Government Executive - Authors - Daniel Pulliam

Federal travel spending drops

Daniel Pulliam — Wed, 29 Aug 2007 00:00:00 -0400

This is the first time travel spending has dropped in recent memory, thanks to the decline at the Pentagon. But the rest of government spent more on flights, auto rentals and hotels in 2006. Hefty increases were seen at nearly all the largest agencies. And civilian agencies' portion of the government travel budget has risen from about a third in 2005 to nearly 50 percent.

Click here for full lists of the top federal travel vendors, from Government Executive's Aug. 15 special Procurement Preview issue.

The Homeland Security Department's travel spending jumped $124 million to $1 billion. The Justice, State and Treasury departments all saw increases of just over $50 million. The Transportation, Interior and Agriculture department travel budgets each jumped more than $20 million while the Veterans Affairs Department saw a $45 million increase to $393 million.

The only other civilian agency with a significant decrease was the Health and Human Services Department, where spending was down $11 million to $226 million. Others, such as the Securities and Exchange Commission and the departments of Education and Housing and Urban Development, saw smaller declines ranging from about 5 percent to 20 percent. The General Services Administration, a self-sustaining agency experiencing financial difficulties, saw travel spending dip $3 million to $39 million.

Agencies spent nearly $3.3 billion of their travel dollars on airline tickets in 2006, down from $3.4 billion in 2005, according to GSA. Another $2.3 billion was spent on hotel rooms, up from $2 billion. And auto rentals jumped to $423 million from $378 million the previous year.

United Airlines tightened its grip on the top spot among commercial carriers with $842 million in sales and 25.7 percent of the market. Delta Air Lines came in second with $631 million, or 19.3 percent. American Airlines is in the third spot with $570 million in sales and a 17.4 percent market share. United, Delta and American have more than 62 percent of the federal airline ticket market, with other competitors, led by U.S. Airways, all falling short of a 10 percent market share.

Federal travelers are far more diverse in their lodging selections. No hotel chain had more than 7 percent of the market in 2006, and nearly 42 percent of the market consists of hotels outside the top 26 chains. Marriott, Holiday Inn, Residence Inn and Hilton Hotel continued to be the most popular destinations in 2006. Consistent with past years, Hertz Corp. remains the government's favorite car rental dealer, bringing in $79.2 million, or 18.7 percent of all car rentals. Avis moved ahead of Enterprise Rent-a-Car for the No. 2 spot, followed by Budget and National.

]]>

Out of the Clouds

Daniel Pulliam — Wed, 15 Aug 2007 00:00:00 -0400

Travel spending loses altitude with big decline at Defense.

The fiscal 2005 travel spending boom, driven by increases at the Defense Department, hit the brakes in 2006, with expenditures down $1.3 billion to $14.1 billion, according to the Office of Management and Budget. After a $2 billion rise the previous year, military-related spending dropped $1.8 billion to $9.1 billion.

]]>

The Party’s Over

Daniel Pulliam — Wed, 15 Aug 2007 00:00:00 -0400

Tech spending squeezed out by war, continuing resolution, deficits.

It's been a lean year for spending on anything related to information technology. A months-long continuing resolution, deep budget deficits, and costly military conflicts in Iraq and Afghanistan have caused the slowdown.

Now add another hurdle: the Democratic takeover of Congress. Democrats have launched investigations and oversight hearings into contracts and program management, and in response, skittish federal IT managers are cutting back on spending, industry experts say.

Inspectors general and auditors at the Government Accountability Office have become more adamant, demanding that IT managers show returns on investment for the technologies they purchase and prove that the way they are buying IT provides the best value. "That's really what the industry is going to have to watch out for," says Ray Bjorklund, senior vice president of Federal Sources Inc., a technology research firm in McLean, Va. "There is going to be a lot more oversight because of the difference in political control" of Congress versus the White House.

But the investigations are not just politics as usual. The public is frustrated about poor government performance, Bjorklund says. Virtual Case File, a failed $170 million FBI network that was supposed to allow the bureau to share information about investigations, is a classic case in point.

Lawmakers are especially wary of SBInet, the Homeland Security Department's high-tech border security program, which missed its first deadline because of technical glitches. Democrats are trying to restructure the Coast Guard's $24 billion Deepwater fleet modernization project by preventing the service from putting contractors in charge.

IT spending growth has slowed to a level unmatched at nearly any other time. Only twice in the last 20 years-fiscal 1994 and 2007-has federal IT spending failed to grow at least as much as the rate of inflation. In fiscal 1994, it dipped slightly from the fiscal 2003 spending level of $25 billion. The 2007 IT budget came in at $65 billion, 2 percent below the enacted 2006 IT budget, according to a report from INPUT, a Reston, Va.-based market research firm. The fiscal 2008 budget request of $66.4 billion represents only a 2.3 percent increase over fiscal 2007, slightly below the rate of inflation.

"2007 was largely a wash," says John Slye, a senior analyst at IN-PUT. "We're looking at restoring in 2008 what was requested in 2007. Basically, agencies lost a year with the [continuing resolution]. That's affected their planning and their ability to ad-vance major initiatives."

For the next five years (from fiscal 2007 through fiscal 2012), most of the growth in the IT budget is expected in defense, intelligence, homeland security and health program areas, INPUT predicts. Defense and Homeland Security IT programs account for about 70 percent of the total fiscal 2008 IT budget request.

Spending on the war on terror shows no signs of letting up, so IT spending may continue to be tight for the foreseeable future. "I still think," Slye says, "we're seeing the war effort sucking away funds that might have normally gone to IT initiatives."

]]>

On the Mend

Robert Brodsky and Daniel Pulliam — Wed, 15 Aug 2007 00:00:00 -0400

The General Services Administration claims some successes amid controversy.

Nearly a year after dropping the widely unpopular Get It Right program, an effort to improve the General Services Administration's track record after a litany of procurement abuse scandals, the agency seems to be getting some things right. The progress has come despite an avalanche of negative attention focused on GSA Administrator Lurita Doan. Hardly a week goes by without a revelation of controversial comments and decisions that have led to multiple calls for her dismissal.

In June, Doan was found to have violated the Hatch Act, which limits political activity in the federal government, after she was alleged to have stumped for Republican candidates at a GSA meeting. The Office of Special Counsel, an independent agency charged with enforcing the act, recommended that Doan be punished to the "fullest extent."

The GSA Inspector General's Office found in April that Doan might have sidestepped federal ethics and procurement rules when she attempted to award a $20,000 contract to a friend in July 2006, two months after taking her post. Doan also is contending with accusations of riding roughshod over career professionals to award a controversial contract to Sun Microsystems.

But even as Doan struggles, the rest of the agency seems to be recovering from more than a year of missteps.

The Pentagon is urging acquisition officers to use a GSA contract vehicle to fulfill a congressional mandate to contract with small firms owned by service-disabled

veterans-a sign that the relationship between GSA and its biggest customer could be improving.

"The DoD-GSA [Memorandum of Agreement] has done a lot in providing a framework for the good will," says Molly Wilkinson, GSA's new chief acquisition officer. "They have to do things on their side of the table, us on our side of the table. But every time we do that . . . it gives credibility and comfort level and increases the trust factor."

In recent months, GSA took the final steps to consolidate two major procurement divisions into the new Federal Acquisition Service and moved to open its buying schedules to federal grant holders at the state and local levels. The agency also can claim credit as the sole shared-service provider for the governmentwide identification mandate known as Homeland Security Presidential Directive 12, and continues to plow ahead with implementation.

GSA received a clean financial audit for fiscal 2006. And defying naysayers, the agency successfully awarded its next-generation governmentwide telecommunications contract, Networx, on time, avoiding contract protests and convincing the Treasury Department to abandon its solo telecommunications procurement.

But despite the successes, storm clouds are gathering over the agency. An exodus of senior officials at the beginning of the year has depleted its leadership ranks, and a key House appropriations subcommittee chairman warned Doan explicitly in April that if scandals are not cleaned up, the agency's funding bill will be amended "to shreds."

