[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
                           WHICH VA IT ORGANIZATIONAL
                          STRUCTURE WOULD HAVE BEST
                         PREVENTED VA'S MELTDOWN IN 
                          INFORMATION MANAGEMENT

                                HEARING

                                 BEFORE THE

                              COMMITTEE ON 
                            VETERANS' AFFAIRS


                        HOUSE OF REPRESENTATIVES


                          ONE HUNDRED NINTH CONGRESS


                                 SECOND SESSION

                                   JUNE 28, 2006

                 Printed for the use of the Committee on Veterans' Affairs

              
                              Serial No. 109-58



                      U.S. GOVERNMENT PRINTING OFFICE
25-454 PDF                    WASHINGTON  :  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government
Printing Office Internet:  bookstore.gpo.gov Phone:  toll free (866)
512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,
Washington, DC 20402-0001 










                         COMMITTEE ON VETERANS' AFFAIRS
                              STEVE BUYER, Indiana, Chairman

MICHAEL BILIRAKIS, Florida                       LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama                           BOB FILNER, California
CLIFF STEARNS, Florida                           LUIS V. GUTIERREZ, Illinois
DAN BURTON, Indiana                              CORRINE BROWN, Florida
JERRY MORAN, KANSAS                              VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana                      MICHAEL H. MICHAUD, Maine
HENRY E. BROWN, Jr., South Carolina              STEPHANIE HERSETH, South
JEFF MILLER, Florida                               Dakota
JOHN BOOZMAN, Arkansas                           TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire                       DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida                       SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio                          SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California                        TOM UDALL, New Mexico 




                        JAMES M. LARIVIERE, Staff Director








                                       (II)









                                    CONTENTS
                                    June 28, 2006
                                                            Page                          
Which VA It Organizational Structure Would Have Best Pre-
 vented VA's ``Meltdown'' In Information Management .....      
                                                               1

                             OPENING STATEMENTS

Chairman Buyer ...........................................     1
Hon. Bob Filner ..........................................     3
  Prepared statement of Mr. Filner .......................    50
Hon. Sam Farr (introduction of his constituent, Robert J. 
  Brandewie, Defense Manpower Data Center) ...............     4


                                WITNESSES

Gauss, Hon. John A., Ph.D., President and Chief Operating Of- 
  ficer, FGM, Inc. (former Chief Information Officer, U.S. De-
  partment of Veterans Affairs) ..........................     7
Prepared statement of Hon. John A. Gauss .................    59 
McFarland, Hon. Robert (former Assistant Secretary for Infor-
  mation and Technology, and former Chief Information Offi-
  cer, U.S. Department of Veterans Affairs) ..............     9
Howard, MG Robert T. (Ret.), Senior Advisory to the Deputy
  Secretary Supervisor, Office of Information Technology, U.S.
  Department of Veterans Affairs..........................    10
Prepared statement of Hon. Robert Howard .................    61
Brandewie, Robert J., Director, Defense Manpower Data Cen-
  ter.....................................................    12
Prepared statement of Mr. Robert Brandewie ...............   
Bresson, Jim, Vice President and Managing Partner, Gartner
  Consulting .............................................    14
Prepared statement of Mr. Jim Bresson ....................    73






                            (III)





WHICH VA IT ORGANIZATIONAL
STRUCTURE WOULD HAVE BEST PREVENTED
VA'S MELTDOWN IN INFORMATION MANAGEMENT
Wednesday, June 28, 2006
House of Representatives
Committee on Veterans' Affairs
Washington, D.C.





The committee met, pursuant to call, at 10:40 a.m., in Room 334, 
Cannon House Office Building, Hon. Steve Buyer [chairman of the 
committee] presiding. 


Present:  Representatives Buyer, Bilirakis, Boozman, Filner, Brown of 
Florida, Brown-Waite, Udall, Salazar, Moran, Stearns, Herseth.


The Chairman.  The full Committee of House Veterans' Affairs 
Committee will come to order June 28th, 2006.


Good morning, ladies and gentlemen.  This is the fourth full Committee 
oversight hearing on the recent theft of sensitive information 
belonging to as many as 26.5 million veterans and 2.2 million 
servicemembers and their family members from a VA employee's home in 
May of 2006.


We will receive testimony today from current and former Department of 
Veterans Affairs' Chief Information Officers. This testimony will help 
us examine the VA's information technology reorganization and review 
the Secretary's decision to move to a federated model versus a 
centralized approach recommended by VA's own consultant, Gartner 
Consulting, which is one of the most leading-edge technology companies 
and they are experts with whom we have consulted.


That judgment was also in the complete opposite direction to that 
which the House had recommended in the passage of legislation last year.


This hearing will also focus on institutional barriers to an 
integrated departmental policy on cyber security and to protection of 
sensitive personal data presented by VA's current IT organizational 
structure.


Further, we will examine the implication of information security as it 
 relates to the organization of VA IT.  As we examine information 
management and security, two federal statutes are of central 
importance, the Clinger-Cohen Act of 1996 and the Federal Information 
Security Management Act of 2002, more commonly known as FISMA.


The Clinger-Cohen Act created a Chief Information Officer for each 
federal agency.  As defined by the Clinger- Cohen, the CIO's 
responsibilities include:


One, assisting the agency head to ensure that IT is acquired and 
information resources are managed in a manner that implements the 
policies and procedures of the agency;


Two, developing, maintaining, and facilitating a sound and integrated 
IT architecture for the agency;


And, three, promoting an effective and efficient design and operation 
of all major information resources management processes of the agency.


This Committee's examination of VA's information management over the 
past eight years have clearly shown the extent and impact of 
information management decentralization at the VA.


The Department's CIO is not fully empowered to enforce policy and 
cannot fulfill either the letter or the intent of Clinger-Cohen.


In our questioning last week of Tim McLain, the VA's General Counsel, 
we saw how the Department's lawyers in 2004 gave the narrowest of 
possible interpretations of then Secretary Anthony Principi's 
decision to centralize IT authority.


The General Counsel's questionable opinion that his directive was 
outside the statutory authority of FISMA, I believe, was a 
contributing factor to the 16 unmitigated vulnerabilities.  I have 
referred to his legal opinion as a heterodox legal opinion.


The Federal Information Security Management Act or FISMA requires 
each agency to inventory its major computer systems, identify 
appropriate security protections, and develop, document, and 
implement an agency-wide information security program.


FISMA also requires an annual independent review of agency 
information security program.  This review assesses the effectiveness 
of the information security programs, plans, and compliance of FISMA.


The Office of Management and Budget is then required to compile a 
summary of federal government security performance and report to 
Congress on the implementation of FISMA.


In our hearing last week on academic and legal implications of the 
DA's data loss, I said the Department does not identify who is in 
charge of developing policy, implementing policy, or enforcing policy.


The March 2006 FISMA report confirms my statement, indicating VA 
received a grade of "F" in a category on establishing and following 
information security policy.


Today, despite evidence piled high over the years, the Department's 
refusal to get control of its IT systems undermines efficiency, 
threatens the security of sensitive information, and endangers 
patient safety, despite the fact of the unprecedented data compromise 
that has revealed much larger problems related to decentralization.


The centurions of the status quo in VA administrations, especially in 
its health administration, insist on protecting their turf, and 
veterans and families, I believe, could pay the price.


Today through the eyes of two former VA CIO's, Bob McFarland, 
Dr. John Gauss, we have unique opportunity to examine what occurred 
within the Department during the years that this evidence accumulated 
and was sadly disregarded by many who could have made a difference.


We also welcome General Bob Howard, the VA's Acting Assistant 
Secretary for Information and Technology; Robert Brandewie is the 
Director of Defense Manpower Data Center; and Jim Bresson is a 
Managing Partner and Vice President of Gartner Consulting.


Gentlemen, we thank you in advance for your willingness to be here 
and to contribute to these proceedings.  I believe your insights 
today will be extremely important.


I also would like to recognize in the audience today, we have 
veterans from the Merchant Marines of World War II. We thank you for 
your presence.  We welcome you to the Veterans' Affairs Committee 
room, and we thank you for your service to country.  You and your 
generation truly have made a difference in freedom of the world and 
you left liberty in your footsteps.


I would like you to know we have some votes that are now about to 
occur.  I will recognize Mr. Filner for an opening statement.  And 
then I would welcome the Merchant Mariners to meet.  There is a room 
directly behind.


And what I will have is when we leave, I will turn you over to Kelly 
Craven, our Staff Director.  Kelly is right here.  Kelly, if you will 
stand up.  And I will have Committee staff speak with the Merchant 
Mariners.


Mr. Filner.


Mr. Filner.  Thank you, Mr. Chairman, and thank you for your courtesy 
to the Mariners who are here.


As you know, many are in their late seventies and eighties, served 
our country in World War II, had the highest casualty rates of any 
service in the war.  And, yet, when the war was over, the GI Bill did 
not apply to them. And even later attempts to make up for a past 
injustice was not done.  They missed out on the college education 
provided by the GI Bill, purchase of homes.


As you know, Mr. Chairman, I have a bill House Resolution 23 called a 
Belated Thank You to our Merchant Mariners of World War II.  A 
majority of the Congress, over 260, have co-sponsored it.  A majority 
of this Committee has co-sponsored it.  And I think they would like to 
talk to you and your staff about trying to get a vote on that at some 
point in this Congress.


So I appreciate your courtesy, Mr. Chairman.  Am I recognized for the 
opening statement on this hearing?


And we will have votes and the staff of both Democrats and Republicans 
will be talking to you and we will try to join you later during the 
hearing.


Again, Mr. Chairman, your opening -- 


The Chairman.  Mr. Filner -- 


Mr. Filner.  Yes, sir.


The Chairman.   -- if I could do this by way of procedure.  Mr. Farr 
of California is here and he would like to introduce one of the 
witnesses here today.  Can we yield to Mr. Farr?

Mr. Filner.  Please.


The Chairman.  Can we do that for an introduction?


Mr. Filner.  I will be happy to.


The Chairman.  Mr. Farr.


Mr. Farr.  Thank you very much, Mr. Chairman and members of the 
Committee.  It is a pleasure for me.


I am a member of the Appropriations Subcommittee with this 
jurisdiction, the military quality of life and Veterans' Affairs.  
And we had a similar hearing yesterday. In that hearing, the Chairman 
was there and I appreciate this effort.


I want to just tell you that out in my district, I represent the former 
Ft. Ord, which is the largest military base ever closed in the United 
States, and out of that, the Department of Defense kept a Manpower 
Development Center there.  It is a center where all of the personnel 
information for all of the people in the military and their families is kept.


And it is available 24/7, and you get calls from all over the world 
from spouses wondering about healthcare insurance or about issues of 
family or soldiers or, you know, divorce status or all the kinds of 
data that one would have.  And that center has been leading in 
helping the Department of Veterans Affairs with their security issues.


And the fellow who has really done the work to keep this center a 
state-of-the-art, quality center in that is Robert Brandewie who is 
here as a speaker today.  He has developed the Defense Biometric 
Identify System which has centralized the database.  It integrates 
biometric and other information.


He has also received all kinds of awards and is now being considered as 
one of the four finalists for the 2006 Service to America Metal to be 
awarded in September.  And it is just a pleasure to have somebody with 
such high skills and such incredible accomplishments come and share 
what they are actually doing on the ground to help men and women in 
uniform.


So I thank you for allowing me to introduce my constituent to you and 
good luck with your Committee.


The Chairman.  Thank you very much, Mr. Farr.  We appreciate your 
work on Appropriations as you work with us to come to these solutions 
and be of assistance to the VA. So thank you for your quality work.


Members, we have one vote.  It is a motion to adjourn. I would like 
to recess the Committee.  When we return, then Mr. Filner will give 
an opening statement and we will proceed with testimony.


The Committee stands in recess for about seven minutes.


[Recess.]


The Chairman.  The Committee will come back to order.


Mr. Filner, you are now recognized for an opening statement.


Mr. Filner.  Mr. Chairman, since we have kept these people waiting 
through the vote, I am going to submit my statement for the record.  
I do agree with what you said and so I do not need to add anything.


I would just like to add one little remark, if I may. Mr. Chairman, 
Secretary Nicholson said that they are going to correct this problem, 
but we have to be patient.  And I think we know what he means by being 
patient, as you have been personally working on it.  It took the VA at 
least seven years to address this problem.


And during our May 25th hearing, you directed VA officials to submit a 
chronology, time lines of events related to the handling of 
information related to the data loss, and you asked it for about ten 
days.


I note that over one month has now elapsed since the breach, and we 
are still being asked to be patient to respond to your request.  We 
might think about directing VA to provide these time lines by the end 
of close of business today.  Maybe we should consider asking that they 
be prepared independently, have them signed under a perjury clause, 
witnessed and sealed by the Inspector General.


We should have these time lines not only from the panel that we met 
with on May 25th, but also from the witnesses scheduled for tomorrow. 
I think it is time to send a message that we have been patient long 
enough.


Thank you, Mr. Chairman.


[The statement of Bob Filner appears on p.  ]

**********INSERT**********


The Chairman.  Mr. Filner, all members that may have opening 
statements will be submitted for the record.  And I thank the 
gentleman for bringing that issue back to the Chair's attention.


I note that sitting in the audience is the Deputy Secretary, and if 
you could make sure that someone has that prepared.  Any questions on 
it, please be in touch with the Staff Director.  And if you could 
bring that with you tomorrow and submit it to the Committee.  
Someone, I am sure, has been working on it.


