b'<html>\n<title> - WHICH VA IT ORGANIZATIONAL STRUCTURE WOULD HAVE BEST PREVENTED VA\'S MELTDOWN IN INFORMATION MANAGEMENT HEARING BEFORE THE COMMITTEE ON VETERANS\' AFFAIRS HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS SECOND SESSION JUNE 28, 2006 Printed for the use of the Committee on Veterans\' Affairs Serial No. 109-58 U.S. GOVERNMENT PRINTING OFFICE 25-454 PDF WASHINGTON : 2007</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n                           WHICH VA IT ORGANIZATIONAL\n                          STRUCTURE WOULD HAVE BEST\n                         PREVENTED VA\'S MELTDOWN IN \n                          INFORMATION MANAGEMENT\n\n                                HEARING\n\n                                 BEFORE THE\n\n                              COMMITTEE ON \n                            VETERANS\' AFFAIRS\n\n\n                        HOUSE OF REPRESENTATIVES\n\n\n                          ONE HUNDRED NINTH CONGRESS\n\n\n                                 SECOND SESSION\n\n                                   JUNE 28, 2006\n\n                 Printed for the use of the Committee on Veterans\' Affairs\n\n              \n                              Serial No. 109-58\n\n\n\n                      U.S. GOVERNMENT PRINTING OFFICE\n25-454 PDF                    WASHINGTON  :  2007\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. 
Government\nPrinting Office Internet:  bookstore.gpo.gov Phone:  toll free (866)\n512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,\nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n                         COMMITTEE ON VETERANS\' AFFAIRS\n                              STEVE BUYER, Indiana, Chairman\n\nMICHAEL BILIRAKIS, Florida                       LANE EVANS, Illinois, Ranking\nTERRY EVERETT, Alabama                           BOB FILNER, California\nCLIFF STEARNS, Florida                           LUIS V. GUTIERREZ, Illinois\nDAN BURTON, Indiana                              CORRINE BROWN, Florida\nJERRY MORAN, Kansas                              VIC SNYDER, Arkansas\nRICHARD H. BAKER, Louisiana                      MICHAEL H. MICHAUD, Maine\nHENRY E. BROWN, Jr., South Carolina              STEPHANIE HERSETH, South\nJEFF MILLER, Florida                               Dakota\nJOHN BOOZMAN, Arkansas                           TED STRICKLAND, Ohio\nJEB BRADLEY, New Hampshire                       DARLENE HOOLEY, Oregon\nGINNY BROWN-WAITE, Florida                       SILVESTRE REYES, Texas\nMICHAEL R. TURNER, Ohio                          SHELLEY BERKLEY, Nevada\nJOHN CAMPBELL, California                        TOM UDALL, New Mexico \n\n\n\n\n                        JAMES M. LARIVIERE, Staff Director\n\n\n\n\n                                    CONTENTS\n                                    June 28, 2006\n\nWhich VA IT Organizational Structure Would Have Best Prevented\n VA\'s ``Meltdown\'\' In Information Management\n\n                             OPENING STATEMENTS\n\nChairman Buyer\nHon. Bob Filner
\n  Prepared statement of Mr. Filner\nHon. Sam Farr (introduction of his constituent, Robert J. \n  Brandewie, Defense Manpower Data Center)\n\n\n                                WITNESSES\n\nGauss, Hon. John A., Ph.D., President and Chief Operating Officer,\n  FGM, Inc. (former Chief Information Officer, U.S. Department\n  of Veterans Affairs)\nPrepared statement of Hon. John A. Gauss\nMcFarland, Hon. Robert (former Assistant Secretary for Information\n  and Technology, and former Chief Information Officer,\n  U.S. Department of Veterans Affairs)\nHoward, MG Robert T. (Ret.), Senior Advisor to the Deputy\n  Secretary Supervisor, Office of Information Technology, U.S.\n  Department of Veterans Affairs\nPrepared statement of Hon. Robert Howard\nBrandewie, Robert J., Director, Defense Manpower Data Center\nPrepared statement of Mr. Robert Brandewie\nBresson, Jim, Vice President and Managing Partner, Gartner\n  Consulting\nPrepared statement of Mr. Jim Bresson\n\n\n\n\n\nWHICH VA IT ORGANIZATIONAL\nSTRUCTURE WOULD HAVE BEST PREVENTED\nVA\'S MELTDOWN IN INFORMATION MANAGEMENT\nWednesday, June 28, 2006\nHouse of Representatives\nCommittee on Veterans\' Affairs\nWashington, D.C.\n\n\n\n\n\nThe committee met, pursuant to call, at 10:40 a.m., in Room 334, \nCannon House Office Building, Hon. Steve Buyer [chairman of the \ncommittee] presiding. \n\n\nPresent:  Representatives Buyer, Bilirakis, Boozman, Filner, Brown of \nFlorida, Brown-Waite, Udall, Salazar, Moran, Stearns, Herseth.\n\n\nThe Chairman.  
The full Committee of House Veterans\' Affairs \nCommittee will come to order June 28th, 2006.\n\n\nGood morning, ladies and gentlemen.  This is the fourth full Committee \noversight hearing on the recent theft of sensitive information \nbelonging to as many as 26.5 million veterans and 2.2 million \nservicemembers and their family members from a VA employee\'s home in \nMay of 2006.\n\n\nWe will receive testimony today from current and former Department of \nVeterans Affairs\' Chief Information Officers. This testimony will help \nus examine the VA\'s information technology reorganization and review \nthe Secretary\'s decision to move to a federated model versus a \ncentralized approach recommended by VA\'s own consultant, Gartner \nConsulting, which is one of the most leading-edge technology companies \nand they are experts with whom we have consulted.\n\n\nThat judgment was also in the complete opposite direction to that \nwhich the House had recommended in the passage of legislation last year.\n\n\nThis hearing will also focus on institutional barriers to an \nintegrated departmental policy on cyber security and to protection of \nsensitive personal data presented by VA\'s current IT organizational \nstructure.\n\n\nFurther, we will examine the implication of information security as it \n relates to the organization of VA IT.  As we examine information \nmanagement and security, two federal statutes are of central \nimportance, the Clinger-Cohen Act of 1996 and the Federal Information \nSecurity Management Act of 2002, more commonly known as FISMA.\n\n\nThe Clinger-Cohen Act created a Chief Information Officer for each \nfederal agency.  
As defined by the Clinger-Cohen, the CIO\'s \nresponsibilities include:\n\n\nOne, assisting the agency head to ensure that IT is acquired and \ninformation resources are managed in a manner that implements the \npolicies and procedures of the agency;\n\n\nTwo, developing, maintaining, and facilitating a sound and integrated \nIT architecture for the agency;\n\n\nAnd, three, promoting an effective and efficient design and operation \nof all major information resources management processes of the agency.\n\n\nThis Committee\'s examination of VA\'s information management over the \npast eight years has clearly shown the extent and impact of \ninformation management decentralization at the VA.\n\n\nThe Department\'s CIO is not fully empowered to enforce policy and \ncannot fulfill either the letter or the intent of Clinger-Cohen.\n\n\nIn our questioning last week of Tim McLain, the VA\'s General Counsel, \nwe saw how the Department\'s lawyers in 2004 gave the narrowest of \npossible interpretations of then Secretary Anthony Principi\'s \ndecision to centralize IT authority.\n\n\nThe General Counsel\'s questionable opinion that his directive was \noutside the statutory authority of FISMA, I believe, was a \ncontributing factor to the 16 unmitigated vulnerabilities.  I have \nreferred to his legal opinion as a heterodox legal opinion.\n\n\nThe Federal Information Security Management Act or FISMA requires \neach agency to inventory its major computer systems, identify \nappropriate security protections, and develop, document, and \nimplement an agency-wide information security program.\n\n\nFISMA also requires an annual independent review of agency \ninformation security program.  
This review assesses the effectiveness \nof the information security programs, plans, and compliance of FISMA.\n\n\nThe Office of Management and Budget is then required to compile a \nsummary of federal government security performance and report to \nCongress on the implementation of FISMA.\n\n\nIn our hearing last week on academic and legal implications of the \nVA\'s data loss, I said the Department does not identify who is in \ncharge of developing policy, implementing policy, or enforcing policy.\n\n\nThe March 2006 FISMA report confirms my statement, indicating VA \nreceived a grade of "F" in a category on establishing and following \ninformation security policy.\n\n\nToday, despite evidence piled high over the years, the Department\'s \nrefusal to get control of its IT systems undermines efficiency, \nthreatens the security of sensitive information, and endangers \npatient safety, despite the fact of the unprecedented data compromise \nthat has revealed much larger problems related to decentralization.\n\n\nThe centurions of the status quo in VA administrations, especially in \nits health administration, insist on protecting their turf, and \nveterans and families, I believe, could pay the price.\n\n\nToday through the eyes of two former VA CIO\'s, Bob McFarland, \nDr. John Gauss, we have a unique opportunity to examine what occurred \nwithin the Department during the years that this evidence accumulated \nand was sadly disregarded by many who could have made a difference.\n\n\nWe also welcome General Bob Howard, the VA\'s Acting Assistant \nSecretary for Information and Technology; Robert Brandewie is the \nDirector of Defense Manpower Data Center; and Jim Bresson is a \nManaging Partner and Vice President of Gartner Consulting.\n\n\nGentlemen, we thank you in advance for your willingness to be here \nand to contribute to these proceedings.  
I believe your insights \ntoday will be extremely important.\n\n\nI also would like to recognize in the audience today, we have \nveterans from the Merchant Marines of World War II. We thank you for \nyour presence.  We welcome you to the Veterans\' Affairs Committee \nroom, and we thank you for your service to country.  You and your \ngeneration truly have made a difference in freedom of the world and \nyou left liberty in your footsteps.\n\n\nI would like you to know we have some votes that are now about to \noccur.  I will recognize Mr. Filner for an opening statement.  And \nthen I would welcome the Merchant Mariners to meet.  There is a room \ndirectly behind.\n\n\nAnd what I will have is when we leave, I will turn you over to Kelly \nCraven, our Staff Director.  Kelly is right here.  Kelly, if you will \nstand up.  And I will have Committee staff speak with the Merchant \nMariners.\n\n\nMr. Filner.\n\n\nMr. Filner.  Thank you, Mr. Chairman, and thank you for your courtesy \nto the Mariners who are here.\n\n\nAs you know, many are in their late seventies and eighties, served \nour country in World War II, had the highest casualty rates of any \nservice in the war.  And, yet, when the war was over, the GI Bill did \nnot apply to them. And even later attempts to make up for a past \ninjustice was not done.  They missed out on the college education \nprovided by the GI Bill, purchase of homes.\n\n\nAs you know, Mr. Chairman, I have a bill House Resolution 23 called a \nBelated Thank You to our Merchant Mariners of World War II.  A \nmajority of the Congress, over 260, have co-sponsored it.  A majority \nof this Committee has co-sponsored it.  And I think they would like to \ntalk to you and your staff about trying to get a vote on that at some \npoint in this Congress.\n\n\nSo I appreciate your courtesy, Mr. Chairman.  
Am I recognized for the \nopening statement on this hearing?\n\n\nAnd we will have votes and the staff of both Democrats and Republicans \nwill be talking to you and we will try to join you later during the \nhearing.\n\n\nAgain, Mr. Chairman, your opening -- \n\n\nThe Chairman.  Mr. Filner -- \n\n\nMr. Filner.  Yes, sir.\n\n\nThe Chairman.   -- if I could do this by way of procedure.  Mr. Farr \nof California is here and he would like to introduce one of the \nwitnesses here today.  Can we yield to Mr. Farr?\n\nMr. Filner.  Please.\n\n\nThe Chairman.  Can we do that for an introduction?\n\n\nMr. Filner.  I will be happy to.\n\n\nThe Chairman.  Mr. Farr.\n\n\nMr. Farr.  Thank you very much, Mr. Chairman and members of the \nCommittee.  It is a pleasure for me.\n\n\nI am a member of the Appropriations Subcommittee with this \njurisdiction, the military quality of life and Veterans\' Affairs.  \nAnd we had a similar hearing yesterday. In that hearing, the Chairman \nwas there and I appreciate this effort.\n\n\nI want to just tell you that out in my district, I represent the former \nFt. Ord, which is the largest military base ever closed in the United \nStates, and out of that, the Department of Defense kept a Manpower \nDevelopment Center there.  It is a center where all of the personnel \ninformation for all of the people in the military and their families is kept.\n\n\nAnd it is available 24/7, and you get calls from all over the world \nfrom spouses wondering about healthcare insurance or about issues of \nfamily or soldiers or, you know, divorce status or all the kinds of \ndata that one would have.  And that center has been leading in \nhelping the Department of Veterans Affairs with their security issues.\n\n\nAnd the fellow who has really done the work to keep this center a \nstate-of-the-art, quality center in that is Robert Brandewie who is \nhere as a speaker today.  
