Lawmakers examine Veterans Affairs IT security efforts
Although the Veterans Affairs Department has been held up as a model for how government agencies should utilize information technology resources, it has a long way to go before it achieves satisfactory computer security, panelists told a House Appropriations subcommittee Wednesday.
The department is attempting to move toward a "One-VA," which includes streamlining agency services and using technology to increase efficiency and overlaps. President Bush's proposed fiscal 2003 budget includes $1.357 billion for VA's IT initiatives -- a 15 percent increase over last year's funding level.
"We want to know if the VA is investing their IT money wisely," said Rep. Steve Buyer, chairman of the House Veterans Affairs Committee's Subcommittee on Oversight and Investigations, which held a hearing Wednesday on the effectiveness of several VA IT programs. "We need to know what obstacles you foresee and how you plan to work through the VA's organization land mines, the cultural bias, the turf battles and the inherent inertia," he said.
Lawmakers and panelists said the VA's IT blueprint embodies the best practices sought by federal law such as the Government Information Security Act -- which calls for regular reviews of agency computer systems -- and the Clinger-Cohen Act, which places the responsibility for managing IT investment on agency heads.
But for an agency that has a history of being mired in bureaucracy, according to the lawmakers, they asked if VA is doing enough.
"This one VA horse has been allowed to stay in the barn for too long," said Rep. Julia Carson, D-Ind. "It's time to see if it can run."
Leon Kappelman, director of the Information Systems Research Center at the University of North Texas, said to achieve a "One-VA," there needs to be a central IT authority. The VA currently houses several IT directors and chief information officers.
David McClure, director of information technology management issues for the General Accounting Office, stressed that information security is one area that will require continued management attention. But he noted efforts by VA Assistant Secretary for Information Technology John Gauss to increase his focus on computer security and keep security policies current.
Gauss assured the committee that cyber security is one of the highest priorities for VA Secretary Anthony Principi. The VA's Office of Cyber Security aided the establishment of department-wide computer-protection priorities and an Enterprise Cyber Security Project -- aimed at controlling access to internal and external networks -- was approved in February. But an audit being conducted by the VA shows that significant information security vulnerabilities remain.
Gauss also said the federal government can help by ensuring that IT dollars go toward specific IT projects and by addressing the impending loss of hordes of federal IT workers to retirement. Gauss launched an IT workforce initiative to address the latter problem.
VA Inspector General Richard Griffin said key department security remediation actions need to be prioritized and completed in the next year, especially since recent discussions with the VA's Office of Cyber Security "indicate concern" that budget resources may not be available to complete all necessary actions.