[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                 HEARING ON THE REPEATED FAILURES OF
                VA'S INFORMATION TECHNOLOGY MANAGEMENT


                              HEARING

                             BEFORE THE

                    COMMITTEE ON VETERANS' AFFAIRS

                       HOUSE OF REPRESENTATIVES


                     ONE HUNDRED NINTH CONGRESS

                           SECOND SESSION

                            -------------

                            June 14, 2006

                            ------------

     Printed for the use of the Committee on Veterans' Affairs

                             Serial No. 109-51

                             --------------





                      U.S. GOVERNMENT PRINTING OFFICE
28-127 PDF                    WASHINGTON  :  2007


Wednesday, June 14, 2006
House of Representatives,
Committee on Veterans' Affairs,
Washington, D.C.





The committee met, pursuant to call, at 10:34 a.m., in Room 334, 
Cannon House Office Building, Hon. Steve Buyer [chairman of the 
committee] presiding.


Present:  Representatives Buyer, Moran, Miller, Brown of South 
Carolina, Boozman, Bilirakis, Filner, Michaud, Herseth, Snyder, 
Salazar, Udall and Reyes.  


The Chairman.  The House Committee on Veterans' Affairs will come 
to order.  Today is June 14, 2006. 


Good morning, ladies and gentlemen.  We are here today to receive 
testimony from the Department of Veterans' Affairs Inspector General 
and the Government Accounting Office about past problems and 
recommendations in connection with information security and 
management at the VA. 


We are on a fast track here at the committee.  With the security of 
personnel data compromised last month and the very trust of veterans 
and their families at stake, we cannot afford to let time pass.  
Already we have held one hearing to learn about the immediate impact 
of the theft from the Secretary last week, joined by the Military 
Quality of Life and Veterans' Affairs Appropriations Subcommittee 
Chairman, Jim Walsh; and I have held a roundtable at which 
information technology experts from Goldman Sachs & Company, EMC 
Corporation, VISA, Citi Group, Tri-West, and the American Bankers 
Association offered very candid appraisals, all emphasizing the 
importance of a centralized management of key components of 
information and information systems. 


Today, we must establish how and why the second largest breach of 
personal data in American history occurred at the VA.  Then, 
continuing an aggressive series of hearings over the next 2 weeks, 
we will hear testimony from experts, largely from the private sector 
and the academic world, which will provide best practices to further 
guide us.  Finally, we will be hearing also from the VA General 
Counsel, Tim McClain, with an update on the progress being made 
at the Department as well as the legal ramifications of this 
breach.  We will then hear again from Secretary Jim Nicholson at 
the end of the month. 


We must identify and understand the scope of this problem.  Then we 
can determine how to correct the problems at the Department.  We will 
then act on that determination. 

Today is essentially about the past, about context.  Without the 
advantage of this historical context, the theft of an analyst's 
computer might appear to be an aberration, something unusual that 
can be corrected with a new policy or an official rule. 


The context shows something entirely different.  VA's internal 
controls and data security have been grossly inadequate for years.  
Both the VA IG and the GAO have indicated VA's decentralized 
management and the lack of accountability as major shortcomings 
which have led to 16 recurring, unmitigated information security 
vulnerabilities over the past 8 years. 


Since May of 2000, this committee has held six hearings where VA 
information security has been specifically addressed and where 
lapses have been repeatedly identified.  We have continued to hold 
three more hearings this Congress to review VA information 
technology and monitor the Department's actions with respect to 
IG and GAO recommendations and even directives from Department 
leadership.  In the upcoming hearings, we will continue to obtain 
insights from witnesses, which will help us develop a bipartisan 
approach to this problem. 


The next hearing will be on June 20, when the Subcommittee on 
Disability Assistance and Memorial Affairs and the Subcommittee on 
Economic Opportunities will hold a joint hearing on the VA data 
theft and cyber security procedures at the Veterans Benefits 
Administration.  This hearing will include an examination of 
security measures to ensure fiduciaries are protecting sensitive 
client information. 


On June 21, the Subcommittee on Health will be meeting to examine 
the Department of Veterans' Affairs efforts to maintain security and 
integrity of the electronic health records of enrolled veterans 
while safeguarding sensitive personal veteran information from 
internal and external security threats. 


On June 22, the full committee will meet to hear from academic and 
industry experts on operational aspects of IT security, as well as 
the VA General Counsel on legal implications. 


On June 28, we will examine the role of VA's Chief Information Officer 
and the Department's Office of Information and Technology Structure 
and Operations.  We will receive testimony from two of the former 
CIOs at the VA. 


And, finally, on June 29, we will bring back VA Secretary Jim 
Nicholson to testify before the full committee to provide us with 
an update of the status of the VA data theft. 


Please make sure, my colleagues, that you mark these important dates 
on your schedules.  To the extent that information security is a 
critical priority throughout government, what we hear today and the 
successive hearings on this issue will, I believe, be of a broad 
value that transcends any one agency. 


I now recognize Mr. Filner for an opening statement. 


Mr. Filner.  Thank you, Mr. Chairman. 


You used the words "aggressive" and "fast track" for this series of 
hearings, and I certainly appreciate that, and we will give you our 
full support.  I think you have mapped out a fine approach from 
this committee, and we thank you. 


If it were possible to approach the theft of veterans' and service 
members' records without the emotions triggered by this theft, and 
what I can only call a pathetic response from the Veterans' 
Administration, the emotions of disbelief, anger, frustration that 
we all feel, this situation might be even an interesting case study 
of lax policies, failed leadership, and organizational arrogance.  I 
can only call this situation the Katrina of the Veterans' 
Administration.  A disaster occurred presumably not of their own 
doing, and yet the response was clearly inadequate, causing more 
suffering, and a presidential crony at the top of the administration 
unable to respond in an adequate way.  I know that Mr. Nicholson 
doesn't want to hear this phrase from President Bush, that he is 
doing a heck of a job. 


We have 26.5 million veterans and over 2.2 million active and reserve 
service members at risk of identity theft, their lives now requiring 
a new and constant vigilance.  Sensitive disability codes pinpointing 
health and medical information on service-connected disabled 
veterans, their most private personal information, is poised to 
enter the public domain, with the steady drip, drip, drip of 
information each time adding more bad news.  A lot of sensitive 
information is involved here, with a baseless spin by Secretary 
Nicholson and the other VA officials that the stolen data, and I 
quote, "may have been erased by teenagers who sold the computer 
equipment." 


Reaching for outcomes that are less than tragic is not helpful in this 
situation, when the street value of this information probably exceeds 
half a billion dollars, quite an incentive for bad guys to get ahold 
of this data. 


We are collectively angered by the 19-day-long lag between the data 
theft and public announcement.  When we questioned what happened, we 
find that the employee who took the data home told his supervisors 
almost immediately about the theft, but it took 6 days for the VA 
Chief of Staff to find out and another 6 days for the Deputy Chief 
of Staff, the Deputy Secretary, and the VA General Counsel to get 
around to notifying the Secretary.  Don't some of these folks work 
in the same office suite as the Secretary?  Wouldn't it be 
reasonable to tell the boss immediately about the possibility of 
a great compromise of records? 


Then we learn that the Inspector General's initial involvement was 
not a result of direct notification by the leadership at the VA but 
because someone from the IG's office happened to attend a 
regularly scheduled information security meeting.  We have to 
question why the leadership of the VA would not be more proactive 
in getting the issue to the investigators at the IG. 


In addition, it seems that the VA's senior leadership was more 
focusing on communicating with the White House than on notifying 
the FBI.  That task fell on the IG.  While the most important 
action should have been to recover the stolen data, message 
management was more important to these political appointees than 
getting the FBI involved in the investigation of the burglary.  
When the FBI was finally brought into the investigation, the trail 
was already 2 weeks old.  Talk about misplaced priorities! 


Not until this point did the VA Secretary notify the Nation's 
veterans, on May 22, fully 19 days after the theft. 


The Secretary now clamors for stiffer penalties for government 
employees who mishandle personal information that is entrusted to 
them.  Yet this organization failed to update in any meaningful 
way the internal policies and regulations of information security 
before the theft.  VA just simply ignored a host of findings 
and recommendations over the years and never fixed any of the data 
control and information security problems; and, unbelievably, after 
the theft, the Secretary waited for over a month to implement an 
updated and substantive policy on information security.  Even that 
policy is somewhat light on enforcement and on specific liabilities 
and punitive actions when an individual fails to protect sensitive 
information. 


I believe, and I think the Chairman has said many times, this ID 
theft would not have happened if VA leaders since 2001 had cared 
about protecting sensitive data or could get the job done.  This 
would not have happened if this Congress was more of a co-equal 
oversight mechanism for the executive branch.  So we will learn 
today the history of information security and information technology 
problems at the VA, which the Chairman has amply outlined. 


There still is avoidance of accountability and responsibility at 
the VA.  One wayward employee alone did not give birth to this 
massive data compromise.  It was born of a culture of indifference 
and fathered by VA leaders who philosophically skipped town during 
the last 5 years in their collective attempts to avoid 
accountability. 


Anyone at VA who waited or delayed over 24 hours to report this 
compromise should be held accountable and fired.  From the first 
day, it was clear this was not a minor issue.  Likewise, anyone 
who interfered, blocked or undercut the numerous attempts to 
improve substantive, enforceable information security and IT 
policies should be held accountable.  I am looking forward to the 
testimony today to see how we may deal with that. 


