--not easily 
accomplished at the local level given complex data 
standardization and security issues that are involved. We are 
attempting to strike the right balance.
    We have had some problems. But we have also gained valuable 
visibility over unknown IT--heretofore unknown IT activities, a 
definite improvement.
    We also now know more about IT funding details across the 
VA and have a greater ability to protect sensitive veterans' 
information.
    In closing, let me say that we want your ideas. I want to 
assure you, Mr. Chairman, that a successful IT realignment 
activity is a key goal within the VA.
    We have accomplished many things this past year but much 
more remains to be done. I appreciate having this opportunity 
to discuss this with you and will gladly respond to your 
questions.
    [The prepared statement of Dr. Tibbits appears on p. 73.]

            STATEMENT OF J. BEN DAVOREN, M.D., PH.D.

    Dr. Davoren. Medical informatics or clinical informatics is 
the science of information management, including all of 
terminology as well as human computer interfaces and so forth. 
So it is actually quite broad. It is not yet a medical 
specialty but it is being considered for one as we speak.
    Good afternoon, Mr. Chairman, and Members of the Committee. 
I do want to thank you for this opportunity to provide my 
personal perspective of the OIT reorganization that began in 
2005. But the views that I present today are my own and do not 
necessarily represent the views of the VHA.
    By way of training, I am an oncologist. But I have been a 
member of the clinical work group that has helped guide the 
computerized patient record system development in VHA since 
1999.
    In response to the Secretaries proposal for IT realignment, 
many employees at medical centers expressed concerns about the 
details of the plan. And in particular, they felt that the 
regionalization of IT resources would create new points of 
failure that could not be controlled by the sites experiencing 
the impact of those. And that system redundancy required to 
prevent this was never listed as a prerequisite to 
centralization of critical patient care IT resources.
    From my point of view, it was clear to me that the focus of 
reorganization was on technical relationships and not on how 
the missions of VHA could be communicated to the new OIT 
structure. And I communicated this to my facility director and 
VISN director at that time.
    The IT reorganization has had a direct impact on VHA's four 
principal missions: patient care, education, research, and 
supporting the Department of Defense.
    With respect to the primary patient care mission, the good 
news has been that new policies and procedures, in particular 
regarding encryption of sensitive information, have been very 
well-publicized and have heightened the awareness of all care 
providers as to the critical nature of the information that 
they, that we, use everyday.
    The bad news is that centralization of physical IT 
resources to the regional data processing centers has directly 
led to more system downtime for individual medical centers than 
they have ever had before, resulting in hundreds of 
simultaneous threats to the safety of our veteran patients.
    Disagreements about whether new clinical application 
requests are IT or not-IT has delayed implementations. With 
respect to the education mission, the good news, again, is that 
awareness has been heightened for staff and students about the 
information that we use and the need to protect it in all 
settings.
    However, rules on encryption of all portable devices, such 
as thumb drives, rather than just on encrypting sensitive 
information, have made it cumbersome to go about common work, 
such as giving academic talks where no scientific information 
is present. And collaboration by video conferencing has been 
curtailed.
    With respect to the research mission, plan standardization 
of VHA databases may well and should create significant and 
very welcomed research opportunities. Though at this time, I 
don't have any specific progress to be able to report.
    In terms of our role in supporting the Department of 
Defense, I believe that initiatives to enhance electronic data-
sharing between VHA and DoD have proceeded appropriately from 
the field perspective.
    But in my opinion, there has been a lack of transparent 
communication between VHA and the reorganizing OIT structure. 
At present, economies of scale that were a cornerstone of the 
realignment proposal have not been communicated to the facility 
level where the work of VHA occurs.
    The focus on security and data integrity has led to a 
number of new requirements with impacts that generate 
significant concern without a clear pathway to resolution. In 
my view, there also remains a tremendous uncertainty about how 
to work with our longstanding IT colleagues to address local or 
regional clinical care, research, or educational needs.
    These arise on an almost daily basis as the result of new 
mandates from accrediting bodies, VA performance measures 
internally, or Congressional action.
    A word about the down time on August 31st. The new region 
one of OIT-supported facilities experienced the most 
significant technological threat to patient safety VA ever had. 
A 9-hour downtime during standard business hours that crippled 
the clinical and other information systems of 17 different VHA 
medical facilities.
    During the downtime, it became clear that many assumptions 
about the Regional Data Processing Center model were erroneous.
    Specifically, rather than creating a redundancy to protect 
facilities from system problems, a new single point of failure 
caused a problem that could never have been replicated without 
this Regional Data Processing Center model having been created.
    In my view, the OIT realignment process begun in 2005 for 
the right reasons has been focused on technical IT issues and 
the reporting structure of its new 6,000-strong employee force 
and not on linking IT strategic planning with organizational 
strategic planning.
    Mr. Chairman this concludes my statement. And I will be 
pleased to answer any questions you may have.
    [The prepared statement of Dr. Davoren appears on p. 76.]
    The Chairman. I didn't notice a lot of publicity about this 
downtime incident.
    Dr. Davoren. On August 31st?
    The Chairman. I don't remember it. The press didn't cover 
this, did they? Why do you think that was?
    Dr. Davoren. It consumed our day, but I am unclear on what 
the press did or did not cover.
    The Chairman. I mean you call it the most significant 
technological threat to patient safety the VA has ever had. You 
would think somebody would have made a--I think we would have 
had a Congressional hearing on it actually.
    So you are saying that the path that the VA took in terms 
of two different streams was very useful in that situation. Is 
that what you were saying? Phrase it for a layman so I can 
understand it.
    Dr. Davoren. I am not sure I understand the question 
completely.
    The Chairman. You said that we caused--I assume because of 
the centralized nature, a failure led to a very----
    Dr. Davoren. That's right.
    The Chairman [continuing]. Deep problem. And then you 
said--I see. I misunderstood what you said. ``A problem that 
could never have been replicated.''
    Dr. Davoren. Right.
    The Chairman. I don't know what that means.
    Dr. Davoren. In other words, before the regionalization of 
IT resources with individual--the actual systems that contain 
the patient information in a distributed fashion at the medical 
centers, it would have been impossible to have 17 medical 
centers simultaneously have their clinical information systems 
unavailable. But that was the case.
    The Chairman. Okay. So you are saying the centralization 
has ended up with this downside.
    Dr. Davoren. The--yeah. Centralization of the physical IT 
resources.
    The Chairman. Okay. That was the theme of your statement 
that the local kinds of needs may be either overlooked or 
washed out in terms of this.
    Dr. Davoren. That there isn't a clear pathway of 
communication. And----
    The Chairman. How would you remedy that?
    Dr. Davoren. Well, I think--I think there are a few key 
areas. From the facility level, the changes that have occurred 
in terms of our collaboration with our IT colleagues, it is not 
clear exactly what we can and can't do when we approach problem 
solving at the medical center.
    We have a number of--we have a number of internal and 
external bodies that tell us that things need to change as 
medical care evolves. And many of the processes that we have 
involve an IT component.
    So if we have a new discharge process for example, because 
we know our hospitals are very, very full, there may be some 
human resources as a project--a process action team, as we call 
them, typically looks at the causes of a problem. And looks for 
areas where we might be able to solve them.
    So a very, very full hospital trying to improve the 
discharge process is a key item. We may find that we actually 
need to hire a discharge planning nurse or a pharmacist. We may 
need to set aside some physical space. And we may need to make 
some changes or we would like to make some changes to how the 
computer system works, generates output for some of these 
people at the time of discharge.
    In the past, that was--we had a team. They all worked for 
the medical center. And so this whole process would be put 
together. Now that team, on paper for sure, no longer exists. 
So the question is at this point, for our region in particular, 
if we can't make local changes to our internal VistA system, it 
is not clear what the communication method is back to the 
resources that now live in OIT to accomplish that.
    The Chairman. What did you call--you had some coordinator 
of beds. You had a title to help----
    Dr. Davoren. For the discharge planning?
    The Chairman. Yes. What was the title?
    Dr. Davoren. So a number of VAs have looked at this process 
because it is so critical. So there are discharge planners----
    The Chairman. Discharge planners.
    Dr. Davoren [continuing]. Who are frequently----
    The Chairman. You should call them ``ombudsmen.''
    Dr. Davoren. I will make a note of this.
    The Chairman. The only guy who laughed was the guy I pay. I 
am told by the counsel that you have used the chemotherapy 
software as a good example to highlight some of this. Tell us 
about this.
    Dr. Davoren. Right. As a highlight of where the 
communications process is very unclear, it--there is a product 
that happens to be called IntelliDose. I am an oncologist, so I 
do write for chemotherapy.
    And this is a particular software that integrates with the 
VistA system, with the core VA system, for writing chemotherapy 
that the existing VistA system cannot do. And that immediately 
planned VistA systems will not do.
    So there is a system that has been piloted at the San Diego 
VA and integrated with VistA over the last couple of years to 
really work the bugs out in a real-life setting.
    And the--in the VHA structure, the Impaired Decision Making 
Capacity (IDMC) that was referred to earlier this morning, 
would--did make a decision about a year ago that it was ready 
for prime time if you will. The software was mature enough in 
its integration that it could be used at other medical centers 
besides the pilot site.
    We wrote a proposal after reviewing the software for my 
network, VISN 21. We got the clinical buy in. We saw a number 
of demonstrations to be sure this is what we wanted to do. And 
I wrote a proposal for the project.
    It was, by my own interpretation of the rules of what is or 
is not IT, really more of a medical device and not an IT 
expenditure. But that was not agreed with by the VISN CIO 
necessarily. And that as we wrote the proposal and were able to 
get funding, then suddenly a few weeks ago it was determined 
that this really ought to go back to the IDMC for not just 
their review and approval, but for review and approval for 
national funding.
    And the Western States Network Consortium that was--in 
region one, so the West Coast networks decided that perhaps 
this might be one of the pilot projects they would like to do 
at a regional level. So the particular proposal that I put 
together was on hold.
    So what this has the effect of saying is that we had a 
community sense of what needed to be done. We had a pilot 
project that proved--that proof of concept. We were ready to go 
forward for FY08. But now there is a new layer of review that 
is not entirely clear to me what exactly it is that makes this 
looks like it may not be--until 2009 or 2010.
    So it is going back to the IDMC body that originally says 
it was okay to get with a new task for the IDMC. I recognize 
that is very circular. But I am just trying to convey the sense 
that from the field perspective, the communication about what 
really needs to be done to implement something that our 
patients need now is very, very unclear.
    The Chairman. How long have you been with the VA?
    Dr. Davoren. I have been with the VA for 12 years.
    The Chairman. Do you feel secure in your job? I am about to 
do something that has not been done. So I want to make sure I 
get your----
    Dr. Davoren. I have told people I will find out whether or 
not I am a political appointee at this very hearing. So--but 
generally yes I do.
    The Chairman. I should do this. General Howard, can you 
just come back to the table for a second. I am not going to 
have an argument between you. But you have heard us yelling 
about centralization, right? And there have been qualms.
    We went from a very decentralized system, which had 
problems. Now we are moving to a very centralized system. And 
we hear there are problems with this approach. This is not the 
first person to raise these concerns. How do we find the 
balance there?
    General Howard. Yes, sir. Let me----
    The Chairman. And without, you know, reacting to every 
scream, we do one thing, and then we have gone too far, and now 
we have a scream about going the other way. And, you know, it 
is not a helpful process.
    General Howard. No, sir. But I would--I will say that there 
is a process in VHA for elevating requirements to the very 
senior level. I mean, there is. And, in fact, I have actually 
participated in meetings of the Committee that does that.
    I can't recall the individual who chairs that Committee 
right now. But it used to be Dr. Bob Lynch. Lynch has since 
left the VA. But there is a new individual now. I can't recall 
his name.
    But that body is in place. They had functions to 
prioritize, you know, whether an issue is a class three 
requirement that needs to be put in place or any requirement 
from within VHA. That is the Committee that decides how those 
items are prioritized.
    However with that said, there still exists at the facility 
level the capability to try out ideas and that sort of thing. 
And in fact, I will ask Paul Tibbits to describe the process. 
He mentioned it in his testimony that we in VHA are putting in 
place to make sure innovation does occur and continues to occur 
at the facility level.
    But at some point in time, you have to begin to gather that 
up and expand it throughout the VA or else----
    The Chairman. No. I understand that. But as I heard Dr. 
Davoren say--I mean, we have added, for example years, to a 
potentially very helpful therapy to try to test it or use it.
    And so are we adding this level of bureaucracy that will 
take--I mean, clearly you want something to spread good things 
quickly. But----
    General Howard. Mm-hmm.
    The Chairman [continuing]. You want to also balance that 
without having good things coming to the surface without a 
bureaucracy interfering.
    General Howard. Yes, sir. There--from an OIT standpoint, 
there is no--there is no OIT layer between Dr. Davoren and Mike 
Cuspin. We are not in that. We are in our own layer. You know, 
we have our own reporting process. But any requirement within 
VHA does not have to go through OIT. It can go all the way up 
to the top.
    Now at some point in time, obviously we are engaged in the 
examination of that issue to first of all see if it is 
possible, see if there is funding available, and what have you.
    The visibility issues, though, is key. You mentioned, you 
know, the decentralized way of doing business in the past. If I 
was a hospital director, in the past and before the IT 
appropriation, I did what I needed to do, you know, out of the 
medical money available. If I needed to spend it on IT I did. I 
mean, it was actually, if you were a hospital director, was not 
a bad environment. It was pretty good.
    The trouble is it was not very efficient. And the Congress 
actually got pretty upset with that kind of operation. And that 
is what we are trying to standardize. We are not--we are trying 
to standardize this. But at the same time, not kill innovation. 
We definitely do not want to do that.
    We want to put a better process in place to control it a 
little bit more so that the good ideas do bubble to the top and 
get used throughout the VA. And the ones that maybe are not 
very good, are finally just cut off. I mean, that is kind of a 
research environment that has to be----
    The Chairman. Well, but another way to ask about that 
balance, I mean, again, it was mentioned, this region one 
downtime----
    General Howard. Mm-hmm.
    The Chairman [continuing]. That we lost the whole region. I 
mean, is that an example of over-centralization or not?
    General Howard. It is to prevent----
    The Chairman. How are we going to prevent that from 
occurring again?
    General Howard. Sir, actually the--it is the regional data 
processing program. And it actually existed before the IT 
central. It was the VHA initiative that goes back a number of 
years.
    And the idea, the central idea, was to better protect the 
information, you know, in well-protected data centers, tier 
four data centers.
    Obviously at this point in time, we are responsible for 
that program. You know, it came over to us. So everything that 
happened at Sacramento is on our watch. You know, we were 
responsible for that.
    What we are discovering--and just to comment on that, 
clearly, you know, we put a team in to examine what happened. 
The fact is the tiger team is still at work to examine the 
details of all that. I have an independent review that is about 
to get underway, because there is more to this than meets the 
eye.
    We are very concerned about in the design of the program, 
for whatever reason, the proper backup at facility level was 
not adequately considered. We can see that now.
    In other words, some facilities had a better capability to 
read, not write, but read information on their backup system 
than other sites did. You know, why was that dichotomy there?
    And maybe we skimped from a resource standpoint. But we 
have an effort underway now to examine not just Sacramento, but 
the whole program to see exactly what we are doing and build in 
a more robust backup capability at the facility level. We have 
that underway and include the other data centers as well, you 
know, the corporate data centers.
    So we are stepping back to take a hard look at this program 
to see exactly what we are doing. Some aspects of it are good. 
The idea of protecting the information is very good.
    But you can't permit--you know, permit a condition that 
allows a hospital to go down for 8 hours. That is ridiculous. 
We cannot allow that to happen. We understand that. And we are 
going to take steps to do it. It may involve more funding. And 
we just don't know that at this time.
    The Chairman. Any more comments on this issue, Dr. Davoren.
    Dr. Davoren. On the down time?
    The Chairman. Or on any of the issues we just raised.
    Dr. Davoren. Right. I think, you know, ultimately the--if 
the end user needs, my needs and those of the people that I 
work with to directly care for the veteran in front of them, 
are the driver for processes that happen to include IT as a 
part of them. That the structure needs to be in place and more 
transparent to those of us who are in the field for how we 
can--how we can relay our innovative ideas as well as our 
concerns about day-to-day operations through the whole 
structure, through both our own VHA structure as well as the 
communication points to OIT. And from the field from the 
farthest point on the West Coast represented here that that is 
not in place.
    The Chairman. Okay. I hope we keep that in mind as we go 
through this process. And we should bring in more people from 
the field to give us their sense of what is going on.
    So thank you for your candid comments.
    I just--Dr. Tibbits, if I just--this thing about DoD and VA 
just flabbergasts me. You know, in concept, interoperability is 
easy. But we have been talking about it for probably a couple 
of decades. Why is it so difficult?
    I mean, could a General Howard or a Bill Gates come in and 
just say do it? What is so difficult about just ordering these 
two systems to talk to one another? I see some people shaking 
their heads that it couldn't happen that way. But why is that 
so--what am I missing here as a layman?
    Dr. Tibbits. Thank you for the question. It is an excellent 
question. And there are several ways to answer the question. 
And let me step through them quickly. And then allow more time 
for discussion if you wish.
    At the end of the day, the reason it is not so simple to 
just say go do it is the vocabulary problem. The vocabulary 
problem is an intense problem. If you can think of ``Roget's 
Thesaurus'' of the Department of Defense. It has got its--it 
would have its own thesaurus. If you think of ``Roget's 
Thesaurus'' of the VA, it would have its own thesaurus.
    And without putting those two things together, it is 
extremely difficult to get interoperability to happen in the 
way many people want it. So if you back down from that and 
start saying, all right, are there simplifying constructs that 
we can use? So without getting our thesaurus----
    The Chairman. Can't you have the ``Howard Thesaurus'' and--
--
    Dr. Tibbits. The what?
    The Chairman. ``Howard Thesaurus.''
    General Howard. You wouldn't be able to understand it.
    Dr. Tibbits. Well, we could. But what that creates, 
unfortunately, is a third thesaurus. And while, yes, if in 
fact--in fact that is a strategy. And if we got all parties to 
agree to that third one and mapped the third one, that would 
actually be progress.
    But I want to back down from that and say there are 
simplifying constructs. And those simplifying constructs 
involve not going for the full degree of information 
interoperability. So a computer can actually recognize the 
information. But simply transmit electronic information back 
and forth that the computer can't read, but a human being can. 
But it is still in the computer. All right?
    So we have done that. We have gone down to a lesser degree 
of information interoperability. And there is a great deal of 
clinical information that is going back and forth and scheduled 
to be augmented over the next few months between the two 
departments.
    And Mr. Bestor and Mr. Wu are very familiar with many of 
those initiatives, VA Health Information Exchange, Federal 
Health Information Exchange. Lots of information going back and 
forth there.
    The other piece of it is organizational. And let me just 
touch on that.
    The Chairman. I am sorry, go ahead.
    Dr. Tibbits. Let me just touch on that lightly. 
Organizational--I have personally been involved in looking at 
the organizational implications of what you are saying for many 
years, both when I was in DoD I spent a lot of time working on 
VA DoD collaboration. I had 26 years in the Navy Medical 
Department, 18 of which were on medical informatics I might 
add.
    I spent a lot of time on VA DoD collaboration issues. After 
that, I supported the Presidential Task Force and looked at DoD 
collaboration and wrote the chapter actually on seamless 
transition.
    One of the issues then we focused on, and we still focus on 
now, is there are two cabinet level agencies. And who exactly 
is it that is going to tell two cabinet-level agencies on a 
practical day-to-day basis to collaborate with each other?
    And when we go up the executive branch, what do we find? We 
find OMB in the White House. We were never convinced that as a 
practical matter of getting two cabinet agencies to collaborate 
with each other, either OMB or the White House, were really 
very effective management tools in the sense that that actually 
has to be managed. At a policy level, they may be quite 
effective. But to really get that to happen, is very difficult 
circumstance.
    So I guess thirdly I would say requirements are important. 
What are we trying to exchange information for? And there is 
two big buckets here that I want to put in front of you.
    One is to better serve veterans. The other is to save 
money. It is very important to look at those two objectives 
separately and figure out which one or both or which is it we 
are after and in what degree of priority.
    If our primary objective is to serve veterans' needs, a 
program structure would evolve from that and has evolved from 
that, which focuses on the data, the clinical data, what is in 
the record, how the veteran and how the servicemember was 
treated in exchanging that back and forth.
    If one is interested in saving money, then a whole 
different paradigm has to be taken, which looks at software and 
software development. And are we developing software together, 
we, VA and DoD, that would save money, that would allow us to 
reuse the software perhaps between both departments.
    But that in and of itself, would not standardize the data 
so that we could have the information and operability necessary 
to serve veterans' needs.
    So being clear about those objectives between the two 
departments, addressing the issues of how we get two 
departments from an organization perspective to collaborate 
with each other, and then forcing attention and more and more 
attention on the terminology issues to get the two departments 
to speak the same languages, are basically the three levels of 
issues that are relevant to your question.
    The Chairman. If we actually solved this thing, you 
wouldn't have a job anymore. That is the real problem here I 
think. Just kidding, sir.
    Dr. Tibbits. I would be glad to relinquish my job and solve 
that, because I have been after this issue and this job for too 
long. And I can't tell you how much I appreciate your question.
    No, we are solving it.
    The Chairman. Again, as a layman, I mean, you use 
`` Thesaurus I.'' What is the plural of thesaurus, a thesauri? 
Thesauramatics is probably a specialty. There is probably a 
specialty in the study of a thesaurus. You had one and two. And 
you--I suggested a third. Why isn't `` Thesaurus I'' adopted?
    Dr. Tibbits. Well----
    The Chairman. I am told VistA is the best system in the 
world. So why doesn't the DoD adopt VistA?
    Dr. Tibbits. That doesn't solve the terminology problem. 
That is why. And let me try to exemplify that for you in terms 
that perhaps all of you--everyone will be familiar with. And 
let me use email as an example.
    I assume many of you in the room today are familiar with 
Microsoft Exchange and use Microsoft Exchange for email, 
Outlook, Microsoft Outlook. I assume many of you at one time 
may have been familiar or used Lotus Notes. Two very different 
programs. Two very different sets of software. But yet 
information can be exchanged between the two of them, because 
if both users speak English terminology, if both users use the 
same standard protocols for transmission, TCPIP (Transmission 
Control Protocol Internet Protocol), a little techno babble, if 
both of those standards are in place, then information 
interoperability can happen very clearly with the software on 
both ends, sender and receiver being completely different.
    If on the other hand, you use Microsoft Outlook, and you 
attempt to send email to a Frenchman who is also using 
Microsoft Outlook, identical code on both ends, identical 
software, the same computer system, if you will, on both end, 
sender and receiver. You even use the same protocol, so the 
message will get through.
    If you speak only English, and the recipient speaks only 
French, there will be no information interoperability with 
identical code on both ends.
    That is exactly the situation we have now. If you take 
VistA, and the reverse is also true if you take Alta, either 
way. If you take VistA and power shoot it in the Department of 
Defense today, either it will have to be repopulated, the files 
and tables, with the terminology of the Department of Defense 
in order for them to be able to use it. Or they will have to 
change their entire terminology libraries to be able to use it 
with our terminology in it, which would be a massive change in 
policy, how they manage people, how they manage their budgets, 
how they do assignments, how they send people to theater, how 
they order band-aids. All would have to change to the VA's 
terminology model.
    The Chairman. Couldn't I send my English email through a 
translator?
    Dr. Tibbits. Yes. And that is the terminology mapping. And 
to build those--that is--that is the thesaurus work of putting 
the two thesaurus' together. And either----
    The Chairman. But then the Frenchman would understand me, 
right?
    Dr. Tibbits. That is correct. But that is the hard work. 
And that is why it takes so long.
    The Chairman. That is hard. Okay, it just sounds easy to 
me.
    Dr. Tibbits. Very hard. Very--those are very large data 
sets. Imagine every drug. That--when we standardized drugs, 
that is just one domain. When we standardize allergies, that is 
just one domain. When we standardize vital signs, that is just 
one domain. And that is what we are doing.
    And by the way, at the end of the day, we may not have 
necessarily addressed the data for traumatic brain injury. Why 
not? Because if you were to ask me well what have you done by 
way of standardization for traumatic brain injury, my answer 
would be, well, we have standardized drugs, we have 
standardized allergies, and we have standardized vital signs 
for them. Okay, Doc, but can you send the electro encephalogram 
back and forth? Well the answer is no. We didn't quite get to 
the wave form domain yet.
    So my answer is both. Continue with the hard work of the 
thesaurus work. Continue with that. Keep that going. While at 
the same time, we superimpose on it a problem-oriented 
approach.
    Take the big problems first, traumatic brain injury, PTSD, 
amputation, and look at a combination of both structure and 
unstructured data so that we actually have information 
inoperability, some of which is computable, some of which is 
not computable. But a physician can still read and develop our 
data exchange plans that way, so it is a combination of both as 
a simplifying and acceleration technique to address the key 
problems that are important to veterans today.
    The Chairman. Thank you. That was very helpful. I 
appreciate it.
    Mr. Wu, did you have a question? You may. Please.
    Mr. Wu. Chairman Filner, we appreciate the accommodation 
for counsel to ask several questions. I will defer the 
questions to General Howard, since we argue all the time. And 
we don't need to do that here.
    A little history. I don't need to ask Dr. Tibbits any 
questions, because he and I argued about the incompatibility or 
compatibility of DoD and VA for the last 10 years. And I was 
asking the same questions you were asking him before.
    But I will ask Dr. Davoren. I now know who I want to come 
to as a hematology oncologist if I become afflicted. And I 
appreciate that.
    The Chairman. It is oncologomatics is what he is----
    Mr. Wu. But your testimony concerns us. And I think, Mr. 
Bestor, the staff director on the majority side, and I have had 
this conversation before. He says, ``I have pride of 
authorship.'' Since we did the Omnibus Act that did the 
integration consolidation, and Mr. Buyer put 6 years into it.
    It is not that I don't have an appreciation for what you 
are talking about, what you want to do on the software program 
for chemotherapy protocols and so forth. I would just ask you 
this, how many in the VA system of 152 hospitals that deal with 
oncology, that deal with chemotherapy protocols, whether they 
are in clinical trials, that there aren't hospitals that are 
using some software now similar to what was demoed successfully 
in San Diego, not saying which is best, and how are they in the 
queue?
    What if you have five different systems out there doing the 
same thing? Should we have five systems? Should we have one?
    Dr. Davoren. At this point, I can tell you that there 
aren't any other integrated software systems in the VA 
specifically for this application. That is for me, that is what 
makes it such a no-brainer.
    I think the issue for the bake-off, if you will, of 
competing products is very important. I think there are many 
layers to this, however. Every--there is a saying that you have 
heard probably too many times in this room that when you have 
seen one VA, you have seen one VA.
    And that software by itself, does--it can enforce a 
specific clinical business process. But typically it is 
invested in a particular way of doing business.
    So, for example, if you look at the discharge process I 
talked about before, there are some places that may address 
this with some changes in physical space. There are places that 
may address this in changes of personnel and responsibilities, 
hiring nurses, hiring pharmacists, hiring a number of people.
    And they may also feel that there is an IT component that 
needs to be modified in those. And that doesn't mean that the 
IT component that is developed there is actually applicable to 
the way that another VA does business with the same exact 
problem.
    That doesn't mean it doesn't need to be addressed. But in 
way of answering your question, it is not clear at the--at the 
point of care for the veteran in front of you that it matters 
whether or not the exact tool that you use is the same in San 
Francisco as it is in Puget Sound, as it is in New Orleans.
    Mr. Wu. All right. I can appreciate that. On the down time, 
Chairman Filner, it was very disturbing to see a network of 
hospitals down or be without access to clinical information. I 
think that is profound.
    But I would ask you this, and I was relieved when those 
regional process data process centers went into place. Chairman 
Filner, I will tell you that I was detailed to the special 
investigative Committee on Katrina. And that was a good news 
story for the VA, because out of Louisiana State University, 
out of Tulane, out of Baptist Hospital, out of Charity, every 
one of their medical records were destroyed when the flood came 
through. The VA was able to download their medical records, 
which were on servers in the sub-basement.
    What is significant about that is that is where the sub-
basement is located. The front step of the VA hospital is four 
feet below sea level. So I can't imagine how far down further 
the sub-basement was.
    The point of the matter was they brought them, they 
downloaded the tapes, put them on a laundry truck, if I 
remember correctly, took them to the Superdome, and airlifted 
them out of there to Houston, where they were downloaded.
    Houston could not use the tapes, because the VistA system 
was different. It was tweaked locally. I think it was about 3 
to 4 days before they could bring it back up, plus they lost 
all their images, their radiographic images, the x-rays.
    And at that time, the question we had on the special 
Committee was--and it was a good news story and a bad news 
story for the VA--what happened? Why wasn't all the VA data 
available, because what I didn't realize is that all the data 
at each hospital, San Francisco is yours, and resides in San 
Francisco.
    If I am in Walla Walla or I am in San Diego and I have a 
patient that came in from San Francisco to San Diego, I have to 
reach in to the server that is at your hospital to get the data 
on that patient. It is not in any central depository where I 
can go and grab that data as a VA practitioner.
    So they made the regional centers, supposedly I thought, as 
a redundant backup so that if one hospital goes down, you can 
retrieve that information automatically.
    Now something dramatically, intrinsically went wrong with 
this meltdown. And that is unacceptable. You can't let that 
happen again.
    But the question I ask of you is did that regionalization 
and centralization happen before General Howard had to inherit 
that issue? So that was there. That is set up. That 
infrastructure and that internal control and security was in 
place.
    Now what he had to do was mitigate that. If he has 
inherited that mess and if there is a problem with it, he is 
going to have to fix it. And we are going to have to give him 
the money. These members are going to have to vote on that. And 
give him that kind of money to make sure that never happens 
again.
    But the question I have for you is, before centralization, 
how much down time did you have? Every hospital I know has had 
their systems crash. Our system in our Committee has crashed 
for a couple of days at a time where we couldn't retrieve 
anything.
    So when you say that you have more downtime since 
centralization, and these regional data processing systems were 
in before centralization, how do you then address that the 
centralization is the cause of that downtime?
    Dr. Davoren. I am not sure that centralization in terms of 
OIT reorganization is the cause of that. Centralization of the 
resources did create a new point of failure.
    And the local facility understanding was, and we have been 
told this in fact, and there is a memorandum from December of 
2006 that I don't have with me, but I can retrieve, that it 
would be essentially a seamless transition from the Sacramento 
Regional Data Processing Center for us to the Denver Regional 
Data Processing Center.
    So what I would say is that what you have said is exactly 
true. But the control on August 31st of moving the plan that we 
all understood at the field level was that when there was a big 
catastrophe such as what happened, we would be moved over to 
the Denver backup. That did not happen. And we did have the 
longest down--this is the longest unplanned downtime that we 
have ever had in San Francisco since we have had an electronic 
medical record.
    We have had two planned down times during major system 
upgrades, well coordinated, incredibly well set up in advance 
on weekends that were 8 hours in duration. But this was 9 hours 
for us unplanned. The longest that we have ever had.
    Mr. Wu. Are you a researcher also?
    Dr. Davoren. Somewhat. I mostly do clinical work and 
informatics.
    Mr. Wu. Are you familiar with the breach at Birmingham in 
research?
    Dr. Davoren. Yes.
    Mr. Wu. Do you have any idea what that is going to cost the 
VA to mitigate?
    Dr. Davoren. No.
    Mr. Wu. What about $26 million? Do you think there should 
be some personal responsibility of whoever does that?
    Dr. Davoren. I think that the--one of the good news points 
that I said before is that the mentality has been a major--a 
major emphasis of what has gone on with the reorganization in 
terms of the security initiatives to get people to really pay 
attention to the level of detail of knowledge that they have 
about everything that is at our fingertips.
    The same quality that makes sensitive information so 
sensitive is what makes it necessary for us to know it in an 
instant.
    Mr. Wu. I appreciate your testimony about, what doesn't 
need to be encrypted on thumb drives, what is in meetings and 
presentations. But how do the IT security people know what is 
on those unencrypted thumb drives?
    This is the security event report that comes out every week 
to Congress, to this Committee, to Chairman Filner and Mr. 
Buyer. We get them. Not all of them are great. Some are, you 
know, incidental. Some are--I don't even know why they report 
them. But they report everything.
    For your testimony, what should and shouldn't be encrypted? 
Who determines that? And is that on a personal recognizance of 
the physician or the practitioner or the VA employee? How do 
you then know what is on there? What isn't on there?
    We have a report of a cardiologist losing his thumb drive 
in the Midwest, with 26,000 names on it. What should happen, do 
you think, to that individual after they certified that they 
would not do that?
    Dr. Davoren. Well, I am not as familiar enough with the 
actual channels for discipline that might be appropriate in 
such a case. I think that we have made good moves to try and 
keep people from keeping such information on devices. But, 
obviously, it can happen. I think everything is, in fact, a 
risk benefit assessment.
    If you encrypt the desktops as has been proposed, if it 
takes me 25 minutes to get into the data that I need, I am 
going to tell you as a clinician, I don't believe that is worth 
it. But the data is much more secure that way. And you will 
have prevented other people from seeing it even if I can't use 
it for the veteran in front of me.
    So I think everything is about a balance. So I think in 
order to answer your question, the--how does the information 
security officer know everything that is on the thumb drive, 
with current technology, I don't believe there is a way to do 
so. So I believe that there is a certain amount of policy and 
procedure that always exists independent of the actual 
technical action that is taken.
    But I think it is just as important that we have the 
avenues of communication open to be able to discern when those 
become or appear to be punitive at the end result and when they 
appear to be completely justified.
    But I don't know that I am qualified to tell you exactly 
what should happen.
    Mr. Wu. I can appreciate that. And I thank Chairman Filner.
    The Chairman. Thank you, Mr. Wu, for your contributions. I 
just want to give our counsel a couple of questions. And then 
we will----
    Mr. Bestor. I don't have a phone book. So I can't read from 
that. And I wouldn't suggest that Art was doing that either. 
Sorry.
    But actually, Dr. Tibbits, I wanted to ask you a couple of 
questions about the seamless transfer of information between 
DoD and VA, because obviously that is a big issue. There a lot 
of resources being spent on it.
    The first thing about the possibility that VistA could be 
used by DoD, of course, nobody would suggest that you just 
parachute VistA into DoD. Presumably there would have to be 
some kind of development of DoD--of VistA to be--to make it 
possible for DoD to use it.
    Clearly there are requirements that DoD has like readiness 
that the VA--and I keep hearing readiness is the big one. There 
is a chart on my wall of the information systems in DoD. It is 
only eight-and-a-half by eleven. But it has got at least, I 
don't know, 100-150 different little points on it.
    Obviously, there would be a development process that one 
would have to go through. But it is the case that something 
like 75 percent of new docs have had some experience on VistA, 
because they go through a VA rotation during their residencies 
these days.
    And it is also true that a development process might be 
able to address those. The question is why isn't that being 
done? I mean, why--what is it about VistA that makes DoD so 
resistant to even looking at that as the in patient--well, not 
in patient, as the clinical medical record?
    Dr. Tibbits. Well, that is also a very good question. And 
there are probably lots of things. So let me--I guess I am 
going to basically think out loud with you.
    I would also, obviously, encourage you to ask DoD that 
question, because I don't want to speak for them----
    Mr. Bestor. Obviously.
    Dr. Tibbits [continuing]. As to what is in their mind with 
respect to VistA.
    So let me speak about objectives again and start off there. 
Your preamble included, I think, information sharing or 
something or serving veterans in--leading into your question.
    I would say that were we able to do the development work to 
put VistA into the Department of Veterans Affairs in some way, 
shape, or form, might be a very good idea. And I am going to 
come back to that in a minute. It might be a very good idea and 
might be feasible.
    I just want to go back for a moment, however, to my earlier 
discussion about email and the Englishman and the Frenchman. 
Let us not make the mistake that no matter how much development 
works goes on to put VistA into the Department--into DoD. No 
matter how much work goes on and if it is feasible, do not make 
the mistake of believing that that will accomplish information 
interoperability. It will not. It will do other things.
    You mentioned, for example, most doctors who go through 
training today in the United States in some way, shape, or form 
go through the VA. True. Therefore, most of them have used 
VistA. True. And, in fact, most of them like it. True.
    Okay. So what would putting VistA in the Department of 
Defense do today? It would probably reduce the training burden 
for those doctors over there, because they are already familiar 
with VistA. It might improve penetration of information 
technology into healthcare delivery in the Department of--in 
DoD, because VistA has a much higher success rate with respect 
to penetration and to healthcare than Alta does in the 
Department of Defense.
    So some very good things might happen by doing that. Just 
don't put your eggs in that basket with respect to information 
interoperability between the two departments. It won't 
accomplish that.
    The information interoperability between the two 
departments has got to deal with the data and how the data goes 
between the two departments, whether we put VistA over there or 
not.
    Now with respect to some other considerations, let me bring 
you all around to the notion of templates and structured data. 
We in the Department of Veterans Affairs right now are 
beginning more and more to use templates. We are beginning to 
use templates for the assessment of patients for the purpose of 
disability determination. Those are coming largely out of Steve 
Brown in Nashville with the Compensation and Pension Exam 
Program initiative. The acronym explanation, which I don't 
remember. Clinical evaluation, something or other.
    Anyway, lots of good work going on with respect to 
templates there. So we are moving in that direction.
    One of the major stumbling points, there are several, but 
one of the major stumbling points on the Alta side in DoD is 
that over there doctors hate templates. And the very--one of 
the high, high, high design objectives of Alta, irrespective of 
what clinicians in the clinic wanted, was to have machine-
readable concepts captured when the clinician put data into the 
system, the history, the physical, all the unstructured stuff, 
the text. My chief--I got sick 3 days ago when I hit my head on 
the door, and so forth, and so forth.
    To do all that in machine-readable terminology so that the 
system could do two things, automatically read that stuff and 
suggest codes so that the implantable cardioverter-
defibrillator and current procedural terminology coding would 
happen automatically. Could be suggested to the doctor. The 
doctor attests to the legitimacy of the coding. That is for 
productivity measurement.
    And the second thing is for syndromic surveillance with 
respect to bioterrorism. So when all those symptoms, I have 
fever, I have a headache, are in there in machine-readable 
terms that the computer can understand, the computer can then 
begin to do epidemiologic surveillance even if the doctor's 
diagnosis is wrong. It doesn't depend any longer on the 
doctor's diagnosis, incomplete or wrong, because symptoms can 
directly be searched. That requires machine-readable data 
entry, the thesaurus we talked about before.
    Well that creates an incredible imposition on physicians 
with respect to their normal workflow when they are seeing 
patients. They hate it by and large.
    So there is this very interesting sort of debate of 
objectives, I guess, between the two departments where we are 
moving toward templates. DoD is figuring out how to move 
somewhat away from templates. And do a little bit less of it. 
And where that balance is going to fall, I don't know.
    Now let me go to theater. Yes, with respect to military 
support of medical--I'm sorry, medical support of military 
operations that is clearly a unique mission the Department of 
Defense has, which we do not have.
    The human form factors of what a computer looks like. Is it 
a Blackberry? Is it a big machine? Is it a desktop? How big the 
screen is. Does it operate in the mud? Can it operate in the 
rain? All those kind of factors. How screen--how fast the 
screen paint time is.
    Communications, in theater, while communications may not be 
universally available in the United States, it is a whole lot 
more reliable in the United States than it is in Afghanistan.
    So all the applications in Afghanistan have to be modified 
for unreliable communications. That is a mission the Department 
of Veterans Affairs does not have.
    So when applications are being considered in economies of 
scale and all that kind of stuff, are both departments really 
sure that by trying to converge on the application software 
itself, we are making the best economic decision.
    Let me give you an example, a truck. Suppose you had to 
design a truck that had to operate in the mud effectively and 
drive efficiently through downtown Washington, DC. I would 
contend that the form factors on that truck might be such that 
and something had to pass between the two trucks. Let us say 
they're both ambulances, and you had to pass patients between 
the two.
    I would contend that a whole lot of engineering analysis 
would have to go on to determine is one truck with a certain 
bit of modifications the most efficient way to design this new 
vehicle so that it works both in the mud, and Afghanistan, and 
in downtown Washington, DC, or is it cheaper and more 
effectively to simply design two trucks where the back doors 
fit each other and we can pass the patient through it?
    I would contend that is not a foregone conclusion. And it 
has to be thought through.
    The Chairman. Actually, Doctor, I can think of a response 
to that analogy, but I don't want to keep us all here. You and 
I are going to be talking a lot.
    Dr. Tibbits. Great.
    The Chairman. So we can talk about that some more. You 
know, it is really about information exchange. It is not--
wouldn't you want the same size bolts and all that kind of 
stuff. But let us not go there.
    Let me ask you about this interoperability thesaurus. 
Tell--the Clinical Data Repository/Health Data Repository 
(CHDR) the VA is working on, is that the thesaurus work that 
you are talking about, the updated repository?
    Dr. Tibbits. Yes. That is the thesaurus work on our side.
    The Chairman. Right. And the Clinical Data Repository (CDR) 
is the thesaurus work on DoD's side, correct.
    Dr. Tibbits. That is correct.
    The Chairman. And we are looking at timeframes that are 8 
years out?
    Dr. Tibbits. Could possibly be, which is why I am 
suggesting we need a simplifying construct to accelerate that 
work.
    The Chairman. Okay. I am not sure what you mean by ``a 
simplifying construct.'' You can have interim solutions even if 
you are continuing to work toward that long-term goal.
    Dr. Tibbits. Exactly right. And----
    The Chairman. And is that what you mean?
    Dr. Tibbits. Yeah. It is what I mean. And those interim 
solutions, if we focus on information interoperability for the 
purpose of serving veterans----
    The Chairman. Right.
    Dr. Tibbits [continuing]. And don't distract ourselves at 
the application software level and worry about what will work 
in theater and all that stuff. If we don't distract ourselves 
with that question, focus on the information number one. Number 
two, focus on what the high-priority problems are today that we 
need to fix for servicemembers and veterans.
    The Chairman. Right.
    Dr. Tibbits. Traumatic brain injury, PTSD, amputation. What 
is the information exchange that has to go on between the two 
departments to optimally handle those conditions?
    The Chairman. Right.
    Dr. Tibbits. That is a list. Some of that list could, in 
fact, be computable. Some of it may be computable already 
today. Some of that list might not be computable, but 
exchangeable today in non-computable fashion, fine.
    And some of that list might not yet have been addressed. 
But could be addressed in a non-computable fashion, so we don't 
need a thesaurus solution.
    The Chairman. Right.
    Dr. Tibbits. But those layers of composite approaches that 
I just described could be put in place in an organized manner 
and plan that would greatly accelerate the information exchange 
between the two departments. And alleviate as to some extent of 
this critical path thesaurus work that is going to--it is by 
definition going to still take a long time.
    The Chairman. Right.
    Dr. Tibbits. One more comment. I would suggest, and I have 
suggested by the way, the Administration has put a very high 
priority in VA/DoD collaboration. I assume you all know that. 
Both the Deputy Secretaries of both departments meet weekly on 
this subject. I am part of that process with Secretary England 
and Secretary Mansfield. They have their four-stars in the 
building meeting with the Undersecretaries, and so forth, and 
on our side as well.
    I have suggested to that group, and DoD has agreed, that we 
will also undertake another level of assessment with respect to 
interoperability. And you mentioned the two key elements, the 
health data repository and the clinical data repository, which 
today are connected together by a wire over which we transmit 
standardized data called CHDR.
    The Chairman. Right.
    Dr. Tibbits. CHDR.
    The Chairman. Right.
    Dr. Tibbits. My proposition to the Department of Defense is 
why don't we simply put a workgroup together, which we now have 
done by the way. Why don't we put a workgroup together to look 
at the entire constructive Health Data Repository, the entire 
constructive of the CDR? See if we can eliminate those two 
things as two separate constructs and simply create one common 
database under both medical records.
    If we can create one common database under both medical 
records, then the application software doesn't matter anymore.
    The Chairman. Right.
    Dr. Tibbits. DoD can use their Alta. We could use our 
VistA. Indian Health Service, if we wanted to, they could use 
their Indian Health Service applications. If we all put stuff 
in the same database, we will have achieved the information 
interoperability objectives we need to serve veterans. And 
completely end this debate about whose application is better or 
more suited to the target environment.
    The Chairman. Right. And so what is the timeframe? Suppose 
tomorrow they say do it. How long does it take to do it?
    Dr. Tibbits. To put those two databases together?
    The Chairman. Yes.
    Dr. Tibbits. I would say it is going to give--I would say 
it is going to take us probably 6 months to have an answer as 
to whether it is feasible and will save us time.
    My hypothesis is that it will be feasible and it will save 
us time. That is a hypothesis that remains to be confirmed.
    The Chairman. Okay. And is what you just described doing 
testing that hypothesis?
    Dr. Tibbits. Yes. That is the study that is going on.
    The Chairman. Okay.
    Dr. Tibbits. Yes. We have launched that study. Yes.
    The Chairman. Thank you very much. I think we have learned 
a lot. I appreciate your input. You read too much Dr. Seuss, 
will it work in the mud? Will it work on the scud? Will it work 
with a lot of blood? His widow lives in my district. So I am 
going to bring this to her.
    But thank you very much. Thank you very much Mr. Wu. Thank 
you, Mr. Bestor. We have a lot of work. Everybody is impatient. 
So if you need more resources to go faster, let us know please.
    General, do you have anything to add?
    General Howard. Sure. We just appreciate your support. And 
we are in constant communication with your staff. And if we 
need help, rest assured we will come forward.
    The Chairman. Thank you, sir. This hearing is adjourned.
    [Whereupon, the Committee was adjourned.]