And I think that is probably the best way to handle that, Mr. Filner. 
Would that be acceptable?


Mr. Filner.  That is fine.


The Chairman.  All right.  Should not be any problem with that, should 
there?


Deputy Secretary Mansfield.  No.


The Chairman.  Okay.  All right.  With this panel, we have an Army 
veteran, Robert McFarland.  He served in the Vietnam War.  He was 
nominated by President George W. Bush to serve as the Assistant 
Secretary for Information and Technology in the Department of Veterans 
Affairs on October 15th, 2003, and was confirmed by the Senate on 
January 22nd, 2004.


Prior to his appointment, he served as Vice President of Government 
Relations for Dell Computer Corporation.  Mr. McFarland left the 
Department of Veterans Affairs on May 18th of 2006.


We will also hear testimony from Dr. John Gauss who served 32 years 
in the United States Navy.  Following his retirement, Rear Admiral 
Gauss was nominated by the President and confirmed by the Senate to 
serve as the Assistant Secretary for Information and Technology and 
Chief Information Officer for the Department of Veterans Affairs from 
August 2001 through June 2003.


Rear Admiral Gauss transitioned from government service to the private 
sector accepting a senior position with Science Application 
International Corporation in September of 2003.  His primary focus at 
this company was the Olympic C41 Security Project considered critical 
for safe and successful 2004 Summer Olympic Games in Athens, Greece.


In January of 2005, Admiral Gauss founded Gauss Consulting Services 
and in February 2006, he joined FGM, Incorporated as the company's 
President.


We will also hear testimony from Major General Howard. General Howard 
is the Acting Assistant Secretary for Information and Technology and 
Acting Chief Information Officer at the Department of Veterans Affairs.


We will also hear from Mr. Brandewie who currently serves as the 
Director, Defense Manpower Data Center, Field Activity, reporting to 
the Office of the Secretary of Defense, Personnel and Readiness.  He 
is responsible for the oversight of the largest and most comprehensive 
automated personal database in DoD, management of a dozen major 
operational DoD programs, and supervision of a multi- disciplinary 
staff of approximately 800.


Recently he led the DMDC efforts to redesign the Department's medical 
benefits and entitlements database for the new TRICARE system, to 
design and field a comprehensive web authentication capability for 
the Department of Defense, to develop and field an identification 
card and biometric- based force protection system now widely deployed 
throughout the world, and to design and develop and field the common 
access smart card as the new DoD identification card. Currently more 
than ten million have been issued.


Pronounce it Bresson?


Mr. Bresson.  It is actually Bresson.


The Chairman.  Bresson.  Jim Bresson is the Vice President of Gartner 
Consulting where he was the managing partner for U.S. Department of 
Veterans Affairs within Gartner's USA Federal Consulting Practice.  
He is based in Arlington, Virginia, and his responsibilities for 
Gartner Consulting involve business development, associate 
development, and engagement and delivery.


We look forward to your testimony, and we will start with you 
Dr. Admiral Gauss.  Which do you want, Dr., Admiral, Secretary?


Admiral Gauss.  John is fine, sir.


The Chairman.  All right, John.  Proceed.


Do all of you have written testimony?


Admiral Gauss.  Yes, sir.


The Chairman.  All of you do, even  --  Mr. McFarland, do you not? 


Mr. McFarland.  No.


The Chairman.  So Mr. Brandewie, Dr. Gauss, Major General Howard, and 
Mr. Bresson, all of you have written testimony.  It will be submitted 
for the record.  Hearing no objection, so ordered.


You are now recognized, John.


STATEMENTS OF HON. JOHN A. GAUSS, PRESIDENT AND CHIEF OPERATING 
OFFICER, FGM, INC., (FORMER ASSISTANT SECRETARY FOR INFORMATION AND 
TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF 
VETERANS AFFAIRS); HON. ROBERT MCFARLAND (FORMER ASSISTANT SECRETARY 
FOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, 
U.S. DEPARTMENT OF VETERANS AFFAIRS); MG ROBERT T. HOWARD (RET.), 
SENIOR ADVISOR TO THE DEPUTY SECRETARY SUPERVISOR, OFFICE OF 
INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
ROBERT J. BRANDEWIE, DIRECTOR, DEFENSE MANPOWER DATA CENTER; 
JIM BRESSON, VICE PRESIDENT AND MANAGING PARTNER, GARTNER CONSULTING; 
ACCOMPANIED BY JOE CLARKE, DIRECTOR, GARTNER CONSULTING 


STATEMENT OF JOHN A. GAUSS 


Admiral Gauss.  Thank you, Mr. Chairman.  Good morning to members of 
the Committee.  Thank you for inviting me here today to discuss the 
important issues related to the Department of Veterans Affairs' 
information technology reorganization efforts.


I would like to provide the Committee with some background information 
to help in understanding the thought process that goes into the 
remarks that follow.


At the time of my confirmation hearing as the VA's Chief Information 
Officer, the Department was faced with many challenges, including an 
ever-expanding IT budget, programs that were defined in a stovepipe 
manner due to the lack of an enterprise architecture, programs that 
were consistently overrunning budget, behind schedule, failing to 
meet their performance parameters.


The Department was faced with implementing a comprehensive cyber 
security program and having to implement an executive oversight 
process which was a recurring deficiency in many GAO audits.


As a result of the above and as presented in my opening statement 
before the Senate Veterans' Affairs Committee on 2 August 2001, 
during my confirmation hearing, I stated that I had five strategic 
objections:


First, complete the enterprise architecture road map for the future; 

Two, integrate the disparate telecommunications networks to improve 
performance and responsiveness for our veterans;


Three, implement a strong information security program and 
infrastructure;


Four, create a program and project management process to oversee and 
help information technology program managers deliver products that 
meet requirements, are delivered on time, and stay within budget;


And, finally, establish information technology metrics to 
continuously measure our ability to meet our veterans' needs.


Although implementing a strong information security program is listed 
as number three in the above list, it was my number one priority. 
Establishing a comprehensive enterprise architecture and integrating 
the telecommunications networks will place higher in the order since 
I believe they are prerequisites to attacking the cyber security problem.


During my 32 years in the Navy, I learned to address organizational 
issues by using the following simple thought process:


First, define the problem to be solved;


Second, define the optimal yet affordable solution to the problem; 


Three, define what work should be accomplished by government and what 
work should be performed by industry and then organize to implement.


Given the problems and strategic objectives defined above, I concluded 
three things:


First, all IT programs and IT related activities affecting the three 
administrations and the central office should be centrally managed at 
the Department level with funding located in the departments and not 
the administration's budgets, specifically enterprise architecture, 
cyber security, telecommunications networks, corporate data centers, 
any program with the above characteristic that would result from 
developing a comprehensive enterprise architecture such as VA-wide 
registration and eligibility and a central call center, and, finally, 
all IT programs under the auspices of any VA central office code;


Second, all development activities related to individual 
administration of IT programs should be managed at the Department 
level and funded from the Administration budget because they are the 
ones who have the business requirement for the program;


And, third, the operations and maintenance of in- service IT systems 
directly related to mission execution within an Administration should 
be managed by that Administration subject to a comprehensive budget 
and funding execution approval process with ultimate authority for 
approving the expenditure of funds residing in the Office of the CIO.


I recognize that the above conclusions are not consistent with 
current thinking, but I would respectfully ask the Committee to 
consider the following:


Without a central management of the development activities, how will 
the Department ever implement a comprehensive, enterprise-wide 
enterprise architecture to eliminate duplication, to 
cross-functionally  integrate the business processes, and ultimately 
slow or stop the growth of the Department's IT budget?


I hope this information will help the Committee in its deliberations. 
Thank you for the opportunity.  I stand ready to answer questions.


The Chairman.  Thank you very much.


Mr. McFarland, you are now recognized.


[The statement of John A. Gauss appears on p.  ]

**********INSERT**********


STATEMENT OF ROBERT MCFARLAND


Mr. McFarland.  Thank you, Mr. Chairman.


Although I have no prepared statement, I have had the privilege to 
appear before this Committee on many occasions over the last two plus 
years.  Our discussions have always been frank, and I have 
appreciated this Committee's support in my previous efforts to bring 
the VA's information and technology infrastructure into the 21st century.


I am honored to be here today and would be pleased to answer any 
questions this Committee may have regarding my experiences while 
Assistant Secretary and CIO at the Department.


The Chairman.  You sound like a man that has been at a trout stream.


Mr. Filner.  Explain it to us city guys.


The Chairman.  Explain it to a city guy?


Mr. Filner.  Yeah.


The Chairman.  Well, you know, he worked at the Department for a long 
time.  He took a break.  He got jammed while he was there for a 
while. He went to a trout stream to gather his mind, and we have 
pulled him back to Washington, D.C.  He is not too excited about being 
back in Washington, D.C.  And he says I will show up, but that does 
not mean I have to give a statement.  And if you want to ask any 
questions of me, go right ahead.


Mr. Filner.  Thank you, sir.


The Chairman.  So that sounds like a man with a clear mind that has 
been to a trout stream.


Mr. Filner.  All right.  Now I get it.  Thank you.


The Chairman.  You got it?


Is that about right, Mr. McFarland?


Mr. McFarland.  That is pretty close, sir.


The Chairman.  All right.  Thank you.


General Howard, you are now recognized.


STATEMENT OF ROBERT HOWARD 



General Howard.  Mr. Chairman and members of the Committee, good 
morning.  Thank you for your invitation to discuss the Department of 
Veterans Affairs' information and technology reorganization plan and 
the recent data loss incident.


First a short update on the VA IT realignment.  The VA IT system 
model has been developed and approved.  The key focus is to transition 
the IT community to operate within a management system that separates 
the development and operations and maintenance domains.


VA will establish required business practices and processes that 
harmonize the oversight and budgetary responsibilities of the Office 
of the CIO, the functionality of the domains, and business 
relationships of the IT service provider and the customer for all IT 
activities across the entire VA.

As background, in an executive decision memo dated October 19th, 2005, 
the Secretary of the Department of Veterans Affairs approved the 
concept of a new IT management system for the VA.  This decision to 
move to a new management construct was made to correct long-standing 
deficiencies in the current decentralized IT management system.


The concept separates the IT community into two domains, an operations 
and maintenance domain that is the responsibility of the Assistant 
Secretary for Information and Technology and a smaller application 
development domain that is the responsibility of the administrations 
and staff offices.  Although the domains are separated, the VA CIO 
will retain oversight responsibilities for all VA IT projects.


As Secretary Nicholson testified at the House Appropriations Committee 
hearing yesterday, the long-range plan is to also centralize the 
application development domain under the CIO.


The new VA IT management system will clearly enhance the Department's 
ability to strengthen the protection of sensitive information.  With 
all information security officers reporting to the CIO under this new 
management system, the CIO will be able to:


One, create and operate the agency-wide information security program;


Two, establish information security policies and procedures and 
control techniques for the agency which when followed will ensure 
compliance with all of the above requirements;


Three, to train and oversee personnel with significant 
responsibilities for information security;


And, finally, assist senior agency officials concerning their 
information security responsibilities including the analysis process.


The VA IT system model was developed as a framework for the future IT 
management system.  The principal elements of the model include the 
following:


Definitions of the roles, responsibilities, and initial boundaries 
between the operations and maintenance domain and the application 
development domain.  And this includes determination of business 
needs and priorities.


Although the domains are separated, the model prescribes procedures 
between the domains in order to provide the CIO with oversight and 
budget responsibilities for all VA IT projects.  It also provides the 
authority, delegation of authority, and governance structure and 
process for the conduct of all VA IT related business.


The model also contains key IT service delivery business process flows 
and sample scenarios to illustrate how domain activities are 
coordinated by these process flows.  These flows must be clearly 
defined to reflect the critical interdependence of business 
applications and the performance of the IT infrastructure.


Finally, the model contains a recommended "to be" organization for 
the Office of the CIO designed to balance the tactical needs of 
operating a complex infrastructure as a shared service with the 
strategic needs of aligning IT resources to best meet the mission 
requirements of the Department.


Transitioning now to the recent data loss incident, as you are aware, 
the Secretary initiated several recent actions to tighten our privacy 
and data security programs.


On May 24th, the Data Security Assessment and Strengthening of 
Control Program was established to provide a high priority, and much 
more focused effort to strengthen our data privacy and security 
procedures.


The two principal objectives of this program are to first reduce the 
risk of a reoccurrence of incidents such as the recent data loss and 
second to remedy the material weakness reported by the Inspector 
General.


There are three phases to this effort:  Assessment, strengthening of 
controls, and enforcement.  We are almost through the assessment phase 
and have actions underway in the other two phases as well.


On May 26th, the Secretary issues a directive that requires the top 
leadership to instruct all VA managers, supervisors, and team leaders 
of their duty and responsibility to protect sensitive and confidential 
information.


In this memo, the Secretary also announced that he had convened a task 
force of VA senior leaders to review all aspects of information security 
and make recommendations to strengthen our protection of sensitive 
information.


One of the first tasks of this group is to complete an inventory of all 
positions requiring access to sensitive VA data and to complete that by 
the end of June.


This past Monday, we began a Security Awareness Week at all VA 
facilities.  We are emphasizing training and privacy and cyber 
security for all employees.  We require all VA employees, contractors, 
and volunteers to complete both cyber security and privacy training 
annually.

Normally employees are required to complete this training by September 
30th of each year.  However, given the recent incident, the Secretary 
has directed that this be accomplished by the end of June.