Regardless of whether Doan follows the advice of Henry Waxman, D-Calif., House Oversight and Government Reform Committee chairman, and resigns or is dismissed by Bush for violating the Hatch Act, GSA is in between a rock and a hard place.

If Doan stays, the scandals will not go away. If Doan leaves, the agency risks being without a leader for the remainder of the Bush administration, since finding a qualified replacement will take time.

]]>

Lawmaker presses OSC chief to hand over e-mails

Daniel Pulliam — Fri, 20 Jul 2007 00:00:00 -0400

The head of the Office of Special Counsel is facing questions from members of his own political party on his office's handling of an investigation into a potential violation of the law limiting politics in federal agencies.

In a letter Friday, Rep. Tom Davis, R-Va., ranking member of the House Oversight and Government Reform Committee, asked Special Counsel Scott Bloch to hand over certain e-mails sent from his personal AOL account that relate to official OSC matters. The e-mails would help determine whether Bloch conducted work through personal e-mail or engaged in prohibited lobbying, Davis said.

In a second letter Friday, Davis posed a wide range of questions stemming from a hearing last week on Bloch's leadership. During the July 12 hearing, Davis revealed that Bloch had sent at least one e-mail from his AOL account related to official business.

The message -- sent June 19 -- discussed the pending reauthorization of OSC, the agency charged with safeguarding the federal merit system. The message also criticized General Services Administration chief Lurita Doan, who OSC investigated for alleged violations of the Hatch Act. And it criticized two members of Congress with oversight responsibility for OSC.

"We have received the letters from Rep. Davis, but we will not be commenting at this time," said James Mitchell, an OSC spokesman.

In a third letter Thursday, Davis asked Randy Falco, chairman and chief executive officer of AOL, to protect and preserve all e-mail records associated with Bloch's account.

Work-related messages sent from private accounts may not get preserved as required by the Federal Records Act, and they also may not be accessible to the public through the Freedom of Information Act, Davis said.

Last month, Bloch sent a report to the White House concluding that Doan violated the Hatch Act and recommending that President Bush discipline her "to the fullest extent" for the violation and her failure to cooperate fully and honestly with OSC's investigation.

OSC found that Doan violated the Hatch Act at a Jan. 26 meeting at the agency's headquarters. During that meeting, attended by Doan and more than 30 political appointees, Scott Jennings, a deputy to Karl Rove, the leading political strategist at the White House, presented a PowerPoint presentation that listed Republican and Democratic political races viewed by the White House as most vulnerable in 2008. Doan asked Jennings how GSA could help Republicans, according to OSC.

The White House has received OSC's report, but a spokeswoman said Thursday the findings still are being reviewed. The report was delivered to President Bush six weeks ago. The spokeswoman has noted the White House has no deadline for completing its review.

Bloch's office also is heading up a governmentwide investigation of alleged violations of the Hatch Act that could go "well into 2008," according to an OSC spokesman. The White House revealed in May that federal agencies hosted about 20 briefings in 2006 and 2007 similar to the one at the heart of the Doan investigation.

Eighteen agencies have been asked by OSC to preserve electronic information dating back to January 2001, including all e-mail records, calendar information, phone logs and hard drives. The task force is headed by James Byrne, deputy special counsel at OSC.

]]>

IRS to spend $13.2 million on headquarters flood recovery

Daniel Pulliam — Thu, 19 Jul 2007 00:00:00 -0400

The Internal Revenue Service will spend about $13.2 million to fix damage from June 2006 storm flooding that submerged the subbasement of its Washington headquarters building in 20 feet of water, according to a recent audit.

As of the end of 2006, the IRS had spent $11.6 million to recover from the flood, the 18-page report from the Treasury Inspector General for Tax Administration said. The latest estimate for the overall cost is 37 percent below the original projection of $21.1 million.

The IRS followed contracting rules and did not rely on additional funding from Congress, auditors added. The agency paid by using year-end surpluses, rent credits from the damaged buildings and fees charged to individuals and businesses for special benefits beyond those granted to the public.

IRS officials told the inspector general that the original estimates were high because they were made before damage had been thoroughly assessed. Technology improvements also helped reduce costs.

The four offices with the highest estimated costs were the agencywide shared services office, at $8 million; the modernization and information technology services office, at $2.7 million; the chief counsel's office, at $1.6 million; and the criminal investigation office, at $700,000. Nearly three-quarters of the money went toward rent for temporary space, data processing equipment, services and maintenance, and salaries.

Water severely damaged the building's electrical, heating and air-conditioning systems in the subbasement. It also destroyed offices, vehicles, furniture and computer equipment located in the basement and garage, the audit stated. The 2,200 employees who worked in the building, including the top officials in the agency's major divisions, were assigned temporary space in other IRS facilities or teleworked.

In February, auditors found that while IRS officials protected taxpayer data satisfactorily after the flood, it took several days before a system was set up to track computers that were removed from the building.

For the more recent report, the auditors reviewed a sample of the 140 purchases related to the flood recovery and looked at the 10 largest expenditures. They did not find anything improper. All purchases for more than $2,500 were properly handled through the procurement process and the IRS used existing federal contracts with approved vendors to purchase large-dollar items.

Since the building is leased from the General Services Administration, the IRS was not responsible for making structural repairs. GSA estimated in September 2006 that it would cost about $36.8 million to repair the building, grounds and internal infrastructure such as the plumbing, the electrical system, heating and air-conditioning, and wiring. The inspector general did not review this aspect of the recovery.

]]>

CIA alters ‘news media’ definition for FOIA requests

Daniel Pulliam — Wed, 18 Jul 2007 00:00:00 -0400

Criticism of proposed rules on fees for obtaining documents under the Freedom of Information Act has prompted the CIA to establish a definition of "news media" that could include bloggers.

The CIA's final rule on FOIA processing fees, from which members of the news media are usually exempt, takes a pass on a more complex fee structure proposed in a draft version. The CIA decided against the complicated structure due to the lack of public support for the change, according to a notice published in the Federal Register Wednesday.

The new rule, effective Wednesday, adopts the definition of "news media" contained in a 1987 Office of Management and Budget FOIA guidebook that includes "alternative media" that would be disseminated electronically "through telecommunications." Under the 1986 FOIA Reform Act, OMB is responsible for promulgating a "uniform schedule of fees" across the government.

The notice stated that while the CIA remains confident in the adequacy of its old interpretation of "news media," officials concluded that it is better to avoid "sterile and unproductive technical litigation" and the "diversion of resources from more productive pursuits."

Meredith Fuchs, general counsel of the National Security Archive, a research institute and library located at The George Washington University, said the CIA changed its definition in an attempt to pre-empt a court ruling that the agency's existing regulations were illegal. The Archive filed a lawsuit in District Court for the District of Columbia in June 2006, challenging a CIA decision that it did not qualify as "news media" and that its request would have to concern "current events" to qualify for the fee waiver.

"We hope these changes will minimize CIA efforts to discourage news media FOIA requesters in the future," Fuchs said.

A CIA spokesman declined to comment on whether the change was related to the lawsuit, pointing to the Federal Register notice for an explanation of the final rule.

Members of the news media, along with educational, noncommercial or scientific groups, have a special status under the FOIA law. News organizations do not have to pay fees for the agency to search and review requested documents since they are disseminating information to the public, but they may have to pay duplication fees depending on the size of the request. Any requester who can show that the disclosure of the documents is in the public interest may pay reduced or no duplication fees.

Wednesday's final rule, published by Scott Koch, the CIA's information and privacy coordinator, stated that the Jan. 8 draft contained a number of "innovative features" in an attempt to make the new fee approach workable.

But some comments from the public were "very critical," Wednesday's notice stated. Under the original proposal, the CIA would have stopped charging processing fees for all requests except those coming from the federal government, or from state and local governments. Instead, the CIA would have billed for duplication costs with the first 100 pages free.

The proposed regulations would have established maximum amounts the CIA could bill for searches and duplication. Federal, state and local government requesters would have had "search fees" attached, with the first two hours free.