Lastly, Mr. Chairman, I spent the last days of May, and the early 
part of June, talking to people all over my district.  Veterans 
were not only angry but scared.  They have the potential compromise 
of their most sensitive data.  They got a letter from the VA just 
recently, and they see a Web page from the VA, which says, basically 
go talk to your credit bureau. 


The VA should be proactive in response to this crisis, making sure 
veterans know that the data breach will not be a cost to them, either 
in money or in psychological anxiety.  We have an obligation, given 
what happened, to be comforting in every way possible, and the VA 
simply is not doing this.  I hope over the course of your month-long 
hearings, Mr. Chairman, that the VA could sit down with the credit 
bureaus and ask them to voluntarily provide, as a national service, 
a way to mark these 26 or 28 million records so if any undue activity 
occurs we know about it right away, and it is not left up to the 
individual veterans to figure out how to deal with it. 


My colleagues, Mr. Salazar and Ms. Hooley, have legislation which 
calls for monitoring of the credit reports; and also Mr. Salazar has 
recently introduced legislation for an ombudsman at the VA to begin 
to deal with this data breach. 


Let us be proactive and not wait for more disasters to occur. 


Thank you, Mr. Chairman. 


The Chairman.  I thank the gentleman. 


As far as I know, the committee, on a bipartisan basis, Mr. Filner, 
has gone back to 1997, according to GAO testimony, from their audit.  
That was in submitted testimony. 


Does anyone have any other opening statements? 


Mr. Michaud, you are recognized. 


Mr. Michaud.  Thank you, Mr. Chairman. 


Just briefly, I want to thank you for staying focused on this very 
important issue.  I commend you and Ranking Member Evans for your 
leadership and having the committee explore this fully with an 
aggressive schedule over the next month.  I really appreciate it. 


I also want to thank Congressman Salazar for introducing legislation 
to look at this issue. 


I look forward to hearing the witnesses testify here today, and I 
would ask that my opening statement be submitted fully for the 
record. 


The Chairman.  All written statements will be submitted for the 
record, and members will have 3 business days to do so. 


[The statement of Michael Michaud appears on p.  :] 



The Chairman.  Any other opening statements?


All right, we will go to the witnesses.


Today, we welcome Michael Staley, the Assistant Inspector General 
for Audit at the Department of Veterans' Affairs.  Mr. Staley served 
with the Second Battalion Ninth Marines in Vietnam in 1968.  Upon 
returning from Vietnam, he devoted his career to helping veterans 
and their beneficiaries.  He held several positions of responsibility 
at the Veterans Benefit Administration upon joining them in 1971. 


Michael Staley was appointed the Assistant Inspector General for 
Auditing in December of 2003.  He directs a nationwide staff of over 
185 auditors and support staff located in offices across the 
Nation.  His office conducts audits and evaluations of the Department 
of Veterans' Affairs programs and functions and provides audit 
support to criminal and administrative investigations. 
 

Also before us is Ms. Linda Koontz.  You have been before us 
quite often over the years, and we appreciate your testimony.  She 
is the Director of Information Management Issues at the U.S. 
Government Accounting Office. 


We also have Gregory Wilshusen, Director of Information Security 
Issues at the U.S. Government Accountability Office. 


Ms. Koontz is responsible for government-wide telecommunications 
issues as well as issues concerning the collection, use, and 
dissemination of government information in an era of rapidly 
changing technology. 


Mr. Wilshusen has over 22 years of auditing and financial management 
information technology management experience and is the acting 
director on GAO's information technology team, where he leads 
information security audits at several Federal agencies. 


We also have Mr. Raponi with the VA IG; and I will leave that, 
Mr. Staley, for any further introductions. 



STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT, 
U.S. DEPARTMENT OF VETERANS' AFFAIRS, ACCOMPANIED BY MICHAEL 
RAPONI, REGION DIRECTOR, ST. PETERSBURG AUDIT OPERATION DIVISION, 
U.S. DEPARTMENT OF VETERANS' AFFAIRS; LINDA KOONTZ, DIRECTOR, 
INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
OFFICE; AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, 
U.S. GOVERNMENT ACCOUNTABILITY OFFICE  


The Chairman.  Mr. Staley, you are now recognized. 



STATEMENT OF MICHAEL STALEY 



Mr. Staley.  Thank you, Mr. Chairman.


Mr. Chairman, members of the committee, thank you for the 
opportunity to testify today on the results of our reviews, which 
continue to address information and security vulnerabilities in VA, 
and to report on the status of VA's implementation of our 
recommendations. 


As you said, Mr. Mike Raponi is next to me today.  He served as the 
project manager on the IT security audits, and I also have Steven 
Gaskell in the audience, who served as a project manager on 
these audits. 


We have conducted a number of audits and evaluations on information 
management security and information technology systems that have 
shown the need for continued improvements in addressing security 
vulnerabilities.  As such, we have included IT security as a major 
management challenge for the Department in all of the major 
management challenge reports since the year 2000. 


In our annual financial statement audits, we have reported VA 
information security controls as a material weakness since our 
fiscal year 1997 audit.  Specifically, we reported that VA's 
financial data and sensitive veteran medical and benefits 
information are at risk due to vulnerabilities related to access 
controls, change controls, the need to segregate duties, and the 
need to improve service continuity practices. 


My IT security program auditors have identified and reported on 
significant information security weaknesses since 2001.  All four 
of these annual audits have reported on similar issues; and the 
recurring themes in these reports are the need for a centralized 
approach to achieve standardization, remediation of identified 
weaknesses, and accountability in VA information security.  We 
have continued to report control weaknesses in physical security, 
electronic security, reporting, wireless security and employee 
security.  Additionally, we have reported significant issues 
with the implementation of IT initiatives by VA. 


Our combined assessment program reviews continue to report physical 
security and access control security vulnerabilities at VA health 
care facilities and VA regional offices where security issues were 
evaluated.  We have recently issued an advance copy of our draft IT 
security program review to VA.  While it is not our general 
practice to comment on draft reports before they are published, 
because of the extensive public interest in these information 
security issues, I have described the issues that VA is addressing 
in my testimony.  


In closing, I would like the committee to know that reviews of 
VA's information security will remain a top priority in my office.  
We remain committed to reporting on the adequacy of IT information 
security controls and following up on actions taken by VA to 
strengthen these controls as we remain dedicated to the goal of 
protecting our Nation's veterans. 


Mr. Chairman and members of the committee, thank you for the 
opportunity to be before you today; and I would be pleased to 
answer any questions that you might have. 


[The statement of Michael Staley appears on p.  :] 



The Chairman.  Ms. Koontz, you are recognized. 



STATEMENT OF LINDA KOONTZ 



Ms. Koontz.  Mr. Chairman and members of the committee, thank you 
for inviting us to participate in today's hearing on information 
security and privacy at the Department of Veterans' Affairs. 


The recent well-publicized security breach of the Department has 
thrown into high relief the importance of good information security 
controls in protecting personally identifiable information, not 
only at VA but throughout the government.  As we have reported many 
times, poor information security is a widespread problem that can 
potentially have devastating consequences. 


Today, we would like to summarize the recurring security weaknesses 
that we have reported at VA, discuss what agencies can do to prevent 
breaches of personal information, and comment on the issue of 
notifying individuals and the public when breaches occur. 


Since 1998, GAO and the VA IG have reported on wide-ranging 
deficiencies in VA's information security, including the lack of 
effective controls to prevent unauthorized access to VA systems and 
sensitive data.  In addition, the Department had not consistently 
provided adequate physical security for its computer facilities; it 
had not assigned duties so that incompatible functions were 
segregated; it had not controlled changes to its operating systems; 
and it had not updated or tested its disaster recovery plans. 


These deficiencies happened at least in part because VA had not 
fully implemented key components of a comprehensive, integrated 
information security program.  Such a program would establish 
Department-wide policies and procedures to address these 
weaknesses. 


Further, as we reported in 2002, VA's organization and management 
may also have hindered its ability to fully address security 
challenges.  Specifically, we reported that the hundreds of 
information security officers in VA did not report either 
directly or indirectly to the cyber security officer, and this 
official did not have control over a significant portion of the 
financial resources that the security program depends on to 
sustain its operations. 


VA has taken steps to improve information security.  For example, 
it reports that it recently centralized its security management.  
However, its efforts have not been sufficient to effectively protect 
its information and information systems.  As a result, sensitive 
information, including personally identifiable information, remains 
vulnerable to inadvertent or deliberate misuse, loss, or improper 
disclosure, as the recent breach demonstrates. 


In addition to a robust security program, agencies, including VA, can 
take a number of steps to help guard against the inadvertent 
compromise of personally identifiable information.  Specifically, 
under the E-Government Act, agencies are required to conduct privacy 
impact assessments.  Going forward, this gives agencies the 
opportunity to assess upfront how personally identifiable information 
is to be collected, stored, shared, and managed so that controls can 
be built in from the beginning. 


In addition, we suggest that agencies can take a number of other 
practical steps.  They can limit the collection of information to 
what they really need, they can limit the time that they keep 
such information, they can limit access to that information and 
train personnel accordingly, and they can appropriately use 
technological controls such as encryption when data needs to be 
stored on portable devices. 


Nonetheless, even with security and privacy protections in place, 
breaches can occur, particularly if enforcement is lax or employees 
willfully disregard policy.  When such breaches occur, notifications 
to those affected or the public have clear benefits, allowing people 
the opportunity to protect themselves from identity theft. 


