[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                   OVERSIGHT HEARING ON VETERANS
                      BENEFITS ADMINISTRATION
                           DATA SECURITY

                     Tuesday, June 20, 2006


House of Representatives,
Subcommittee on Disability Assistance and
Memorial Affairs, Joint with Subcommittee 
on Economic Opportunity, Committee on 
Veterans' Affairs, Washington, D.C.


The Subcommittees met, pursuant to call, at 10:00 a.m., in Room 334, Cannon 
House Office Building, Hon. Jeff Miller [chairman of the Subcommittee on 
Disability Assistance and Memorial Affairs] and Hon. John Boozman [chairman of 
the Subcommittee on Economic Opportunity] Presiding.

Present:  Representatives Miller, Brown-Waite, Boozman, Berkley, Udall, 
Herseth, and Hooley. 


Mr. Miller.  Good morning everybody.  This joint hearing of the Subcommittees 
on Disability Assistance and Memorial Affairs and Economic Opportunity will 
come to order.


I would like to begin by saying this morning that while testimony was due to 
the Subcommittees by June 16th, we did not receive the VBA statement until 
last night.  We realize the Committee has scheduled a number of hearings this 
month.  However, we gave plenty of notice, in my opinion, and receiving the 
testimony the night before a hearing does not serve us well in our oversight 
capacity.


On the 22nd of May Congress and the public were informed that several weeks 
earlier there had been a severe data breach containing sensitive information 
on more than 26 million beneficiaries.  We learned just last week that an 
additional 2.2 million active duty servicemembers, reservists, and guardsmen 
and women may be affected as well.


Through testimony and briefings it is apparent that the Department's lack of 
specific policies and procedures has created security vulnerabilities.  While 
none of us could have imagined a situation affecting so many millions of 
people, I am beginning to believe something like this was bound to happen.


Since becoming chairman of this Subcommittee, a common thread is emerging.  
There appears to be a lack of uniformity within the Veterans Benefits 
Administration and certainly among the VBA.  Please understand that I'm not 
criticizing any single person or office.  There is certainly a cultural 
mentality that exists in many bureaucracies.  One of the difficulties facing a 
large agency like VA is that it takes time, it takes money, and buy-in to 
change that culture.  VA has not always been the most effective in keeping up 
with changing technologies, models or demands.  What has recently occurred has 
been the product of that resistance to change.


Whether it is lack of uniformity with how regional offices respond to a 
veteran or congressional inquiry, how claims are prioritized, or how 
information and technology and data security procedures are implemented, 
everyone seems to do things differently.


The IG found data security deficiencies at 37 of 55 regional offices.  Now if 
37 regional offices have 37 different ways of doing business, that requires a 
lot more management muscle to correct a deficiency than if we have a uniform 
implementation of procedures.


In order to receive benefits and services from VBA, veterans and survivors 
must provide at a minimum full names, social security numbers, and a home 
address.  In order to receive benefits such as nonservice-connected pension, 
wage and other financial information must also be submitted.


All of us trust that the federal government will do everything in its power to 
safeguard the information that has been provided.  Thankfully, we have not yet 
heard of any reports of identity theft, but the trust placed in VA has 
certainly been broken.


Our two subcommittees are holding this hearing to learn more about VBA's data 
security management program, what steps have been taken to educate its 
employees and how it intends to move forward to improve its data security 
policies.  I do look forward to hearing from the witnesses that are here 
today, and I want to turn now to the chairman of the Economic Opportunity 
Subcommittee, Dr. Boozman, for his opening remarks.


Mr. Boozman.  Thank you very much, Mr. Chairman, and I certainly appreciate 
your leadership in this area.


We appreciate you all being here.  You will notice that we have a large print 
version that shows the 16 IT vulnerabilities cited by the VA Inspector General 
as yet to be addressed by the Department.  The list shows a range of potential 
sources of data loss or compromise.  The recent loss of over 26 million 
veterans' personal data highlights several things.


First, data security must be founded on laws and regulations that are dynamic 
and enforced.  Second, the appropriate technologies must be in place to 
implement the right levels of security and assist in enforcement and 
prevention.  And third, there must be aggressive and consistent enforcement by 
senior VA officials.


I do not know the motivation of the employee who willfully disregarded 
whatever rules were in place regarding working on the sensitive data from 
home, but what I do know is the VA missed an opportunity to increase its 
corporate control over data by imposing the bipartisan legislation passed by 
the House during the first session.  That bill, H.R. 4061, would reform the 
way VA structures its management of its information technology programs.  
Without a solid foundation, whether in a building or an organization, 
everything above it is suspect.  The policies at H.R. 4061, if put in place, 
would have provided that foundation.  And while H.R. 4061 alone would not have 
prevented what has happened, if adopted, the VA would have had the basis for a 
coherent technology development and management program.


That would enable leadership to implement and enforce a whole range of 
policies designed to control not only the fiscal issues but also things like 
data security in combination with aggressive technical security applications.  
H.R. 4061 is the right answer at the right time and place.  The Department 
should reconsider its position on this bill and move quickly to consolidate 
its information technology programs.


I am not just worried about cyber security.  I am also concerned about how 
programs like vocational rehabilitation and employment control access to 
veterans' papers at the regional offices and their contractors.  These files 
often contain very sensitive psychological and other medical data which, if 
accessed by unauthorized personnel, could have serious consequences.


The constant theme in the testimony presented by the IG and GAO is the need 
for centralized cyber security among other things.  If the VA refuses to adopt 
a centralized approach to managing its IT systems as prepared by H.R. 4061, 
how can you expect to achieve consistency throughout the VA system on anything 
related to IT.


While we are talking about consistency, I want to broaden the scope just a 
little bit.  We constantly hear about how each regional office has its own 
process for handling benefits and that the first thing newly trained staff 
returning from something like Challenge Training is, "We don't do it that way 
in this RO."


It seems there is a lack of will by VA headquarters to impose and enforce best 
practices throughout its field operations.  Everything seems to be a 
suggestion and is left to the RO director to choose whether or not to follow a 
policy.


While I may be overstating the case slightly, it is a real problem facing the 
Department and certainly this is a tremendous challenge.  It is something that 
we as a committee are committed to helping.


Thank you very much, Mr. Chairman.


[The statement of John Boozman appears on p.  ]




Mr. Miller.  Thank you very much, Dr. Boozman.


I would like to now recognize the Ranking Member of the Subcommittee on 
Disability Assistance and Memorial Affairs, Ms. Berkley, for an opening 
statement.


Ms. Berkley.  Thank you, Chairman Miller and Chairman Boozman, for holding 
this hearing.


Since the Under Secretary for Benefits is responsible for information security 
at the Veterans Benefits Administration Office, I for one would like to 
understand what problems exist and the steps that are being taken to address 
these problems.


Veterans and service members in my district, I can tell you -- and I assume 
throughout the United States, are rightfully outraged that the security of 
their personal data has been compromised by the Department of Veterans Affairs, 
and I can assure you right after this was disclosed my phone in my district 
office was ringing off the hook and the level of anger and concern was very 
concerning to me.


In 2004, during a routine review by the Inspector General of the Reno, Nevada 
VA regional office, several deficiencies related to Benefits Delivery Network 
computer security and sensitive claims folders were identified.  Similar 
deficiencies have been identified throughout the Nation.


The Inspector General has reported that although the VA is responsible for 
promptly correcting identified deficiencies, there is no systematic action 
taken to assure that the deficiencies identified in one office aren't 
corrected at other offices.  This piecemeal approach to fixing problems 
probably provides little assurance to our Nation's veterans and probably isn't 
a very effective way of conducting business.


I am also concerned that there may be inadequate staff to perform audit 
functions at data centers.  I am sure there is inadequate staff.  In addition, 
it is not clear there is any method for assuring security and control of data 
extracts provided to various components of the VA.  Extracts such as these 
were reportedly the source of the recent data theft.


I hope -- and I am looking forward to hearing what the witnesses have to say, but 
I hope that you will address these concerns.  And again, thank you for being 
here today.  I am looking forward to your testimony.


Thank you.


[The statement of Shelley Berkley appears on p.  ]



Mr. Miller.  Thank you, Ms. Berkley.  And now the Ranking Member of the 
Subcommittee on Economic Opportunity, Ms. Herseth.


Ms. Herseth.  Thank you and good morning to you, Chairman Miller, Chairman 
Boozman, and of course Ranking Member Berkley and other colleagues.  I am 
pleased we are holding this hearing today to review the procedures at the 
Veterans Benefits Administration and the efforts to control and maintain 
veterans' personal and sensitive information in a secure manner.  I welcome 
witnesses on both panels this morning.  We appreciate your testimony.


The topic of today's hearing is both important and timely given the recent 
loss of nearly 26.5 million veterans' and active service members' private 
information.  Indeed, the Federal Government, as a whole, every federal agency 
and the VA specifically, must improve its data security measures and enhance 
its recognition of and respect for citizens' privacy and health information 
laws, and it is incumbent upon us as a subcommittee, as a full committee, and 
the other committees on which we serve to ask these questions and to get the 
answers that will guard us as well in the future as it relates to the 
resources that each of our federal agencies need and the continuity of each 
CIO organization and the strength of those organizations to implement what we 
passed 10 years ago to ensure the data security of citizens' privacy and other 
information.


I have a chance to see a lot of veterans across South Dakota; in particular, a 
lot of our Vietnam veterans as we get ready for a Memorial dedication in 
Pierre, South Dakota this fall, and as we know, it took a number of those 
veterans sometimes a number of years to overcome a level of distrust to even 
reach out to the VA to obtain some of the benefits that they deserve and many 
of them that I see now just shake their heads when they received the 
information that their information was compromised.


And in addition to that, many of them are serving to reach out to newly 
returned veterans, to work with them to make the adjustment back home after 
their deployments, and all of these men and women deserve our very best.  We 
know that the employees at the VA feel the same, but we have to ensure levels 
of accountability and a system that is in place with policies and supervision 
and enforcement to maintain the integrity of this data and a fast changing 
financial services environment.


So today, I am particularly interested in hearing about VBA's data security 
procedures with respect to information transferred to and from other Federal 
agencies, when information is controlled by contractors, such as the case when 
service members apply for education benefits or when contractors provide for 
vocational rehabilitation and employment services to a disabled veteran.