In June, the CIA publicly released two large collections of previously classified documents known widely as the "Family Jewels." They consisted of nearly 700 pages of responses from CIA employees to a 1973 directive asking them to report activities they thought might be inconsistent with the agency's charter. The release was in response to a FOIA request filed by the Archive 15 years earlier.

]]>

Veterans Affairs chief resigns

Daniel Pulliam — Tue, 17 Jul 2007 00:00:00 -0400

The head of the Veterans Affairs Department announced Tuesday that he plans to resign after more than two and a half years in office.

James Nicholson will leave before Oct. 1. According to the VA, Nicholson has said he wants to return to the private sector, but he has no definite plans at this time.

"This coming February, I turn 70 years old, and I feel it is time for me to get back into business, while I still can," Nicholson said.

VA said in a statement that under Nicholson's leadership, the department continued to evolve as a leader in health care innovations, education services and other benefits to veterans.

Rep. Steve Buyer, R-Ind., ranking member of the House Veterans' Affairs Committee, said in a statement that "Nicolson has been a warrior for veterans," but noted that his time at the VA has been marked by great challenges.

In June 2005 VA officials had to go before Congress and explain why the agency had an unanticipated $1.5 billion shortfall in its fiscal 2005 funding. The department attributed the gap to errors in forecasting health care system needs, but Democrats said it was the result of poor planning.

The secretary's tenure was also plagued by two of the largest data breaches in the federal government's history - one in May 2006 involving the theft of a laptop computer containing personal information on 26.5 million veterans and active duty military personnel from an employee's home and the other in January, when a hard drive went missing from a Birmingham, Ala., medical research facility.

In June 2006, former VA information security chief Pedro Cadenas told Government Executive that he had an impossible job and that he was cut out of the department's decision-making process. Cadenas said that during his tenure at the department, he met Nicholson only once at a social event.

Ultimately Nicholson issued orders that centralized control over the department's sprawling information technology infrastructure under the chief information officer.

Nicholson praised and thanked President Bush for the honor of serving him and the country's veterans in such a "critical time in our nation's global war on terror." Nicholson, a Vietnam veteran, was sworn in on Feb. 1, 2005.

Following the revelation of bureaucratic troubles and poor conditions at Walter Reed Army Medical Center, Bush directed Nicholson to lead a Cabinet-member task force to examine the immediate needs at Walter Reed and other facilities.

In a message to employees shown on VA's closed-circuit television system, Nicholson said he was privileged to work with them in fulfilling the nation's promises and obligations to veterans.

"This is a very big government agency that, among many other things, sees over 1 million patients a week in its health care system, and is doing a world class job," Nicholson said. "The American people can feel proud about the way we are treating our veterans. The president and the Congress have been very supportive, and for that I am grateful as well."

Prior to government service, Nicholson spent more than 10 years in business, where he ran a residential development and construction company. He was elected chairman of the Republican National Committee in January 1997, and before taking over at VA, was ambassador to the Vatican.

Sen. Larry Craig, R-Idaho, ranking member of the Senate Veterans' Affairs Committee, said that Nicholson "has done a great job of leading and managing the" VA.

"I am sorry to see him leave but certainly wish him well his new endeavors," Craig said. "Nicholson was willing to rise up and take on those challenges and has worked tirelessly to fulfill VA's mission to 'care for him who shall have borne the battle, his widow, and his orphan.'"

Alma Lee, president of the National Veterans Affairs Council 53 of the American Federation of Government Employees, which represents more than 150,000 VA employees, said in a statement that Nicholson's departure presents an opportunity for the VA to reexamine its framework and look to make "significant changes."

"[I]it is critical that we take this opportunity to accent our strengths and address the system's critical failures of chronic budget shortfalls, inadequate resources [and] staffing shortages," Lee said. "We believe this is an opportunity for significant change."

Rep. Phil Hare, D-Ill., who called for Nicholson to step down in May following the disclosure that a number of bonuses for senior VA employees were approved despite financial challenges at the department, said that the hurdles facing veterans in accessing health care and other services go much deeper than the shortcomings of one person.

"The next secretary will inherit a disability claims backlog of 600,000, staffing shortages at our vet centers, and ongoing challenges at Walter Reed and other medical facilities that care for our wounded soldiers," Hare said. "I strongly urge President Bush to nominate a veterans' veteran -- someone in the mold of former Republican VA Secretary Anthony Principi -- who will put the needs of our fighting men and women above any political ideology."

]]>

Administration’s financial management chief to retire

Daniel Pulliam — Thu, 12 Jul 2007 00:00:00 -0400

Office of Management and Budget Controller Linda Combs has announced that she will retire next month, after a career in federal government going back to the Reagan administration.

Combs is planning to leave Aug. 10. Her announcement comes a month after her husband, David, said he would leave his position as chief information officer of the Agriculture Department to return to North Carolina.

An OMB spokeswoman said Danny Werfel, the deputy controller, will take over as acting controller until a permanent replacement is named.

As controller, Combs helped establish governmentwide principles for fiscal accountability.

"I thank Linda for her dedication to improving financial management across government," said Clay Johnson, OMB deputy director for management. "I congratulate her for her leadership, under which agencies have set and met ambitious goals."

Combs worked to get agencies to shed unneeded real estate, helping to complete the first governmentwide inventory of excess federal property in recent years. She also oversaw the financial management portion of President Bush's agenda for making government more effective and was involved in efforts to consolidate agency financial systems.

Johnson noted that under Combs, agencies reduced annual improper payments by more than $8 billion and significantly reduced material financial weaknesses. More federal agencies are getting clean audits, he added.

Combs was confirmed as controller in June 2005 after serving as the Environmental Protection Agency's chief financial officer from 2001 to 2003.

During the Reagan and the George H.W. Bush administrations, Combs served in various oversight roles and executive level management positions at the Education, Treasury and Veterans Affairs departments.

]]>

Senator criticizes GSA plans to cut office supply program

Daniel Pulliam — Wed, 11 Jul 2007 00:00:00 -0400

The chairman of the Senate Small Business and Entrepreneurship Committee early this week urged the General Services Administration to hold off on eliminating part of a purchasing program that has high participation from small businesses.

In a letter Monday to GSA Administrator Lurita Doan, Sen. John Kerry, D-Mass., asked the agency to postpone plans to drop office supplies from its Global Supply stock program, a one-stop source for buying everything from firefighting equipment to furniture. Nearly 80 percent of government purchases of office supplies through this program are directed to small businesses, the letter stated.

A decision to end the program would prompt agencies to buy supplies from a handful of large companies, Kerry said. He added he is concerned about the impact the decision will have on emergency readiness capabilities and the government's ability to react quickly to major disasters.

"It's unacceptable for the administration to abandon innovative and effective small businesses in favor of a handful of big businesses," Kerry said in a statement. "Before GSA eliminates these contracts, we need to know exactly what it means, economically and operationally, for the small firms that have been doing business with the federal government."

Kerry's letter also was signed by Senate Small Business and Entrepreneurship ranking member Olympia Snowe, R-Maine, Sen. Johnny Isakson, R-Ga., and Reps. Nydia Velazquez, D-N.Y., chairwoman of the House Small Business Committee, and Steve Chabot, R-Ohio, the ranking member.

The letter noted that lawmakers will ask the Government Accountability Office to review the consequences of the decision since the program creates a "vital and readily accessible resource" to agencies in times of emergency.

The lawmakers asked GSA confirm within 30 days of receiving the letter that the agency has suspended any efforts to change the stock program until the matter is reviewed by GAO.

Doan, a former small business owner who has urged GSA officials to focus on the benefits small businesses can provide to government agencies, did not respond to requests for comment.

Joe Jeu, assistant commissioner of GSA's Federal Acquisition Service Office of General Supplies and Services, said in a statement that the agency welcomes the chance to meet with lawmakers to understand and respond to any concerns.

"GSA is looking to provide best value to other federal agencies and to the taxpayer in meeting their needs for office supplies in terms of price, quality and delivery time," Jeu said. "GSA can do so by making office products that are readily available on the commercial market available through direct delivery from the vendor, a model that GSA has utilized to some extent for years."