He has developed the Defense Biometric \nIdentification System which has centralized the database.  It integrates \nbiometric and other information.\n\n\nHe has also received all kinds of awards and is now being considered as \none of the four finalists for the 2006 Service to America Medal to be \nawarded in September.  And it is just a pleasure to have somebody with \nsuch high skills and such incredible accomplishments come and share \nwhat they are actually doing on the ground to help men and women in \nuniform.\n\n\nSo I thank you for allowing me to introduce my constituent to you and \ngood luck with your Committee.\n\n\nThe Chairman.  Thank you very much, Mr. Farr.  We appreciate your \nwork on Appropriations as you work with us to come to these solutions \nand be of assistance to the VA. So thank you for your quality work.\n\n\nMembers, we have one vote.  It is a motion to adjourn. I would like \nto recess the Committee.  When we return, then Mr. Filner will give \nan opening statement and we will proceed with testimony.\n\n\nThe Committee stands in recess for about seven minutes.\n\n\n[Recess.]\n\n\nThe Chairman.  The Committee will come back to order.\n\n\nMr. Filner, you are now recognized for an opening statement.\n\n\nMr. Filner.  Mr. Chairman, since we have kept these people waiting \nthrough the vote, I am going to submit my statement for the record.  \nI do agree with what you said and so I do not need to add anything.\n\n\nI would just like to add one little remark, if I may. Mr. Chairman, \nSecretary Nicholson said that they are going to correct this problem, \nbut we have to be patient.  And I think we know what he means by being \npatient, as you have been personally working on it.  
It took the VA at \nleast seven years to address this problem.\n\n\nAnd during our May 25th hearing, you directed VA officials to submit a \nchronology, time lines of events related to the handling of \ninformation related to the data loss, and you asked it for about ten \ndays.\n\n\nI note that over one month has now elapsed since the breach, and we \nare still being asked to be patient to respond to your request.  We \nmight think about directing VA to provide these time lines by the end \nof close of business today.  Maybe we should consider asking that they \nbe prepared independently, have them signed under a perjury clause, \nwitnessed and sealed by the Inspector General.\n\n\nWe should have these time lines not only from the panel that we met \nwith on May 25th, but also from the witnesses scheduled for tomorrow. \nI think it is time to send a message that we have been patient long \nenough.\n\n\nThank you, Mr. Chairman.\n\n\n[The statement of Bob Filner appears on p.  ]\n\n\nThe Chairman.  Mr. Filner, all members that may have opening \nstatements will be submitted for the record.  And I thank the \ngentleman for bringing that issue back to the Chair\'s attention.\n\n\nI note that sitting in the audience is the Deputy Secretary, and if \nyou could make sure that someone has that prepared.  Any questions on \nit, please be in touch with the Staff Director.  And if you could \nbring that with you tomorrow and submit it to the Committee.  \nSomeone, I am sure, has been working on it.\n\n\nAnd I think that is probably the best way to handle that, Mr. Filner. \nWould that be acceptable?\n\n\nMr. Filner.  That is fine.\n\n\nThe Chairman.  All right.  Should not be any problem with that, should \nthere?\n\n\nDeputy Secretary Mansfield.  No.\n\n\nThe Chairman.  Okay.  All right.  With this panel, we have an Army \nveteran, Robert McFarland.  He served in the Vietnam War.  He was \nnominated by President George W. 
Bush to serve as the Assistant \nSecretary for Information and Technology in the Department of Veterans \nAffairs on October 15th, 2003, and was confirmed by the Senate on \nJanuary 22nd, 2004.\n\n\nPrior to his appointment, he served as Vice President of Government \nRelations for Dell Computer Corporation.  Mr. McFarland left the \nDepartment of Veterans Affairs on May 18th of 2006.\n\n\nWe will also hear testimony from Dr. John Gauss who served 32 years \nin the United States Navy.  Following his retirement, Rear Admiral \nGauss was nominated by the President and confirmed by the Senate to \nserve as the Assistant Secretary for Information and Technology and \nChief Information Officer for the Department of Veterans Affairs from \nAugust 2001 through June 2003.\n\n\nRear Admiral Gauss transitioned from government service to the private \nsector accepting a senior position with Science Applications \nInternational Corporation in September of 2003.  His primary focus at \nthis company was the Olympic C4I Security Project considered critical \nfor safe and successful 2004 Summer Olympic Games in Athens, Greece.\n\n\nIn January of 2005, Admiral Gauss founded Gauss Consulting Services \nand in February 2006, he joined FGM, Incorporated as the company\'s \nPresident.\n\n\nWe will also hear testimony from Major General Howard. General Howard \nis the Acting Assistant Secretary for Information and Technology and \nActing Chief Information Officer at the Department of Veterans Affairs.\n\n\nWe will also hear from Mr. Brandewie who currently serves as the \nDirector, Defense Manpower Data Center, Field Activity, reporting to \nthe Office of the Secretary of Defense, Personnel and Readiness.  
He \nis responsible for the oversight of the largest and most comprehensive \nautomated personal database in DoD, management of a dozen major \noperational DoD programs, and supervision of a multi-disciplinary \nstaff of approximately 800.\n\n\nRecently he led the DMDC efforts to redesign the Department\'s medical \nbenefits and entitlements database for the new TRICARE system, to \ndesign and field a comprehensive web authentication capability for \nthe Department of Defense, to develop and field an identification \ncard and biometric-based force protection system now widely deployed \nthroughout the world, and to design and develop and field the common \naccess smart card as the new DoD identification card. Currently more \nthan ten million have been issued.\n\n\nPronounce it Bresson?\n\n\nMr. Bresson.  It is actually Bresson.\n\n\nThe Chairman.  Bresson.  Jim Bresson is the Vice President of Gartner \nConsulting where he was the managing partner for U.S. Department of \nVeterans Affairs within Gartner\'s USA Federal Consulting Practice.  \nHe is based in Arlington, Virginia, and his responsibilities for \nGartner Consulting involve business development, associate \ndevelopment, and engagement and delivery.\n\n\nWe look forward to your testimony, and we will start with you \nDr. Admiral Gauss.  Which do you want, Dr., Admiral, Secretary?\n\n\nAdmiral Gauss.  John is fine, sir.\n\n\nThe Chairman.  All right, John.  Proceed.\n\n\nDo all of you have written testimony?\n\n\nAdmiral Gauss.  Yes, sir.\n\n\nThe Chairman.  All of you do, even  --  Mr. McFarland, do you not? \n\n\nMr. McFarland.  No.\n\n\nThe Chairman.  So Mr. Brandewie, Dr. Gauss, Major General Howard, and \nMr. Bresson, all of you have written testimony.  It will be submitted \nfor the record.  Hearing no objection, so ordered.\n\n\nYou are now recognized, John.\n\n\nSTATEMENTS OF HON. JOHN A. 
GAUSS, PRESIDENT AND CHIEF OPERATING \nOFFICER, FGM, INC., (FORMER ASSISTANT SECRETARY FOR INFORMATION AND \nTECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF \nVETERANS AFFAIRS); HON. ROBERT MCFARLAND (FORMER ASSISTANT SECRETARY \nFOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, \nU.S. DEPARTMENT OF VETERANS AFFAIRS); MG ROBERT T. HOWARD (RET.), \nSENIOR ADVISOR TO THE DEPUTY SECRETARY SUPERVISOR, OFFICE OF \nINFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; \nROBERT J. BRANDEWIE, DIRECTOR, DEFENSE MANPOWER DATA CENTER; \nJIM BRESSON, VICE PRESIDENT AND MANAGING PARTNER, GARTNER CONSULTING; \nACCOMPANIED BY JOE CLARKE, DIRECTOR, GARTNER CONSULTING \n\n\nSTATEMENT OF JOHN A. GAUSS \n\n\nAdmiral Gauss.  Thank you, Mr. Chairman.  Good morning to members of \nthe Committee.  Thank you for inviting me here today to discuss the \nimportant issues related to the Department of Veterans Affairs\' \ninformation technology reorganization efforts.\n\n\nI would like to provide the Committee with some background information \nto help in understanding the thought process that goes into the \nremarks that follow.\n\n\nAt the time of my confirmation hearing as the VA\'s Chief Information \nOfficer, the Department was faced with many challenges, including an \never-expanding IT budget, programs that were defined in a stovepipe \nmanner due to the lack of an enterprise architecture, programs that \nwere consistently overrunning budget, behind schedule, failing to \nmeet their performance parameters.\n\n\nThe Department was faced with implementing a comprehensive cyber \nsecurity program and having to implement an executive oversight \nprocess which was a recurring deficiency in many GAO audits.\n\n\nAs a result of the above and as presented in my opening statement \nbefore the Senate Veterans\' Affairs Committee on 2 August 2001, \nduring my confirmation hearing, I stated that I had five strategic \nobjectives:\n\n\nFirst, 
complete the enterprise architecture road map for the future; \n\nTwo, integrate the disparate telecommunications networks to improve \nperformance and responsiveness for our veterans;\n\n\nThree, implement a strong information security program and \ninfrastructure;\n\n\nFour, create a program and project management process to oversee and \nhelp information technology program managers deliver products that \nmeet requirements, are delivered on time, and stay within budget;\n\n\nAnd, finally, establish information technology metrics to \ncontinuously measure our ability to meet our veterans\' needs.\n\n\nAlthough implementing a strong information security program is listed \nas number three in the above list, it was my number one priority. \nEstablishing a comprehensive enterprise architecture and integrating \nthe telecommunications networks will place higher in the order since \nI believe they are prerequisites to attacking the cyber security problem.\n\n\nDuring my 32 years in the Navy, I learned to address organizational \nissues by using the following simple thought process:\n\n\nFirst, define the problem to be solved;\n\n\nSecond, define the optimal yet affordable solution to the problem; \n\n\nThree, define what work should be accomplished by government and what \nwork should be performed by industry and then organize to implement.\n\n\nGiven the problems and strategic objectives defined above, I concluded \nthree things:\n\n\nFirst, all IT programs and IT related activities affecting the three \nadministrations and the central office should be centrally managed at \nthe Department level with funding located in the departments and not \nthe administration\'s budgets, specifically enterprise architecture, \ncyber security, telecommunications networks, corporate data centers, \nany program with the above characteristic that would result from \ndeveloping a comprehensive enterprise architecture such as VA-wide \nregistration and eligibility and a central call 
center, and, finally, \nall IT programs under the auspices of any VA central office code;\n\n\nSecond, all development activities related to individual \nadministration of IT programs should be managed at the Department \nlevel and funded from the Administration budget because they are the \nones who have the business requirement for the program;\n\n\nAnd, third, the operations and maintenance of in-service IT systems \ndirectly related to mission execution within an Administration should \nbe managed by that Administration subject to a comprehensive budget \nand funding execution approval process with ultimate authority for \napproving the expenditure of funds residing in the Office of the CIO.\n\n\nI recognize that the above conclusions are not consistent with \ncurrent thinking, but I would respectfully ask the Committee to \nconsider the following:\n\n\nWithout a central management of the development activities, how will \nthe Department ever implement a comprehensive, enterprise-wide \nenterprise architecture to eliminate duplication, to \ncross-functionally integrate the business processes, and ultimately \nslow or stop the growth of the Department\'s IT budget?\n\n\nI hope this information will help the Committee in its deliberations. \nThank you for the opportunity.  I stand ready to answer questions.\n\n\nThe Chairman.  Thank you very much.\n\n\nMr. McFarland, you are now recognized.\n\n\n[The statement of John A. Gauss appears on p.  ]\n\n\nSTATEMENT OF ROBERT MCFARLAND\n\n\nMr. McFarland.  Thank you, Mr. Chairman.\n\n\nAlthough I have no prepared statement, I have had the privilege to \nappear before this Committee on many occasions over the last two plus \nyears.  
Our discussions have always been frank, and I have \nappreciated this Committee\'s support in my previous efforts to bring \nthe VA\'s information and technology infrastructure into the 21st century.\n\n\nI am honored to be here today and would be pleased to answer any \nquestions this Committee may have regarding my experiences while \nAssistant Secretary and CIO at the Department.\n\n\nThe Chairman.  You sound like a man that has been at a trout stream.\n\n\nMr. Filner.  Explain it to us city guys.\n\n\nThe Chairman.  Explain it to a city guy?\n\n\nMr. Filner.  Yeah.\n\n\nThe Chairman.  Well, you know, he worked at the Department for a long \ntime.  He took a break.  He got jammed while he was there for a \nwhile. He went to a trout stream to gather his mind, and we have \npulled him back to Washington, D.C.  He is not too excited about being \nback in Washington, D.C.  And he says I will show up, but that does \nnot mean I have to give a statement.  And if you want to ask any \nquestions of me, go right ahead.\n\n\nMr. Filner.  Thank you, sir.\n\n\nThe Chairman.  So that sounds like a man with a clear mind that has \nbeen to a trout stream.\n\n\nMr. Filner.  All right.  Now I get it.  Thank you.\n\n\nThe Chairman.  You got it?\n\n\nIs that about right, Mr. McFarland?\n\n\nMr. McFarland.  That is pretty close, sir.\n\n\nThe Chairman.  All right.  Thank you.\n\n\nGeneral Howard, you are now recognized.\n\n\nSTATEMENT OF ROBERT HOWARD \n\n\n\nGeneral Howard.  Mr. Chairman and members of the Committee, good \nmorning.  Thank you for your invitation to discuss the Department of \nVeterans Affairs\' information and technology reorganization plan and \nthe recent data loss incident.\n\n\nFirst a short update on the VA IT realignment.  The VA IT system \nmodel has been developed and approved.  