Further, although existing law does not require agencies to notify 
the public, such notification is consistent with agencies' 
responsibility to inform individuals about how their information 
is being accessed and used, and it promotes accountability for 
privacy protections. 


That said, we need to be careful to define appropriate criteria for 
triggering notification, and notices must be sufficiently informative 
to allow people to understand the threat and how they should 
respond to it.  As the Comptroller General testified last week, 
these are factors we think that Congress should consider as it 
deliberates on proposed legislation on breach notification. 


In summary, Mr. Chairman, long-standing information security control 
weaknesses at VA have placed its information systems and information, 
including personally identifiable information, at increased risk of 
misuse and unauthorized disclosure.  Although VA has taken steps to 
mitigate previously reported weaknesses, its efforts have been 
insufficient to address these serious issues.  Only through strong 
leadership and sustained management commitment can VA implement a 
comprehensive, integrated information security program that can 
effectively manage risks on an ongoing basis. 


Mr. Chairman, that concludes my statement.  Mr. Wilshusen and I would 
be happy to answer questions. 


The Chairman.  Thank you very much. 


[The statement of Linda Koontz appears on p.  :] 



The Chairman.  When I think about the lapses of security in some of 
the hearings we have had over the years, we had some problems in 
pension compensation fraud.  So whether it was a $12 million case 
in Atlanta, a $6 million case in Manhattan, a $6 million case at 
Bay Pines, each time we come up here we talk about what the problems 
were; and it always goes back to unauthorized access, not having 
sufficient controls, who had the keys, where was the authority.  
I hate to keep saying it, but it is ditto, ditto, ditto.  It is 
almost like you can prepare your testimony by looking back on the 
testimony that you have given over the years. 


So here is what is sort of exhaustive.  You highlight these problems 
and concerns not only from GAO but IG, and you hand these off to 
the administration.  Who acts on them?  Who is supposed to act on 
the reports? 


Mr. Wilshusen.  Well, at least with regard to the GAO reports, we 
usually direct our recommendations to the head of the agency, and 
then they may direct it down to lower levels of management. 


The Chairman.  And in this case it is the Secretary? 


Mr. Wilshusen.  In this case, it would be to the Secretary of VA.  
Because, under FISMA, which is the Federal Information Security 
Management Act, it is the head of the agency that is responsible 
for implementing the safeguards and information security controls 
necessary to protect the information and information systems under 
his control that support the operations and assets of that agency. 


The Chairman.  All right.  Mr. Staley?  I mean, you provided 
testimony from your fiscal year 2004 report, including 16 
recommendations, all of which remain open as of today.  So these 
reports go to whom? 


Mr. Staley.  We issue our draft reports, Mr. Chairman, to the 
Chief Information Officer; and our recommendations in this report 
that you referred to included the Chief Information Officer and 
all of VA senior leadership that was involved in any IT security 
functions so that they could act jointly in trying to resolve 
these 16 recommendations. 


In our prior reports, we have issued our reports to the Chief 
Information Officer; and his concern and his response has been that 
he doesn't have the enforcement authority to implement the 
recommendations solely by himself.  So, in an attempt to remediate 
that issue, we were then broadening our recommendations to include 
all of VA senior leadership. 


The Chairman.  All right, but--okay, so when you are faced with a 
general counsel's decision that the CIO could only go with 
compliance and not enforcement, you then would take your reports 
and send them to whom above the CIO?  When you say "senior 
management," I don't know what that means. 


Mr. Staley.  If we are unable to resolve a recommendation or to get 
an action plan that is acceptable, we would then elevate it to the 
Deputy Secretary and the Secretary, if necessary. 


The Chairman.  Where does the CIO obtain his authority? 


Mr. Staley.  The CIO obtains his authority from the FISMA act. 


The Chairman.  Does he not also obtain his authority from directives 
from the Secretary? 


Mr. Staley.  Certainly, he is responsible to reporting to the 
Secretary, and he is under his leadership. 


Mr. Wilshusen.  And, also, if I may add, Mr. Chairman, Mr. Staley 
is correct.  FISMA, in addition to making--having the Secretary assume 
overall responsibility for the program, he also can delegate to the 
CIO the authority to ensure compliance with the Act and the 
provisions of the Act and to develop and maintain an agency-wide 
information security program that contains several different 
elements including assessing risks, developing the policies and 
procedures that are necessary to reduce those risks or 
cost-effectively reduce those risks, and to provide the testing 
and evaluation regarding the compliance and effectiveness of those 
controls. 


The Chairman.  I have one last question.  Are you aware--Ms. Koontz, 
are you aware of the memorandum of March 16, 2004, whereby then 
Secretary Tony Principi made an effort to make sure that cyber 
security, accountability, and protecting VA's computer information 
systems was the responsibility of the CIO Robert McFarland? 


Ms. Koontz.  Yes. 


The Chairman.  You are familiar with that memorandum? 


Ms. Koontz.  I have read it.  Yes. 


The Chairman.  Are you also familiar then with the general counsel's 
opinion that said that, despite the Secretary extending authority, 
that he really did not have the authority of enforcement?  Are you 
familiar with the general counsel's memorandum? 


Ms. Koontz.  The general counsel memorandum that I am familiar with 
is from February, 2004.  I don't know if this is the same one or 
not.  I am not sure I have all the documentation that you have, but 
a similar issue was raised at that time. 


The Chairman.  I have one here dated April 7, 2004.  So I will make 
sure you get a copy of this. 


Ms. Koontz.  Okay.  Very good. 


The Chairman.  My question is, when you look at the FISMA 
legislation that we passed here in Congress, were there rulings 
from other general counsels of other government departments 
consistent to what the VA did with regard to authority of a CIO? 


Ms. Koontz.  We haven't done a government-wide review of that, but 
I am not aware of any other general counsel that has--any other 
counsel decisions that would be similar. 


Mr. Wilshusen.  Nor am I. 


The Chairman.  You are not aware of up to date, but you have not 
given it a review. 


Ms. Koontz.  I haven't done a systematic review, no, and asked 
everybody. 


The Chairman.  Would you be outside of your lane to do that for 
this committee? 


Ms. Koontz.  I don't think so. 


Mr. Wilshusen.  No, we could work with your staff to look at that. 


The Chairman.  All right.  What we are most curious about is whether 
this legal opinion is consistent with other general counsels' opinion 
of the interpretation of the Act, or was this an opinion that was 
written because it was placating toward the interests of the three 
Under Secretaries? 


Ms. Koontz.  I understand. 


The Chairman.  Mr. Filner, you are recognized. 


Mr. Filner.  Thank you, Mr. Chairman. 


It is a bit beyond the scope of your testimony, but I would like to 
know if either of you have thought about or would need further 
direction from this committee to think about a proactive response.  
That is, we have an unprecedented breach of security here.  I know 
personally that dealing with identity theft is extremely difficult, 
it is frustrating, it is time consuming.  People who are older 
especially, find it hard to fix.  They need our help. 


Have you thought about a way that we can, in fact, taking into 
account privacy concerns, give the veterans some help from us 
rather than leave it to them as individuals to figure out credit 
breaches or monitor their credit reports or get their credit 
reports?  Could the VA figure out a way to work with the credit 
bureaus to monitor any suspicious activity, and therefore know 
of problems immediately?  To put some of the burden on the VA 
rather than on the individual veteran?  Can you comment?  Have 
you thought about that at all? 


We have to think outside the box, as they say.  We are thinking in 
very traditional terms about dealing with this issue, and yet this 
massive breach and the kind of people that we have a responsibility 
to deserve better. 


Ms. Koontz.  There are probably a number of options that are 
available to the Congress to deal with this if the Congress makes 
a policy decision that this kind of action is warranted.  I have 
seen proposals all the way from offering veterans free credit 
reports over some period of time to working more proactively with 
the credit bureaus in terms of monitoring.  But, quite honestly, 
we haven't evaluated any of these proposals nor looked into it 
further. 


Mr. Filner.  Are you restricted to evaluating? 


Ms. Koontz.  Yes. 


Mr. Filner.  We have to have some people giving us some policy 
recommendations in response to this breach, not just an audit 
function. 


The Chairman.  Mr. Filner, that is what we have done in our 
coordination of hearings.  We will have academics, we have private 
industries and all.  We have brought in the auditors for them to 
give us the historical context of all the problems and concerns.  
When we understand the context of the problem, then we can move 
out toward a solution. 


Mr. Filner.  I appreciate that, Mr. Chairman. 


An independent audit that was done about a little more than 3 years 
ago -- this was not done by either GAO or IG but Deloitte and Touche -- 
and I quote from that report.  In the so-called C and P system, 
compensation and pension, we identified numerous security 
weaknesses, including inappropriate access privileges and 
inadequate management of access privilege, excessive assignment 
of powerful privileges to sensitive information, and inadequate 
segregation of duties, permitting individuals to both initiate 
claims and authorize the claims for disbursement. 


It seems to me we knew that there was a disaster waiting to occur.  
Do you have any comment on that?  Is that part of what you had found 
in previous years? 


Mr. Staley.  Well, in commenting to the report, sir, the report 
continued to talk about role-based user profiles in terms of -- 


Mr. Filner.  I am sorry.  Can you define this in English, please? 


Mr. Staley.  Identifying the employee's specific duties, and then 
identifying what specific data that employee would need to perform 
those duties, and then limiting the access and controlling the 
access to only that specific set of data.  What we are finding is 
that there is a broader set of data that employees are able to 
access. 