We will be conducting a department-wide inventory of laptops to ensure 
that they carry the encryption and other cyber security software 
necessary to ensure remote access users are operating in a safe and 
secure environment.  This effort is on hold, however, due to several 
class action lawsuits.  It will continue once legal clearance is 
obtained.

Finally we are reviewing all policies, directives, and handbooks 
related to privacy, cyber security, and records management to ensure 
they are accurate, clear, and focused. All of these efforts will 
provide for a more secure environment for sensitive data used in the 
VA.

Mr. Chairman, that concludes my statement.  Thank you for the 
opportunity to appear before you today.

The Chairman.  Thank you very much.

Mr. Brandewie, you are now recognized.

[The statement of Robert Howard appears on p.  ]  

**********INSERT**********


STATEMENT OF ROBERT BRANDEWIE 


Mr. Brandewie.  Mr. Chairman and members of the Committee, thank you 
for the opportunity to appear before you today to discuss the data 
exchanges between the Department of Defense and the Department of 
Veterans Affairs.

Our center is a central repository of automated human resource 
information in the Department of Defense, and we have been actively 
engaged with the DVA on most of the personnel information flowing 
between the two departments. These exchanges are very basic to 
providing an improved experience for the veteran and also for 
coordination of benefits between the two departments.

It is important to note that these exchanges have been ongoing for 
more than 25 years.  The purpose of the data exchanges between DVA and 
DoD are twofold:  To provide information to the DVA on currently
serving and recently separated individuals who are eligible for DVA 
benefits and services, and to competently administer programs in both 
agencies that benefit servicemembers, former servicemembers, and their families.

These data exchanges can be categorized as follows: Data for 
administering educational benefits, active duty and selected Reserve, 
Montgomery GI Bill; data for administering insurance programs, 
specifically veterans group life insurance; data for epidemiological 
studies and for assessing post-war illness; data for coordination of 
benefits and prevention of fraud, waste, and abuse; and data to 
estimate veteran population and expedite delivery of benefits.


Data exchanges with the VA, although long-standing, have expanded in 
breadth in recent years.  And an effort to consolidate the exchanges 
began in earnest about three years ago.  Close cooperation and 
increased exchanges of information have also received encouragement 
from the Congress and the Administration.

For example, the President's management agenda directed efforts to 
make the transition from DoD to the DVA seamless, and I quote, 
`` Transition should be seamless from the veterans' perspective and 
could be made seamless through data sharing between VA and DoD as well 
as within VA.''

Public Law 108-136 established an interagency Committee known as the 
DVA DoD Joint Executive Council to direct joint coordination and data 
sharing efforts between the two departments.  DoD believes there is 
great value to current servicemembers and veterans in the close 
cooperation evidenced by these data exchanges that has developed 
between DoD and the Department of Veterans Affairs.  However, it is 
equally important that the exchanges are done with utmost attention to 
security to ensure no unauthorized disclosure of information.

The DVA has been a partner with us in the implementation of secure 
transfer between the two agencies. In that regard, we have continued 
to improve that process and add security to this data transfer process.

My organization did the work to assess the impact of the recent data 
breach on currently serving active duty, Reserve, and Guard members.  
We continue to work on mitigation efforts with respect to the 
compromised information.

In spite of this tragic loss, it is important to reinforce the point 
there are many benefits to current data exchanges between the two 
departments.  They are done securely and they result in better 
service and better benefit delivery for servicemembers and veterans.

Mr. Chairman, I thank the Committee for the opportunity to report on 
data exchanges between DoD and DVA and would welcome the opportunity 
to answer any questions.

The Chairman.  Thank you very much.

[The statement of Robert Brandewie appears on p.  ]  

**********INSERT**********

The Chairman.  We have another vote, just one vote. It is a procedural 
vote.  So we are going to have to stand in recess for about seven 
minutes, and we will return.


[Recess.]

The Chairman.  All right.  The hearing will come back to order.

The Chair now recognizes Mr. Bresson for his statement.


STATEMENT OF JIM BRESSON 


Mr. Bresson.  Mr. Chairman, Mr. Vice Chairman, and members of the 
Committee, I appreciate the opportunity to participate in today's 
hearing regarding the Department of Veterans Affairs' information 
technology reorganization plan and VA's decision to pursue the 
federated model.

I am a managing partner within the consulting division at Gartner, the 
leading provider of research and analysis in the global IT industry.  
I am accompanied today by my colleague, Joe Clarke, Director with 
Gartner Consulting, who is the lead subject matter expert in the 
methodologies we employed in our most recent consulting engagement 
for the VA.

Unlike many of our competitors, Gartner does not offer IT systems or 
software implementation services that would compromise our 
independence and objectivity.  It is our objectivity combined with 
our past performance at the VA that was the basis for Gartner 
Consulting being selected to convert our originally recommended 
centralized model to a federated model at VA leadership's direction.  
I was the lead consultant for this effort.

In December 2005, the Assistant Secretary for IT directed Gartner 
Consulting to determine the best approach to implement a federated 
model for VA.  Our focus was on ensuring that the VA's federated model 
would yield a blueprint for implementation that incorporated the 
seven critical dimensions to achieving a higher performing IT 
organization at the VA.  Those seven dimensions are:

One, organizational structure, the structure in which the IT 
organization delivers value at a risk level that is tolerable to the 
Department and best supports its one VA mission;

Two, processes, the critical IT processes, their interfaces, and their 
dependencies required for IT delivery across the Department;

Three, roles, the IT management practices, responsibilities, and 
accountabilities required for IT delivery, what VA associates need to 
do to deliver IT value;

Four, IT services, the necessary IT capabilities that are valued and 
readily understood by the VA's business community, not just the IT 
community;

Five, guiding principles, the IT policies that establish focus, 
governance, and the decision-making fabric within and between VA's IT 
and business communities;

Six, performance management, the definition of IT performance 
objectives and success criteria and high-level analysis of IT 
performance relative to peers in government, insurance, and healthcare 
delivery;

Seven, culture and norms, the changes required in the underlying culture 
and norms to effect improved IT management behaviors.

In my written testimony, I have provided details about how Gartner 
Consulting derived roles and responsibilities and simulated scenarios 
to illustrate for VA's consideration how the federated approach would 
work within VA's environment.

It is important to note as we have in our intermittent engagements with 
the VA that organizational structure alone is not the silver bullet.  
It is just one dimension of necessary change to the existing IT 
organization at VA.

There is a tendency for government agencies to want to jump straight to 
organizational structure alone when seeking to initiate and drive 
change.  Encouraging desirable IT management behavior is less about 
structure and is more about relentless focus on strategy and execution.


Gartner research and our engagement results indicate that the VA must 
allow for a balance between line of business autonomy and common 
enterprise-wide needs.  VA's desired end state is not small change.  
It will require overt, firm, sustained action and persistent messaging 
supportive of the change from all levels of leadership across the 
Department.

What will be critical is sustaining the focus of executive leadership 
in seeing this change through and realizing improved IT performance.  
Whether VA leadership will achieve the desired end state in an 
expeditious manner may be less important than whether they are able to 
successfully institutionalize the federated IT management system.

I firmly believe that VA leadership is taking the right steps forward.

Mr. Chairman, Mr. Vice President, and members of the Committee, this 
concludes my statement.  Thank you again for the opportunity to 
discuss such an important matter to support our veterans.  I would be 
pleased to respond to any questions that you or other members of the 
Committee may have at this time.

[The statement of Jim Bresson appears on p.  ]  

**********INSERT**********

The Chairman.  Well, I would like to pick up right where you left off. 
I firmly believe the VA is now taking the right steps.  You have to 
reconcile that.  You have to reconcile that with the testimony that 
Gartner Consulting gave to this Committee and your recommendation for 
a centralized model that was stiff-armed by the VA.

You are a consultant to the VA; are you not?

Mr. Bresson.  We have been a consultant on occasion to the VA.  We 
are --  

The Chairman.  Are you a consultant to the VA right now?

Mr. Bresson.  We are currently not under engagement with the VA.

The Chairman.  Okay.  And were you hired in as a consultant to the VA 
with regard to the federated approach and its implementation?

Mr. Bresson.  Yes, we were.

The Chairman.  Do you anticipate future work with the VA?

Mr. Bresson.  I would like to anticipate future work with the VA, yes, 
sir.

The Chairman.  And would your future anticipation to work with the VA 
have anything to do with your last statement before this Committee?

Mr. Bresson.  Not at all, sir.  Not at all.

The Chairman.  Then reconcile your testimony, sir.

Mr. Bresson.  Okay.  I believe, as I said earlier, that organizational 
structure is one dimension.  The work that we did in converting the 
model that was recommended last spring, 2005 that is, to the federated 
model dove down deep into processes, roles, services, principles, 
performance management, and culture and norms.

And in constructing that model, we identified for the VA what path 
forward they should take in order to make this adhere in their 
environment.  And I believe that from that model they are stepping 
toward that direction heeding what we advised them to do.

The Chairman.  Does Gartner Consulting as a company still stand by its 
recommendation to the United States Congress that the VA centralize, 
have a centralized model for IT management?

Mr. Bresson.  We do stand by that, sir.

The Chairman.  In your written testimony to the Committee, I note that 
you have a quote in here, `` Given the poor state of the VA's IT 
investment management process and the stated demand to drive benefits 
over a shorter horizon, we recommended the centralization option to 
maximize the opportunity to create value for our veterans.''

You stand by that statement today?

Mr. Bresson.  Yes, we do, sir.

The Chairman.  Okay.  Now, Gartner has given this statement, calls it, 
``The poor state of VA's IT investment management.''

Well, now I am going to turn to Dr. Gauss and Mr. McFarland.  Can you 
explain to me why Gartner Consulting would call it a poor state of 
investment management when, in fact, both of you were the managers?

Admiral Gauss.  Mr. Chairman, I really have no idea why that finding 
was uncovered.  I can speak to the time between July of 2001 and June 
of 2003.

When I first became CIO, our capital investment control process for IT 
was poor.  And with a focused effort and working with the Office of 
Management and Budget, within one year, we turned around our process 
from a budget submission to OMB of about a five percent first pass 
acceptance to about a 95 percent first pass acceptance.

And after I departed VA, there was a substantial gap before 
Mr. McFarland became CIO.  And during that interval, I know I do not 
know what went on at VA and I am not sure whether Mr. McFarland does.

The Chairman.  Mr. McFarland, what are your thoughts with regard to 
that statement?

Mr. McFarland.  Sir, I believe that we continued the enterprise 
information board environment that Dr. Gauss started which was to 
review the individual development projects and sustainment projects.  
But our biggest issue was not making the decisions over which 
investments were good investments, although where I came from, we 
dealt with ROI, which is a difficult thing to do in the government 
because it is not the same as it is in the private sector.

But what we had a problem with was the use of the funds, and this, as 
you know, is something I was focused on for quite a while, which was 
to change the budget environment.

So when you use the words poor state of investment management, I 
think what Gartner was trying to say is that you may pass at an 
executive level a project spin plan and a project budget, and then the 
dissemination of that money and the use of that money in many cases 
which is not being able to be tracked and followed through the chain 
as it is used out in the field.

And I think that to me was the area where I felt the investment 
management process was failing, in the budget itself and the expense 
of the money, because we were never sure that the money was spent on 
exactly what it had been appropriated for.  And to me, that, I think, 
is what Gartner was trying to say when they said part of the issue of 
poor investment management process.

The Chairman.  To Mr. Bresson, I want you to know that we recognize 
that a movement to cure is more than just about structure.  We 
recognize that.  But we also have painfully recognized over the years, 
and we have embraced the testimony that Gartner had given to this 
Committee and the counsel that they gave to the VA prior to their 
judgment on which option to choose.

The reason we do focus on structure and lines of authority is that as 
we do the forensics here of trying to put this together in 
understanding what went wrong, we cannot move to cure until we create 
the right structure with the proper lines of authority so that we know 
who has authority to do what, who has the tools to do what.

And so that is kind of why we are focusing on those kinds of things 
at the moment.  We recognize culture and many other things that you 
also had testified to.

The ROI mentality, Mr. McFarland, that you brought to the VA, we have 
no objections to that at all because we are looking out at the 
interest of taxpayers, had to deal with the pains that you did with 
regard to the core FLS and the vets net.

And there is a reason that we here in Congress wanted the development 
side under your gentlemen's authorities. And we understand that they 
fight against that, and we recognize that there are crucibles out 
there for initiative and that your job is not to say no to that, but 
just to make sure that it is all compliant under the one architecture.

Gentlemen, we are considering many things in our packages.  So what I 
would like to do here today, we want to do some forensics, we want 
your opinion on cure.  What are your thoughts that if we were to, in 
our package we are to elevate the position of the CIO to an Under 
Secretary?

Mr. McFarland?

Mr. McFarland.  I would think that would be a good move, sir.  I 
believe that in this day and age, the VA like any other agency simply 
cannot do business for its veterans without an IT infrastructure.

The Chairman.  And then if we make the CISO a Deputy Secretary right 
under the CIO as an Under Secretary?

Mr. McFarland.  You mean an Assistant Secretary, sir?

The Chairman.  Assistant Secretary, yes.

Mr. McFarland.  I certainly would applaud those moves because I think 
that the infrastructure that runs the VA today in its current state is 
an IT infrastructure and it is important enough that given the past 
history that those moves would certainly help.  It would give the CIO 
an equal seat at the table with the main administrations to be able to 
provide the service that keeps the business running.

The Chairman.  Admiral Gauss?