The key focus is to transition \nthe IT community to operate within a management system that separates \nthe development and operations and maintenance domains.\n\n\nVA will establish required business practices and processes that \nharmonize the oversight and budgetary responsibilities of the Office \nof the CIO, the functionality of the domains, and business \nrelationships of the IT service provider and the customer for all IT \nactivities across the entire VA.\n\nAs background, in an executive decision memo dated October 19th, 2005, \nthe Secretary of the Department of Veterans Affairs approved the \nconcept of a new IT management system for the VA.  This decision to \nmove to a new management construct was made to correct long-standing \ndeficiencies in the current decentralized IT management system.\n\n\nThe concept separates the IT community into two domains, an operations \nand maintenance domain that is the responsibility of the Assistant \nSecretary for Information and Technology and a smaller application \ndevelopment domain that is the responsibility of the administrations \nand staff offices.  Although the domains are separated, the VA CIO \nwill retain oversight responsibilities for all VA IT projects.\n\n\nAs Secretary Nicholson testified at the House Appropriations Committee \nhearing yesterday, the long-range plan is to also centralize the \napplication development domain under the CIO.\n\n\nThe new VA IT management system will clearly enhance the Department\'s \nability to strengthen the protection of sensitive information.  
With \nall information security officers reporting to the CIO under this new \nmanagement system, the CIO will be able to:\n\n\nOne, create and operate the agency-wide information security program;\n\n\nTwo, establish information security policies and procedures and \ncontrol techniques for the agency which when followed will ensure \ncompliance with all of the above requirements;\n\n\nThree, to train and oversee personnel with significant \nresponsibilities for information security;\n\n\nAnd, finally, assist senior agency officials concerning their \ninformation security responsibilities including the analysis process.\n\n\nThe VA IT system model was developed as a framework for the future IT \nmanagement system.  The principal elements of the model include the \nfollowing:\n\n\nDefinitions of the roles, responsibilities, and initial boundaries \nbetween the operations and maintenance domain and the application \ndevelopment domain.  And this includes determination of business \nneeds and priorities.\n\n\nAlthough the domains are separated, the model prescribes procedures \nbetween the domains in order to provide the CIO with oversight and \nbudget responsibilities for all VA IT projects.  It also provides the \nauthority, delegation of authority, and governance structure and \nprocess for the conduct of all VA IT related business.\n\n\nThe model also contains key IT service delivery business process flows \nand sample scenarios to illustrate how domain activities are \ncoordinated by these process flows.  
These flows must be clearly \ndefined to reflect the critical interdependence of business \napplications and the performance of the IT infrastructure.\n\n\nFinally, the model contains a recommended "to be" organization for \nthe Office of the CIO designed to balance the tactical needs of \noperating a complex infrastructure as a shared service with the \nstrategic needs of aligning IT resources to best meet the mission \nrequirements of the Department.\n\n\nTransitioning now to the recent data loss incident, as you are aware, \nthe Secretary initiated several recent actions to tighten our privacy \nand data security programs.\n\n\nOn May 24th, the Data Security Assessment and Strengthening of \nControl Program was established to provide a high priority, and much \nmore focused effort to strengthen our data privacy and security \nprocedures.\n\n\nThe two principal objectives of this program are to first reduce the \nrisk of a reoccurrence of incidents such as the recent data loss and \nsecond to remedy the material weakness reported by the Inspector \nGeneral.\n\n\nThere are three phases to this effort:  Assessment, strengthening of \ncontrols, and enforcement.  
We are almost through the assessment phase \nand have actions underway in the other two phases as well.\n\n\nOn May 26th, the Secretary issued a directive that requires the top \nleadership to instruct all VA managers, supervisors, and team leaders \nof their duty and responsibility to protect sensitive and confidential \ninformation.\n\n\nIn this memo, the Secretary also announced that he had convened a task \nforce of VA senior leaders to review all aspects of information security \nand make recommendations to strengthen our protection of sensitive \ninformation.\n\n\nOne of the first tasks of this group is to complete an inventory of all \npositions requiring access to sensitive VA data and to complete that by \nthe end of June.\n\n\nThis past Monday, we began a Security Awareness Week at all VA \nfacilities.  We are emphasizing training and privacy and cyber \nsecurity for all employees.  We require all VA employees, contractors, \nand volunteers to complete both cyber security and privacy training \nannually.\n\nNormally employees are required to complete this training by September \n30th of each year.  However, given the recent incident, the Secretary \nhas directed that this be accomplished by the end of June.\n\nWe will be conducting a department-wide inventory of laptops to ensure \nthat they carry the encryption and other cyber security software \nnecessary to ensure remote access users are operating in a safe and \nsecure environment.  This effort is on hold, however, due to several \nclass action lawsuits.  It will continue once legal clearance is \nobtained.\n\nFinally we are reviewing all policies, directives, and handbooks \nrelated to privacy, cyber security, and records management to ensure \nthey are accurate, clear, and focused. All of these efforts will \nprovide for a more secure environment for sensitive data used in the \nVA.\n\nMr. Chairman, that concludes my statement.  
Thank you for the \nopportunity to appear before you today.\n\nThe Chairman.  Thank you very much.\n\nMr. Brandewie, you are now recognized.\n\n[The statement of Robert Howard appears on p.  ]  \n\nSTATEMENT OF ROBERT BRANDEWIE \n\n\nMr. Brandewie.  Mr. Chairman and members of the Committee, thank you \nfor the opportunity to appear before you today to discuss the data \nexchanges between the Department of Defense and the Department of \nVeterans Affairs.\n\nOur center is a central repository of automated human resource \ninformation in the Department of Defense, and we have been actively \nengaged with the DVA on most of the personnel information flowing \nbetween the two departments. These exchanges are very basic to \nproviding an improved experience for the veteran and also for \ncoordination of benefits between the two departments.\n\nIt is important to note that these exchanges have been ongoing for \nmore than 25 years.  The purpose of the data exchanges between DVA and \nDoD are twofold:  To provide information to the DVA on currently\nserving and recently separated individuals who are eligible for DVA \nbenefits and services, and to competently administer programs in both \nagencies that benefit servicemembers, former servicemembers, and their families.\n\nThese data exchanges can be categorized as follows: Data for \nadministering educational benefits, active duty and selected Reserve, \nMontgomery GI Bill; data for administering insurance programs, \nspecifically veterans group life insurance; data for epidemiological \nstudies and for assessing post-war illness; data for coordination of \nbenefits and prevention of fraud, waste, and abuse; and data to \nestimate veteran population and expedite delivery of benefits.\n\n\nData exchanges with the VA, although long-standing, have expanded in \nbreadth in recent years.  And an effort to consolidate the exchanges \nbegan in earnest about three years ago.  
Close cooperation and \nincreased exchanges of information have also received encouragement \nfrom the Congress and the Administration.\n\nFor example, the President\'s management agenda directed efforts to \nmake the transition from DoD to the DVA seamless, and I quote, \n`` Transition should be seamless from the veterans\' perspective and \ncould be made seamless through data sharing between VA and DoD as well \nas within VA.\'\'\n\nPublic Law 108-136 established an interagency Committee known as the \nDVA DoD Joint Executive Council to direct joint coordination and data \nsharing efforts between the two departments.  DoD believes there is \ngreat value to current servicemembers and veterans in the close \ncooperation evidenced by these data exchanges that has developed \nbetween DoD and the Department of Veterans Affairs.  However, it is \nequally important that the exchanges are done with utmost attention to \nsecurity to ensure no unauthorized disclosure of information.\n\nThe DVA has been a partner with us in the implementation of secure \ntransfer between the two agencies. In that regard, we have continued \nto improve that process and add security to this data transfer process.\n\nMy organization did the work to assess the impact of the recent data \nbreach on currently serving active duty, Reserve, and Guard members.  \nWe continue to work on mitigation efforts with respect to the \ncompromised information.\n\nIn spite of this tragic loss, it is important to reinforce the point \nthere are many benefits to current data exchanges between the two \ndepartments.  They are done securely and they result in better \nservice and better benefit delivery for servicemembers and veterans.\n\nMr. Chairman, I thank the Committee for the opportunity to report on \ndata exchanges between DoD and DVA and would welcome the opportunity \nto answer any questions.\n\nThe Chairman.  Thank you very much.\n\n[The statement of Robert Brandewie appears on p.  
]  \n\nThe Chairman.  We have another vote, just one vote. It is a procedural \nvote.  So we are going to have to stand in recess for about seven \nminutes, and we will return.\n\n\n[Recess.]\n\nThe Chairman.  All right.  The hearing will come back to order.\n\nThe Chair now recognizes Mr. Bresson for his statement.\n\n\nSTATEMENT OF JIM BRESSON \n\n\nMr. Bresson.  Mr. Chairman, Mr. Vice Chairman, and members of the \nCommittee, I appreciate the opportunity to participate in today\'s \nhearing regarding the Department of Veterans Affairs\' information \ntechnology reorganization plan and VA\'s decision to pursue the \nfederated model.\n\nI am a managing partner within the consulting division at Gartner, the \nleading provider of research and analysis in the global IT industry.  \nI am accompanied today by my colleague, Joe Clarke, Director with \nGartner Consulting, who is the lead subject matter expert in the \nmethodologies we employed in our most recent consulting engagement \nfor the VA.\n\nUnlike many of our competitors, Gartner does not offer IT systems or \nsoftware implementation services that would compromise our \nindependence and objectivity.  It is our objectivity combined with \nour past performance at the VA that was the basis for Gartner \nConsulting being selected to convert our originally recommended \ncentralized model to a federated model at VA leadership\'s direction.  \nI was the lead consultant for this effort.\n\nIn December 2005, the Assistant Secretary for IT directed Gartner \nConsulting to determine the best approach to implement a federated \nmodel for VA.  Our focus was on ensuring that the VA\'s federated model \nwould yield a blueprint for implementation that incorporated the \nseven critical dimensions to achieving a higher performing IT \norganization at the VA.  
Those seven dimensions are:\n\nOne, organizational structure, the structure in which the IT \norganization delivers value at a risk level that is tolerable to the \nDepartment and best supports its one VA mission;\n\nTwo, processes, the critical IT processes, their interfaces, and their \ndependencies required for IT delivery across the Department;\n\nThree, roles, the IT management practices, responsibilities, and \naccountabilities required for IT delivery, what VA associates need to \ndo to deliver IT value;\n\nFour, IT services, the necessary IT capabilities that are valued and \nreadily understood by the VA\'s business community, not just the IT \ncommunity;\n\nFive, guiding principles, the IT policies that establish focus, \ngovernance, and the decision-making fabric within and between VA\'s IT \nand business communities;\n\nSix, performance management, the definition of IT performance \nobjectives and success criteria and high-level analysis of IT \nperformance relative to peers in government, insurance, and healthcare \ndelivery;\n\nSeven, culture and norms, the changes required in the underlying culture \nand norms to effect improved IT management behaviors.\n\nIn my written testimony, I have provided details about how Gartner \nConsulting derived roles and responsibilities and simulated scenarios \nto illustrate for VA\'s consideration how the federated approach would \nwork within VA\'s environment.\n\nIt is important to note as we have in our intermittent engagements with \nthe VA that organizational structure alone is not the silver bullet.  \nIt is just one dimension of necessary change to the existing IT \norganization at VA.\n\nThere is a tendency for government agencies to want to jump straight to \norganizational structure alone when seeking to initiate and drive \nchange.  
Encouraging desirable IT management behavior is less about \nstructure and is more about relentless focus on strategy and execution.\n\n\nGartner research and our engagement results indicate that the VA must \nallow for a balance between line of business autonomy and common \nenterprise-wide needs.  VA\'s desired end state is not small change.  \nIt will require overt, firm, sustained action and persistent messaging \nsupportive of the change from all levels of leadership across the \nDepartment.\n\nWhat will be critical is sustaining the focus of executive leadership \nin seeing this change through and realizing improved IT performance.  \nWhether VA leadership will achieve the desired end state in an \nexpeditious manner may be less important than whether they are able to \nsuccessfully institutionalize the federated IT management system.\n\nI firmly believe that VA leadership is taking the right steps forward.\n\nMr. Chairman, Mr. Vice President, and members of the Committee, this \nconcludes my statement.  Thank you again for the opportunity to \ndiscuss such an important matter to support our veterans.  I would be \npleased to respond to any questions that you or other members of the \nCommittee may have at this time.\n\n[The statement of Jim Bresson appears on p.  ]  \n\nThe Chairman.  Well, I would like to pick up right where you left off. \nI firmly believe the VA is now taking the right steps.  You have to \nreconcile that.  You have to reconcile that with the testimony that \nGartner Consulting gave to this Committee and your recommendation for \na centralized model that was stiff-armed by the VA.\n\nYou are a consultant to the VA; are you not?\n\nMr. Bresson.  We have been a consultant on occasion to the VA.  We \nare --  \n\nThe Chairman.  Are you a consultant to the VA right now?\n\nMr. Bresson.  We are currently not under engagement with the VA.\n\nThe Chairman.  Okay.  