The move will save money, and will better support the missions of federal agencies, Jeu said. Other products that GSA provides in support of national readiness and emergency response will remain available and in stock at GSA distribution centers, he said.

]]>

Employee tried to mask extent of latest VA data breach

Daniel Pulliam — Mon, 09 Jul 2007 00:00:00 -0400

An information technology specialist at the Veterans Affairs Department misled investigators in an attempt to cover up the extent of a data breach early this year that jeopardized personal information on more than a million people, according to a recent audit report.

In an interview with auditors, the specialist gave inaccurate information about the Jan. 22 loss of an external computer hard drive from VA's Birmingham, Ala., research facility, the report from the department's inspector general stated. The information ended up in a press release about the incident, the investigators found.

The specialist also encrypted and deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop, the IG said. He initially denied this when confronted by investigators, the report said. But an IG computer forensic analysis prompted him to admit to taking actions to hide the extent of the missing data.

As of February, the IT specialist, who was not named in the report, had been placed on administrative leave pending the outcome of the investigation. The VA did not respond to requests for an update Monday on the specialist's employment status.

Michael Kussman, VA's undersecretary for health, concurred with the IG's recommendation that "appropriate administrative action [be] taken against the IT specialist for his inappropriate actions during the course of the investigation and for failing to properly safeguard personally identifiable information on his missing external hard drive." Kussman said the "target completion" date for this was Oct. 1, following a review of the evidence.

The specialist had used the hard drive to back up research data he kept on a desktop computer and to store other data from a shared network. The drive is thought to have contained personally identifiable information for more than 250,000 veterans and 1.3 million medical providers. The data on medical providers came from the Centers for Medicare and Medicaid Services and the Health and Human Services Department.

If the specialist had protected the information in accordance with the terms under which it was provided, the breach might have been avoided, the report said. The IG also criticized managers for failing to follow proper procedures to safeguard data stored on external hard drives.

An Aug. 7, 2006, VA policy prohibits employees from storing sensitive data on portable devices without encryption, and assigns responsibility to local supervisors for protecting sensitive information. The Birmingham facility's director did not request encryption software and depended on employees to store external hard drives in a locked office safe when not in use, the audit found.

According to the report, several employees decided not to put the hard drives in the safe, and at least one took home a hard drive that contained privacy protected information concerning VA employees. The facility did not keep records of when the safe was accessed or whether there was an inventory of its contents.

The director of the Birmingham Medical Center moved the research facility into new office space without ensuring that its information security needs were sufficiently evaluated, the IG added. The director told investigators that when he made the decision, he was not aware that employees stored large amounts of sensitive data on external hard drives.

Kussman also agreed with the IG that the center's director should have "appropriate administrative action" taken against him "for failing to take adequate security measures to protect personally identifiable information."

The FBI has joined the investigation in coordination with the Birmingham Police Department. A $25,000 reward has been posted. The VA's technology chief said last month that the data breach would cost the department $20 million.

Investigators have considered "all possible leads," the report stated. Those include a burglary of the office; the IT specialist taking the hard drive out of the office and losing it or having it stolen; a co-worker hiding the hard drive for vengeful reasons; or the accidental disposal of the hard drive during routine housekeeping.

Investigators have visited local computer repair shops, contacted eBay and questioned many individuals working or living near the office, including homeless individuals who frequent the area, the report stated. Fingerprints have been taken and two homes and five vehicles of employees were searched, according to the IG.

]]>

Audit finds FEMA laptops lack proper security settings

Daniel Pulliam — Thu, 05 Jul 2007 00:00:00 -0400

The Federal Emergency Management Agency needs better policies and procedures for safeguarding its inventory of 32,000 laptop computers from unauthorized users, according to a recent audit report.

The partially redacted 37-page report from the Homeland Security Department's inspector general said that without the proper security configurations, sensitive data on the laptops might be at risk.

The audit was conducted in the wake of 16 security incidents involving stolen or missing DHS laptop computers in 2006. The IG and the Government Accountability Office reported last summer that FEMA had more than 100 missing and presumed stolen laptops valued at $300,000.

For the recent review, auditors tested a sample of 298 FEMA laptops. Deficiencies included failure to apply security settings that met mandatory standards, and a lack of procedures for installing software security updates.

Because FEMA applied the same security policies for its desktop computers, the configuration weaknesses identified with laptop computers apply to all government-issued computers at the agency, the IG found.

FEMA has not classified its laptop computers as part of a recognized information technology system, so auditors were unable to evaluate whether the agency was compliant with requirements of the 2002 Federal Information Security Management Act.

To secure data stored on government-issued laptop computers, auditors recommended that FEMA's chief information officer, Anthony Cira, develop and implement a standard security setting for all agency computers. The agency also should fix existing "critical vulnerabilities" identified on the laptop computers tested by the auditors and check to see whether other laptops have similar weaknesses, the IG said.

In a heavily redacted section of the report, auditors outlined how many of the computers tested had not received the most recent security software updates. FEMA officials concurred with the IG's recommendation in that area, by agreeing to implement an automated software patch management system.

]]>

Windows security standardization cited as top tech challenge

Daniel Pulliam — Tue, 03 Jul 2007 00:00:00 -0400

Compliance with a recent Office of Management and Budget mandate requiring the application of standard security configurations on computers using Microsoft Windows is the main challenge facing federal information technology security executives, a recent survey concluded.

Managing and testing the standard security configurations against potential vulnerabilities was at the top of the list of difficulties cited by federal chief information security officers and managers at a June 20 panel discussion hosted by Secure Elements, a Herndon, Va.-based security product vendor. Three-fourths of audience members surveyed after the discussion said they consider the OMB mandate their top priority or a very high priority, the vendor said.

In a March 20 order to chief information officers, Karen Evans, OMB's administrator of e-government and IT, said agencies must implement a standard security setting for all computers running the Windows XP and Vista operating systems no later than Feb. 1, 2008. Requirements include restricting access to authorized professionals, testing configurations in a nonproduction environment and patching vulnerabilities.

The government is dominated by computers that run on Windows. OMB officials believe that a standard security configuration will provide a basic level of protection across government, while still saving time and resources.

Half of the 15 federal CISOs and managers who responded to the survey said they believed they have the budget and staff to meet the mandate, while another quarter said they do not have the budget and staffing. A final 25 percent were not sure.

Fifty percent said their existing tools and technologies are insufficient to achieve the requirements. Another 25 percent said they have adequate tools and technologies, and the remaining quarter said they were not sure.

The survey found that none of the CISOs and managers will start moving their systems to Vista within the next six months. Half said they plan to start the transition in the next six to 12 months, while the other half was unsure about the timing.

OMB's mandate does not require agencies to move to Vista, and some agencies are reluctant to make the switch in the near future. For instance, in March Daniel Mitz, the Transportation Department's chief information officer, and David Litman, the department's senior procurement executive, issued an "indefinite moratorium" on upgrading to Vista, citing concerns about both cost and technical issues.

]]>

Open government group says FOIA backlogs worse than reported

Daniel Pulliam — Mon, 02 Jul 2007 00:00:00 -0400

Five agencies have requests for public information that go back 15 years or more, according to a new review from an independent open government group.

Many of the 87 departments and component agencies reviewed face extensive backlogs of requests for documents under the Freedom of Information Act, the report from the National Security Archive at George Washington University stated. Some requests to the State Department, CIA, Air Force, Justice Department criminal division and FBI have been pending more than 15 years, the group said.

The review, released in anticipation of the 1967 FOIA law's 40th anniversary on July 4, found that the oldest pending FOIA request was made to the State Department on May 5, 1987, on behalf of the Church of Scientology. The request asked for all documents related to that church or "cults" from the department's offices responsible for the Vatican and Italy. And at least seven pending FOIA requests were made in the 1980s.

"Forty years after the law went into effect, we're seeing twenty years of delay," said Tom Blanton, the Archive's director. "Sunlight is the best disinfectant, but this kind of inexcusable delay by federal agencies just keeps us in the dark."