By going ahead and limiting that access and I think, as Ms. Koontz 
has said in her testimony, by going ahead and restricting how much 
they can get, you certainly can mitigate the risks of some employee 
going off farther into other data than they should be. 


Mr. Wilshusen.  I would just add that those lists of deficiencies 
that you just pointed out from the Deloitte report are very 
similar -- in fact, identical -- to many of the weaknesses we identified 
years before then, after from 1997 or 1998 to 2002.  And I think it 
is just emblematic of the lack of having a comprehensive security 
program. 


Because you can find problems and weaknesses on one system with 
one organization, and if you don't have a centralization of your 
controls and standardization you will end up finding weaknesses 
across the Department.  Without having a strong, centralized focal 
point for implementing information security, it is likely that 
once an identified weakness is known it may be corrected, and VA 
generally is pretty good at correcting identified weaknesses, but 
they are not that good at proactively going forward and looking to 
see if similar weaknesses exist across the Department and taking 
corrective action. 


Mr. Filner.  Mr. Chairman, I don't mean this in any partisan way.  
I don't care if it is a Democratic administration or a Republican 
Congress or vice versa or executive-legislative being in the hands 
of the same party.  The oversight function of Congress is critical. 
You have shown, as we look down the month's schedule, the proper 
way to do oversight.  I think all the committees have to take this 
more seriously, again, without any partisan thought.  I think you 
have outlined a way that a committee ought to do oversight, and I 
hope we can serve as an example for other committees, too. 


My time is up.  Thank you, Mr. Chairman. 


The Chairman.  Thank you. 


Mr. Moran. 


Mr. Moran.  Thank you, Mr. Chairman. 


We have heard for a long time, and you have outlined again today, a 
long list, a long history of weaknesses within the system.  My 
interest is perhaps beyond your realm of ability to answer, but how 
do you explain the failure of the VA to implement the recommendations 
and for the atmosphere or culture that exists at the VA in regard 
to this issue to continue despite the significant and series of 
warnings that have occurred over a long period of time?  What is 
wrong at the VA that inadequate response occurs, it seems to me, 
in each and every occasion to the Inspector General, to the GAO, 
and to congressional committees' direction following review of 
their procedures?  Why no or insufficient response? 


Mr. Staley.  One of the reasons I think, sir, is that the 
recommendations -- the Department has seemed to focus on a resolution 
of recommendations at the sites that we visit.  We go out to the 
information technology centers, and then we go out to a select 
number of medical centers or regional offices, and then we conduct 
these program reviews where we go out to offices.  And the responses 
we get back to those recommendations are, is we have taken actions 
at site A. 


Then next year we come along and we go to site B and we see that the 
same conditions exist.  We have been continuing to report that these 
are systemic issues and that you need a comprehensive and central 
approach to ensuring that all of the recommendations are issued at 
all the sites concurrently.  So we wind up going ahead and making 
the recommendation the following year, and so then it just seems to 
perpetuate itself. 


Really, the Department needs to take an aggressive stance in ensuring 
that all of the regional offices and all of the facilities are 
correcting the vulnerabilities that we have identified and also 
correcting the vulnerabilities that they have recognized through 
their own certification and accreditation process in order to 
mitigate the risks that we are talking about here today. 


Mr. Wilshusen.  If I may add, because I wholeheartedly endorse what 
Mr. Staley said, is also there needs to be appropriate 
accountability mechanisms in place to help assure compliance; and, 
if not, that there are consequences for not implementing security 
controls. 


Mr. Moran.  Mr. Wilshusen, your testimony was that, legally, the 
responsibility for these issues, the security of information 
contained at the VA, rests with the Secretary of the Department.  
Is that true? 


Mr. Wilshusen.  Yes, under the Federal Information Security 
Management Act. 


Mr. Moran.  So no question as to who is responsible legally. 


Mr. Wilshusen.  He has overall responsibility. 


Mr. Moran.  What is your reaction to what is very troublesome to me 
as about the time frame in which it -- the time passage.  Say that 
differently.  A long period of time -- at least in my mind, a long 
period of time transpired before this breach reached the desk of 
the Secretary, and yet you tell me that the Secretary is legally 
responsible for this system and the consequences of that breach. 
What does it tell us about the VA in the failure for this 
information to quickly reach the Secretary? 


Mr. Wilshusen.  One of the elements that is required under law by 
FISMA is that agencies develop the policies and procedures for 
adequately detecting, reporting, and responding to security 
incidents and events. 


It seems clear -- and, again, we haven't done any work, so I don't 
know the specifics of this other than what I have read -- but it seems 
like there might have been a breakdown in those policies and 
procedures. 


Mr. Moran.  Are there policies for response and for notification in 
place at the VA today?  


Mr. Wilshusen.  That is something we haven't looked at recently. 


Mr. Staley.  There is an incident response criteria in VA's handbook. 
We currently have an administrative investigation ongoing to look 
at the specific instructions of the incident response handbook and 
what occurred from the point of time where the employee notified 
the VA.  We hope to issue that report to the Department for comment 
at the end of this month; and as soon as the Department responds to 
our issues and recommendations, we will be issuing the report, 
hopefully in mid-July. 


Mr. Moran.  Well, as I indicated, this aspect of it is clearly 
troublesome to me, the idea that it would take so long for the 
Secretary to learn of this breach.  The concern it raises with me is 
we either have a desire at a level of the VA in which to camouflage 
or hide, cover up the errors and mistakes, or a suggestion that the 
Secretary or the upper management is disengaged in these issues.  
And either one is a terrible conclusion to reach. 


But I would like to know -- I am anxious for your report, Mr. Staley -- to 
learn why it would take such an extraordinary amount of time.  I just 
know in the management of any business, small or large, the first 
place you go with something of this magnitude is to the leader; and 
it clearly happened in a very slow fashion at the Department of 
Veterans' Affairs. 


Thank you, Mr. Chairman. 


The Chairman.  Thank you very much. 


Mr. Michaud. 


Mr. Michaud.  Thank you very much, Mr. Chairman. 


Question:  During the coordinated draft, VA directive 6500 
information security program, VHA questioned the requirement that 
all companies acting as contractors or subcontractors with access 
to VA's information system, including transcription services and 
medical devices, shall be American owned. 


Today, the VA Office of Inspector General will release a report 
indicating that, in February of 2005, an offshore subcontractor 
contacted the Office of Inspector General hot line division 
threatening to expose about 30,000 VHA patient records from five 
VHA facilities over the Internet if the contractor did not pay over 
$28,000 owed.  Draft directive 6500 would have prevented this.  But 
the culture within VHA, as explained at previous hearings, that 
"don't tell me what to do" attitude, questioned the American-owned 
transcription service requirement.  They went out, but, as a result, 
confidentiality of medical records of over 30,000 veterans was 
jeopardized. 


I would like you to comment.


Mr. Staley.  Yes, sir.  We have been conducting this audit for some 
time in conjunction with our Office of Investigations, because there 
have also been certain investigations that have been ongoing as 
well, some of which would been under seal, so we have been a bit 
delayed in issuing this report.  In fact, we worked with the 
Justice Department a few months ago to try to sort out what language 
we could or could not put in the report before we issued it, and 
we just recently received comments back from the Justice Department. 


The break in the control is that the contracts do not specify to 
the contractors a number of criteria in terms of how to protect 
personal identifying information.  Such as you can send it to a 
U.S. contractor, but you cannot use an offshore foreign 
subcontractor.  It is silent on the issue.  So, consequently, you 
have an issue such as you have described this morning arise. 


And, of course, our report hopes to be out on the Internet today, 
latest tomorrow; and it talks about four issues: using speech 
recognition technology in-house to try to keep more of this in-house 
and not outsource it because the information is so sensitive; 
acquiring transcription services uniformly; and verifying the 
invoices and then, most importantly, the management controls over 
patient privacy and personal patient identifiers. 


The Chairman.  Mr. Michaud, if the gentleman would yield to me.  I 
recognized you out of order, and if you hold your thoughts, let me 
recognize Dr. Snyder, because he is going to have to get to the Armed 
Services Committee. 


Mr. Michaud.  No problem. 


The Chairman.  Mr. Snyder. 


Mr. Snyder.  Thank you, Mr. Chairman.  I appreciate your holding this 
hearing, also. 


I don't know if it happened to you, Mr. Chairman, but, as I mentioned 
in another hearing, my wife and I have a 3-week-old baby, so we got 
about 3 weeks behind in our mail.  Two days ago we were going 
through literally a laundry basket full of mail because we are on 
so many lists, and there was my letter from Secretary Nicholson, 
and I thought I was not going to be -- did you think the same thing? 


The Chairman.  It was personalized, too. 


Mr. Snyder.  It was very personalized. 


The Chairman.  "Dear Veteran." 


Mr. Snyder.  It gives you this empty feeling when you realize that 
somebody is sitting out there with your stuff. 


But at one of the hearings that was held, I think it was in the 
May 25th hearing -- I will direct this to you, Mr. Staley -- some 
private-sector privacy experts suggested that the VA doesn't need to 
be using Social Security numbers at all; and, in fact, that we were 
all -- everybody in the military memorizes for all time their service 
number.  We could either use our service number, which is just 
distinctly for the military, or be assigned another number.  Why do 
we have to use a Social Security number at all since this is all an 
in-house thing? 