And were you hired in as a consultant to the VA \nwith regard to the federated approach and its implementation?\n\nMr. Bresson.  Yes, we were.\n\nThe Chairman.  Do you anticipate future work with the VA?\n\nMr. Bresson.  I would like to anticipate future work with the VA, yes, \nsir.\n\nThe Chairman.  And would your future anticipation to work with the VA \nhave anything to do with your last statement before this Committee?\n\nMr. Bresson.  Not at all, sir.  Not at all.\n\nThe Chairman.  Then reconcile your testimony, sir.\n\nMr. Bresson.  Okay.  I believe, as I said earlier, that organizational \nstructure is one dimension.  The work that we did in converting the \nmodel that was recommended last spring, 2005 that is, to the federated \nmodel dove down deep into processes, roles, services, principles, \nperformance management, and culture and norms.\n\nAnd in constructing that model, we identified for the VA what path \nforward they should take in order to make this adhere in their \nenvironment.  And I believe that from that model they are stepping \ntoward that direction heeding what we advised them to do.\n\nThe Chairman.  Does Gartner Consulting as a company still stand by its \nrecommendation to the United States Congress that the VA centralize, \nhave a centralized model for IT management?\n\nMr. Bresson.  We do stand by that, sir.\n\nThe Chairman.  In your written testimony to the Committee, I note that \nyou have a quote in here, `` Given the poor state of the VA\'s IT \ninvestment management process and the stated demand to drive benefits \nover a shorter horizon, we recommended the centralization option to \nmaximize the opportunity to create value for our veterans.\'\'\n\nYou stand by that statement today?\n\nMr. Bresson.  Yes, we do, sir.\n\nThe Chairman.  Okay.  Now, Gartner has given this statement, calls it, \n``The poor state of VA\'s IT investment management.\'\'\n\nWell, now I am going to turn to Dr. Gauss and Mr. McFarland.  
Can you \nexplain to me why Gartner Consulting would call it a poor state of \ninvestment management when, in fact, both of you were the managers?\n\nAdmiral Gauss.  Mr. Chairman, I really have no idea why that finding \nwas uncovered.  I can speak to the time between July of 2001 and June \nof 2003.\n\nWhen I first became CIO, our capital investment control process for IT \nwas poor.  And with a focused effort and working with the Office of \nManagement and Budget, within one year, we turned around our process \nfrom a budget submission to OMB of about a five percent first pass \nacceptance to about a 95 percent first pass acceptance.\n\nAnd after I departed VA, there was a substantial gap before \nMr. McFarland became CIO.  And during that interval, I know I do not \nknow what went on at VA and I am not sure whether Mr. McFarland does.\n\nThe Chairman.  Mr. McFarland, what are your thoughts with regard to \nthat statement?\n\nMr. McFarland.  Sir, I believe that we continued the enterprise \ninformation board environment that Dr. Gauss started which was to \nreview the individual development projects and sustainment projects.  
\nBut our biggest issue was not making the decisions over which \ninvestments were good investments, although where I came from, we \ndealt with ROI, which is a difficult thing to do in the government \nbecause it is not the same as it is in the private sector.\n\nBut what we had a problem with was the use of the funds, and this, as \nyou know, is something I was focused on for quite a while, which was \nto change the budget environment.\n\nSo when you use the words poor state of investment management, I \nthink what Gartner was trying to say is that you may pass at an \nexecutive level a project spin plan and a project budget, and then the \ndissemination of that money and the use of that money in many cases \nwhich is not being able to be tracked and followed through the chain \nas it is used out in the field.\n\nAnd I think that to me was the area where I felt the investment \nmanagement process was failing, in the budget itself and the expense \nof the money, because we were never sure that the money was spent on \nexactly what it had been appropriated for.  And to me, that, I think, \nis what Gartner was trying to say when they said part of the issue of \npoor investment management process.\n\nThe Chairman.  To Mr. Bresson, I want you to know that we recognize \nthat a movement to cure is more than just about structure.  We \nrecognize that.  
But we also have painfully recognized over the years, \nand we have embraced the testimony that Gartner had given to this \nCommittee and the counsel that they gave to the VA prior to their \njudgment on which option to choose.\n\nThe reason we do focus on structure and lines of authority is that as \nwe do the forensics here of trying to put this together in \nunderstanding what went wrong, we cannot move to cure until we create \nthe right structure with the proper lines of authority so that we know \nwho has authority to do what, who has the tools to do what.\n\nAnd so that is kind of why we are focusing on those kinds of things \nat the moment.  We recognize culture and many other things that you \nalso had testified to.\n\nThe ROI mentality, Mr. McFarland, that you brought to the VA, we have \nno objections to that at all because we are looking out at the \ninterest of taxpayers, had to deal with the pains that you did with \nregard to the core FLS and the vets net.\n\nAnd there is a reason that we here in Congress wanted the development \nside under your gentlemen\'s authorities. And we understand that they \nfight against that, and we recognize that there are crucibles out \nthere for initiative and that your job is not to say no to that, but \njust to make sure that it is all compliant under the one architecture.\n\nGentlemen, we are considering many things in our packages.  So what I \nwould like to do here today, we want to do some forensics, we want \nyour opinion on cure.  What are your thoughts that if we were to, in \nour package we are to elevate the position of the CIO to an Under \nSecretary?\n\nMr. McFarland?\n\nMr. McFarland.  I would think that would be a good move, sir.  I \nbelieve that in this day and age, the VA like any other agency simply \ncannot do business for its veterans without an IT infrastructure.\n\nThe Chairman.  And then if we make the CISO a Deputy Secretary right \nunder the CIO as an Under Secretary?\n\nMr. McFarland.  
You mean an Assistant Secretary, sir?\n\nThe Chairman.  Assistant Secretary, yes.\n\nMr. McFarland.  I certainly would applaud those moves because I think \nthat the infrastructure that runs the VA today in its current state is \nan IT infrastructure and it is important enough that given the past \nhistory that those moves would certainly help.  It would give the CIO \nan equal seat at the table with the main administrations to be able to \nprovide the service that keeps the business running.\n\nThe Chairman.  Admiral Gauss?\n\nAdmiral Gauss.  Mr. Chairman, I think your idea is an excellent one.  \nAnd if I may, I have been associated in management positions in the \nlast 14 years of government service where I have had the opportunity \nto observe how Chief Information Officers can be effective not only \nat the Department of Veterans Affairs but in other parts of government \nas well.\n\nWithout the Chief Information Officer being elevated to the status of \nUnder Secretary or Under Secretary equivalent, the CIO does not have a \nseat at the table at any department within government, and the \nfounders or the people who created the Clinger-Cohen Act will continue \nto be disappointed in results until such a bold action is taken.\n\nI would highly endorse your suggestion, sir.\n\nThe Chairman.  Thank you.\n\nMr. Filner.\n\nMr. Filner.  Thank you, Mr. Chairman.  Thank you for putting together \nthis panel.  I learned a lot today.\n\nMr. Chairman, you said you cannot move to a cure unless certain steps \nwere taken, and I would include in those steps at least a recognition \nof the problem and get out of a sense of denial.\n\nEvery time Mr. Howard referred to what happened on May 3rd, the \nincident.  I do not know if you have been out in the field talking to \nveterans, but they are scared to death. 
You got 26 million or more \npeople worried about identity theft.\n\nWe have had testimony here that if it was a professional has the data, \nand there are some circumstances about the theft that may lead to that \nconclusion, it may be a year before they even know that their identity \nhas been stolen.\n\nSo we have a major disaster here.  And until you guys start calling it \nthat, I do not think we are going to get the kind of response that we \nneed.\n\nSo I hope you folks in the front row there will take that message back \nto the Secretary, that if he is in a state of denial still, although, \nI do not know, it took a week to hear the other news, maybe he will \nnot get this message by tomorrow.\n\nDr. Gauss, you started, your opening sentence was quite an indictment \nof this situation.  Could you just read that for me again or did you \nhave that written out?\n\nAdmiral Gauss.  Yes, sir.  At the time of my confirmation hearing --  \n\nMr. Filner.  No, no.  Before that.  I think it was the first sentence.  \nYou outlined the situation as you saw what was --  \n\nAdmiral Gauss.  Yes, sir.  That was at the time of my confirmation --  \n\nMr. Filner.  Oh, okay.\n\nAdmiral Gauss.   -- the Department was faced with -- \n\nMr. Filner.  Okay.  Right.\n\nAdmiral Gauss.   -- an ever-expanding IT budget, programs that were \ndefined in a stovepipe manner due to the lack of an enterprise \narchitecture, programs that were consistently overrunning budget, \nbehind schedule, and failing to meet their performance requirements, \nwas faced with implementing a comprehensive cyber security program, \nand having to institute executive-level oversight process as a result \nof a recurring theme of GAO reports.\n\nMr. Filner.  I mean, I would like to ask a very generalized set of \nquestions that maybe several of you can respond to.  I mean, that is a \ncultural indictment, and I would like to know if it still exists as \nyou see it, Mr. McFarland?  Has it changed?  
Why hasn\'t it changed?  \nWhat did you think of the Pollyanna statement by Mr. Howard, everything \nhas changed and we are moving forward?\n\nAnd I might just for Dr. Gauss, I was not at the hearing, but I think \nat one hearing where Chairman Buyer said to you, would you like to \nhave centralized line control of the system, and I guess you had to \nsay no at that time. I do not know if that was your personal opinion \nor OMB\'s opinion because I think they had to approve your statements \nhere.\n\nBut if you can go back from that statement, and has anything changed \nsince you have left?  Does Mr. Howard\'s statement sound right to you?  \nI mean, and what needs to be changed for it to come true?  Please, and \nthen Mr. McFarland if he can.  Get him off the trout stream there.\n\nAdmiral Gauss.  Let us see.  I am really not qualified to discuss what \nhas happened recently because my knowledge of what has happened is \nwhat I have read in the newspaper and in preparing for this hearing, \nmaterial that I found on the VA web site.\n\nMr. Filner.  But you were there for a couple years.\n\nAdmiral Gauss.  Yes, sir.\n\nMr. Filner.  So did it change while you were there?\n\nAdmiral Gauss.  During that time -- \n\nMr. Filner.  You mentioned one major thing.\n\nAdmiral Gauss.  For the record, sir, all of the testimony that I gave \nin front of this Committee was my testimony.  It was the truth.  I was \nnot influenced by OMB or my senior --  \n\nMr. Filner.  They did not have to be approved?\n\nAdmiral Gauss.  I am sure it had to be approved, but I held no punches \nand I spoke my views.\n\nMr. Filner.  We did have testimony at an earlier hearing of one of, I \nthink, your successors, Mr. Brody, right, who said, because I asked \nhim, he said that he could not say what he wanted to say because it \nwas approved by OMB.  So that seemed to be the procedure.\n\nAdmiral Gauss.  I stand by today -- \n\nMr. Filner.  Okay.  Thank you.\n\nAdmiral Gauss.   
-- the testimony that I gave in front of the \nSubcommittee at the hearings for which I participated.\n\nNow, from a cultural perspective -- \n\nMr. Filner.  Did I get that right that you said no to Mr. Buyer when \nhe said would you like to have the centralized control?\n\nAdmiral Gauss.  I believe that in my answer, I qualified it along the \nterms of what I had in my opening statement, that I felt that the \ndevelopment activity should be centralized.  The CIOs should have the \nauthority over all development activities, but that the operations and \nmaintenance of the products that were deployed to the field should \nstill be distributed within the administrations.\n\nAnd a little bit of the background, we are all an invention of our \npast.  And having served for 32 years in the Navy, I look at the model \nthat is proposed today and it equates to allowing commanding officers \nto develop their command and control capability, but, yet, to operate \nit, maintain it, and fix it, you have to go back to the Pentagon.  And \nsomehow that just does not seem right based on my experience.\n\nAs far as the culture goes, there were cultural impediments at VA that \nprecluded making progress while I was there.  Specifically at the \nexecutive level, there was commitment to have reform, but there was \nnot commitment to effect the type of change necessary to make that \nreform.\n\nWhen you find you are broke, the processes and procedures you operate \nunder are not going to fix you because if they would, you would not be \nbroke in the first place.  So change was fundamental, but the attitude \nwas fix it within the current process.\n\nSecond, the VA concurrence process is onerous.  In my testimony in \nSeptember of 2002, I talked about a memo the Secretary had signed in \nAugust directing the centralization of IT activities.  I testified in \nfront of the Subcommittee that we put a team together to build a plan \nand it would go to the Secretary by November of 2002.  
That did not \nhappen. It took until May to get it done because the VA concurrence \nprocess waters everything down to the lowest common denominator in \nwhich people can agree.\n\nI was told one time I could not offer a differing view because nothing \ngoes to the Secretary without the principals concurring.\n\nAnd, three, the financial management of the programs, the money is \ndistributed into the Administration budget, at least it was during the \ntwo years I was there, for such things as enterprise architecture, \ncyber security, the data networks, all of the infrastructure things \nneeded to run, the machinery needed to run the IT at the Department \nand for the administrations, and it was left to my office to have to \nget the money from the administrations in the year of execution.\n\nThe budgets should reflect the execution because at the end of the \nday, the real organization follows the flow of the money.  And with \nthe money spread in execution, it is very difficult to get the \nresources one needs to execute the job.\n\nMr. Filner.  Okay.  That was pretty clear.\n\nMr. McFarland, would you concur or do you have anything to add to \nthat?\n\nMr. McFarland.  I do concur with Dr. Gauss on the state of what he \nleft was pretty much what I found when I got there.  I believe the VA \nhas moved forward in doing some things that will make the job easier.\n\nWith the help of this Committee and Congress, there is now a \nconsolidated budget, although I would tell you that I was disappointed \nthat the budget contained only nonpay dollars and not the full budget. \nI will be frank about that.  That does allow better oversight over the \nspend. There is now under this federated model at least a \nconsolidation of the infrastructure.\n\nAnd where I might disagree with Dr. 