Admiral Gauss.  Mr. Chairman, I think your idea is an excellent one.  
And if I may, I have been associated in management positions in the 
last 14 years of government service where I have had the opportunity 
to observe how Chief Information Officers can be effective not only 
at the Department of Veterans Affairs but in other parts of government 
as well.

Without the Chief Information Officer being elevated to the status of 
Under Secretary or Under Secretary equivalent, the CIO does not have a 
seat at the table at any department within government, and the 
founders or the people who created the Clinger-Cohen Act will continue 
to be disappointed in results until such a bold action is taken.

I would highly endorse your suggestion, sir.

The Chairman.  Thank you.

Mr. Filner.

Mr. Filner.  Thank you, Mr. Chairman.  Thank you for putting together 
this panel.  I learned a lot today.

Mr. Chairman, you said you cannot move to a cure unless certain steps 
were taken, and I would include in those steps at least a recognition 
of the problem and get out of a sense of denial.

Every time Mr. Howard referred to what happened on May 3rd, the 
incident.  I do not know if you have been out in the field talking to 
veterans, but they are scared to death. You got 26 million or more 
people worried about identity theft.

We have had testimony here that if it was a professional has the data, 
and there are some circumstances about the theft that may lead to that 
conclusion, it may be a year before they even know that their identity 
has been stolen.

So we have a major disaster here.  And until you guys start calling it 
that, I do not think we are going to get the kind of response that we 
need.

So I hope you folks in the front row there will take that message back 
to the Secretary, that if he is in a state of denial still, although, 
I do not know, it took a week to hear the other news, maybe he will 
not get this message by tomorrow.

Dr. Gauss, you started, your opening sentence was quite an indictment 
of this situation.  Could you just read that for me again or did you 
have that written out?

Admiral Gauss.  Yes, sir.  At the time of my confirmation hearing --  

Mr. Filner.  No, no.  Before that.  I think it was the first sentence.  
You outlined the situation as you saw what was --  

Admiral Gauss.  Yes, sir.  That was at the time of my confirmation --  

Mr. Filner.  Oh, okay.

Admiral Gauss.   -- the Department was faced with -- 

Mr. Filner.  Okay.  Right.

Admiral Gauss.   -- an ever-expanding IT budget, programs that were 
defined in a stovepipe manner due to the lack of an enterprise 
architecture, programs that were consistently overrunning budget, 
behind schedule, and failing to meet their performance requirements, 
was faced with implementing a comprehensive cyber security program, 
and having to institute executive-level oversight process as a result 
of a recurring theme of GAO reports.

Mr. Filner.  I mean, I would like to ask a very generalized set of 
questions that maybe several of you can respond to.  I mean, that is a 
cultural indictment, and I would like to know if it still exists as 
you see it, Mr. McFarland?  Has it changed?  Why hasn't it changed?  
What did you think of the polyanna statement by Mr. Howard, everything 
has changed and we are moving forward?

And I might just for Dr. Gauss, I was not at the hearing, but I think 
at one hearing where Chairman Buyer said to you, would you like to 
have centralized line control of the system, and I guess you had to 
say no at that time. I do not know if that was your personal opinion 
or OMB's opinion because I think they had to approve your statements 
here.

But if you can go back from that statement, and has anything changed 
since you have left?  Does Mr. Howard's statement sound right to you?  
I mean, and what needs to be changed for it to come true?  Please, and 
then Mr. McFarland if he can.  Get him off the trout stream there.

Admiral Gauss.  Let us see.  I am really not qualified to discuss what 
has happened recently because my knowledge of what has happened is 
what I have read in the newspaper and in preparing for this hearing, 
material that I found on the VA web site.

Mr. Filner.  But you were there for a couple years.

Admiral Gauss.  Yes, sir.

Mr. Filner.  So did it change while you were there?

Admiral Gauss.  During that time -- 

Mr. Filner.  You mentioned one major thing.

Admiral Gauss.  For the record, sir, all of the testimony that I gave 
in front of this Committee was my testimony.  It was the truth.  I was 
not influenced by OMB or my senior --  

Mr. Filner.  They did not have to be approved?

Admiral Gauss.  I am sure it had to be approved, but I held no punches 
and I spoke my views.

Mr. Filner.  We did have testimony at an earlier hearing of one of, I 
think, your successors, Mr. Brody, right, who said, because I asked 
him, he said that he could not say what he wanted to say because it 
was approved by OMB.  So that seemed to be the procedure.

Admiral Gauss.  I stand by today -- 

Mr. Filner.  Okay.  Thank you.

Admiral Gauss.   -- the testimony that I gave in front of the 
Subcommittee at the hearings for which I participated.

Now, from a cultural perspective -- 

Mr. Filner.  Did I get that right that you said no to Mr. Buyer when 
he said would you like to have the centralized control?

Admiral Gauss.  I believe that in my answer, I qualified it along the 
terms of what I had in my opening statement, that I felt that the 
development activity should be centralized.  The CIOs should have the 
authority over all development activities, but that the operations and 
maintenance of the products that were deployed to the field should 
still be distributed within the administrations.

And a little bit of the background, we are all an invention of our 
past.  And having served for 32 years in the Navy, I look at the model 
that is proposed today and it equates to allowing commanding officers 
to develop their command and control capability, but, yet, to operate 
it, maintain it, and fix it, you have to go back to the Pentagon.  And 
somehow that just does not seem right based on my experience.

As far as the culture goes, there were cultural impediments at VA that 
precluded making progress while I was there.  Specifically at the 
executive level, there was commitment to have reform, but there was 
not commitment to effect the type of change necessary to make that 
reform.

When you find you are broke, the processes and procedures you operate 
under are not going to fix you because if they would, you would not be 
broke in the first place.  So change was fundamental, but the attitude 
was fix it within the current process.

Second, the VA concurrence process is onerous.  In my testimony in 
September of 2002, I talked about a memo the Secretary had signed in 
August directing the centralization of IT activities.  I testified in 
front of the Subcommittee that we put a team together to build a plan 
and it would go to the Secretary by November of 2002.  That did not 
happen. It took until May to get it done because the VA concurrence 
process waters everything down to the lowest common denominator in 
which people can agree.

I was told one time I could not offer a differing view because nothing 
goes to the Secretary without the principals concurring.

And, three, the financial management of the programs, the money is 
distributed into the Administration budget, at least it was during the 
two years I was there, for such things as enterprise architecture, 
cyber security, the data networks, all of the infrastructure things 
needed to run, the machinery needed to run the IT at the Department 
and for the administrations, and it was left to my office to have to 
get the money from the administrations in the year of execution.

The budgets should reflect the execution because at the end of the 
day, the real organization follows the flow of the money.  And with 
the money spread in execution, it is very difficult to get the 
resources one needs to execute the job.

Mr. Filner.  Okay.  That was pretty clear.

Mr. McFarland, would you concur or do you have anything to add to 
that?

Mr. McFarland.  I do concur with Dr. Gauss on the state of what he 
left was pretty much what I found when I got there.  I believe the VA 
has moved forward in doing some things that will make the job easier.

With the help of this Committee and Congress, there is now a 
consolidated budget, although I would tell you that I was disappointed 
that the budget contained only nonpay dollars and not the full budget. 
I will be frank about that.  That does allow better oversight over the 
spend. There is now under this federated model at least a 
consolidation of the infrastructure.

And where I might disagree with Dr. Gauss a little bit, I do believe 
that the infrastructure has to be consolidated because I believe that 
if you do not consolidate the infrastructure under the CIO, then all 
you will do is be involved with directives and guidelines over policy 
of privacy and security.

Without control of that infrastructure, technical control of that infrastructure, you cannot ensure that the environment is safe.  So I 
would disagree.  I believe the infrastructure should be consolidated 
and that not only --  all those assets need to be under a single 
control.  The --  

Mr. Filner.  Mr. Howard, are you heading in that direction or not?

General Howard.  Sir, with respect to the operations and maintenance 
domain, we are.  And as I indicated in my testimony --  

Mr. Filner.  Wait, wait.  He just said something very clear.  He said 
control of the infrastructure.

General Howard.  Yes, sir.

Mr. Filner.  Is that what you are talking about or not?

General Howard.  With respect to the operations and maintenance infrastructure, that is correct.  The data centers --  

Mr. Filner.  But he was not restricting it like you are.  I mean, he 
did not have any qualification over infrastructure.  What other part 
of the infrastructure there is?  Development?

General Howard.  Development is not included in the -- 

Mr. Filner.  Why not?

General Howard.   -- IT organization that has currently been approved.

Mr. Filner.  That is the point, Mr. Howard.  I am saying should it be 
in that?

Mr. McFarland, did you include what he said, operations, maintenance, 
and development in the consolidated structure --  

Mr. McFarland.  Under the current plan -- 

Mr. Filner.   -- infrastructure?

Mr. McFarland.  Under the current plan -- 

Mr. Filner.  I do not even talk the language you do, so I am trying 
to get this.

Mr. McFarland.  I understand.  Infrastructure to me does not 
include development.  Infrastructure is the basic assets and people 
necessary to provide the IT service to the community.

In the current federated model, that infrastructure is supposed to be 
consolidated under the CIO.  And the administrations and staff offices 
become users of that infrastructure.  I strongly believe you cannot 
allow the infrastructure to be managed by administrations and staff 
offices.

Mr. Filner.  So explain to me the differences in federated model and 
the centralized model.  I mean, what --  

Mr. McFarland.  The difference -- 

Mr. Filner.   --  is included in one and not the other?

Mr. McFarland.  The difference under the Gartner scenarios that were 
developed is only one issue, that the applications development, 
the development of new products to serve the needs of veterans in each 
of the administrations and staff offices, whether it be a financial 
system or whether it be a medical system, the development of those 
products, application development, is done in the federated model by 
the administrations.  Everything else is managed by the CIO.

In the centralized model, all of that would be managed by the CIO.  And 
what would happen would be the staff offices and the administrations 
would provide the specifications and requirements for their needs to 
the CIO who would then go to the marketplace and develop those 
products for them.

Mr. Filner.  And you agree that that is okay?

Mr. McFarland.  I am sorry, sir.

Mr. Filner.  We got word directly from the Secretary about what 
Mr. Howard should say, so maybe you should read the note for us, 
Mr. Howard.

The Chairman.  Mr. McFarland, to be responsive to the question, I think 
it would be that do you concur with the centralized model that 
development should be under authorities of the CIO?  I think that is 
where Mr. Filner was getting to.

Mr. McFarland.  I have been on record from day one as being preferring 
the centralized model.  I have agreed to support the federated model 
when I was in office because that was the recommendation of the agency 
and it was candidly the best I could get.

Mr. Filner.  And give me again as concise as you can why --  you 
defined the federated --  you gave us a clear explanation, but why 
would you prefer the centralized?  I mean, what did it do that the 
other did not?

Mr. McFarland.  I believe you have to have control over development.

Mr. Filner.  Well, that is what I asked you at the beginning, and you 
said no.  I asked what did consolidation of infrastructure mean, and 
you said operation, maintenance, but not development.  Now you are 
saying development should be.

Mr. McFarland.  Let me define infrastructure for you, sir.

Mr. Filner.  Okay.

Mr. McFarland.  Infrastructure is the assets and people that provide 
IT services --  

Mr. Filner.  Okay.

Mr. McFarland.   -- provide the electrons to anyone who uses those 
electrons, your e-mail, your whatever, no matter whether you are a 
doctor, a benefits coordinator, whatever, the users of those 
workstations.  That is the infrastructure.

The development of product is actually the generation of new code --  

Mr. Filner.  All right.

Mr. McFarland.   -- to run applications.

Mr. Filner.  And both should be under the CIO in your preference?

Mr. McFarland.  It has been my professional -- 

Mr. Filner.  Okay.

Mr. McFarland.   -- opinion that they should be consolidated --  

Mr. Filner.  Okay.

Mr. McFarland.   -- under one environment.

Mr. Filner.  And so they are going in a different direction than that 
right now?

Mr. McFarland.  They are using -- 

Mr. Filner.  All right.  That is all.

Mr. McFarland.   -- the federated model, yes.

Mr. Filner.  Thank you.

Thank you, sir.

The Chairman.  Mr. Bilirakis, just as a follow-up, if I may.

Mr. Bresson, Gartner Consulting, you are consulting to the leading top 
100 companies in the world; are you not?

Mr. Bresson.  Yes, sir.

The Chairman.  Are there any of these companies that you are a 
consultant to in the world of these companies ever take the 
development side outside the --  to take the development outside the 
authority of the CIO?

Mr. Bresson.  Indeed there are, yes, sir.  And I think one of the 
nuances to the federated model as it may exist in commercial and 
outside of public sector is that while development may remain outside 
the CIO's control, in order for those products to run on the 
infrastructure, they still must, you know, pass through the wickets 
and be certified to run on that infrastructure.  So there is a 
transfer.

The Chairman.  Thank you.

Mr. Bilirakis.

Mr. Bilirakis.  Mr. Chairman, virtually everything has kind of been 
covered on a detailed basis.  If this continues on, it is just going 
to continue to make work for us and take us away from being concerned 
about healthcare and about claims processing and things of this 
nature. Somewhere along the line, it has got to be solved.

Let me ask.  My impression is that all testimony, I mean, for --  it 
goes all the way back, not just this Administration, the prior 
Administration and Administration before that.  All testimony before 
coming before Congress has to go to OMB; is that correct?  Does 
anybody know?  That is true, right?

General Howard.  [Nods head affirmatively.]

Mr. McFarland.  [Nods head affirmatively.]

Mr. Bilirakis.  Okay.  So this is not something that is new.