The report is the result of a set of January 2007 FOIA requests filed by the Archive asking agencies for copies of their 10 oldest pending FOIA requests. Five months later, a third of the agencies had not responded, despite the fact the law requires responses within 20 days.

Responses from 10 agencies revealed pending FOIA requests older than what the agencies described to Congress in their fiscal 2006 annual FOIA reports, according to the group's analysis. The agencies were the Commerce, State and Treasury departments, the Agriculture Department's Animal and Health Inspection Service, the Air Force, the CIA, the Office of the Director of National Intelligence, the FBI, the National Science Foundation and the Justice Department's Office of Information and Privacy.

A Justice spokeswoman said in a statement that the information and privacy office has correctly reported the date of its oldest request to Congress, using the date it was received by the office as provided for under the law.

The Justice Department's information and privacy office, which is responsible for providing FOIA guidance to the rest of the government, "shares the concern" about long delays encountered by some agencies in responding to FOIA requests, the spokeswoman said. "There is no single reason that causes long delays for certain requests," she said, adding that there are some general reasons. For example, some records contain classified information that can be reviewed only by officials with proper clearances.

The Archive also stated that an executive order signed by President Bush in December 2005 to encourage improvements to the FOIA process has not resulted in much progress.

As part of the executive order, the information and privacy office released guidance last week for agencies to report on the progress they have made or have committed to make to fix deficiencies encountered. Agency reports are due Aug. 1.

"The executive order provides a comprehensive framework for agencies to use to devise ways to improve their administration of the FOIA," the spokeswoman said. "Additional efforts under the executive order -- including follow-up reports, the setting of additional backlog reduction goals and specialized training -- all hold great potential to realize even greater improvement."

Five months ago, the House overwhelmingly passed sweeping legislation (H.R. 1309) to reform the FOIA system despite the Bush administration's contention the bill would impose substantial administrative and financial burdens on agencies.

Similar legislation (S. 849) awaits action on the Senate floor, but Sen. Jon Kyle, R-Ariz., has placed a hold on the bill because of the Justice Department's objections.

]]>

Use of free tax filing software drops significantly

Daniel Pulliam — Fri, 29 Jun 2007 00:00:00 -0400

Use of the Internal Revenue Service's free electronic tax filing offering dropped substantially following the introduction of new eligibility restrictions, according to an audit report released Friday.

The decrease in use could keep the agency from meeting its congressionally-mandated goal of having 80 percent of all federal tax returns filed electronically by the end of 2007, the 45-page Treasury Inspector General for Tax Administration report said. In 2006 about 66 percent of taxpayers filed electronically.

"It is imperative that the IRS carefully examine the reasons this free service is not being used by more taxpayers," Treasury Inspector General J. Russell George said. "The IRS must review its marketing strategy to better target taxpayers who file paper returns even though they are eligible for this program."

The service, dubbed the Free File Program, allows people to prepare and file their income tax returns electronically and free of charge. The software is available on the IRS Web site and is provided by a consortium of tax software companies known as the Free File Alliance.

When the program started in 2003, the alliance agreed to offer free services to at least 60 percent of individual taxpayers. In 2005, some vendors offered the free software to all interested individual filers. But in October of that year, the alliance amended its agreement so that no more than 70 percent of individual taxpayers would qualify, based on adjusted gross income. For returns filed in 2006, for instance, taxpayers had to have adjusted gross incomes of $50,000 or less to qualify.

In 2005, a record 5.12 million taxpayers used the free program. But participation fell to 3.9 million, or 3 percent of all individual tax returns, in 2006. The drop coincided with the introduction of the new income restrictions.

The report did find that 24 percent of the users of the free file program in 2006, or 819,000 taxpayers, were first-time filers.

Despite the fact that no further adjustments were made in 2007, auditors found that as of April 14, only 3.3 million taxpayers filed returns using the free service.

The audit also found that the IRS failed to fully document oversight reviews of companies participating in the Free File Alliance. Alliance members incorrectly included the Free File indicator on approximately 37,000 returns from taxpayers who actually paid tax companies to prepare and file their returns, the IG found. The program software also did not always accurately compute taxes due.

In response to the report, Richard Morgante, commissioner of the IRS' wage and investment division, said the agency would develop a plan to evaluate and promote the Free File program. He also said the agency would expand marketing efforts by directing promotional materials to taxpayers who are eligible to use the software, but have filed their returns on paper. He agreed to establish a process to assess the accuracy of the Free File indicator early in the filing season.

Morgante did not agree with the auditor's recommendation to establish a process to test the accuracy of the software used in the program before the filing season. He said doing so would present a monumental challenge, due to the complexity of tax law.

Representatives of the Free File Alliance did not respond to requests for comment on the report.

]]>

Locals pan DHS decision to ditch communications project

Daniel Pulliam — Thu, 28 Jun 2007 00:00:00 -0400

The Homeland Security Department's effort to scrap a digital communications tool used to coordinate emergency response with local governments has riled a group of county-level officials.

In a June 18 memorandum, Timothy Loewenstein, chairman of the information technology committee at the National Association of Counties, told the DHS technology chief that discontinuing or diminishing the Disaster Management program without talking to the users was unacceptable.

"If your office continues to shift system strategies and withhold critical information from users, we do not believe the president's vision for intergovernmental partnership in the area of disaster management is achievable," Loewenstein said. "The president's e-government strategy asserts that the government-to-government customer segment was created to 'enable federal, state and local governments to more easily work together to better serve citizens within key lines of business.' "

Disaster Management's mission is to create interoperable communication standards for emergency management software and to distribute free basic disaster management software to local governments that otherwise could not afford to buy such tools.

Loewenstein, who also serves as the vice chair of the association's technology and telecommunications committee and is on the Buffalo County, Neb., Board of Supervisors, told Government Executive that the Disaster Management tool is critical for emergency response in rural America. Loewenstein is also the chair of the Disaster Management Practitioner Steering Group, which provides input and recommendations on the program.

"Lives are at stake," Loewenstein said. "I am very passionate about making sure rural America has reasonable tools to use when they have to respond on the worst days."

The memo was addressed to DHS Chief Information Officer Scott Charbo. The Office of Management and Budget's administrator of e-government and technology, Karen Evans, was one of the many officials copied on the message. A list of about a dozen questions accompanied the memo with a request for a response by June 25.

An OMB spokeswoman said that "as with all presidential e-government initiatives, OMB works closely with the managing partner agencies to ensure quality services are delivered and maintained. To the extent that changes occur, OMB encourages open communication with users."

In August 2006, DHS decided not to spend $5.3 million that had been set aside for the tool, despite the project's status as one of the Bush administration's e-government initiatives.

A DHS spokesman said the department would let Charbo respond to Loewenstein, rather than providing a response through the media. He said he did not think Charbo had responded yet.

"There is repetition in some of the systems, so the idea is to make some changes [for the betterment of] our first responder community and the public," the spokesman said.

According to Loewenstein's memo, Charbo's office has implemented a "rationalization project" that will transfer Disaster Management tools to the Homeland Security Information Network and the department's public affairs office.

In April, Sen. Olympia Snowe, R-Maine, ranking member of the Senate Small Business and Entrepreneurship Committee, told President Bush in a letter that Disaster Management's Web portal -- DisasterHelp.gov -- fails in providing citizens an all-inclusive Web site with links to the "wide range of public assistance available after disasters strike."

Snowe cited the fact that DisasterHelp.gov has registered "only 41,693" users since August 2005 and said much of the information on the Web site was outdated.

"DisasterHelp.gov should be an indispensable tool to citizens, state and local governments before, during and after a catastrophe," Snowe said. "I urge you to harness the vast resources of the federal government and make this Web site realize its promise."

]]>

House appropriators limit e-gov funding

Daniel Pulliam — Wed, 27 Jun 2007 00:00:00 -0400

Congressional opposition to the Bush administration's e-government projects has persisted, despite hopes that the Democrats now in control would be more sympathetic to the efforts.