Gauss a little bit, I do believe \nthat the infrastructure has to be consolidated because I believe that \nif you do not consolidate the infrastructure under the CIO, then all \nyou will do is be involved with directives and guidelines over policy \nof privacy and security.\n\nWithout control of that infrastructure, technical control of that infrastructure, you cannot ensure that the environment is safe.  So I \nwould disagree.  I believe the infrastructure should be consolidated \nand that not only --  all those assets need to be under a single \ncontrol.  The --  \n\nMr. Filner.  Mr. Howard, are you heading in that direction or not?\n\nGeneral Howard.  Sir, with respect to the operations and maintenance \ndomain, we are.  And as I indicated in my testimony --  \n\nMr. Filner.  Wait, wait.  He just said something very clear.  He said \ncontrol of the infrastructure.\n\nGeneral Howard.  Yes, sir.\n\nMr. Filner.  Is that what you are talking about or not?\n\nGeneral Howard.  With respect to the operations and maintenance infrastructure, that is correct.  The data centers --  \n\nMr. Filner.  But he was not restricting it like you are.  I mean, he \ndid not have any qualification over infrastructure.  What other part \nof the infrastructure there is?  Development?\n\nGeneral Howard.  Development is not included in the -- \n\nMr. Filner.  Why not?\n\nGeneral Howard.   -- IT organization that has currently been approved.\n\nMr. Filner.  That is the point, Mr. Howard.  I am saying should it be \nin that?\n\nMr. McFarland, did you include what he said, operations, maintenance, \nand development in the consolidated structure --  \n\nMr. McFarland.  Under the current plan -- \n\nMr. Filner.   -- infrastructure?\n\nMr. McFarland.  Under the current plan -- \n\nMr. Filner.  I do not even talk the language you do, so I am trying \nto get this.\n\nMr. McFarland.  I understand.  Infrastructure to me does not \ninclude development.  
Infrastructure is the basic assets and people \nnecessary to provide the IT service to the community.\n\nIn the current federated model, that infrastructure is supposed to be \nconsolidated under the CIO.  And the administrations and staff offices \nbecome users of that infrastructure.  I strongly believe you cannot \nallow the infrastructure to be managed by administrations and staff \noffices.\n\nMr. Filner.  So explain to me the differences in federated model and \nthe centralized model.  I mean, what --  \n\nMr. McFarland.  The difference -- \n\nMr. Filner.   --  is included in one and not the other?\n\nMr. McFarland.  The difference under the Gartner scenarios that were \ndeveloped is only one issue, that the applications development, \nthe development of new products to serve the needs of veterans in each \nof the administrations and staff offices, whether it be a financial \nsystem or whether it be a medical system, the development of those \nproducts, application development, is done in the federated model by \nthe administrations.  Everything else is managed by the CIO.\n\nIn the centralized model, all of that would be managed by the CIO.  And \nwhat would happen would be the staff offices and the administrations \nwould provide the specifications and requirements for their needs to \nthe CIO who would then go to the marketplace and develop those \nproducts for them.\n\nMr. Filner.  And you agree that that is okay?\n\nMr. McFarland.  I am sorry, sir.\n\nMr. Filner.  We got word directly from the Secretary about what \nMr. Howard should say, so maybe you should read the note for us, \nMr. Howard.\n\nThe Chairman.  Mr. McFarland, to be responsive to the question, I think \nit would be that do you concur with the centralized model that \ndevelopment should be under authorities of the CIO?  I think that is \nwhere Mr. Filner was getting to.\n\nMr. McFarland.  I have been on record from day one as being preferring \nthe centralized model.  
I have agreed to support the federated model \nwhen I was in office because that was the recommendation of the agency \nand it was candidly the best I could get.\n\nMr. Filner.  And give me again as concise as you can why --  you \ndefined the federated --  you gave us a clear explanation, but why \nwould you prefer the centralized?  I mean, what did it do that the \nother did not?\n\nMr. McFarland.  I believe you have to have control over development.\n\nMr. Filner.  Well, that is what I asked you at the beginning, and you \nsaid no.  I asked what did consolidation of infrastructure mean, and \nyou said operation, maintenance, but not development.  Now you are \nsaying development should be.\n\nMr. McFarland.  Let me define infrastructure for you, sir.\n\nMr. Filner.  Okay.\n\nMr. McFarland.  Infrastructure is the assets and people that provide \nIT services --  \n\nMr. Filner.  Okay.\n\nMr. McFarland.   -- provide the electrons to anyone who uses those \nelectrons, your e-mail, your whatever, no matter whether you are a \ndoctor, a benefits coordinator, whatever, the users of those \nworkstations.  That is the infrastructure.\n\nThe development of product is actually the generation of new code --  \n\nMr. Filner.  All right.\n\nMr. McFarland.   -- to run applications.\n\nMr. Filner.  And both should be under the CIO in your preference?\n\nMr. McFarland.  It has been my professional -- \n\nMr. Filner.  Okay.\n\nMr. McFarland.   -- opinion that they should be consolidated --  \n\nMr. Filner.  Okay.\n\nMr. McFarland.   -- under one environment.\n\nMr. Filner.  And so they are going in a different direction than that \nright now?\n\nMr. McFarland.  They are using -- \n\nMr. Filner.  All right.  That is all.\n\nMr. McFarland.   -- the federated model, yes.\n\nMr. Filner.  Thank you.\n\nThank you, sir.\n\nThe Chairman.  Mr. Bilirakis, just as a follow-up, if I may.\n\nMr. 
Bresson, Gartner Consulting, you are consulting to the leading top \n100 companies in the world; are you not?\n\nMr. Bresson.  Yes, sir.\n\nThe Chairman.  Are there any of these companies that you are a \nconsultant to in the world of these companies ever take the \ndevelopment side outside the --  to take the development outside the \nauthority of the CIO?\n\nMr. Bresson.  Indeed there are, yes, sir.  And I think one of the \nnuances to the federated model as it may exist in commercial and \noutside of public sector is that while development may remain outside \nthe CIO\'s control, in order for those products to run on the \ninfrastructure, they still must, you know, pass through the wickets \nand be certified to run on that infrastructure.  So there is a \ntransfer.\n\nThe Chairman.  Thank you.\n\nMr. Bilirakis.\n\nMr. Bilirakis.  Mr. Chairman, virtually everything has kind of been \ncovered on a detailed basis.  If this continues on, it is just going \nto continue to make work for us and take us away from being concerned \nabout healthcare and about claims processing and things of this \nnature. Somewhere along the line, it has got to be solved.\n\nLet me ask.  My impression is that all testimony, I mean, for --  it \ngoes all the way back, not just this Administration, the prior \nAdministration and Administration before that.  All testimony before \ncoming before Congress has to go to OMB; is that correct?  Does \nanybody know?  That is true, right?\n\nGeneral Howard.  [Nods head affirmatively.]\n\nMr. McFarland.  [Nods head affirmatively.]\n\nMr. Bilirakis.  Okay.  So this is not something that is new.\n\nDr. Gauss, you prepared your testimony.  Of course, obviously, OMB \ndoes not tell you what to respond to when you are asked questions from \nthe panel up here.  But you prepared your testimony for today, and \nthen there is a process?  It went up the line, did it, up through \nthe --  \n\nAdmiral Gauss.  [Shakes head negatively.]\n\nMr. Bilirakis.  No?  
Where does your testimony go?\n\nAdmiral Gauss.  As a private citizen -- \n\nMr. Bilirakis.  You are a private citizen, right. All right.  I am \ngoing to go to General Howard.  Forgive me for doing this.  Getting a \ngood opportunity for this old Staff Sergeant to talk to a Major \nGeneral.\n\nGeneral Howard.  It has to go through OMB, sir.\n\nMr. Bilirakis.  Has to go.  All right.  But does it go up the line \nthrough the VA first --  \n\nGeneral Howard.  Yes, sir.\n\nMr. Bilirakis.   -- before it goes to OMB?\n\nGeneral Howard.  Yes, sir, it does.  General Counsel -- \n\nMr. Bilirakis.  Do you like that as a former General officer?\n\nGeneral Howard.  Sir, it was probably the same way in the Pentagon, \nalthough I cannot remember.\n\nMr. Bilirakis.  Yeah, I will bet.  I will bet.\n\nGeneral Howard.  But that is the process.\n\nMr. Bilirakis.  You know, what is happening here is, you know, we have \ngot a Veterans Administration that I have always had very high regard \nfor.  When I came to Congress 24 years ago, there was one committee \nthat I specifically fought for.  I guess I did not have to fight too \nvery hard, but the point is I wanted to get a VA Committee, and I did \n24 years ago, first day one.\n\nAnd Mr. Buyer may not know this, but when our side came up with this \nidea of grading committees, certain committees are considered A \ncommittees, B committees, C committees. The rule was that if you had \nan A committee, you could not serve on any other committee.  And the \nVeterans Committee was considered other than an A committee.\n\nAnd so Energy and Commerce was considered and still is considered an A \ncommittee.  And the deal was if you wanted to stay on an A committee, \nyou had to give up any other committees.\n\nI let it be known that I would be glad to give up Energy and Commerce \nif I could keep Veterans Committee. 
That is how much I feel about this \nCommittee and that is why I get awfully frustrated and angry \nsometimes when we get partisan here and throw stones at each other, \nwhich is something we did not used to do on this Committee.  But that \nis besides the point.\n\nThe point here is that activity like this, promises made to Congress \non record and whatnot and not kept on what, you know, contract on IT \nwas to be awarded June the 10th and contract work was to be started on \nJune the 15th of this year of 2006 when, in fact, that has not taken \nplace, that is the result of testimony before this Committee back in \nMarch of this year.\n\nOther things.  We have gone through hearing after hearing.  We have \nhad round-table discussions, everything on IT, and still do not see \nvery much progress being made.  I mean, that hurts the image of the \nVeterans Administration.\n\nAnd, you know, we would like to hear from the veterans, complaints \nabout maybe healthcare, about their claims, or something of that \nnature.  And what we are hearing is they are concerned about privacy \nand the lack of privacy and their concern about what might happen to \ntheir personal situation as a result of what has transpired.\n\nMr. McFarland, you came aboard with a heck of a background, a \ntremendous IT background.  You were given a certain responsibility.  \nWas your background respected in the VA?  Now, you should be free to \nrespond here.\n\nMr. McFarland.  Yes, sir.  I never got a feeling that my background \nwas not respected.  I think I felt I brought a business acumen to the \nVA --  \n\nMr. Bilirakis.  Yeah.\n\nMr. McFarland.   -- which I think was -- \n\nMr. Bilirakis.  All right.  But -- \n\nMr. McFarland.   -- somewhat new, and I think it was respected \ncertainly in the beginning.  I am not sure --  \n\nMr. Bilirakis.  In the beginning.  What happened -- \n\nMr. McFarland.   -- if it is respected today.\n\nMr. Bilirakis.  What happened after the beginning?\n\nMr. 
McFarland.  Well, I think whenever you embark on change, you are \ngoing to run into culture.  I have said many times I did not believe \nthat a majority of the issues at VA were so much about technology as \nthey were about culture.\n\nMr. Bilirakis.  Yeah.\n\nMr. McFarland.  It is a long-standing history of decentralized \nmanagement.  And when you bring a business acumen that says you want \nto centralize many of those management functions, I think you run \ninto cultural problems.\n\nBut that being said, I do not think anyone disrespected my \nbackground.  I never had --  \n\nMr. Bilirakis.  Well -- \n\nMr. McFarland.   -- anybody chastise me for it, so -- \n\nMr. Bilirakis.  Yeah.  I do not think anybody would have done that, \nbut I am not referring to that obviously.  I am referring to --  I \nmean, were you paid attention to?  Were you taken seriously in terms \nof some of the changes as a result of your actual background and \nexperience and that sort of thing?\n\nMr. McFarland.  Oh, I think I was taken very seriously, sir, on many \noccasions.  I do not think it was ever an issue of taking me \nseriously.  It was that the problem was the disagreement over the \nchange.\n\nMr. Bilirakis.  All right.  So you were taken seriously, but there \nwere disagreements?  Some people disagreed with you?\n\nMr. McFarland.  Yeah.\n\nMr. Bilirakis.  General Howard, you know, here we are.  And the \nChairman\'s idea of legislation, basically upgrading the CIO position \nand whatnot is a good idea.  But here we are trying to micro manage.  \nAnd damn it, we should not be doing that.  And, yet, we feel that we \nalmost have to from the questions that have been asked here, \ndetailed-type questions for crying out loud.\n\nWe should not have to be concerned with something like that, I do not \nthink.  And, yet, we are because we see a process that just is not \nmoving.  It is not progressing the way it should be.  
And then, of \ncourse, these errors such as the loss of those files.\n\nGeneral Howard, your testimony had to be cleared, but your responses \nto us are not cleared, do not have to be cleared.\n\nGeneral Howard.  No, sir.  That is correct.\n\nMr. Bilirakis.  All right.  Now, you are a General Officer.  Are we \ngoing to fix this?\n\nI mean, Mr. McFarland mentioned the word culture.  He knew darn well \nthat I was going to mention culture because I talked about it \nconstantly during our past hearings.  There is a culture there.  There \nis a turf thing there that exists up here, too, and I am the first one \nto admit that.  If I had to say the one thing that bothers me about \nthe Congress is the turf, turf fighting, and committees\' jurisdictions \nand things of that nature.\n\nWhat do you think?  Are we on the right path here?  Are we going to \nfix this?  Are we going to be as proud of the VA in terms of IT as we \nare on our work on healthcare and the Spinal Cord Injury Center, for \ninstance, Haley Hospital in Tampa?\n\nThere was a young lady here with Pfizer who lives down in that area \nand who volunteers there one day a week.  And as I went out to vote, \nshe was boasting to me about the great work that they do.\n\nI mean, there is a lot of pride there.  But the pride does not exist \nas far as IT is concerned.  Respond to that.\n\nGeneral Howard.  Sir, there is, first of all, no question that this \ncan be fixed.  Obviously we cannot predict the future.  But in my \nmind --  \n\nMr. Bilirakis.  What do you mean by that?\n\nGeneral Howard.  You said will we fix it.  We can fix it and we are \nheading in the right direction.  There is no question about that.\n\nThe issue regarding centralization is still, you know, full \ncentralization, that is, including the development domain, is still on \nthe table.  But I think based on the Secretary\'s testimony yesterday, \nthat also will be centralized.  