Mr. Staley.  Well, it is certainly a policy decision by the Department. 
But my views on that, as I had a service number and not a Social 
Security number, but I also joined the VA around 1971, so I recognized 
that the Department of Defense was moving from service numbers to 
Social Security numbers depending on the branch of service you were 
in.  So VA eventually moved Social Security numbers as your general 
identifier.  And many of your affiliations and your other business 
associates that work with the VA also use Social Security numbers.  
Department of Defense uses Social Security numbers.  So I think that 
is pretty much how Social Security numbers became the -- 


Mr. Snyder.  I understand why it was done 35 years ago.  But why do 
we perpetuate it?  We have a distinctive number that is not a Social 
Security number.  Would that not add a different level of protection 
if we got away from Social Security numbers? 


Mr. Staley.  Certainly your point is well taken. 


Mr. Snyder.  They go throughout their military career with using a 
number that is not their Social Security number.  Is that not 
correct?  


Mr. Staley.  I am sorry, your question again? 


Mr. Snyder.  People in the military go throughout their military 
career, whether it is 2 years or 20 years, with a number that is 
not their Social Security number as their identifying number.  Is 
that not correct? 


Mr. Staley.  I believe -- I am not sure whether all military branches 
use a unique service number.  I couldn't comment on that. 


Mr. Snyder.  I want to get back to Mr. Buyer's statement about this 
memorandum on the CIO authority.  And I haven't read this, I just 
quickly looked through it. 


When you start seeing -- when someone has to ask for this kind of 
guidance and somebody is quoting court cases on statutory authority, 
you know, the principles of interpreting statute, we are in doo-doo 
city.  I mean, because somebody out there has to sit -- is looking for 
how do I have to do my dang job?  And do I have authority or not?  
And when I call up you to tell you I have the authority, I don't 
need to be sending along:  Well, you need to refer to page 7, 
footnote 3, about my authority to tell you how to improve your 
stuff.  I mean, does this not point that we need to do some 
clarifying legislative kind of language so that the lines of 
authority on this are clear? 


Mr. Staley.  Obviously, I can't speak for the general counsel in that 
their legal opinion has been the focal point of the reasons why the 
CIO has continued to inform us, as we push forward in trying to move 
our recommendations forward, that he had been hampered by enforcing 
many of the initiatives that he had tried to execute in terms of 
having the authority to make them happen. 


Mr. Snyder.  And you folks from the GAO, there is a statement in 
there.  You talk about the weaknesses, that things have been 
identified in 2001 that had not been resolved, what Mr. Buyer 
referred to as the ditto document, that we are rehashing some of 
the stuff had been talked about in the past.  In one line there in 
the report, it talks about  the Department has maximized limited 
resources to make significant improvements.  The phrase "limited 
resources" catches my attention.  Do we have now and have we had 
funding issues in terms of getting this done? 


Mr. Wilshusen.  I think that was the Department's response. 


Mr. Snyder.  It was the Department's response.  Do you agree with 
that response?  Is it partly a money issue? 


Mr. Wilshusen.  We believe -- and in our reports we talk about what 
resources are available that they have and how they are being 
used.  I wouldn't say that is a resource issue or that they need 
more money.  We generally don't make such recommendations along 
those lines.  We look at how they use the resources that they 
have.  


Mr. Snyder.  Dr. Staley, one of the problems that you mentioned is 
controlling access to physical space.  Now we can talk about 
encryption and all these kind of things as being a new problem.  
We all understand new problems.  But access, protection of medical 
records, physical space is not a new challenge.  Why is that not an 
easy problem to correct? 


I assume what we are talking about is the ability of someone just to 
walk in and say I am going to grab that file.  Why are we still 
having to deal, after this many decades of concern about medical 
privacy, before even the advent of computers, why are we still 
dealing with controlling access to physical space, just somebody 
walking in and grabbing files? 


Mr. Staley.  Well, it is an issue of vigilance, sir, and continually 
ensuring that your physical space is secure.  Obviously, the 
Department has made improvements by adding key cards and things of 
that nature to control physical space better.  We see more and more 
of that as we go out on these site visits. 


But it doesn't preclude someone from sticking a pop bottle in that 
door, and then we arrive and, my goodness, there is a pop bottle and 
the door is open.  It doesn't preclude cleaning crews from going 
in there unescorted, or because of a lack of time, someone lets a 
contractor in there to deliver materials and they are not there next 
to them.  


So these physical security issues continue to persist, and it is 
really an issue of vigilance and ensuring that our guard is not let 
down and that those areas are always secured. 


Mr. Snyder.  If you see in your work, if you see Mr. Buyer's or my 
file laying around, would you let us know? 


Thank you.  Thank you, Mr. Chairman. 


The Chairman.  Dr. Snyder, your question with regard to Social 
Security numbers.  At the last hearing, Gartner Consulting gave 
a recommendation to the committee that the VA should no longer 
use Social Security numbers and should use a user personal 
identifier.  So, distinctive. 


Your other question on enforcement, where we are going, is the 
reason we have turned now to the other subcommittees to hold 
their own hearings.  Because if the CIO can't do the enforcement, 
then the enforcement is the responsibility of the three Under 
Secretaries.  So we have got to bring them in. 


Mr. Snyder.  Thank you. 


The Chairman.  Mr. Michaud. 


Mr. Michaud.  Thank you very much, Mr. Chairman. 


I just want to follow up on my last question.  At our last hearing 
we were assured that there is a culture within VHA based upon the 
medical profession code to do no harm by Dr. Perlin.  But my concern 
when I find out that just last year that you received a call from 
a subcontractor threatening to expose 30,000 veterans' information, 
medical records, over the Internet unless VA pay the $28,000 owed 
is a real concern that I have.  And I am just wondering, in your 
many reviews of the VA IT system, have you identified a stronger 
IT security culture in VHA versus the Veterans Benefits 
Administration or the National Cemetery Administration? 


Mr. Staley.  Our principal focus is in the Veterans' Health 
Administration and the Veterans' Benefits Administration.  They have 
far more platforms and systems than the National Cemetery 
Administration.  There is only a few systems that are being used 
there.  And we are finding similar problems in both 
administrations.  Referring to encryption solutions, you will 
find the same problems, that the veterans' benefits network does 
transmit clear text, unencrypted among its network.  You go to VHA, 
you look at their Vista system, which is predominant, and the 
transmission and storage is in clear text.  And when you look at 
some of the other areas that I have testified on in my written 
testimony, similar conditions exist in both administrations. 


Mr. Michaud.  Has the GAO found that with other agencies dealing 
with subcontractors, that this is a problem?  Have you looked at 
this issue as a potential problem? 
 

Mr. Wilshusen.  We looked at the issue last year in terms of the 
use of contractors to provide services, information technology and 
security-related services; and one of the things we found is that 
Federal agencies, by and large, did not do an adequate job of 
providing oversight over the services that those contractors 
provide. 


One of the things_again, I keep referring to FISMA.  But one of the 
things that FISMA does, is it also extends the requirement that the 
agency's information security program extends to the information and 
the systems that are being operated on its behalf by contractors 
and other third parties; and we found that there is still room for 
improvement on agencies' oversight of the work being done by 
contractors with regard to information security. 


Mr. Michaud.  Thank you, Mr. Chairman. 


The Chairman.  Thank you.  


Mr. Bilirakis. 


Mr. Bilirakis.  Thank you, Mr. Chairman. 


Mr. Staley, as you may know, tomorrow the Subcommittee on Oversight 
Investigations will hold a hearing on patient safety, where we will 
hear testimony from GAO on credentialing physicians, which includes 
background checks, of course.  Your written testimony states that 
you have identified instances where background investigations and 
reinvestigations were not initiated in a timely manner on employees 
and contractors or were not initiated at all.  Now, are you telling 
this committee that the Department is lacking background checks for 
personnel that handle secure data as well? 


Mr. Staley.  Yes, Mr. Bilirakis. 


Mr. Bilirakis.  You are saying that. 


Mr. Staley.  Yes.  VBA has recently reported to our office that they 
need to conduct about 3,000 new background checks in order to 
resolve this issue.  So that is one of the reasons our recommendation 
remains open and why we continue to monitor it. 


Mr. Bilirakis.  My God.  We identified IT and security deficiencies 
at 37; 67 percent of 55 Veterans' Benefits Administration facilities 
reviewed.  And this is something that has been in the offing, as you 
know, for a long, long time.  We have held hearing after hearing 
after hearing.  We have had roundtables.  We can just go on and on 
and on. 


I guess we can continue to talk about the details here and about 
Social Security numbers, but I don't know why in the world we got 
away from the old military service numbers, quite frankly, and went 
into Social Security numbers.  All we did was just compounded the 
problem. 


Mr. Moran went into the atmosphere of the culture.  I would add an 
additional word to that, and that is turf, T-U-R-F.  Frankly, one 
of my biggest disappointments -- and I am not a spring chicken.  I have 
served in the military.  You just name it.  Basically, I think I 
have done it all.  Yet it is still one of my biggest disappointments 
since coming to the Congress 24 years ago is the turf concerns that 
we have up here.  I think we probably would function one hell of a 
lot better if we weren't as concerned with it as we are.  And maybe 
it is human nature and maybe it is something we can't ever change 
because it is within us.  I don't know.  But that is a terrible 
disappointment on my part. 


I might add, too, my first experience with the IG was when I was in 
the military, and I saw a lot of power there.  I mean, people 
straightened up and paid attention when the IG got involved in a 
particular situation.  Now we have GAO which -- thank God for you.  
I think, frankly, you do great work.  And we have the IG.  And yet 
we haven't been able to straighten things out at the VA. 