In a report accompanying the fiscal 2008 Financial Services and General Government Appropriations Act (H.R. 2829), which advanced to the full House Tuesday, appropriators expressed concern that the Office of Management and Budget could use e-government initiatives to "force its management priorities on agencies that would otherwise choose different approaches to serving the public."

The bill would reduce the administration's $5 million request for the interagency e-government fund to $2.97 million -- the same as the fiscal 2007 level. It would not allow OMB to use a $40 million surplus from the General Services Administration's acquisition services fund to finance e-government initiatives.

"The committee refuses to relinquish oversight of the development and procurement of information technology projects of the various agencies under its jurisdiction," the report stated. "The committee continues the provision concerning the use of funds for the 'e-Gov' initiative that were not appropriated specifically for that purpose."

Lawmakers also urged OMB and agencies to work with individual appropriations subcommittees in advance of recommending interagency funding transfers for e-government projects.

In a statement of administration policy Tuesday, OMB raised objections to the e-government-related language and encouraged Congress to fund President Bush's full requests in that area. The administration also asked lawmakers to let agencies transfer a total of $17 million to GSA's Office of Governmentwide Policy account to support the initiatives.

OMB stated that the 1996 Clinger-Cohen Act and the 2002 E-Government Act require agencies to work together as a single unit to reduce duplicative information technology investments while improving service at a lower cost.

"OMB will work directly with the individual subcommittees so that initiatives can move forward without disruption," the statement pledged. "The administration also requests that Congress allow OMB's e-government report to fulfill all reprogramming procedures and requirements for e-government initiatives in this or any other appropriations act."

The president has threatened to veto the appropriations bill, but over language weakening sanctions against Cuba and changing policies on abortion rather than the e-government restrictions.

Previous appropriations bills containing restrictions on e-government funding have drawn veto threats, but OMB has never followed through. After years of battling Congress on the matter, OMB appears to have backed away from the strategy of requiring interagency transfers of funding for governmentwide IT projects.

Rather than pushing agencies to consolidate IT systems, OMB has now endorsed a strategy that involves the creation of governmentwide price and performance measures - centered specifically on desktop management and support, data centers and telecommunication networks.

On Tuesday GSA announced the award of a $22 million contract to Gartner Inc. to develop performance metrics and establish baseline data on agency management of backend IT systems. The measurements will look at service levels and cost efficiency.

The contract has one base year and four one-year options. It is part of OMB's IT infrastructure optimization line of business, which seeks to minimize agencies' costs of managing backend systems.

]]>

GSA awards air travel contracts to 14 carriers

Daniel Pulliam — Tue, 26 Jun 2007 00:00:00 -0400

The federal government's discount airline ticket program could become more competitive in fiscal 2008 and produce more savings, thanks to the increased number of airlines that will be involved.

The General Services Administration has awarded one-year contracts effective Oct. 1 and worth a total of more than $2 billion to 14 U.S.-based carriers. That's up from 11 for this fiscal year.

The GSA-negotiated City Pair contracts offer federal agencies the opportunity to book flights to more than 4,000 destinations at an average cost 69 percent below full commercial airline fares.

The government is expected to save more than $4.5 billion in fiscal 2008 as a result of the discount. This is nearly double the amount GSA estimated it would save in fiscal 2006 when it projected $2.8 billion in savings with 13 airlines under the City Pair contract. For fiscal 2007, GSA has estimated savings of $3.6 billion.

The new airlines in the fiscal 2008 program include North American, ExpressJet, JetBlue and Mesa. Southwest Airlines, which is on the list for 2007, did not receive a new contract.

The other 2008 contracts are with United Airlines, American Airlines, AirTran Airways, ATA Airlines, Delta Air Lines, Frontier Airlines, US Airways, Northwest Airlines, Midwest Airlines and Alaska Airlines.

The program started more than 20 years ago when GSA began providing discount rates covering only 11 markets.

]]>

Open government advocates slam report on FOIA reform

Daniel Pulliam — Mon, 25 Jun 2007 00:00:00 -0400

The Justice Department's second annual report on agencies' efforts to improve responses to requests for public information paints a disingenuous "rose-colored" portrait, advocates of openness in government said Monday.

The 118-page report, issued earlier this month under a requirement in the December 2005 executive order mandating improvements in the administration of Freedom of Information Act requests, stated that agencies are making "diligent and measurable progress." But there is little evidence to support this conclusion, members of the FOIA community said.

Daniel Metcalfe, the former director of the Justice Department's Office of Information and Privacy, said the report is an "unfortunately transparent" attempt to make the situation look far better than it actually is. Metcalfe is now retired.

Rather than simply stating whether agencies were successful in meeting their goals as outlined under the executive order, the report makes use of Office of Management and Budget-style traffic light grades measuring success, Metcalfe noted. The grades are assigned by the Justice Department "in coordination with OMB," the report stated.

"The executive order says that either you met an improvement goal or you didn't," Metcalfe said. "That doesn't translate to red, yellow, green. It's black and white. And unfortunately, there's a lot of black underneath OMB's yellow."

The majority of the marks handed out to the 25 agencies highlighted and their components, over dozens of categories, were green. There were only four reds assigned.

"The only middle ground that has any place in a report such as this," Metcalfe said, is where an agency missed an early goal or interim milestone "but at least redoubled its efforts to meet it subsequently and by now has done so." But even this is "lamely obscured" by the traffic light-style categorization, he said.

"All one need do is look at the Justice Department's own individual agency report, shockingly full of deficiencies declared early in January, and compare it to the colorful display here," Metcalfe said. "It makes a mockery of all good executive order implementation efforts elsewhere and previously."

But a Justice Department spokesman said in a statement that while everyone would agree that additional improvement is needed, there is no denying agencies have made real strides. The report represents just seven months of activity under the executive order, the spokesman said, and made clear that additional time is needed for full implementation.

"The report discusses deficiencies as well as improvements," the spokesman said. "It is certainly meaningful to have 41 agencies report a decrease in the number of pending requests."

The report stated that more than half of the 25 major agencies featured met their milestones and goals for fiscal 2006, and that 90 percent made meaningful progress. But the report's graphics show that only 11 of those 25 agencies met all their milestones, and that three agencies did not meet a single target.

Meredith Fuchs, general counsel for the National Security Archive, which collects and publishes declassified documents, said the report presents an odd analysis of the executive order's impact. She noted that it only describes progress at 25 agencies out of 90 that prepared FOIA improvement plans.

"For those 25, it picks and chooses some examples of improvement," Fuchs said. "It ignores the fact that very little seems to have improved for FOIA requesters. It is essentially smoke and mirrors designed to discourage Congress from enacting a law that would mandate improvement in FOIA processing."

In March, the House overwhelmingly passed sweeping legislation (H.R. 1309) to reform the FOIA system despite the Bush administration's contention the bill would impose substantial administrative and financial burdens on agencies. Similar legislation (S. 849) awaits action on the Senate floor, but Sen. Jon Kyle, R-Ariz., has placed a hold on the bill because of the Justice Department's objections.

Pete Weitzel, coordinator of the Arlington, Va.-based Coalition of Journalists for Open Government, said the report is "totally meaningless."

"The milestones themselves are simply a measure of bureaucratic progress," Weitzel said in a paper responding to the report. "They are the self-established steps toward service improvement, not a measure of service improvement itself."

Weitzel noted in the paper that the report commends the Housing and Urban Development Department for exceeding its milestones on backlog reduction. The agency proclaimed in its own annual report that it completed a goal a year ahead of time, he said. But the milestone was having the agency's deputy secretary circulate a memorandum on backlog problems while the agency's backlog of unprocessed FOIA requests increased 33 percent in fiscal 2006, Weitzel said.

"HUD's performance has significantly deteriorated, and here they are throwing them up as the example of good FOIA management," Weitzel said.

The report did not address overall backlog numbers. But according to Weitzel's paper, the number of unprocessed requests among the 25 agencies Justice decided to highlight actually increased 13 percent.

In addressing the matter, the report noted that 32 out of 92 agencies that report FOIA data found an increase in the number of pending requests. It is "not unexpected" that half of these agencies experienced an increase in the number pending at the end of the fiscal year, the report said.