                            A P P E N D I X

                              ----------                              

                 Prepared Statement of Hon. Bob Filner,
             Chairman, Full Committee on Veterans' Affairs
    Thank you all for coming here today for this hearing on VA's 
information technology reorganization efforts. We will examine the 
progress the VA has made in centralizing its IT efforts.
    We shall explore the progress the VA has made in its efforts to be 
the ``gold standard'' of information security among Federal agencies, a 
goal enunciated by Secretary Nicholson in the wake of last year's data 
breach involving over 25 million veterans and the incident earlier this 
year in Birmingham, Alabama.
    This Committee understands that IT centralization will not happen 
overnight, nor are we asking it to, but we are asking--and our veterans 
are demanding--that the VA to be held accountable for getting the job 
done.
    This past June, the Government Accountability Office (GAO), while 
praising the commitment from senior leadership, found fault with a 
number of areas in the VA's 
efforts, areas that hinder the VA's ability to successfully reach its re
organization goals.
    They included . . . rejecting GAO's recommendation that VA create a 
dedicated implementation team responsible for day-to-day management of 
major change initiatives. Instead, VA is apparently dividing the 
responsibility among two organizations in the new structure. GAO was 
concerned that this approach would not work, and so is this Committee.
    More recently, GAO reported that of 17 recommendations made by the 
VA Inspector General, 16 had not yet been implemented. Implementing 
these recommendations is essential if the VA is to protect private 
information and meet its obligations under the Federal Information 
Security Management Act (FISMA).
    In the final analysis, we must remember that IT is merely a tool, a 
tool used by the VA in furtherance of its mission of caring for 
veterans. This Committee has continued to work in a bipartisan fashion 
to encourage the VA to centralize its IT efforts. These efforts will 
lead to concrete benefits for both the VA, taxpayers, and most 
importantly our veterans.
    As we look to the VA to better manage its IT efforts, and to take 
the lead in data security efforts, we must also ensure these efforts do 
not unduly harm the VA's mission of providing healthcare and benefits 
to our veterans.
    Our charge is to ensure that while VA is carrying out its mission, 
it does so with the best and most up-to-date technology the 21st 
century provides, while securing that technology from outside 
manipulation and preventing improper disclosure of our veterans' 
confidential information.
    VA, at the same time, must continue the creativity and innovation 
in the use of electronic medical and other systems that has put VA at 
the forefront of medical care. These are not easy tasks. We are 
heartened by many of the steps the VA has undertaken, but remained 
concerned that more should be done, and could be done . . . faster.
    We remain hopeful that the VA can simultaneously provide our 
veterans the greatest security, management and healthcare. Undoubtedly, 
the efficient and effective management and operation of the VA IT 
efforts will realize tangible benefits for our veterans.

                                 
         Prepared Statement of Hon. Stephanie Herseth Sandlin,
      a Representative in Congress from the State of South Dakota
    Thank you Chairman Filner and Ranking Member Buyer for holding 
today's hearing to evaluate the VA's reorganization of its information 
technology infrastructure and management.
    Considering the numerous hearings that this Committee dedicated 
last year to investigating the VA's information technology problems, it 
is only right that we take this opportunity to follow-up on the 
progress of VA's reorganization efforts. This Committee, and Congress 
as a whole, have a responsibility to remain vigilant in its oversight 
role to ensure the VA continues to move forward in its pledge to 
protect the private information of our Nation's veterans.
    I share the frustration of my colleagues regarding the repeated 
failures to change the VA's information organizational structure and 
the recurring instances of lost personal information.
    I thank Mr. Howard and Mr. Claudio for testifying today. I have 
heard good things about your commitment to providing a secure 
information technology environment. In order for this Committee to 
properly conduct its oversight responsibilities we must be able to 
engage in an open and honest discussion. It is extremely valuable for 
the Committee to hear from those of you on the frontline working to 
bring down the institutional barriers of VA's current IT organizational 
structure.
    While the VA has taken important steps toward completing 
information technology realignment, many questions remain unanswered 
and many changes to the VA's policies, regarding the handling of 
sensitive information, will need to be made.
    I hope that today's hearing will shed some light on these 
unanswered questions and lead to better safeguarded information 
security systems at the VA.
    We must work to ensure that the personal information of our 
Nation's veterans is protected and these widely reported security 
incidents never happen again.
    Thank you again Mr. Chairman. I look forward to hearing from 
today's witnesses.