Granted, we have secretaries who are political appointments, many of 
whom don't even serve the full 4 years that they are appointed.  I 
think that there is a lot of resentment probably towards them by 
the bureaucrats. 


Why can't we get these things straightened out?  I mean, don't you 
have any recommendations to us?  Is the only way to get this culture 
and this atmosphere that exists there and these turf problems -- and I 
know you haven't acknowledged that yet, but I think you probably 
would acknowledge that turf is part of the problem.  Isn't there 
any way to get this straightened out without necessarily someone 
coming in and saying just we are going to clean out everybody?  And 
I don't want the papers to report that I have suggested that, 
but -- clean out everyone and start from scratch?  Why should we 
continue to -- I mean, it creates work for us and whatnot.  And maybe 
that is good, because we are needed.  But, at the same time, why 
can't we get past that? 


Comments?  GAO, Ms. Koontz, say you are queen of the day.  I mean, 
tell me, what would you do? 


Ms. Koontz.  Well, I think one of the things that I didn't want to 
leave this hearing without saying is that one of the very serious 
problems at VA has been the lack of a strong CIO organization, and 
VA was very slow to put into place a full-time CIO.  That didn't 
happen until 2001.  And, since then, there has been two CIOs who 
have come and gone.  Each of them recognized that there was a need 
to realign the CIO function and to strengthen it. 


We supported the notion that you needed to have centralized security 
management, and we supported the idea that the CIO really had to have 
a seat at the table and needed to have veto authority, power over 
things that just didn't make sense, that weren't standard within 
the organization, that shouldn't be connected to the network, that 
didn't meet security standards.  And what you have seen is that two 
CIOs have come and gone and the realignment has yet to happen. 


Obviously, VA is very, very resistant to change, quite slow to move. 
And I have to say I think it is up to the Secretary to make sure 
that the CIO has the support to make the realignment happen in such 
a way that we can get a positive result. 


Mr. Bilirakis.  Should that CIO be someone coming through the ranks, 
so to speak, a bureaucrat, or should it be somebody from the 
outside? 


Ms. Koontz.  I think that the CIO has to have particular 
qualifications, and the CIO at VA is a political appointment. I 
think that the talent and the qualifications of the person is 
probably most important, but, also, the support from the Secretary 
is very vital. 


Mr. Bilirakis.  But if that CIO is and has to be -- I mean, I don't know 
whether that person has to be a political appointment.  But if he or 
she has to be a political appointment, won't that person maybe 
suffer the same problems that the Secretary -- any Secretary might 
because of resentment and the culture that exists there and this 
is an outsider coming in? 


Ms. Koontz.  I think that will be a challenge for anyone coming up, 
either within the ranks or from outside.  And, again, I think that 
the Secretary has the authority and the power to make sure that the 
CIO can be effective in the organization, even though I recognize 
there are big challenges in terms of all the reasons that you have 
just mentioned -- that it is a very large organization, it is very 
difficult to change, and there appears to be some resistance to 
changing things in this area. 


Mr. Bilirakis.  In the process -- and I don't see the red light on yet, 
Mr. Chairman, so I guess I will continue.  But in the process of 
your investigations and also the investigations of the IG, you go 
into the details and you see things wrong and you make 
recommendations, but do you take into consideration this culture, 
invisible type of thing, culture, turf, atmosphere type thing in 
the process?  Or do you just concentrate on, I will say, the 
tangible, if you will, the mistakes that are made, the 
inefficiencies, and things of that nature? 


Ms. Koontz.  Well, I think -- from a GAO perspective, I think we always 
try to identify what the root cause is of any particular deficiencies 
that we found.  And I think we have reported over and over 
that -- management being a very critical problem at VA in terms of 
IT and one that needs to be resolved.  So I think we have taken 
that into consideration. 


Mr. Bilirakis.  Mr. Staley, anything to add on that?  Again, I said 
my experience with you all is that you are awfully powerful, but are 
you not powerful as far as the VA is concerned. 

Mr. Staley.  We continue to make recommendations, Mr. Bilirakis.  
In my written testimony, the first recommendation speaks to a 
centralized approach which we recognized because each administration 
needs to work together to resolve the vulnerabilities that are 
talked about in the testimony from 2 to 17, in that all of the 
administrations need to work together to achieve success.  And I 
know there are some very hardworking individuals in each of the 
administrations that have specific missions for their specific 
administration.  But there is a bigger picture here, in that what 
everything points to is a standardized approach, and the only way 
that can be accomplished is if it is all done as one voice. 


Mr. Bilirakis.  Do you see continuity?  Secretary Principi left, 
Secretary Nicholson came aboard.  I guess there was probably a 
little bit of a gap period of time there.  Is there continuity?  
How much time is spent by those two secretaries, along with their 
chief personnel, to sit down and to kind of go over, hey, this is 
what has been a problem, this is what we have accomplished, this 
is what we have kind of turned over to you and recommend?  Is that 
taking place? 


Mr. Staley.  In the case of Secretary Principi he was very adamant 
that the administrations complete their certifications and 
accreditation process by August 21, 2005.  And he made that happen.  
And it also allowed the Department to realize and to catalog the 
number of vulnerabilities that it really had to deal with just by 
the fact that they were able to certify and accredit all of 
their systems.  It also gave them a better handle on how many 
systems they really had.  So Secretary Principi did make progress 
in that area, of course; then he had moved on.  And now we have 
Secretary Nicholson trying to get a handle on this issue. 


Mr. Bilirakis.  Thank you. 


The Chairman.  We will have a second round.  Ms. Herseth. 


Ms. Herseth.  Thank you, Mr. Chairman.  If I could make just a 
request to add on to yours, in working with the committee and with 
the GAO to undertake a systematic analysis of the general counsel's 
rulings.  I would also inquire, Mr. Chairman, as to your willingness 
to extend that to look at, in light of Ms. Koontz's acknowledgment 
or her explanation of what she thinks is a problem here and a lack 
of a strong CIO organization, we have got since 1996 under the 
Clinger-Cohen Act, a CIO is supposed to be created in each Federal 
agency.  It would be interesting to see if we have the same problem 
in the other Federal agencies with the lack of a strong organization 
with the CIO, if there are other determinations, and maybe we can 
extend it. 


I only bring it up because we need some continuity across agencies.  
And if they are having the same problem in another agency with the 
lack of a strong CIO that has led to some of the same problems that 
the VA has been experiencing based on a currently decentralized 
system but the need for some sort of centralization, we have other 
CIOs that have been created in other Federal agencies.  And I do not 
know if they all communicate effectively about the different problems 
they are having, but we do need to facilitate the exchange of 
information among these different entities we create after statutory 
authority to do so. 


The Chairman.  Your point is well taken.  The reason we focus on this 
memo, and we will bring the general counsel up, is that Tony 
Principi, the former Secretary, went out and found one of the 
Nation's best and brightest in Bob McFarland to be the CIO to take 
on these challenges that GAO and IG have laid out.  But what happened 
is we had a strong intelligent person who is undercut in his 
authority to be able to implement it, and that is what we are going 
to get to the bottom of. 


I yield back.  


Ms. Herseth.  I appreciate that, Mr. Chairman, and I hope that we 
can pursue this in other ways because I think--and this leads to sort 
of my next question here--if we can identify where things are working 
better in a different agency with a new position that we create, 
that way it helps us to identify how we improve, kind of find sort 
of the best practices for other agencies. 


So that leads me, Mr. Staley, to my question for you.  And that is 
on page 3 of your written testimony, and I know that Mr. Bilirakis 
identified this as well.  We have a number, significant percentages 
here of our VHA and VBA facilities that have an ongoing problem 
with implementing recommendations and have these vulnerabilities.  
But has there ever been an analysis as to what is going right or 
what steps were taken at the 40 VHA facilities and the 18 VBA 
facilities in which these comprehensive reviews have shown that 
the recommendations were acted on or they have been able to avoid 
or take corrective action to address the vulnerabilities so that as 
we seek to centralize and standardize the procedures, is it 
differences in leadership at the regional offices?  Is it differences 
in attitude?  We have all posed questions about culture.  Is it 
differences how resources are being allocated? 


I would rather us move--while we can talk for hours about the 
problems, maybe we could shift our focus to those sites, those 
facilities, that have done a good job, and figure out how we 
integrate their practices into our desire to have a more 
centralized and effective system to address the vulnerabilities.  
Has a similar analysis, to figure out and put together a set of 
best practices, been completed? 


Mr. Staley.  Certainly we haven't reported as a cumulative on best 
practices, as you have suggested.  It is a good point.  What we have 
done is discuss a best practice or a control in an individual report. 
But no, we have not taken those facilities that are complying and 
are vigilant about access controls and those kind of issues and 
talked about them as: here is a body of work and here is what you 
need to do for example.  We haven't done that. 


We have reached out to these PCIE communities.  My IG has reached 
out to the PCIE to talk about whether we need to get together as a 
group and look at this issue governmentwide.  I do know that we are 
scheduled to meet with the PCIE in the future and talk about this 
very issue. 


Ms. Herseth.  And the acronym stands for what again?  Did you say 
PCAI? 


Mr. Staley.  PCIE, the President's Council on Integrity and 
Efficiency. 


Ms. Herseth.  That was going to be another question.  That is the 
entity that brings all the offices of the inspector general 
together. 