And he went public with that yesterday \nduring the Appropriations hearing.  I think that is a very important \naspect of it.\n\nCan we do it right away?  My personal opinion is we should not.  We \nare already very deep into moving the operations and maintenance and \nconsolidating that.\n\nIn the contract you refer to, you are correct.  That was delayed due \nto contracting procedures, but that is ready to be signed.  If it is \nnot signed today, it will be in the next few days to bring in the \ncontractor who is going to help us further refine the details of the \ncurrent approved IT reorganization.  But as the Secretary mentioned \nyesterday, he is going to take the next step.\n\nMr. Bilirakis.  All right.  You said something, you mentioned \ncontract procedures, delays as a result of the contract procedures.  \nShould those procedures in your opinion be changed?\n\nGeneral Howard.  Sir, those are typical government procedures.  It \njust takes time to work through that.  I did not see anything really \nout of line.  It just took longer than we thought.  I mean, we \nfollowed all of the procedures. We had written proposals.  We had oral \npresentations and a thorough review.\n\nThe last reviews that had to take place were with General Counsel and \nthe Contracting Office.  You know, I got an e-mail this morning that \nindicated those are complete.\n\nSo there is no reason why this contract should not be signed.  And \nthat will be a very significant piece to what we are discussing today \nbecause they will come in, this contractor will come in and help us \nrefine the processes and procedures under which we should operate.\n\nMr. Bilirakis.  Are we going to pay attention to them?  Are we going \nto --  \n\nGeneral Howard.  Sir, we are going to pay a lot of attention to them. \nAnd the fact of the matter is, you know, we have already detailed \n4,600 people to the Office of Information and Technology.  
And that \ndetail will become permanent on the 1st of October.\n\nSir, that is in effect as we would refer to in DoD, that is a field \noperating agency.  That is not a staff section.  That is a large \nnumber of people, and we are now in the process of organizing them, \ndelivering the guidance, an important subset, for example, of the \nInformation Security Offices that exist throughout the VA.  There is \nslightly over 300 of them.  They are now under my control.\n\nYou know, we are the ones that issue them instructions, that give them \nthe training, that develop their careers, all of that.  Bob McFarland \ndid not have that, but we do.  And that alone is very helpful in terms \nof improving our information security.\n\nMr. Bilirakis.  Well, I am reminded by staff that this was said \nsomething like last October that it was going to take place, and here \nit is what, June, almost July of the next year.\n\nGeneral Howard.  Yes, sir.  It happened in April, sir.  That is --  \n\nMr. Bilirakis.  In April.\n\nGeneral Howard.  That is when the detail took place. But to sort of \nsummarize, I am fully confident that we can fix this problem.  Clearly \nit is an organization issue, but it is more than just moving the boxes \naround.\n\nAs Gartner mentioned, processes are very important and probably more \nimportant than anything else is the leadership and the emphasis we \nplace upon the whole enterprise.\n\nMr. Bilirakis.  Yeah.  Just my last question.  What say you to this \nculture thing that has been admitted to over a period of time in the \nVA?\n\nGeneral Howard.  Sir, I have been in the VA just a little over a year. \nI came out of the private sector. There is a culture issue.  And one \nof the reasons for that, I think we all know that we are operating \nwith an agency that is very decentralized.  And you cannot fix that \novernight.  I mean, that has to be done over time.  We need to put \nmore emphasis on it.\n\nBut, again, under Dr. 
Kizer, it was deliberately decentralized and \nthe result of that, quite frankly, was more effective healthcare.  I \nmean, it was, you know, innovation in the field and all of that.  And \nin many ways, that is a good thing.  What we probably did not do is \nmaintain sufficient controls over that decentralization.\n\nEven in the Army, you know, you can encourage innovation and to a \ndegree decentralization, but you have regulations and clear directives \nto make sure that things are followed correctly.\n\nAnd one comment on directives.  The business about are we going to fix \nthis.  Sir, one first step, a major first step is to publish very \nclear directives.  I have only been in OI&T a little over a month and \nclearly that is a problem. Bob McFarland had difficulty with that.\n\nAnd no longer guidelines and handbooks and all of that. Our policies \nneed to be in very clear directives with signatures on them so that \npeople are very clear about what they --  \n\nMr. Bilirakis.  Yeah.  That seems natural.  Why did Mr. McFarland have \ntrouble with it and why do you say that it is going to be difficult?  \nI mean, why?\n\nGeneral Howard.  Sir, I do not see that difficulty anymore.\n\nMr. Bilirakis.  All right.  Why was it -- \n\nGeneral Howard.  It took us less than a week to publish 6504.  In \nfact, the Deputy Secretary was a co-signature on it along with \nmyself.  And 6500 is another very critical directive that we are \ncurrently working on.\n\nMr. Bilirakis.  Yeah.\n\nGeneral Howard.  And there are more.  We cannot rely on memos and \nguidance that is not signed out and approved at the very high level.\n\nMr. Bilirakis.  Will enforcement exist?\n\nGeneral Howard.  Sir, on the enforcement part, I mentioned in my \ntestimony that we have established an overarching program to address \nthese issues, the Data Security Assessment and Strengthening of \nControls Program. This is an overarching program sanctioned by the \nDeputy Secretary.  
We have a very detailed list of actions that must \noccur.  In fact, we would be happy to brief this Committee at any \ntime.  There are a lot of things that need to be done.\n\nAs I mentioned to you, there were three phases to it. The last phase \nis enforcement.  And to give you an example, I think in the area of \nenforcement, one of the most important things we can do is improve our \naudit and inspection capability.\n\nAs an old Army guy, if you roll into an organization and you do not \nhave a good inspection program, you got a problem right from the \nvery beginning.  And we do not have that right now.  We have some.  We \nhave the IG, of course.\n\nBut within OI&T, for example, it is relatively small. It is nowhere \nnear as robust as it needs to be.  And along with that capability \nneeds to be the authority to go anywhere within the VA, knock on the \ndoor, and walk in and see what is going on.\n\nSir, I know you are laughing, but we need that and it needs to be \nrobust.  And you know what I am talking about. You are talking \nabout unit inspection programs.\n\nMr. Bilirakis.  I am not sure why the Chair is laughing.  I think \nbecause he is happy.\n\nBut we had testimony what, last week from the counsel that you did \nnot have the authority, the enforcement authority.  Am I wrong there \nor do you have it?  Do you feel that you have it?\n\nGeneral Howard.  Sir, right now I have certain authority as a result \nof the approval of the IT organization up to this point.  For example, \nin the area of information security, I own these people.  I am \nresponsible for telling them what to do.  I have the authority to \ndiscipline them.\n\nWhat I do not have is the authority to discipline somebody in VHA.  \nI do have the authority to lay out the policies and regulations that \nmust be adhered to.  
And if the VHA folks, for example, do not \ndiscipline someone who violates these policies, you know, then it is a \nmatter for the tenth floor, you know, the Secretary level.\n\nNow, I will say that so basically within what has already happened, I \ndo have some authority.  Now, with respect to additional authority, \nthere is a memo being debated right --  not debated.  It is being \nfinalized and reviewed by the Secretary, regarding further delegation \nof authority.  It has not been signed yet.  He may talk to that \ntomorrow.  But there is more to come on that issue.\n\nMr. Bilirakis.  Well, I know I have taken much more time than I should \nhave.  Thank you, General, gentlemen.\n\nMr. Chairman, we all have suffered through an awful lot of frustration \nhere.  I yield back whatever time.\n\nThe Chairman.  Well, Mr. Bilirakis, this is a challenge.  It has been \na challenge for us for a long time.\n\nAnd I am smiling whenever I can hear you talk about authority.\n\nBack in 2002, Ms. Carson asked you, Dr. Gauss, a direct question, are \nyou the man in charge.  That is exactly how she asked it.  And you \nsaid, yes, ma\'am, it is me.  Very close.  You may have been in charge, \nbut you did not have a lot of authority in reality.\n\nAnd that is what also then we learned with your successor, Mr. \nMcFarland.  He was in charge.  The Secretary even wrote a directive, \nand then that is undercut by a General Counsel in his interpretation \nof FISMA that says that you have responsibility, but you do not have \nauthorities.\n\nGeneral, reflecting upon your days in the United States Army, pretty \nhard for you to have received responsibility to ensure compliance, but \nthen you have no authority to accomplish a mission.  You are to take \nthe hill.  You are to ensure compliance of having taken the hill, but \nyou have no authority to give orders to anyone.\n\nThat is why I use the form heterodox, because it is totally against \neverything in our society.  
So my challenge with the Office of the \nGeneral Counsel, it is how you get to yes.  How do you get to yes?\n\nYou do not create these odd anomalies that then has a detrimental \nimpact upon an organization.  We figure out how we get to work \ntogether and pull in the same direction, not to create these \ndivisions and as someone had earlier testified to as decentralizations \nof mass dispersions, equate to mass dispersions in the VA.\n\nSo that is why I am smiling.  I am pleased that the VA is moving \ntoward that direction with regard to lines of authority.\n\nI now recognize Ms. Herseth.\n\nMs. Herseth.  Thank you, Mr. Chairman.\n\nLet me just follow-up on the line of questioning of Mr. Bilirakis and \nsome of the comments that the Chairman just made.  And I appreciate \nthe testimony that you have offered, written testimony that I had a \nchance to review and some of your oral testimony today that in the \nlight of the vote, some of us missed.\n\nBut I just want to make sure that we have turned a corner and that we \nwill be able to confirm some of this further with the Secretary \ntomorrow.  But the Chairman says, you know, how do we get to yes.\n\nIt is sort of like what we say to members of our staff here in \nWashington or back home serving constituents.  You know, it is one \nthing to move the ball down the field and get to the five yard line, \nbut they all need to get it over the line.  It is not just about \ngetting it close.  It is getting it there.\n\nAnd in the questions that Mr. Bilirakis posed to Mr. McFarland about \nhow you were received given your background, your experience when you \narrived at the VA, you felt that, you know, you brought this business \nacumen, it was respect, but there was disagreement then based on the \nproposals of centralizing the IT function.\n\nAnd then in response to the question posed to you, General Howard, \nabout once we get the contractor, are you going to pay attention to \nthem.  
You said, yes, you are going to pay attention to them.\n\nBut what if there is disagreement with how they are advising to refine \nthe processes?  Have we turned the corner to say now that the \nSecretary has made the decision to centralize, we have got the \ncontractor that is going to be in place, are we behind that now?  It \nis not about disagreement anymore?  It is about simply executing \nand implementing the recommendations of refining the processes?\n\nGeneral Howard.  Ma\'am, I cannot say there will never be \ndisagreements.  I mean, you are always likely to run into that.  But \nmy feeling right now is those have been greatly minimized.\n\nMs. Herseth.  May I interrupt?  Even if there is disagreement, though, \nyou are right.  There is going to be disagreement.  But despite the \ndisagreement, are we going to just rehash the disagreement and --  \n\nGeneral Howard.  No.\n\nMs. Herseth.   -- push back on the contractor about the \nrecommendations or is it, you know, we disagree, but your job was to \nadvise us, recommend, now we are going to implement the \nrecommendations?\n\nGeneral Howard.  We have turned the corner.  There is no doubt in my \nmind about this.  Just the reassignment of people alone, you know, \nincluding the empty spaces that have been given to us upon the \ninsistence of the Deputy Secretary.  He says do not just move the \npeople.  We want the spaces, too, so that we can flesh out this \norganization in the correct manner.\n\nSo everything that I see from our leadership is heading in the right \ndirection.  There is no doubt in my mind about that.\n\nMs. Herseth.  Okay.\n\nGeneral Howard.  But to execute is going to require very strong \nleadership and determination right down until when you finally take the \nhill, sir, you are right.\n\nMs. Herseth.  And authorities, right, General Howard? So do you \nfeel --  \n\nGeneral Howard.  And the authorities.  
And as I mentioned, a very \nimportant delegation memo is currently being worked and --  \n\nMs. Herseth.  Great.  We hope to see that soon and to ask the \nSecretary about it tomorrow because that was again a line of \nquestioning we pursued last week with the General Counsel who kind of, \nI felt, was trying to have it both ways by reiterating his \ninterpretation of FISMA, but then talking about certain options the \nSecretary had to delegate certain authorities.\n\nAnd it was just really hard to pin him down on whether or not he was \ntrying to allow his interpretation of FISMA to trump what these \nreserved powers that could be delegated from the Secretary.\n\nSo I hope we have turned the corner there, that we are getting very \nclose, that we are moving in the right direction, but not just moving \nin the right direction and down the field, but that delegation exists \nto get us to score the goal.\n\nLet me move to a different line of questioning.  Mr. Brandewie, we \nhave also in past weeks in different hearings gone into what is \nhappening in other federal agencies with the relative organization of \nthe CIO.\n\nAre there some weaknesses?  Are there strengths that we should be \nevaluating to assist us with the Department of Veterans Affairs\' \nsituation?\n\nI know that the Chairman has asked for a GAO investigation and report \non other interpretations of FISMA by other General Counsels and \ndifferent agencies.\n\nAnd so in your statement, you note that the DMDC is at the center of \nmost of the human resource information flowing between DoD and the \nDepartment of Veterans Affairs.  Under the definition in FISMA, is \nDMDC considered a strategic security system?\n\nMr. Brandewie.  No, ma\'am, it is not.  The data sources for the \ninformation that flows to the VA are not classified as national \nsecurity systems.\n\nMs. Herseth.  Okay.  So it does not contain information about security \nclearances and military job codes?\n\nMr. Brandewie.  