                                 
            Prepared Statement of Hon. Henry E. Brown, Jr.,
     a Representative in Congress from the State of South Carolina
    Mr. Chairman and Ranking Member Buyer, thank you for calling this 
hearing to examine the VA's information technology management 
structure. I hope that this Committee will take a serious step in 
addressing one of the biggest challenges facing the Department today; 
improving the capabilities of VA's information technology system, while 
strengthening security measures.
    As the Congress and this Committee looks at VA's information 
technology reorganization and the progress that they have made as a 
result of establishing a centralized management system, I am hopeful 
that we will do so in a way that focuses on the bipartisan concern we 
have for the wellbeing of our Nation's veterans. I believe that 
improving access to healthcare, providing benefits, and implementing 
information technology go hand-in-hand as we work to ensure that our 
Nation's veterans have all the resources they need to make a seamless 
transition into civilian life.
    In closing, Mr. Chairman, I look forward to hearing from our 
witnesses this morning and the discussion that we will have on this 
important issues. Again, Mr. Chairman, thank you for the time, which I 
now yield back.

                                 
             Prepared Statement of Hon. Ginny Brown-Waite,
         a Representative in Congress from the State of Florida
    Thank you Mr. Chairman,
    I want to thank all of our witnesses here today for testifying 
before this Committee. There has been a great deal of focus placed on 
the use of Information Technology at the Department of Veterans 
Affairs. The VA relies heavily on information technology to carry out 
its important mission of serving our Nation's veterans.
    The VA undertook an ambitious process to recentralize its IT 
functions in 2003 and learned many valuable lessons as a result. This 
has led Secretary Nicholson to approve a federated IT management system 
for the VA. In this new federated system, the VA divided operations and 
maintenance from systems development. Innovative thinking like this is 
needed to ensure that the VA is meeting the needs of veterans in an 
effective and efficient manner.
    Overhauling the IT system at the VA has been a long and difficult 
process and completion of the realignment is scheduled for July 2008. 
However, a June 2007, GAO report states, that the VA risks jeopardizing 
the success of these efforts and may not realize the long-term benefits 
of the realignment if they do not comply with the recommendations made 
by the GAO. I look forward to hearing more about these recommendations 
from both the GAO and the VA here today.
    Once again, I welcome you to the hearing and look forward to 
hearing your thoughts on the issue before us today.

                                 
              Prepared Statement of Hon. John T. Salazar,
        a Representative in Congress from the State of Colorado
    Thank you Mr. Chairman.
    Mr. Chairman, I'm a potato farmer, and in the 30 years that I've 
been farming I've seen how technology has changed farming operations 
all over the world.
    Change and advancement are inevitable when it comes to technology. 
It's the nature of the beasts.
    A farmer can spend hundreds of thousands of dollars on a single 
piece of equipment, but unless that farmer knows how to manage that 
machine and manages it correctly, that tractor will destroy the crops 
the farmer is attempting to harvest.
    We could have the most advanced technology in the world, but it's 
useless if we fail to manage it properly.
    A year ago, we heard about an employee of the VA who had his laptop 
stolen, potentially compromising the personal records of over 2 million 
veterans.
    Since then, important steps have been taken by the VA to minimize 
the possibility of these types of things from happening in the future. 
Some of these steps have been taken voluntarily by the VA and some have 
been mandated by Congress.
    Last year, there were major changes in the management of IT affairs 
at VA, and this hearing is a chance to get a reading on the impact of 
that change.
    This hearing and the multiple hearings we've had in the last few 
years like this one are about more than just the IT department in a 
government agency.
    The records being kept by VA belong to real people; men and women 
who served our country during both times of peace and times of 
conflict.
    I look forward to the testimony from our witnesses. I hope to get a 
better sense of where the Department is and where it plans to go with 
the technology it has in its hands.

                                 
           Prepared Statement of Valerie C. Melvin, Director,
        Human Capital and Management Information Systems Issues,
                 U.S. Government Accountability Office

  Veterans Affairs--Sustained Management Commitment and Oversight are 
    Essential to Completing Information Technology Realignment and 
                   Strengthening Information Security

                             GAO Highlights

Why GAO Did This Study
    The Department of Veterans Affairs (VA) has encountered numerous 
challenges in managing its information technology (IT) and securing its 
information systems. In October 2005, the department initiated a 
realignment of its IT program to provide greater authority and 
accountability over its resources. The May 2006 security incident 
highlighted the need for additional actions to secure personal 
information maintained in the department's systems.
    In this testimony, GAO discusses its recent reporting on VA's 
realignment effort as well as actions to improve security over its 
information systems. To prepare this testimony, GAO reviewed its past 
work on the realignment and on information security, and it updated and 
supplemented its analysis with interviews of VA officials.
What GAO Recommends
    In recent reports, GAO made recommendations aimed at improving VA's 
management of its realignment efforts and information security program.
What GAO Found
    VA has fully addressed two of six critical success factors GAO 
identified as essential to a successful transformation, but it has yet 
to fully address the other four, and it has not kept to its scheduled 
timelines for implementing new management processes that are the 
foundation of the realignment. That is, the department has ensured 
commitment from top leadership and established a governance structure 
to manage resources, both of which are critical success factors. 
However, the department continues to operate without a single, 
dedicated implementation team to manage the realignment; such a 
dedicated team is important to oversee the further implementation of 
the realignment, which is not expected to be complete until July 2008. 
Other challenges to the success of the realignment include delays in 
staffing and in implementing improved IT management processes that are 
to address longstanding weaknesses. The department has not kept pace 
with its schedule for implementing these processes, having missed its 
original scheduled timeframes. Unless VA dedicates a team to oversee 
the further implementation of the realignment, including defining and 
establishing the processes that will enable the department to address 
its IT management weaknesses, it risks delaying or missing the 
potential benefits of the realignment.
    VA has begun or continued several major initiatives to strengthen 
information security practices and secure personally identifiable 
information within the department, but more remains to be done. These 
initiatives include continuing the department's efforts to reorganize 
its management structure; developing a remedial action plan; 
establishing an information protection program; improving its incident 
management capability; and establishing an office responsible for 
oversight and compliance of IT within the department. However, although 
these initiatives have led to progress, their implementation has 
shortcomings. For example, although the management structure for 
information security has changed under the realignment, improved 
security management processes have not yet been completely developed 
and implemented, and responsibility for the department's information 
security functions is divided between two organizations, with no 
documented process for the two offices to coordinate with each other. 
In addition, VA has made limited progress in implementing prior 
security recommendations made by GAO and the department's Inspector 
General, having yet to implement 22 of 26 recommendations. Until the 
department addresses shortcomings in its major security initiatives and 
implements prior recommendations, it will have limited assurance that 
it can protect its systems and information from the unauthorized 
disclosure, misuse, or loss of personally identifiable information.

                               __________

Mr. Chairman and Members of the Committee:

    Thank you for inviting us to participate in today's hearing on the 
Department of Veterans Affairs (VA) realignment of its information 
technology management structure and actions toward strengthening its 
information security program. In carrying out its mission of serving 
our Nation's veterans, the department relies heavily on information 
technology (IT), for which it expends about $1 billion annually. As you 
know, however, VA has encountered persistent challenges in IT 
management, having experienced cost, schedule, and performance problems 
in its information system initiatives, as well as losses of sensitive 
information contained in its systems. We have reported that a 
contributing factor to VA's challenges in managing projects and 
improving security was the department's management structure, which 
until recently was decentralized, giving the administrations \1\ and 
headquarters offices \2\ control over a majority of the department's IT 
budget.
---------------------------------------------------------------------------
    \1\ The VA comprises three administrations: the Veterans Benefits 
Administration, the Veterans Health Administration, and the National 
Cemetery Administration.
    \2\ The headquarters offices include the Office of the Secretary, 
six Assistant Secretaries, and three VA-level staff offices.
---------------------------------------------------------------------------
    In October 2005, VA initiated a realignment of its IT program to 
provide greater authority and accountability over its resources. In 
undertaking this realignment (due for completion in July 2008), the 
department's goals are to centralize IT management under the 
department-level Chief Information Officer (CIO) and standardize 
operations and the development of systems across the department through 
the use of new management processes based on industry best practices. 
This past June we reported on the department's realignment initiative, 
noting progress as well as the need for additional actions to be 
completed. \3\ Just last week, we also released a report on VA 
information security, which included an assessment of the realignment 
with regard to the department's information security practices. \4\
---------------------------------------------------------------------------
    \3\ GAO, Veterans Affairs: Continued Focus on Critical Success 
Factors Is Essential to Achieving Information Technology Realignment, 
GAO-07-844 (Washington, D.C.: June 15, 2007).
    \4\ GAO, Information Security: Sustained Management Commitment and 
Oversight Are Vital to Resolving Longstanding Weaknesses at the 
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7, 
2007).
---------------------------------------------------------------------------
    At your request, my testimony today will summarize the department's 
actions to realign IT management and our findings regarding the 
department's information security program. In developing this 
testimony, we reviewed our previous work on the department's 
realignment and efforts to strengthen information security. We also 
obtained and analyzed pertinent documentation and supplemented our 
analysis with interviews of responsible VA officials to determine the 
current status of the department's realignment efforts. All work on 
which this testimony is based was conducted in accordance with 
generally accepted government auditing standards.
Results in Brief
    VA has fully addressed two of six critical success factors we have 
identified as essential to a successful transformation, but it has not 
kept to its timelines for implementing new management processes that 
are the foundation of the realignment. Consequently, the department is 
in danger of not being able to meet its 2008 targeted completion date. 
The department has ensured commitment from top leadership and 
established a governance structure to manage resources, both of which 
are critical success factors. However, the department continues to 
operate without a single, dedicated implementation team to manage the 
realignment; such a dedicated team is important to oversee the further 
implementation of the realignment. Other challenges to the success of 
the realignment include delays in staffing and in implementing the IT 
management processes that are the foundation of the realignment. The 
department has not kept pace with its schedule for implementing these 
processes, having missed its original scheduled timeframes. Unless VA 
dedicates a team to oversee the further implementation of the 
realignment, including defining and establishing the processes that 
will enable the department to address its IT management weaknesses, it 
risks delaying or missing the potential benefits of the realignment.
    VA has made progress in strengthening information security, but 
much work remains to resolve longstanding security weaknesses. The 
department has begun or has continued several major initiatives to 
strengthen information security practices and secure personally 
identifiable information \5\ within the department. These initiatives 
include continuing the department's efforts, as described above, to 
realign its management structure; developing a remedial action plan; 
establishing an information protection program; improving its incident 
management capability; and establishing an office responsible for 
oversight and compliance of IT within the department. However, although 
these initiatives have led to progress, their implementation has 
shortcomings. For example, a new security management structure has been 
implemented, but improved security management processes have not yet 
been completely developed and implemented; in addition, the new 
security management structure divides the responsibility for the 
department's information security functions between two organizations, 
with no documented process for the two offices to coordinate with each 
other. Further, the department has made limited progress in addressing 
prior GAO and Inspector General recommendations to improve security: 
although VA has taken steps to address these, it has not yet completed 
the implementation of 22 out of 26 prior recommendations.
---------------------------------------------------------------------------
    \5\ Personally identifiable information, which can be used to 
locate or identify an individual, includes things such as names, 
aliases, and Social Security numbers.
---------------------------------------------------------------------------
    In the reports covered by this testimony, we have made numerous 
recommendations aimed at improving the department's management of its 
realignment and information security program. VA has agreed with these 
recommendations and has begun taking or plans to take action to 
implement them. If this implementation is properly executed, it could 
help the department to realize the expected benefits of the 
realignment, as well as to better secure its information and systems.
Background
    VA's mission is to promote the health, welfare, and dignity of all 
veterans in recognition of their service to the nation by ensuring that 
they receive medical care, benefits, social support, and lasting 
memorials. Over time, the use of IT has become increasingly crucial to 
the department's effort to provide benefits and services. VA relies on 
its systems for medical information and records for veterans, as well 
as for processing benefit claims, including compensation and pension 
and education benefits.
    In reporting on VA's IT management over the past several years, we 
have highlighted challenges the department has faced in enabling its 
employees to help veterans obtain services and information more quickly 
and effectively while also safeguarding personally identifiable 
information. A major challenge was that the department's information 
systems and services were highly decentralized, giving the 
administrations a majority of the IT budget. \6\ In addition, VA's 
policies and procedures for securing sensitive information needed to be 
improved and implemented consistently across the department.
---------------------------------------------------------------------------
    \6\ For example, according to an October 2005 memorandum from the 
former CIO to the Secretary of Veterans Affairs, the CIO had direct 
control over only 3 percent of the department's IT budget and 6 percent 
of the department's IT personnel. In addition, in the department's 
fiscal year 2006 IT budget request, the Veterans Health Administration 
was identified to receive 88 percent of the requested funding, while 
the department was identified to receive only 4 percent.
---------------------------------------------------------------------------
    As we have previously pointed out, \7\ it is crucial for the 
department CIO to ensure that well-established and integrated processes 
for leading, managing, and controlling investments in information 
systems and programs are followed throughout the department. Similarly, 
a contractor's assessment of VA's IT organizational alignment, issued 
in February 2005, noted the lack of control over how and when money is 
spent. \8\ The assessment noted that the focus of department-level 
management was only on reporting expenditures to the Office of 
Management and Budget and Congress, rather than on managing these 
expenditures within the department.
---------------------------------------------------------------------------
    \7\ GAO-07-844.
    \8\ Gartner Consulting, OneVA IT Organizational Alignment 
Assessment Project ``As-Is'' Baseline (McLean, Virginia; Feb. 18, 
2005).
---------------------------------------------------------------------------
Centralized IT Organization
    In response to the challenges that we and others have noted, the 
department officially began its effort to provide the CIO with greater 
authority over IT in October 2005. At that time, the Secretary issued 
an executive decision memorandum granting approval for the development 
of a new management structure for the department. According to VA, its 
goals in moving to centralized management are to enable the department 
to perform better oversight of the standardization, compatibility, and 
interoperability of systems, as well as to have better overall fiscal 
discipline for the budget.
    In February 2007, the Secretary approved the department's new 
organizational structure, which includes the Assistant Secretary for 
Information and Technology, who serves as VA's CIO. As shown in figure 
1, the CIO is supported by a principal deputy assistant secretary and 
five deputy assistant secretaries--new senior leadership positions 
created to assist the CIO in overseeing functions such as cyber 
security, IT portfolio management, systems development, and IT 
operations.
  Figure 1--Office of Information and Technology Organizational Chart
[GRAPHIC] [TIFF OMITTED] T9456A.001

    Source: VA
    Note: DAS = Deputy Assistant Secretary

    In addition, the Secretary approved an IT governance plan in April 
2007 that is intended to enable the Office of Information and 
Technology to centralize its decisionmaking. The plan describes the 
relationship between IT governance and departmental governance and the 
approach the department intends to take to enhance IT governance. The 
department also made permanent the transfer of its entire IT workforce 
under the CIO, consisting of approximately 6,000 personnel from the 
administrations. Figure 2 shows a timeline of the realignment effort.
         Figure 2--Timeline of Key Events for VA IT Realignment
[GRAPHIC] [TIFF OMITTED] T9456A.002


Multiple Factors Increasing Risk to Success of Realignment
    Although VA has fully addressed two of six critical success factors 
that we identified as crucial to a major organizational transformation 
such as the realignment, it has not fully addressed the other four 
factors, and it has not kept to its scheduled timelines for 
implementing new management processes that are the foundation of the 
realignment. Consequently, the department is in danger of not being 
able to meet its target of completing the realignment in July 2008. In 
addition, although it has prioritized its implementation of the new 
management processes, none has yet been implemented. In our recent 
report, \9\ we made six recommendations to ensure that VA's realignment 
is successfully accomplished; the department generally concurred with 
our recommendations and stated that it had actions planned to address 
them.
---------------------------------------------------------------------------
    \9\ GAO-07-844.
---------------------------------------------------------------------------
VA Has Not Fully Addressed All Critical Success Factors
    We have identified critical factors that organizations need to 
address in order to successfully transform an organization to be more 
results oriented, customer focused, and collaborative in nature. \10\ 
Large-scale change management initiatives are not simple endeavors and 
require the concentrated efforts of both leadership and employees to 
realize intended synergies and to accomplish new organizational goals. 
There are a number of key practices that can serve as the basis for 
Federal agencies to transform their cultures in response to governance 
challenges, such as those that an organization like VA might face when 
transforming to a centralized IT management structure.
---------------------------------------------------------------------------
    \10\ GAO, Results-Oriented Cultures: Implementation Steps to Assist 
Mergers and Organizational Transformations, GAO-03-669 (Washington, 
D.C.: July 2, 2003); and Highlights of a GAO Forum: Mergers and 
Transformation: Lessons Learned for a Department of Homeland Security 
and Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 
2002).
---------------------------------------------------------------------------
    The department has fully addressed two of six critical success 
factors that we identified (see table 1).


                   Table 1--Current Status of VA's Actions to Address Critical Success Factors
----------------------------------------------------------------------------------------------------------------
               Critical success factor                                Status as of September 2007
----------------------------------------------------------------------------------------------------------------
Ensuring commitment from top leadership                   Fully addressed: Secretary Nicholson approved the new
                                                          organization structure and the transfer of employees.
----------------------------------------------------------------------------------------------------------------
Establishing a governance structure to manage              Fully addressed: Secretary Nicholson approved the IT
 resources                                                     governance plan, and VA established three new IT
                                                        governance boards that began meeting earlier this year.
----------------------------------------------------------------------------------------------------------------
Linking IT strategic plan to organization strategic    Partially addressed: The department has developed a draft
 plan                                                   IT strategic plan and expects to finalize it in October
                                                                                                          2007.
----------------------------------------------------------------------------------------------------------------
Using workforce strategic management to identify       Partially addressed: VA has identified job requirements,
 proper roles for all employees                         has begun to develop career paths for IT staff, and has
                                                          not yet established a knowledge and skills inventory.
----------------------------------------------------------------------------------------------------------------
Communicating change to all stakeholders                 Partially addressed: VA increased communication on the
                                                           realignment, but has not staffed a key communication
                                                                                                        office.
----------------------------------------------------------------------------------------------------------------
Dedicating an implementation team to manage change               Not addressed: The department does not have an
                                                                 implementation team to manage the realignment.
----------------------------------------------------------------------------------------------------------------
Source: GAO.


    Ensuring commitment from top leadership. The department has fully 
addressed this success factor. As described earlier, the Secretary of 
VA has fully supported the realignment. He approved the department's 
new organizational structure and provided resources for the realignment 
effort.
    However, the Secretary recently submitted his resignation, 
indicating that he intended to depart by October 1, 2007. While it is 
unclear what effect the Secretaries departure will have on the 
realignment, the impending departure underscores the need for 
consistent support from top leadership through the implementation of 
the realignment, to ensure that its success is not at risk in the 
future.

    Establishing a governance structure to manage resources. The 
department has fully addressed this success factor. The department has 
established three governance boards, which have begun operation. The VA 
IT Governance Plan, approved April 2007, states that the establishment 
and operation of these boards will assist in providing the department 
with more cost-effective use of IT resources and assets.
    The department also has plans to further enhance the governance 
structure in response to operational experience. The department found 
that the boards' responsibilities need to be more clearly defined in 
the IT Governance Plan to avoid overlap. That is, one board (the 
Business Needs and Investment Board) was involved in the budget 
formulation for fiscal year 2009, but budget formulation is also the 
responsibility of the Deputy Assistant Secretary for IT Resource 
Management, who is not a member of this board. According to the 
Principal Deputy Assistant Secretary for Information and Technology, 
the department is planning to update its IT Governance Plan within a 
year to include more specificity on the role of the governance boards 
in VA's budget formulation process. Such an update could further 
improve the structure's effectiveness.

    Linking IT strategic plan to organization strategic plan. The 
department has partially addressed this success factor. VA has drafted 
an IT Strategic Plan that provides a course of action for the Office of 
Information and Technology over 5 years and addresses how IT will 
contribute to the department's strategic plan. According to the Deputy 
Director of the Quality and Performance Office, the draft IT strategic 
plan should be formally approved in October 2007. Finalizing the plan 
is essential to helping ensure that leadership understands the link 
between VA's organizational direction and how IT is aligned to meet its 
goals.

    Using workforce strategic management to identify proper roles for 
all employees. The department has partially addressed this success 
factor. The department has begun to identify job requirements, design 
career paths, and determine recommended training for the staff that 
were transferred as part of the realignment. According to a VA 
official, the department identified 21 specialized job activities, such 
as applications software and end user support, and has defined 
competency and proficiency targets \11\ for 6 of these activities. 
Also, by November 2007, VA expects to have identified the career paths 
for approximately 5,000 of the 6,000 staff that have been centralized 
under the CIO. Along with the development of the competency and 
proficiency targets, the department has identified recommended training 
based on grade level. However, the department has not yet established a 
knowledge and skills inventory to determine what skills are available 
in order to match roles with qualifications for all employees within 
the new organization. It is crucial that the department take the 
remaining steps to fully address this critical success factor, so that 
the staff transferred to the Office of Information and Technology are 
placed in positions that best suit their knowledge and skills, and the 
organization has the personnel resources capable of developing and 
delivering the services required.
---------------------------------------------------------------------------
    \11\ Competency refers to required capabilities for performing 
specialized job activities, such as business process reengineering or 
database administration. Proficiency targets indicate the level at 
which the individual can perform these activities.

    Communicating change to all stakeholders. The department has 
partially addressed this success factor. The department began 
publishing a bimonthly newsletter in June to better communicate with 
all staff about Office of Information and Technology activities, 
including the realignment. However, the department has not yet fully 
staffed the Business Relationship Management Office or identified its 
leadership. This office is to serve as the single point of contact 
between the Office of Information and Technology and the 
administrations; in this role, it provides the means for the Office of 
Information and Technology to understand customer requirements, promote 
services to customers, and monitor the quality of the delivered 
services. A fully staffed and properly led Business Relationship 
Management Office is important to ensure effective communication 
between the Office of Information and Technology and the 
administrations.
    Communicating the changed roles and responsibilities of the central 
IT organization versus the administrations is one of the important 
functions of the Business Relationship Management Office. These changes 
are crucial to software development, among other things. Before the 
centralization of the management structure, each of the administrations 
was responsible for its own software development. For example, the 
department's health information system--the Veterans Health Information 
System and Technology Architecture (VistA)--was developed in a 
decentralized environment. The developers and the doctors, closely 
collaborating at local facilities, developed and adapted this system 
for their own specific clinic needs. The result of their efforts is an 
electronic medical record that has been fully embraced by the 
physicians and nurses. However, the decentralized approach has also 
resulted in each site running a stand-alone version of VistA \12\ that 
is costly to maintain; in addition, data at the sites are not 
standardized, which impedes the ability to exchange computable 
information. \13\
---------------------------------------------------------------------------
    \12\ VA has achieved an integrated medical information system 
through the use of the Computerized Patient Record System in VistA, 
where authorized users are able to access patient healthcare data from 
any VA medical facility.
    \13\ Computable data are in a format that a computer application 
can act on, for example, to provide alerts to clinicians (of such 
things as drug allergies) or to plot graphs of changes in vital signs 
such as blood pressure. VA has standardized its pharmacy and allergy 
data in its health data repository.
---------------------------------------------------------------------------
    Under the new organization structure, approval of development 
changes for VistA will be centralized at the Veterans Health 
Administration headquarters and then approved for development and 
implementation by the Office of Information and Technology. The 
communications role of the Business Relationship Management Office is 
thus an important part of the processes needed to ensure that users' 
requirements will be addressed in system development.

