b'<html>\n<title>OVERSIGHT HEARING ON VETERANS BENEFITS ADMINISTRATION DATA SECURITY, Tuesday, June 20, 2006</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n                   OVERSIGHT HEARING ON VETERANS\n                      BENEFITS ADMINISTRATION\n                           DATA SECURITY\n\n                     Tuesday, June 20, 2006\n\n\nHouse of Representatives,\nSubcommittee on Disability Assistance and\nMemorial Affairs, Joint with/Subcommittee \non Economic Opportunity, Committee on \nVeterans\' Affairs, Washington, D.C.\n\n\nThe Subcommittees met, pursuant to call, at 10:00 a.m., in Room 334, Cannon \nHouse Office Building, Hon. Jeff Miller [chairman of the Subcommittee on \nDisability Assistance and Memorial Affairs] and Hon. John Boozman [chairman of \nthe Subcommittee on Economic Opportunity] Presiding.\n\nPresent:  Representatives Miller, Brown-Waite, Boozman, Berkley, Udall, \nHerseth, and Hooley. \n\n\nMr. Miller.  Good morning everybody.  This joint hearing of the Subcommittees \non Disability Assistance and Memorial Affairs and Economic Opportunity will \ncome to order.\n\n\nI would like to begin by saying this morning that while testimony was due to \nthe Subcommittees by June 16th, we did not receive the VBA statement until \nlast night.  We realize the Committee has scheduled a number of hearings this \nmonth.  
However, we gave plenty of notice, in my opinion, and receiving the \ntestimony the night before a hearing does not serve us well in our oversight \ncapacity.\n\n\nOn the 22nd of May Congress and the public were informed that several weeks \nearlier there had been a severe data breach containing sensitive information \non more than 26 million beneficiaries.  We learned just last week that an \nadditional 2.2 million active duty servicemembers, reservists, and guardsmen \nand women may be affected as well.\n\n\nThrough testimony and briefings it is apparent that the Department\'s lack of \nspecific policies and procedures has created security vulnerabilities.  While \nnone of us could have imagined a situation affecting so many millions of \npeople, I am beginning to believe something like this was bound to happen.\n\n\nSince becoming chairman of this Subcommittee, a common thread is emerging.  \nThere appears to be a lack of uniformity within the Veterans Benefit \nAdministration and certainly among the VBA.  Please understand that I\'m not \ncriticizing any single person or office.  There is certainly a cultural \nmentality that exists in many bureaucracies.  One of the difficulties facing a \nlarge agency like VA is that it takes time, it takes money, and buy-in to \nchange that culture.  VA has not always been the most effective in keeping up \nwith changing technologies, models or demands.  What has recently occurred has \nbeen the product of that resistance to change.\n\n\nWhether it is lack of uniformity with how regional offices respond to a \nveteran or congressional inquiry, how claims are prioritized, or how \ninformation and technology and data security procedures are implemented, \neveryone seems to do things differently.\n\n\nThe IG found data security deficiencies at 37 of 55 regional offices.  
Now if \n37 regional offices have 37 different ways of doing business, that requires a \nlot more management muscle to correct a deficiency than if we have a uniform \nimplementation of procedures.\n\n\nIn order to receive benefits and services from VBA, veterans and survivors \nmust provide at a minimum full names, social security numbers, and a home \naddress.  In order to receive benefits such as nonservice-connected pension, \nwage and other financial information must also be submitted.\n\n\nAll of us trust that the federal government will do everything in its power to \nsafeguard the information that has been provided.  Thankfully, we have not yet \nheard of any reports of identity theft, but the trust placed in VA has \ncertainly been broken.\n\n\nOur two subcommittees are holding this hearing to learn more about VBA\'s data \nsecurity management program, what steps have been taken to educate its \nemployees and how it intends to move forward to improve its data security \npolicies.  I do look forward to hearing from the witnesses that are here \ntoday, and I want to turn now to the chairman of the Economic Opportunity \nSubcommittee, Dr. Boozman, for his opening remarks.\n\n\nMr. Boozman.  Thank you very much, Mr. Chairman, and I certainly appreciate \nyour leadership in this area.\n\n\nWe appreciate you all being here.  You will notice that we have a large print \nversion that shows the 16 IT vulnerabilities cited by the VA Inspector General \nas yet to be addressed by the Department.  The list shows a range of potential \nsources of data loss or compromise.  The recent loss of over 26 million \nveterans personal data highlights several things.\n\n\nFirst, data security must be founded on laws and regulations that are dynamic \nand enforced.  Second, the appropriate technologies must be in place to \nimplement the right levels of security and assist in enforcement and \nprevention.  
And third, there must be aggressive and consistent enforcement by \nsenior VA officials.\n\n\nI do not know the motivation of the employee who willfully disregarded \nwhatever rules were in place regarding working on the sensitive data from \nhome, but what I do know is the VA missed an opportunity to increase its \ncorporate control over data by imposing the bipartisan legislation passed by \nthe House during the first session.  That bill, H.R. 4061, would reform the \nway VA structures its management of its information technology programs.  \nWithout a solid foundation, whether in a building or an organization, \neverything above it is suspect.  The policies at H.R. 4061, if put in place, \nwould have provided that foundation.  And while H.R. 4061 alone would not have \nprevented what has happened, if adopted, the VA would have had the basis for a \ncoherent technology development and management program.\n\n\nThat would enable leadership to implement and enforce a whole range of \npolicies designed to control not only the fiscal issues but also things like \ndata security in combination with aggressive technical security applications.  \nH.R. 4061 is the right answer at the right time and place.  The Department \nshould reconsider its position on this bill and move quickly to consolidate \nits information technology programs.\n\n\nI am not just worried about cyber security.  I am also concerned about how \nprograms like vocational rehabilitation and employment control access to \nveterans papers at the regional offices and their contractors.  These files \noften contain very sensitive psychological and other medical data which, if \naccessed by unauthorized personnel, could have serious consequences.\n\n\nThe constant theme in the testimony presented by the IG and GAO is the need \nfor centralized cyber security among other things.  If the VA refuses to adopt \na centralized approach to managing its IT systems as prepared by H.R. 
4061, \nhow can you expect to achieve consistency throughout the VA system on anything \nrelated to IT?\n\n\nWhile we are talking about consistency, I want to broaden the scope just a \nlittle bit.  We constantly hear about how each regional office has its own \nprocess for handling benefits and that the first thing newly trained staff \nreturning from something like Challenge Training is, "We don\'t do it that way \nin this RO."\n\n\nIt seems there is a lack of will by VA headquarters to impose and enforce best \npractices throughout its field operations.  Everything seems to be a \nsuggestion and is left to the RO director to choose whether or not to follow a \npolicy.\n\n\nWhile I may be overstating the case slightly, it is a real problem facing the \nDepartment and certainly this is a tremendous challenge.  It is something that \nwe as a committee are committed to helping.\n\n\nThank you very much, Mr. Chairman.\n\n\n[The statement of John Boozman appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n\nMr. Miller.  Thank you very much, Dr. Boozman.\n\n\nI would like to now recognize the Ranking Member of the Subcommittee on \nDisability Assistance and Memorial Affairs, Ms. Berkley, for an opening \nstatement.\n\n\nMs. Berkley.  
Thank you, Chairman Miller and Chairman Boozman, for holding \nthis hearing.\n\n\nSince the Under Secretary for Benefits is responsible for information security \nat the Veterans Benefits Administration Office, I for one would like to \nunderstand what problems exist and the steps that are being taken to address \nthese problems.\n\n\nVeterans and service members in my district, I can tell you -- and I assume \nthroughout the United States, are rightfully outraged that the security of \ntheir personal data has been compromised by the Department of Veteran Affairs, \nand I can assure you right after this was disclosed my phone in my district \noffice was ringing off the hook and the level of anger and concern was very \nconcerning to me.\n\n\nIn 2004, during a routine review by the Inspector General of the Reno, Nevada \nVA regional office, several deficiencies related to Benefits Delivery Network \ncomputer security and sensitive claims folders were identified.  Similar \ndeficiencies have been identified throughout the Nation.\n\n\nThe Inspector General has reported that although the VA is responsible for \npromptly correcting identified deficiencies, there is no systematic action \ntaken to assure that the deficiencies identified in one office aren\'t \ncorrected at other offices.  This piecemeal approach to fixing problems \nprobably provides little assurance to our Nation\'s veterans and probably isn\'t \na very effective way of conducting business.\n\n\nI am also concerned that there may be inadequate staff to perform audit \nfunctions at data centers.  I am sure there is inadequate staff.  In addition, \nit is not clear there is any method for assuring security and control of data \nextracts provided to various components of the VA.  Extracts such as these \nwere reportedly the source of the recent data theft.\n\n\nI hope -- and I am looking forward to hearing what the witnesses have to say, but \nI hope that you will address these concerns.  
And again, thank you for being \nhere today.  I am looking forward to your testimony.\n\n\nThank you.\n\n\n[The statement of Shelley Berkley appears on p.  ]\n\n<GRAPHICS IS NOT AVAILABLE IN TIFF FORMAT>\n\nMr. Miller.  Thank you, Ms. Berkley.  And now the Ranking Member of the \nSubcommittee on Economic Opportunity, Ms. Herseth.\n\n\nMs. Herseth.  Thank you and good morning to you, Chairman Miller, Chairman \nBoozman, and of course Ranking Member Berkley and other colleagues.  I am \npleased we are holding this hearing today to review the procedures at the \nVeterans Benefits Administration and the efforts to control and maintain \nveterans\' personal and sensitive information in a secure manner.  I welcome \nwitnesses on both panels this morning.  We appreciate your testimony.\n\n\nThe topic of today\'s hearing is both important and timely given the recent \nloss of nearly 26.5 million veterans\' and active service members\' private \ninformation.  Indeed, the Federal Government, as a whole, every federal agency \nand the VA specifically, must improve its data security measures and enhance \nits recognition of and respect for citizens\' privacy and health information \nlaws, and it is incumbent upon us as a subcommittee, as a full committee, and \nthe other committees on which we serve to ask these questions and to get the \nanswers that will guard us as well in the future as it relates to the \nresources that each of our federal agencies need and the continuity of each \nCIO organization and the strength of those organizations to implement what we \npassed 10 years ago to ensure the data security of citizens\' privacy and other \ninformation.\n\n\nI have a chance to see a lot of veterans across South Dakota; in particular, a \nlot of our Vietnam veterans as we get ready for a Memorial dedication in \nPierre, South Dakota this fall, and as we know, it took a number of those \nveterans sometimes a number of years to overcome a level of distrust to even \nreach out 
to the VA to obtain some of the benefits that they deserve and many \nof them that I see now just shake their heads when they received the \ninformation that their information was compromised.\n\n\nAnd in addition to that, many of them are serving to reach out to newly \nreturned veterans, to work with them to make the adjustment back home after \ntheir deployments, and all of these men and women deserve our very best.  We \nknow that the employees at the VA feel the same, but we have to ensure levels \nof accountability and a system that is in place with policies and supervision \nand enforcement to maintain the integrity of this data and a fast changing \nfinancial services environment.\n\n\nSo today, I am particularly interested in hearing about VBA\'s data security \nprocedures with respect to information transferred to and from other Federal \nagencies, when information is controlled by contractors, such as the case when \nservice members apply for education benefits or when contractors provide for \nvocational rehabilitation and employment services to a disabled veteran.\n\n\nSo both chairman, ranking member, thank you again for the hearing today.  We \nlook forward to the testimony.\n\n\n[The statement of Stephanie Herseth appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n[The statement of Ginny Brown-Waite appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n\nMr. Miller.  Thank you very much.\n\n\nThe first panel is already seated at the table.  Mr. Ronald Aument is Deputy \nUnder Secretary for Benefits at the Veterans Benefits Administration.  He is \naccompanied this morning by Mr. Jack McCoy, Associate Deputy Under Secretary \nfor Policy and Program Management; Mr. Michael Walcoff, Associate Deputy Under \nSecretary for Field Operations; and Mr. Thomas Lloyd, Deputy Chief Information \nOfficer at VBA.\n\n\nMr. 