So both chairmen, ranking member, thank you again for the hearing today.  We 
look forward to the testimony.


[The statement of Stephanie Herseth appears on p.  ]



[The statement of Ginny Brown-Waite appears on p.  ]




Mr. Miller.  Thank you very much.


The first panel is already seated at the table.  Mr. Ronald Aument is Deputy 
Under Secretary for Benefits at the Veterans Benefits Administration.  He is 
accompanied this morning by Mr. Jack McCoy, Associate Deputy Under Secretary 
for Policy and Program Management; Mr. Michael Walcoff, Associate Deputy Under 
Secretary for Field Operations; and Mr. Thomas Lloyd, Deputy Chief Information 
Officer at VBA.


Mr. Aument, you may begin.



STATEMENT OF RONALD AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS 
BENEFITS ADMINISTRATION; ACCOMPANIED BY JACK McCOY, ASSOCIATE DEPUTY UNDER 
SECRETARY FOR POLICY AND PROGRAM MANAGEMENT, VETERANS BENEFITS ADMINISTRATION; 
MICHAEL WALCOFF, ASSOCIATE DEPUTY UNDER SECRETARY FOR FIELD OPERATIONS, 
VETERANS BENEFITS ADMINISTRATION; AND THOMAS LLOYD, DEPUTY CHIEF INFORMATION 
OFFICER, VETERANS BENEFITS ADMINISTRATION



Mr. Aument.  Thank you, Mr. Chairman.  Chairman Miller, Chairman Boozman and 
members of the subcommittee, thank you for the opportunity to appear before 
you today to discuss data security and the Veterans Benefits Administration.


I would like to open up with an apology for the lateness of our prepared 
statement, Mr. Chairman.  I have no excuse for that.


I am accompanied by Mr. Jack McCoy, the Associate Deputy Under Secretary for 
Policy and Program Management, Mr. Mike Walcoff, Associate Deputy Under 
Secretary for Field Operations, and Mr. Tom Lloyd, Deputy Chief Information 
Officer.


With the committee's permission, I will offer a summary statement this morning 
and request that my written statement be submitted for the record.


Mr. Miller.  Without objection.


Mr. Aument.  Let me assure the subcommittee that VBA is thoroughly examining 
every aspect of our information security programs, our processes and our 
procedures to ensure that sensitive veterans data is neither mismanaged nor 
used for any unauthorized purpose.  Although our review is ongoing, I will 
outline security measures we have had in place prior to May 3rd, 2006 and 
additional steps we have taken regarding our data security policies and 
procedures.  I will also specifically address the security of the data feeds 
between VBA and the Department of Defense.


Responsibility for all IT security policy is centralized to the Department's 
Office of Cyber and Information Security, which reports directly to the VA's 
Chief Information Officer.  Implementation of IT security policy and 
procedures in VBA is through a three-layer organizational assignment of 
responsibilities.  The Information Security Officer at each regional office is 
responsible for the execution and oversight of IT security policy and 
procedures.  ISO has managed local access control to IT resources.  It 
conducts security audits under the focal point for incident reporting in the 
VBA facility.  The network support centers provide oversight of regional 
office compliance of IT security policy and procedures and expert advice to 
the regional office ISO community and IT staff on technical issues.  The VBA 
IT organization and headquarters provides technological support which 
implements IT support and procedures on the computer applications and systems.


The Secretary's recent decision to further centralize all IT operations and 
maintenance activities brings all of the VABs under the Department CIO.  We 
believe this further centralization of IT security will raise the 
organizational focus on the critical security issues and challenges and will 
bring added oversight and safeguards for sensitive information and records.  
VBA has incorporated security into all of our information systems and benefits 
delivery processes.  We have extensive well-articulated policies and 
procedures governing access requests, auditing and rules of behavior.  These 
policies and procedures pertain to all VBA employees as well as any other 
individuals authorized access to VBA systems and data.  In all VBA's benefit 
systems veteran data is protected by VA and VBA security policy and IT system 
and application security controls.  Programmatic access controls restrict 
access according to the specific veteran's record level of sensitivity and the 
authority of the individual accessing the data.


All individuals authorized access to VA systems must adhere to rules of 
behavior that govern the use of IT systems and capabilities.  The rules of 
behavior ensure that all users of IT resources are aware that any source 
potentially contains valuable and sometimes sensitive government or personal 
information which must be protected to prevent disclosure, unauthorized change 
or loss.


The VBA internal controls process requires regional office directors to 
conduct systematic analysis of their IT security operations and to certify 
annually that their facilities are in compliance with the directives.  The 
network support centers conduct annual surveys to ensure that the ROs are 
adhering to all VA, VBA and all other Federal security directives in the 
handbooks and that the deficiencies identified through the Inspector General's 
Combined Assessment Program reviews are remediated.


In August of 2005, VBA completed the federally mandated certification and 
accreditation of 97 application systems on schedule.  VBA has a secure 
technology solution in place for external system users.  External access to 
VBA is controlled through the One-VA Virtual Private Network to a centralized 
terminal server.  VBA outbased workers as well as authorized veteran service 
organization representatives used One-VA VPN capability.  Additionally, the 
Veterans Administration Portal supplies secure encrypted user access to loan 
guarantee applications for internal and external users.


In March of this year we started the process to accelerate the implementation 
of public key infrastructure technology throughout VBA.  PKI will provide a 
common utility for VA to provide more secure electronic transactions and e-
mail.  VBA is supporting the Secretary's direction to accelerate to annually 
require privacy awareness and Social Security training.  All VBA's employees 
are now required to complete these training programs by June 22nd.  That will 
be this Thursday.


We have compiled a list of VBA databases that contain sensitive information 
and all interfaces or data feeds that update these databases.  A VBA work group 
has been tasked with assessing all VBA policies and procedures related to the 
release of data protected by the Privacy Act to provide recommendations to 
improve protection of the data.


We also updated and strengthened procedures for handling veterans' requests to 
change address and direct deposit information to ensure proper verification of 
identity of the individual requesting the change.  In the average month, we 
receive in excess of 40,000 requests from VA beneficiaries to change their 
financial institution and/or their address.


Effective June 7th, in accordance with the Secretary's direction, VBA 
suspended all work at home and Flexiplace arrangements for employees directly 
involved in disability claims processing.  Employees who adjudicated claims at 
their homes or other non-VA work sites will now do all claims work requiring 
claims files in regional offices.  While VBA evaluates various solutions to 
protect sensitive data transported to and from offices, we are also developing 
a standard work at home and Flexiplace agreement to ensure all employees 
absolutely understand the responsibilities to safeguard sensitive data.


VBA will implement VA encryption solutions.  We have procured encryption 
capabilities for laptop computers and are considering expanding the use of the 
terminal server concept as a means of reducing or eliminating the information 
stored locally on a user's work station.  We are also working with the Office 
of Acquisition and Material Management to reinforce strong control of the 
shipping of records containing personal identifiable information.  This 
includes review of tracking procedures, signature requirements and expedited 
shipments.  Department of Defense data is delivered to VBA via secured 
transmission using commercial software products and direct computer-to-
computer connection.  These tools are used when sending or receiving files 
from the Defense Manpower Data Center.


The VA is fully committed to the uninterrupted delivery of the benefits to 
those who have returned from the battlefield and who are transitioning into 
our VA system.  We recognize the importance of securing the information shared 
with our DOD partners.


Our mission is to serve veterans and to provide benefits to the best of our 
ability.  IT is an essential tool that helps us serve veterans better, faster 
and more thoroughly.  However, the rapid rate of technological advances, while 
offering improved and expanded benefits delivery, also presents an ongoing 
challenge to VA to keep pace with security and privacy demands.  IT can make 
our service better and faster but the vulnerabilities increase just as fast.  
We must and will do what is necessary to protect as well as serve our 
veterans.


Chairman Miller and Chairman Boozman, this concludes my statement.  I will be 
happy to answer any questions you or any members of the subcommittee might 
have.


[The statement of Ronald Aument appears on p.  ]




Mr. Miller.  I don't know how many hearings that I have attended, and there 
are more to come in regards to this particular issue.  I know my colleagues 
have all been involved in hearings, and this is not a question that was 
prepared, but probably one that all of my colleagues want asked.


Every time I come into a Committee hearing where we are dealing with this 
issue, I am angry.  More than angry.  And then when I sit down and I hear the 
testimony that is given and the way the testimony is given and there is no 
emotion in the testimony, and I want to know what was your personal feeling 
when you heard that this had occurred.


Mr. Aument.  I felt somewhat betrayed that we had provided information to a 
trusted source that we expected to take the same level of care of that 
information that we would expect of our own employees and I felt betrayed and 
I felt as though we had betrayed our veterans.


Mr. Miller.  I am glad you ended your statement with "we have betrayed 
veterans" because the employee doesn't matter to me.  That employee is gone.  
And whatever reason, it's over.  But I sat in here, I think it was last week, 
and listened to testimony and there is no visceral reaction that I can tell 
except the Secretary was shaking profusely because he was so angry when he 
testified the first time.  But I don't see it from anybody else, and I hope 
that it is just me not reading people's body language correctly.


I would hope that everybody sitting at that table today would be mad as hell, 
and I don't see it.  Can I ask the people who are with you if they are upset 
too?


Mr. Aument.  Of course.


Mr. Miller.  Mr. Lloyd.


Mr. Lloyd.  Yes, sir.


Mr. Miller.  Mr. McCoy.


Mr. McCoy.  Absolutely.


Mr. Miller.  Mr. Walcoff.


Mr. Walcoff.  Yes.


Mr. Miller.  Thank you.


Who at VBA is responsible for implementing the new directive that is out 
there, Directive 6504, and how is it being implemented?


Mr. Aument.  Well, as with any directive, Mr. Chairman, the Under Secretary is 
ultimately responsible for its implementation.  Directive 6504, and I may turn 
to my colleague, Mr. Lloyd is very much a technical -- has many technical 
capabilities, that we would rely upon the IT organization for its ultimate 
implementation.


Mr. Miller.  Mr. Lloyd.