"One should not underestimate the challenges that some agencies face in eliminating their backlogs," the report stated. "The number of requests agencies receive, and how complex those requests are, are not under the control of agencies, nor are the number of offices that must be searched in order to appropriately respond to a request."

Unaddressed in the report is the fact that three agencies -- NASA, the CIA and the Treasury Department -- reported fewer requests, but their backlogs still rose, Weitzel added in his paper.

The report stated that NASA reduced its backlog of pending requests from the triple digits into double digits, but a review of the agency's fiscal 2005 and fiscal 2006 FOIA reports shows that the backlog increased from 135 requests to 241.

]]>

Audit prompts Treasury to seek help with ID cards

Daniel Pulliam — Fri, 22 Jun 2007 00:00:00 -0400

Audit findings have convinced the Treasury Department to abandon its solo effort to meet a governmentwide identification card mandate and seek the General Services Administration's help.

An 18-page report from the Treasury Inspector General for Tax Administration, released Friday, stated that the Internal Revenue Service's attempts to develop its own system for issuing high tech cards required under Homeland Security Presidential Directive 12 risked wasting money and time.

"We believe the IRS was taking unnecessary risks, not only because its costs are likely to exceed the GSA solution, but because it was taking resources away from tax administration duties," the report stated.

The mandate requires agencies to verify employees' identities and issue cards to all workers with less than 15 years of service by Oct. 27, 2007. A year later, agencies must issue the cards to all employees. Some agencies, such as GSA, have said publicly that while they will not meet the 2007 deadline, they intend to meet the 2008 target.

The audit stated that despite assigning 68 employees and contractors to produce cards, the IRS never got around to purchasing the necessary hardware and software and did not plan to complete the program until September 2010, two years after the 2008 deadline.

IRS officials failed to provide cost projections showing the agency could issue compliant cards at a lower price than GSA, the IG noted.

In response to the report, Daniel Galik, chief of mission assurance and security services for the IRS, said the agency followed the auditors' recommendation and signed up for assistance from GSA on May 18.

The move is good news for GSA, which has struggled to attract larger agencies to use its shared services offerings to meet the ID mandate. Officials hoped that if enough agencies signed up with GSA, the economies of scale would allow GSA to issue to cards at a lower cost.

IRS officials initially believed that they were in a better position than GSA to distribute the cards to Treasury locations around the country, according to the IG report. The officials were concerned that GSA's technology would not be compatible with the IRS' information technology systems. And they were worried that GSA would not be able to produce the large number of cards needed to meet hiring demands during the tax return filing season. Difficulties with the contract for GSA's shared service offering also made IRS wary of signing on, the audit stated.

Despite GSA's plans to have over 225 nationwide stations to enroll employees and issue cards, including 25 mobile stations, IRS officials were concerned about the cost and time for employees traveling to the stations, according to the audit.

GSA had produced 100 cards to help the IRS meet an October 2006 deadline for agencies to issue at least one card to an employee. But the cards contained errors such as incorrect addresses and misspellings, according to the report. This also contributed to the IRS' initial decision to produce the cards on its own, auditors said.

Agencies that are planning to implement the mandate on their own include the Homeland Security, Transportation, Veterans Affairs, Health and Human Services, Education and Labor departments, the Environmental Protection Agency and the Social Security Administration.

]]>

New cards may make user IDs, passwords obsolete

Daniel Pulliam — Thu, 21 Jun 2007 00:00:00 -0400

The hodgepodge of user names and passwords that federal employees must memorize to access computers and other services may become obsolete thanks to new governmentwide identification card requirements, a federal official said Thursday.

David Temoshok, director of the General Services Administration's Identity Policy and Management office, said the high-tech ID cards required for all federal employees and designated contractors under Homeland Security Presidential Directive 12 could simplify login procedures. The mandate requires agencies to distribute the new cards to all employees and contractors by October 2008. Temoshok made the comments at the Homeland Defense Journal Conference on credentialing and identity assurance.

"You log on to your computer with your user ID and password. You log on to Web sites with a user ID and password. You log on to your laptop with a user ID and password," Temoshok said. "Gee, we have got lots of user IDs and passwords. It is the vision that those existing authentication systems, which are typically user ID and password, will use different technologies."

Temoshok said the cards will verify employees' identities electronically at building entrances and on computers. Agencies will have to purchase card readers that meet the technical requirements of HSPD 12. But in the end, they could save money since they will no longer have to manage the ID and password system, he said.

"Agencies ought to be able to take advantage of the [identity management] tool that they're implementing," Temoshok said. "That's all part of the infrastructure that we're enabling the government to put in place."

Before employees use the new ID cards, agencies first must verify the recipients' identities and have complete background investigations on file. This process has sparked concerns among groups of federal employees.

GSA is launching about 400 enrollment sites nationwide for the 42 agencies that have signed up for its shared service offering. Agencies that will receive their cards through GSA include the Commerce, Housing and Urban Development, Justice, Energy and Treasury departments, the Office of Personnel Management, the Federal Reserve, the U.S. Postal Service and the Federal Communications Commission.

Twenty-five smaller agencies had signed up with the Interior Department's National Business Center for help fulfilling the mandate, but the department has since discontinued the program because of cost considerations and will consider using GSA as a shared service provider.

The State Department is providing new identity cards to agencies that work internationally and the Defense Department is serving the military's needs. Twelve agencies have decided to build their own ID card infrastructure, including NASA, which has concerns about placing employee data on outsourced systems.

Other agencies that are implementing the system on their own include the Homeland Security, Transportation, Veterans Affairs, Health and Human Services, Education and Labor departments, the Environmental Protection Agency, and the Social Security Administration.

]]>

FBI deploys first phase of technology upgrade

Daniel Pulliam — Wed, 20 Jun 2007 00:00:00 -0400

The FBI this week rolled out the initial part of its $425 million information technology system upgrade to reduce agents' dependence on paper-based files.

Employees now have an Internet-based interface giving them access to the Automated Case Support system. A "personal workbox" summarizes agents' cases and leads, while a "squad workbox" allows supervisors to better manage resources and make assignments. The new interface also has a better search function, according to the agency.

The upgrades mark the first of four phases for the six-year effort, known as Sentinel and designed to take the place of the failed $170 million Virtual Case File project.

"With the completion of Phase 1, FBI employees will see a marked improvement in their ability to access, retrieve and move information," said Joseph Ford, the FBI's associate deputy director, in a statement.

Lockheed Martin Corp. worked on the first stage of the program under a $57 million contract awarded in March 2006. It includes options that could be worth $248 million for work on the three additional phases.

Linda Gooden, executive vice president of Lockheed Martin Information Systems and Global Services, said in a statement that the company is "proud to support the FBI in the first-phase delivery of this highly capable system."

The initial upgrades were originally scheduled to take effect earlier this year, but in April, FBI Director Robert Mueller told congressional appropriators that the deployment would be delayed at least a month because of "some unforeseen technicalities." Mueller said Sentinel would begin a test period at FBI headquarters and some field offices that month, and that the agency was in the final approval process with Lockheed Martin for the start of the first phase.

A group of FBI employees trained on the system in preparation for the initial deployment. They will serve as the points of contact for support in their offices. All FBI employees were offered training, the agency stated. As part of it, users had opportunities to make recommendations on changes to the application.

Mueller told congressional appropriators that Sentinel's second phase is more important than the first because it will affect more field agents. He said the second phase could come a year to 18 months after the first starts. The interim would be used in part to incorporate lessons learned from the first phase, he said.

]]>

DHS technology chief faces tough questioning at House hearing

Daniel Pulliam — Wed, 20 Jun 2007 00:00:00 -0400

The Homeland Security Department's chief information officer needs to explain to Congress why he should keep his job in light of recently uncovered security lapses, the head of the House panel overseeing the department said Wednesday.

Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said he is not convinced DHS technology chief Scott Charbo is serious about fixing vulnerabilities in the department's information technology systems.