Dr. Gauss, you prepared your testimony.  Of course, obviously, OMB 
does not tell you what to respond to when you are asked questions from 
the panel up here.  But you prepared your testimony for today, and 
then there is a process?  It went up the line, did it, up through 
the --  

Admiral Gauss.  [Shakes head negatively.]

Mr. Bilirakis.  No?  Where does your testimony go?

Admiral Gauss.  As a private citizen -- 

Mr. Bilirakis.  You are a private citizen, right. All right.  I am 
going to go to General Howard.  Forgive me for doing this.  Getting a 
good opportunity for this old Staff Sergeant to talk to a Major 
General.

General Howard.  It has to go through OMB, sir.

Mr. Bilirakis.  Has to go.  All right.  But does it go up the line 
through the VA first --  

General Howard.  Yes, sir.

Mr. Bilirakis.   -- before it goes to OMB?

General Howard.  Yes, sir, it does.  General Counsel- -

Mr. Bilirakis.  Do you like that as a former General officer?

General Howard.  Sir, it was probably the same way in the Pentagon, 
although I cannot remember.

Mr. Bilirakis.  Yeah, I will bet.  I will bet.

General Howard.  But that is the process.

Mr. Bilirakis.  You know, what is happening here is, you know, we have 
got a Veterans Administration that I have always had very high regard 
for.  When I came to Congress 24 years ago, there was one committee 
that I specifically fought for.  I guess I did not have to fight too 
very hard, but the point is I wanted to get a VA Committee, and I did 
24 years ago, first day one.

And Mr. Buyer may not know this, but when our side came up with this 
idea of grading committees, certain committees are considered A 
committees, B committees, C committees. The rule was that if you had 
an A committee, you could not serve on any other committee.  And the 
Veterans Committee was considered other than an A committee.

And so Energy and Commerce was considered and still is considered an A 
committee.  And the deal was if you wanted to stay on an A committee, 
you had to give up any other committees.

I let it be known that I would be glad to give up Energy and Commerce 
if I could keep Veterans Committee. That is how much I feel about this 
Committee and that is why I get awfully frustrated and angry 
sometimes when we get partisan here and throw stones at each other, 
which is something we did not used to do on this Committee.  But that 
is besides the point.

The point here is that activity like this, promises made to Congress 
on record and whatnot and not kept on what, you know, contract on IT 
was to be awarded June the 10th and contract work was to be started on 
June the 15th of this year of 2006 when, in fact, that has not taken 
place, that is the result of testimony before this Committee back in 
March of this year.

Other things.  We have gone through hearing after hearing.  We have 
had round-table discussions, everything on IT, and still do not see 
very much progress being made.  I mean, that hurts the image of the 
Veterans Administration.

And, you know, we would like to hear from the veterans, complaints 
about maybe healthcare, about their claims, or something of that 
nature.  And what we are hearing is they are concerned about privacy 
and the lack of privacy and their concern about what might happen to 
their personal situation as a result of what has transpired.

Mr. McFarland, you came aboard with a heck of a background, a 
tremendous IT background.  You were given a certain responsibility.  
Was your background respected in the VA?  Now, you should be free to 
respond here.

Mr. McFarland.  Yes, sir.  I never got a feeling that my background 
was not respected.  I think I felt I brought a business acumen to the 
VA --  

Mr. Bilirakis.  Yeah.

Mr. McFarland.   -- which I think was -- 

Mr. Bilirakis.  All right.  But -- 

Mr. McFarland.   -- somewhat new, and I think it was respected 
certainly in the beginning.  I am not sure --  

Mr. Bilirakis.  In the beginning.  What happened -- 

Mr. McFarland.   -- if it is respected today.

Mr. Bilirakis.  What happened after the beginning?

Mr. McFarland.  Well, I think whenever you embark on change, you are 
going to run into culture.  I have said many times I did not believe 
that a majority of the issues at VA were so much about technology as 
they were about culture.

Mr. Bilirakis.  Yeah.

Mr. McFarland.  It is a long-standing history of decentralized 
management.  And when you bring a business acumen that says you want 
to centralize many of those management functions, I think you run 
into cultural problems.

But that being said, I do not think anyone disrespected my 
background.  I never had --  

Mr. Bilirakis.  Well -- 

Mr. McFarland.   -- anybody chastise me for it, so -- 

Mr. Bilirakis.  Yeah.  I do not think anybody would have done that, 
but I am not referring to that obviously.  I am referring to --  I 
mean, were you paid attention to?  Were you taken seriously in terms 
of some of the changes as a result of your actual background and 
experience and that sort of thing?

Mr. McFarland.  Oh, I think I was taken very seriously, sir, on many 
occasions.  I do not think it was ever an issue of taking me 
seriously.  It was that the problem was the disagreement over the 
change.

Mr. Bilirakis.  All right.  So you were taken seriously, but there 
were disagreements?  Some people disagreed with you?

Mr. McFarland.  Yeah.

Mr. Bilirakis.  General Howard, you know, here we are.  And the 
Chairman's idea of legislation, basically upgrading the CIO position 
and whatnot is a good idea.  But here we are trying to micro manage.  
And damn it, we should not be doing that.  And, yet, we feel that we 
almost have to from the questions that have been asked here, 
detailed-type questions for crying out loud.

We should not have to be concerned with something like that, I do not 
think.  And, yet, we are because we see a process that just is not 
moving.  It is not progressing the way it should be.  And then, of 
course, these errors such as the loss of those files.

General Howard, your testimony had to be cleared, but your responses 
to us are not cleared, do not have to be cleared.

General Howard.  No, sir.  That is correct.

Mr. Bilirakis.  All right.  Now, you are a General Officer.  Are we 
going to fix this?

I mean, Mr. McFarland mentioned the word culture.  He knew darn well 
that I was going to mention culture because I talked about it 
constantly during our past hearings.  There is a culture there.  There 
is a turf thing there that exists up here, too, and I am the first one 
to admit that.  If I had to say the one thing that bothers me about 
the Congress is the turf, turf fighting, and committees' jurisdictions 
and things of that nature.

What do you think?  Are we on the right path here?  Are we going to 
fix this?  Are we going to be as proud of the VA in terms of IT as we 
are on our work on healthcare and the Spinal Cord Injury Center, for 
instance, Haiti Hospital in Tampa?

There was a young lady here with Pfizer who lives down in that area 
and who volunteers there one day a week.  And as I went out to vote, 
she was boasting to me about the great work that they do.

I mean, there is a lot of pride there.  But the pride does not exist 
as far as IT is concerned.  Respond to that.

General Howard.  Sir, there is, first of all, no question that this 
can be fixed.  Obviously we cannot predict the future.  But in my 
mind --  

Mr. Bilirakis.  What do you mean by that?

General Howard.  You said will we fix it.  We can fix it and we are 
heading in the right direction.  There is no question about that.

The issue regarding centralization is still, you know, full 
centralization, that is, including the development domain, is still on 
the table.  But I think based on the Secretary's testimony yesterday, 
that also will be centralized.  And he went public with that yesterday 
during the Appropriations hearing.  I think that is a very important 
aspect of it.

Can we do it right away?  My personal opinion is we should not.  We 
are already very deep into moving the operations and maintenance and 
consolidating that.

In the contract you refer to, you are correct.  That was delayed due 
to contracting procedures, but that is ready to be signed.  If it is 
not signed today, it will be in the next few days to bring in the 
contractor who is going to help us further refine the details of the 
current approved IT reorganization.  But as the Secretary mentioned 
yesterday, he is going to take the next step.

Mr. Bilirakis.  All right.  You said something, you mentioned 
contract procedures, delays as a result of the contract procedures.  
Should those procedures in your opinion be changed?

General Howard.  Sir, those are typical government procedures.  It 
just takes time to work through that.  I did not see anything really 
out of line.  It just took longer than we thought.  I mean, we 
followed all of the procedures. We had written proposals.  We had oral 
presentations and a thorough review.

The last reviews that had to take place were with General Counsel and 
the Contracting Office.  You know, I got an e-mail this morning that 
indicated those are complete.

So there is no reason why this contract should not be signed.  And 
that will be a very significant piece to what we are discussing today 
because they will come in, this contractor will come in and help us 
refine the processes and procedures under which we should operate.

Mr. Bilirakis.  Are we going to pay attention to them?  Are we going 
to --  

General Howard.  Sir, we are going to pay a lot of attention to them. 
And the fact of the matter is, you know, we have already detailed 
4,600 people to the Office of Information and Technology.  And that 
detail will become permanent on the 1st of October.

Sir, that is in effect as we would refer to in DoD, that is a field 
operating agency.  That is not a staff section.  That is a large 
number of people, and we are now in the process of organizing them, 
delivering the guidance, an important subset, for example, of the 
Information Security Offices that exist throughout the VA.  There is 
slightly over 300 of them.  They are now under my control.

You know, we are the ones that issue them instructions, that give them 
the training, that develop their careers, all of that.  Bob McFarland 
did not have that, but we do.  And that alone is very helpful in terms 
of improving our information security.

Mr. Bilirakis.  Well, I am reminded by staff that this was said 
something like last October that it was going to take place, and here 
it is what, June, almost July of the next year.

General Howard.  Yes, sir.  It happened in April, sir.  That is --  

Mr. Bilirakis.  In April.

General Howard.  That is when the detail took place. But to sort of 
summarize, I am fully confident that we can fix this problem.  Clearly 
it is an organization issue, but it is more than just moving the boxes 
around.

As Gartner mentioned, processes are very important and probably more 
important than anything else is the leadership and the emphasis we 
place upon the whole enterprise.

Mr. Bilirakis.  Yeah.  Just my last question.  What say you to this 
culture thing that has been admitted to over a period of time in the 
VA?

General Howard.  Sir, I have been in the VA just a little over a year. 
I came out of the private sector. There is a culture issue.  And one 
of the reasons for that, I think we all know that we are operating 
with an agency that is very decentralized.  And you cannot fix that 
overnight.  I mean, that has to be done over time.  We need to put 
more emphasis on it.

But, again, under Dr. Kaiser, it was deliberately decentralized and 
the result of that, quite frankly, was more effective healthcare.  I 
mean, it was, you know, innovation in the field and all of that.  And 
in many ways, that is a good thing.  What we probably did not do is 
maintain sufficient controls over that decentralization.

Even in the Army, you know, you can encourage innovation and to a 
degree decentralization, but you have regulations and clear directives 
to make sure that things are followed correctly.

And one comment on directives.  The business about are we going to fix 
this.  Sir, one first step, a major first step is to publish very 
clear directives.  I have only been in OI&T a little over a month and 
clearly that is a problem. Bob McFarland had difficulty with that.

And no longer guidelines and handbooks and all of that. Our policies 
need to be in very clear directives with signatures on them so that 
people are very clear about what they --  

Mr. Bilirakis.  Yeah.  That seems natural.  Why did Mr. McFarland have 
trouble with it and why do you say that it is going to be difficult?  
I mean, why?

General Howard.  Sir, I do not see that difficulty anymore.

Mr. Bilirakis.  All right.  Why was it -- 

General Howard.  It took us less than a week to publish 6504.  In 
fact, the Deputy Secretary was a co- signature on it along with 
myself.  And 6500 is another very critical directive that we are 
currently working on.

Mr. Bilirakis.  Yeah.

General Howard.  And there are more.  We cannot rely on memos and 
guidance that is not signed out and approved at the very high level.

Mr. Bilirakis.  Will enforcement exist?

General Howard.  Sir, on the enforcement part, I mentioned in my 
testimony that we have established an overarching program to address 
these issues, the Data Security Assessment and Strengthening of 
Controls Program. This is an overarching program sanctioned by the 
Deputy Secretary.  We have a very detailed list of actions that must 
occur.  In fact, we would be happy to brief this Committee at any 
time.  There are a lot of things that need to be done.

As I mentioned to you, there were three phases to it. The last phase 
is enforcement.  And to give you an example, I think in the area of 
enforcement, one of the most important things we can do is improve our 
audit and inspection capability.

As an old Army guy, if you roll into an organization and you do not 
have a good inspection program, you got a problem right from the 
very beginning.  And we do not have that right now.  We have some.  We 
have the IG, of course.

But within OI&T, for example, it is relatively small. It is nowhere 
near as robust as it needs to be.  And along with that capability 
needs to be the authority to go anywhere within the VA, knock on the 
door, and walk in and see what is going on.

Sir, I know you are laughing, but we need that and it needs to be 
robust.  And you know what I am talking about. You are talking 
about unit inspection programs.

Mr. Bilirakis.  I am not sure why the Chair is laughing.  I think 
because he is happy.

But we had testimony what, last week from the counsel that you did 
not have the authority, the enforcement authority.  Am I wrong there 
or do you have it?  Do you feel that you have it?

General Howard.  Sir, right now I have certain authority as a result 
of the approval of the IT organization up to this point.  For example, 
in the area of information security, I own these people.  I am 
responsible for telling them what to do.  I have the authority to 
discipline them.

What I do not have is the authority to discipline somebody in VHA.  
I do have the authority to lay out the policies and regulations that 
must be adhered to.  And if the VHA folks, for example, do not 
discipline someone who violates these policies, you know, then it is a 
matter for the tenth floor, you know, the Secretary level.

Now, I will say that so basically within what has already happened, I 
do have some authority.  Now, with respect to additional authority, 
there is a memo being debated right --  not debated.  It is being 
finalized and reviewed by the Secretary, regarding further delegation 
of authority.  It has not been signed yet.  He may talk to that 
tomorrow.  But there is more to come on that issue.