Mr. Lloyd.  With the implementation of the federated model the operations and 
maintenance people of VBA have been detailed to the CIO's office.  We continue 
a close working relationship, and we are working to implement the directive.  
We have implemented the acquisition of the laptop software that Mr. Aument 
mentioned.  We are working with the ISOs on our collection of information 
about who has access to every system, every application and the assurance that 
the documentation is appropriate for the access that the people have.  We are 
looking at our databases, who has access for the appropriate approval and the 
documentation.  We have developed a plan to implement all of the items in the 
Secretary's directive.


Mr. Miller.  As a follow-on, 6,000 accredited VSO representatives are out 
there today but only 1,300 have completed the training responsibility involved 
in preparation of claims.  How do you ensure and monitor that only registered 
users have access to the system and how does VBA monitor representatives as 
fiduciaries?


Mr. Aument.  The Veterans Service Organization representatives have to undergo 
the same types of training both in IT security and in privacy training that we 
require of any VBA employee.  Anyone accessing the VBA system has to submit a 
request that at the local level those are managed by the ISO, the Information 
Security Officer.  We also require that before anyone is given -- granted access 
to our systems in the VSO community that they would read, understand and sign 
the rules of behavior that we require of all VBA employees that we afford 
access to systems as well.


Mr. Miller.  I may have a follow-up question that I will submit for the 
record.  Another question that has been asked in other hearings is about the -- I 
guess it was in the mid-1970s C File numbers were used and then there was a 
transition to social security numbers.  Are you exploring a change to the 
policy of using social security numbers?


Mr. Aument.  We have certainly discussed that.  I know that is an idea that 
has generated a lot of interest from those concerned with this data loss.  At 
the moment I believe that we are probably -- it is not a solution that we can 
take and run with, Mr. Chairman.  We receive data importantly, most 
importantly from the Department of Defense, which uses as their unique 
identifier Social Security numbers for those transitioning from the military 
services.  We are also required by law to provide extensive -- have extensive 
information exchanges with other government partners.  By law, we are required 
to do data matches with the Social Security Administration and the Internal 
Revenue Service to support the continuing payments of benefits to those 
individual unemployability or for means tested programs.  We have to provide 
information through data matches to the Department of Education for veterans 
who are applying for assistance in the Department of Education programs. 


This is just to mention a couple of the types of exchanges that we have to 
make routinely with outside interests in support of veterans programs.


These entities all use Social Security numbers as their unique identifier.  So 
even if we for internal purposes decided to revert back to a unique claim 
number, we would still have to be able to cross-reference that in some fashion 
to Social Security numbers to facilitate these types of exchanges.


Mr. Miller.  Thank you.


Dr. Boozman.


Mr. Boozman.  Why don't I yield to the gentlelady from Nevada, and then you 
can come back to me.


Mr. Miller.  I was going to do that, but then I was told protocol said I had 
to go to you first.


Mr. Boozman.  You did go to me and I yielded.


Mr. Miller.  Thank you.  You are a kind gentleman.  You can be the hero.


Ms. Berkley.  Thank you all very much.


You know, it is -- how can I say this, I didn't have the same reaction that the 
chairman had about people not being mad enough because I didn't sense, quite 
frankly, that the Secretary -- he was mad but I think he was mad because this 
happened under his administration and frankly, if it hadn't blown up in 
everybody's face, I don't think -- I think he is so disengaged from the day-to-
day operation of this department that he wouldn't have known, he wouldn't have 
cared, and he wouldn't have bothered to inquire.


But what I am always struck with when people from the VA come and talk to us 
is how great the policies are.  And I mean you can, you know, we have heard 
testimony about some of the best policies and signing in and signing out and 
handbooks and all of the employees have training and yet the reality is that 
we have got a mess on our hands.  So it doesn't matter much what our policies 
are.  If they are not implemented and if we don't have people making sure that 
these are implemented, and I might be wrong, but I understand that the 
employee who is no longer here that the 26 or 27 million names were stolen 
from, he had done everything he needed to do, signed the -- signed whatever he 
needed to do, attended whatever seminars he needed to do and he went ahead and 
did something completely wrong for 3 years that he wasn't supposed to be 
doing.  So it doesn't much matter what our policies are if we don't make sure 
that they are followed.


Let me ask you a couple of questions, or I have a number of them but there may 
be a second round.


How are all of the regional offices notified of patterns of deficiency 
identified by the IG?  I mean, is there a method of letting everyone know?


Mr. Aument.  Yes, there is, Congresswoman.


Ms. Berkley.  Do we do it?


Mr. Aument.  Yes, we do.  In fact, during the month of May, early in May, 
Admiral Cooper sent a memorandum to the regional officers bringing to their 
attention the deficiencies that were uncovered during the prior year's 
Inspector General CAP reviews.  And I may ask Mr. Walcoff, my colleague, to 
discuss a little bit, you know, further about what the expectations are but --


Ms. Berkley.  I would like to know once he sent out the notice in May, did we 
get feedback, do we know that they are now in compliance or moving towards 
compliance?  How do we do this?


Mr. Walcoff.  The letter that Ron was talking about was dated May 10th, was 
sent out by the Under Secretary, and we have gotten confirmation from every 
regional office that they are in the process of working on every one of these 
areas that was identified by the IG in their reviews, even in the situation 
where they themselves weren't reviewed but our OS officers were.  So they were 
supposed to review their own office to make sure they don't have deficiencies 
in that area.


The IT recommendations will be fully implemented -- I think I gave them till 
Friday of this week.  The non-IT recommendations they have another 3 weeks 
after that to fully implement, but we will get a certification from every 
regional office director that it is done in their office.


Ms. Berkley.  Do you think you can provide us with a copy of that letter for 
the record?


Mr. Walcoff.  Sure.


[The information appears on p.  ]



Ms. Berkley.  How does VBA control data which is extracted from VBA's data 
system for use by a VBA office and other -- VBA's other departments?


Mr. Aument.  Let me begin by giving you background and maybe transitioning 
into what we believe needs to be done as well.


Presently, any outside entity, and that could be both from within VA or from 
outside of VA, first has to initiate a formal request that goes to our Chief 
Information Officer within VBA.  They conduct a technical review of that 
request for data and then they consult back to the program office responsible 
for the contents of that system; for example, that would include our 
compensation and pension service or education service dependent upon the 
nature of the request, to try and make some determination of the 
appropriateness and the need for that request.


They then would, based upon that consultation, make a determination as to 
whether or not to provide that information.


At that point typically it has to go then to one of our data centers to have, 
you know, database administrators do the programming necessary to actually 
extract the data from the relevant system, and then it is made available based 
upon the requested arrangements with the requestor.  That is quite a range of 
potential business partners that make use of that sort of information.


Ms. Berkley.  Do we have a log?  How do we monitor this?


Mr. Aument.  Absolutely.  There is a number of them that are routine data 
exchanges.  We probably have some noted in the hundreds for that going to 
entities such as the Department of Defense, the Department of Education, other 
types of Federal partners as well as internal ones.  Our Office of the 
Inspector General receives routine data extracts out of the compensation and 
pension system as well as from the BIRL system.


This is an area that we have charged our performance analysis and integration 
to do some additional due diligence on behalf of VBA.  We believe that we need 
to have better rules on monitoring that.  For example, better rules governing 
how that information can be used, better rules that would make sure that that 
is not shared with any other entity or reconstituted in any other fashion, 
better rules saying the duration which they are allowed to maintain that data.  
If it is given to them for a specific purpose, we believe an improved system 
would require what they must do with it after they have completed that task is 
to destroy it, return it back to VBA.  We have looked at some other entities, 
Social Security, for example, that we believe serves as a much better model 
for that.  And it is our intention to try to strengthen this process 
considerably.


Ms. Berkley.  Thank you.  Are we going to have a second round?  In that case, 
I will yield.  Thank you very much.


Mr. Miller.  Dr. Boozman.


Mr. Boozman.  It is interesting, the VA, you all can be complimented, I think 
the system can be complimented in the sense that you have really been a leader 
in getting our records into format, which is important.  This whole country is 
going through this transformation process to make it easier for people to get 
access and yet along with that we want the access where we can use these 
things and yet now -- and this is a huge thing that is something that again the 
whole country is struggling with how you protect access from unwarranted 
whatever.


So like I say, you have done a good job at switching over.  That is to be 
commended.  But I think the committee feels like you have not done as good a 
job as we need to and certainly this new incident brings that to a head.


I mentioned in my opening statement that we passed H.R. 4061 to consolidate IT 
policy and system development under the corporate Information Security 
Officer.


In light of what has gone on and in light of showing some weaknesses in the 
system, is there any rethinking of your position on the bill?  Is there any 
way we can work with you to --


Mr. Aument.  Well, Mr. Chairman, I don't speak for the Department in that 
regard.  The Secretary certainly has made a decision as to the organizational 
change that he believes is needed and our job is to make sure that we 
implement the Secretary's decision as thoroughly --


Mr. Boozman.  We can assume that is a no.


Mr. Aument.  Right.  We certainly agreed, I think -- I mentioned that in my 
opening remarks, I think, that the IT security arrangements are going to be 
strengthened by the centralization of all security assets under the guidance 
of the CIO.


Mr. Boozman.  Last week's full committee hearing GAO and VA's own Inspector 
General's Office doesn't give its Chief Information Officer authority to 
implement the recommendations without approval from 33 Under Secretaries.  Do 
you believe that that is appropriate and that the Under Secretary should have 
that authority?


Mr. Aument.  Do I believe that is appropriate?  I believe the General Counsel 
is reviewing that issue at the moment as we speak, and I am not sure that is 
an accurate statement today given the centralization of all of the security 
assets now to the CIO.  It is my belief he has direct line authority today 
over all of the ISOs and all of the field personnel responsible for 
maintaining our systems.


Mr. Boozman.  So the IG testified to that effect last week, so it is changed?


Mr. Aument.  Well, again, that is an area that is probably a little bit 
outside of my portfolio.  But I do believe that with the detail of the 
personnel that are going to be permanently reassigned on October 1st that the 
CIO has direct line authority for all of the field IT staff within the 
Veterans Benefit Administration.


Mr. Boozman.  But you would agree that makes sense to do it that way?


Mr. Aument.  Yes, I do.


Mr. Boozman.  Do existing labor agreements contain any provisions for 
enforcing unauthorized use or access to data?  If not, do we anticipate 
revising the labor agreements to enable the Department to hold employees 
accountable for these types of actions?