"If he's not committed to securing our networks, I have to question his ability to lead the department's IT efforts," Thompson said in an opening statement at a hearing before the panel's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "I can't understand for the life of me why it takes outside auditors to tell the CIO and his contractors that these networks are insecure."

Lawmakers called on Charbo to answer questions about numerous breaches uncovered by auditors. The Government Accountability Office reported that the department failed to fix vulnerabilities in the IT system supporting the US-VISIT program to track entrances and exits to the United States, for instance, and did not invest adequately in defensive measures.

Thompson questioned how the rest of the government and the private sector could take cybersecurity seriously if DHS doesn't fix its own configurations.

"A 'do as I say, not as I do' policy is a recipe for disaster, and if we are serious about the security risks facing our networks, then we need to start acting and stop posturing," Thompson said. "The American people are tired of hearing that getting a D is a security improvement. I'm tired of hearing it."

In April, the department received a D grade on an annual congressional report card measuring compliance with the law governing federal information security. The department flunked the previous year.

Charbo said many of the findings cited by the subcommittee are based on data from a year ago and on legacy systems that are in the process of being replaced.

"The department takes these incidents very seriously and will work diligently to ensure they do not occur," Charbo said. "We need to increase our vigilance to ensure that such incidents do not happen again."

Charbo said that DHS Secretary Michael Chertoff's decision to boost the chief information officer's authority will result in a more "coherent and effective" use of IT resources.

"My authority over all of these areas directly affects our overall security posture," Charbo said. "IT programs and acquisitions are being reviewed at the department level to ensure that they are reconciled with the department's strategic goals."

According to subcommittee chairman Rep. James Langevin, D-R.I., the department experienced 844 security incidents in fiscal 2005 and fiscal 2006 on IT networks at its headquarters, the Immigration and Customs Enforcement bureau, U.S. Customs and Border Protection, the Federal Emergency Management Agency and elsewhere.

Congressional investigators found a password dumping application and other malicious files on two DHS systems, computers infected with multiple Trojan horses and viruses, hard copies of user identifications and passwords for a local administrator account, classified e-mails sent over unclassified networks, unauthorized users attaching their personal computers to the DHS network, unauthorized individuals gaining access to DHS equipment and data, and misconfigured firewalls.

"In spite of the significant vulnerabilities in its systems, the department doesn't appear to be in any rush to fix them," Langevin said. "I wish DHS exerted the same level of effort to protect its networks that our adversaries are exerting to penetrate them."

Langevin criticized the department for "failing to dedicate adequate funding" to IT security. While experts agree that agencies should allocate about 20 percent of their IT budgets to cybersecurity, DHS only spends about 6.7 percent to secure its systems, he said.

Charbo said, however, that consultants working with the department have recommended spending between 3 and 8 percent of the IT budget on security.

]]>

Computer security law may come under Hill scrutiny

Daniel Pulliam — Tue, 19 Jun 2007 00:00:00 -0400

The federal law governing information security policies at agencies could come under scrutiny during a House subcommittee hearing Wednesday that will focus on cybersecurity incidents at the Homeland Security Department.

The House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology is scheduled to hear testimony from DHS Chief Information Officer Scott Charbo and the Government Accountability Office. While the hearing will focus on DHS, industry and congressional sources have indicated that a broader discussion of the 2002 Federal Information Security Management Act is likely to arise.

Despite its status as the nation's security agency, DHS has not been a model of computer security law compliance. In April, the department received a D grade on an annual congressional report card measuring how well agencies follow FISMA. The department flunked the previous year.

In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the Homeland Security Committee, said Congress has "to turn FISMA away from a paper exercise." He said that optimal security policies would require agencies to monitor networks, test penetration, complete forensic analyses and mitigate vulnerabilities.

"Though FISMA brought much needed attention to federal information security, agencies can still receive high grades for compliance and be insecure," Thompson said. "Implementing those efforts will mean better security on our networks, and that's the next step the federal government needs to take."

Thompson is expected to attend the hearing and give an opening statement.

In April, Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told the subcommittee that FISMA does not "tell the whole story" when it comes to agencies' information security practices.

"Our ability to detect and respond to intrusions . . . nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."

Another criticism of FISMA is that compliance is measured based on reports produced by agencies, rather than independent auditors. Such a setup does little to hold agencies accountable for instituting proper security, according to critics.

Rep. Tom Davis, R-Va., who issues the annual report card on FISMA compliance and serves on the Homeland Security Committee, said in a statement that he expects Wednesday's hearing to involve "the usual suspects with complaints: failing agencies, those who misunderstand what the act was designed to do and those who fail to recognize what it has accomplished" in making IT security a priority at federal agencies.

"Certainly, we want to avoid a 'check the box' mentality," Davis said. "We need to incentivize strong information protection policies and pursue a goal of security rather than compliance. The FISMA process is a good one, but we'll always ask if we can make it better."

Davis said additional work is needed in developing effective security plans and establishing milestones to measure implementation progress.

"More improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities," Davis said. "We continue to meet with public and private stakeholders searching for other ideas for what might be most effective."

Wednesday's hearing is expected to focus on questions stemming from specific incidents on DHS networks such as hacking, classified leaks, unauthorized use by contractors and computer viruses.

GAO has been asked to describe findings on an unnamed DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure," according to a hearing briefing document.

The department's efforts to consolidate its computer networks under one roof also are likely to enter into the discussion, as are questions about "the lack of IT security funding" at DHS, the document indicates.

The committee sent Charbo letters on April 30 and May 31 that indicate the panel already has taken up its own investigation of the department's IT security, asking more than 25 questions over the course of two months about the status of the department's network security.

]]>

IG: Justice inconsistent in reporting of data breaches

Daniel Pulliam — Mon, 18 Jun 2007 00:00:00 -0400

Officials at the Justice Department have failed to report certain computer security incidents within the time frame required by the Office of Management and Budget, according to an audit report released Monday.

The 142-page report from Justice's inspector general office found that the department had not consistently implemented a July 2006 OMB requirement that agencies report data breaches involving the loss of personally identifiable information within one hour of discovery. Recent computer security incidents, including the Veterans Affairs Department's May 2006 loss of 26.5 million records containing sensitive information on veterans, prompted the requirement.

Two of nine agencies within the department had not updated their policies and procedures to include the new OMB requirement, the IG found. And an analysis of nearly 200 computer security incidents from July to November 2006 found that officials failed to consistently report the loss of personally identifiable information within one hour to the department's Computer Emergency Readiness Team. The audit found that none of the incidents were reported within one hour to the Homeland Security Department's Computer Emergency Readiness Team, or US-CERT, as required by OMB.

Auditors also found that none of the department's component agencies have established procedures for notifying people who could be affected by the loss of personal information. "We believe that the lack of procedures could cause delays in notifying individuals whose information has been compromised, increasing the individuals' risk of falling victim to fraud or identity theft," the report stated.

In addition, the IG found that officials at the nine Justice agencies believed their employees followed the proper internal reporting procedures when issuing notifications of security incidents. But the information technology staff of the FBI was not always doing so in practice, the auditors found.

Incident reports are sent to two separate offices at the FBI, yet only one is required to relay them to the Justice team, the IG noted. The result is that some incidents do not get reported, the auditors stated.

On a more positive note, the IG found that several Justice agencies have taken extra steps to minimize unauthorized access to sensitive information and to educate employees on reporting requirements. These include posting security information on their intranet sites or on employee computer monitors upon login. The IG urged officials to consider adopting these procedures across the department.

Justice officials told the IG that reporting within an hour is not practical. They also said the guidance on reporting to US-CERT -- the organization responsible for coordinating the response to computer security incidents governmentwide -- is not clear on whether reports must arrive within the same hour as those to the Justice readiness team.

But officials concurred with the IG's eight recommendations to help improve the department's procedures, including one to clarify the deadlines for reporting incidents. The department also agreed to instruct agencies on proper reporting of incidents with classified information, and is developing reporting measures for ensuring that all agencies meet established time frames. Additionally, officials are developing procedures for notifying people affected by a loss of personal information.

]]>