    Dedicating an implementation team to manage change. The department 
has not addressed this success factor. A dedicated implementation team 
that is responsible for the day-to-day management of a major change 
initiative is critical to ensure that the project receives the focused, 
full-time attention needed to be sustained and successful. \14\ VA has 
not identified such an implementation team to manage the realignment. 
Rather, the department is currently managing the realignment through 
two organizations: the Process Improvement Office under the Quality and 
Performance Office (which will lead process improvements) and the 
Organizational Management Office (which will advise and assist the CIO 
during the final transformation to a centralized structure). However, 
the Executive Director of the Organizational Management Office \15\ has 
recently resigned his position, leaving one of the two responsible 
offices without leadership.
---------------------------------------------------------------------------
    \14\ GAO-07-844.
    \15\ This official was previously the Director of the IT 
Realignment Office.
---------------------------------------------------------------------------
    In our view, having a dedicated implementation team to manage major 
change initiatives is crucial to successful implementation of the 
realignment. An implementation team can assist in tracking 
implementation goals and identifying performance shortfalls or schedule 
slippages. The team could also provide continuity and consistency in 
the face of any uncertainty that could potentially result from the 
Secretaries resignation.
    Accordingly, in our recent report we recommended that the 
department dedicate an implementation team to be responsible for change 
management throughout the transformation and that it establish a 
schedule for the implementation of the management processes.
Department Is Behind Schedule in Implementing IT Management Processes
    As the foundation for its realignment, VA plans to implement 36 
management processes in five key areas: enterprise management, business 
management, business application management, infrastructure, and 
service support. These processes, which address all aspects of IT 
management, were recommended by the department's realignment contractor 
and are based on industry best practices. \16\ According to the 
contractor, they are a key component of the realignment effort as the 
Office of Information and Technology moves to a process-based 
organization. Additionally, the contractor noted that with a system of 
defined processes, the Office of Information and Technology could 
quickly and accurately change the way IT supports the department.
---------------------------------------------------------------------------
    \16\ Specifically, these processes are derived from the IT 
Governance Institute's Control Objectives for Information and related 
Technology (CobiT') and Information Technology 
Infrastructure Library (ITIL) as configured by the Process Reference 
Model for IT (PRM-IT) from a VA contractor.
---------------------------------------------------------------------------
    The department had planned to begin implementing the 36 management 
processes in March 2007; however, as of early May 2007, it had only 
begun pilot testing two of these processes. \17\ The Deputy Director of 
the Quality and Performance Office reported that the initial 
implementation of the first two processes will begin in the second 
quarter of 2008.
---------------------------------------------------------------------------
    \17\ These are the risk management and solution test and acceptance 
processes.
---------------------------------------------------------------------------
    The Principal Deputy Assistant Secretary for Information and 
Technology acknowledged that the department is behind schedule for 
implementing the processes, but it has prioritized the processes and 
plans to implement them in three groups, in order of priority (see 
attachment 1 for a description of the processes and their 
implementation priority). According to the Deputy Director of the 
Quality and Performance Office, the approach and schedule for process 
implementation is currently under review. Work on the 10 processes 
associated with the first group is under way, and implementation plans 
and timeframes are being revised. This official told us that initial 
planning meetings have occurred and primary points of contact have been 
designated for the financial management and portfolio management 
processes, which are to be implemented as part of the first group. The 
department also noted that it will work to meet its target date of July 
2008 for the realignment, but that all of the processes may not be 
fully implemented at that time.
    According to the Principal Deputy Assistant Secretary for 
Information and Technology, the department has fallen behind schedule 
with process implementation for two reasons:

      The department underestimated the amount of work required 
to redefine the 36 process areas. Process charters for each of the 
processes were developed by a VA contractor and provide an outline for 
operation under the new management structure. Based on its initial 
review, the department found that the processes are complicated and 
multilayered, involving multiple organizations. In addition, the 
contractor provided process charters and descriptions based on a 
commercial, for-profit business model, and so the department must 
readjust them to reflect how VA conducts business.
      With the exception of IT operations, the Veterans Health 
Administration operates in a decentralized manner. For example, the 
budget and spending for the medical centers are under the control of 
the medical center directors. In addition, the Office of Information 
and Technology only has ownership over about 30 percent of all 
activities within the financial management process. For example some 
elements within this process area (such as tracking and reporting on 
expenditures) are the responsibility of the department's Office of 
Management; \18\ this office is accountable for VA's entire budget, 
including IT dollars. Thus, the Office of Information and Technology 
has no authority to direct the Office of Management to take particular 
actions to improve specific financial management activities.
---------------------------------------------------------------------------
    \18\ The Assistant Secretary for Management, who leads the Office 
of Management, is the department's Chief Financial Officer.

    The department faces the additional obstacle that it has not yet 
staffed crucial leadership positions that are vital to the 
implementation of the management processes. As part of the new 
organizational structure, the department identified 25 offices whose 
leaders will report to the five deputy assistant secretaries and are 
responsible for carrying out the new management processes in daily 
operations. However, as of early September, 7 of the leadership 
positions for these 25 offices were vacant, and 4 were filled in an 
acting capacity. According to the Principal Deputy Assistant Secretary 
for Information and Technology, hiring personnel for senior leadership 
positions has been more difficult than anticipated. With these 
leadership positions remaining vacant, the department will face 
increased difficulties in supporting and sustaining the realignment 
through to its completion.
    Until the improved processes have been implemented, IT programs and 
initiatives will continue to be managed under previously established 
processes that have resulted in persistent management challenges. 
Without the standardization that would result from the implementation 
of the processes, the department risks cost overruns and schedule 
slippages for current initiatives, such as VistA modernization, for 
which about $682 million has been expended through fiscal year 2006.
VA Has Much Work Remaining To Resolve Long-Standing Security Weaknesses
    Recognizing the importance of securing Federal systems and data, 
Congress passed the Federal Information Security Management Act (FISMA) 
\19\ in December 2002, which sets forth a comprehensive framework for 
ensuring the effectiveness of information security controls over 
information resources that support Federal operations and assets. Using 
a risk-based approach to information security management, the Act 
requires each agency to develop, document, and implement an agencywide 
information security program for the data and systems that support the 
operations and assets of the agency. According to FISMA, the head of 
each agency has responsibility for delegating to the agency CIO the 
authority to ensure compliance with the security requirements in the 
act. To carry out the CIO's responsibilities in the area, a senior 
agency official is to be designated chief information security officer 
(CISO).
---------------------------------------------------------------------------
    \19\ FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-
347 (Dec. 17, 2002).
---------------------------------------------------------------------------
    The May 2006 theft from the home of a VA employee of a computer and 
external hard drive (which contained personally identifiable 
information on approximately 26.5 million veterans and U.S. military 
personnel) prompted Congress to pass the Veterans Benefits, Healthcare, 
and Information Technology Act of 2006. \20\ Under the act, the VA's 
CIO is responsible for establishing, maintaining, and monitoring 
departmentwide information security policies, procedures, control 
techniques, training, and inspection requirements as elements of the 
departmental information security program. The Act also includes 
provisions to further protect veterans and servicemembers from the 
misuse of their sensitive personally identifiable information. In the 
event of a security incident involving personally identifiable 
information, VA is required to conduct a risk analysis, and on the 
basis of the potential for compromise of personally identifiable 
information, the department may provide security incident 
notifications, fraud alerts, credit monitoring services, and identity 
theft insurance. Congress is to be informed regarding security 
incidents involving the loss of personally identifiable information.
---------------------------------------------------------------------------
    \20\ Veterans Benefits, Healthcare, and Information Technology Act 
of 2006, Pub. L. No. 109-461 (Dec. 22, 2006).
---------------------------------------------------------------------------
    In a report released last week, \21\ we stated that although VA has 
made progress in addressing security weaknesses, it has not yet fully 
implemented key recommendations to strengthen its information security 
practices. It has not implemented two of our four previous 
recommendations and 20 of 22 recommendations made by the department's 
inspector general. Among the recommendations not implemented are our 
recommendation that it complete a comprehensive security management 
program and inspector general recommendations to appropriately restrict 
access to data, networks, and VA facilities; ensure that only 
authorized changes are made to computer programs; and strengthen 
critical infrastructure planning to ensure that information security 
requirements are addressed. Because these recommendations have not yet 
been implemented, unnecessary risk exists that personally identifiable 
information of veterans and other individuals, such as medical 
providers, will be exposed to data tampering, fraud, and inappropriate 
disclosure.
---------------------------------------------------------------------------
    \21\ GAO-07-1019.
---------------------------------------------------------------------------
    The need to fully implement GAO and IG recommendations to 
strengthen information security practices is underscored by the 
prevalence of security incidents involving the unauthorized disclosure, 
misuse, or loss of personal information of veterans and other 
individuals (see table 2). These incidents were partially due to 
weaknesses in the department's security controls. In these incidents, 
which include the May 2006 theft of computer equipment from an 
employee's home (mentioned earlier) and the theft of equipment from 
department facilities, millions of people had their personal 
information compromised.


 Table 2--Number of Incidents by Type Reported to VA's Network and Security Operations Center from January 2003
                                                to November 2006
----------------------------------------------------------------------------------------------------------------
   Type of incident involving the loss of personal information       2003        2004        2005      2006 \a\
----------------------------------------------------------------------------------------------------------------
Records lost or misplaced                                                19          58          41         316
----------------------------------------------------------------------------------------------------------------
Records or hardware stolen                                                7           9          14          65
----------------------------------------------------------------------------------------------------------------
Improper disposal of records                                             10          27          10          80
----------------------------------------------------------------------------------------------------------------
Unauthorized access                                                      60         120         112         255
----------------------------------------------------------------------------------------------------------------
Unencrypted e-mails sent                                                  8          13          16         170
----------------------------------------------------------------------------------------------------------------
Unintended disclosure or release                                         22          48          24         199
----------------------------------------------------------------------------------------------------------------
Total number of incidents                                               126         275         217       1,085
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of VA data on incidents.
\a\ Numbers reported are from January 1, 2006, to November 3, 2006.


    While the increase in reported incidents in 2006 reflects a 
heightened awareness on the part of VA employees of their 
responsibility to report incidents involving loss of personal 
information, it also indicates that vulnerabilities remain in security 
controls designed to adequately safeguard information.
    Since the May 2006 security incident, VA has begun or has continued 
several major initiatives to strengthen information security practices 
and secure personally identifiable information within the department. 
These initiatives include the realignment of its IT management 
structure, as discussed earlier. Under the realignment, the management 
structure for information security has changed. In the new 
organization, the responsibility for managing the program lies with the 
CISO/Director of Cyber Security (the CISO position has been vacant 
since June 2006, with the CIO acting in this capacity), while the 
responsibility for implementing the program lies with the Director of 
Field Operations and Security. Thus, responsibility for information 
security functions within the department is divided.
    VA officials indicated that the heads of the two organizations are 
communicating about the department's implementation of security 
policies and procedures, but this communication is not defined as a 
role or responsibility for either position in the new management 
organization book, nor is there a documented process in place to 
coordinate the management and implementation of the security program. 
Both of these activities are key security management practices. Without 
a documented process, policies or procedures could be inconsistently 
implemented throughout the department, which could prevent the CISO 
from effectively ensuring departmentwide compliance with FISMA. Until 
the process and responsibilities for coordinating the management and 
implementation of IT security policies and procedures throughout the 
department are clearly documented, VA will have limited assurance that 
the management and implementation of security policies and procedures 
are effectively coordinated and communicated. Developing and 
documenting these policies and procedures are essential for achieving 
an improved and effective security management process under the new 
centralized management model.
    In addition to the realignment initiative, the department also has 
others under way to address security weaknesses. These include 
developing an action plan to correct identified weaknesses; 
establishing an information protection program; improving its incident 
management capability; and establishing an office to be responsible for 
oversight of IT within the department. However, implementation 
shortcomings limit the effectiveness of these initiatives. For example:

      VA's action plan has task owners assigned and is updated 
biweekly, but department officials have not ensured that adequate 
progress has been made to resolve items in the plan. Specifically, VA 
has extended the completion date at least once for 38 percent of the 
plan items, and it did not have a process in place to validate the 
closure of the items. In addition, although numerous items in the plan 
were to develop or revise a policy or procedure, 87 percent of these 
items did not have a corresponding task with an established timeframe 
for implementation.
      VA installed encryption software on laptops at facilities 
inconsistently; however, VA's directive on encryption did not address 
the encryption of laptops that were categorized as medical devices, 
which make up a significant portion of the population of laptops at 
Veterans Health Administration facilities. In addition, the department 
has not yet fully implemented the acquisition of software tools across 
the department.
      VA has improved its incident management capability since 
May 2006 by realigning and consolidating two incident management 
centers, and made a notable improvement in its notification of major 
security incidents to U.S.-CERT (the U.S. Computer Emergency Readiness 
Team), the Secretary, and Congress, but the time it took to send 
notification letters to individuals was increased for some incidents 
because VA did not have adequate procedures for coordinating incident 
response and mitigation activities with other agencies and obtaining 
up-to-date contact information.
      VA established the Office of IT Oversight and Compliance 
to conduct assessments of its facilities to determine the adequacy of 
internal controls and investigate compliance with laws, policies, and 
directives and ensure that proper safeguards are maintained; however, 
the office lacked a process to ensure that its examination of internal 
controls is consistent across VA facilities.

    Until the department addresses recommendations to resolve 
identified weaknesses and implements the major initiatives it has 
undertaken, it will have limited assurance that it can protect its 
systems and information from the unauthorized use, disclosure, 
disruption, or loss.
    In our report released last week, we made 17 recommendations to 
assist the department in improving its ability to protect its 
information and systems. These recommendations included that VA 
document clearly define coordination responsibilities for the Director 
of Field Operations and Security and the Director of Cyber Security and 
develop and implement a process for these officials to coordinate on 
the implementation of IT security policies and procedures throughout 
the department. We also made recommendations to improve the 
department's ability to protect its information and systems, including 
the development of various processes and procedures to ensure that 
tasks in the department's security action plans have timeframes for 
implementation.
    In summary, effectively instituting a realignment of the Office of 
Information and Technology is essential to ensuring that VA's IT 
programs achieve their objectives and that the department has a solid 
and sustainable approach to managing its IT investments. VA continues 
to work on improving such programs as information security and systems 
development. Yet we continue to see management weaknesses in these 
programs and initiatives (many of a longstanding nature), which are the 
very weaknesses that VA aims to alleviate with its reorganized 
management structure. Until the department fully addresses the critical 
success factors that we identified and carries out its plans to 
establish a comprehensive set of improved management processes, the 
impact of this vital undertaking will be diminished. Further, the 
department may not achieve a solid and sustainable foundation for its 
new IT management structure.
    Mr. Chairman and Members of the Committee, this concludes our 
statement. We would be happy to respond to any questions that you may 
have at this time.
Contacts and Acknowledgements
    For more information about this testimony, please contact Valerie 
C. Melvin at (202) 512-6304 or Gregory C. Wilshusen at (202) 512-6244 
or by e-mail at [email protected] or [email protected]. Key contributors 
to this testimony were made by Barbara Oliver, Assistant Director; 
Charles Vrabel, Assistant Director; Barbara Collier, Nancy Glover, 
Valerie Hopkins, Scott Pettis, J. Michael Resser, and Eric Trout.

                               __________
               Attachment 1. Key IT Management Processes
                   To Be Addressed in VA Realignment
    In the following table, the priority group number reflects the 
order in which the department plans to implement each group of 
processes, with one being the first priority group.


--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                 IT management      Implementation
                          Key area                                  process         priority group                       Description
--------------------------------------------------------------------------------------------------------------------------------------------------------
Enterprise management                                                IT strategy                2   Addresses long- and short-term objectives, business
                                                                                                     direction, and their impact on IT, the IT culture,
                                                                                                        communications, information, people, processes,
                                                                                                              technology, development, and partnerships
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   IT management                2    Defines a structure of relationships and processes
                                                                                                                  to direct and control the IT endeavor
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                 Risk management       See note a       Identifies potential events that may affect the
                                                                                                             organization and manages risk to be within
                                                                                                      acceptable levels so that reasonable assurance is
                                                                                                     provided regarding the achievement of organization
                                                                                                                                             objectives
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                    Architecture                2   Creates, maintains, promotes, and governs the use of
                                                                      management                        IT architecture models and standards across and
                                                                                                          within the change programs of an organization
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Portfolio                1   Assesses all applications, services, and IT projects
                                                                      management                    that consume resources in order to understand their
                                                                                                                           value to the IT organization
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Security management               2         Manages the department's information security
                                                                                                        program, as mandated by the Federal Information
                                                                                                                Security Management Act (FISMA) of 2002
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                 IT research and                3         Generates ideas, evaluates and selects ideas,
                                                                      innovation                               develops and implements innovations, and
                                                                                                    continuously recognizes innovators and learning from
                                                                                                                                         the experience
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Project management                1   Plans, organizes, monitors, and controls all aspects
                                                                                                        of a project in a continuous process so that it
                                                                                                                                achieves its objectives
--------------------------------------------------------------------------------------------------------------------------------------------------------
Business management                                                  Stakeholder                1   Manages and prioritizes all requests for additional
                                                                    requirements                            and new technology solutions arising from a
                                                                      management                                                       customer's needs
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Customer                3         Determines whether and how well customers are
                                                                    satisfaction                            satisfied with the services, solutions, and
                                                                      management                                     offerings from the providers of IT
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Financial                1   Provides sound stewardship of the monetary resources
                                                                      management                                                    of the organization
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Service pricing and               3            Establishes a pricing mechanism for the IT
                                                                        contract                       organization to sell its services to internal or
                                                                  administration                     external customers and to administer the contracts
                                                                                                          associated with the selling of those services
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Service marketing                3         Enables the IT organization to understand the
                                                                       and sales                       marketplace it serves, to identify customers, to
                                                                                                             ``market'' to these customers, to generate
                                                                                                    ``marketing'' plans for IT services and support the
                                                                                                       ``selling'' of IT services to internal customers
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      Compliance                2          Ensures adherence with laws and regulations,
                                                                      management                      internal policies and procedures, and stakeholder
                                                                                                                                            commitments
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                Asset management                1    Maintains information regarding technology assets,
                                                                                                    including leased and purchased assets, licenses, and
                                                                                                                                              inventory
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Workforce                2    Enables an organization to provide the optimal mix
                                                                      management                    of staffing (resources and skills) needed to provide
                                                                                                     the agreed-on IT services at the agreed-on service
                                                                                                                                                 levels
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Service-level                2     Manages service-level agreements and performs the
                                                                      management                       ongoing review of service achievements to ensure
                                                                                                         that the required and cost-justifiable service
                                                                                                           quality is maintained and gradually improved
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                      IT service                1        Ensures that agreed-on IT services continue to
                                                                      continuity                        support business requirements in the event of a
                                                                      management                                             disruption to the business
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                        Supplier                3   Develops and exercises working relationships between
                                                                    relationship                     the IT organization and suppliers in order to make
                                                                      management                      available the external services and products that
                                                                                                      are required to support IT service commitments to
                                                                                                                                              customers
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                       Knowledge                3       Promotes an integrated approach to identifying,
                                                                      management                    capturing, evaluating, categorizing, retrieving, and
                                                                                                    sharing all of an organization's information assets
--------------------------------------------------------------------------------------------------------------------------------------------------------
Business application management                                         Solution                2   Translates provided customer (business) requirements
                                                                    requirements                             and IT stakeholder-generated requirements/
                                                                                                    constraints into solution-specific terms, within the
                                                                                                       context of a defined solution project or program
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Solution analysis                1   Creates a documented design from agreed-on solution
                                                                      and design                    requirements that describes the behavior of solution
                                                                                                       elements, the acceptance criteria, and agreed-to
                                                                                                                                           measurements
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                  Solution build                3       Brings together all the elements specified by a
                                                                                                      solution design via customization, configuration,
                                                                                                        and integration of created or acquired solution
                                                                                                                                             components
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Solution test and       See note a            Validates that the solution components and
                                                                      acceptance                                 integrated solutions conform to design
                                                                                                      specifications and requirements before deployment
--------------------------------------------------------------------------------------------------------------------------------------------------------
Infrastructure                                                 Service execution                2   Addresses the delivery of operational services to IT
                                                                                                     customers by matching resources to commitments and
                                                                                                          employing the IT infrastructure to conduct IT
                                                                                                                                             operations
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                Data and storage                3      Ensures that all data required for providing and
                                                                      management                    supporting operational service are available for use
                                                                                                        and that all data storage facilities can handle
                                                                                                      normal, expected fluctuations in data volumes and
                                                                                                     other parameters within their designed tolerances.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                Event management                3   Identifies and prioritizes infrastructure, service,
                                                                                                      business and security events, and establishes the
                                                                                                                  appropriate response to those events.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                    Availability                3   Plans, measures, monitors, and continuously strives
                                                                      management                    to improve the availability of the IT infrastructure
                                                                                                    and supporting organization to ensure that agreed-on
                                                                                                                      requirements are consistently met
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Capacity management               3           Matches the capacity of the IT services and
                                                                                                    infrastructure to the current and future identified
                                                                                                                                  needs of the business
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Facility management               1     Creates and maintains a physical environment that
                                                                                                     houses IT resources and optimizes the capabilities
                                                                                                                          and costs of that environment
--------------------------------------------------------------------------------------------------------------------------------------------------------
Service support                                                Change management                1        Manages the life cycle of a change request and
                                                                                                       activities that measure the effectiveness of the
                                                                                                     process and provides for its continued enhancement
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Release management                1       Controls the introduction of releases (that is,
                                                                                                          changes to hardware and software) into the IT
                                                                                                         production environment through a strategy that
                                                                                                         minimizes the risk associated with the changes
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   Configuration                1     Identifies, controls, maintains, and verifies the
                                                                      management                              versions of configuration items and their
                                                                                                                relationships in a logical model of the
                                                                                                                            infrastructure and services
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                    User contact                3    Manages each user interaction with the provider of
                                                                      management                                   IT service throughout its life cycle
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Incident management               2   Restores a service affected by any event that is not
                                                                                                       part of the standard operation of a service that
                                                                                                          causes or could cause an interruption to or a
                                                                                                               reduction in the quality of that service
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Problem management                2      Resolves problems affecting the IT service, both
                                                                                                                             reactively and proactively
--------------------------------------------------------------------------------------------------------------------------------------------------------
Source: GAO.
\a\ The department indicated that this process had completed a pilot, but did not assign it to a priority group.


                               __________
  Appendix III: Information on Selected Security Incidents at VA from 
                     December 2003 to January 2007
    The Department of Veterans Affairs (VA) had at least 1500 security 
incidents reported between December 2003 and January 2007 which 
included the loss of personal information. Below is additional 
information on a selection of incidents, including all publicly 
reported incidents subsequent to May 3, 2006, that were reported to the 
department during this period and what actions it took to respond to 
these incidents. These incidents were selected from data obtained from 
VA to provide illustrative examples of the incidents that occurred at 
the department during this period.

      December 9, 2003: stolen hard drive with data on 100 
appellants. A VA laptop computer with benefit information on 100 
appellants was stolen from the home of an employee working at home. As 
a result, the agency office was going to recall all laptop computers 
and have encryption software installed by December 23, 2003.

      November 24, 2004: unintended disclosure of personal 
information. A public drive on a VA e-mail system permitted entry to 
folders/files containing veterans' personal information (names, Social 
Security numbers, dates of birth, and in some cases personal health 
information such as surgery schedules, diagnosis, status, etc.) by all 
users after computer system changes made. All folders were restricted, 
and individual services were contacted to set up limited access lists.

      December 6, 2004: two personal computers containing data 
on 2,000 patients stolen. Two desktop personal computers were stolen 
from a locked office in a research office of a medical center. One of 
the computers had files containing names, Social Security numbers, next 
of kin, addresses, and phone numbers of approximately 2,000 patients. 
The computers were password protected by the standard VA password 
system. The medical center immediately contacted the agency Privacy 
Officer for guidance. Letters were mailed to all research subjects 
informing them of the computer theft and potential for identity theft. 
VA enclosed letters addressed to three major credit agencies and 
postage paid envelopes. This incident was reported to VA and Federal 
incident offices.

      March 4, 2005: list of 897 providers' Social Security 
numbers sent via e-mail. An individual reported e-mailing a list of 897 
providers' names and Social Security numbers to a new transcription 
company. This was immediately reported, and the supervisor called the 
transcription company and spoke with the owner and requested that the 
file be destroyed immediately. Notification letters were sent out to 
all 897 providers. Disciplinary action was taken against the employee.

      October 14, 2005: personal computer containing data on 
421 patients stolen. A personal computer that contained information on 
421 patients was stolen from a medical center. The information on the 
computer included patients' names; the last four digits of their Social 
Security numbers; and their height, weight, allergies, medications, 
recent lab results, and diagnoses. The agency's Privacy Officer and 
medical center information security officer were notified. The use of 
credit monitoring was investigated, and it was determined that because 
the entire Social Security number was not listed, it would not be 
necessary to use these services at the time.

      February 2, 2006: inappropriate access of VA staff 
medical records. A VA staff member accessed several coworkers' medical 
records to find date of birth. Employee information was compromised and 
several records were accessed on more than one occasion. No resolution 
recorded.

      April 11, 2006: suspected hacker compromised systems with 
employee's assistance. A former VA employee is suspected of hacking 
into a medical center computer system with the assistance of a current 
employee providing rotating administrator passwords. All systems in the 
medical center serving 79,000 veterans were compromised.

      May 5, 2006: missing backup tape with sensitive 
information on 7,052 individuals. An office determined it was missing a 
backup tape containing sensitive information. On June 29, 2006, it was 
reported that approximately 7,052 veterans were affected by the 
incident. On October 11, 2006, notification letters were mailed, and 
5,000 veterans received credit protection and data breach analysis for 
2 years.

      August 3, 2006: desktop computer with approximately 
18,000 patient financial records stolen. A desktop computer was stolen 
from a secured area at a contractor facility in Virginia that processes 
financial accounts for VA. The desktop computer was not encrypted. 
Notification letters were mailed and credit monitoring services 
offered.

      September 6, 2006: laptop with patient information on an 
unknown number of individuals stolen. A laptop attached to a medical 
device at a VA medical center was stolen. It contained patient 
information on an unknown number of individuals. Notification letters 
and credit protection services were offered to 1,575 patients.

      January 22, 2007: external hard drive with 535,000 
individual records and 1.3 million non-VA physician provider records 
missing or stolen. An external hard drive used to store research data 
with 535,000 individual records and 1.3 million non-VA physician 
provider records was discovered missing or stolen from a research 
facility in Birmingham, Alabama. Notification letters were sent to 
veterans and providers, and credit monitoring services were offered to 
those individuals whose records contained personally identifiable 
information.