Mr. Bilirakis.  Well, I know I have taken much more time than I should 
have.  Thank you, General, gentlemen.

Mr. Chairman, we all have suffered through an awful lot of frustration 
here.  I yield back whatever time.

The Chairman.  Well, Mr. Bilirakis, this is a challenge.  It has been 
a challenge for us for a long time.

And I am smiling whenever I can hear you talk about authority.

Back in 2002, Ms. Carson asked you, Dr. Gauss, a direct question, are 
you the man in charge.  That is exactly how she asked it.  And you 
said, yes, ma'am, it is me.  Very close.  You may have been in charge, 
but you did not have a lot of authority in reality.

And that is what also then we learned with your successor, Mr. 
McFarland.  He was in charge.  The Secretary even wrote a directive, 
and then that is undercut by a General Counsel in his interpretation 
of FISMA that says that you have responsibility, but you do not have 
authorities.

General, reflecting upon your days in the United States Army, pretty 
hard for you to have received responsibility to ensure compliance, but 
then you have no authority to accomplish a mission.  You are to take 
the hill.  You are to ensure compliance of having taken the hill, but 
you have no authority to give orders to anyone.

That is why I use the form heterodox, because it is totally against 
everything in our society.  So my challenge with the Office of the 
General Counsel, it is how you get to yes.  How do you get to yes?

You do not create these odd anomalies that then has a detrimental 
impact upon an organization.  We figure out how we get to work 
together and pull in the same direction, not to create these 
divisions and as someone had earlier testified to as decentralizations 
of mass dispersions, equate to mass dispersions in the VA.

So that is why I am smiling.  I am pleased that the VA is moving 
toward that direction with regard to lines of authority.

I now recognize Ms. Herseth.

Ms. Herseth.  Thank you, Mr. Chairman.

Let me just follow-up on the line of questioning of Mr. Bilirakis and 
some of the comments that the Chairman just made.  And I appreciate 
the testimony that you have offered, written testimony that I had a 
chance to review and some of your oral testimony today that in the 
light of the vote, some of us missed.

But I just want to make sure that we have turned a corner and that we 
will be able to confirm some of this further with the Secretary 
tomorrow.  But the Chairman says, you know, how do we get to yes.

It is sort of like what we say to members of our staff here in 
Washington or back home serving constituents.  You know, it is one 
thing to move the ball down the field and get to the five yard line, 
but they all need to get it over the line.  It is not just about 
getting it close.  It is getting it there.

And in the questions that Mr. Bilirakis posed to Mr. McFarland about 
how you were received given your background, your experience when you 
arrived at the VA, you felt that, you know, you brought this business 
acumen, it was respect, but there was disagreement then based on the 
proposals of centralizing the IT function.

And then in response to the question posed to you, General Howard, 
about once we get the contractor, are you going to pay attention to 
them.  You said, yes, you are going to pay attention to them.

But what if there is disagreement with how they are advising to refine 
the processes?  Have we turned the corner to say now that the 
Secretary has made the decision to centralize, we have got the 
contractor that is going to be in place, are we behind that now?  It 
is not about disagreement anymore?  It is about simply executing 
and implementing the recommendations of refining the processes?

General Howard.  Ma'am, I cannot say there will never be 
disagreements.  I mean, you are always likely to run into that.  But 
my feeling right now is those have been greatly minimized.

Ms. Herseth.  May I interrupt?  Even if there is disagreement, though, 
you are right.  There is going to be disagreement.  But despite the 
disagreement, are we going to just rehash the disagreement and --  

General Howard.  No.

Ms. Herseth.   -- push back on the contractor about the 
recommendations or is it, you know, we disagree, but your job was to 
advise us, recommend, now we are going to implement the 
recommendations?

General Howard.  We have turned the corner.  There is no doubt in my 
mind about this.  Just the reassignment of people alone, you know, 
including the empty spaces that have been given to us upon the 
insistence of the Deputy Secretary.  He says do not just move the 
people.  We want the spaces, too, so that we can flesh out this 
organization in the correct manner.

So everything that I see from our leadership is heading in the right 
direction.  There is no doubt in my mind about that.

Ms. Herseth.  Okay.

General Howard.  But to execute is going to require very strong 
leadership and determination right down until when you finally take the 
hill, sir, you are right.

Ms. Herseth.  And authorities, right, General Howard? So do you 
feel --  

General Howard.  And the authorities.  And as I mentioned, a very 
important delegation memo is currently being worked and --  

Ms. Herseth.  Great.  We hope to see that soon and to ask the 
Secretary about it tomorrow because that was again a line of 
questioning we pursued last week with the General Counsel who kind of, 
I felt, was trying to have it both ways by reiterating his 
interpretation of FISMA, but then talking about certain options the 
Secretary had to delegate certain authorities.

And it was just really hard to pin him down on whether or not he was 
trying to allow his interpretation of FISMA to trump what these 
reserved powers that could be delegated from the Secretary.

So I hope we have turned the corner there, that we are getting very 
close, that we are moving in the right direction, but not just moving 
in the right direction and down the field, but that delegation exists 
to get us to score the goal.

Let me move to a different line of questioning.  Mr. Brandewie, we 
have also in past weeks in different hearings gone into what is 
happening in other federal agencies with the relative organization of 
the CIO.

Are there some weaknesses?  Are there strengths that we should be 
evaluating to assist us with the Department of Veterans Affairs' 
situation?

I know that the Chairman has asked for a GAO investigation and report 
on other interpretations of FISMA by other General Counsels and 
different agencies.

And so in your statement, you note that the DMDC is at the center of 
most of the human resource information flowing between DoD and the 
Department of Veterans Affairs.  Under the definition in FISMA, is 
DMDC considered a strategic security system?

Mr. Brandewie.  No, ma'am, it is not.  The data sources for the 
information that flows to the VA are not classified as national 
security systems.

Ms. Herseth.  Okay.  So it does not contain information about security 
clearances and military job codes?

Mr. Brandewie.  No, it does not.  If I could just comment in a little 
more detail.  The information that goes to the VA starts out very 
skeletal.  I mean, it is just the basic identification information.  
It grows as events happen in a servicemember's life.

For example, they become eligible for Montgomery GI Bill is a good 
example.  Then we add information on that program and feed it to the 
VA.  So the information that goes from DoD to VA is basic 
identification and then programmatic information.

Ms. Herseth.  Okay.

Mr. Brandewie.  It is not national security information.

Ms. Herseth.  I appreciate your responses and it relieves me of some 
of the concerns there.

However, let me just ask this question.  I know the Chairman is 
interested whether, you know, based on your responses that it does not 
include national security information.  But over the course of a 
servicemember's lifetime as that information grows, you know, how do 
you feel about data sharing with an agency system plagued by such 
vulnerabilities as we know the Department of Veterans Affairs' system 
has been?

Mr. Brandewie.  Well, I mean, naturally we are concerned.  I mean, we 
are concerned because of the massiveness of the scale.  Essentially as 
came out in the data breach, a vast majority of our active duty and 
Reserve members' information potentially was compromised in the data 
breach.

However, in our data use agreements with the VA, we require 
security evaluations be done on the recipient systems.  They have 
been studious about doing that.  I know they are rereviewing a number 
of the systems right now to make sure that they are, in fact, meeting 
the security requirements.  And so we have to in a partnership sense 
rely on our partner in the VA to maintain security in the system, but 
we all remain concerned.

One fix that we have been pursuing actually began under Admiral Gauss 
is to consolidate the feeds that go from DoD to VA and try and 
minimize the kind of proliferation of data throughout the agency.  And 
by concentrating that information, I think we can concentrate our 
efforts to make it more secure and protected.

Ms. Herseth.  I agree.  But I think a very important first step, 
especially in light of the concern that as it does get spread out 
more, you then have the potential of employees within the different 
administrations --  well, just the potential for more possibilities of 
compromise, I should say.

One last line of questioning, if I might pursue that, Mr. Chairman.

The Chairman.  Yes, ma'am.

Ms. Herseth.  And I think, Admiral Gauss, you answered part of this 
question when you were talking about the VA concurrence process and 
that you were told at one point within the chain of command, so to 
speak, in the VA that you could not go to the Secretary with some of 
your concerns unless it was consistent, unless it meant these 
concurrence principles.  And, otherwise, if things got watered down to 
the point that some of your concerns were inconsistent with the 
minimum threshold of what it was watered down to that it was hard for 
you to reach the Secretary with those concerns.

So my question is for Mr. McFarland and for you, Admiral.  Last week, 
Bruce Brody, who was a former Associate Deputy Assistant Secretary for 
cyber and information security at VA, testified before the Committee.  
And he explained that while he served in that capacity, he was not 
permitted to speak openly about many of the problems associated with 
VA's management and information security.

So during each of your tenures as Chief Information Officer for DVA, 
were you ever instructed by the Secretary or other senior Department 
officials to withhold from members of Congress any concerns you held 
regarding the Department's information system?

Admiral Gauss.  Let me start since Bruce worked for me first before he 
worked for Bob.

I was never instructed nor did I direct Bruce to withhold information 
from Congress.  What I did, and this is me doing it, is Bruce 
sometimes could be quite colorful in the presentation of his issues, 
and sometimes the importance of his issue could be lost in the 
colorful flavor that he would present them.  And I did ask him to tone 
some things down, but never to obfuscate an issue.

Ms. Herseth.  I appreciate the response.

Admiral Gauss.  And if I may on the first part -- 

Ms. Herseth.  Yes.

Admiral Gauss.   -- when I talked about the concurrence process, I did 
not mean to imply that I could not go to see the Secretary.  The 
process, though, required as you lumbered your way through to get a 
document that could be approved, it required the concurrence.

In fact, I was called once by the former Deputy Secretary, and he 
said I need you to take your nonconcurrence off.  And I said why.  It 
is my view.  And he said, well, if it goes the other way, will you 
support it. And I said of course I will.  And that is the only time 
a dissenting view got documented from my office.

Mr. McFarland.  I would concur with Admiral Gauss on the issues.  I 
also managed Bruce Brody and I did see some of the colorful 
presentation, but he was always straightforward and given the ability 
to speak his mind. And never was I ever either told that I had to 
water down my opinions or could not speak, nor was I ever told not to 
submit anything to Congress.

The concurrence process to me, I agree with Admiral Gauss, is 
troublesome.  Unlike what I understand DoD's concurrence to be, at the 
VA, there is no penalty for not meeting concurrence deadlines.  And so 
what happens is you get the slow roll.

And without having a defined, definitive concurrence deadline such as, 
I believe, DoD has where if you do not concur or nonconcur, you do not 
do anything, then you opt out and have no say because one of the 
reasons you have problems in getting things done quickly is because 
this concurrence process takes a long time when people simply do not 
concur, neither nonconcur or concur.

The process allows nonconcurrence.  That is not an issue.  I believe 
that we have moved ahead with issues at the VA.  Even with 
nonconcurrence, we have moved ahead.  An example would be the 
federated model.  I did not concur with the federated model, but I 
agreed to support it.  So my nonconcurrence on the federated model was 
well-documented.

The issue is the time frame and this problem of slow roll, which is 
what happens, is what causes you the delays in many of these 
occurrences from happening in the time frame they should happen.  And 
I strongly believe that that time frame should be changed and I have 
spoken so.

Ms. Herseth.  One last question then.  Do you feel that the Chairman's 
proposal to elevate the status and authority of the CIO position would 
be sufficient to effect the concurrent process or do we also need --  
again, not that we want to micro manage, but do we also need to 
somehow specifically address the time frame of the concurrence process 
or would elevating the position of the CIO with that type of authority 
make that move on its own?  Would it effectuate the change on its own 
as opposed to independently from another proposal of the Committee?

Mr. McFarland.  Well, I support the move, the proposed move to Under 
Secretary status.  And I think that will help.  I also believe that 
the VA has at the top level competent management and I believe 
competent management can deal with this issue.

I do not believe personally that Congress should have to deal with an 
issue of concurrence in its time lines. People at the VA at executive 
level are competent.  They can deal with this.

Ms. Herseth.  I know I have taken up a lot of time, and I appreciate 
that response.  So may I read into your response that with the 
competent senior leadership at the VA that elevating CIO to an Under 
Secretary status would allow the competency of senior management in 
addition to the individual holding the CIO position to address the 
issue of the concurrence process because if both you and the Admiral 
are saying that this has been a problem because it has been taking 
too long, but, yet, you have confidence in senior management at the 
VA, is it just that one move of elevating the position to Under 
Secretary status, and will it happen eventually because I also get 
the sense that you really do not think the Committee should have to 
do anything on that front, but is there something else that needs to 
happen to address it effectively?

Mr. McFarland.  I think it will help greatly because at an Under 
Secretary level that the CIO will get to sit regularly with Admiral 
Cooper, Dr. Perlin, Bill Tuork and discuss these issues at that level 
which should ferret the problems out earlier.  That is my opinion.

Ms. Herseth.  Thank you.

Thank you, Mr. Chairman.

The Chairman.  I would like to thank Minority Council.  They have 
brought to this hearing testimony of March 13th, 2002.

It is you and me, Dr. Gauss.  You got this one too?

Admiral Gauss.  Is it the verbal?  If it is the verbal, I do not have 
that one.

The Chairman.  You know, that is all right. Yesterday Chairman Walsh 
referred to this as groundhog day. And, you know, I listened to him, 
and I kind of half chuckled.  Reading this, now I almost want to laugh 
out loud.  There are things that we have talked about here. This is 
back in 2002.