Mr. Aument.  Yes.  It is not necessarily built into the labor agreement, but 
in our rules of behavior, which every employee must sign, it is explained 
that there are consequences for violation of those practices 
and policies.  It is explained to them.  That range of consequence can be from 
terminating their access privileges to systems up to removal from Federal 
service.


Mr. Boozman.  Could you give us copies of the rule?


Mr. Aument.  I would be happy to.


[The information appears on p.  ]




Mr. Boozman.  Thank you, Mr. Chairman.


Mr. Miller.  Ms. Herseth.


Ms. Herseth.  Thank you, Mr. Chairman.


Mr. Aument, I notice on your written testimony on page 10, actions taken to 
inform veterans about the data theft, that you talk about public contact teams 
working extended hours contracting with GSA, meeting with other contractors.  
I am somewhat familiar with what GSA charges our Federal judges and their 
chambers to rent space and provide other services.  So can you tell me how 
much the VA has expended on notices to veterans operations to call centers and 
other activities related to the data breach and from what accounts the funds 
are being provided?


Mr. Aument.  I certainly can, Congresswoman.  Let me begin with the mailings, 
the direct mailings that have been made to veterans and service members to 
inform them of this data breach.  A total of 17-1/2 million letters were sent 
out in this first round of mailings.  The cost for that was over $7 million.  
Around a million dollars cost for the printing costs and somewhat over $6 
million for the postage cost of that mailing.


For the call centers, we have spent to date the last I was informed on this 
was 3 to 4 business days ago we had spent slightly over $7 million for the 
operations of the call centers.  And that we are probably spending today a 
little bit over $200,000 a day for their continued operation.


That money at the moment I must say is not strictly a VBA expenditure but 
departmental expenditure in that they had made arrangements with the 
Appropriations Committee for reprogramming for other funds to support this 
effort.


Ms. Herseth.  And are the mailings coming out of -- you said the first round of 
mailings.  Is it coming out of VBA or --


Mr. Aument.  We are anticipating there may be follow-up communications that 
are warranted on whatever types of follow-up actions that the administration 
and Congress feel may be needed to help veterans in this matter.


The compromised information came from the BIRL system.  I am sure you have 
seen referenced in some of the explanations here -- contains -- not contain 
veterans' addresses.  So we really did not know the addresses of these 
individuals, many of whom are not receiving benefits from VA.


We obtained -- we did not really even obtain those addresses, but we had to send 
data or our data files to Social Security Administration who reviewed through 
their records to try to find valid addresses and Social Security numbers.  
They did some Social Security number validation on that.  They in turn shared 
the information with the Internal Revenue Service to try and find as many 
accurate addresses as could be possible from those data files.  Then that 
information was then passed along to contractors to the Government Printing 
Office.  But none of that information actually came back to VA.


Ms. Herseth.  Okay.  I think I followed the circuitous route that this took.


So you mentioned that there has been a request to the Appropriations Committee 
both for fiscal year 2006 and fiscal year 2007 and reprogram moneys.


Mr. Aument.  Not fiscal year 2007.


Ms. Herseth.  Do you think there will -- anticipate there will be a request?


Mr. Aument.  I really hate to speculate on that.  I don't know of anything 
that is planned on that at the moment.


Ms. Herseth.  Along the lines of what VBA understands to be within this 
universe of compromise data, let us say hypothetically -- well, let me first ask 
the question of the 17-1/2 million letters that have been sent, those have all 
gone to and what you just described there in trying to verify matching Social 
Security numbers up with addresses to those within the universe of the 26-1/2 
million veterans whose data was compromised?


Mr. Aument.  Yes.


Ms. Herseth.  If an active duty airman has only contact with the VA, has been 
to apply for a home loan, was he informed within -- I am still trying to 
understand who was really encompassed by --


Mr. Aument.  The process of information entering into that system today since 
the early 1990s, the Department of Defense has sent us information at the time 
of enlistment in the service, so that the service member need not have applied 
for any VA benefits to have had their information included in this system.


Ms. Herseth.  And I know there will be a chance for a second round.  So is the 
VA, VBA, everyone is still trying to figure out just how this universe came 
together with this particular employee's project that he was working on so it 
is more just what you had as of enlistment, but we still aren't quite sure how 
someone could have been drawn into that pool, that universe of individuals 
whose data was compromised?  We are trying to figure that out?


Mr. Aument.  We believe we know the one large file that we are speaking of, 
this extract from BIRLS.  We understand the programming that was used to 
select the records that went into that.  So we believe we understand the 
universe of compromised records.


The 26-1/2 million, it is the difference between 26-1/2 million records versus 
the 17.5 million records was sent out, was that not all of those records 
contained all of the complete data.  For example, I ran 7 million of those 
records, they contained no Social Security number.  Without that Social 
Security number, it was not possible to conduct any sort of accurate address 
determination on that.


So we also found that in the records, included in the records were invalid 
Social Security numbers in some cases, which once again would have prevented 
any sort of a finding of address, and in some cases it involved deceased 
veterans as well.


Ms. Herseth.  I will wait for the second round.  Thank you, Mr. Chairman.


Mr. Miller.  Ms. Brown-Waite.


Ms. Brown-Waite.  Thank you very much, Mr. Chairman.  In reading over the 
testimony, it was noted that VBA has recalled all work-at-home employees and 
required them to return all files and equipment to VBA.  How do you know what 
files they have?


Mr. Aument.  I am probably going to turn this over to Mr. Walcoff, but there 
have always been in existence for all of our claims adjudicators who are 
working at home fairly rigid check-out/check-in practices for any files that 
they take away from the regional office, you know, for work home -- under 
work-at-home agreements.


Ms. Brown-Waite.  Do these include electronic files?  If they downloaded an 
electronic file, what record do you have of that?  And I will let the 
gentleman answer.


Mr. Walcoff.  Well, the --


Mr. Miller.  If you pull your mike and then turn it on.


Mr. Walcoff.  The vast majority of the work-at-home people were rating 
specialists and we have -- we use a system called COVERS to electronically track 
where a folder is so when they take folders home, we will wand it and it will 
be electronically recorded that that folder is being taken home by that 
particular rating specialist.  So we are able to make sure that every folder 
that was taken out by our rating specialist back to his house was brought back 
when he brought all of the equipment in and all of the hard copy folders.


Ms. Brown-Waite.  I am not sure that I got the answer to the electronic files.


Mr. Aument.  We may have to turn to Mr. Lloyd on that.  But I believe that the 
on-line components of the veterans' record are not downloadable to these 
individuals' work station.  They would have the narrative descriptions of the 
rating decisions that they are working on for the immediate case that they are 
working on on the personal computer.  But --


Ms. Brown-Waite.  I would also ask what COVERS, the acronym, what that stands 
for?


Mr. Aument.  I am not sure, Congresswoman.  It is the tracking system that we 
use internally and externally in the regional office to track the locations of 
veterans' claims folders.


Ms. Brown-Waite.  Is that the same system that when I call in on behalf of a 
veteran that the file could never be found?


Mr. Aument.  I am not really able to answer that question.


Ms. Brown-Waite.  Or is that another acronym?


Mr. Aument.  Could you restate the question, please?


Ms. Brown-Waite.  Is that the same system that when I call in inquiring on 
behalf of a constituent that the file can't be found, is this the same system?


Mr. Aument.  Quite possibly, yes.  The difficulty there would be within the 
regional office we could identify it is within the service center but as to 
whether or not it is on an individual's desk or on a file cabinet sometimes it 
might be imprecise in that fashion.  We would be able to track if it has left 
the building under the work-at-home program.


Ms. Brown-Waite.  I still need the answer to the electronic files question.


Mr. Lloyd.  When a veteran rating specialist works at home, they take the 
folders with them and they use an application called RBA 2000.  That 
application allows them to work at home in the development of their rating 
information.  There is a local database on the PC they use at home that 
contains the work that they are doing while they are at home.  When they come 
back to the office, which I believe is weekly or biweekly, they upload that 
information into the corporate database.  So while they are working at home 
there is information in the development of the ratings that they are doing.


Ms. Brown-Waite.  Just a follow-up question, Mr. Chairman.


When you ask them to return all files and equipment, what sanctions were there 
if this request was ignored?


Mr. Aument.  There were 370 ratings specialists in total working from their 
homes who were required to return to the regional offices.  I believe that 
involved most, if not all, regional offices.


Mike?


Mr. Walcoff.  Yeah.  Not every station had work at home -- had people working at 
home.  I would say about two-thirds of the stations did and every one of them 
has come back to the office with their equipment, with their files.


Ms. Brown-Waite.  One other question.


On page 13 of the testimony of Mr. Aument, there was a statement that said 
VBA -- it is about, almost halfway down the page -- information security officers 
are required to review users' access and privileges at least quarterly or when 
a job change occurs.


After a job change occurs, how soon does that review take place, you know, and 
you know job change could be termination?


Mr. Aument.  Tom, do you have an answer to that?


Mr. Lloyd.  Specifically for the terminations part of the check-out procedure, 
the supervisor and HR staff are to inform the Information Security Officer 
that the employee has been terminated and the ISO is supposed to remove all 
permissions and access on the day that the person leaves.  That is the 
process.


Ms. Brown-Waite.  Have there been any examples of when the access continued after 
the employee was terminated?


Mr. Lloyd.  I am aware over the course of the years where -- especially 
interorganizational terminations that we don't always inform each other and 
the ISOs didn't know an employee has been terminated.


Ms. Brown-Waite.  Has that situation been remedied?


Mr. Aument.  One of the things we are doing at the moment with Mr. Lloyd, an 
example that he might be referring to where a VHA employee has access to a VBA 
system, authorized access, and we may not follow as closely when that 
individual changes jobs, is reassigned, retires or is terminated.  We are 
working with the Department for a solution on that today.  That would allow us 
access to our payroll system to have these automatic updates provided from the 
payroll system to that effect.


Ms. Brown-Waite.  Just one quick --


Mr. Miller.  Let's go to the other two members and then we will come back.


Ms. Brown-Waite.  Okay.


Mr. Miller.  Did I hear you right that every file that is taken out or all 
information that is taken out you have the ability to track when the 
information leaves; is that true?


Mr. Aument.  All the files, you know, have a bar code attached to the file.  
The procedure is that when a file is -- it leaves the building under the work-at-
home program would be to, you know, using the bar code reader check that file 
out and at the time it returns check the file back in.