Mr. Staley.  Yes.


Ms. Herseth.  To identify patterns and trends.  And how often does 
that Council get together? 


Mr. Staley.  It is routine.  I cannot give you an exact time but 
usually monthly. 


Ms. Herseth.  Just as a follow-up, Ms. Koontz, are you aware at the 
GAO, do the CIOs created among the different agencies, do they have 
a mechanism in which they get together on a regular basis to 
share information? 


Ms. Koontz.  The CIOs also have the CIO Council which was 
established, or reestablished, under the E-Government Act. 


Ms. Herseth.  So they all meet together.  They are meeting in sort 
of subsets of one another, based on whether they are in the IG office 
or CIO? 


Ms. Koontz.  Right. 


Ms. Herseth.  I will yield back.  I hate to end on this note but I 
think it is important to put this on the record again because it is 
an observation that has some pretty powerful implications.  In the 
first hearing that we had on the data theft, we secured a written 
statement from Dr. Leon Kappelman who is an expert in information 
technology in our organization, culture, and operations.  Here is 
what he observed.  He has personally seen VA personnel subvert 
and sabotage hundreds of millions of dollars' worth of IT projects 
and read about billions more wasted on other failures.  I have 
seen a total disregard for one cyber security effort after another.  
These are only the tip of the iceberg. 
 

Why do such things happen at VA?  Largely because these systems and 
efforts would make the utilization of budget and personnel more 
transparent and thereby make accountability possible.  Have either 
of you in your work ever seen evidence at different facilities of 
personnel intentionally subverting and sabotaging projects designed 
to implement recommendations, particularly in the cyber security 
and information technology arena? 


Mr. Wilshusen.  No, I cannot say that I have seen any personnel 
sabotaging such projects. 


Mr. Staley.  The same for me.  I cannot recall any specific 
instances.  Of course we are an audit organization.  We do have an 
Office of Investigations, but I cannot speak for any specific 
instance where that may have occurred. 


Ms. Herseth.  I appreciate your responses. 


Mr. Bilirakis.  Will the gentlewoman yield?


Ms. Herseth.  Yes, Mr. Bilirakis.  


Mr. Bilirakis.  As a follow up on that, how does the VA in your 
opinions, particularly GAO because you have experience throughout 
all of the other departments and agencies, how does the VA compare 
in these areas with the other departments and agencies? 


Mr. Wilshusen.  At least with regard to information security, every 
year we look at the FISMA reports that are required that each agency 
is supposed to send to the Congress and also to OMB.  Our analysis 
of those FISMA reports tends to show that VA and its implementation 
of the FISMA requirements tends to be at the bottom end of the 
scale, if you will, along with some of the other larger, more 
diverse organizations compared to other smaller organizations that 
tend to do higher on that particular score.  But certainly with VA 
reporting material weaknesses since 1998, 1997, it is an indication 
that there is a lot of work that needs to be done. 


Mr. Bilirakis.  Thank you. 


The Chairman.  Thank you very much.  I would like to go to your 
issue number one and it deals with the implementation of a 
centralized agencywide IT security program.  We got to go to this 
one because a lot of people will--and it is easy to say this is 
the responsibility of the CIO.  Really?  I suppose that is what 
it should be in corporate America and it is.  It is what it should 
be at the VA but it is not.  


So Tony Principi goes out there and he finds one of the best, makes 
him the CIO, and then we learn that operational controls are 
decentralized among each of the administrations; so VHA, VBA, the 
National Cemetery Administration and other programs, they have the 
operational control.  The CIO can only provide guidance and the 
tools to support these activities but has no ability to enforce.  
Is that statement correct? 


Mr. Staley.  That is correct.  Correct, sir.  That is correct, 
sir. 


The Chairman.  I wanted to make sure I was hearing correctly.  That 
is an important predicate.  It is an important predicate because 
we need to figure out what are the lines of authority.  If you 
figure out what are the lines of authority, then we can get to 
the implementation to cure the problem. 


In Congress when we looked at this last year on a bipartisan basis, 
we moved overwhelmingly, not only in this committee but in the 
entire House.  Not a single vote against centralizing the IT 
system.  Whoa, did we get pushed back.  The Senate wanted to give 
deference to the VA and the bureaucracy became the centurions.  
Wow.  Then we continued to receive your reports about all of these 
issues that are still noncompliant.  I suppose, then, if we have a 
system that is so decentralized--but let's go back.  


We have the Secretary who has the authority.  He then extends part 
of his authority to CIO and part of that goes to cyber security, 
both of which can only do compliance but not enforcement; therefore, 
I must assume that enforcement then rests with the three Under 
Secretaries.  Would that be a correct assumption? 


Mr. Staley.  That is correct. 


The Chairman.  So it is now the responsibility of the three Under 
Secretaries to implement these recommendations from GAO and IG; 
would that be correct?  I am looking for responsibility, 
Mr. Staley. 


Mr. Staley.  The CIO in conjunction with VA leadership, they have a 
joint responsibility to implement these recommendations.  That is 
correct Mr. Chairman. 


The Chairman.  Okay.  Both of you have an incredibly challenging 
job.  When you see something in error and you keep highlighting 
the error and you are trying to work with someone else who says, 
I know all about it but I have no authority, and this has been 
happening for years. 


Let me ask this.  On GAO you have got to have a higher authority.  
If the GAO turns to the VA and for years you give these 
recommendations to cure, yet you have a department of government 
that is not implementing GAO recommendations, who is your higher 
authority? 


Mr. Wilshusen.  I would just say, you know, it is the management's 
responsibility for implementing those recommendations.  We continue 
to make them. 


The Chairman.  Who is the manager of the management? 


Mr. Wilshusen.  That would be at the agency.  It would be the 
Secretary and the senior managers of CIO, as others. 


The Chairman.  Wait a minute, wait a minute.  I do not understand 
the answer.  At the GAO you are overlooking departments of 
government, and you have a department of government that is 
noncompliant and perhaps even recalcitrant from a bureaucracy 
that will not implement the changes, who do you appeal to?  Do 
you turn to OMB?  Do you report this to the White House?  Is there 
a higher appellate authority?  Or do you just say, you know what, 
the Secretary reports to the Cabinet and all we can do is we're 
auditors.  We can tell them what we see and if they act on the 
information that is great; if they do not act, well, I guess that 
is what happens. 


Mr. Wilshusen.  Well, we do report to the Department; that is 
correct.  I do not know if we would appeal to OMB on a specific 
instance where a department is noncompliant with implementing 
our recommendations. 


The Chairman.  So your audits would only go to a Secretariat of a 
department, and they do not go anywhere else. 


Mr. Wilshusen.  No, we also send, usually, copies of the 
recommendations; and our reports go to different congressional 
committees of jurisdiction. 


The Chairman.  So outside of our oversight and the Senate's 
oversight, what oversight is there in the executive branch if 
you have a department of government that does not implement 
changes to prevent a train wreck?  I don't know.  If there is 
not, just tell me.  I am not asking you a question I know the 
answer to.  I do not know. 


Mr. Wilshusen.  I guess the only other higher authority might be 
the American public, because many of our reports are also publicized 
and put on the Web site. 


The Chairman.  I will stay within the executive branch.  Within GAO 
is there ever a function whereby you take your report and you send 
it to anyone else?  The anyone else would be what?  The White House. 
Because the Secretariats work for the President. 


Mr. Wilshusen.  Generally, when we would do a governmentwide review, 
our recommendations and report would then usually be addressed to the 
director of OMB if it has OMB issues in it.  But that would not 
necessarily be the result of our work that we have been doing over 
at VA. 


The Chairman.  If it has OMB issues on it.  All right.  Let's go 
with theft, fraud, 6 million, right, 6 million, 12 million, these 
Bay Pines debacles, hundreds of millions of dollars.  That is kind 
of OMB implication, right?  So if you have got the VA 
nonimplementation, was there ever a thought within GAO that, gee, 
we probably need to kick this over to OMB?  I am just curious.  I 
do not know. 


Ms. Koontz.  I think one of the mechanisms that we use is that we 
have publicized information security as being a governmentwide 
high-risk area since 1997, I believe.  And we have put a lot of 
emphasis on it and there have been a lot of conversations with OMB 
and with the individual agencies about trying to address this 
particular weakness. 


Mr. Wilshusen.  Right.  And one other comment, too, is that agencies 
are to report how they have implemented the GAO recommendations.  
So I guess it is to the GAO oversight committees, which would be 
the House Government Reform and Senate Homeland Security, Government 
Affairs. 


The Chairman.  All right.  Let's go to Government Reform, because 
they ended up coming with the FISMA act.  So we put teeth in Privacy 
Act violations.  Are there sufficient--is there sufficient teeth for 
compliance in this act?  Do you think Congress needs to come back 
in to the FISMA and make them equate with the Privacy Act violation? 


Mr. Wilshusen.  I do not think there are any particular, I will 
say, penalties. 


The Chairman.  Enforcement mechanisms?  Tools? 


Mr. Wilshusen.  Right.  Other than agencies are required to report 
to Congress and to OMB on the progress of implementing FISMA. 


The Chairman.  And there are no consequences for not? 


Mr. Wilshusen.  For not reporting?  I do not know if that has 
happened.  I think each agency has reported. 