Aument, you may begin.\n\n\n\nSTATEMENT OF RONALD AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS \nBENEFITS ADMINISTRATION; ACCOMPANIED BY JACK McCOY, ASSOCIATE DEPUTY UNDER \nSECRETARY FOR POLICY AND PROGRAM MANAGEMENT, VETERANS BENEFITS ADMINISTRATION; \nMICHAEL WALCOFF, ASSOCIATE DEPUTY UNDER SECRETARY FOR FIELD OPERATIONS, \nVETERANS BENEFITS ADMINISTRATION; AND THOMAS LLOYD, DEPUTY CHIEF INFORMATION \nOFFICER, VETERANS BENEFITS ADMINISTRATION\n\n\n\nMr. Aument.  Thank you, Mr. Chairman.  Chairman Miller, Chairman Boozman and \nmembers of the subcommittee, thank you for the opportunity to appear before \nyou today to discuss data security and the Veterans Benefits Administration.\n\n\nI would like to open up with an apology for the lateness of our prepared \nstatement, Mr. Chairman.  I have no excuse for that.\n\n\nI am accompanied by Mr. Jack McCoy, the Associate Deputy Under Secretary for \nPolicy and Program Management, Mr. Mike Walcoff, Associate Deputy Under \nSecretary for Field Operations, and Mr. Tom Lloyd, Deputy Chief Information \nOfficer.\n\n\nWith the committee\'s permission, I will offer a summary statement this morning \nand request that my written statement be submitted for the record.\n\n\nMr. Miller.  Without objection.\n\n\nMr. Aument.  Let me assure the subcommittee that VBA is thoroughly examining \nevery aspect of our information security programs, our processes and our \nprocedures to ensure that sensitive veterans data is neither mismanaged nor \nused for any unauthorized purpose.  Although our review is ongoing, I will \noutline security measures we have had in place prior to May 3rd, 2006 and \nadditional steps we have taken regarding our data security policies and \nprocedures.  
I will also specifically address the security of the data feeds \nbetween VBA and the Department of Defense.\n\n\nResponsibility for all IT security policy is centralized to the Department\'s \nOffice of Cyber and Information Security, which reports directly to the VA\'s \nChief Information Officer.  Implementation of IT security policy and \nprocedures in VBA is through a three-layer organizational assignment of \nresponsibilities.  The Information Security Officer at each regional office is \nresponsible for the execution and oversight of IT security policy and \nprocedures.  ISO has managed local access control to IT resources.  It \nconducts security audits under the focal point for incident reporting in the \nVBA facility.  The network support centers provide oversight of regional \noffice compliance of IT security policy and procedures and expert advice to \nthe regional office ISO community and IT staff on technical issues.  The VBA \nIT organization and headquarters provides technological support which \nimplements IT support and procedures on the computer applications and systems.\n\n\nThe Secretary\'s recent decision to further centralize all IT operations and \nmaintenance activities brings all of the VABs under the Department CIO.  We \nbelieve this further centralization of IT security will raise the \norganizational focus on the critical security issues and challenges and will \nbring added oversight and safeguards for sensitive information and records.  \nVBA has incorporated security into all of our information systems and benefits \ndelivery processes.  We have extensive well-articulated policies and \nprocedures governing access requests, auditing and rules of behavior.  These \npolicies and procedures pertain to all VBA employees as well as any other \nindividuals authorized access to VBA systems and data.  In all VBA\'s benefit \nsystems veteran data is protected by VA and VBA security policy and IT system \nand application security controls.  
Programmatic access controls restrict \naccess according to the specific veteran\'s record level of sensitivity and the \nauthority of the individual accessing the data.\n\n\nAll individuals authorized access to VA systems must adhere to rules of \nbehavior that govern the use of IT systems and capabilities.  The rules of \nbehavior ensure that all users of IT resources are aware that any source \npotentially contains valuable and sometimes sensitive government or personal \ninformation which must be protected to prevent disclosure, unauthorized change \nor loss.\n\n\nThe VBA internal controls process requires regional office directors to \nconduct systematic analysis of their IT security operations and to certify \nannually that their facilities are in compliance with the directives.  The \nnetwork support centers conduct annual surveys to ensure that the ROs are \nadhering to all VA, VBA and all other Federal security directives in the \nhandbooks and that the deficiencies identified through the Inspector Generals \ncombine that assessment program reviews are remediated.\n\n\nIn August of 2005, VBA completed the federally mandated certification and \naccreditation of 97 application systems on schedule.  VBA has a secure \ntechnology solution in place for external system users.  External access to \nVBA is controlled through the One-VA Virtual Private Network to a centralized \nterminal server.  VBA outbased workers as well as authorized veteran service \norganization representatives used One-VA VPN capability.  Additionally, the \nVeterans Administration Portal supplies secure encrypted user access to loan \nguarantee applications for internal and external users.\n\n\nIn March of this year we started the process to accelerate the implementation \nof public key infrastructure technology throughout VBA.  PKI will provide a \ncommon utility for VA to provide more secure electronic transactions and e-\nmail.  
VBA is supporting the Secretary\'s direction to accelerate to annually \nrequire privacy awareness and Social Security training.  All VBA\'s employees \nare now required to complete these training programs by June 22nd.  That will \nbe this Thursday.\n\n\nWe have compiled a list of VBA databases that contain sensitive information \nand all interfaces or data feeds that update these databases.  A VBA work group \nhas been tasked with assessing all VBA policies and procedures related to the \nrelease of data protected by the Privacy Act to provide recommendations to \nimprove protection of the data.\n\n\nWe also updated and strengthened procedures for handling veterans\' requests to \nchange address and direct deposit information to ensure proper verification of \nidentity of the individual requesting the change.  In the average month, we \nreceive in excess of 40,000 requests from VA beneficiaries to change their \nfinancial institution and/or their address.\n\n\nEffective June 7th, in accordance with the Secretary\'s direction, VBA \nsuspended all work at home and Flexiplace arrangements for employees directly \ninvolved in disability claims processing.  Employees who adjudicated claims at \ntheir homes or other non-VA work sites will now do all claims work requiring \nclaims files in regional offices.  While VBA evaluates various solutions to \nprotect sensitive data transported to and from offices, we are also developing \na standard work at home and Flexiplace agreement to ensure all employees \nabsolutely understand the responsibilities to safeguard sensitive data.\n\n\nVBA will implement VA encryption solutions.  We have procured encryption \ncapabilities for laptop computers and are considering expanding the use of the \nterminal server concept as a means of reducing or eliminating the information \nstored locally on a user\'s work station.  
We are also working with the Office \nof Acquisition and Material Management to reinforce strong control of the \nshipping of records containing personally identifiable information.  This \nincludes review of tracking procedures, signature requirements and expedited \nshipments.  Department of Defense data is delivered to VBA via secured \ntransmission using commercial software products and direct computer-to-\ncomputer connection.  These tools are used when sending or receiving files \nfrom the Defense Manpower Data Center.\n\n\nThe VA is fully committed to the uninterrupted delivery of the benefits to \nthose who have returned from the battlefield and who are transitioning into \nour VA system.  We recognize the importance of securing the information shared \nwith our DOD partners.\n\n\nOur mission is to serve veterans and to provide benefits to the best of our \nability.  IT is an essential tool that helps us serve veterans better, faster \nand more thoroughly.  However, the rapid rate of technological advances, while \noffering improved and expanded benefits delivery, also presents an ongoing \nchallenge to VA to keep pace with security and privacy demands.  IT can make \nour service better and faster but the vulnerabilities increase just as fast.  \nWe must and will do what is necessary to protect as well as serve our \nveterans.\n\n\nChairman Miller and Chairman Boozman, this concludes my statement.  I will be \nhappy to answer any questions you or any members of the subcommittee might \nhave.\n\n\n[The statement of Ronald Aument appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n\nMr. Miller.  I don\'t know how many hearings that I have attended, and there \nare more to come in regards to this particular issue.  
I know my colleagues \nhave all been involved in hearings, and this is not a question that was \nprepared, but probably one that all of my colleagues want asked.\n\n\nEvery time I come into a Committee hearing where we are dealing with this \nissue, I am angry.  More than angry.  And then when I sit down and I hear the \ntestimony that is given and the way the testimony is given and there is no \nemotion in the testimony, and I want to know what was your personal feeling \nwhen you heard that this had occurred.\n\n\nMr. Aument.  I felt somewhat betrayed that we had provided information to a \ntrusted source that we expected to take the same level of care of that \ninformation that we would expect of our own employees and I felt betrayed and \nI felt as though we had betrayed our veterans.\n\n\nMr. Miller.  I am glad you ended your statement with "we have betrayed \nveterans" because the employee doesn\'t matter to me.  That employee is gone.  \nAnd whatever reason, it\'s over.  But I sat in here, I think it was last week, \nand listened to testimony and there is no visceral reaction that I can tell \nexcept the Secretary was shaking profusely because he was so angry when he \ntestified the first time.  But I don\'t see it from anybody else, and I hope \nthat it is just me not reading people\'s body language correctly.\n\n\nI would hope that everybody sitting at that table today would be mad as hell, \nand I don\'t see it.  Can I ask the people who are with you if they are upset \ntoo?\n\n\nMr. Aument.  Of course.\n\n\nMr. Miller.  Mr. Lloyd.\n\n\nMr. Lloyd.  Yes, sir.\n\n\nMr. Miller.  Mr. McCoy.\n\n\nMr. McCoy.  Absolutely.\n\n\nMr. Miller.  Mr. Walcoff.\n\n\nMr. Walcoff.  Yes.\n\n\nMr. Miller.  Thank you.\n\n\nWho at VBA is responsible for implementing the new directive that is out \nthere, Directive 6504, and how is it being implemented?\n\n\nMr. Aument.  Well, as with any directive, Mr. 
Chairman, the Under Secretary is \nultimately responsible for its implementation.  Directive 6504, and I may turn \nto my colleague, Mr. Lloyd is very much a technical_has many technical \ncapabilities, that we would rely upon the IT organization for its ultimate \nimplementation.\n\n\nMr. Miller.  Mr. Lloyd.\n\n\nMr. Lloyd.  With the implementation of the federated model the operations and \nmaintenance people of VBA have been detailed to the CIO\'s office.  We continue \na close working relationship, and we are working to implement the directive.  \nWe have implemented the acquisition of the laptop software that Mr. Aument \nmentioned.  We are working with the ISOs on our collection of information \nabout who has access to every system, every application and the assurance that \nthe documentation is appropriate for the access that the people have.  We are \nlooking at our databases, who has access for the appropriate approval and the \ndocumentation.  We have developed a plan to implement all of the items in the \nSecretary\'s directive.\n\n\nMr. Miller.  As a follow-on, 6,000 accredited VSO representatives are out \nthere today but only 1,300 have completed the training responsibility involved \nin preparation of claims.  How do you ensure and monitor that only registered \nusers have access to the system and how does VBA monitor representatives as \nfiduciaries?\n\n\nMr. Aument.  The Veterans Service Organization representatives have to undergo \nthe same types of training both in IT security and in privacy training that we \nrequire of any VBA employee.  Anyone accessing the VBA system has to submit a \nrequest that at the local level those are managed by the ISO, the Information \nSecurity Officer.  We also require that before anyone is given_granted access \nto our systems in the VSO community that they would read, understand and sign \nthe rules of behavior that we require of all VBA employees that we afford \naccess to systems as well.\n\n\nMr. Miller.  