Mr. Miller.  But going back to Ms. Brown-Waite's question, that is not an 
electronic file, correct?  That could be a paper file?


Mr. Aument.  That is a paper file.


Mr. Miller.  So an electronic file could have been removed and you don't have 
a way to track that?


Mr. Aument.  We do not have all of the veterans' data -- I wish I could say 
otherwise -- contained in an electronic file.


Mr. Miller.  We know that.  All Members of Congress are aware of that.


Mr. Aument.  Right.  So that the information that they would have access to at 
home through RBA 2000 is the information accessible to them.


Mr. Miller.  I guess I am still trying to figure out how we are still not sure 
today of the information that is missing, who it affects, and it seems like 
every week we get a new group of people that are included.  How is that so?


Mr. Aument.  I believe, and you will certainly have an opportunity to speak to 
the next panel, the Inspector General has been looking carefully as to what 
access to data this employee actually had.  I would like to think that, you 
know, we know fully today and that there will be no further disclosures, sir.


Mr. Miller.  Thank you.


Mr. Udall, questions?


Mr. Udall.  Thank you, Mr. Chairman.  According to the IG testimony, a 
contractor successfully penetrated the VBA system access to regional office 
files, created a fictitious veteran, established an award and mailed an award 
letter to a real address.


If all of the policies and procedures you described were in place and 
functioning, how was this possible?


Mr. Aument.  This incident, Congressman, took place a little over a year ago 
at our Waco regional office.  Let me start to begin with, and I am sure you 
will follow up with our colleagues from the Inspector General's Office, that 
first of all, they were already afforded access to the system.  The IG had 
requested permission to get inside the firewall.  So this did not replicate 
the situation where an entity outside VA would have broken into the system to 
have done this type of fraudulent activity.


Mr. Udall.  Would somebody with the information that was taken out in the case 
of this recent employee, would they have been able to use that information and 
access the system?


Mr. Aument.  No, they would not have.


Mr. Udall.  Go ahead.


Mr. Aument.  But the Inspector General was already given privileged status to 
be inside the system wherein they then conducted what is the equivalent of 
sophisticated hacking of captured passwords.


What this really demonstrated would be that a sufficiently skilled VBA 
employee with fraudulent intent inside a system, you know, could go ahead and 
have replicated the IG's efforts to create a fictitious payment.  Now, they 
have identified to us the shortcomings, you know, the critical vulnerabilities 
and we have taken actions to address those vulnerabilities.


Mr. Udall.  So from what you are saying then no longer would somebody within 
the system with the access they have be able to do what they did?


Mr. Aument.  I believe we have remediated.  There were about a dozen different 
vulnerabilities they have raised.  We have remediated most of those.  Any of 
those which have not been completed, they are in the process of remediation.


Mr. Udall.  According to the IG, VBA senior leadership is not receiving 
information concerning the financial costs of correcting conditions identified 
by the IG.  How can VBA obtain a complete and accurate picture of the 
resources and funding needed to remediate security deficiencies without such 
information?


Mr. Aument.  I am not really certain of what the IG's particular findings and 
recommendations are in that regard.  I do know that one of the largest 
undertakings that we have begun over the past year was the completion of the 
original round of certification and accreditation of application systems that 
were completed by the end of fiscal year 2005.  We have gone through and we 
have identified all the tasks that need to be undertaken to remediate the 
findings of that process, and we have attached a price tag to each and every 
one of those remediations.


We understand what it is going to cost us to solve those problems.  Other 
types of problems that we believe that we need to be addressing, it is in a 
full encryption solution, both for, you know, desktop systems as well as the 
transmission systems and our legacy systems.  We have attached price tags to 
those as well, too.


There may be some financial unknowns, but we believe that we have tried to 
address, get our arms around those as best as we possibly can.


Mr. Udall.  According to your testimony, in the average month VA receives in 
excess of 40,000 requests to change the financial institution or address for 
receipt of benefits.


I understand that all financial institution changes for veterans being paid on 
Vets Net must be manually adjusted at the Hines BDN.  Is this still the case 
and when will VetsNet be able to handle such transactions without manual 
rekeying of information?


Mr. Aument.  Tom, can you answer that?  I am not sure that is still true or not.


Mr. Lloyd.  I believe, Congressman, that is in the August release.  It is the 
issue of when they change from check to or from EFT to check.


Mr. Aument.  I see.


Mr. Lloyd.  And that is in the remediation that was --


Mr. Aument.  I don't know if you got that.


Mr. Udall.  So they are able to do that now?


Mr. Aument.  They will be in August.


Mr. Udall.  Thank you very much.  Appreciate it.


Mr. Miller.  Ms. Hooley.


Ms. Hooley.  Thank you, Mr. Chairman.  I want to follow up on Ms. 
Brown-Waite's question.


I know that you stopped the work-at-home privileges.  And a lot of those paper 
files had irreplaceable documents in it.


My question is when they took them home, they could, it seems to me they could 
take something out of that file and still scan it in.  Are there backup copies 
of those documents?  Are there electronic copies of those documents?  


I don't think there is anyone in the room -- maybe there is someone here -- that 
hasn't at some point lost something out of some file.  And so assuming that 
they didn't take them deliberately, maybe they just lost them.  Are there 
backup copies of those documents?


Mr. Aument.  No, there are not, Congresswoman.


Ms. Hooley.  Is that changing?


Mr. Aument.  No, it is not.


Ms. Hooley.  Do you think it needs to be changed?  If they have irreplaceable 
documents, don't you think you need a scan of those?


Mr. Aument.  I think we should ultimately move to an electronic record system.  
I could not agree more.


Ms. Hooley.  And when do you think you can move to an electronic system?


I mean, when you are dealing with that much paper, we have all, every single 
one of us here, every Member has known about cases where they can't find the 
files.  They can't find the documents.  But when are we going to get there?



Mr. Aument.  In some of our program business lines we are already there.  Our 
insurance program uses a totally electronic record, our education program uses 
electronic records, totally imaged files.  The real challenge for us is our 
compensation and pension business line.


I would -- one of the places I would encourage you to visit, if you have an 
opportunity, is our Records Management Center in St. Louis.  There are over 20 
million files in that building that represent veterans' claims folders, as well 
as service medical records that we receive from the various military services.


The process of converting those files to either electronic images or, more 
importantly, data that can be used within the systems is a daunting challenge.  
We are attempting to tackle that in the pension component of the compensation 
and pension business line through our pension maintenance centers.  They are 
moving to a totally electronic record, but we are not there yet, Congresswoman.


Ms. Hooley.  I saw the letter that went out to the veterans notifying them of 
that data breach.  My question is -- I saw the letter and I didn't think the 
information in there was very useful about what to do.  So my question is, now 
you have got the call centers, and you have got your employees.  Have they 
been trained to handle questions from the veterans that come up in the process 
of their casework?  Have they been trained to know what the answers are to the 
questions they ask?


Mr. Aument.  Yes, we have, Congresswoman.  We have attempted to provide a set 
of -- I hesitate to use the word, but "scripts" or "answers to frequently asked 
questions" from concerned veterans.  We have been providing those both to the 
contract call centers as well as to our public contact teams at our regional 
offices.


We are probably now on our fifteenth iteration of updating that list of 
frequently asked questions, based upon our experience, coming in from 
concerned veterans and callers and their family members.  So we have been 
doing our best to try and keep them informed with what we understand to be the 
types of questions most veterans are asking.


Ms. Hooley.  A couple of the most useful things I think you can tell the 
veterans is that they can put a fraud alert on their credit reports and they 
can get free credit reports, and yet when I went online after this happened, 
if you went through the whole system, you might get to that answer.


Are those kinds of things being told to the veterans now?


Mr. Aument.  Today, at the call centers and at our regional offices we attempt 
to respond to the questions.  So if that question is posed, we certainly 
provide that information.


Ms. Hooley.  That question may not be posed because they may not know enough 
to ask that question.


Mr. Aument.  Correct.


Ms. Hooley.  It seems to me those are things that people should be told that 
they can do.  They could be told immediately one way to help prevent identity 
theft, which is -- the whole idea behind this is to prevent identity theft, which 
is a very long, tedious process if that happens to you, that they can put a 
fraud alert on immediately, and that lasts for 90 days; and they can get a 
free credit report, which helps them keep track, to make sure nothing is 
happening to their account.


Why isn't that information given to them now?


Mr. Aument.  I think I mentioned, in response to Congresswoman Herseth's 
question about our mailings, that we are potentially contemplating a second 
mailing.  Some of the drafts of communications I have read included precisely 
that sort of information.


Ms. Hooley.  Again, the letter is not being sent, but I would hope that at the 
call centers, that is information -- without them asking the question, that is 
information, here is what you can do.


Mr. Aument.  We will take that one on, Congresswoman.


Ms. Hooley.  Thank you.


Mr. Miller.  We will go to a second round, and I would like to ask the members 
if you could ask just one more question to each person so we can move to the 
second panel.


To follow up on Ms. Hooley's question, when somebody puts a fraud alert on 
their credit file, do you know what the impact is to that file?


Mr. Aument.  I profess no expertise in that, Mr. Chairman.  As far as -- I have 
seen some different iterations of the various levels of protections, just over 
the past couple of weeks, that can be involved and the terms of art that apply 
to a fraud alert versus a credit freeze versus something else.  I know that 
there are various levels of protection afforded there.  Some would require 
that the individual who invokes that type of a credit check would ask to be 
contacted by one of the credit bureaus in the event that anyone attempted to 
obtain credit using that Social Security number.


We also understand that some of these types of provisions vary on a State-to-
State basis as well, so that there are some differences based upon where a 
veteran may reside.


Mr. Miller.  I think the thing that confuses a lot of us is that the mistake 
was made by VA, yet the burden has been placed on the back of the veteran.  I 
am trying to figure out, why isn't VA being more proactive, other than sending 
out a letter, and if there is a way to make a mass notification to credit 
bureaus of the information, because you know who they are because you sent 
letters to them.


If it is not going to negatively affect them in one way or another and their 
ability to get credit or their borrowing power, wouldn't that be a 
responsibility of VA?


I mean, every time I hear VA talk about the issue, it is what the veteran can 
do to protect their identity.  My God, they thought their identity was 
protected.  VA screwed up and now we are putting the onus on the backs of the 
veterans that are out there.