No, it does not.  If I could just comment in a little \nmore detail.  The information that goes to the VA starts out very \nskeletal.  I mean, it is just the basic identification information.  \nIt grows as events happen in a servicemember\'s life.\n\nFor example, they become eligible for Montgomery GI Bill is a good \nexample.  Then we add information on that program and feed it to the \nVA.  So the information that goes from DoD to VA is basic \nidentification and then programmatic information.\n\nMs. Herseth.  Okay.\n\nMr. Brandewie.  It is not national security information.\n\nMs. Herseth.  I appreciate your responses and it relieves me of some \nof the concerns there.\n\nHowever, let me just ask this question.  I know the Chairman is \ninterested whether, you know, based on your responses that it does not \ninclude national security information.  But over the course of a \nservicemember\'s lifetime as that information grows, you know, how do \nyou feel about data sharing with an agency system plagued by such \nvulnerabilities as we know the Department of Veterans Affairs\' system \nhas been?\n\nMr. Brandewie.  Well, I mean, naturally we are concerned.  I mean, we \nare concerned because of the massiveness of the scale.  Essentially as \ncame out in the data breach, a vast majority of our active duty and \nReserve members\' information potentially was compromised in the data \nbreach.\n\nHowever, in our data use agreements with the VA, we require \nsecurity evaluations be done on the recipient systems.  They have \nbeen studious about doing that.  I know they are rereviewing a number \nof the systems right now to make sure that they are, in fact, meeting \nthe security requirements.  
And so we have to in a partnership sense \nrely on our partner in the VA to maintain security in the system, but \nwe all remain concerned.\n\nOne fix that we have been pursuing actually began under Admiral Gauss \nis to consolidate the feeds that go from DoD to VA and try and \nminimize the kind of proliferation of data throughout the agency.  And \nby concentrating that information, I think we can concentrate our \nefforts to make it more secure and protected.\n\nMs. Herseth.  I agree.  But I think a very important first step, \nespecially in light of the concern that as it does get spread out \nmore, you then have the potential of employees within the different \nadministrations --  well, just the potential for more possibilities of \ncompromise, I should say.\n\nOne last line of questioning, if I might pursue that, Mr. Chairman.\n\nThe Chairman.  Yes, ma\'am.\n\nMs. Herseth.  And I think, Admiral Gauss, you answered part of this \nquestion when you were talking about the VA concurrence process and \nthat you were told at one point within the chain of command, so to \nspeak, in the VA that you could not go to the Secretary with some of \nyour concerns unless it was consistent, unless it met these \nconcurrence principles.  And, otherwise, if things got watered down to \nthe point that some of your concerns were inconsistent with the \nminimum threshold of what it was watered down to that it was hard for \nyou to reach the Secretary with those concerns.\n\nSo my question is for Mr. McFarland and for you, Admiral.  Last week, \nBruce Brody, who was a former Associate Deputy Assistant Secretary for \ncyber and information security at VA, testified before the Committee.  
\nAnd he explained that while he served in that capacity, he was not \npermitted to speak openly about many of the problems associated with \nVA\'s management and information security.\n\nSo during each of your tenures as Chief Information Officer for DVA, \nwere you ever instructed by the Secretary or other senior Department \nofficials to withhold from members of Congress any concerns you held \nregarding the Department\'s information system?\n\nAdmiral Gauss.  Let me start since Bruce worked for me first before he \nworked for Bob.\n\nI was never instructed nor did I direct Bruce to withhold information \nfrom Congress.  What I did, and this is me doing it, is Bruce \nsometimes could be quite colorful in the presentation of his issues, \nand sometimes the importance of his issue could be lost in the \ncolorful flavor that he would present them.  And I did ask him to tone \nsome things down, but never to obfuscate an issue.\n\nMs. Herseth.  I appreciate the response.\n\nAdmiral Gauss.  And if I may on the first part -- \n\nMs. Herseth.  Yes.\n\nAdmiral Gauss.   -- when I talked about the concurrence process, I did \nnot mean to imply that I could not go to see the Secretary.  The \nprocess, though, required as you lumbered your way through to get a \ndocument that could be approved, it required the concurrence.\n\nIn fact, I was called once by the former Deputy Secretary, and he \nsaid I need you to take your nonconcurrence off.  And I said why.  It \nis my view.  And he said, well, if it goes the other way, will you \nsupport it. And I said of course I will.  And that is the only time \na dissenting view got documented from my office.\n\nMr. McFarland.  I would concur with Admiral Gauss on the issues.  I \nalso managed Bruce Brody and I did see some of the colorful \npresentation, but he was always straightforward and given the ability \nto speak his mind. 
And never was I ever either told that I had to \nwater down my opinions or could not speak, nor was I ever told not to \nsubmit anything to Congress.\n\nThe concurrence process to me, I agree with Admiral Gauss, is \ntroublesome.  Unlike what I understand DoD\'s concurrence to be, at the \nVA, there is no penalty for not meeting concurrence deadlines.  And so \nwhat happens is you get the slow roll.\n\nAnd without having a defined, definitive concurrence deadline such as, \nI believe, DoD has where if you do not concur or nonconcur, you do not \ndo anything, then you opt out and have no say because one of the \nreasons you have problems in getting things done quickly is because \nthis concurrence process takes a long time when people simply do not \nconcur, neither nonconcur or concur.\n\nThe process allows nonconcurrence.  That is not an issue.  I believe \nthat we have moved ahead with issues at the VA.  Even with \nnonconcurrence, we have moved ahead.  An example would be the \nfederated model.  I did not concur with the federated model, but I \nagreed to support it.  So my nonconcurrence on the federated model was \nwell-documented.\n\nThe issue is the time frame and this problem of slow roll, which is \nwhat happens, is what causes you the delays in many of these \noccurrences from happening in the time frame they should happen.  And \nI strongly believe that that time frame should be changed and I have \nspoken so.\n\nMs. Herseth.  One last question then.  Do you feel that the Chairman\'s \nproposal to elevate the status and authority of the CIO position would \nbe sufficient to effect the concurrent process or do we also need --  \nagain, not that we want to micro manage, but do we also need to \nsomehow specifically address the time frame of the concurrence process \nor would elevating the position of the CIO with that type of authority \nmake that move on its own?  
Would it effectuate the change on its own \nas opposed to independently from another proposal of the Committee?\n\nMr. McFarland.  Well, I support the move, the proposed move to Under \nSecretary status.  And I think that will help.  I also believe that \nthe VA has at the top level competent management and I believe \ncompetent management can deal with this issue.\n\nI do not believe personally that Congress should have to deal with an \nissue of concurrence in its time lines. People at the VA at executive \nlevel are competent.  They can deal with this.\n\nMs. Herseth.  I know I have taken up a lot of time, and I appreciate \nthat response.  So may I read into your response that with the \ncompetent senior leadership at the VA that elevating CIO to an Under \nSecretary status would allow the competency of senior management in \naddition to the individual holding the CIO position to address the \nissue of the concurrence process because if both you and the Admiral \nare saying that this has been a problem because it has been taking \ntoo long, but, yet, you have confidence in senior management at the \nVA, is it just that one move of elevating the position to Under \nSecretary status, and will it happen eventually because I also get \nthe sense that you really do not think the Committee should have to \ndo anything on that front, but is there something else that needs to \nhappen to address it effectively?\n\nMr. McFarland.  I think it will help greatly because at an Under \nSecretary level that the CIO will get to sit regularly with Admiral \nCooper, Dr. Perlin, Bill Tuerk and discuss these issues at that level \nwhich should ferret the problems out earlier.  That is my opinion.\n\nMs. Herseth.  Thank you.\n\nThank you, Mr. Chairman.\n\nThe Chairman.  I would like to thank Minority Counsel.  They have \nbrought to this hearing testimony of March 13th, 2002.\n\nIt is you and me, Dr. Gauss.  You got this one too?\n\nAdmiral Gauss.  Is it the verbal?  
If it is the verbal, I do not have \nthat one.\n\nThe Chairman.  You know, that is all right. Yesterday Chairman Walsh \nreferred to this as groundhog day. And, you know, I listened to him, \nand I kind of half chuckled.  Reading this, now I almost want to laugh \nout loud.  There are things that we have talked about here. This is \nback in 2002.\n\nYou and I had a little banter going back and forth here and I asked \nyou a specific question.  Oh, gosh.  We talked about who is in \ncharge.  I am in charge.  A lot of your questions, I mean, you are \nthe Admiral here.  I am in charge.  I am responsible.  I am in \ncharge of the ship.\n\nBut then when we got into specific lines of authority, do you have the \nspecific line authority, and your answer is, no, sir, I do not have \ndirect line authority.  I have indirect authority for matters of IT \n and I have suborganizations within the structure where I deal \ndirectly with these people on matters of enterprise architecture and \ncyber security and that it is an efficiency gained over the past year \nbecause I do not have to go to an Under Secretary to get it approved \nto go to the Deputy Under Secretary in order to get one of the CIOs.  \nI pick up the phone.  I call. I direct.\n\nSo basically you are saying that I could get it done. I could achieve \neven though I do not have line authority.  I think looking back on \nall of that, you would probably look at this and say that was pretty \nhard to accomplish because what we have learned here is that unless \nwe give you the tools, how can you really accomplish that, you know?\n\nI mean, that is kind of where we are.  I am not picking on your \ntestimony and your role.  What I am trying to do is is I am trying to \ngo back in time, see where we were, where are we today, and how we \nmove to cure.\n\nAnd there is something else in here.  Let me go to this one.  
We even \nhad a conversation, and this deals with compliance, and we were \ntalking about the lines of authority again.  And then I got into the \nquestion about the rating of people.  And I asked you what input do \nyou have with regard to rating people, and you said I have direct \ninput to the reporting seniors of these folks for what goes into their \nperformance evaluation.\n\nI then say okay.  Then with regard to promotions and merit bonuses, do \nyou have an input into that also, and you then say the process at the \nVA?  And I said if you are working with someone in one of those \nadministrations who is messing with you and making life difficult to \nget implementation to the one VA is what you were talking about at \nthe time, going, do you have the ability to say no to a merit bonus.  \nAnd you say I do not have that.\n\nThe reason I took time to go back in history with regard to this \nconversation is that since your days at the VA to today, we advance \nourselves, the VA has continued to receive this failing grade, yet, \nwe have individuals of whom received bonuses.\n\nNow, going back to this whole question that Mr. Bilirakis brought up \nabout micro management, you are absolutely right.  We do not like to \ndo that.  We have an oversight responsibility and function.\n\nBut if we are going to create a package and part of that package is \nalso going to be on personnel issues, whether it is in specific \nstatutory authority or in report language, if we are to say that with \nregard to performance reviews, if as a CIO you are to ensure \ncompliance, should IT compliance be one of the criteria of performance \nreviews or merit bonus?\n\nSo I am interested in your thoughts, Dr. Gauss, Mr. McFarland, General \nHoward.\n\nAdmiral Gauss.  Mr. Chairman, as far as the recommendation of \nincluding those as part of the evaluations, I would agree.\n\nThe Chairman.  All right.  Thank you.\n\nMr. McFarland.\n\nMr. McFarland.  
I would submit to you that I not only agree.  I would \nsubmit to you that there is proof that it works because if you remember \nlast time we got an F, one of the major reasons we got an F is because \nwe did not have our 600 major systems certified and accredited.\n\nAnd when Secretary Principi got very upset about that, we asked for \nauthority to include the potential of bonuses not being paid in the \noutcome if all of those 600 systems did not get C and A\'d within a \nyear.  Those 600 systems did get C and A\'d in a year and it was \nbecause of that potential financial threat.\n\nI am convinced of that because he was very clear with the management \nteam that he would look very harshly on bonuses and people\'s paychecks \nwould be affected if this did not happen.  So I would submit to you \nthat it does work.\n\nThe Chairman.  General Howard.\n\nGeneral Howard.  I totally agree, sir.  It is a good mechanism that \nought to be put in place.\n\nThe Chairman.  All right.  Let us envision this for a moment.  How \nwould this work under the federated model?  You are now an Under \nSecretary.  You have the responsibility under FISMA to ensure \ncompliance.  The Secretary has now directed authorities to you.  I am \nanticipating that finally this slow roll approach over Directive 6500 \nafter three years is finally coming and that is what I am hoping for.  \nHow do we do it?  How do you do this?\n\nGeneral Howard.  Sir, the area that it would be difficult is punitive \naction, you know, any action that must be taken against a person from \nthe person\'s supervisor.  In other words, if Art, for example, worked \nin another department and violated one of these policies and violated \nan item --  \n\nThe Chairman.  Can you turn that on for me, your microphone on, \nplease.\n\nGeneral Howard.   -- you know, violated one of these policies, we can \nmake it very clear that he has done so. But the punitive action itself \ncannot be taken by the CIO. 