                                 
              Prepared Statement of Hon. Robert T. Howard,
                Assistant Secretary for Information and
               Technology and Chief Information Officer,
   Office of Information and Technology, U.S. Department of Veterans 
                                Affairs
    Thank you, Mr. Chairman. I would like to thank you for the 
opportunity to testify on the realignment progress in the Office of 
Information and Technology (OIT).
    This is such a crucial issue, and I appreciate the Committee's 
interest. With me today from OIT is Arnie Claudio (Director, Oversight 
and Compliance). I am also accompanied by:

      Adair Martinez (Deputy Assistant Secretary for 
Information Protection and Management)
      Jeff Shyshka (Deputy CIO for Enterprise Operations and 
Infrastructure)

    And on a separate panel will be Paul Tibbits (Deputy CIO for 
Enterprise Development).
    Firstly, I would like to thank you, Mr. Chairman, for giving me the 
opportunity to testify about the progress being made in OIT's 
realignment. This Committee has demonstrated great support for and 
interest in this issue, and we genuinely appreciate it.
    Last week, during a similar hearing conducted by the Senate 
Committee on Veterans' Affairs, I began by talking about my top seven 
priorities as Assistant Secretary for the Office of Information and 
Technology. Today, I would like to do that again as these priorities 
are guiding the realignment process we see taking place. Briefly, they 
include (1) establishing a well-led, high-performing, IT organization 
that delivers responsive IT support to the three Administrations and 
Central Office staff sections; (2) standardizing IT infrastructure and 
IT business processes throughout VA; (3) establishing programs that 
make VA's IT system more interoperable and compatible; (4) effectively 
managing the VA IT appropriation to ensure sustainment and 
modernization of our IT infrastructure and more focused application 
development to meet increasing and changing requirements of our 
business units; (5) strengthening data security controls within VA and 
among our contractors in order to substantially reduce the risk of 
unauthorized exposure of veteran or VA employee sensitive personal 
information; (6) creating an environment of vigilance and awareness to 
the risks of compromising veteran or employee sensitive personal 
information within the VA by integrating security awareness into daily 
activities; and (7) remedying the Department's longstanding IT material 
weaknesses relating to a general lack of security controls. I assure 
you that we are working hard to give these priorities the required 
attention.
    As you know, the Government Accountability Office (GAO) recently 
released a report on our realignment progress and correctly identified 
that there is more work to be done to have a successful transition from 
a decentralized to a centralized organization. We have already begun 
implementing some of their recommendations such as establishing an IT 
governance plan, continuing with process development, and expediting 
the development of performance metrics to track realignment progress. 
Implementing these recommendations will certainly aid in the 
realignment.
    We have made, I believe, solid progress in other areas of this 
realignment. We have dramatically improved incident response because of 
the significant amount of policy guidance and training conducted on 
information protection. Since we have begun this, we have seen an 
increase in self-reporting security and privacy violations and 
incidents. We are also making great improvements in the area of data 
protection by encrypting over 18,000 laptops, implementing procedures 
for issuing encrypted portable data storage devices, purchasing 
software to address the encryption of data at-rest this month, reducing 
the use of Social Security numbers, and reviewing and eliminating a 
significant amount of personally identifiable information VA currently 
holds. Regarding these last two points, VA has drafted two documents 
outlining plans to achieve both these goals. These plans were developed 
in accordance with the Office of Management and Budget (OMB) Memorandum 
M-07-16, ``Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information'' and will be included in this 
year's Federal Information Security Management Act (FISMA) report. 
Regarding the FISMA report, not only will we submit one this year, (we 
got an incomplete last year), but we have, for the first time, 
completed testing of over 10,000 security controls on our 603 computer 
systems. Mr. Chairman, you will be pleased to know that we recently 
awarded a contract for extensive port monitoring, which will help us 
better control network access--a very important tool in our information 
protection toolkit.
    Through this realignment, we are also addressing the critical issue 
of asset management. As you remember, the House Veterans' Affairs 
Oversight and Investigations Committee recently held a hearing on VA's 
IT asset management based on a GAO report (report 07-505) which found 
inadequate controls and risk associated with theft, loss, and 
misappropriation of IT equipment at selected VA locations. In that 
report, GAO found many problems regarding the IT asset management 
environment and included a number of important recommendations--with 
which we agree and are implementing. We have completed a handbook on 
the Control of Information Technology Equipment within the VA which 
includes each of the recommendations made by GAO in its report. These 
documents are now being finalized within the Department, but we have 
already implemented the procedures they describe. They will provide 
clear direction on all aspects of IT asset management.
    For the past 6 months, tightening IT inventory control throughout 
VA has been the focus of a cross-functional Tiger Team. In addition, VA 
has issued a memorandum requiring each VA facility to complete, by the 
end of December of this year, a wall-to-wall inventory of all IT 
equipment assets, including sensitive items, regardless of cost. 
Reporting requirements have been established at the Facility, Regional 
and Field Operations levels to ensure that issues are identified and 
addressed early in the process. By way of support, we have established 
an IT Inventory Control Knowledge Center that is accessible by all VA 
personnel. This website provides references, templates, definitions, 
frequently asked questions and a link to contact the Tiger Team 
directly. Also, the Office of Oversight and Compliance is working with 
Tiger Team members to develop a compliance checklist that will be used 
for scheduled and unscheduled audits regarding IT assets. This initial 
inventory will help provide a VA IT asset baseline--something that has 
not existed before and is a direct result of the realignment.
    Lastly, an important and fair question to ask regarding this 
realignment is how has it impacted the delivery of healthcare and 
benefits to our veterans. In my opinion, there has been no significant 
change in these two areas--which was a key objective of this 
reorganization--to do no harm. This is not to say we have not had 
problems--we have. But we have also experienced improvements in our 
ability to gain knowledge over IT activities that were not very visible 
in the past, in IT funding details across the VA, and in our ability to 
protect the sensitive information of our veterans.
    In closing, I want to assure you, Mr. Chairman, that a successful 
realignment in OIT is a key goal within the VA. I have good people in 
my office who all share this commitment and work hard to achieve it. We 
have accomplished many things this past year but more remains to be 
done. I appreciate having this opportunity to discuss this with you and 
will gladly respond to your questions.

                                 
                 Prepared Statement of Arnaldo Claudio
       Executive Director, Office of IT Oversight and Compliance
   Office of Information and Technology, U.S. Department of Veterans 
                                Affairs
    Thank you, Mr. Chairman and Members of the Committee. I appreciate 
the opportunity to speak with you today on the topic of the 
Department's Information Technology (IT) reorganization and to share 
with you the impact and progress that the Department of Veterans 
Affairs (VA) has achieved as a result of the establishment of the 
Office of IT Oversight and Compliance (ITOC).
    ITOC was established in February of 2007, as a response to the need 
for the VA to enhance the protection of our veterans' sensitive 
information. This concept was initially addressed by Professor Eugene 
H. Spafford, during his Congressional testimony shortly after the data 
breach of May 2006; and later by the IBM study in their December 2006 
publication entitled: High Level Target Organizational Structure on 
VA's IT realignment. Furthermore, in February of 2007, Secretary 
Nicholson conveyed a strong message regarding the importance of 
proactively identifying, addressing and mitigating any risks that could 
jeopardize the potential loss of veterans' sensitive information.
    To fulfill this vital requirement, ITOC is charged with providing 
independent, objective, and quality oversight and compliance assessment 
services in the area of information and technology to include Cyber 
Security, Records Management, Privacy and Physical Security.
    The concept of ITOC is not entirely new to VA. Prior to ITOC's 
establishment, a smaller scale initiative collocated within the Office 
of Cyber and Information Security (OCIS) known as the Review Inspection 
Division (RID) existed.
    In October 2002, the RID was created to fulfill the requirements 
set by the Office of Management and Budget (OMB), VA Directive 6210, VA 
policy and Departmental commitments to Congress, which mandated 
security audits (reviews and inspections) be conducted at every VA 
facility on a recurring basis. Although RID was given a mission to 
review the entire Department's cyber and information security program 
at all VA facilities, it was never given sufficient resources and 
authority to carry out all but a small fraction of these tasks. 
Staffing was inadequate with only five VA employees and a handful of 
contractors. Considering VA has over 1200 sites, RID was given an 
impossible task to perform. In addition, none of the detailed reports 
created and forwarded to OCIS senior management were approved or 
forwarded to sites.
    Today with the establishment of ITOC, that is no longer the case. 
We are now resourced and equipped to identify issues and to address our 
observations immediately after the completion of our assessments with 
the hospital leadership including the facility Director, Chief 
Information Officer, Information Security Officer, Privacy Officer and 
other important members of the hospital staff; and thereafter, we 
report our findings directly to the VA CIO Mr. Robert Howard. The ITOC 
has the robustness and appropriate strategic planning, focus, and 
vision necessary to successfully address the new paradigm facing VA.
    Since its creation earlier this year, ITOC has grown from 7 to 128 
employees and, by the end of Phase 2 in FY 2009, it is expected to have 
a total workforce of 165 employees. This is in itself a success story. 
Most government programs take years before they can be stood up and 
become fully operational. Our employees have been selected from a pool 
of talented subject matter experts from both industry and government.
    The ITOC has achieved a great deal in just a few months and it is 
already showing dramatic results and measurable benefits across VA. As 
of today, we have conducted over 100 assessments--a rate of 18 to 20 
assessments per month, versus 2 per month compared to our predecessor 
organization.
    We have experienced our share of significant challenges--but none 
so far that have proven impossible. The assessments performed by my 
staff are very thorough. We are working together with VHA, VBA and NCA 
to correct and eliminate the existing deficiencies found by the 
Inspector General (IG) and the General Accounting Office (GAO) over the 
last few years.
    As Executive Director, for the Office of IT Oversight and 
Compliance at VA, but first and foremost, as a veteran, I truly feel 
the responsibility for ensuring compliance with the integrity and 
security of VA's sensitive information and IT assets. I understand that 
security awareness is a paradigm change--a change to our business 
operations culture and simply the way we do things. My staff and I have 
found that the field facilities welcome our independent and objective 
assessments as the leadership across VA continues to drive home, to 
each employee, the importance of securing sensitive information. I am 
prepared to answer your questions today about what the Office of IT 
Oversight and Compliance is doing to effect real change to improve VA's 
FISMA scorecard, as well as how we are working together with other VA 
Administrations to mentor, train, coach and optimize our valuable 
resources to better serve our Nation's veterans.
    In closing, I want to assure you, Mr. Chairman, and the members of 
this Committee that we will continue to be diligent in our efforts to 
improve and remedy VA's Information Technology environment. Thank you 
for your time and the opportunity to speak on this issue. I would be 
happy to answer any questions you may have.

                                 
              Prepared Statement of Paul A. Tibbits, M.D.
   Deputy Chief Information Officer, Office of Enterprise Development
   Office of Information and Technology, U.S. Department of Veterans 
                                Affairs
    Thank you, Mr. Chairman. I would like to thank you for the 
opportunity to testify on the realignment progress in the Office of 
Information and Technology (OIT) and to share with you the progress 
made in VA as a result of the centralization of IT development 
activities.
    Joining me on this panel is Dr. Ben J. Davoren, Director, Clinical 
Informatics, from our San Francisco Medical Center.
    This Committee has demonstrated great support for and interest in 
IT in the VA, and we genuinely appreciate it.
    You have just heard testimony from Assistant Secretary Howard 
regarding the GAO report on our realignment progress and the need for 
more work to be done to achieve successful transition from a 
decentralized to a centralized organization. While General Howard 
focused on the information protection aspects of the realignment, I 
would like to share with you our progress in establishing an IT 
governance plan, strengthening development process improvement efforts, 
and fostering innovation.
    You have also heard General Howard refer to his seven (7) 
priorities and how they are guiding the realignment process. I would 
like to talk more about those priorities that have special significance 
to the Office of Enterprise Development. They include (1) establishing 
a well-led, high-performing, IT organization that delivers responsive 
IT support to the three Administrations and Central Office staff 
sections; (2) standardizing IT infrastructure and IT business processes 
throughout VA; (3) establishing programs that make VA's IT system more 
interoperable and compatible; (4) effectively managing the VA IT 
appropriation to ensure sustainment and modernization of our IT 
infrastructure and more focused application development to meet 
increasing and changing requirements of our business units.
CIO Priorities
    First, with respect to establishing a well-led, high-performing IT 
organization that delivers responsive IT support to the three 
Administrations and Staff Offices, we are pursuing improvement of the 
development workforce throughout the Office of Enterprise Development. 
In so doing, development staff will be better prepared to act as 
knowledgeable consultants at the local level to assist healthcare 
providers in development of innovation software solutions that are 
likely to be technically sound and ready for national deployment.
    To improve the capability of the VA IT development workforce we are 
instituting real-time coaching and mentoring by industry experts in 
best practices for systems development, to institutionalize these 
practices at the VA.
    Improving workforce capability increases the staff's readiness to 
perform critical development processes, increases the likelihood of 
achieving desired results from performing the processes, and allows the 
VA to realize the benefits from the investment in process improvement 
for all VA facilities.
    Second, with respect to standardizing IT infrastructure and IT 
business processes throughout VA, standardization of these processes 
provides the baseline for measuring the effectiveness of its 
development process. It is the first step to reduce time to deliver 
applications, reduce costs to develop applications, implement business-
driven process performance measures, and increase productivity of the 
development workforce. And it is hard work.
    For the IT development organization, our standardized processes are 
based on industry best practices as codified in the Capability and 
Maturity Models from the Software Engineering Institute for both 
software development and workforce competency. We are using independent 
industry to guide us through this self-improvement initiative.
    Third, let me address establishing programs that make VA's IT 
system more interoperable and compatible. Interoperability begins with 
a common understanding of terminology. To establish this with 
sufficient precision, the IT development organization is collaborating 
closely with the Administrations in use of business modeling to provide 
a uniform basis of developing a shared understanding of new way to 
serve veterans and the information required to do so.
    Next we are engaging with the Administrations and with DoD to 
strengthen and accelerate data standardization activities within VA and 
with DoD. We are exploring ways to focus on high priority patient 
groups, such as traumatic brain injury and post traumatic stress 
disorder, while continuing the hard work of semantic analysis and 
reconciliation and the consolidation of multiple data feeds between VA 
and DoD.
    Fourth, we are focused on managing the VA IT appropriation to 
ensure sustainment and modernization of our IT infrastructure and more 
focused application development to meet increasing and changing 
requirements of our business units. We are applying life cycle and 
total cost of ownership management practices to all development 
projects, to account for all costs of implementation and operations, as 
a foundation for budget formulation. We are moving toward clear, line-
of-sight alignment with the VA strategic plan and the Performance 
Accountability Report by reshaping our OMB 300 exhibits in FY 2010, 
creation of the first multi-year IT budget, and strengthening our 
relationship with the requirements processes of the Administrations and 
Staff offices.
Governance
    We have established a participative, transparent IT governance 
process at the senior executive level of the VA. Decisionmakers at the 
VA were not equipped with the framework for understanding the relative 
importance of one dimension of project performance with respect to 
others, leading to a bias toward financial metrics during process 
prioritization. Decisionmakers lacked key information with respect to 
project benefits and total cost to make effective decisions on 
priorities. We have created a set of organizational principles and 
governance structures and practices that surface business strategy; 
facilitate accurate project cost, benefit, and risk estimation, and 
provide a decisionmaking framework that focuses attention on a subset 
of the most critical projects and delivers timely, accurate information 
to the VA's senior decisionmakers.
    We are strengthening the use of earned value systems in our large 
programs. We have undertaken independent assessment of the soundness of 
our approach to managing certain IT development projects and will 
expand this activity.
    We are developing management dashboards to implement early warning 
of issues with system development:

      Project/program Status--tracking of project performance 
as compared to cost, schedule, and scope estimates.
      Project/program data quality--Assesses the quality of 
software releases, through analysis of defects found and problems 
noted.
      Project/program Return on Investment (ROI), earned value, 
and risk management--Compares real program ROI with estimated ROI, and 
uses earned value to serve as a leading indicator of deviation from 
forecasted cost and schedule.
      Portfolio resource allocation--Determines the application 
of financial resources to various projects, to balance production 
across multiple related initiatives.
      Portfolio timelines--Provides an integrated view of 
program timelines, highlighting the programs that will attain 
significant milestones or be complete by a specific future date.
      Portfolio mix--Displays the mix of project spending among 
groups of related software applications.

    We are focusing intense effort on managing the execution of funds 
in accordance with established plans, to ensure projects are adequately 
resourced, and learning lessons for improvements next year.
Promote innovation
    Challenges. The Secretary has migrated all IT activities under a 
single leadership authority, in part due to the need to drive 
standardization and interoperability of applications and infrastructure 
across VA. We need application development plans that employ industry 
best practices and have the potential to accelerate the successful 
completion of IT projects, including implementation across the VA.
    The centralized IT budget (the single IT appropriation) sets a 
context for competition among new ideas, since some are not affordable. 
This creates the perception at the hospital that many good ideas are 
disregarded despite ``local needs'', and that the flexibility available 
to VISN and hospital directors to use healthcare funds for IT is a 
constraint. This view disregards the rest of the story. Solutions 
developed locally were rarely deployed across all VA medical centers, 
resulting in some centers not getting the advantage of these IT 
capabilities. Furthermore, many needs were thought of as local, when in 
fact they were enterprise-wide requirements, such as reports to support 
Joint Commission accreditation visits.
    Under the single IT authority and single IT appropriation, we 
operate in an environment of financial transparency. Funds dedicated to 
sustainment, extending legacy systems to meet urgent needs of returning 
warriors, and to modernize our computing environment are now visible to 
senior VA executives. We have no formal mechanism to allocate funds to 
IT innovation. Unmanaged local innovation makes the implementation of 
enterprise solutions very difficult. Many IT products are operating in 
various VAMCs, with no support mechanism to proliferate the more 
successful of them to all other medical centers.
    In close collaboration with VHA, we are moving to create a 
mechanism to deal with this challenge. We have developed a process to 
identify new ideas at the local level, facilitate collaboration among 
field developers and VAMC healthcare professionals, to develop new 
software products in a non-production environment in an unconstrained 
manner. In order to enter the live production environment and assure 
deployability across all VA sites, certain technical, business value, 
security, and patient safety assessments will be made and any 
remediation necessary applied. There are effectively no constraints on 
the trail development of new IT solutions; there are disciplined 
assessments prior to VA-wide implementation to assure safety and 
continuity of operations of the IT production environment.
    The migration from the VistA legacy system to the HealtheVet 
platform entails complex development, a new programming medium, a new 
architecture, and establishment of a veteran-centric medical record 
versus the facility-centric nature of VistA. This form of innovation 
must be centrally managed. It is too large for local initiatives alone 
to accomplish. In addition, some forms of new IT support require an 
analysis of end-to-end processes to serve veterans, such as transition 
from DoD to VA, again not easily accomplished at the local level when 
complex data standardization and security issues are involved. We are 
attempting to strike the right balance.
    Effective communication is critical to successful organizational 
change. The migration of IT development personnel under a single IT 
authority will need to be supported by a focused communications 
strategy and plan to avoid disruption to VA's business operations and 
to achieve the benefits of new organization.
    We are strengthening our communications strategy for the 
development staff.
    There has been no significant change in the delivery of healthcare 
and benefits to veterans with this realignment. We have had some 
problems, but we have also gained valuable visibility over unknown IT 
activities--a definite improvement. We also now know more about IT 
funding details across the VA and have a greater ability to protect the 
sensitive veterans' information.
    In closing, let me say that we want your ideas. I want to assure 
you, Mr. Chairman, that a successful realignment of IT development 
activities is a key goal within the VA. We have accomplished many 
things this past year but more remains to be done. I appreciate having 
this opportunity to discuss this with you and will gladly respond to 
your questions.

                                 
           Prepared Statement of J. Ben Davoren, M.D., Ph.D.,
                   Director of Clinical Informatics,
             San Francisco Veterans Affairs Medical Center,
  Veterans Health Administration, U.S. Department of Veterans Affairs
    Good morning, Mr. Chairman and Members of the Committee. Thank you 
for this opportunity to provide my personal perspective of the Veterans 
Affairs Office of Information and Technology (OI&T) reorganization that 
began in 2005. The views that I present today are my own and do not 
necessarily represent the views of the VA Medical Center San Francisco, 
Veterans Integrated Service Network (VISN) 21, or the Veterans Health 
Administration.
    I would like to preface my testimony with VHA and OI&T's mutual 
goals, and principles in the facilitation of the reorganization. In 
addition, the testimony will discuss realignment concerns I believe 
were voiced from the field in 2005, my views of the impact of the 
realignment on Veterans Health Administration's (VHA) missions, and the 
regional computer system downtime of August 31, 2007, as a paradigm.
Mutual Goals and Principles
    As described in a GAO interim report of June 2007, the primary 
goals of the OI&T reorganization were to centralize IT management under 
a department-level Chief Information Officer, to standardize 
operations, and the development of systems across the Department using 
new management processes based on industry best practices. The VA 
Inspector General reported that the lack of a centralized structure was 
a major impediment to successful IT management. Events related to the 
loss or potential loss of sensitive information reinforced VA's need to 
reorganize IT, especially in terms of data security processes.
    The OI&T stated principles for the reorganization process were 
that:

      A single IT leadership management system would facilitate 
achievement of enterprise strategic objectives, standardization, 
compatibility, interoperability, and fiscal discipline;
      A process-focused organization and IT management system 
would be aligned with best practices for IT processes, roles, metrics, 
and governance;
      Strong integration between OI&T and the business offices 
(VHA, Veterans Benefit Administration, National Cemetery 
Administration, and Staff Offices) would set IT strategy, determine 
requirements, and implement solutions;
      Approaches to legacy and new application development 
would be synchronized;
      New process-based organizational structure for the Office 
of the Assistant Secretary for Information and Technology would be 
defined; and
      IT realignment would transform VA into a service-based IT 
organization with a client-centric IT model that aligned IT with VA 
business needs, priorities, and mission.
Concerns Voiced From the Field in 2005
    In response to the Secretaries proposals for IT realignment, I 
believe that employees at some medical centers expressed a number of 
concerns about the details of the plan. In particular, I believe they 
felt that the regionalization of IT resources would create new points 
of failure that could not be controlled by the sites experiencing the 
impact, and that the system redundancy required to prevent this was 
never listed as a prerequisite to centralization of critical patient 
care IT resources. From my point of view as the Director of Clinical 
Informatics, it was clear to me that the focus of reorganization/
realignment was on technical relationships and not on how the missions 
of VHA would be communicated to the new OI&T structure. For example, 
realignment success metrics were focused on Regional Data Processing 
Center (RDPC) deliverables rather than facility needs. Finally, key 
facility-based IT staff had been tightly integrated into local 
Committees and planning groups as subject matter experts, but could no 
longer be tasked directly by the facility Director to participate, and 
had no clear OI&T-driven incentive to continue. Ultimately, the concern 
was that in trying to create a new structure in the name of 
``standardization'', support would wane to a ``lowest common 
denominator'' for all facilities, no matter how diverse their actual 
needs were.
Impact on VHA's Four Principal Missions
    With respect to the primary patient care mission, the good news has 
been that new policies and procedures regarding encryption of sensitive 
information have been well-publicized and have heightened the awareness 
of all care providers as to the critical nature of the information they 
use everyday. I think this has positively impacted the culture of VHA 
and improved respect for our veterans. The bad news is that 
centralization of physical IT resources to the RDPCs has directly led 
to more system downtime for individual medical centers than they have 
ever had before, resulting in hundreds of simultaneous threats to the 
safety of our veteran patients. In addition, it is my opinion that 
disagreements over whether new proposals for clinical application or 
device procurement are ``IT'' or ``not-IT'' has markedly delayed 
upgrading of aging systems and implementation of new systems for 
veterans' care.
    With respect to the education mission, the good news is again that 
standards for encryption of sensitive information have heightened the 
awareness of all staff and students as to the critical nature of the 
information they have at their fingertips and the need to protect it in 
all settings.
    However, from my vantage, rules on encryption of all portable 
devices, such as ``thumb drives'', rather than just on encrypting 
sensitive information, have made it cumbersome to go about common work, 
such as giving academic and scientific presentations where no sensitive 
information is present. Further, security rules for using network 
resources have stopped some Internet-based videoconferencing activities 
between VA and non-VA colleagues, while awaiting new funding cycles to 
procure next-generation equipment.
    With respect to the research mission, the proposed standardization 
of VHA databases as part of centralization may create significant 
research opportunities, and has been supported by the research 
community though, at this time, no specific progress has been made. 
Rules regarding encryption of transported sensitive information have 
been warmly received by the research community as a best practice. 
However, security rules for using network resources have stopped some 
Internet-based videoconferencing activities between VA and non-VA 
colleagues. Some additional unique local IT resources have been 
required to maintain other research activities which utilize the 
Internet and I have concerns about how long they can continue.
    In terms of our role in supporting the Department of Defense, I 
believe that initiatives to enhance electronic data-sharing between VHA 
and DoD have proceeded appropriately.
Impact on VHA's Accomplishments and Morale
    In my opinion, confirmed in many conversations with my peers, there 
has been a lack of transparent communication between VHA and the 
reorganizing OI&T structure. At present, economies of scale that were a 
cornerstone of the OI&T realignment proposal have not been communicated 
to the facility level where the work of VHA occurs. The focus on 
security and data integrity has led to a number of new requirements 
with impacts that generate significant concern without a clear pathway 
to resolution. For example, to fully comply with security requirements 
on our examination room PCs, we must log out of both a clinical 
application such as our Computerized Patient Record System and the 
Microsoft Windows operating system each time we leave the room even for 
a moment, yet it may take as long as 12 minutes to log back on when we 
return. Given a 20 or 30 minute visit with their veteran patient, the 
clinician is thus forced to choose to ``do the right thing'' for either 
the patient or the system, but cannot do both.
    In my view, there remains a tremendous uncertainty about how to 
work with our longstanding IT colleagues to address local or regional 
clinical care, research, or educational needs. These arise on an almost 
daily basis as the result of new mandates from accrediting bodies, VA 
performance measures, or Congressional action. Accountability for all 
these activities remains with the individual Facility Directors, but 
they no longer have the authority to task IT staff nor directly acquire 
technological resources that are a part of every new idea that is put 
forth to meet the new needs. There is a sense of great inertia that 
overrides the anticipation of great opportunities in the new OI&T 
structure. I believe that this has greatly slowed the field development 
process that is the very foundation of our VA-created computer system, 
VistA.
Regional Computer System Downtime of August 31, 2007
    On August 31, 2007, the new ``Region One'' of OI&T-supported 
facilities experienced the most significant technological threat to 
patient safety VA has ever had--a 9-hour downtime during standard 
business hours that crippled the clinical and other information systems 
of 17 different VHA medical facilities. During the downtime, it became 
clear to me that many assumptions about the RDPC model were erroneous. 
Specifically, rather than creating a redundancy to protect facilities 
from system problems, a new single point of failure caused a problem 
that could never have been replicated without the RDPC model having 
been created. In this vein, the ability to ``failover'' from the RDPC 
in Sacramento to Denver, previously described as a major advantage to 
the RDPC model, was never taken advantage of. Electronic contingency 
systems, put in place as a part of the RDPC migration strategy, were 
unavailable or overwhelmed in four of the medical centers, despite 
prior experience that this was a known risk during the pilot phase of 
the RDPC collocation project. Lastly, and of great concern to the 
medical centers as a harbinger of future support, clinical need was 
expected to be the driver of the service restoration process. Instead, 
half a day of troubleshooting and error log evaluation and analysis 
went by before the shutdown and reboot process was initiated to 
actually fix the problem.
    The after-action report, while done in a timely fashion and 
generally clear, did not address the two major concerns of the 
facilities that had to deal with the impact of the downtime at all. 
Specifically, how it could be that the RDPC model designed for 
redundancy could instead have been designed to create the single point 
of failure that facilities predicted 2 years earlier would paralyze 
them? Why was the ``failover'' from the Sacramento RDPC to the Denver 
RDPC not initiated immediately when the magnitude of the impact was 
known? Despite repeated queries about this on the official Region 1 
VistA Outlook email thread designed to facilitate communication between 
OI&T and VHA facilities, I am unaware of whether this question was ever 
answered.
    In my view, the OI&T realignment process begun in VA in 2005 for 
the right reasons has been focused on technical IT issues and the 
reporting structure of its new 6000-strong employee force. While there 
has been measurable success in those areas, my perspective is that this 
has not been the case for the planned linking of IT strategic planning 
with organizational strategic planning and communication between all 
stakeholders in VA. Mr. Chairman this concludes my statement. I will be 
pleased to answer any questions that you or other Members of the 
Committee might have.