I may have a follow-up question that I will submit for the \nrecord.  Another question that has been asked in other hearings is about the_I \nguess it was in the mid-1970s C File numbers were used and then there was a \ntransition to social security numbers.  Are you exploring a change to the \npolicy of using social security numbers?\n\n\nMr. Aument.  We have certainly discussed that.  I know that is an idea that \nhas generated a lot of interest from those concerned with this data loss.  At \nthe moment I believe that we are probably_ it is not a solution that we can \ntake and run with, Mr. Chairman.  We receive data importantly, most \nimportantly from the Department of Defense, which uses as their unique \nidentifier Social Security numbers for those transitioning from the military \nservices.  We are also required by law to provide extensive_have extensive \ninformation exchanges with other government partners.  By law, we are required \nto do data matches with the Social Security Administration and the Internal \nRevenue Service to support the continuing payments of benefits to those \nindividual unemployability or for means tested programs.  We have to provide \ninformation through data matches to the Department of Education for veterans \nwho are applying for assistance in the Department of Education programs. \n\n\nThis is just to mention a couple of the types of exchanges that we have to \nmake routinely with outside interests in support of veterans programs.\n\n\nThese entities all use Social Security numbers as their unique identifier.  So \neven if we for internal purposes decided to revert back to a unique claim \nnumber, we would still have to be able to cross-reference that in some fashion \nto Social Security numbers to facilitate these types of exchanges.\n\n\nMr. Miller.  Thank you.\n\n\nDr. Boozman.\n\n\nMr. Boozman.  Why don\'t I yield to the gentlelady from Nevada, and then you \ncan come back to me.\n\n\nMr. Miller.  
I was going to do that, but then I was told protocol said I had \nto go to you first.\n\n\nMr. Boozman.  You did go to me and I yielded.\n\n\nMr. Miller.  Thank you.  You are a kind gentlemen.  You can be the hero.\n\n\nMs. Berkley.  Thank you all very much.\n\n\nYou know, it is_how can I say this, I didn\'t have the same reaction that the \nchairman had about people not being mad enough because I didn\'t sense, quite \nfrankly, that the Secretary_he was mad but I think he was mad because this \nhappened under his administration and frankly, if it hadn\'t blown up in \neverybody\'s face, I don\'t think_I think he is so disengaged from the day-to-\nday operation of this department that he wouldn\'t have known, he wouldn\'t have \ncared, and he wouldn\'t have bothered to inquire.\n\n\nBut what I am always struck with when people from the VA come and talk to us \nis how great the policies are.  And I mean you can, you know, we have heard \ntestimony about some of the best policies and signing in and signing out and \nhandbooks and all of the employees have training and yet the reality is that \nwe have got a mess on our hands.  So it doesn\'t matter much what our policies \nare.  If they are not implemented and if we don\'t have people making sure that \nthese are implemented, and I might be wrong, but I understand that the \nemployee who is no longer here that the 26 or 27 million names were stolen \nfrom, he had done everything he needed to do, signed the_signed whatever he \nneeded to do, attended whatever seminars he needed to do and he went ahead and \ndid something completely wrong for 3 years that he wasn\'t supposed to be \ndoing.  So it doesn\'t much matter what our policies are if we don\'t make sure \nthat they are followed.\n\n\nLet me ask you a couple of questions, or I have a number of them but there may \nbe a second round.\n\n\nHow are all of the regional offices notified of patterns of deficiency \nidentified by the IG?  
I mean, is there a method of letting everyone know?\n\n\nMr. Aument.  Yes, there is, Congresswoman.\n\n\nMs. Berkley.  Do we do it?\n\n\nMr. Aument.  Yes, we do.  In fact, during the month of May, early in May, \nAdmiral Cooper sent a memorandum to the regional officers bringing to their \nattention the deficiencies that were uncovered during the prior year\'s \nInspector General CAP reviews.  And I may ask Mr. Walcoff, my colleague, to \ndiscuss a little bit, you know, further about what the expectations are but_\n\n\nMs. Berkley.  I would like to know once he sent out the notice in May, did we \nget feedback, do we know that they are now in compliance or moving towards \ncompliance?  How do we do this?\n\n\nMr. Walcoff.  The letter that Ron was talking about was dated May 10th, was \nsent out by the Under Secretary, and we have gotten confirmation from every \nregional office that they are in the process of working on every one of these \nareas that was identified by the IG in their reviews, even in the situation \nwhere they themselves weren\'t reviewed but our OS officers were.  So they were \nsupposed to review their own office to make sure they don\'t have deficiencies \nin that area.\n\n\nThe IT recommendations will be fully implemented_I think I gave them till \nFriday of this week.  The non-IT recommendations they have another 3 weeks \nafter that to fully implement, but we will get a certification from every \nregional office director that it is done in their office.\n\n\nMs. Berkley.  Do you think you can provide us with a copy of that letter for \nthe record?\n\n\nMr. Walcoff.  Sure.\n\n\n[The information appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\nMs. Berkley.  How does VBA control data which is extracted from VBA\'s data \nsystem for use by a VBA office and other_VBA\'s other departments?\n\n\nMr. Aument.  
Let me begin by giving you background and maybe transitioning \ninto what we believe needs to be done as well.\n\n\nPresently, any outside entity, and that could be both from within VA or from \noutside of VA, first has to initiate a formal request that goes to our Chief \nInformation Officer within VBA.  They conduct a technical review of that \nrequest for data and then they consult back to the program office responsible \nfor the contents of that system; for example, that would include our \ncompensation and pension service or education service dependent upon the \nnature of the request, to try and make some determination of the \nappropriateness and the need for that request.\n\n\nThey then would, based upon that consultation, make a determination as to \nwhether or not to provide that information.\n\n\nAt that point typically it has to go then to one of our data centers to have, \nyou know, database administrators do the programming necessary to actually \nextract the data from the relevant system, and then it is made available based \nupon the requested arrangements with the requestor.  That is quite a range of \npotential business partners that make use of that sort of information.\n\n\nMs. Berkley.  Do we have a log?  How do we monitor this?\n\n\nMr. Aument.  Absolutely.  There is a number of them that are routine data \nexchanges.  We probably have some noted in the hundreds for that going to \nentities such as the Department of Defense, the Department of Education, other \ntypes of Federal partners as well as internal ones.  Our Office of the \nInspector General receives routine data extracts out of the compensation and \npension system as well as from the BIRL system.\n\n\nThis is an area that we have charged our performance analysis and integration \nto do some additional due diligence on behalf of VBA.  We believe that we need \nto have better rules on monitoring that.  
For example, better rules governing \nhow that information can be used, better rules that would make sure that that \nis not shared with any other entity or reconstituted in any other fashion, \nbetter rules saying the duration which they are allowed to maintain that data.  \nIf it is given to them for a specific purpose, we believe an improved system \nwould require what they must do with it after they have completed that task is \nto destroy it, return it back to VBA.  We have looked at some other entities, \nSocial Security, for example, that we believe serves as a much better model \nfor that.  And it is our intention to try to strengthen this process \nconsiderably.\n\n\nMs. Berkley.  Thank you.  Are we going to have a second round?  In that case, \nI will yield.  Thank you very much.\n\n\nMr. Miller.  Dr. Boozman.\n\n\nMr. Boozman.  It is interesting, the VA, you all can be complimented, I think \nthe system can be complimented in the sense that you have really been a leader \nin getting our records into format, which is important.  This whole country is \ngoing through this transformation process to make it easier for people to get \naccess and yet along with that we want the access where we can use these \nthings and yet now_and this is a huge thing that is something that again the \nwhole country is struggling with how you protect access from unwarranted \nwhatever.\n\n\nSo like I say, you have done a good job at switching over.  That is to be \ncommended.  But I think the committee feels like you have not done as good a \njob as we need to and certainly this new incident brings that to a head.\n\n\nI mentioned in my opening statement that we passed H.R. 4061 to consolidate IT \npolicy and system development under the corporate Information Security \nOfficer.\n\n\nIn light of what has gone on and in light of showing some weaknesses in the \nsystem, is there any rethinking of your position on the bill?  Is there any \nway we can work with you to_\n\n\nMr. 
Aument.  Well, Mr. Chairman, I don\'t speak for the Department in that \nregard.  The Secretary certainly has made a decision as to the organizational \nchange that he believes is needed and our job is to make sure that we \nimplement the Secretary\'s decision as thoroughly_\n\n\nMr. Boozman.  We can assume that is a no.\n\n\nMr. Aument.  Right.  We certainly agreed, I think_I mentioned that in my \nopening remarks, I think, that the IT security arrangements are going to be \nstrengthened by the centralization of all security assets under the guidance \nof the CIO.\n\n\nMr. Boozman.  Last week\'s full committee hearing GAO and VA\'s own Inspector \nGeneral\'s Office doesn\'t give its Chief Information Officer authority to \nimplement the recommendations without approval from 33 Under Secretaries.  Do \nyou believe that that is appropriate and that the Under Secretary should have \nthat authority?\n\n\nMr. Aument.  Do I believe that is appropriate?  I believe the General Counsel \nis reviewing that issue at the moment as we speak, and I am not sure that is \nan accurate statement today given the centralization of all of the security \nassets now to the CIO.  It is my belief he has direct line authority today \nover all of the ISOs and all of the field personnel responsible for \nmaintaining our systems.\n\n\nMr. Boozman.  So the IG testified to that effect last week, so it is changed?\n\n\nMr. Aument.  Well, again, that is an area that is probably a little bit \noutside of my portfolio.  But I do believe that with the detail of the \npersonnel that are going to be permanently reassigned on October 1st that the \nCIO has direct line authority for all of the field IT staff within the \nVeterans Benefit Administration.\n\n\nMr. Boozman.  But you would agree that makes sense to do it that way?\n\n\nMr. Aument.  Yes, I do.\n\n\nMr. Boozman.  Do existing labor agreements contain any provisions for \nenforcing unauthorized use or access to data?  
If not, do we anticipate \nrevising the labor agreements to enable the Department to hold employees \naccountable for these type of actions?\n\n\nMr. Aument.  Yes.  It is not necessarily built into the labor agreement but \nour rules of behavior that every employee must sign it is explained in those \nrules of behavior that there are consequences for violation of those practices \nand policies.  It is explained to them.  That range of consequence can be from \nterminating their access privileges to systems up to removal from Federal \nservice.\n\n\nMr. Boozman.  Could you give us copies of the rule?\n\n\nMr. Aument.  I would be happy to.\n\n\n[The information appears on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n\nMr. Boozman.  Thank you, Mr. Chairman.\n\n\nMr. Miller.  Ms. Herseth.\n\n\nMs. Herseth.  Thank you, Mr. Chairman.\n\n\nMr. Aument, I notice on your written testimony on page 10, actions taken to \ninform veterans about the data theft, that you talk about public contact teams \nworking extended hours contracting with GSA, meeting with other contractors.  \nI am somewhat familiar with what GSA charges our Federal judges and their \nchambers to rent space and provide other services.  So can you tell me how \nmuch the VA has expended on notices to veterans operations to call centers and \nother activities related to the data breach and from what accounts the funds \nare being provided?\n\n\nMr. Aument.  I certainly can, Congresswoman.  Let me begin with the mailings, \nthe direct mailings that have been made to veterans and service members to \ninform them of this data breach.  A total of 17-1/2 million letters were sent \nout in this first round of mailings.  The cost for that was over $7 million.  
\nAround a million dollars cost for the printing costs and somewhat over $6 \nmillion for the postage cost of that mailing.\n\n\nFor the call centers, we have spent to date the last I was informed on this \nwas 3 to 4 business days ago we had spent slightly over $7 million for the \noperations of the call centers.  And that we are probably spending today a \nlittle bit over $200,000 a day for their continued operation.\n\n\nThat money at the moment I must say is not strictly a VBA expenditure but \ndepartmental expenditure in that they had made arrangements with the \nAppropriations Committee for reprogramming for other funds to support this \neffort.\n\n\nMs. Herseth.  And are the mailings coming out of_you said the first round of \nmailings.  Is it coming out of VBA or_\n\n\nMr. Aument.  We are anticipating there may be follow-up communications that \nare warranted on whatever types of follow-up actions that the administration \nand Congress feel may be needed to help veterans in this matter.\n\n\nThe compromised information came from the BIRL system.  I am sure you have \nseen referenced in some of the explanations here_contains_not contain veterans \naddresses.  So we really did not know the addresses of these individuals, many \nof whom are not receiving benefits from VA.\n\n\nWe obtained_we did not really even obtain those addresses, but we had to send \ndata or our data files to Social Security Administration who reviewed through \ntheir records to try to find valid addresses and Social Security numbers.  \nThey did some Social Security number validation on that.  They in turn shared \nthe information with the Internal Revenue Service to try and find as many \naccurate addresses as could be possible from those data files.  Then that \ninformation was then passed along to contractors to the Government Printing \nOffice.  But none of that information actually came back to VA.\n\n\nMs. Herseth.  Okay.  