Mr. Aument.  There have been -- I would acknowledge that too.  I believe -- I feel 
that all of us in VA are very concerned about that, that we believe that we 
need to be doing more to try, as you have suggested, proactively to help 
assist veterans in this process.


Some of the solutions that I have seen proposed so far -- I believe that we will 
be seeing further steps that are going to be taken, but there has to have been 
some actual vetting of what the best solution actually is.


Mr. Miller.  Do you know how long it takes to steal somebody's identity?  We 
are vetting.  We are how many weeks past the time it was stolen and we are 
still vetting?


Mr. Aument.  Part of the question there, Mr. Chairman, is whether or not all 
veterans want to have a solution imposed upon them, and that is -- one of the 
questions that we are wrestling with is, will all veterans, for example, want 
to have credit freezes or fraud alerts established on their accounts?  Because 
there is some difference of views on that.


Mr. Miller.  That is why I asked not about a credit freeze but a fraud alert.  
There is a difference.


Dr. Boozman.


Mr. Boozman.  I will go ahead and yield again to the gentlelady.


Ms. Berkley.  Thank you, Chairman Miller and Mr. Boozman.


You said that you would like us to go to electronic as fast as possible.  Is 
it a matter of money?  Is it a matter of personnel?  Because if I am here 20 
years from now I have this sinking sensation that you and I will be having the 
same conversation.


One thing I have noticed about government is that we are very slow to embrace 
technology.  Even the United States Congress isn't where it needs to be.


Is it a matter of money or personnel or a lack of desire?  When are we moving 
actually to the 21st century?  


Mr. Aument.  Congresswoman, I believe it is probably a combination of all of 
the above to one degree or another.


There is probably -- one other factor to add to the list that you have just put 
out too is trying to maintain our focus on bringing through to completion some of 
the projects that we are already undertaking -- VETS NET, for example.  I am sure 
everybody wants to have an opportunity to mention that.


Ms. Berkley.  What is the current status of VETS NET, since I can only ask one 
question?


Mr. Aument.  We were up here on May 12th briefing the staff.  We gave a 
relatively complete briefing there.


We are in the process of attempting to implement all of the recommendations 
that the Software Engineering Institute had given to us in their report they 
completed last fall, and we owe the committee a report back by the end of 
August with an end-to-end plan for implementation of VETS NET.


However, my point was that moving now to tackle an electronic records project, 
as valuable as it is -- I think that one of the reasons we are still uncompleted 
on VETS NET is moving to other distractions.  And not that it is not a very 
important undertaking on that, too, but we believe that we need to first 
deliver on those things that we already have in progress.


Mr. Miller.  Dr. Boozman.


Ms. Berkley.  Thank you.  


Mr. Boozman.  When will VBA be fully compliant with the Federal Information 
Security Management Act?


Mr. Aument.  The first steps we have at the moment are to complete the 
certification and accreditation, remediation projects that are on our plate.  
We have -- most of those are either under way or scheduled for completion.  We 
believe that we should complete those.  I would say that we could probably 
complete those within the next 2 years.


Some of those involve minor construction types of projects to control physical 
security, but I would say probably within 2 years.


Mr. Boozman.  So compliant within 2 years, you think?


Mr. Aument.  I believe so.


Mr. Boozman.  I guess, and I am trying to adhere to the chairman's wish of one 
question thing, but I would like to comment again, you have done a tremendous 
job of getting records.  You are moving that right in that direction.


I am an optometrist.  I know how it is with charts, when you have got 100,000 
patients among the clinic and you have got a chart on somebody's desk.  And 
you have a system of dealing with that now that I am sure works pretty well.  
You lose charts now, you lose records.


On the other hand, we are faced with this challenge of moving over in the 
other direction.  But it does seem like it makes sense to me that rather than 
the VA spending a tremendous amount of money, which we are doing -- Social 
Security spending a tremendous amount of money, DOD, Medicare.  Medicare is 
pushing very hard for physicians to get all of their stuff electronic.  So you 
can imagine the challenge that they are going to have in securing this stuff.


It does seem like the Secretary, yourself, your counterparts at HHS would sit 
down and say, I will give so much, you give so much, let's come up with a deal 
because it is interoperable as far as security.  That is the only comment I 
have got.


I wish you would carry that back.  And, again, somebody has got to show some 
leadership in this area and kind of get it going in the right direction.


Mr. Aument.  I will take that back, Mr. Chairman.


Mr. Miller.  Ms. Herseth.


Ms. Herseth.  Thank you.


On page 13 of your written testimony -- and you referred to it in your oral 
testimony today -- you mentioned that VBA is also considering expanding the use 
of terminal servers as a means of reducing or eliminating the amount of 
information stored locally on a remote user's work station.


I would contend that you need to move beyond considering and actually move to 
expanding it.  And in the first hearing we had I shared a little bit of 
experience in the private sector where even at my work station in the office I 
couldn't save anything other than what was centrally located in the system, 
let alone accessing information remotely and storing it -- the way I read that 
is, if you are a remote user, that means you are outside of the VA facility, 
your office, and you are able to store something locally.  That means at home, 
to me.  That is sort of what brought us here today.


So I would just make that point and ask you if -- what are the barriers to 
expanding the use of these terminal servers?  Is it just a matter of resources?


Mr. Aument.  Resources is a consideration, but it also takes some technical 
engineering as well to make sure that we would be able to put in place a 
solution such as terminal servers.


Let me suggest to you that we are already -- before we would even consider 
putting the ratings specialist back in a position working at home, that is, a 
solution that we would be imposing on them for any of the work-at-homes, would 
be that they would only be able to access the application, the RBA 2000, only 
be able to access that via terminal server.


Mr. Miller.  Ms. Hooley.


Ms. Hooley.  Thank you.


I am just going to go back to the fraud alert, credit freeze, credit monitoring.


Fraud alert and credit freeze are very different.  Everybody can do a fraud 
alert that has had their data security breached.  Not every State allows a 
credit freeze, we don't have a national standard, but you can do a fraud 
alert; and you need to tell veterans they can do that and what it means.


They can get a free credit report, which they need to do; and again, you can 
tell them all they need to do is call one number or go online and they can do 
that.  So you need to make sure that they know that.


And then what I would hope you would do is look at -- for those that want it, 
that you have some kind of credit monitoring service, which I think is really 
how you best help the veteran.


I know, Mr. Miller, when you were talking about the veteran has to do this, 
the veteran has to do that, putting -- first of all, they need to know that they 
can do a fraud alert, a free credit report, but free credit monitoring is a 
one thing you can do for veterans.  They still have to sign up for it.


I know I was a victim of a security breach, and they allowed us to have free 
credit monitoring; and actually what I was told is, they couldn't sign us up 
for it, but we could subscribe to it.  So we got the paperwork at home; it was 
very simple, it was literally signing your name and a date, saying, I want 
free credit monitoring service.


I would hope that you would seriously look at that as an option for our 
veterans.  I think they need some peace of mind, and that is really how they 
are going to get it, is through a credit monitoring system.


The question I have is, you talked about the number of files that are sitting 
in your -- one of your offices.  How long is that going to take to get all of 
those on electronic files so that we don't have -- so we aren't losing, 
literally, documents that are -- I mean, they are not duplicated anywhere.  How 
long is that going to take?


Mr. Aument.  For the 20 million records that reside at our Records Management 
Center, Congresswoman, I would probably propose that we would probably never 
image those.  Many of those are inactive files, some pertaining to deceased 
veterans that because of Federal records management requirements we need to 
maintain for some specified period of time.  Many of those inactive files 
would not be certainly where we would begin in moving towards imaging of 
records.


We would likely begin probably making some conscious business decisions with 
those records that enter into the system that are newly created and entering 
into the system and going backwards then with those at the time that veterans 
reopen claims, possibly seeking increased ratings or claiming other 
disabilities.


We would probably try to put together a logical progression such as that.  


Ms. Hooley.  How long would that take?


Mr. Aument.  I have no idea.


Mr. Miller.  Thank you very much for your testimony this morning.  I am sure 
members have other questions and they will be getting to you after the 
hearing.  Thank you very much.


I would like to ask the second panel, if they would, to move forward.  While 
everybody's getting situated I am going to go ahead and introduce the second 
panel.


Mr. Michael Staley is the Assistant Inspector General for Audit at VA's Office 
of Inspector General.  He is accompanied by Mr. Stephen Gaskell, Director of 
Central Office Audit Operations.


Mr. Gregory Wilshusen is the Director of Information Security Issues at the 
U.S. Government Accountability Office, and he is accompanied by Ms. Linda 
Koontz, Director of Information Management Issues.



STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT, 
ACCOMPANIED BY STEPHEN GASKELL, DIRECTOR, CENTRAL OFFICE AUDIT OPERATIONS 
DIVISION, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS' AFFAIRS; 
AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, ACCOMPANIED BY 
LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT 
ACCOUNTABILITY OFFICE 



Mr. Miller.  We thank you for being with the Subcommittees today; and, Mr. 
Staley, we will begin with you, please.



STATEMENT OF MICHAEL STALEY



Mr. Staley.  Mr. Chairman and members of the subcommittee, thank you for the 
opportunity to testify today on the results of our reviews, which continue to 
address information security vulnerabilities in the VA and to report on the 
status of VA's implementation of our records.


I have with me today Stephen Gaskell, who served as a project manager on these 
IT audits.


We have conducted a number of audits and evaluations on information management 
security and information technology systems that have shown the need for 
continued improvements in addressing security vulnerabilities in VA and, as 
such, we have included IT security as a major management challenge for the 
Department in all of the major challenge reports issued since the fiscal year 
2000.


In our annual financial statements we have reported VA information security 
controls as a material weakness since our fiscal year 1997 audit.  
Specifically, we have reported that VA's financial data and sensitive veteran 
medical and disability information are at risk due to vulnerabilities related 
to access controls, change controls, the need to segregate duties and the need 
to improve service continuity practices.


My IT security program auditors have identified and reported on significant 
information security weaknesses since 2001.  All four of these annual audits 
have reported on similar issues, and the recurring themes in these reports are 
the need for a centralized approach and to achieve standardization, 
remediation of identified weaknesses, and accountability in VA information 
security.