                                 
                  Statement of Hon. Harry E. Mitchell,
         a Representative in Congress from the State of Arizona
    Thank you Mr. Chairman.
    Last week, the Government Accountability Office released their 
review of the progress made in reorganizing information technology at 
the VA.
    In October 2005, the VA began centralizing its information 
technology management structure.
    Shortly thereafter, in May 2006, a laptop theft from an employee's 
home containing personal information brought the importance of this 
issue to light, and the Department's mismanagement of the situation 
showed the urgency of centralization.
    The GAO report showed that the Department has not yet implemented 
full security protocols to protect veterans' and medical providers' 
personal information.
    It also highlighted the importance of an implementation team, which 
has also been previously suggested and ignored by top officials in the 
Department.
    Information security is not an issue that we can take lightly these 
days.
    Securing the personal information of our veterans should be a high 
priority, and any breach of government security should be taken 
seriously.
    Following the compromised security of information at the VA in May 
of 2006, officials pledged stronger action, but the security breach 
this past January shows that they have yet to deliver once again.
    Arizona leads the nation in identity theft and this report only 
further concerns me about security at the VA.
    I look forward to hearing how we can work together to address this 
pressing issue.

                                 
                   Statement of Bryan D. Volpp, M.D.,
            Associate Chief of Staff, Clinical Informatics,
        Veterans Affairs Northern California Healthcare System,
  Veterans Health Administration, U.S. Department of Veterans Affairs
    Good morning Mr. Chairman and Members of the Committee. Thank you 
for this opportunity to discuss the impact on patient care due to the 
disruption to the VISTA and Computerized Patient Record System (CPRS) 
at the VA Northern California Healthcare System (VA NCHCS). The VA 
NCHCS is an integrated healthcare delivery system serving more 377,700 
veterans dispersed over a wide area covering ten geographic sites. We 
serve approximately 70,000 unique veterans per year and average close 
to 2000 visits per day. VA NCHCS offers a comprehensive array of 
medical, surgical, rehabilitative, primary, mental health and extended 
care to veterans in Northern California. In addition, we provide 
inpatient acute and critical care services at the Sacramento site (50 
beds) and inpatient nursing home and subacute care (115 beds) at the 
Martinez site.
Disruption to VISTA and CPRS
    On August 31, 2007, at approximately 7:30 am on Friday, VA NCHCS 
experienced a major disruption with the logons to our VistA and CPRS. 
The disruption resulted from a problem at the Sacramento Regional Data 
Processing Center (SRDPC) and affected 17 sites within VA NCHCS.
Contingency Plan for Disruptions
    VA NCHCS immediately implemented our local contingency plan for 
failure, which consists of three backup levels. The first level backup 
is a switch over from the Sacramento Data Center to the Denver Data 
Center. The second level backup is a read-only version of the patient 
data. And the final level of backup is a set of files stored on some 
local PCs that contains brief summaries of a subset of the patient data 
for patients who are current inpatients or who have appointments in the 
next 2 days. A key element in our contingency plan is that 
communication to the users on the cause and an estimate of length of 
the downtime are to be made on a regular basis by IRM. This did not 
occur.
    The contingency plans failed to stop the disruption. The switch 
over to the Denver Data Center did not occur. The read-only backup of 
the patient data had been made unavailable earlier in the week of 
August 31 in order for the Regional Data Center staff to create a new 
version of our test account. Test accounts are required to be refreshed 
every 4-6 months at all VA sites. With failure of the first two backup 
levels, we became reliant on the data stored on several local personal 
computers that could be printed. The data stored on the personal 
computers are health summaries. Health summaries are brief extracts of 
the record for patients with scheduled appointments which contain 
recent labs, medication lists, problem lists and recent notes along 
with allergies and a few other elements of the patient record. The 
disruption severely interfered with our normal operation, particularly 
with inpatient and outpatient care, and pharmacy.
Disruption Impact on Inpatient Care
    The inpatient sites were immediately affected. The residents on 
rounds in all the impacted facilities were not able to access patient 
charts to review the prior day's results, add or review orders. Nursing 
reports were interrupted because some of the handoffs from one shift to 
the next are done by reviewing activities and progress in the 
electronic record. Discharge planning for that morning was interrupted 
as well due to lack of electronic record availability. On the inpatient 
wards, there were many delays in medication administration and in 
discharges. The delays included the following:

      The medical staff was forced to write discharge 
instructions and notes on paper.
      The electronic lists of instructions and of medications 
were not available for the patients being discharged.
      Patients being discharged could not be given follow-up 
appointments at the time of discharge. The appointments had to be made 
later and the patient notified by phone.
      There were delays in obtaining discharge medications and 
patients remained on the wards longer than would normally be required.
      The nurses administered medications to the patients and 
used the paper MAR to record the administration events. Initial 
medication passes were interrupted and delayed until the paper copies 
of the Medication Administration Record (MAR) could be printed.

    The use of the paper MAR continued well after the system came back 
up at around 4 pm. This occurred because there was a delay in the 
automated updating of all the medications with new orders and changes. 
Until both Pharmacy and Nursing can verify that the electronic lists 
have been updated and are accurate, the electronic MAR cannot be used. 
One inpatient did not meet inpatient criteria but could not be 
transferred to the nursing home since adequate records were not 
available. The patient stayed an extra 4 days and required an 
additional nurse to stay in his room as a sitter until he could be 
transferred.
Disruption Impact on Outpatient Care
    Outpatient activities were impacted within a few minutes after the 
outage. Although most clinics did not have scheduled patients until 
8:00 am, many providers who were beginning to prepare for clinic were 
affected almost immediately. Consent forms that had been done 
previously for scheduled surgery and for other procedures were not 
available since these are all done electronically. The providers with 
patient appointments early in the morning had no medical records to use 
for these patients. For many of the patients, a medication list was 
available on paper but the paper health summary backups had not yet 
been printed. We began to instruct the users to print the paper health 
summaries for use in the clinics and on the wards just after 8:00 am. 
These were distributed as quickly as possible but for patients with 
appointments at 8:00 am to 9:00 am, very few of these summaries were 
available in time to provide the needed information to the provider 
while seeing the patient.
Disruption Impact on Pharmacy
    The pharmacy quickly became overloaded with prescriptions that they 
were attempting to fill for patients. The labeling equipment and 
automated dispensing equipment, both linked to VistA, were unavailable. 
The pharmacy began to ask patients if they could wait to have the 
prescriptions mailed. This problem was made more difficult by the fact 
that Monday, September 3, 2007, was Labor Day and the next transmission 
to the Centralized Mail Out Pharmacy (CMOP) would be on Tuesday, 
September 4, 2007. In addition, the transmission to the CMOP for August 
31, 2007 was scheduled for 8:00 am. This also caused a delay in 
patients receiving medications. The prescription entries completed on 
August 30, 2007 by the pharmacy were not received at the CMOP for 
fulfillment until September 4, 2007.
Other Impacts Resulting From the Disruption
    The local health summaries for patients were printed in all clinic 
areas and on the wards which essentially created a temporary patient 
record. After 2 hours, most users began to record their documentation 
on paper. For example:

      Paper order forms were distributed and orders were being 
faxed to Pharmacy and Radiology for inpatients and outpatients.
      Paper prescriptions were written for outpatients.
      Laboratory orders were written on paper and patients sent 
to the lab with paper copies of orders.
      Multiple patients who had planned CT scans and who needed 
a measure of kidney function prior to the procedures had to have their 
blood redrawn since the prior results were not available.
      Consent forms were done on paper.
      Vital signs and screenings for depression, post-traumatic 
stress disorder (PTSD) and other interventions were recorded on paper.
      The cardiologists could not read any of the EKGs that had 
been done prior to the failure since these had not been printed and are 
usually reviewed and interpreted online.
      Surgeons could not enter their operative notes in to the 
surgery package. Consults could neither be ordered or responded to or 
even updated.
      Appointments could not be made and, if a patient 
canceled, there was no way to identify other patients to fill those 
slots.

    Although the paper health summaries were available for patients 
with scheduled appointments, there were no records at all available for 
patients who came to Urgent Care or to the Sacramento ER or walk-in 
patients at any of the clinics.
Prior Computer Failures
    Although we have had brief periods of scheduled and occasionally 
unscheduled computer failure in the past, many of these were isolated 
to one site or one building and none lasted as long as the disruption 
experienced on August 31, 2007. Our contingency plans had been 
implemented successfully as drills during many of these periods. During 
prior outages, the local IT staff had always been very forthcoming with 
information on the progress of the failure and estimated length even in 
the face of minimal or no knowledge of the cause. To my knowledge, this 
was absent during the most recent outage.
Disruption Recovery
    Once the disruption was resolved, a tremendous amount of work was 
undertaken to restore the integrity of the electronic record. 
Laboratory and pharmacy staff worked late that Friday night and over 
the weekend to update the results and orders in the electronic record 
and to enter all the new orders and outpatient prescriptions. Complete 
recovery in the pharmacy took over a week. Administrative staff worked 
for over 2 weeks to complete the checkouts on all the patients who were 
seen that day. However, entering checkout data on all these patients 
many days after the fact is potentially inaccurate. Many providers have 
gone back into CPRS and tried to reconstruct notes that summarize the 
paper notes that they wrote in order to mitigate the risk of missing 
information.
    This work to recover the integrity of the medical record will 
continue for many months since so much information was recorded on 
paper that day. When you consider that hundreds of screening exams for 
PTSD, depression, alcohol use, and smoking, and entry of educational 
interventions, records of outside results, discharge instructions and 
assessments are all now on paper and are not in a format that is easily 
found in the electronic record, the burden of this one failure will 
persist for a long time. This adds an additional load for the staff to 
have to pull up the paper records from that day and presents a risk 
that some important facts or results collected on that day will be 
missed at some point in the future. For example, consent forms done 
that day for future procedures will not be in the same location as our 
usual consent forms since these were done on paper and scanned into the 
record during recovery.
    In summary, there were severe impacts to patient care, timeliness 
of care and the integrity of the medical record due to the disruption 
and these affects will persist for some period of time into the future. 
Mr. Chairman, this concludes my statement.

                                 
          POST HEARING QUESTIONS AND RESPONSES FOR THE RECORD

                                     Committee on Veterans' Affairs
                                                    Washington, DC.
                                                    October 3, 2007

Honorable Gordon Mansfield
Acting Secretary
U.S. Department of Veterans Affairs
810 Vermont Ave., NW
Washington, DC 20420

Dear Mr. Mansfield:

    In reference to our Full Committee hearing VA IT Reorganization: 
How Far Has VA Come? on September 26, 2007, I would appreciate it if 
you could answer the enclosed hearing questions by the close of 
business on November 14, 2007.
    In an effort to reduce printing costs, the Committee on Veterans' 
Affairs, in cooperation with the Joint Committee on Printing, is 
implementing some formatting changes for materials for all full 
committee and subcommittee hearings. Therefore, it would be appreciated 
if you could provide your answers consecutively and single-spaced. In 
addition, please restate the question in its entirety before the 
answer.
    Due to the delay in receiving mail, please provide your response by 
fax to Debbie Smith at 202-225-2034. If you have any questions, please 
call 202-225-9756.

            Sincerely,
                                                         BOB FILNER
                                                           Chairman
DT:ds

                                ------                                

                        Questions for the Record
                   The Honorable Bob Filner, Chairman
                  House Committee on Veterans' Affairs
                           September 26, 2007

               VA IT Reorganization: How Far Has VA Come?

    In the September 26, 2007, report of Valerie Melvin, Director of 
Human Capital and Management Information Systems Issues at GAO (``GAO 
Statement''), GAO stated:

        As part of the new organizational structure, the department 
        identified 25 offices whose leaders will report to the five 
        deputy assistant secretaries and are responsible for carrying 
        out the new management processes in daily operation. However, 
        as of early September 2007, seven of the leadership positions 
        for these 25 offices were vacant, and four were filled in and 
        acting capacity.

    Question 1: Please identify for each of those 25 offices:

    a.  the name of the office and its function;
    b.  the date on which the leadership position in each office was 
filled and the person filling the position;
    c.  for offices for which the leadership position is filled on an 
acting basis, the date on which the leadership position in each office 
was filled on an acting basis, the person filling the position, and the 
date by which the position will be permanently filled; and,
    d.  for offices for which the leadership position is vacant, the 
date by which the position will be permanently filled.

    Response:


----------------------------------------------------------------------------------------------------------------
                                                                                                  Date Vacant
                                                          Permanent Person   Acting Person &        Position
                  Office Name/Function                    & Date Position          Date         Projected to be
                                                               Filled                                Filled
----------------------------------------------------------------------------------------------------------------
1. Privacy and Records Management--Integrates privacy    Sally Wallace, 10/              N/A                N/A
 considerations into the way the Department of Veterans            1/2006
 Affairs (VA) uses technologies and handles
 information. Oversees compliance with Privacy Act of
 1974, Freedom of Information Act, Health Insurance
 Portability and Accountability Act (HIPAA), Electronic
 Communications Privacy Act, Office of Management and
 Budget (OMB) Circular A-130, and Government Paperwork
 Reduction Act. Completes privacy impact assessments on
 new programs.
----------------------------------------------------------------------------------------------------------------
2. Cyber Security--Sets policy and oversees              Jaren Doherty, 2/
 implementation and operation of VA's information                  4/2008
 technology (IT) security program. Providing
 information security protection commensurate with risk
 and magnitude of harm resulting from unauthorized
 access, use, disclosure, disruption, modification or
 destruction of: (1) Information collected or
 maintained by or on behalf of VA, (2) Information
 systems used or operated by VA or by a contractor of
 VA or other organization on behalf of VA.
----------------------------------------------------------------------------------------------------------------
3. Education and Training--Oversees VA-wide cyber                  Terri Cinnamon,       N/A
 security training, education and awareness program, as         11/8/2007
 well as VA annual information security conference.
 Manages VA's internal information security working
 group. Ensures VA policies comply with regulatory
 requirements and legislated mandates.
----------------------------------------------------------------------------------------------------------------
4. Risk Management & Incident Response--Develops cost           Katherine                N/A                N/A
 effective strategies for IT risk management                    Maginnis,
 (encompassing IT risk, business continuity management          4/29/2007
 and information security management) for data
 processing environments under the control of the Chief
 Information Officer (CIO).
----------------------------------------------------------------------------------------------------------------
5. Business Continuity--Manage processes to identify     Andres Lopez, 10/               N/A                N/A
 potential threats to business continuity and develops            29/2007
 capability to effectively safeguards interest of its
 key stakeholders.
----------------------------------------------------------------------------------------------------------------
6. Enterprise Architecture--Develops an enterprise-wide            Scott Cragg,          N/A                N/A
 technical architecture that enables the business               8/22/2004
 activities of VA and facilitates the adaptation of
 technology to meet the changing business needs.
----------------------------------------------------------------------------------------------------------------
7. Business Relationship Management--Negotiates                    Vacant        Ross Smith,          3/31/2008
 business requirements on behalf of the administrations                             11/11/07
 with IT solution providers.
----------------------------------------------------------------------------------------------------------------
8. IT Strategy and E-Gov--Leads ad-hoc teams of            Loise Russell,                N/A                N/A
 information architects, in developing, best practices          4/24/2007
 and standards that will integrate paper processes into
 electronic systems.
----------------------------------------------------------------------------------------------------------------
9. Research and Innovation--Identifies new technologies            Vacant                N/A          12/1/2008
 that provide benefit to VA and enables improved level
 of service to veterans.
----------------------------------------------------------------------------------------------------------------
10. Portfolio Programming and Management--Assist in                Vacant        Tim Weigel,          3/31/2008
 developing IT project management plans, and investment                           11/11/2007
 protocols, to meet legislative requirements of Federal
 capital asset programs
----------------------------------------------------------------------------------------------------------------
11. Program Management--Oversees integrated IT                     Vacant   Michael Osband, 1/        3/31/2008
 management process, reviews milestones and assures IT                               28/2008
 projects are on schedule, within budget and meet
 performance criteria.
----------------------------------------------------------------------------------------------------------------
12. Information Technology Comptroller--Manages              Len Bourget,                N/A                N/A
 financial processes of the Office of Information and           2/18/2007
 Technology (OIT) including budget formulation and
 execution, cost accounting, cost recovery, cost
 allocations, charge-back models, and revenue
 accounting.
----------------------------------------------------------------------------------------------------------------
13. Human Resource Career Development--Aligns OIT human            Vacant     Thomas Barritt          2/28/2008
 resource management with VA's Office of Human Resource
 and Administration (HRA) and the Office of Personnel
 Management.
----------------------------------------------------------------------------------------------------------------
14. IT Capital Planning and Investment Management--                Vacant   Karen Kemmet, 7/1/        3/17/2008
 Plans and controls IT budgets; and evaluates financial                                 2007
 performance.
----------------------------------------------------------------------------------------------------------------
15. Asset Management--Provides users with hardware and   Gary Shaffer, 12/               N/A                N/A
 software needed to do their jobs in the most cost                 9/2007
 effective manner.
----------------------------------------------------------------------------------------------------------------
16. Vendor and Supplier Management--Develops,                      Vacant                N/A          12/1/2008
 implements, and manages sourcing strategies to improve
 the process of negotiating and managing IT contracts
 and evaluating vendor performance.
----------------------------------------------------------------------------------------------------------------
17. Veterans Health IT Development Program Executive               Vacant       Jackie Gill,          3/31/2008
 Office (PEO)--Manages IT development activities in                                9/15/2007
 support of the Veterans Heath Administration (VHA).
----------------------------------------------------------------------------------------------------------------
18. Veterans Benefits IT Development PEO--Manages IT             Richard Culp,
 development activities in support of the Veterans               4/1/2007
 Benefit Administration (VBA).
----------------------------------------------------------------------------------------------------------------
19. IT Development Resource Management PEO--Manages          Joseph Bond,
 development, integration and implementation of new              4/1/2007
 enterprise applications within resource management
 systems portfolio.
----------------------------------------------------------------------------------------------------------------
20. Memorial Affairs IT Development PEO--Manages the            Dan Pate,                N/A                N/A
 development, integration and implementation of new             9/30/2007
 enterprise applications within the National Cemetery
 Administration (NCA).
----------------------------------------------------------------------------------------------------------------
21. Field Operations and Security--Manages day-to-day    Raymond Sullivan,               N/A                N/A
 IT operations, data centers, IT services and IT               10/29/2006
 security across 4 geographic regions.
----------------------------------------------------------------------------------------------------------------
22. Infrastructure Engineering--Tests, evaluates and                     Charles DeSanno,N/A                N/A
 certifies software and hardware prior to deployment.            1/2/2007
 Responsible for change management, systems
 engineering, configuration management, release
 management, production control and maintenance.
----------------------------------------------------------------------------------------------------------------
23. Corporate Franchise Data Center--Provides IT                   Vacant       John Rucker,          3/17/2008
 services to VA medical centers, regional offices,                                  8/1/2007
 national cemeteries, and other VA and non-VA
 organizations.
----------------------------------------------------------------------------------------------------------------
24. Field Business Operations and Services--Controls          Gary Twedt,                N/A                N/A
 and improves the processes, services and outcomes             10/29/2006
 relative to end user support, network services and
 security services.
----------------------------------------------------------------------------------------------------------------
25. Network and Telecom--Providing telecommunication               David Cheplick, 7/    N/A                N/A
 systems to support VA requirements.                              22/2007
----------------------------------------------------------------------------------------------------------------


    Question 1(e): In addition, please provide organization charts 
showing the reporting relationships of the 25 offices to the five 
deputy assistant secretaries.

    Response: See Attachment 1 on next page.
                              Attachment 1
[GRAPHIC] [TIFF OMITTED] T9456A.003


    Question 2: Please provide a timeline for completion separately for 
each of the following three:

    Question 2(a): The 36 new processes of the IT management processes, 
including the 9 of the 36 that the VA began implementing in March 2007.