I think I followed the circuitous route that this took.\n\n\nSo you mentioned that there has been a request to the Appropriations Committee \nboth for fiscal year 2006 and fiscal year 2007 and reprogram moneys.\n\n\nMr. Aument.  Not fiscal year 2007.\n\n\nMs. Herseth.  Do you think there will_anticipate there will be a request?\n\n\nMr. Aument.  I really hate to speculate on that.  I don\'t know of anything \nthat is planned on that at the moment.\n\n\nMs. Herseth.  Along the lines of what VBA understands to be within this \nuniverse of compromise data, let us say hypothetically_well, let me first ask \nthe question of the 17-1/2 million letters that have been sent, those have all \ngone to and what you just described there in trying to verify matching Social \nSecurity numbers up with addresses to those within the universe of the 26-1/2 \nmillion veterans whose data was compromised?\n\n\nMr. Aument.  Yes.\n\n\nMs. Herseth.  If an active duty airman has only contact with the VA, has been \nto apply for a home loan, was he informed within_I am still trying to \nunderstand who was really encompassed by_\n\n\nMr. Aument.  The process of information entering into that system today since \nthe early 1990s, the Department of Defense has sent us information at the time \nof enlistment in the service, so that the service member need not have applied \nfor any VA benefits to have had their information included in this system.\n\n\nMs. Herseth.  And I know there will be a chance for a second round.  So is the \nVA, VBA, everyone is still trying to figure out just how this universe came \ntogether with this particular employee\'s project that he was working on so it \nis more just what you had as of enlistment, but we still aren\'t quite sure how \nsomeone could have been drawn into that pool, that universe of individuals \nwhose data was compromised?  We are trying to figure that out?\n\n\nMr. Aument.  
We believe we know the one large file that we are speaking of, \nthis extract from BIRLS.  We understand the programming that was used to \nselect the records that went into that.  So we believe we understand the \nuniverse of compromised records.\n\n\nThe 26-1/2 million, it is the difference between 26-1/2 million records versus \nthe 17.5 million records was sent out, was that not all of those records \ncontained all of the complete data.  For example, I ran 7 million of those \nrecords, they contained no Social Security number.  Without that Social \nSecurity number, it was not possible to conduct any sort of accurate address \ndetermination on that.\n\n\nSo we also found that in the records, included in the records were invalid \nSocial Security numbers in some cases, which once again would have prevented \nany sort of a finding of address, and in some cases it involved deceased \nveterans as well.\n\n\nMs. Herseth.  I will wait for the second round.  Thank you, Mr. Chairman.\n\n\nMr. Miller.  Ms. Brown-Waite.\n\n\nMs. Brown-Waite.  Thank you very much, Mr. Chairman.  In reading over the \ntestimony, it was noted that VBA has recalled all work-at-home employees and \nrequired them to return all files and equipment to VBA.  How do you know what \nfiles they have?\n\n\nMr. Aument.  I am probably going to turn this over to Mr. Walcoff, but there \nhave always been in existence for all of our claims adjudicators who are \nworking at home fairly rigid check-out/check-in practices for any files that \nthey take away from the regional office, you know, for work home_under \nwork-at-home agreements.\n\n\nMs. Brown-Waite.  Do these include electronic files?  If they downloaded an \nelectronic file, what record do you have of that?  And I will let the \ngentleman answer.\n\n\nMr. Walcoff.  Well, the_\n\n\nMr. Miller.  If you pull your mike and then turn it on.\n\n\nMr. Walcoff.  
The vast majority of the work-at-home people were rating \nspecialists and we have_we use a system called COVERS to electronically track \nwhere a folder is so when they take folders home, we will wand it and it will \nbe electronically recorded that that folder is being taken home by that \nparticular rating specialist.  So we are able to make sure that every folder \nthat was taken out by our rating specialist back to his house was brought back \nwhen he brought all of the equipment in and all of the hard copy folders.\n\n\nMs. Brown-Waite.  I am not sure that I got the answer to the electronic files.\n\n\nMr. Aument.  We may have to turn to Mr. Lloyd on that.  But I believe that the \non-line components of the veterans\' record are not downloadable to these \nindividuals\' work station.  They would have the narrative descriptions of the \nrating decisions that they are working on for the immediate case that they are \nworking on on the personal computer.  But_\n\n\nMs. Brown-Waite.  I would also ask what COVERS, the acronym, what that stands \nfor?\n\n\nMr. Aument.  I am not sure, Congresswoman.  It is the tracking system that we \nuse internally and externally in the regional office to track the locations of \nveterans\' claims folders.\n\n\nMs. Brown-Waite.  Is that the same system that when I call in on behalf of a \nveteran that the file could never be found?\n\n\nMr. Aument.  I am not really able to answer that question.\n\n\nMs. Brown-Waite.  Or is that another acronym?\n\n\nMr. Aument.  Could you restate the question, please?\n\n\nMs. Brown-Waite.  Is that the same system that when I call in inquiring on \nbehalf of a constituent that the file can\'t be found, is this the same system?\n\n\nMr. Aument.  Quite possibly, yes.  
The difficulty there would be within the \nregional office we could identify it is within the service center but as to \nwhether or not it is on an individual\'s desk or on a file cabinet sometimes it \nmight be imprecise in that fashion.  We would be able to track if it has left \nthe building under the work-at-home program.\n\n\nMs. Brown-Waite.  I still need the answer to the electronic files question.\n\n\nMr. Lloyd.  When a veteran rating specialist works at home, they take the \nfolders with them and they use an application called RBA 2000.  That \napplication allows them to work at home in the development of their rating \ninformation.  There is a local database on the PC they use at home that \ncontains the work that they are doing while they are at home.  When they come \nback to the office, which I believe is weekly or biweekly, they upload that \ninformation into the corporate database.  So while they are working at home \nthere is information in the development of the ratings that they are doing.\n\n\nMs. Brown-Waite.  Just a follow-up question, Mr. Chairman.\n\n\nWhen you ask them to return all files and equipment, what sanctions were there \nif this request was ignored?\n\n\nMr. Aument.  There were 370 ratings specialists in total working from their \nhomes who were required to return to the regional offices.  I believe that \ninvolved most, if not at all regional offices.\n\n\nMike?\n\n\nMr. Walcoff.  Yeah.  Not every station had work at home_had people working at \nhome.  I would say about two-thirds of the stations did and every one of them \nhas come back to the office with their equipment, with their files.\n\n\nMs. Brown-Waite.  One other question.\n\n\nOn page 13 of the testimony of Mr. 
Aument, there was a statement that said \nVBA_it is about, almost halfway down the page_information security officers \nare required to review users\' access and privileges at least quarterly or when \na job change occurs.\n\n\nAfter a job change occurs, how soon does that review take place, you know, and \nyou know job change could be termination?\n\n\nMr. Aument.  Tom, do you have an answer to that?\n\n\nMr. Lloyd.  Specifically for the terminations part of the check-out procedure, \nthe supervisor and HR staff are to inform the Information Security Officer \nthat the employee has been terminated and the ISO is supposed to remove all \npermissions and access on the day that the person leaves.  That is the \nprocess.\n\n\nMs. Brown-Waite.  Has there been any examples of when the access continued after \nthe employee was terminated?\n\n\nMr. Lloyd.  I am aware over the course of the years where_especially \ninterorganizational terminations that we don\'t always inform each other and \nthe ISOs didn\'t know an employee has been terminated.\n\n\nMs. Brown-Waite.  Has that situation been remedied?\n\n\nMr. Aument.  One of the things we are doing at the moment with Mr. Lloyd, an \nexample that he might be referring to where a VHA employee has access to a VBA \nsystem, authorized access, and we may not follow as closely when that \nindividual changes jobs, is reassigned, retires or is terminated.  We are \nworking with the Department for a solution on that today.  That would allow us \naccess to our payroll system to have these automatic updates provided from the \npayroll system to that effect.\n\n\nMs. Brown-Waite.  Just one quick_\n\n\nMr. Miller.  Let\'s go to the other two members and then we will come back.\n\n\nMs. Brown-Waite.  Okay.\n\n\nMr. Miller.  Did I hear you right that every file that is taken out or all \ninformation that is taken out you have the ability to track when the \ninformation leaves; is that true?\n\n\nMr. Aument.  
All the files, you know, have a bar code attached to the file.  \nThe procedure is that when a file is_it leaves the building under the work-at-\nhome program would be to, you know, using the bar code reader check that file \nout and at the time it returns check the file back in.\n\n\nMr. Miller.  But going back to Ms. Brown-Waite\'s question, that is not an \nelectronic file, correct?  That could be a paper file?\n\n\nMr. Aument.  That is a paper file.\n\n\nMr. Miller.  So an electronic file could have been removed and you don\'t have \na way to track that?\n\n\nMr. Aument.  We do not have all of the veterans\' data_I wish I could say \notherwise_contained in anelectronic file.\n\n\nMr. Miller.  We know that.  All Members of Congress are aware of that.\n\n\nMr. Aument.  Right.  So that the information that they would have access to at \nhome through RBA 2000 is the information accessible to them.\n\n\nMr. Miller.  I guess I am still trying to figure out how we are still not sure \ntoday of the information that is missing, who it affects, and it seems like \nevery week we get a new group of people that are included.  How is that so?\n\n\nMr. Aument.  I believe, and you will certainly have an opportunity to speak to \nthe next panel, the Inspector General has been looking carefully as to what \naccess to data this employee actually had.  I would like to think that, you \nknow, we know fully today and that there will be no further disclosures, sir.\n\n\nMr. Miller.  Thank you.\n\n\nMr. Udall, questions?\n\n\nMr. Udall.  Thank you, Mr. Chairman.  According to the IG testimony, a \ncontractor successfully penetrated the VBA system access to regional office \nfiles, created a fictitious veteran, established an award and mailed an award \nletter to a real address.\n\n\nIf all of the policies and procedures you described were in place and \nfunctioning, how was this possible.\n\n\nMr. Aument.  
This incident, Congressman, took place a little over a year ago \nat our Waco regional office.  Let me start to begin with, and I am sure you \nwill follow up with our colleagues from the Inspector Generals Office, that \nfirst of all, they were already afforded access to the system.  The IG had \nrequested permission to get inside the firewall.  So this did not replicate \nthe situation where an entity outside VA would have broken into the system to \nhave done this type of fraudulent activity.\n\n\nMr. Udall.  Would somebody with the information that was taken out in the case \nof this recent employee, would they have been able to use that information and \naccess the system?\n\n\nMr. Aument.  No, they would not have.\n\n\nMr. Udall.  Go ahead.\n\n\nMr. Aument.  But the Inspector General was already given privileged status to \nbe inside the system wherein they then conducted what is the equivalent of \nsophisticated hacking of captured passwords.\n\n\nWhat this really demonstrated would be that a sufficiently skilled VBA \nemployee with fraudulent intent inside a system, you know, could go ahead and \nhave replicated the IG\'s efforts to create a fictitious payment.  Now, they \nhave identified to us the shortcomings, you know, the critical vulnerabilities \nand we have taken actions to address those vulnerabilities.\n\n\nMr. Udall.  So from what you are saying then no longer would somebody within \nthe system with the access they have be able to do what they did?\n\n\nMr. Aument.  I believe we have remediated.  There was about a dozen different \nvulnerabilities they have raised.  We have remediated most of those.  Any of \nthose who have not been completed, they are in the process of remediation.\n\n\nMr. Udall.  According to the IG, VBA senior leadership is not receiving \ninformation concerning the financial costs of correcting conditions identified \nby the IG.  
How can VBA obtain a complete and accurate picture of the resources and funding needed to remediate security deficiencies without such information?