For the Veterans Benefit Administration we have continued to report control 
weaknesses in access controls, physical security, electronic security and 
employee security.  Our combined assessment program reviews continue to report 
security and access control vulnerabilities at VA regional offices where 
security issues were evaluated.


For example, at regional offices we have identified the need to strengthen 
physical security and access controls, procedures for providing employee 
security training and for obtaining background checks.


We have issued our most recent IT security program review in draft to VA for 
comment.  While it is not our general practice to comment on draft reports 
before they are published, because of the extensive public interest in these 
information security issues, I have described the issues that VA is addressing 
in my written testimony.


In closing, I would like the committee to know the reviews of the VA's 
information security will remain a top priority for my office.  We remain 
committed to reporting on the adequacy of IT security controls, and following 
up on actions taken by VA to strengthen these controls, we remain dedicated to 
the goal of protecting our Nation's veterans.


Mr. Chairman and members of the subcommittee, thank you again for this 
opportunity.  I would be pleased to answer any questions.


[The statement of Mr. Staley appears on p.  ]




Mr. Miller.  In the past, the IG has found some instances where terminated or 
separated employees retained access to critical systems identified at various 
locations.


Whose responsibility is it to ensure that former VBA employees don't have 
access to computer systems and information and such?


Mr. Staley.  That is correct, Mr. Chairman.  We have been finding that during 
our combined assessment program reviews.  Access controls actually have been 
found during our financial statement audits and when we do testing during our 
FISMA reviews.


Mr. Miller.  Can you tell who is making -- are they accessing or do they just 
have the ability to access?


Mr. Staley.  They have the ability to access.


Mr. Miller.  Are you finding that anybody is trying to access after the fact?


Mr. Staley.  Not any specific examples I can give you at this time.


Mr. Miller.  I would go to Dr. Boozman, but he will yield to Ms. Berkley.  So 
Ms. Berkley.


Ms. Berkley.  Cut out the middleman.


Let me ask you a question.  According to your opening statement, this was a 
disaster waiting to happen, so I assume that you weren't overwhelmingly 
surprised when this theft occurred?  


Mr. Staley.  I would have to say that I think you are always concerned when 
something like this happens to -- whether it be one veteran or all of us 
veterans.  I know myself, my data is also on that listing.


Ms. Berkley.  My husband received his letter as well.


Had the VA implemented your recommendations, could this have been avoided?


Mr. Staley.  It is very difficult to say whether this particular incident 
could be avoided.  The issues that we have talked about for these many years 
have addressed network security issues, access control issues.


In response to this specific issue, we do have an administrative investigation 
ongoing which we hope to report on to the Department at the end of this month.  
And we will be asking for comments and hope to actually issue the report for 
you mid-July or so.


Ms. Berkley.  During the prior two hearings on this topic, we heard a 
significant amount about the culture at the VA.  This culture is characterized 
as entrenched and indifferent relating to IT projects.


Does VBA's fielding of VETS NET, a project that is in the works for over a 
decade now, relate to such cultural problems?


Mr. Staley.  I think what we had been talking about is the 16 or so issues 
that we presented, before you really speak to the issue of standardization; 
and that can only be accomplished if the three administrations work 
collectively to address them as one voice.


Ms. Berkley.  Is VETS NET the solution to the problems?


Mr. Staley.  Well, VETS NET is a solution to an aging benefits delivery 
network system.  I think -- of course, I joined the VA in 1971, and I believe 
Target 1 by Honeywell was just starting at that time, so it is 30 years, may 
even be 40 years old.  We need to find solutions to replace these platforms, 
and VETS NET is attempting to do that.


We have not reviewed VETS NET, we have not studied VETS NET; we are waiting 
for this contractor to complete his review, which I believe is due this 
summer.  But we have been overseeing the progress and getting briefings on the 
progress of VETS NET.


Ms. Berkley.  Thank you.


Mr. Miller.  Dr. Boozman.


Mr. Boozman.  Thank you, Mr. Chairman.


Earlier we had testimony that VBA estimates that they will have full 
compliance in 2 years with the Federal Information Security Management Act.  
Do you feel like that is possible?


Mr. Staley.  I feel for many of the issues that we have been identifying each 
year, the fixes are fairly dependent on vigilance.  It is an issue of having 
very strong access controls, having your users only have information that they 
need information for.  Many of these fixes can be done relatively soon.


For the bigger issues, such as VETS NET and replacing platforms, I do know 
that the Department is working on these major system initiatives; and I have 
seen their timelines and charts and whatnot.  Some of them are out to fiscal 
year 2008, 2009 and 2010.


Mr. Boozman.  As we move -- is that a "yes" or a "no"?


Mr. Staley.  For many of them, a 2-year timeline is feasible.  For platform 
replacement issues, I could not say.


Mr. Boozman.  When you get into going from one extreme to the other, when you 
get into encrypting and things like that, will that slow down -- do you run into 
problems then with a slowdown of the systems?


Mr. Staley.  That is one of the issues that the Department is facing with many 
of these aging systems and that they were constructed 30-some-odd years ago.  
From what the technicians are telling us, that could be a possible outcome to 
adding software that would encrypt data.  So it is possible.


Mr. Boozman.  Our current system, can it identify instances of large downloads 
of data?


Mr. Staley.  It is my understanding that you can -- you will get a log of the 
time that someone is in a system but not necessarily what is being downloaded.  


Mr. Boozman.  Do you, in investigating this and being a part of it, do you see 
any accompanying legislation that we need to do for VA to help them in dealing 
with the problem?


Mr. Staley.  Well, I am really not in a position to comment on new 
legislation.  Obviously, from my audit perspective, compliance with FISMA and 
remediating the issues that we have identified is one issue.  I do know 
that sometime in May, OMB issued instructions to all the agencies to take a 
strong look at the security issue, which I believe they are required to report 
in their next FISMA report in 2006.


Mr. Boozman.  You mentioned security access and then also you mentioned 
background checks.  So we have got the problem that we are dealing with in 
this regard, and then too, as far as the background checks, to actually -- even 
if you have those systems in place and having the appropriate people hired, 
what is the problem with background checks?


We learned at an earlier hearing that we have a physician that has a history 
of being a sexual offender.  What's the deal?  


Mr. Staley.  From what we are seeing, it is a coordination problem from the 
point of the program office that that employee begins to work for, the HR 
division that is responsible for processing paperwork, and then the security 
and law enforcement.  So it is the process of actually requesting these 
background checks timely, to get them done.


And then the Department has also discussed the fact that it does take time to 
do these background checks; but there are various tiers of background checks 
that can be performed, and some of them only require law enforcement, 
fingerprinting-type procedures, and others are far more extensive and they 
take more time.


Mr. Boozman.  Does it make sense that all of our agencies -- again, Medicare, 
as they go to an all-physician record situation and stuff where all that is 
digitalized and things, does it make sense for the agencies to talk to each 
other and try and figure this out together versus spending millions of dollars 
independently?


Mr. Staley.  It would make sense to communicate and work with as many agencies 
as possible.


Mr. Boozman.  Thank you, Mr. Chairman.


Mr. Miller.  If we could, Mr. Wilshusen, if you would proceed with your 
testimony.  


STATEMENT OF GREGORY WILSHUSEN



Mr. Wilshusen.  Chairman Miller, Chairman Boozman and members of the 
subcommittees, thank you for inviting us to participate in today's joint 
hearing on data security at the Veterans Benefits Administration.


The recent well-publicized security breach at the Department of Veterans' 
Affairs has highlighted the importance of good information security controls 
and protecting personally identifiable information not only at VA but 
throughout government.


As we have reported on many occasions, poor information security controls is a 
widespread problem that can have devastating consequences such as the 
disruption of critical operations and unauthorized disclosure of highly 
sensitive information.


Today, I will discuss the recurring security weaknesses that have been 
reported at VA, including those at VBA, what agencies can do to prevent 
breaches of personal information and the notification of individuals when 
such breaches occur.


Since 1998, GAO and the VA IG have reported on wide-ranging deficiencies in 
VA's information security controls, including the lack of effective controls 
to prevent individuals from gaining unauthorized access to VA systems and 
sensitive data.  In addition, the Department had not consistently provided 
adequate physical security for its computer facilities, assigned duties in a 
manner that segregated incompatible functions, controlled changes to its 
operating systems, or updated and tested its disaster recovery plans.


These deficiencies existed in part because VA had not fully implemented key 
components of a comprehensive information security program, including the lack 
of centralized management and an approach for addressing security challenges.


Although VA has taken steps to improve security, its efforts have not been 
sufficient to effectively protect its information and information systems.  As 
a result, these remain vulnerable to inadvertent or deliberate misuse, loss or 
improper disclosure, as the recent breach demonstrates.


In addition to providing and implementing a robust security program, agencies 
such as VBA can better protect personally identifiable information by 
conducting privacy impact assessments that determine up front how personal 
information is to be collected, stored, shared and managed, so that controls 
can be built in from the beginning, by limiting access to the information and 
training personnel accordingly, and appropriately using technology controls 
such as encryption.


VBA officials have informed us that since the May 3rd incident they have 
taken, or plan to take, a number of steps to enhance protection of veterans' 
personal information.  These include reviewing and recertifying user access to 
sensitive information, evaluating encryption technologies for transmitting and 
storing data, and requiring privacy and cybersecurity training for all VBA 
employees by June 30.


Although we have not reviewed these actions and cannot comment on their 
sufficiency or effectiveness at this time, they appear to be important first 
steps.  However, the true test will be VBA's ability to fully implement and 
sustain appropriate protections over the long term.


Nonetheless, even with security and privacy protections in place, breaches can 
occur, particularly if enforcement is lax or employees willfully disregard 
policy.  When such breaches occur, appropriate, sufficient, and timely 
notification to those affected have clear benefits, allowing people the 
opportunity to protect themselves from identity theft.


In summary, long-standing control weaknesses at VA have placed its information 
systems and information at increased risk of misuse and improper disclosure.  
Although VA has made progress in mitigating previously reported weaknesses, it 
has not taken all the steps necessary to address these serious issues.  Only 
through strong leadership and sustained management commitment can VA implement 
a comprehensive information security program that can effectively manage risk 
on an ongoing basis.


Mr. Chairman, this concludes my statement.  Ms. Koontz and I will be happy to 
answer questions.