    Response: The 36 core IT business processes are undergoing process 
improvement, ultimately resulting in the development of a series of 
improved, standardized processes across all business lines. These 
improved processes will be developed by teams of experts, documented, 
and disseminated across VA to ensure that they are repeatable by all VA 
IT entities. The availability of standard operating procedures will not 
only ensure consistency from site to site, but will also prevent 
duplication of effort in developing them. VA process maturity levels 
will evolve and improve over time based on continuous refinement and 
process improvement.
    The timeline for the 36 core IT management processes calls for 
implementation by July 2008. We have completed process redesign pilot 
programs for two: (1) risk management and (2) solution test and 
acceptance. In addition, Process Manuals exist for 27 of the processes, 
either in draft or final version. Key meetings have been held for 20 of 
the processes, with approximately 8 more planned for the week of 
February 11, 2008. The attached spreadsheet provides the details for 
each of the 36 processes.
    The approach and schedule for process implementation has been 
revised, based upon lessons learned from the pilot programs and current 
implementation experiences. We are streamlining the process improvement 
approach in order to meet the July 2008 timeframe.
    Attachment 2 provides a listing of all 36 processes and the status 
of each.
                              Attachment 2
                Status of 36 New IT Management Processes
                               3/13/2008

----------------------------------------------------------------------------------------------------------------
                                                                                        Status of Process
                                                                               ---------------------------------
                            Process                           Process  Manual       Procedure(s) or Guidance
                                                                  Complete     ---------------------------------
                                                                                   In Review         Complete
----------------------------------------------------------------------------------------------------------------
Capital Planning & Investment Control                                                            
----------------------------------------------------------------------------------------------------------------
Project Management                                                      draft          
----------------------------------------------------------------------------------------------------------------
Service Level Management                                                draft          
----------------------------------------------------------------------------------------------------------------
Architecture Management
----------------------------------------------------------------------------------------------------------------
Customer Satisfaction Management
----------------------------------------------------------------------------------------------------------------
Data and Storage Management
----------------------------------------------------------------------------------------------------------------
IT Research & Innovation
----------------------------------------------------------------------------------------------------------------
IT Strategy                                                             draft
----------------------------------------------------------------------------------------------------------------
Knowledge Management
----------------------------------------------------------------------------------------------------------------
Service Marketing and Sales
----------------------------------------------------------------------------------------------------------------
Stakeholder Requirements Mgmt
----------------------------------------------------------------------------------------------------------------
Asset Management                                                                
----------------------------------------------------------------------------------------------------------------
Financial Management                                                    draft
----------------------------------------------------------------------------------------------------------------
Supplier Relationship Management
----------------------------------------------------------------------------------------------------------------
Workforce Management                                                    draft
----------------------------------------------------------------------------------------------------------------
Compliance Management                                                                            
----------------------------------------------------------------------------------------------------------------
Change Management                                                               
----------------------------------------------------------------------------------------------------------------
Configuration Management                                                        
----------------------------------------------------------------------------------------------------------------
Facility Management                                                     draft
----------------------------------------------------------------------------------------------------------------
Release Management                                                              
----------------------------------------------------------------------------------------------------------------
Service Execution                                                       draft
----------------------------------------------------------------------------------------------------------------
Availability Management                                                 draft
----------------------------------------------------------------------------------------------------------------
Capacity Management                                                     draft
----------------------------------------------------------------------------------------------------------------
Event Management                                                        draft
----------------------------------------------------------------------------------------------------------------
Incident Management                                                     draft
----------------------------------------------------------------------------------------------------------------
Problem Management                                                      draft
----------------------------------------------------------------------------------------------------------------
Service Pricing & Contract Admin                                        draft
----------------------------------------------------------------------------------------------------------------
User Contact Management                                                 draft
----------------------------------------------------------------------------------------------------------------
Solution Test and Acceptance                                          
----------------------------------------------------------------------------------------------------------------
Solution Analysis and Design                                          
----------------------------------------------------------------------------------------------------------------
Solution Build                                                        
----------------------------------------------------------------------------------------------------------------
Solution Requirements                                                 
----------------------------------------------------------------------------------------------------------------
Risk Management                                                       
----------------------------------------------------------------------------------------------------------------
IT Service Continuity Management                                        draft          
----------------------------------------------------------------------------------------------------------------
Security Management                                                                    
----------------------------------------------------------------------------------------------------------------
IT Management System Framework                                        
----------------------------------------------------------------------------------------------------------------


    Question 2(b): The 20 out of the 22 information security-related 
recommendations made by the inspector general in 2006, including any 
updates on the status of the 2 of 22 implemented. The status and 
targeted completion date of the 17 FISMA related findings made by the 
VA Office of Inspector General recommendations in its annual FISMA 
report for fiscal year 2005, issued in September 2006.

    Response: The 22 recommendations related to information security 
made by the Inspector General in 2006 consist of:

      The 17 recommendations in the Office of Inspector General 
(OIG) Fiscal Year (FY) 2005 Audit of VA Information Security Program 
(report number 05-00055-216 dated September 20, 2006); and
      The five recommendations from the OIG Report: Review of 
Issues Related to the Loss of VA Information Involving the Identity of 
Millions of Americans (report number 06-02238-163 dated July 11, 2006).
      In addition to the 22 recommendations, 13 recommendations 
were made as a result of the OIG's FY 2006 audit work and are published 
in the OIG's FY 2006 Audit of VA's Information Security Program (report 
number 06-00035-222) dated September 28, 2007.

    Recommendations number 6 and 12 from the OIG FY 2005 Audit of VA 
Information Security Program (report number 05-00055-216 dated 
September 20, 2006) have been closed out by the OIG. All of the 
recommendations and status are listed below:
    Target completion dates for corrective action have been included 
below, where available. Data Security--Assessment and Strengthening of 
Controls Program (DS-ASC) personnel will be working with personnel 
responsible for implementation of corrective action to obtain target 
completion dates for all OIG recommendations shown below.
Recommendations from FY 2005 Audit of VA Information Security Program, 
        Report Number 05-00055-216, September 20, 2006
    Recommendation 1. Implement a centralized IT management approach; 
apply appropriate resources; establish, clarify, and modify IT policies 
and procedures pursuant to organizational changes; and implement and 
enforce security controls.

    Status: Corrective Action Still in Process.

    All IT personnel and the entire IT budget have been placed under 
the control of the Assistant Secretary for OI&T, who serves as the VA 
CIO. Over the past year, the CIO has issued policies, procedures, and 
directives implementing this new, centralized management concept to 
include VA Directive 6500, Information Security Program and its 
accompanying handbook, VA Handbook 6500. Several other policies 
providing guidance regarding implementation of IT security controls are 
either in draft or in concurrence.
    In addition, the CIO is centrally managing implementation, 
enforcement, and remediation of IT security controls throughout VA via 
the data security assessment and strengthening of controls (DS-ASC) 
program and has established the Office of IT Oversight and Compliance 
(ITOC) which consolidates existing IT security activities into one 
office to assist in centralizing enforcement of IT security controls.

    Recommendation 2. Develop and implement solutions for the 
establishment of a patch management program.

    Status: Corrective Action Still in Process. The enterprise 
framework (EF) will provide centralized IT infrastructure management by 
asset management and software delivery (inventory and configuration) 
and interface with the patch management process (portal and policy 
compliance). The current project status is as follows:

      Completed proof of concept with the integration of two 
Veteran's Integrated Service Networks (VISN). The second quarter of FY 
2007 focused on developing configuration and process baselines. This 
was followed by deploying and integrating three additional VISNs, to 
form a centrally managed Region, during the third quarter of FY 2007 
through the third quarter of FY 2008. This will be repeated in Regions 
2, 3, and 4.
      VA has deployed a vulnerability and patch remediation 
solution (i.e., Harris STAT Guardian and previously Citadel Hercules) 
that the field has been using since 2003 to scan systems and remediate 
deficiencies. VA has over 300 dedicated Harris STAT servers providing 
scan and automated patch capabilities across the VA IT enterprise 
today. This does not include other patch remediation tools that have 
been deployed locally such as systems management server and update 
expert. VA has spent approximately $15M since 2003 on an enterprise-
wide vulnerability and patch remediation solution. The long term 
solution is to leverage the EF to provide this capability.

    In addition, other completed actions to implement a patch 
management program for the VA enterprise are as follows:

    1.  Current practices have been gathered (completion date August 
2007).
    2.  Patch management working group charter, process, and list of 
deliverables have been developed (completion date October 2007).
    3.  Patch management working group and working group lead have been 
identified (completion date December 2007).
    4.  Memorandum issued, titled Enterprise Patch Management 
Requirements, detailing VA's patch management program's roles and 
responsibilities, key personnel contact information, and standard 
operating procedures for field implementation (completion date December 
2007).

    Other actions that still need to be accomplished include:

    1.  Review of all current patch management practices across VA, 
target date for completion is late March 2008.
    2.  Development of VA patch management policy, target date for 
completion is May 2008.
    3.  Development of a patch management program to support 
configuration management procedures, target date for completion is 
November 2008.
    4.  Implementation of the patch management program and training 
plans enterprise wide, target date for completion is September 2009.

    Recommendation 3: Identify and implement solutions for resolving 
access control vulnerabilities, ensure segregation of duties, remind 
all sites to confirm virus protection fields are updated prior to 
authorizing connection to their networks, and resolve all self-reported 
access control weaknesses.

    Status: Corrective Action Still in Process. VA IT Directive 06-1, 
Data Security: Assessment and Strengthening of Controls, dated May 24, 
2006, established a program to remediate the IT security controls 
material weakness. As a result the DS-ASC plan was developed to address 
deficiencies. The target date for resolution of these deficiencies is 
third quarter of FY 2008.

    Recommendation 4: Review and update all applicable position 
descriptions to better describe sensitivity ratings, better document 
employee personnel records and contractor files to include signed 
``Rules of Behavior'' instructions, annual privacy and HIPAA training 
certifications, and position sensitivity level designations.

    Status: Corrective Action Still in Process.

    With issuance of the Secretaries June 28, 2006 memorandum, the 
Assistant Secretary for OI&T now has complete responsibility and 
authority for information security policies, procedures, and practices 
to include risk and sensitivity levels of employee position 
descriptions.
    Position descriptions and their corresponding sensitivity 
designations are being reviewed for consistency VA wide. Based on the 
results of these reviews, self certifications from VA's organizational 
components indicate that VA has requested approximately 95 percent of 
its required background investigations.
    In addition, a VA national Rules of Behavior document is included 
in an appendix to the recently published VA Handbook 6500 and will be 
signed by personnel with access to VA information systems and placed in 
the appropriate file. VA reported to OMB that 95 percent of its 
employees completed FY 2007 cyber security awareness training.

    Recommendation 5: Timely request the appropriate levels of 
background investigations on all applicable VA employees and 
contractors. Additionally, monitor and ensure timely requests for 
reinvestigations on all applicable employees and contractors.

    Status: Corrective Action Still in Process.

    Department wide, implementation of this recommendation is 
approximately 95 percent complete. The Department is awaiting input 
from the remaining organizations to certify that all required 
background investigations have been initiated.
    In December 2006, the Office of Security & Law Enforcement within 
the former Office of Policy, Planning and Preparedness published a 
notice providing guidance for requesting the appropriate level of 
backgrounds for contractors and the proper procedures for processing 
these requests. Additionally, VA Directive 0710 was revised and has 
been placed in the concurrence process. The amended Directive 0710 
provides more detailed guidance for processing employee and contractor 
background investigations. VA Handbook 0710 is currently being revised 
and is planned to be completed within the next several months.
    The Security and Investigations Center (SIC) has developed and is 
using a computer tracking system that will automatically generate a 
notice to the SIC staff when an employee or contractors is due a 
background reinvestigation. This tracking system will ensure that a 
timely notice is sent to the employee or contractor when 
reinvestigation packets are due to be completed.

    Recommendation 6: Provide our office the results of researching the 
benefits and costs of deploying intrusion prevention systems (IPS) at 
all sites.

    Status: Closed by the OIG.

    Recommendation 7: Continue efforts to strengthen critical 
infrastructure planning, complete the critical infrastructure 
protection plan, and ensure infrastructure planning addresses Executive 
Order 13231, and other information security requirements.

    Status: Corrective Action Still in Process.

    VA has completed the following critical infrastructure protection 
actions:

      Security training was provided to the appropriate 
personnel assigned to the Network and Security Operations Center 
(NSOC). The new hires will have training this year.
      Encryption software was installed on all laptops by 
September 2006.
      The Critical Infrastructure Protection (CIP) division is 
implementing the public key infrastructure (PKI) solution. Over 135,000 
PKI certificates have been issued to date.
      VA has a continuity of operations plan (COOP) and 
comprehensive emergency program plan. OI&T participates in VA's annual 
master COOP plan test. Primary responsibility for the VA's master COOP 
plan rests with the Office of Operations, Security, and Preparedness 
(OSP). VA has issued Directive and Handbook 0320, Comprehensive 
Emergency Management Program. Both are dated March 24, 2005. VA also 
has an OI&T COOP plan which was posted to VA Intranet in June 2003.
      VA's critical infrastructure protection contingency plan 
references Homeland Security Presidential Directive--HSPD 7, Homeland 
Security Act 2002, National Response Plan, and National Incident 
Management System (NIMS) plus other historical cyber security 
requirements. The CIP division is working with the Office of Cyber 
Security to incorporate the requirements, recommendations and 
guidelines into the policies and procedures. Target completion date is 
August 2008.
      The CIP division is installing network intrusion 
prevention (NIP) devices capable of monitoring and blocking network 
traffic. The VA NSOC is performing an analysis to see what other 
locations can benefit from the NIP units. This is an ongoing process 
where we continuously re-evaluate to ensure the VA has adequate 
coverage with regards to the NIPS.

    Recommendation 8: Collaboratively test ITC COOPs in a joint effort 
with all tenant groups (VHA, VBA, NCA, and other program offices) to 
ensure that backup sites will support all mission related operations, 
and report test results to our office for further review.

    Status: Corrective Action Still in Process.

    The Corporate Franchise Data Center (CFD), Austin Campus (formerly 
the Austin Automation Center or AAC) conducts COOP tests annually and 
has integrated its COOP test with the organizations collocated at its 
facility. The test includes the following:

    1.  Verifying the ability of CFD, Philadelphia Information 
Technology Center (ITC), and Hines ITC staff to recover the CFD Mission 
Critical and Essential Support systems currently replicated to the 
Philadelphia and Hines ITCs. Examples of Mission Critical and essential 
Support systems include applications such as PAID, VETSNET and FMS.
    2.  Testing the ability of the CFD to use its workspace recovery 
facility for CFD staff to remotely log onto CFD recovery platforms 
using the OneVA virtual private network (VPN).
    3.  Testing CFD, Philadelphia Insurance, and Veterans Benefits 
Administration (VBA) Benefits Delivery Network (BDN) end-to-end 
transmission of files between the Hines ITC, Philadelphia ITC, 
Financial Services Center (FSC) Waco facility, and Treasury's 
Hyattsville Processing Facility.
    4.  Testing Beneficiary Identification and Records Locator System 
(BIRLS) functionality between the Hines and Philadelphia ITCs.

    The last disaster recovery (DR) exercise for the CFD, Austin Campus 
was conducted in August 2007; the next exercise is scheduled for August 
2008. Mission critical and essential support applications are tested 
with resident organization input during the annual DR exercise. Table 
top tests were performed on routine applications in 2007.
    The Philadelphia ITC established an agreement between the ITC, 
Philadelphia Regional Office and Insurance Center (ROIC), and the 
Philadelphia VA Medical Center (VAMC) that established a command post 
at the VAMC for key ITC and ROIC personnel for disaster recovery 
purposes. The Philadelphia ITC conducted full DR tests for the VBA Web 
applications and the Insurance Payment System in April/May 2007. A BDN 
disaster recovery test by Hines and Philadelphia staff was performed in 
Philadelphia July 9-12, 2007. A joint exercise including tenants is 
planned in 2008; however, this will be a simulated or desktop exercise 
and not a full DR test. The next VBA web application disaster recovery 
test is scheduled for the May-June 2008 timeframe at Hines Information 
Technology Center. We also plan to conduct the Insurance Payment System 
disaster recovery test during this same timeframe.
    The Hines ITC maintains a comprehensive DR plan for the legacy 
Benefits Delivery Network (BDN). The disaster recovery exercise in July 
2007 successfully demonstrated that the Bull and IBM BDN disaster 
recovery infrastructure at the Philadelphia ITC is capable of executing 
the BDN online and batch processing in the event of a real disaster. 
This plan is exercised annually in the summer months. The Hines ITC 
conducted a joint table-top exercise in December 2007.

    Recommendation 9: Address all self-reported deficiencies identified 
as the result of completed C&A and related review work.

    Status: Corrective Action Still in Process.

    In May 2006, the CIO issued VA IT Directive 06-1, Data Security: 
Assessment and Strengthening of Controls. This directive established a 
program to remediate IT security controls deficiencies. From this DS-
ASC plan was developed which addresses deficiencies resulting from 
completed certification and accreditation (C&A) work, details of which 
are contained in the plans of actions and milestones (POA&M) section of 
the security management and reporting tool (SMART) database.
    The Office of Oversight and Compliance has been established to 
ensure continuity and followthrough on remediation of these 
deficiencies.

    Recommendation 10: Determine the extent to which uncertified 
Internet gateways continue to exist, and take actions to upgrade and 
terminate external connections susceptible to inappropriate access.

    Status: Corrective Action Still in Process.

    NCA shut down its Internet gateway on June 20, 2006.
    VBA shut down its Internet gateway a year ago. VBA continue to 
maintain a private T1 connection to benefits delivery discharge (BDD) 
centers at two military facilities in Korea and Germany. VBA routes no 
other data traffic to them, and they are getting ready to ship 
preconfigured firewalls to these centers. The T1 connections will be 
removed within the next 3 months and the traffic will route through a 
virtual private network (VPN) when the firewalls are installed.
    VHA's VISN 20, 21, and 22 have migrated its traffic to the 
enterprise cyber security infrastructure program (ECSIP) and have shut 
down their external connections; however, VHA has identified additional 
external business connections that require business partner gateway 
(BPG) VPN connections. These connections are documented, justified, and 
submitted to the enterprise security cyber control board (ESCCB) for 
approval.
    The Environmental Protection Agency (EPA) connection moved to the 
ECSIP gateway and the moving of the remaining connections is contingent 
on ESCCB approval. In March 2007, the AAC moved all of it's existing 
site-to-site VPN connections to the AAC's Internet firewall, and then 
moved the AAC's Internet firewall's and franchise firewall's internal 
interfaces from the internal gateway to the VA wide area network (WAN). 
This was necessary to complete the process of moving site-to-site VPNs 
and Internet facing web servers to the VA WAN for Internet access, thus 
allowing the shutdown of the supporting Internet service provider. 
ESCCB approval is pending for a plan to migrate the Internet facing web 
servers as the next step in the process.
    Significant progress is being made with migrating Corporate 
Franchise Data Center (CFD) (formerly Austin Automation Center) 
remaining customers off of the CFD Internet gateway. DoD traffic will 
be migrated by the end of February 2008 and all other customers such as 
Home TeleHealth (HTH), Workman's Compensation, and the National 
Archives and Records Administration (NARA) will be completely migrated 
by June 30th, 2008.

    Recommendation 11: Improve configuration management practices by 
identifying, replacing, or justifying the continuance of older 
operating systems that are vulnerable to security breaches.

    Status: Corrective Action Still in Process.

    VA has been upgrading its computers to the Microsoft Windows XP 
operating system and also has been upgrading peripheral devices, as 
necessary.
    All VBA workstations are operating under Windows 2000, and all VBA 
servers are operating under Windows 2003. Implementation plans are 
underway for workstation upgrades to Windows XP. However, the 
conversion to newer operating systems for VBA platforms is dependent 
upon upgrading the applications systems code to use the newer operating 
systems capabilities. The applications upgrade has been estimated at 
approximately $2 million and will take approximately 2 years to 
complete. Application upgrading will begin and the conversion to a 
newer operating system can be accomplished at the end of this upgrade 
process. VA is currently working to develop requests for waivers for 
these applications until the application upgrade can be accomplished.
    In VHA most desktop systems or IT servers use the latest operating 
system, Windows XP. The exceptions to this rule includes specialized 
equipment incorporating an operating system such as three V-Tel systems 
in VISN 17 using Windows 98 and one telephone switch in VISN 19 using 
Windows 98 as well as medical devices. The V-Tel systems and telephone 
switch are connected via a virtual local area network (VLAN) that 
provides isolation from the facility LAN which is being replaced. All 
medical equipment, regardless of the operating system, is required by 
VHA policy to be connected to facility networks using the VA isolation 
architecture. Some medical systems cannot be upgraded.
    Configuration management has been addressed in the recently 
published VA Handbook 6500. In addition, a plan to address 
configuration management deficiencies was completed in August 2007. 
Minimum configuration settings for information technology products were 
established in September 2007 and submitted in October 2007 to the 
configuration management technical working group (CM/TWG) for 
finalization and approval in conjunction with enterprise change and 
configuration management processes. In September 2007 VA decided on 
replacement requirements for personal equipment.
    Field security operations are in the process of defining a process 
to standardize operating systems and applications. Processes are also 
being developed for monitoring system changes and their impacts. Target 
date for completion is late March 2008 with final completion dependent 
on the CM/TWG and the testing/procurement of an enterprise management 
framework (EMF) toolset to support these processes. The CM/TWG has a 
target completion date of September 30, 2008, to develop the needed 
change control procedures, and the EMF project has a target completion 
date of FY 2009, with pilot testing in the last quarter of FY 2008.

    Recommendation 12: Complete actions to relocate and consolidate 
VACO's data Center.

    Status: Closed by the OIG.

    Recommendation 13: Develop and implement VA-wide application 
program/operating system change control procedures to ensure consistent 
documentation and authorization practices are deployed at all 
facilities.

    Status: Corrective Action Still in Process.

    Change control, as a required security control defined in the 
National Institute of Standards and Technology (NIST) Special 
Publication 800-53, is included in the recently published VA 6500 
Handbook. A new technical oversight Committee has been established, 
chaired by the Office of Development, and will review the need for 
specific and separate change control policy beyond the scope of VA 
Handbook 6500.
    Additionally, the IT regional data processing change management 
process is establishing integrated change control and ultimately a full 
change management process. The current outcome is a change management 
process with an interim definition established in a January 29, 2007 
memorandum--Regional Data Processing Information Technology Change 
Management Interim Process--which focuses on change requests that may 
impact the infrastructure or operating environment of the regional data 
processing. The work group will establish a full change management 
process and ultimately configuration management. This workgroup and 
processes are linked with VBA's architecture change and review board, 
AAC's change management process and change control board, and ESCCB. 
This work group will look at incorporating other change control 
processes such as those used by VA developers. There is a process 
definition technical work group that will define the VA process for 
change management.
    Related actions that have been completed regarding implementation 
of change controls throughout the VA enterprise include:

    1.  Current change control practices have been gathered, completion 
date August 2007.
    2.  Change control working group charter, process, and list of 
deliverables have been developed, completion date October 2007.
    3.  Change control working group and working group lead has been 
identified, completion date December 2007.

    Related actions that still need to be accomplished regarding change 
controls include:

    1.  Review all current practices across VA focusing on the impact 
to operating systems including security, target date for completion is 
late March 2008.
    2.  Develop change control policy, target date for completion is 
May 2008.
    3.  Develop change control procedures, target date for completion 
is November 2008.
    4.  Implement change controls and training plans VA wide, target 
date for completion is September 2009.

    Recommendation 14: Strengthen physical access controls to correct 
previously reported physical access control deficiencies, develop 
consistent standardized physical access control requirements, policies, 
and guidelines throughout VA.

    Status: Corrective Action Still in Process.

    The OSP has revised VA Directive and Handbook 0730, including 
Appendix B, Physical Security Requirements and Options. Along with 
other major changes, the revised 0730 document contains updated 
requirements for the physical access of protect IT spaces, such as 
computer rooms and telecommunication/data connections. This directive 
is currently pending departmental concurrence. After concurrence is 
received, in accordance with title 38 section 901 it must then be 
submitted to the Department of Justice for review prior to publication. 
The Office of Operations, Security and Preparedness anticipates it may 
not be until the end of FY 2008 before the revised VA Directive and 
Handbook 0730 Directive and Handbook are released.
    Physical and environmental controls have been addressed nationally 
in the recently published VA Handbook 6500. Resolution of physical 
access control deficiencies is an iterative process. VA IT Directive 
06-1, Data Security--Assessment and Strengthening of Controls, dated 
May 24, 2006, established a program to remediate the IT security 
controls material weakness. As a result the DS-ASC plan was developed 
to address the physical access control deficiencies mentioned above. 
Target date for remediation of these deficiencies is the third quarter 
of FY 2008.
    The Office of Information and Technology Office of Oversight and 
Compliance has been established to ensure continuity and followthrough 
on remediation of physical access control deficiencies. In order to 
highlight the necessary physical security requirements, the Office of 
Information and Technology Oversight and Compliance (ITOC) worked 
closely with representatives from the Office of Operations, Security 
and Preparedness to develop an Information Physical Security (IP) 
checklist to be utilized by ITOC during assessments of VA facilities. 
The IP checklist has been added to the assessment protocols. The 
initial prototype was tested at a number of VA facilities and was well 
received by Facility Directors, CIOs, Information Security Officers, 
Chiefs of Police, and others. An early observation indicates it will 
prove invaluable to direct attention to physical access issues. The 
ITOC assessment teams are also continuing to stress the applicable 
security controls from the NIST 800-53 protocols during the 
assessments.
    An Information Memorandum, to be jointly issued by the Assistant 
Secretary for Operations, Security and Preparedness and the Assistant 
Secretary for Information and Technology, is being prepared. This joint 
memorandum will form the basis of a physical security awareness 
campaign. This memorandum is expected to be released sometime in mid-FY 
2008.

    Recommendation 15: Reduce wireless security vulnerabilities by 
ensuring sites have an effective and up-to-date methodology to protect 
against the interception of wireless signals and accessing the network. 
Additionally, ensure the wireless network is segmented and protected 
from the wired network.

    Status: Corrective Action Still in Process.

    Wireless laptops on VA networks are protected and separated from 
the wireless network by AirFortress. Methods used to protect the 
interception of wireless signals and accessing the network are included 
in VA's Wireless and Handheld Device Security Guideline, Version 3.2, 
dated August 15, 2005.
    VHA and VBA have installed AirFortress wireless security gateway to 
secure their wireless LAN systems. All wireless data traffic is routed 
through the AirFortress wireless security gateway before it is 
transmitted on VA network. The AirFortress wireless security gateway 
not only provides encryption of data between the wireless client and 
the security gateway, it also provides firewall functionality and 
limits access to VA network to only authorized devices and users. Since 
firewall functionality has already been provided as part of the 
AirFortress solution there is no need to install an additional firewall 
between AirFortress and VA network.
    VA recognizes that any secure wireless LAN system will include a 
wired/wireless network border gateway security device that will enforce 
an access control policy between the wired and wireless network thereby 
limiting access to only authorized users on authorized ports, all 
features of a firewall.
    However, additional work needs to be done in the wireless area. 
Blackberries and PalmPilots connecting to the network are not 
encrypted. Encryption for these devices is being piloted. In addition, 
the NSOC is establishing a wireless assessment program that will 
identify and assist the field with remediation of wireless security 
vulnerabilities.