Mr. Aument. I am not really certain of what the IG's particular findings and recommendations are in that regard. I do know that one of the largest undertakings that we have begun over the past year was the completion of the original round of certification and accreditation of application systems that were completed by the end of fiscal year 2005. We have gone through and we have identified all the tasks that need to be undertaken to remediate the findings of that process, and we have attached a price tag to each and every one of those remediations.

We understand what it is going to cost us to solve those problems. Other types of problems that we believe that we need to be addressing, it is in a full encryption solution, both for, you know, desktop systems as well as the transmission systems and our legacy systems. We have attached price tags to those as well, too.

There may be some financial unknowns, but we believe that we have tried to address, get our arms around those as best as we possibly can.

Mr. Udall. According to your testimony, in the average month VA receives in excess of 40,000 requests to change the financial institution or address for receipt of benefits.

I understand that all financial institution changes for veterans being paid on Vets Net must be manually adjusted at the Hines BDN. Is this still the case and when will VetsNet be able to handle such transactions without manual rekeying of information?

Mr. Aument. Tom, can you answer that? I am not sure that is still true or not.

Mr. Lloyd. I believe, Congressman, that is in the August release. It is the issue of when they change from check to or from EFT to check.

Mr. Aument. I see.

Mr. Lloyd. And that is in the remediation that was --

Mr. Aument. I don't know if you got that.

Mr. Udall. So they are able to do that now?

Mr. Aument. They will be in August.

Mr. Udall. Thank you very much. Appreciate it.

Mr. Miller. Ms. Hooley.

Ms. Hooley. Thank you, Mr. Chairman. I want to follow up on Ms. Brown-Waite's question.

I know that you stopped the work-at-home privileges. And a lot of those paper files had irreplaceable documents in them.

My question is when they took them home, they could, it seems to me they could take something out of that file and still scan it in. Are there backup copies of those documents? Are there electronic copies of those documents?

I don't think there is anyone in the room -- maybe there is someone here -- that hasn't at some point lost something out of some file. And so assuming that they didn't take them deliberately, maybe they just lost them. Are there backup copies of those documents?

Mr. Aument. No, there are not, Congresswoman.

Ms. Hooley. Is that changing?

Mr. Aument. No, it is not.

Ms. Hooley. Do you think it needs to be changed? If they have irreplaceable documents, don't you think you need a scan of those?

Mr. Aument. I think we should ultimately move to an electronic record system. I could not agree more.

Ms. Hooley. And when do you think you can move to an electronic system?

I mean, when you are dealing with that much paper, we have all, every single one of us here, every Member has known about cases where they can't find the files. They can't find the documents. But when are we going to get there?

Mr. Aument. In some of our program business lines we are already there. Our insurance program uses a totally electronic record, our education program uses electronic records, totally imaged files.
The real challenge for us is our compensation and pension business line.

I would -- one of the places I would encourage you to visit, if you have an opportunity, is our Records Management Center in St. Louis. There are over 20 million files in that building that represent veterans' claims folders, as well as service medical records that we receive from the various military services.

The process of converting those files to either electronic images or, more importantly, data that can be used within the systems is a daunting challenge. We are attempting to tackle that in the pension component of the compensation and pension business line through our pension maintenance centers. They are moving to a totally electronic record, but we are not there yet, Congresswoman.

Ms. Hooley. I saw the letter that went out to the veterans notifying them of that data breach. My question is -- I saw the letter and I didn't think the information in there was very useful about what to do. So my question is, now you have got the call centers, and you have got your employees. Have they been trained to handle questions from the veterans that come up in the process of their casework? Have they been trained to know what the answers are to the questions they ask?

Mr. Aument. Yes, we have, Congresswoman. We have attempted to provide a set of -- I hesitate to use the word, but "scripts" or "answers to frequently asked questions" from concerned veterans. We have been providing those both to the contract call centers as well as to our public contact teams at our regional offices.

We are probably now on our fifteenth iteration of updating that list of frequently asked questions, based upon our experience, coming in from concerned veterans and callers and their family members. So we have been doing our best to try and keep them informed with what we understand to be the types of questions most veterans are asking.

Ms. Hooley. A couple of the most useful things I think you can tell the veterans is that they can put a fraud alert on their credit reports and they can get free credit reports, and yet when I went online after this happened, if you went through the whole system, you might get to that answer.

Are those kinds of things being told to the veterans now?

Mr. Aument. Today, at the call centers and at our regional offices we attempt to respond to the questions. So if that question is posed, we certainly provide that information.

Ms. Hooley. That question may not be posed because they may not know enough to ask that question.

Mr. Aument. Correct.