[The statement of Mr. Wilshusen and Ms. Koontz appears on p.  ]




Mr. Miller.  In terms of information security can you give us some type of a 
feel as to how VA or VBA fits within other agencies?  Is everybody failing?


Mr. Wilshusen.  No, everybody is not failing.  One measure that would be 
important is, the FISMA reports that agencies are required to submit to 
Congress and to the OMB regarding their implementation of the provisions of 
the Federal Information Security Management Act, or FISMA.  Each year we 
perform an analysis of those reports, and we found that over the past 4 out of 
5 years VA typically has ended up towards the bottom end of the scale whereas 
other agencies, particularly some of the smaller, single-mission-type 
organizations tend to score higher.  But what VA has done, too, is not 
dissimilar to other large complex organizations.


Mr. Miller.  Do you have any role in seeing that your recommendations are 
implemented?  Is there any follow-up at all with the reports that you make?


Mr. Wilshusen.  Yes, there is.  We follow up on all of our recommendations 
that we make, yes.


Mr. Miller.  And when a recommendation is not followed then next year, you 
bring it up again and you follow it up and you do it again next year?  It 
would seem pretty exasperating if that was what your job was year in and year 
out.


Mr. Wilshusen.  We do find that agencies, including VA, do take some 
corrective actions to address specific weaknesses, but often they do not 
address the larger recommendations that relate to the underlying causes of 
those weaknesses.


For example, we have routinely reported -- again, we haven't done much work at VA 
for a number of years, but we would follow up and look at the underlying 
reasons that we felt dealt with not having a comprehensive information 
security program that has been fully developed, documented and implemented at 
the agency.


And so what that does is, while they may take corrective actions on specific 
technical findings that we identify, often what may happen is, they only 
correct them at the sites or the systems that we looked at and they don't look 
across the organization, across other similar systems, to take corrective 
actions on those same weaknesses.


Mr. Miller.  Do they ever come back and say, this is a distraction, we can't 
deal with this right now, we have this other thing we are working on right here?


Mr. Wilshusen.  Never in those blunt words.  We often -- often they concur 
with our recommendations, and I think they try to take action.  But sometimes 
it is a challenging endeavor for many organizations in the Federal Government 
because, one, the computing environment is very complex and the threats and 
the types of risks are constantly changing.  It is a very dynamic environment.


There are challenges.  But with appropriate and well-defined and executed 
information security programs, they can address those risks.


Mr. Miller.  Thank you.


Ms. Berkley.


Ms. Berkley.  Thank you.  I wish that we would have had this panel before the 
first panel because I would like to have heard the first panel's response to 
some of your testimony.


Since May 3rd, have you detected any change in behavior or attitude with the 
VA?  In your opinion, do they recognize the seriousness of what has transpired 
and are moving to implement corrective action so this can't happen again?


Mr. Wilshusen.  We had one meeting with the VBA officials in order to collect 
some of the information about actions that they have taken or plan to take in 
response to this incident.  Just from that one meeting it seems like they are 
very concerned and are trying to take the actions, but again, the proof is in 
the pudding.


Once the actions and policies have been decided and developed, they need to 
execute and implement those.  That will take time and commitment over a long 
period of time.


Ms. Berkley.  So you had a meeting with the VBA officials, discussed with them 
what they need to do.  And now how do you follow up and make sure this is 
happening?  Or is that not your job?  If it is not your job, whose job is it?


Mr. Wilshusen.  Actually, the work we do is, by and large, requested by -- either 
requested by Congress or congressional committees and/or mandated.


We have received several requests, and there have been some potential mandates 
proposed where we would do some work in this area, but we have not done any 
yet.


Ms. Berkley.  Perhaps Mr. Boozman is going to ask the question that he asked 
previously, but what is it that -- would you need any additional legislation from 
Congress, or how could we do our jobs better so that you can do your job 
better, and ultimately, VBA and the Veterans Administration can protect the 
privacy of our veterans?


Mr. Wilshusen.  Well, with regard to information security, as Mr. Staley 
pointed out, there is a law called the Federal Information Security Management 
Act of 2002, FISMA, and that provides a comprehensive framework for 
implementing security throughout a Federal agency; assigns specific 
responsibilities to the head of the agency, senior managers, to the CIO.  In 
addition, it requires each agency to develop, document and implement an 
agency-wide security information program that contains several elements.


That law has, I believe, raised the level of attention given to information 
security and provides a solid framework for agencies to follow in order to 
implement better security.


The fact is that many agencies still have difficulty in fully implementing 
those programs.  So I don't know if additional legislation is needed.  
Certainly in terms of what we need to do in having been requested to go in and 
do follow-up work, we can do that.


Ms. Berkley.  Thank you.


Mr. Miller.  Dr. Boozman.


Mr. Boozman.  Thank you.


Mr. Wilshusen, we talked earlier about H.R. 4061, and the approach the 
committee felt might be a little more effective by centralizing the system a 
little bit more than they are now.  As you work with the other agencies, can 
you comment on that?  Is this something that you found to be effective or is 
the decentralized approach better?


Mr. Wilshusen.  We haven't done a systematic review of the other Federal 
agencies in terms of their organization, of how the CIO is organized relative 
to the other program offices; but what we have found is that for information 
security, centralization having a central management approach is preferable, 
because the interconnections between the systems and the types of policies and 
procedures that are in place at one agency or component could have an impact 
on other elements or components within that agency.


So we wholeheartedly endorse having a centralized managed approach to 
implementing security at a Federal agency.


Mr. Boozman.  As you deal with these problems system-wide, it does seem 
like -- again, with Medicare pushing hard to get electronic records, things like 
that, that ability is far outpacing again the transition from where do we put 
the charts, where do we put the records versus we can secure that, how do we 
secure this other thing.


What -- in your experience, what agencies are doing a better job?


Mr. Wilshusen.  Well, certainly the use of electronic records and using the 
interconnectivity of systems has brought tremendous benefits to Federal 
agencies in terms of being able to deliver government services to the people.  
But those same benefits and opportunities are subjected to and can create 
significant risks if adequate safeguards are not built into those 
technologies.


We have found that it is imperative that agencies consider and build security 
into these systems from the very beginning throughout the entire life cycle, 
rather than trying to add them on as an afterthought.  They tend to be more 
expensive and they tend to be less effective.


So certainly one of the things that agencies need to do when converting paper 
records to electronic records is think about and implement and design security 
controls up front.  


Mr. Boozman.  Is there a model agency out there?


Mr. Wilshusen.  I think that probably some of the different agencies have 
varied experiences in doing this.  I don't know if there is a model agency per 
se in terms of implementing security on electronic systems.  At most of the 
agencies we go to, where we have done specific testing of the controls, we 
generally find weaknesses on each system or most of the systems we look at.


Mr. Boozman.  It doesn't make sense -- again, I am harping on this.  It doesn't 
make sense to me; I guess I am asking if it does to you.


But we want VA -- and VA has done a good job of switching over; we want VA to be 
able to talk to DOD.  We want Medicare -- I think we will foresee a time where 
Medicare and VA should be talking to each other as far as medical records and 
pharmacy records and all those kinds of things.


But it does seem like, in making things interoperable and in solving some of 
these problems, you want more access to the records through all these different 
agencies.  But then how do you secure that access?


It does seem like that needs to be set up as you go along, as you just said, 
rather than trying to backtrack at some point and figure out how do we do 
this.


I guess my question is, how do you do that?  There doesn't seem to be much 
talk among the agencies, so that -- you really wouldn't comment on a model out 
there, but I am sure there are some good ones that are better than others.


How do we get that done?


Mr. Wilshusen.  Well, one way is, what agencies need to do -- and I believe there 
is a CIO Council that can meet to discuss issues that cut across different 
agencies.  And certainly this could be a topic for that council to start 
addressing, looking at government-wide security requirements that are needed 
for these systems as they develop them.  So that would be one way, through 
there.


But definitely what agencies need to do, as they develop their systems, is to 
assess the risks, categorize the type of information they are going to be 
collecting and storing on those systems, and determine what the appropriate 
level of security over that information will be.


Ms. Koontz.  If I can just add, from a privacy perspective, too, this is one 
of the reasons that we have emphasized the importance of agencies implementing 
the privacy impact assessments which are required under the 
E-Government Act, and that is a way of looking at the implications of 
collecting, handling and disseminating personally identifiable information in 
an agency and being able to build controls up front before the information is 
collected and before the system is built.


You are absolutely right that once these things are done, it is very difficult 
to retrofit.  And I think that you are also right in that technology is 
creating tremendous challenges for agencies in terms of balancing 
accessibility with security and privacy concerns; and I think there is a role 
here for the Congress in terms of policy, as well as for agencies in terms of 
implementation.


Mr. Boozman.  Thank you very much.


Thank you, Mr. Chairman.


Mr. Miller.  Dr. Boozman, any closing comments?


Mr. Boozman.  I appreciate your leadership in this area and getting the two 
committees together.  I think the VA is to be complimented in the sense that 
it has done a very good job of moving forward.  We pressed them hard to get 
the records in digital format and things like that.


So we have done a good job that way, but we have lagged much, much behind and 
as we have talked about, having the security that goes along with that.  It is 
something that not only VA has got to work very hard on, but it is a 
system-wide problem.  Testimony mentioned the problems not only of the data 
but having the right people there.  


So there are so many things like this that we have really got to shore up not 
only in the VA, but system-wide.


Again, I know that our Subcommittee, the Committee in general, in a very 
bipartisan way, is committed to doing whatever it takes legislatively to give 
the agencies, in our case, specifically, the VA, the tools.


Thank you, Mr. Chairman.


Mr. Miller.  Thank you very much, also, for your leadership and again for a 
bipartisan approach.


We thank everybody for their testimony today.  While there has apparently been 
no identity theft that we are aware of, we all agree that the potential is 
great.  We must continue to work together to make sure that nothing like this 
happens again, and while this information continues to be floating out there 
somewhere, that nobody's credit or identity is harmed by what has happened.


I appreciate everybody being here today.  Members will have 5 legislative days 
in which to add their statements to the record.


[The statements appear on p.  ]




Mr. Miller.  Without any further comment, this joint subcommittee meeting is 
adjourned.


[Whereupon, at 11:54 a.m., the joint hearing of the subcommittees was 
adjourned.]