The Chairman.  Ms. Koontz, I can remember the first time in your 
testimony before one of the subcommittees that I chaired, the VA 
was the last to go out and get a CIO that I recall.  It was driving 
me crazy with the Clinger Act.  And that is when I first--I had 
deep respect for you because you went right at it.  And our 
difficulty right now is that we have so many of these security 
vulnerabilities, key controls, information that should have never 
been taken down, information that does not even--if you have an 
individual that gains access to particular information, it is not 
even time sensitive. 


This is going to take a tremendous amount of work to put this one 
together.  Does anybody else have further questions?  Mr. Moran. 


Mr. Moran.  No, sir. 


The Chairman.  Mr. Bilirakis. 


Mr. Bilirakis.  I guess you have to go over there. 


Mr. Michaud.  Yes.  Thank you, Mr. Chairman.  FISMA applies to 
national and nonnational security systems.  The data that was 
stolen, does that fall in that category as national or nonnational 
security?  


Mr. Staley.  Sir, I am really not able to comment at this time, in 
that we currently have an ongoing administrative investigation and 
we are also doing a set of comprehensive policy reviews as well and 
working with the Justice Department.  And I believe our intention 
is to get that report out at the end of the month to the Department 
for comment, and then to issue it to the public and to the Hill by 
mid-July. 


Mr. Michaud.  So you cannot comment whether it was national or 
nonnational? 


Mr. Staley.  I would not be able to comment, sir. 


Mr. Michaud.  Assuming that it was or is a national or 
nonnational--assuming that it was or it is--my question is that on 
August 1 of 2003, the general counsel issued an advisory opinion to 
address the extent of the authority and responsibility to the VA 
chief information officer contemplated by the Federal Information 
Security Management Act of 2003 as a national security information 
and information system.  It held that FISMA charges the CIO with 
certain security responsibilities, a major one being the development 
and maintenance of information security policy, procedures and 
controlled techniques to ensure security requirements issued by 
the President and OMB requiring national and nonnational security 
systems are met.  FISMA requires the CIO to develop and implement 
an agencywide security program to achieve these purposes.  Has this 
happened?  Why or why not? 


Mr. Staley.  Certainly.  Our reports have repeatedly shown that 
security vulnerabilities continue to exist in many facets of the 
Department, and that the VA itself reported receiving 
an F grade in terms of IT security.  I think, as GAO had pointed 
out, they have a long way to go to mitigate these vulnerabilities 
and to have a sound comprehensive IT security program. 


Mr. Michaud.  When will you know whether or not this is a national 
or nonnational security issue? 


Mr. Staley.  Well, our report will be issued mid-July and it is 
conducting a comprehensive review of policy procedures and these 
other issues. 


Mr. Michaud.  Thank you, Mr. Chairman. 


The Chairman.  Mr. Filner. 


Mr. Filner.  I thank the panel for being here.  I want to make two 
quick comments, Mr. Chairman.  We can go through all of this analysis 
(We used to call it "analysis paralysis") and recommendations.  
Between the lines of the bureaucratese and the big words everybody 
is using, there is a failure of management at the very top.  The 
Secretary has not taken control, and we should hold him accountable. 
It is as simple as that, as far as I can tell. 


Secondly, it has been 6 weeks since this theft of data.  The 
Department of Veterans' Affairs finally got out a letter to people 
who were impacted by this theft, although they said they didn't get 
a letter out earlier because they did not have enough envelopes.  
The letter gives the veteran little support or help.  The Web site 
that everybody has been referred to gives little or no help.  The 
800 number gives little or no help.  Basically, the VA leaves it 
to the individual veteran to solve this massive issue. 


It is about time that the VA had an answer for these veterans.  We 
are going to make sure nothing happens again--that we have centralized 
IT--but we still have this problem.  Veterans are not getting the 
help, and they better!  I do not know how many people are sitting 
out there from the VA Department.  They have a lot of people 
monitoring stuff rather than doing stuff.  You better come back 
with a proactive stance soon.  It has been 6 weeks.  We should not 
go another week without having some help and hope for these 
veterans. 


The Chairman.  Thank you, Mr. Bilirakis. 


Mr. Bilirakis.  Thank you, Mr. Chairman.  To get clear here--and 
maybe we already are, I do not know--the General Accountability 
Office used to be the General Accounting Office.  So your 
responsibility is accountability.  Is that accountability limited 
to just making recommendations? 


Mr. Wilshusen.  Well, we do follow up to see if they are taking 
corrective actions on our recommendations. 


Mr. Bilirakis.  And if they haven't, that is it? 


Mr. Wilshusen.  Well, we report on that. 


Mr. Bilirakis.  You report on that. 


Mr. Wilshusen.  Yes.  We do not have the authority to actually 
implement the actions at the organizations. 


Mr. Bilirakis.  So I guess it really gets back to, again, what we 
have been talking about here, not really knowing where the buck 
stops.  And it really, I guess, stops with the head of the VA, I 
suppose, the head of the particular agency or department. 


Mr. Wilshusen.  Well, under FISMA he is responsible for 
implementing appropriate safeguards. 


Mr. Bilirakis.  Now, the IG, sir, I keep coming back to you because I 
keep thinking that you have, or should have maybe, more authority.  
Again, in your case, what is it?  You uncover things that go wrong 
and you make, what, you make recommendations, then? 


Mr. Staley.  Yes, sir.  At the conclusion of our audits we make a 
series of recommendations to the Department.  The leadership in the 
Department is responsible for implementing those recommendations.  
We have a follow-up system to determine whether their implementation 
plans are adequate and, again, if the recommendations are not 
implemented, we report them as such. 


Mr. Bilirakis.  You report them to, again, going back. 


Mr. Staley.  They are in our semiannual report to Congress and to 
the Secretary.  And we leave them open and we continue to ask the 
Department for corrective action. 


Mr. Bilirakis.  Mr. Chairman, again, we can talk about details here, 
but I am not sure even--we come up with legislation and we come up 
with laws and we mandate certain things and whatnot, but we are 
awfully busy people, despite the fact that we have oversight 
subcommittees.  We are awfully busy people and we go off to maybe 
fight another fire or whatever the case might be.  So it still comes 
down, I think, to culture and the mental state of the people who 
should be doing this job. 


I do not really have any hope, I do not care how many hearings we 
hold, that any of that is going to change until the culture 
basically changes in the VA and the other organizations, here 
in this committee where our concern is the VA.  It has always been 
my biggest concern ever since I have been in the Congress.  It 
is disappointing.  Thank you, Mr. Chairman. 


The Chairman.  Thank you, Mr. Bilirakis. 


Ms. Koontz, I have to go back to the issue on GAO and what actions 
are taken when there is a Department that may not act.  Have you ever 
seen any other Department or agency of government not act on your 
recommendations with regard to IT? 


Mr. Wilshusen.  Well, I would also just like to say with regard to 
VA, that on many of our recommendations that they have taken 
corrective actions, usually on the specific, detailed, technical 
control findings that we would identify.  I do not want to leave 
the impression that they have not done anything.  But with regard 
to the larger recommendations related to implementing an 
entitywide security program, their efforts have fallen short in 
that area. 


Other agencies where we have conducted repeatable work, we find 
similar situations where we can make a number of detailed technical 
findings and recommendations.  And often they will act on those, 
but it is more in terms of acting proactively and taking what they 
learned in terms of the identified findings and seeing if they 
exist elsewhere where they fall short.  And again it often comes 
down to not having implemented an information security program 
agencywide.  And, yes, those incidents do occur where we have 
made recommendations, and they have not yet fully implemented 
them. 


The Chairman.  Tomorrow in the Commerce Committee under part of 
Mr. Bilirakis' leadership, along with Nathan Deal and Sherrod 
Brown, on a bipartisan basis, we are going to deal with the health 
record and the security of the health record and these kind of 
issues.  We are going to create a position for a national 
coordinator within HHS so that we move toward more of a 
standardization with regard to plans and policies programmatics 
with the health record. 


And so it is interesting.  We are going to try to create that czar 
over the health record to make sure that everybody--and we moved 
to centralized--so here we are, Mr. Bilirakis and I, on the Commerce 
Committee, yet we are not going to defend a stovepipe.  The 
stovepipe in this case would be our jurisdiction of the VA. 


So when Mr. Bilirakis talks about the turf and everybody defending 
the turf, we are going to have to move toward the empowerment of 
this national coordinator to make sure it all gets implemented so 
we are not decentralized.  So as we talk about centralized, what I 
see is that is the trend line, that is where everybody is going. 


I asked staff, Ms. Koontz, to give up the August 1, 2003, memorandum 
from the general counsel that was read by Mr. Michaud.  I give it 
to you because as you look at this question for us with regard to 
general counsel and the interpretation of the FISH bill, this is 
on August 1, 2003, they make a holding that is completely different 
than the April 2004.  So it is almost like what happened over the 
year?  So it will be interesting, the way to get into this.  And 
we will be having Admiral Goss and Bob McFarland will both come 
in and give their testimony about what happened. 


These were two individuals who were attempted to have been empowered, 
and then their authorities were taken away and we have ended up with 
this mess.  I think it is clear to the American people that this 
loss of data was not caused by just the negligent act of just one 
person.  We have a systemwide meltdown of information management 
systems, and what we are going to do here in Congress is move a 
package that attempts to not only take actions to assist the 
veterans but also what can we do with regard to implementation 
down at VA? 


I want to thank you for your leadership.  We look forward to looking 
to your report.  And, Ms. Koontz, I have a feeling that you will be 
back before us soon.  This hearing is now concluded. 


[Whereupon, at 12:15 p.m., the committee was adjourned.] 