Ms. Hooley. It seems to me those are things that people should be told that they can do. They could be told immediately one way to help prevent identity theft, which is -- the whole idea behind this is to prevent identity theft, which is a very long, tedious process if that happens to you, that they can put a fraud alert on immediately, and that lasts for 90 days; and they can get a free credit report, which helps them keep track, to make sure nothing is happening to their account.

Why isn't that information given to them now?

Mr. Aument. I think I mentioned, in response to Congresswoman Herseth's question about our mailings, that we are potentially contemplating a second mailing. Some of the drafts of communications I have read included precisely that sort of information.

Ms. Hooley. Again, the letter is not being sent, but I would hope that at the call centers, that is information -- without them asking the question, that is information, here is what you can do.

Mr. Aument. We will take that one on, Congresswoman.

Ms. Hooley. Thank you.

Mr. Miller. We will go to a second round, and I would like to ask the members if you could ask just one more question to each person so we can move to the second panel.

To follow up on Ms. Hooley's question, when somebody puts a fraud alert on their credit file, do you know what the impact is to that file?

Mr. Aument. I profess no expertise in that, Mr. Chairman. As far as -- I have seen some different iterations of the various levels of protections, just over the past couple of weeks, that can be involved and the terms of art that apply to a fraud alert versus a credit freeze versus something else. I know that there are various levels of protection afforded there. Some would require that the individual who invokes that type of a credit check would ask to be contacted by one of the credit bureaus in the event that anyone attempted to obtain credit using that Social Security number.

We also understand that some of these types of provisions vary on a State-to-State basis as well, so that there are some differences based upon where a veteran may reside.

Mr. Miller. I think the thing that confuses a lot of us is that the mistake was made by VA, yet the burden has been placed on the back of the veteran. I am trying to figure out, why isn't VA being more proactive, other than sending out a letter, and if there is a way to make a mass notification to credit bureaus of the information, because you know who they are because you sent letters to them.

If it is not going to negatively affect them in one way or another and their ability to get credit or their borrowing power, wouldn't that be a responsibility of VA?

I mean, every time I hear VA talk about the issue, it is what the veteran can do to protect their identity. My God, they thought their identity was protected. VA screwed up and now we are putting the onus on the backs of the veterans that are out there.

Mr. Aument. There have been -- I would acknowledge that too. I believe -- I feel that all of us in VA are very concerned about that, that we believe that we need to be doing more to try, as you have suggested, proactively to help assist veterans in this process.

Some of the solutions that I have seen proposed so far -- I believe that we will be seeing further steps that are going to be taken, but there has to have been some actual vetting of what the best solution actually is.

Mr. Miller. Do you know how long it takes to steal somebody's identity? We are vetting. We are how many weeks past the time it was stolen and we are still vetting?

Mr. Aument. Part of the question there, Mr. Chairman, is whether or not all veterans want to have a solution imposed upon them, and that is -- one of the questions that we are wrestling with is, will all veterans, for example, want to have credit freezes or fraud alerts established on their accounts? Because there is some difference of views on that.

Mr. Miller. That is why I asked not about a credit freeze but a fraud alert. There is a difference.

Dr. Boozman.

Mr. Boozman. I will go ahead and yield again to the gentlelady.

Ms. Berkley. Thank you, Chairman Miller and Mr. Boozman.

You said that you would like us to go to electronic as fast as possible. Is it a matter of money? Is it a matter of personnel? Because if I am here 20 years from now I have this sinking sensation that you and I will be having the same conversation.

One thing I have noticed about government is that we are very slow to embrace technology. Even the United States Congress isn't where it needs to be.

Is it a matter of money or personnel or a lack of desire? When are we moving actually to the 21st century?

Mr. Aument. Congresswoman, I believe it is probably a combination of all of the above to one degree or another.

There is probably -- one other factor to add to the list that you have just put out too is trying to maintain our focus on bringing through to completion some of the projects that we are already undertaking -- VETS NET, for example. I am sure everybody wants to have an opportunity to mention that.

Ms. Berkley. What is the current status of VETS NET, since I can only ask one question?

Mr. Aument. We were up here on May 12th briefing the staff. We gave a relatively complete briefing there.

We are in the process of attempting to implement all of the recommendations that the Software Engineering Institute had given to us in their report they completed last fall, and we owe the committee a report back by the end of August with an end-to-end plan for implementation of VETS NET.

However, my point was that moving now to tackle an electronic records project, as valuable as it is -- I think that one of the reasons we are still uncompleted on VETS NET is moving to other distractions. And not that it is not a very important undertaking on that, too, but we believe that we need to first deliver on those things that we already have in progress.

Mr. Miller. Dr. Boozman.

Ms. Berkley. Thank you.

Mr. Boozman. When will VBA be fully compliant with the Federal Information Security Management Act?

Mr. Aument. The first steps we have at the moment are to complete the certification and accreditation, remediation projects that are on our plate. We have -- most of those are either under way or scheduled for completion. We believe that we should complete those. I would say that we could probably complete those within the next 2 years.

Some of those involve minor construction types of projects to control physical security, but I would say probably within 2 years.

Mr. Boozman. So compliant within 2 years, you think?

Mr. Aument. I believe so.

Mr. Boozman. I guess, and I am trying to adhere to the chairman's wish of one question thing, but I would like to comment again, you have done a tremendous job of getting records. You are moving that right in that direction.

I am an optometrist. I know how it is with charts, when you have got 100,000 patients among the clinic and you have got a chart on somebody's desk. And you have a system of dealing with that now that I am sure works pretty well. You lose charts now, you lose records.

On the other hand, we are faced with this challenge of moving over in the other direction. But it does seem like it makes sense to me that rather than the VA spending a tremendous amount of money, which we are doing -- Social Security spending a tremendous amount of money, DOD, Medicare. Medicare is pushing very hard for physicians to get all of their stuff electronic. So you can imagine the challenge that they are going to have in securing this stuff.

It does seem like the Secretary, yourself, your counterparts at HHS would sit down and say, I will give so much, you give so much, let's come up with a deal because it is interoperable as far as security. That is the only comment I have got.

I wish you would carry that back. And, again, somebody has got to show some leadership in this area and kind of get it going in the right direction.

Mr. Aument. I will take that back, Mr. Chairman.

Mr. Miller. Ms. Herseth.

Ms. Herseth. Thank you.

On page 13 of your written testimony -- and you referred to it in your oral testimony today -- you mentioned that VBA is also considering expanding the use of terminal servers as a means of reducing or eliminating the amount of information stored locally on a remote user's work station.

I would contend that you need to move beyond considering and actually move to expanding it. And in the first hearing we had I shared a little bit of experience in the private sector where even at my work station in the office I couldn't save anything other than what was centrally located in the system, let alone accessing information remotely and storing it -- the way I read that is, if you are a remote user, that means you are outside of the VA facility, your office, and you are able to store something locally. That means at home, to me. That is sort of what brought us here today.

So I would just make that point and ask you if -- what are the barriers to expanding the use of these terminal servers? Is it just a matter of resources?

Mr. Aument. Resources is a consideration, but it also takes some technical engineering as well to make sure that we would be able to put in place a solution such as terminal servers.

Let me suggest to you that we are already -- before we would even consider putting the ratings specialist back in a position working at home, that is, a solution that we would be imposing on them for any of the work-at-homes, would be that they would only be able to access the application, the RBA 2000, only be able to access that via terminal server.

Mr. Miller. Ms. Hooley.

Ms. Hooley. Thank you.

I am just going to go back to the fraud alert, credit freeze, credit monitoring.

Fraud alert and credit freeze are very different. Everybody can do a fraud alert that has had their data security breached. Not every State allows a credit freeze, we don't have a national standard, but you can do a fraud alert; and you need to tell veterans they can do that and what it means.

They can get a free credit report, which they need to do; and again, you can tell them all they need to do is call one number or go online and they can do that. So you need to make sure that they know that.

And then what I would hope you would do is look at -- for those that want it, that you have some kind of credit monitoring service, which I think is really how you best help the veteran.

I know, Mr. Miller, when you were talking about the veteran has to do this, the veteran has to do that, putting -- first of all, they need to know that they can do a fraud alert, a free credit report, but free credit monitoring is one thing you can do for veterans. They still have to sign up for it.

I know I was a victim of a security breach, and they allowed us to have free credit monitoring; and actually what I was told is, they couldn't sign us up for it, but we could subscribe to it. So we got the paperwork at home; it was very simple, it was literally signing your name and a date, saying, I want free credit monitoring service.

I would hope that you would seriously look at that as an option for our veterans. I think they need some peace of mind, and that is really how they are going to get it, is through a credit monitoring system.

The question I have is, you talked about the number of files that are sitting in your -- one of your offices. How long is that going to take to get all of those on electronic files so that we don't have -- so we aren't losing, literally, documents that are -- I mean, they are not duplicated anywhere. How long is that going to take?

Mr. Aument. For the 20 million records that reside at our Records Management Center, Congresswoman, I would probably propose that we would probably never image those. Many of those are inactive files, some pertaining to deceased veterans that because of Federal records management requirements we need to maintain for some specified period of time. Many of those inactive files would not be certainly where we would begin in moving towards imaging of records.

We would likely begin probably making some conscious business decisions with those records that enter into the system that are newly created and entering into the system and going backwards then with those at the time that veterans reopen claims, possibly seeking increased ratings or claiming other disabilities.

We would probably try to put together a logical progression such as that.

Ms. Hooley. How long would that take?

Mr. Aument. I have no idea.

Mr. Miller. Thank you very much for your testimony this morning. I am sure members have other questions and they will be getting to you after the hearing. Thank you very much.

I would like to ask the second panel, if they would, to move forward. While everybody's getting situated I am going to go ahead and introduce the second panel.

Mr. Michael Staley is the Assistant Inspector General for Audit at VA's Office of Inspector General. He is accompanied by Mr. Stephen Gaskell, Director of Central Office Audit Operations.

Mr. Gregory Wilshusen is the Director of Information Security Issues at the U.S. Government Accountability Office, and he is accompanied by Ms. Linda Koontz, Director of Information Management Issues.

STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT, ACCOMPANIED BY STEPHEN GASKELL, DIRECTOR, CENTRAL OFFICE AUDIT OPERATIONS DIVISION, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS' AFFAIRS; AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, ACCOMPANIED BY LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Miller. We thank you for being with the Subcommittees today; and, Mr. Staley, we will begin with you, please.

STATEMENT OF MICHAEL STALEY

Mr. Staley. Mr. Chairman and members of the subcommittee, thank you for the opportunity to testify today on the results of our reviews, which continue to address information security vulnerabilities in the VA and to report on the status of VA's implementation of our records.

I have with me today Stephen Gaskell, who served as a project manager on these IT audits.