You and I had a little banter going back and forth here and I asked 
you a specific question.  Oh, gosh.  We talked about who is in 
charge.  I am in charge.  A lot of your questions, I mean, you are 
the Admiral here.  I am in charge.  I am responsible.  I am in 
charge of the ship.

But then when we got into specific lines of authority, do you have the 
specific line authority, and your answer is, no, sir, I do not have 
direct line authority.  I have indirect authority for matters of IT 
 and I have suborganizations within the structure where I deal 
directly with these people on matters of enterprise architecture and 
cyber security and that it is an efficiency gained over the past year 
because I do not have to go to an Under Secretary to get it approved 
to go to the Deputy Under Secretary in order to get one of the CIOs.  
I pick up the phone.  I call. I direct.

So basically you are saying that I could get it done. I could achieve 
even though I do not have line authority.  I think looking back on 
all of that, you would probably look at this and say that was pretty 
hard to accomplish because what we have learned here is that unless 
we give you the tools, how can you really accomplish that, you know?

I mean, that is kind of where we are.  I am not picking on your 
testimony and your role.  What I am trying to do is is I am trying to 
go back in time, see where we were, where are we today, and how we 
move to cure.

And there is something else in here.  Let me go to this one.  We even 
had a conversation, and this deals with compliance, and we were 
talking about the lines of authority again.  And then I got into the 
question about the rating of people.  And I asked you what input do 
you have with regard to rating people, and you said I have direct 
input to the reporting seniors of these folks for what goes into their 
performance evaluation.

I then say okay.  Then with regard to promotions and merit bonuses, do 
you have an input into that also, and you then say the process at the 
VA?  And I said if you are working with someone in one of those 
administrations who is messing with you and making life difficult to 
get implementation to the one VA is what you were talking about at 
the time, going, do you have the ability to say no to a merit bonus.  
And you say I do not have that.

The reason I took time to go back in history with regard to this 
conversation is that since your days at the VA to today, we advance 
ourselves, the VA has continued to receive this failing grade, yet, 
we have individuals of whom received bonuses.

Now, going back to this whole question that Mr. Bilirakis brought up 
about micro management, you are absolutely right.  We do not like to 
do that.  We have an oversight responsibility and function.

But if we are going to create a package and part of that package is 
also going to be on personnel issues, whether it is in specific 
statutory authority or in report language, if we are to say that with 
regard to performance reviews, if as a CIO you are to ensure 
compliance, should IT compliance be one of the criteria of performance 
reviews or merit bonus?

So I am interested in your thoughts, Dr. Gauss, Mr. McFarland, General 
Howard.

Admiral Gauss.  Mr. Chairman, as far as the recommendation of 
including those as part of the evaluations, I would agree.

The Chairman.  All right.  Thank you.

Mr. McFarland.

Mr. McFarland.  I would submit to you that I not only agree.  I would 
submit to you that there is proof that it works because if you remember 
last time we got an F, one of the major reasons we got an F is because 
we did not have our 600 major systems certified and accredited.

And when Secretary Principi got very upset about that, we asked for 
authority to include the potential of bonuses not being paid in the 
outcome if all of those 600 systems did not get C and A'd within a 
year.  Those 600 systems did get C and A'd in a year and it was 
because of that potential financial threat.

I am convinced of that because he was very clear with the management 
team that he would look very harshly on bonuses and people's paychecks 
would be affected if this did not happen.  So I would submit to you 
that it does work.

The Chairman.  General Howard.

General Howard.  I totally agree, sir.  It is a good mechanism that 
ought to be put in place.

The Chairman.  All right.  Let us envision this for a moment.  How 
would this work under the federated model?  You are now an Under 
Secretary.  You have the responsibility under FISMA to ensure 
compliance.  The Secretary has now directed authorities to you.  I am 
anticipating that finally this slow roll approach over Directive 6500 
after three years is finally coming and that is what I am hoping for.  
How do we do it?  How do you do this?

General Howard.  Sir, the area that it would be difficult is punitive 
action, you know, any action that must be taken against a person from 
the person's supervisor.  In other words, if Art, for example, worked 
in another department and violated one of these policies and violated 
an item --  

The Chairman.  Can you turn that on for me, your microphone on, 
please.

General Howard.   -- you know, violated one of these policies, we can 
make it very clear that he has done so. But the punitive action itself 
cannot be taken by the CIO. It would have to be taken by his supervisor.

The Chairman.  Right.  But let us keep it to the question on a 
performance measure.

General Howard.  Right.

The Chairman.  So I am in one of the stovepipes.

General Howard.  Right.

The Chairman.  So I am now a middle-level manager, just like you, 
directing a battalion.

General Howard.  Right.

The Chairman.  You have given a directive to your battalion commander 
that you want certain things to be noted.  So all of your officers, 
they have to make sure that they are compliant with one of your 
directives.  So how do you as now an Under Secretary and CIO, and you 
now have got CIOs completely under you, right?

General Howard.  Right.  And I -- 

The Chairman.  So how are we going to do that?

General Howard.  Those folks belong to me.  There is no question 
about, you know, disciplinary action, any kind of action against folks 
who directly work for the CIO.  If they work somewhere else, you know, 
clearly violations of anything should be reported to the CIO.  You can 
have that provision.

The Chairman.  All right.  Wait.  You are off subject again.  Let us 
go back to the issue on bonuses.

General Howard.  On bonuses?

The Chairman.  On merit, performance, and bonus.

General Howard.  And the individual is in one of the stovepipes?

The Chairman.  Yes.

General Howard.  And gets a bonus?

The Chairman.  Wants a bonus.

General Howard.  And should not have gotten -- 

The Chairman.  But is not compliant.

General Howard.  And should not have gotten the bonus?

The Chairman.  Uh-huh.

General Howard.  The only thing you can do is elevate it to a higher 
level because, you know, or --  

The Chairman.  Wait.  Time out.  Let us break this out.  One of your 
CIOs is at one of the medical centers.

General Howard.  So he belongs to me.

The Chairman.  But he is at one of the medical centers.

General Howard.  Does not matter.  He belongs to me.

The Chairman.  He is at one of the medical centers and he belongs to 
you?

General Howard.  Yes, sir.

The Chairman.  He is sitting at the table as any good hospital 
administrator would do.  He has got him at the table there, and that 
hospital administrator, one of his issues is to be compliant.

And what I am trying to figure out under the federated approach, 
since the CIO is not going to be in these lines of authority with 
regard to punitive actions, but if you make it a performance measure, 
then it is the Secretary through the Under Secretary that has to 
ensure that certain directives are made and have compliance.

General Howard.  Yes.

The Chairman.  That is our challenge with tomorrow's panel --  

General Howard.  Sir -- 

The Chairman.   -- because what is clear today is that with regard to the General Counsel's legal opinion that said unto Bob McFarland that you do not have this authority, then that authority then vested with the Secretary, and directive 6500 just sat out there.  Nothing was really acted on with regard to those authorities.  It vested with the Deputy and the three Under Secretaries.

And even though you had the responsibility of compliance, authority was not exercised to bring the Department in compliance with FISMA.

General Howard.  Sir -- 

The Chairman.  I am just letting you know that.

General Howard.  Okay, sir.

The Chairman.  So my challenge here is if we are going to go under the federated approach and we say, fine, we are going to bring it into a performance measure, your CIOs out there can be counsel to that administrator, you know, meeting with them, making sure that they are compliant because here is what is in the pipeline or here is what is going on.  That is what he is there for. He is to be the counsel to the administrator.  You agree with that?

General Howard.  Sir, he also has a black hat on his head, too, that --  

The Chairman.  What does that mean?

General Howard.   -- needs -- he needs to report instances that are not in compliance.

The Chairman.  And who does he report that to?

General Howard.  Up the chain to me.

The Chairman.  All right.  But he also has a responsibility to the hospital administrator, correct?

General Howard.  Yes, sir.  He sure does as a customer.  You know, he is a service provider.

The Chairman.  Okay.

General Howard.  But he also has eyes and ears and he needs to keep them open.  And if he uncovers things that are not going on, I expect him to do something about it. Obviously to inform the hospital director, but me too.

I mean, it is like first brigade and second brigade. You know, I cannot give an Article 15 to some guy in first brigade, but I sure can put heat on that brigade commander through the division commander.  And it is particularly a problem in the punitive type of action.

The Chairman.  So this is going to require -- let me turn now to Gartner --  under this federated approach, in order for this to work, this is going to require some pretty stern leadership from the Secretary, Deputy Secretary to the Under Secretaries to perfect it.

Mr. Bresson.  It does not relinquish leadership at any level, sir.  You characterized it as stern.  That would probably be a good thing.  But the model itself does not preclude that leadership from being exercised, those authorities to be implemented.

The Chairman.  I appreciated your insights with regard to Ms. Herseth's questions.  You did a very good job today with regard to the concurrence and nonconcurrence. That was insightful or us.

And I appreciate the Deputy Secretary being here today, that you are hearing this, and those are things that you struggled with over the years that you have worked.  But those time lines, I think, that have been recommended are probably pretty important.

Having that directive sitting out there for three years was probably not a good thing, and we will get a chance to talk about that tomorrow.

With regard to nonpay contractors involved in software development, do you know how many there are?

General Howard.  Numbers of contractors, sir, I am not sure.  I will have to get that for you.

The Chairman.  Mr. McFarland, would you have any idea approximately?

Mr. McFarland.  Contractors are in nonpay, yes.  I do not know exactly how many are there.  I could give you an educated guess.  I would say it is somewhere between 500 to 700, I would guess, throughout the Department.  And that is made up of administrations and staff offices.  That would be my guess.

The Chairman.  Now, there is -- 

General Howard.  Sir, if I could pile on.  I mentioned that we have phase one of this program we put in place, assessment.  We finished the internal part.  The next steps is contractors, you know, where are they, what are they doing, et cetera, et cetera.

The Chairman.  The -- 

General Howard.  When we get through with that, we can give you some feedback.

The Chairman.  The Secretary gave testimony yesterday to Mr. Walsh's Subcommittee on Appropriations with regard to the concerns about a subcontractor perhaps releasing data if they did not receive a proper payment.  The Secretary responded that he was not aware that he had any prime contractors that were offshore.

Now, as I understand, this may be, in fact, technically correct.  But what happens if we also put in our package so that we are not jeopardized nor our national security, if we are going to have contractors, that they may not subcontract with any off-shore entity.

What are your thoughts?

General Howard.  Sir, I am not familiar with the details of the incident.  I believe you are right.  It was a subcontractor that was involved.

The Chairman.  If you know about that, will you make sure the Secretary is briefed for tomorrow?

General Howard.  Yes, sir.

The Chairman.  All right.  Mr. McFarland, your thoughts.

Mr. McFarland.  I think it is important to know who subcontractors are.  There are difficulties in the IT world today.  It is an international product.  So much of what is put into IT both hardware and software today, much of it does come from various overseas subsidiaries and various overseas environments through contracts.

I think it is wise in the contracting process to understand who your subcontractors are and put in a requirement that requires they notify you if they intend to push any of that work offshore, and then you can make a decision at that point whether you believe that is --  I mean, pushing something offshore to Britain, for example, may not be near the issue it would be to pushing something offshore to China.  And I think it is a matter of understanding and having a requirement would be good to know what, if any, off-shore requirements come up.

The Chairman.  All right.  I am going to go to Dr. Gauss, but I want you to think about this because I am going to come right back to you, Mr. McFarland, about your counsel to us with regard to what should be included in our package. But I want you to think about it and I am going to come back to you.

Dr. Gauss.

Admiral Gauss.  I would think that in dealing with the purchase of purely commercial products and the support services that go with those commercial products, it would be very difficult to sever off-shore relationships.

That said, any contract that is done for the government where the government is getting specific products and services that meet a specific government need, I think you could impose restrictions that limit off-shore involvement. But there are two separate camps here, I believe.

The Chairman.  Well, we have experience in this in the Department of Defense with regard to our procurement policies, who is going to build what, who gains access to what, from weapons systems to guidance systems.  I mean, you name it.

I hate to create that type of system, but I am very insulted that there is a company out there in another country that would try to blackmail our country, and that is what they tried to do.

And what that does is create a heightened awareness. And you are absolutely right.  You do not want to penalize Great Britain or penalize any of our valued allies in the world, but I am pretty concerned.

I am going to come back to you, Mr. McFarland.  Take your concept and take it to the next step.  What is your best counsel to me?

Mr. McFarland.  Well, as Dr. Gauss said, there are two distinct domains here.  Those are products and services that are bundled, if you will, such as a workstation, a printer, any kind of bundled service where components come from all over the world.  You have things called TAA and BAA by American act, those kinds of acts that preclude you from taking product made in certain countries that do not meet those requirements.  So you are protected there.

I think your biggest problem is the other domain which is the services domain where you contract with someone for a service, transcription services, you name it.  And there you run into the problem.

I think you should require that before any subcontractor, allow any of that work to go off-shore, that he get clearance from the VA so that the VA has an understanding of whether that offshore is Great Britain or if that offshore is China.  And I think it would be wise to- -

The Chairman.  So, number one, would be a notification procedure?

Mr. McFarland.  Right.  And then an approval.

The Chairman.  And then an approval process, right?

Mr. McFarland.  Right.

The Chairman.  Go ahead.

Mr. McFarland.  I mean, I am not familiar enough with our contracts for services in the VA to know, and I am sure each of them is unique for the service.  But those to me ought to be clauses that are boiler plate and that an approval process be required if a subcontractor is an off- shore entity or any of the information is offshore.