    Recommendation 16: Identify and deploy solutions to encrypt 
sensitive data and resolve clear text protocol vulnerabilities.

    Status: Corrective Action Still in Process.

    VA has taken several actions toward the protection of sensitive 
information. By September 15, 2006 the VA encrypted over 15,000 
laptops. Simultaneously, VA developed and implemented procedures to 
ensure that all laptops have applied updated security policies and 
removed all sensitive information that was not authorized to be stored 
on the devices. This procedure will continue to occur throughout the 
Department routinely and is one measure VA has undertaken to protect 
information.
    VA has begun deploying technology to ensure information is 
protected and is identifying and leveraging existing technologies that 
will contribute to protecting VA information. These technologies and 
the status of their deployments are shown below:

      Sanctuary port security and device control technology. 
Sanctuary has been deployed and is operational in Region 4 
(Northeastern United States). Sanctuary is actively restricting the use 
of non-VA approved universal serial bus devices on VA computers. The 
technical documentation, architecture design, server configuration, and 
project documentation created during Region 4 deployment are being 
leveraged by the rest of the enterprise as they begin deployment of the 
technology. Region 3 (Southern/near Midwestern United States) will be 
the next region to deploy Sanctuary and is in the process of procuring 
hardware to support its implementation. Subsequently, Region 1 (Western 
United States), Region 2 (Southwestern/far Midwestern United States), 
the Corporate Franchise Data Center (Austin, Texas), VBA, and NCA will 
deploy.
      Microsoft Rights Management Services (RMS) technology to 
safeguard digital information from unauthorized use. VA completed the 
deployment of over 157,000 RMS clients across the enterprise in FY 
2007. VA procured robust hardware to support the operations of RMS for 
the enterprise, thus enabling VA to use the current hardware for the 
infrastructure for the RMS continuity of operations. VA has begun to 
test the external provisioning component for RMS which will extend the 
RMS functionality of protecting emails and documents to VA business 
partners. Without the external provisioning component, VA business 
partners, such as the Department of Justice, cannot read email messages 
that are sent with RMS security controls applied.
      Attachmate host integration and secure network 
transmission technology. In 2007 VA conducted pilot testing of 
Attachmate technology across all of VA's Regions. The pilot included 
the installation and testing of the terminal emulator client in 
unencrypted mode and then encrypted mode. This technology will be able 
to encrypt information sent across VA network from applications such as 
VistA (veterans health information systems and technology 
architecture), CPRS (computerized patient record system), and IFCAP/ETA 
(integrated funds distribution, control point accounting and 
procurement/enhanced time and attendance). VA has developed the various 
configurations depending on how the product will be used to include the 
corresponding technical documentation. The installation package and the 
technical documentation will be posted to a share point and made 
available for sites to acquire this information and the file. Region 4 
will be the first to deploy the client in an encrypted mode throughout 
their region.
      Cisco and BigFix secure remote access technology. The 
secure remote access project, also known as the remote enterprise 
security compliance update environment (RESCUE), proof of concept was 
successfully completed in mid-October 2007. The RESCUE solution 
consists of Cisco technology for enforcement and network access control 
and BigFix for remediation of non-compliant devices. Recently, VA NSOC 
installed a portion of the hardware to support RESCUE in the Reston 
gateway. In January 2008 a small user group test was conducted out of 
the Reston gateway. Simultaneously, RESCUE hardware and software will 
be installed in the remaining gateways by February 2008. The virtual 
private network (VPN) user-base will be migrated to the RESCUE solution 
by June 2008.

    Recommendation 17: Conduct validation tests in conjunction with 
remediation efforts to ensure all information and data retained in the 
SMART database is accurate, complete, and reliable.

    Status: Corrective Action Still in Process. ITOC performs 
validation tests of SMART database as part of their assessments. To 
date numerous assessments have been conducted by ITOC. ITOC has 
validated internal processes and procedures in the identification and 
accuracy of POA&M items and has stressed to the field the need to 
ensure updated information is incorporated into SMART. The ITOC 
inspection checklist has been modified to add additional task lines to 
verify entries in SMART. Target completion date is April 1, 2008.
Recommendations from OIG Report: Review of Issues Related to the Loss 
        of VA Information Involving the Identity of Millions of 
        Americans, Report # 06-02238-163, Issued July 11, 2006
    Recommendation 1: Establish one clear, concise VA Policy on 
safeguarding protected Information when stored or not stored in VA 
automated systems, ensure that the policy is readily accessible to 
employees, and that employees are held accountable for non-compliance.

    Status: Closed by the OIG based on the issuance of VA Handbook 
6500, Information Security Program, on September 18, 2007 and meeting 
with OIG on September 7, 2007.

    Recommendation 2: Modify the mandatory Cyber Security and Privacy 
Awareness training to identify and provide a link to all applicable 
laws and VA policy.

    Status: Corrective Action Completed. Cyber security and privacy 
awareness training modules have been updated. The privacy awareness 
training module has been updated and now contains links to applicable 
laws and VA policy. It has been provided to the OIG for review. The FY 
2008 cyber security awareness training was made available on October 1, 
2007. All applicable VA policy and Federal laws are linked on the 
reference page of the online training course. VA is currently working 
with the OIG to close out this Issue.

    Recommendation 3: Ensure that all position descriptions are 
evaluated and have proper sensitivity level designations that there is 
consistency nationwide for positions that are similar in nature or have 
similar access to VA protected information and automated systems, and 
that all required background checks are completed in a timely manner.

    Status: Corrective Action Still in Process.

      New fields have been added to VA payroll system to 
reflect position risk/sensitivity levels for each VA position and 
background investigation levels for each employee.
      The revised version of VA Directive 0710, Personnel 
Suitability and Security Program, is still in concurrence. In addition, 
the accompanying handbook, VA Handbook 0710, is under development by 
OSP.

    VA will ensure that all background investigations are requested, 
and as appropriate, adjudicated when completed, in the required 
timeframes and will monitor the status of investigations performed by 
outside entities. VA cannot ensure background investigations are 
completed in a timely manner as VA does not conduct background 
investigations; these are performed by the Office of Personnel 
Management.
    Self-certifications from VA's organizational components indicate 
that VA has requested approximately 95 percent of its required 
background investigations.

    Recommendation 4: Establish VA-wide policy for contracts for 
service that requires access to protected information and/or VA 
automated systems, that ensures contractor personnel are held to the 
same standards as VA employees, and that information accessed, stored 
or processed on non-VA automated systems is safeguarded.

    Status: Closed out by the OIG based on the issuance of VA 6500 
Handbook, Information Security Program, dated September 18, 2007.

    Recommendation 5: Establish VA policy and procedures that provide 
clear, consistent for reporting, investigating, and tracking incidents 
of loss, theft, or potential disclosure of protected information or 
unauthorized access to automated systems, including specific timeframes 
and responsibilities for reporting within the VA chain-of-command and, 
where appropriate, to OIG and other law enforcement entities, as well 
as appropriate notification to individuals whose protected information 
may be compromised.

    Status: Closed by the OIG based on the issuance of VA Handbook 
6500, Information Security Program, on September 18, 2007 and meeting 
with OIG on September 7, 2007.
Recommendations from OIG's FY 2006 Audit of VA's Information Security 
        Program, Report Number 06-00035-222, dated September 28, 2007.
    Recommendation 1: Provide for the maintenance of appropriate 
documentation of completed background investigations for employees and 
contractors.

    Status: Corrective Action Still in Process. Documentation of 
completed background investigations will be maintained for employees 
and contractors in accordance with VA policies and procedures.

    Recommendation 2: Require contractors with access to VA systems to 
complete cyber security awareness training in accordance with OMB A-
130.

    Status: Corrective Action Still in Process. Paragraphs 2 and 3f of 
VA Directive 6500, Information Security Program, dated August 4, 2006, 
requires annual security awareness training for all contractors with 
access to VA sensitive information and information systems. VA 6500 
Handbook, Information Security Program, issued on September 18, 2007, 
also requires that contractors take this training.

    In addition, VA has developed standard contract language to be used 
in all VA contracts regarding protection of VA information and 
information systems which will incorporate the requirement for 
contractors to complete annual security awareness training. The 
contractual language is still undergoing Departmental concurrence. 
Target date for obtaining concurrence on this contract language is 
April 2008.

    Recommendation 3: Develop and implement a methodology to assess the 
effectiveness of VA's Intrusion Prevention Systems in protecting VA 
systems and data from inappropriate access.

    Status: Corrective Action Still in Process. VA will implement a 
method to evaluate the effectiveness of VA's IPS.

    Recommendation 4: Develop a comprehensive COOP for OI&T and update 
and finalize the OI&T appendix within the VA Master COOP to include its 
essential functions, emergency relocation group, mission critical 
systems, and vital records in accordance with the Federal Preparedness 
Circular 65, Federal executive branch Continuity of Operations.

    Status: Corrective Action Still in Process. VA has a master COOP 
and comprehensive emergency program plan. Primary responsibility for 
VA's master COOP plan rests with the OSP. OI&T is a part of and 
participates in VA's annual master COOP plan tested.

    OI&T has its own COOP plan which was posted to the VA Intranet in 
June 2003. This plan is contained in OI&T Handbook 0320, Continuity of 
Operations, Planning Procedures and Operational Requirements. The 
purpose of the OI&T COOP plan is to:

    a.  Provide command and control of IT assets during emergency 
situations to ensure continuation of mission-critical and mission-
essential operations.
    b.  Provide a coordinated response and recovery effort to 
effectively mitigate an emergency or disaster.
    c.  Ensure the Assistant Secretary for OI&T can perform its 
mission-critical and mission-essential responsibilities during and 
after an emergency situation.
    d.  Ensure the safety and welfare of VA IT staff both during and 
after an emergency situation.
    e.  Provide a mechanism for the prompt notification of all VA IT 
personnel during an emergency situation.
    f.   Reconstitute, as rapidly as possible, IT systems that are 
adversely affected due to an emergency or disaster.
    g.  Develop mitigation strategies that will ensure the survival of 
VA's critical IT infrastructure.
    h.  Support regular training and exercises designed to enable 
personnel to perform assigned emergency management duties.
    i.   Provide a standardized format for reporting the status of 
essential IT systems and functions.

    This plan applies to all VA IT staff, and contractors, and its 
mission of supporting VA Central Office (VACO) with IT, information 
management, record management, cyber security, and telecommunications. 
The plan addresses emergency preparedness activities to ensure business 
continuity. Preparedness activities include plans, procedures, 
readiness measures, and mitigation strategies that enhance VA's ability 
to respond to and recover from a designated emergency.
    OI&T will complete the identification and prioritization of its 
critical information assets, essential functions, emergency relocation 
group, mission critical systems, and vital records and will update and 
finalize its appendix section within the VA master COOP to make it 
current with the OI&T reorganization.

    Recommendation 5: Ensure the C&A work is complete and that the C&A 
certifications are supported by the work performed.

    Status: Corrective Action Still in Process. Certification and 
accreditation (C&A) work for VA's information systems is complete. Re-
accreditation for the vast majority of VA's systems (which were 
accredited in August 2005) is due to be completed in August 2008.

    In 2006, VA contracted with an outside firm to perform an 
independent validation and verification (IV&V) of its 2005 C&A effort. 
VA will review the issues and recommendations contained in the 
contractor's IV&V report, along with the issues identified on pages 11-
13 of this audit report, and make the appropriate revisions to VA's C&A 
policy to ensure that future C&As are performed according to NIST 800-
37.
    In 2006, VA contracted with an outside firm to perform an 
independent validation and verification (IV&V) of its 2005 C&A effort. 
VA has reviewed the issues and recommendations contained in the 
contractor's IV&V report and will make the appropriate revisions to its 
ongoing reaccreditation efforts to ensure that certification and 
accreditation efforts (C&A) are properly documented and cross-
referenced.

    Recommendation 6: Develop a Department-wide configuration 
management plan/security configuration policy.

    Status: Corrective Action Still in Process. Configuration 
management has been addressed in the recently published VA Handbook 
6500. Additional policy regarding this issue still needs to be 
developed.

    To date the following actions have been completed regarding 
implementation of a configuration management plan for the VA 
enterprise: (1) current configuration management practices have been 
gathered (August 2007), (2) the current status of the VA configuration 
management program policy and handbook have been determined (July 
2007), (3) a configuration management working group charter, process, 
and list of deliverables has been established/developed; and (4) a 
configuration management working group has been established and a 
working group lead has been identified (December 2007).
    Tasks that still need to be accomplished are: (1) a review of all 
current configuration management practices across the VA enterprise 
(target completion date is late March 2008), (2) development of VA 
configuration management policy (target completion date is May 2008), 
(3) development of configuration management plans to support change 
control procedures (target completion date is November 2008), and (4) 
execution of configuration management implementation and training plans 
VA-wide, target completion date is September 2009.

    Recommendation 7: Verify information categorization and risk 
assessments relating to sensitive information are in accordance with 
FIPS 199.

    Status: Corrective Action Still in Process. VA IT Directive 06-1, 
Data Security--Assessment and Strengthening of Controls, dated May 24, 
2006, established a program to remediate the IT security deficiencies. 
The DS-ASC plan, was developed to address deficiencies. VA has 
established a data control board to classify VA data which will assist 
in the implementation of this recommendation.

    Recommendation 8: Develop and fully implement procedures for 
protecting sensitive information accessed remotely or removed from VA 
facilities in accordance with NIST SP 800-53.

    Status: Corrective Action Still in Process. VA IT Directive 06-1, 
Data Security--Assessment and Strengthening of Controls, dated May 24, 
2006, established a program to remediate the IT security deficiencies. 
This is already being partially addressed through the introduction of 
new software.

    Recommendation 9: Complete the implementation of two-factor 
authentication in accordance with NIST SP 800-53.

    Status: Corrective Action Still in Process. VA IT Directive 06-1, 
Data Security--Assessment and Strengthening of Controls, dated May 24, 
2006, established a program to remediate IT security deficiencies. This 
issue has been provided to DS-ASC personnel for incorporation into the 
DS-ASC program. A consolidated program for identity management has 
already been established to partially address this deficiency.

    A target date has not been established. With the initiation of the 
DS-ASC contract award, milestones are being developed and target dates 
will be established in the next 2 or 3 months.

    Recommendation 10: Identify solutions and an implementation plan 
for a workable time-out function for remote access through VPN in 
accordance with NIST SP 800-53.

    Status: Corrective Action Still in Process. While this 
recommendation is being addressed in the DS-ASC, it cannot be currently 
implemented as the 30 minute time-out feature for inactivity does not 
always work as intended with technology currently deployed. This 
limitation can be attributed to the frequent system activity caused by 
certain software products (e.g., host based IPS) which makes the VPN 
connection appear to be active, therefore never reaching the 30 minutes 
threshold of inactivity.

    While the applications in use do timeout, the VPN sometimes does 
not. VA feels that the timeout capability provided by the current suite 
of deployed software is enough to mitigate this risk. VA will search 
for solutions to this issue in its next generation of RESCUE software.

    Recommendation 11: Complete implementation of security control 
measures involving access to sensitive information by non-VA employees.

    Status: Corrective Action Still in Process. This recommendation is 
being added as a task to the DS-ASC and will address the five areas of 
improvement identified in the OI&T August 25, 2006 briefing to the 
former Secretary.

    Recommendation 12: Implement a standardized security program for 
use by all of VA's national and regional data centers to facilitate 
more consistent security program assessment and monitoring.

    Status: Corrective Action Still in Process. A standardized security 
program for the data centers will be developed and implemented.

    Recommendation 13: Institute mechanisms to notify all VA facilities 
of the specific security issues identified in this report and from 
future testing so that appropriate corrective actions can be taken on 
these issues if they exist at other facilities.

    Status: Corrective Action Still in Process. The OIG FY 2006 FISMA 
audit report has been distributed to personnel who have overall 
responsibility for implementation of corrective action (champions and 
project managers) shown in the data security-assessment and 
strengthening of controls (DS-ASC) program. This report, and all 
subsequent similar reports, will be posted to the VA Intranet by the 
end of March 2008 so that deficiencies identified in these reports can 
be made available to OI&T personnel located at other VA facilities. An 
e-mail will be sent notifying OI&T personnel of each report's 
availability and VA Intranet location.

    Question 3: What has been accomplished since June 2007 in fully 
implementing the IT Governance plan? Are all governance boards in place 
and operating?

    Response: Implementation of the IT governance plan is the 
responsibility of the VA Executive Board, the Strategic Management 
Council (SMC) and VA senior leadership; not just OI&T. IT governance is 
an integral part of VA-wide governance and aligns to VA's business 
strategies and objectives. Trust must be built among the stakeholders 
in the management of IT in VA. Implementing VA IT governance involves 
shared decisionmaking through the IT governance boards, based on the 
guiding principle of aligning IT strategy and goals to business 
strategy and goals.
    Since June 2007, each of the IT governance boards played an 
integral part in identifying and prioritizing the myriad requirements 
that the business units have to contend with. The Planning, Technology 
and Services (PATS) Board developed the FY 2009 program with input from 
the business units and stakeholders. The Business Needs and Investment 
Board (BNIB) developed FY 2008 execution strategy and FY 2009 funding 
recommendations. The Information Technology Leadership Board (ITLB) 
carried the message of the PATS and BNIB to the highest levels of VA's 
leadership and recommended that the Deputy Secretary approve the IT 
budgets. The FY 2009 budget submission was unanimously approved by the 
SMC/VA Enterprise Board (VAEB).

    Question 4: With respect to the VistA outage on August 31, 2007, 
described in the testimony of Dr. Volpp, please state what actions are 
being taken to ensure that such an outage does not occur in the future. 
In addition, state whether the ``failover'' function between the two 
western data centers is sufficient to ensure uptime of VistA sufficient 
to meet the healthcare needs of VHA, the reason(s) the ``failover'' 
function is or is not able to meet those needs, and, if the 
``failover'' is not sufficient to meet those needs, what remediation 
will be undertaken.

    Response: The root-cause of the outage on August 31, 2007 was lack 
of adherence to change management procedures by VA staff. Staff has 
been retrained in change management procedures and compliance is being 
closely monitored. Senior management have communicated to staff that 
any future outage with similar cause may result in disciplinary actions 
against those individuals not adhering to the procedures.
    The ``failover'' function is in place and able to meet the 
healthcare needs of VHA in this region. Failover capability has been 
successfully tested as recently as September 16, 2007.
    Failover capability is a core system design requirement of the 
regional data processing program and as such is available if an event 
occurs that warrants that action. The design is intended for disaster 
situations. Although it takes up to 4 hours to failover once the 
decision is made to do so, sites do have ``read only'' capability 
available. During the August 2007 outage, ``read only'' capability was 
available to all affected sites.
    The outage that took place on August 31, 2007 at the west coast 
Regional Processing Center (RPC) in Sacramento was precipitated by a 
change that was made to the running environment without formal 
approval. Additionally, this unapproved change was made incorrectly--
resulting in a number of systems being taken offline, rendering the 
entire system unavailable. Based on detailed analysis, the Department 
is instituting a number of improvements and architectural changes to 
the RPC on the west coast in order to ensure efficient day to day 
processing, increased availability and enhancement of failover of 
resources in the event of a disaster. The RPC was originally 
architected to ensure continuity of operations during a Katrina like 
episode or other regional disaster. The Department has also engaged a 
contractor for an independent analysis of the RPC. The results of that 
engagement have not been delivered as of yet. This information will 
also be used to validate or enhance the department's architectural 
decisions.
    These changes in the RPC environment will ensure that VA moves 
closer to a more highly available environment for the VistA systems 
that serve the Department's medical centers and clinics. Already, the 
RPC on the east coast is providing very high availability. The 
scheduled and unscheduled downtime metrics for VistA in those data 
centers fall into the ``Best In Class'' category as defined by 
Gartner--their most stringent category. While hardware augmentation and 
realignment of systems will improve availability in the west coast data 
centers and with the VistA platform design in general--it should be 
noted that the Department's aging VistA application must also be 
examined.
    The Department has launched an assessment team to review ``Class 
3'' applications. It is believed that certain class 3 code can 
negatively affect the health and performance of a running VistA system. 
The team embarked upon its analysis at a VA facility--the San Francisco 
VAMC--where the presence of Class 3 code is significant. We are 
examining efficiency of Class 3 code, adherence to standards, and 
scalability qualities--in order to ensure efficient use ability at a 
RPC.
    In closing, we believe the availability needs of the organization 
will be met by the continued application of engineering enhancements to 
the RPC infrastructure as well as the analysis and renovation of Class 
3 code. Disaster recovery failover capabilities have been in place 
since the launch of the RPCs and will also continue to be enhanced by 
the engineering changes being implemented already, with others on the 
immediate horizon. In the end, however, the application is what 
dictates, in great part, limitations on performance and availability. 
The current VistA application has roots and elements that are more than 
20 years old. Until the advent and full deployment of HealtheVet--which 
brings significant renovation of the aging VistA code by rearchitecting 
using industry best practices including Service Oriented Architecture 
(SOA)--overall availability for VistA can be optimized only to a point 
but will still fall in Gartners's ``Outstanding'' or ``Best in Class'' 
categories.

    Question 5: GAO identified ``dedicating an implementation team to 
manage change'' as a critical success factor to the department's 
implementation of a centralized structure. The department is currently 
managing the realignment through two organizations: the Process 
Improvement Office under the Quality and Performance Office and the 
Organizational Management Office. The Executive Director of the 
Organizational Management Office has recently resigned his position, 
leaving one of the two offices without leadership. Please explain the 
following:

    Question 5(a): Why did VA decide to manage the realignment through 
two organizations rather than dedicating a single implementation team 
to manage change? What is the benefit to having two organizations over 
one?

    Response: Since the executive director of the Organization 
Management Office resigned, the deputy director of the Office of 
Quality and Performance has been assigned the responsibility to advise 
the principal deputy assistant secretary (PDAS) and Assistant Secretary 
for OI&T on realignment issues in addition to continuing the process 
improvement effort.
    Overall, IT executive leadership team is responsible for meeting 
established performance goals related to the implementation of the IT 
realignment. For example, the Information Protection and Risk 
Management (IP&RM) organization is responsible for ensuring proper 
policies and procedures are in place to protect personally identifiable 
information of both veterans and employees, as is ITOC. The Resource 
Management (RM) organization is responsible for career management, 
funds execution and asset management. Similarly, the Office of 
Enterprise Development (OED) ensures appropriate processes are 
implemented as IT products are developed, Enterprise Operations and 
Infrastructure (EO&I) is measured on their compliance to service level 
agreements and the Office of Enterprise Strategy, Policy, Plans and 
Programs (OESPP&P) ensures multi-year programming and project 
management activities are implemented as well as developing and 
describing IT strategic plan goals. Each component of OI&T has 
developed performance metrics, which will be tracked and managed to 
ensure goals are met and performance shortfalls identified. 
Additionally, processes for the 36 major IT business areas have been 
defined and are in the initial implementation stages. Recently, OI&T 
has streamlined the organizational management of the realignment to one 
office, the Office of Quality and Performance. This organization will 
be responsible for ensuring IT process implementation, performance 
management, as well as program evaluation and analysis and will advise 
the PDAS and Assistant Secretary for OI&T on realignment performance 
goals and areas for improvement.

    Question 5(b): Who will be held responsible in tracking 
implementation goals and identifying performance shortfalls? Who will 
be held accountable if the implementation goals are not met and 
performance shortfalls are realized?

    Response: Overall, the IT executive leadership team is responsible 
for meeting established performance goals related to the implementation 
of the IT realignment. For example, IP&RM organization is responsible 
for ensuring proper policies and procedures are in place to protect 
personally identifiable information of both veterans and employees, as 
is ITOC. The RM organization is responsible for career management, 
funds execution and asset management. Similarly, OED ensures 
appropriate processes are implemented as IT products are developed, 
EO&I is measured on their compliance to service level agreements and 
OESPP&P ensures multi-year programming and project management 
activities are implemented as well as developing and describing IT 
strategic plan goals. Each component of OI&T has developed performance 
metrics, which will be tracked and managed to ensure goals are met and 
performance shortfalls identified. Additionally, processes for the 36 
major IT business areas have been defined and are in the initial 
implementation stages. Recently, OI&T has streamlined the 
organizational management of the realignment to one office, the Office 
of Quality and Performance. This organization will be responsible for 
ensuring IT process implementation, performance management, as well as 
program evaluation and analysis and will advise the PDAS and Assistant 
Secretary for IT on realignment performance goals and areas for 
improvement.

    Question 5(c): Who is currently advising and assisting the CIO 
since the Executive Director of the Organizational Management Office 
resigned?

    Response: The Deputy Director of the Office of Quality and 
Performance is assigned the responsibility to advise and assist the 
Principal Deputy Assistant Secretary and Assistant Secretary for IT on 
realignment issues.