We have conducted a number of audits and evaluations on information management security and information technology systems that have shown the need for continued improvements in addressing security vulnerabilities in VA and, as such, we have included IT security as a major management challenge for the Department in all of the major challenge reports issued since the fiscal year 2000.

In our annual financial statements we have reported VA information security controls as a material weakness since our fiscal year 1997 audit. Specifically, we have reported that VA's financial data and sensitive veteran medical and disability information are at risk due to vulnerabilities related to access controls, change controls, the need to segregate duties and the need to improve service continuity practices.

My IT security program auditors have identified and reported on significant information security weaknesses since 2001. All four of these annual audits have reported on similar issues, and the recurring themes in these reports are the need for a centralized approach and to achieve standardization, remediation of identified weaknesses, and accountability in VA information security.

For the Veterans Benefit Administration we have continued to report control weaknesses in access controls, physical security, electronic security and employee security. Our combined assessment program reviews continue to report security and access control vulnerabilities at VA regional offices where security issues were evaluated.

For example, at regional offices we have identified the need to strengthen physical security and access controls, procedures for providing employee security training and for obtaining background checks.

We have issued our most recent IT security program review in draft to VA for comment. While it is not our general practice to comment on draft reports before they are published, because of the extensive public interest in these information security issues, I have described the issues that VA is addressing in my written testimony.

In closing, I would like the committee to know the reviews of the VA's information security will remain a top priority for my office. We remain committed to reporting on the adequacy of IT security controls, and following up on actions taken by VA to strengthen these controls, we remain dedicated to the goal of protecting our Nation's veterans.

Mr. Chairman and members of the subcommittee, thank you again for this opportunity. I would be pleased to answer any questions.

[The statement of Mr. Staley appears on p.  ]

Mr. Miller. In the past, the IG has found some instances where terminated or separated employees retained access to critical systems identified at various locations.

Whose responsibility is it to ensure that former VBA employees don't have access to computer systems and information and such?

Mr. Staley. That is correct, Mr. Chairman. We have been finding that during our combined assessment program reviews. Access controls actually have been found during our financial statement audits and when we do testing during our FISMA reviews.

Mr. Miller. Can you tell who is making -- are they accessing or do they just have the ability to access?

Mr. Staley. They have the ability to access.

Mr. Miller. Are you finding that anybody is trying to access after the fact?

Mr. Staley. Not any specific examples I can give you at this time.

Mr. Miller. I would go to Dr. Boozman, but he will yield to Ms. Berkley. So Ms. Berkley.

Ms. Berkley. Cut out the middleman.

Let me ask you a question. According to your opening statement, this was a disaster waiting to happen, so I assume that you weren't overwhelmingly surprised when this theft occurred?

Mr. Staley. I would have to say that I think you are always concerned when something like this happens to -- whether it be one veteran or all of us veterans. I know myself, my data is also on that listing.

Ms. Berkley. My husband received his letter as well.

Had the VA implemented your recommendations, could this have been avoided?

Mr. Staley. It is very difficult to say whether this particular incident could be avoided. The issues that we have talked about for these many years have addressed network security issues, access control issues.

In response to this specific issue, we do have an administrative investigation ongoing which we hope to report on to the Department at the end of this month. And we will be asking for comments and hope to actually issue the report for you mid-July or so.

Ms. Berkley. During the prior two hearings on this topic, we heard a significant amount about the culture at the VA. This culture is characterized as entrenched and indifferent relating to IT projects.

Does VBA's fielding of VETS NET, a project that is in the works for over a decade now, relate to such cultural problems?

Mr. Staley. I think what we had been talking about is the 16 or so issues that we presented, before you really speak to the issue of standardization; and that can only be accomplished if the three administrations work collectively to address them as one voice.

Ms. Berkley. Is VETS NET the solution to the problems?

Mr. Staley. Well, VETS NET is a solution to an aging benefits delivery network system. I think -- of course, I joined the VA in 1971, and I believe Target 1 by Honeywell was just starting at that time, so it is 30 years, may even be 40 years old. We need to find solutions to replace these platforms, and VETS NET is attempting to do that.

We have not reviewed VETS NET, we have not studied VETS NET; we are waiting for this contractor to complete his review, which I believe is due this summer. But we have been overseeing the progress and getting briefings on the progress of VETS NET.

Ms. Berkley. Thank you.

Mr. Miller. Dr. Boozman.

Mr. Boozman. Thank you, Mr. Chairman.

Earlier we had testimony that VBA estimates that they will have full compliance in 2 years with the Federal Information Security Management Act. Do you feel like that is possible?

Mr. Staley. I feel for many of the issues that we have been identifying each year, the fixes are fairly dependent on vigilance. It is an issue of having very strong access controls, having your users only have information that they need information for. Many of these fixes can be done relatively soon.

For the bigger issues, such as VETS NET and replacing platforms, I do know that the Department is working on these major system initiatives; and I have seen their timelines and charts and whatnot. Some of them are out to fiscal year 2008, 2009 and 2010.

Mr. Boozman. As we move -- is that a "yes" or a "no"?

Mr. Staley. For many of them, a 2-year timeline is feasible. For platform replacement issues, I could not say.

Mr. Boozman. When you get into going from one extreme to the other, when you get into encrypting and things like that, will that slow down -- do you run into problems then with a slowdown of the systems?

Mr. Staley. That is one of the issues that the Department is facing with many of these aging systems and that they were constructed 30-some-odd years ago. From what the technicians are telling us, that could be a possible outcome to adding software that would encrypt data. So it is possible.

Mr. Boozman. Our current system, can it identify instances of large downloads of data?

Mr. Staley. It is my understanding that you can -- you will get a log of the time that someone is in a system but not necessarily what is being downloaded.

Mr. Boozman. Do you, in investigating this and being a part of it, do you see any accompanying legislation that we need to do for VA to help them in dealing with the problem?

Mr. Staley. Well, I am really not in a position to comment on new legislation. Obviously, from my audit perspective, compliance with FISMA and remediating the issues that we have identified is one issue. I do know that sometime in May, OMB issued instructions to all the agencies to take a strong look at the security issue, which I believe they are required to report in their next FISMA report in 2006.

Mr. Boozman. You mentioned security access and then also you mentioned background checks. So we have got the problem that we are dealing with in this regard, and then too, as far as the background checks, to actually -- even if you have those systems in place and having the appropriate people hired, what is the problem with background checks?

We learned at an earlier hearing that we have a physician that has a history of being a sexual offender. What's the deal?

Mr. Staley. From what we are seeing, it is a coordination problem from the point of the program office that that employee begins to work for, the HR division that is responsible for processing paperwork, and then the security and law enforcement. So it is the process of actually requesting these background checks timely, to get them done.

And then the Department has also discussed the fact that it does take time to do these background checks; but there are various tiers of background checks that can be performed, and some of them only require law enforcement, fingerprinting-type procedures, and others are far more extensive and they take more time.

Mr. Boozman. Does it make sense that all of our agencies -- again, Medicare, as they go to an all-physician record situation and stuff where all that is digitalized and things, does it make sense for the agencies to talk to each other and try and figure this out together versus spending millions of dollars independently?

Mr. Staley. It would make sense to communicate and work with as many agencies as possible.

Mr. Boozman. Thank you, Mr. Chairman.

Mr. Miller. If we could, Mr. Wilshusen, if you would proceed with your testimony.

STATEMENT OF GREGORY WILSHUSEN

Mr. Wilshusen. Chairman Miller, Chairman Boozman and members of the subcommittees, thank you for inviting us to participate in today's joint hearing on data security at the Veterans Benefits Administration.

The recent well-publicized security breach at the Department of Veterans' Affairs has highlighted the importance of good information security controls and protecting personally identifiable information not only at VA but throughout government.

As we have reported on many occasions, poor information security controls are a widespread problem that can have devastating consequences such as the disruption of critical operations and unauthorized disclosure of highly sensitive information.

Today, I will discuss the recurring security weaknesses that have been reported at VA, including those at VBA, what agencies can do to prevent breaches of personal information and the notification of individuals when such breaches occur.

Since 1998, GAO and the VA IG have reported on wide-ranging deficiencies in VA's information security controls, including the lack of effective controls to prevent individuals from gaining unauthorized access to VA systems and sensitive data. In addition, the Department had not consistently provided adequate physical security for its computer facilities, assigned duties in a manner that segregated incompatible functions, controlled changes to its operating systems, or updated and tested its disaster recovery plans.

These deficiencies existed in part because VA had not fully implemented key components of a comprehensive information security program, including the lack of centralized management and an approach for addressing security challenges.

Although VA has taken steps to improve security, its efforts have not been sufficient to effectively protect its information and information systems.
As a result, these remain vulnerable to inadvertent or deliberate misuse, loss or improper disclosure, as the recent breach demonstrates.

In addition to providing and implementing a robust security program, agencies such as VBA can better protect personally identifiable information by conducting privacy impact assessments that determine up front how personal information is to be collected, stored, shared and managed, so that controls can be built in from the beginning, by limiting access to the information and training personnel accordingly, and appropriately using technology controls such as encryption.

VBA officials have informed us that since the May 3rd incident they have taken, or plan to take, a number of steps to enhance protection of veterans' personal information. These include reviewing and recertifying user access to sensitive information, evaluating encryption technologies for transmitting and storing data, and requiring privacy and cybersecurity training for all VBA employees by June 30.

Although we have not reviewed these actions and cannot comment on their sufficiency or effectiveness at this time, they appear to be important first steps. However, the true test will be VBA's ability to fully implement and sustain appropriate protections over the long term.

Nonetheless, even with security and privacy protections in place, breaches can occur, particularly if enforcement is lax or employees willfully disregard policy. When such breaches occur, appropriate, sufficient, and timely notification to those affected has clear benefits, allowing people the opportunity to protect themselves from identity theft.

In summary, long-standing control weaknesses at VA have placed its information systems and information at increased risk of misuse and improper disclosure. Although VA has made progress in mitigating previously reported weaknesses, it has not taken all the steps necessary to address these serious issues. Only through strong leadership and sustained management commitment can VA implement a comprehensive information security program that can effectively manage risk on an ongoing basis.

Mr. Chairman, this concludes my statement. Ms. Koontz and I will be happy to answer questions.

[The statement of Mr. Wilshusen and Ms. Koontz appears on p.  ]

Mr. Miller. In terms of information security can you give us some type of a feel as to how VA or VBA fits within other agencies? Is everybody failing?