The Chairman.  All right.  Here is why I am taking a little time on this particular issue.

Mr. Bresson.  Excuse me, Mr. Chairman.

The Chairman.  Yes.

Mr. Bresson.  The only thing I might add with respect to services is it would be significant, yes, to identify the subcontractor as an entity, but quite often knowing the key personnel and their background and/or other attributes about them might also be significant and important to such an action.

The Chairman.  Thank you for that because the Secretary has brought up several times the issue about, background checks -- that individuals with access to certain data even within the VA have not had background checks.

So what?  We are going to highly scrutinize Americans, yet permit some of the services and access to data to be subcontracted to a third-world country with no form of notification or compliance or approval.  So I think we need to pause and think about that as we develop our systems.  So thank you very much.

So now let me turn to DoD, and that is why I am pretty concerned.  My first question would be, because I do not know the answer to this, when a forensic analysis of the data was done with regard to what was stolen, with regard to active duty Guard and Reserve, were MOSs included?

Mr. Brandewie.  No, sir.

The Chairman.  No?

Mr. Brandewie.  No, sir.

The Chairman.  Okay.  Does the VA within the universe of their data, would they have the MOS?

Mr. Brandewie.  No.  We do not furnish the MOS as part of our data transfer.  On separatees, the DOD Form 214, and I am not exactly a hundred percent positive, on separatees, I believe the MOS is included on the DOD Form 214.

That does not come in a data exchange.  It comes through a basically paper form and is actually automated by the VA.  When it is automated, I am not sure if they include the MOS, but I would assume they do.  But it is not part of our automated feed from the Department of Defense to VA.

The Chairman.  Much of our present War on Terror is operated in the dark world.  And I have heightened awareness of our special operators and they sure do not want the world to know who they are and what they have done.

And I am really concerned with regard to protections of data that is out there because I look at this and say, well, yes, this may have happened, but what is next, what could happen.

And I do not want to blow up worst case scenarios, but, Mr. Deputy Secretary, this is an issue I want to explore with you over the next several weeks, and we will bring it up tomorrow on how we develop a system because, you know, as we work here with the Department of Defense, they are not going to be too keen about how do we gto health medical records.

You know, if we cannot give veterans assurances, how can we give our partners assurances?  I do not have an expertise or background in procurement law and so I am going to have to turn to experts to help us on how we devise a system to do this.

Let me ask a question about biometrics, user ID numbers.  I am also considering placing in our package --  this package will be large enough that it will have jurisdictional referrals to other committees.  We are going to recommend changes to FISMA.

I am not going to have any of this in the future about lawyers' interpretations.  We are going to make this pretty doggone clear.  And I have already spoken with Mr. Davis about it, so we are going to make those corrections.

I am also considering saying to the Department of Defense in this legislation and the VA that you cannot use the Social Security number.  So let me ask for your thoughts about that.

Mr. Brandewie.  If could start out -- 

The Chairman.  You are going to have to come up with a soldier's ID number or some type of number that both the VA and DoD use that is not the Social Security number.

Mr. Brandewie.  In passing, sir, I referred to a consolidated feed between DoD and the VA which were to replace the legacy feeds that we do.  In that consolidated feed, we feed the VA a new ID number which we give a very odd name to.  It is called electronic data interchange personal ID.

It is a made up number.  And it is the number we actually trade with the VA in the consolidated feed instead of Social Security number.  And it could form the basis for interaction between the two departments without reliance on Social Security number.

Having said that, Social Security number remains an important identifier in establishing identity.  Once identity is established, then between agencies and in large- scale computer systems, it would be possible to only use Social Security number simply as an identity anchor and not a way to trade information between systems.

I might add we do that also with the medical community and we have established this number as a patient ID with the medical community, and also pass that over to the VA as well.  There are new technologies that are emerging that would allow us to deemphasize Social Security number as a universal identifier.

Having said that, totally banning it from IT systems would create chaos, but it could be deemphasized especially in terms of data interchange.  And, again, once identity is established, its importance recedes, and that could be emphasized in legislation.

The Chairman.  Our challenge here is that so long as the financial services industries rely upon that Social Security number, therein lies our challenge.  So if I take that out of their criteria, you know, I at least can protect our veterans and our military.

What we would have to do is is when they take their oath of enlistment or commission, we are reverting back to the old days where you get your ID number, your soldier number, or whatever.

Do you remember what yours is, Mr. McFarland?

Mr. McFarland.  Yes, sir.

The Chairman.  What is it?

Mr. McFarland.  US54342381.

The Chairman.  There you go.

You guys knows yours?

General Howard.  Yes, sir, 097560.

The Chairman.  Wow.  Well, I am just letting you know that is where I am considering going.  And it might create a heartache for you because if you have come up with some other kind of number, we will figure out how we can best do this, and we want to work with DoD to do that because that will also be what we will use with regard to our patient medical records and that type of thing.

General Howard.  Sir, I might add within the VA for employees, we have discussed going to ID numbers for employees.

The Chairman.  Just to let you know some of the major areas where we are thinking about, and this is not an exclusive list at all, as this Committee and others work together, we are going to look at this issue on performance reviews and criteria.  We are going to consider this movement of the CIO to an Under Secretary and elevate the CISO to the Deputy Secretary or Assistant Secretary.  I am sorry.

I personally asked the Secretary what personnel changes, if any, does he need with regard to his authorities with regard to disciplinary actions to make sure he can ensure compliance or fire someone.

We are going to look at the issue on the credit monitoring package.  I am deeply appreciative to the VA on what they had done in stepping forth to offer that to veterans along with the insurance package.  That was a good thing.

I am deeply disturbed with regard to the lawsuit.  For the VA to move forward, to take actions to help the veterans and now for a class action lawsuit to prevent you from advertising that assistance, what it does for us is it shows that time is of the essence for us to move our package, and we are going to have to give a directive.

The Secretary shall.  And we want to work with you with regard to our language.  But when I come in and I use mandatory language instead of discretionary language, what I have done is I have shot a hole through this class action lawsuit out there.

We will also include some FISMA changes and that DoD, VA are not authorized to use Social Security numbers with regard to personal identification.  We might direct them to really create a soldier's number, an identification number.  It probably would be better to do it in the prospective manner than to say that you shall not or cannot use a Social Security number.  I mean, that does not make a lot of sense.

We want to address the issue with regard to the outsourcing and we are also going to bring back our issue on centralization.  I have not let it go.  I cannot let it go. I respect your opinions.  I got to figure out how we can get there.

Let me ask Gartner.  I will not keep you here much longer, but let me ask Gartner Consulting.  When you turn to one of your major corporations out there and you have now said we need to centralize your IT, how long does that take?

Mr. Bresson.  Mr. Chairman, there are a number of factors in that kind of advice, particularly the current business environment, because, as we all know, it is not all about IT meaning that the way decisions are made in the business or in this case in the mission and the business will set the stage for how successful centralizing and/or federating the IT portion of that business.

We do counsel that once the decision is made, centralization, rough order of magnitude, would probably take anywhere between 12 and 36 months, and there are a lot of variables there, the global dispersion of the assets and the people and the organization, the sheer volume of systems and other items that need to be brought under control.

The Chairman.  All right.  Let me break it down and go right to security.  So when the VA designs a security policy, they finally get that done, what kind of training is going to be needed to promulgate that policy to make sure it is properly implemented?  What kind of time are we looking at?

Mr. Bresson.  I would be guessing, sir.

The Chairman.  I mean, you are consulting a lot of companies out there that make changes and all.  I mean, three months, six months, nine months?

Mr. Bresson.  Right.  There is probably a footprint that needs to be established that has a defined period in which it should be established.  And then beyond that, there is the continual changes of new personnel coming aboard, potentially other changes in personnel roll, et cetera, that would need to be addressed.

In terms of time -- 

The Chairman.  Let me reask the question because you are very good at dancing now.  What is a reasonable time line with regard to implementation of a security policy for an entity such as the VA or a major corporation?

Mr. Bresson.  Implementation of a security policy. Well, I am not a security expert, sir, but I would imagine that something implementation-wise starts within a 90-day period and potentially to a 180-day period.

The Chairman.  How long did it take DoD?

Mr. BRANDEWIE.  To implement a security policy?

The Chairman.  Yes.

Mr. BRANDEWIE.  I mean, in the basics, it has taken a number of years.  I mean, and security is always evolving and changing.  I mean, the centralization of the global information grid took probably over two years, you know, and the security policies associated with it.  But we are very diverse and decentralized with IT, so I am not sure there is a corollary there for the VA.

The Chairman.  Well, kind of because you are very decentralized and so is the VA.  And it is not that it is all that bad either.

Mr. BRANDEWIE.  No.

The Chairman.  And just because it is decentralized does not mean you 
do not have security policies.  They have security policies.  It is 
that it is agency-wide security policy.  So it is the development of 
the agency-wide security policy and its implementation as you 
centralize that is our challenge, right?

Mr. BRANDEWIE.  If I could make one comment.  I mean, there are 
policies all over the place and security policy is certainly one of 
them. It takes a long time to articulate and work its way through the 
system.

One thing that DoD has done that has been very effective, I believe, is 
the establishment of a joint task force for network operations 
protection, JTFGNO.  And they are very fast in terms of identifying a 
security issue, finding a fix to a security problem, mandating that the 
fix be implemented, and enforcing the implementation of that fix.

It is like, if you will, a kind of go team that takes the security 
policy, puts it against the real world threats that are out there, 
monitors those threats, and then takes action.  And that I found to be 
particularly effective within DoD.

The Chairman.  So let me ask this about FISMA for a moment.  When the 
FISMA audits have come back and have given the VA very poor ratings 
over the last four years, as we proceed in this federated model, the 
responsibility here rests with the Secretary.  He acknowledges 
responsibility.

Who does he delegate this to with regard to compliance based on the 
FISMA audit?  Are you aware, General Howard?

General Howard.  Sir, it will be cleared up with this delegation memo 
I referred to.  But as I sit here today, it is my problem, you know, 
to set the policies and set the actions that need to take place to 
alleviate a deficiency because the reorganization that will take 
place, a good number of those will rely with me now.

For example, take the protection of server rooms and things like that. 
That is now my responsibility with the current direction we are going 
in the IT reorganization.

I do not know if that answers your question, but -- 

The Chairman.  You have a really difficult job.  You do.  I am not here 
to beat you up at all because you are saying to this Committee it is 
me.  That is no different than what Admiral Gauss said back in 2002 to 
Ms. Carson, it is me.

So you can do everything you want.  But if you do not get the backing 
from the Deputy Secretary or the Secretary to make sure things happen 
to those Under Secretaries, you are going to be back before this 
Committee.  Members of Congress are going to be asking you why once 
again did you get an "F" in the audit.

General Howard.  Sir, the backing is absolutely necessary.  You are 
exactly right.  But it is up to me to make it clear as to what should 
occur. That is my problem. And we have got a lot of work to do in that 
area.

The Chairman.  DoD, you received an "F" on your audit, too, did you 
know, from FISMA?


Mr. BRANDEWIE.  I believe that is correct.


The Chairman.  Why did that happen?


Mr. BRANDEWIE.  I really do not know. I am not familiar with the 
detailed reasons for the DOD score.


The Chairman.  All right.  I just thought I would let you know I knew. 
You thought you were going to get away with it, didn't you?


All right.  I want to thank all of you for coming.  I have a great 
deal of respect for you and what you are trying to do here.  It is 
hard for me.  I have never been a CEO.  I have never run a major 
organization.  It is hard for me, though, in today's time whether it 
is a government department or agency or whether it is a company or 
any form of entity, when I have IT involved, why I would not make the 
CIO my new best friend.  I do not understand why that would not happen.


I had an opportunity, just to let you know, McKesson Company out 
there.  Bloomington Hospital just outside of my district, they wanted 
to modernize their IT.  They wanted to do some centralization and do 
some things.  And they brought in McKesson.  And the hospital 
administrator brought in someone from Purdue University, very sharp in 
information management, and made that CIO his best friend.


And it sent such an incredible signal to the medical director to get 
on board, that these things are coming, these changes are made, 
whether it came from the business side of the house; tell me what 
your recommendations are, what you are looking for.  The CIO is going 
to look at it.


On the medical side of the house, whether it is filmless or that 
medical technologies, everything had to be compatible and everything 
had to go through the CIO.  And everybody at the board table knew that 
and everybody was also enthused to talk about how as a team they were 
all going to work.  And they all wanted to know and associate with the 
CIO.  That was a system of pure empowerment, and they were able to 
perfect changes in a hospital setting rapidly.


So it is challenging for me, General Howard, why you are not the new 
best friend.  I do not know if you are or you are not.  But what I am 
saying is that I recognize you have a very difficult job because you 
have to be the agent of change.  And I do not care if you are going 
to change the flavor of ice cream at lunch, you are going to have 
somebody attack the agent of change.  And it should never be taken 
personally when you are the agent of change.  All right?


General Howard.  Yes, sir.  I agree.


The Chairman.  We want to continue to work with you. Please, if you 
have recommendations based on the questions, please be in touch with the 
Committee as we formulate the package.


To Gartner Consulting, thank you very much.  You have well earned your 
pay in your counsel and advice to the VA. It has been very sound, and we 
appreciate that.


To DOD, you have still got your own work to do, and we will send you 
back.  We appreciate you coming out here today.


This hearing is now concluded.


[Whereupon, at 1:42 p.m., the Committee was adjourned.]