Mr. Wilshusen. No, everybody is not failing. One measure that would be important is the FISMA reports that agencies are required to submit to Congress and to the OMB regarding their implementation of the provisions of the Federal Information Security Management Act, or FISMA. Each year we perform an analysis of those reports, and we found that over the past 4 out of 5 years VA typically has ended up towards the bottom end of the scale whereas other agencies, particularly some of the smaller, single-mission-type organizations, tend to score higher. But what VA has done, too, is not dissimilar to other large complex organizations.

Mr. Miller. Do you have any role in seeing that your recommendations are implemented? Is there any follow-up at all with the reports that you make?

Mr. Wilshusen. Yes, there is. We follow up on all of our recommendations that we make, yes.

Mr. Miller. And when a recommendation is not followed then next year, you bring it up again and you follow it up and you do it again next year? It would seem pretty exasperating if that was what your job was year in and year out.

Mr. Wilshusen. We do find that agencies, including VA, do take some corrective actions to address specific weaknesses, but often they do not address the larger recommendations that relate to the underlying causes of those weaknesses.

For example, we have routinely reported -- again, we haven't done much work at VA for a number of years, but we would follow up and look at the underlying reasons that we felt dealt with not having a comprehensive information security program that has been fully developed, documented and implemented at the agency.

And so what that does is, while they may take corrective actions on specific technical findings that we identify, often what may happen is, they only correct them at the sites or the systems that we looked at and they don't look across the organization, across other similar systems, to take corrective actions on those same weaknesses.

Mr. Miller. Do they ever come back and say, this is a distraction, we can't deal with this right now, we have this other thing we are working on right here?

Mr. Wilshusen. Never in those blunt words. We often -- often they concur with our recommendations, and I think they try to take action. But sometimes it is a challenging endeavor for many organizations in the Federal Government because, one, the computing environment is very complex and the threats and the types of risks are constantly changing. It is a very dynamic environment.

There are challenges. But with appropriate and well-defined and executed information security programs, they can address those risks.

Mr. Miller. Thank you.

Ms. Berkley.

Ms. Berkley. Thank you. I wish that we would have had this panel before the first panel because I would like to have heard the first panel's response to some of your testimony.

Since May 3rd, have you detected any change in behavior or attitude with the VA?
In your opinion, do they recognize the seriousness of what has transpired \nand are moving to implement corrective action so this can\'t happen again?\n\n\nMr. Wilshusen.  We had one meeting with the VBA officials in order to collect \nsome of the information about actions that they have taken or plan to take in \nresponse to this incident.  Just from that one meeting it seems like they are \nvery concerned and are trying to take the actions, but again, the proof is in \nthe pudding.\n\n\nOnce the actions and policies have been decided and developed, they need to \nexecute and implement those.  That will take time and commitment over a long \nperiod of time.\n\n\nMs. Berkley.  So you had a meeting with the VBA officials, discussed with them \nwhat they need to do.  And now how do you follow up and make sure this is \nhappening?  Or is that not your job?  If it is not your job, whose job is it?\n\n\nMr. Wilshusen.  Actually, the work we do is, by and large, requested by_either \nrequested by Congress or congressional committees and/or mandated.\n\n\nWe have received several requests, and there have been some potential mandates \nproposed where we would do some work in this area, but we have not done any \nyet.\n\n\nMs. Berkley.  Perhaps Mr. Boozman is going to ask the question that he asked \npreviously, but what is it that_would you need any additional legislation from \nCongress, or how could we do our jobs better so that you can do your job \nbetter, and ultimately, VBA and the Veterans Administration can protect the \nprivacy of our veterans?\n\n\nMr. Wilshusen.  Well, with regard to information security, as Mr. Staley \npointed out, there is a law called the Federal Information Security Management \nAct of 2002, FISMA, and that provides a comprehensive framework for \nimplementing security throughout a Federal agency; assigns specific \nresponsibilities to the head of the agency, senior managers, to the CIO.  
In \naddition, it requires each agency to develop, document and implement an \nagency-wide security information program that contains several elements.\n\n\nThat law has, I believe, raised the level of attention given to information \nsecurity and provides a solid framework for agencies to follow in order to \nimplement better security.\n\n\nThe fact is that many agencies still have difficulty in fully implementing \nthose programs.  So I don\'t know if additional legislation is needed.  \nCertainly in terms of what we need to do in having been requested to go in and \ndo follow-up work, we can do that.\n\n\nMs. Berkley.  Thank you.\n\n\nMr. Miller.  Dr. Boozman.\n\n\nMr. Boozman.  Thank you.\n\n\nMr. Wilshusen, we talked earlier about H.R. 4061, and the approach the \ncommittee felt might be a little more effective by centralizing the system a \nlittle bit more than they are now.  As you work with the other agencies, can \nyou comment on that?  Is this something that you found to be effective or is \nthe decentralized approach better?\n\n\nMr. Wilshusen.  We haven\'t done a systematic review of the other Federal \nagencies in terms of their organization, of how the CIO is organized relative \nto the other program offices; but what we have found is that for information \nsecurity, centralization having a central management approach is preferable, \nbecause the interconnections between the systems and the types of policies and \nprocedures that are in place at one agency or component could have an impact \non other elements or components within that agency.\n\n\nSo we wholeheartedly endorse having a centralized managed approach to \nimplementing security at a Federal agency.\n\n\nMr. Boozman.  
As you deal with these problems system-wide, it does seem \nlike_again, with Medicare pushing hard to get electronic records, things like \nthat, that ability is far outpacing again the transition from where do we put \nthe charts, where do we put the records versus we can secure that, how do we \nsecure this other thing.\n\n\nWhat_in your experience, what agencies are doing a better job?\n\n\nMr. Wilshusen.  Well, certainly the use of electronic records and using the \ninterconnectivity of systems has brought tremendous benefits to Federal \nagencies in terms of being able to deliver government services to the people.  \nBut those same benefits and opportunities are subjected to and can create \nsignificant risks if adequate safeguards are not built into those \ntechnologies.\n\n\nWe have found that it is imperative that agencies consider and build security \ninto these systems from the very beginning throughout the entire life cycle, \nrather than trying to add them on as an afterthought.  They tend to be more \nexpensive and they tend to be less effective.\n\n\nSo certainly one of the things that agencies need to do when converting paper \nrecords to electronic records is think about and implement and design security \ncontrols up front.  \n\n\nMr. Boozman.  Is there a model agency out there?\n\n\nMr. Wilshusen.  I think that probably some of the different agencies have \nvaried experiences in doing this.  I don\'t know if there is a model agency per \nse in terms of implementing security on electronic systems.  At most of the \nagencies we go to, where we have done specific testing of the controls, we \ngenerally find weaknesses on each system or most of the systems we look at.\n\n\nMr. Boozman.  It doesn\'t make sense_again, I am harping on this.  It doesn\'t \nmake sense to me; I guess I am asking if it does to you.\n\n\nBut we want VA_and VA has done a good job of switching over; we want VA to be \nable to talk to DOD.  
We want Medicare_I think we will foresee a time where \nMedicare and VA should be talking to each other as far as medical records and \npharmacy records and all those kinds of things.\n\n\nBut it does seem like, in making things interoperable and in solving some of \nthese problems, you want more access to the records through all these different \nagencies.  But then how do you secure that access?\n\n\nIt does seem like that needs to be set up as you go along, as you just said, \nrather than trying to backtrack at some point and figure out how do we do \nthis.\n\n\nI guess my question is, how do you do that?  There doesn\'t seem to be much \ntalk among the agencies, so that_you really wouldn\'t comment on a model out \nthere, but I am sure there are some good ones that are better than others.\n\n\nHow do we get that done?\n\n\nMr. Wilshusen.  Well, one way is, what agencies need to do_and I believe there \nis a CIO Council that can meet to discuss issues that cut across different \nagencies.  And certainly this could be a topic for that council to start \naddressing, looking at government-wide security requirements that are needed \nfor these systems as they develop them.  So that would be one way, through \nthere.\n\n\nBut definitely what agencies need to do, as they develop their systems, is to \nassess the risks, categorize the type of information they are going to be \ncollecting and storing on those systems, and determine what the appropriate \nlevel of security over that information will be.\n\n\nMs. Koontz.  
If I can just add, from a privacy perspective, too, this is one \nof the reasons that we have emphasized the importance of agencies implementing \nthe privacy impact assessments which are required under the \nE-Government Act, and that is a way of looking at the implications of \ncollecting, handling and disseminating personally identifiable information in \nan agency and being able to build controls up front before the information is \ncollected and before the system is built.\n\n\nYou are absolutely right that once these things are done, it is very difficult \nto retrofit.  And I think that you are also right in that technology is \ncreating tremendous challenges for agencies in terms of balancing \naccessibility with security and privacy concerns; and I think there is a role \nhere for the Congress in terms of policy, as well as for agencies in terms of \nimplementation.\n\n\nMr. Boozman.  Thank you very much.\n\n\nThank you, Mr. Chairman.\n\n\nMr. Miller.  Dr. Boozman, any closing comments?\n\n\nMr. Boozman.  I appreciate your leadership in this area and getting the two \ncommittees together.  I think the VA is to be complimented in the sense that \nit has done a very good job of moving forward.  We pressed them hard to get \nthe records in digital format and things like that.\n\n\nSo we have done a good job that way, but we have lagged much, much behind and \nas we have talked about, having the security that goes along with that.  It is \nsomething that not only VA has got to work very hard on, but it is a \nsystem-wide problem.  Testimony mentioned the problems not only of the data \nbut having the right people there.  
\n\n\nSo there are so many things like this that we have really got to shore up not \nonly in the VA, but system-wide.\n\n\nAgain, I know that our Subcommittee, the Committee in general, in a very \nbipartisan way, is committed to doing whatever it takes legislatively to give \nthe agencies, in our case, specifically, the VA, the tools.\n\n\nThank you, Mr. Chairman.\n\n\nMr. Miller.  Thank you very much, also, for your leadership and again for a \nbipartisan approach.\n\n\nWe thank everybody for their testimony today.  While there has apparently been \nno identity theft that we are aware of, we all agree that the potential is \ngreat.  We must continue to work together to make sure that nothing like this \nhappens again, and while this information continues to be floating out there \nsomewhere, that nobody\'s credit or identity is harmed by what has happened.\n\n\nI appreciate everybody being here today.  Members will have 5 legislative days \nin which to add their statements to the record.\n\n\n[The statements appear on p.  ]\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n\nMr. Miller.  Without any further comment, this joint subcommittee meeting is \nadjourned.\n\n\n[Whereupon, at 11:54 a.m., the joint hearing of the subcommittees was \nadjourned.]\n\x1a\n</pre></body></html>\n'