It would have to be taken by his supervisor.\n\nThe Chairman.  Right.  But let us keep it to the question on a \nperformance measure.\n\nGeneral Howard.  Right.\n\nThe Chairman.  So I am in one of the stovepipes.\n\nGeneral Howard.  Right.\n\nThe Chairman.  So I am now a middle-level manager, just like you, \ndirecting a battalion.\n\nGeneral Howard.  Right.\n\nThe Chairman.  You have given a directive to your battalion commander \nthat you want certain things to be noted.  So all of your officers, \nthey have to make sure that they are compliant with one of your \ndirectives.  So how do you as now an Under Secretary and CIO, and you \nnow have got CIOs completely under you, right?\n\nGeneral Howard.  Right.  And I -- \n\nThe Chairman.  So how are we going to do that?\n\nGeneral Howard.  Those folks belong to me.  There is no question \nabout, you know, disciplinary action, any kind of action against folks \nwho directly work for the CIO.  If they work somewhere else, you know, \nclearly violations of anything should be reported to the CIO.  You can \nhave that provision.\n\nThe Chairman.  All right.  Wait.  You are off subject again.  Let us \ngo back to the issue on bonuses.\n\nGeneral Howard.  On bonuses?\n\nThe Chairman.  On merit, performance, and bonus.\n\nGeneral Howard.  And the individual is in one of the stovepipes?\n\nThe Chairman.  Yes.\n\nGeneral Howard.  And gets a bonus?\n\nThe Chairman.  Wants a bonus.\n\nGeneral Howard.  And should not have gotten -- \n\nThe Chairman.  But is not compliant.\n\nGeneral Howard.  And should not have gotten the bonus?\n\nThe Chairman.  Uh-huh.\n\nGeneral Howard.  The only thing you can do is elevate it to a higher \nlevel because, you know, or --  \n\nThe Chairman.  Wait.  Time out.  Let us break this out.  One of your \nCIOs is at one of the medical centers.\n\nGeneral Howard.  So he belongs to me.\n\nThe Chairman.  But he is at one of the medical centers.\n\nGeneral Howard.  Does not matter.  
He belongs to me.\n\nThe Chairman.  He is at one of the medical centers and he belongs to \nyou?\n\nGeneral Howard.  Yes, sir.\n\nThe Chairman.  He is sitting at the table as any good hospital \nadministrator would do.  He has got him at the table there, and that \nhospital administrator, one of his issues is to be compliant.\n\nAnd what I am trying to figure out under the federated approach, \nsince the CIO is not going to be in these lines of authority with \nregard to punitive actions, but if you make it a performance measure, \nthen it is the Secretary through the Under Secretary that has to \nensure that certain directives are made and have compliance.\n\nGeneral Howard.  Yes.\n\nThe Chairman.  That is our challenge with tomorrow\'s panel --  \n\nGeneral Howard.  Sir -- \n\nThe Chairman.   -- because what is clear today is that with regard to the General Counsel\'s legal opinion that said unto Bob McFarland that you do not have this authority, then that authority then vested with the Secretary, and directive 6500 just sat out there.  Nothing was really acted on with regard to those authorities.  It vested with the Deputy and the three Under Secretaries.\n\nAnd even though you had the responsibility of compliance, authority was not exercised to bring the Department in compliance with FISMA.\n\nGeneral Howard.  Sir -- \n\nThe Chairman.  I am just letting you know that.\n\nGeneral Howard.  Okay, sir.\n\nThe Chairman.  So my challenge here is if we are going to go under the federated approach and we say, fine, we are going to bring it into a performance measure, your CIOs out there can be counsel to that administrator, you know, meeting with them, making sure that they are compliant because here is what is in the pipeline or here is what is going on.  That is what he is there for. He is to be the counsel to the administrator.  You agree with that?\n\nGeneral Howard.  Sir, he also has a black hat on his head, too, that --  \n\nThe Chairman.  
What does that mean?\n\nGeneral Howard.   -- needs -- he needs to report instances that are not in compliance.\n\nThe Chairman.  And who does he report that to?\n\nGeneral Howard.  Up the chain to me.\n\nThe Chairman.  All right.  But he also has a responsibility to the hospital administrator, correct?\n\nGeneral Howard.  Yes, sir.  He sure does as a customer.  You know, he is a service provider.\n\nThe Chairman.  Okay.\n\nGeneral Howard.  But he also has eyes and ears and he needs to keep them open.  And if he uncovers things that are not going on, I expect him to do something about it. Obviously to inform the hospital director, but me too.\n\nI mean, it is like first brigade and second brigade. You know, I cannot give an Article 15 to some guy in first brigade, but I sure can put heat on that brigade commander through the division commander.  And it is particularly a problem in the punitive type of action.\n\nThe Chairman.  So this is going to require -- let me turn now to Gartner --  under this federated approach, in order for this to work, this is going to require some pretty stern leadership from the Secretary, Deputy Secretary to the Under Secretaries to perfect it.\n\nMr. Bresson.  It does not relinquish leadership at any level, sir.  You characterized it as stern.  That would probably be a good thing.  But the model itself does not preclude that leadership from being exercised, those authorities to be implemented.\n\nThe Chairman.  I appreciated your insights with regard to Ms. Herseth\'s questions.  You did a very good job today with regard to the concurrence and nonconcurrence. That was insightful for us.\n\nAnd I appreciate the Deputy Secretary being here today, that you are hearing this, and those are things that you struggled with over the years that you have worked.  
But those time lines, I think, that have been recommended are probably pretty important.\n\nHaving that directive sitting out there for three years was probably not a good thing, and we will get a chance to talk about that tomorrow.\n\nWith regard to nonpay contractors involved in software development, do you know how many there are?\n\nGeneral Howard.  Numbers of contractors, sir, I am not sure.  I will have to get that for you.\n\nThe Chairman.  Mr. McFarland, would you have any idea approximately?\n\nMr. McFarland.  Contractors are in nonpay, yes.  I do not know exactly how many are there.  I could give you an educated guess.  I would say it is somewhere between 500 to 700, I would guess, throughout the Department.  And that is made up of administrations and staff offices.  That would be my guess.\n\nThe Chairman.  Now, there is -- \n\nGeneral Howard.  Sir, if I could pile on.  I mentioned that we have phase one of this program we put in place, assessment.  We finished the internal part.  The next steps is contractors, you know, where are they, what are they doing, et cetera, et cetera.\n\nThe Chairman.  The -- \n\nGeneral Howard.  When we get through with that, we can give you some feedback.\n\nThe Chairman.  The Secretary gave testimony yesterday to Mr. Walsh\'s Subcommittee on Appropriations with regard to the concerns about a subcontractor perhaps releasing data if they did not receive a proper payment.  The Secretary responded that he was not aware that he had any prime contractors that were offshore.\n\nNow, as I understand, this may be, in fact, technically correct.  But what happens if we also put in our package so that we are not jeopardized nor our national security, if we are going to have contractors, that they may not subcontract with any off-shore entity.\n\nWhat are your thoughts?\n\nGeneral Howard.  Sir, I am not familiar with the details of the incident.  I believe you are right.  It was a subcontractor that was involved.\n\nThe Chairman.  
If you know about that, will you make sure the Secretary is briefed for tomorrow?\n\nGeneral Howard.  Yes, sir.\n\nThe Chairman.  All right.  Mr. McFarland, your thoughts.\n\nMr. McFarland.  I think it is important to know who subcontractors are.  There are difficulties in the IT world today.  It is an international product.  So much of what is put into IT both hardware and software today, much of it does come from various overseas subsidiaries and various overseas environments through contracts.\n\nI think it is wise in the contracting process to understand who your subcontractors are and put in a requirement that requires they notify you if they intend to push any of that work offshore, and then you can make a decision at that point whether you believe that is --  I mean, pushing something offshore to Britain, for example, may not be near the issue it would be to pushing something offshore to China.  And I think it is a matter of understanding and having a requirement would be good to know what, if any, off-shore requirements come up.\n\nThe Chairman.  All right.  I am going to go to Dr. Gauss, but I want you to think about this because I am going to come right back to you, Mr. McFarland, about your counsel to us with regard to what should be included in our package. But I want you to think about it and I am going to come back to you.\n\nDr. Gauss.\n\nAdmiral Gauss.  I would think that in dealing with the purchase of purely commercial products and the support services that go with those commercial products, it would be very difficult to sever off-shore relationships.\n\nThat said, any contract that is done for the government where the government is getting specific products and services that meet a specific government need, I think you could impose restrictions that limit off-shore involvement. But there are two separate camps here, I believe.\n\nThe Chairman.  
Well, we have experience in this in the Department of Defense with regard to our procurement policies, who is going to build what, who gains access to what, from weapons systems to guidance systems.  I mean, you name it.\n\nI hate to create that type of system, but I am very insulted that there is a company out there in another country that would try to blackmail our country, and that is what they tried to do.\n\nAnd what that does is create a heightened awareness. And you are absolutely right.  You do not want to penalize Great Britain or penalize any of our valued allies in the world, but I am pretty concerned.\n\nI am going to come back to you, Mr. McFarland.  Take your concept and take it to the next step.  What is your best counsel to me?\n\nMr. McFarland.  Well, as Dr. Gauss said, there are two distinct domains here.  Those are products and services that are bundled, if you will, such as a workstation, a printer, any kind of bundled service where components come from all over the world.  You have things called TAA and BAA, Buy American Act, those kinds of acts that preclude you from taking product made in certain countries that do not meet those requirements.  So you are protected there.\n\nI think your biggest problem is the other domain which is the services domain where you contract with someone for a service, transcription services, you name it.  And there you run into the problem.\n\nI think you should require that before any subcontractor, allow any of that work to go off-shore, that he get clearance from the VA so that the VA has an understanding of whether that offshore is Great Britain or if that offshore is China.  And I think it would be wise to --\n\nThe Chairman.  So, number one, would be a notification procedure?\n\nMr. McFarland.  Right.  And then an approval.\n\nThe Chairman.  And then an approval process, right?\n\nMr. McFarland.  Right.\n\nThe Chairman.  Go ahead.\n\nMr. McFarland.  
I mean, I am not familiar enough with our contracts for services in the VA to know, and I am sure each of them is unique for the service.  But those to me ought to be clauses that are boiler plate and that an approval process be required if a subcontractor is an off-shore entity or any of the information is offshore.\n\nThe Chairman.  All right.  Here is why I am taking a little time on this particular issue.\n\nMr. Bresson.  Excuse me, Mr. Chairman.\n\nThe Chairman.  Yes.\n\nMr. Bresson.  The only thing I might add with respect to services is it would be significant, yes, to identify the subcontractor as an entity, but quite often knowing the key personnel and their background and/or other attributes about them might also be significant and important to such an action.\n\nThe Chairman.  Thank you for that because the Secretary has brought up several times the issue about background checks -- that individuals with access to certain data even within the VA have not had background checks.\n\nSo what?  We are going to highly scrutinize Americans, yet permit some of the services and access to data to be subcontracted to a third-world country with no form of notification or compliance or approval.  So I think we need to pause and think about that as we develop our systems.  So thank you very much.\n\nSo now let me turn to DoD, and that is why I am pretty concerned.  My first question would be, because I do not know the answer to this, when a forensic analysis of the data was done with regard to what was stolen, with regard to active duty Guard and Reserve, were MOSs included?\n\nMr. Brandewie.  No, sir.\n\nThe Chairman.  No?\n\nMr. Brandewie.  No, sir.\n\nThe Chairman.  Okay.  Does the VA within the universe of their data, would they have the MOS?\n\nMr. Brandewie.  No.  We do not furnish the MOS as part of our data transfer.  
On separatees, the DOD Form 214, and I am not exactly a hundred percent positive, on separatees, I believe the MOS is included on the DOD Form 214.\n\nThat does not come in a data exchange.  It comes through a basically paper form and is actually automated by the VA.  When it is automated, I am not sure if they include the MOS, but I would assume they do.  But it is not part of our automated feed from the Department of Defense to VA.\n\nThe Chairman.  Much of our present War on Terror is operated in the dark world.  And I have heightened awareness of our special operators and they sure do not want the world to know who they are and what they have done.\n\nAnd I am really concerned with regard to protections of data that is out there because I look at this and say, well, yes, this may have happened, but what is next, what could happen.\n\nAnd I do not want to blow up worst case scenarios, but, Mr. Deputy Secretary, this is an issue I want to explore with you over the next several weeks, and we will bring it up tomorrow on how we develop a system because, you know, as we work here with the Department of Defense, they are not going to be too keen about how do we gto health medical records.\n\nYou know, if we cannot give veterans assurances, how can we give our partners assurances?  I do not have an expertise or background in procurement law and so I am going to have to turn to experts to help us on how we devise a system to do this.\n\nLet me ask a question about biometrics, user ID numbers.  I am also considering placing in our package --  this package will be large enough that it will have jurisdictional referrals to other committees.  We are going to recommend changes to FISMA.\n\nI am not going to have any of this in the future about lawyers\' interpretations.  We are going to make this pretty doggone clear.  And I have already spoken with Mr. 
Davis about it, so we are going to make those corrections.\n\nI am also considering saying to the Department of Defense in this legislation and the VA that you cannot use the Social Security number.  So let me ask for your thoughts about that.\n\nMr. Brandewie.  If I could start out -- \n\nThe Chairman.  You are going to have to come up with a soldier\'s ID number or some type of number that both the VA and DoD use that is not the Social Security number.\n\nMr. Brandewie.  In passing, sir, I referred to a consolidated feed between DoD and the VA which were to replace the legacy feeds that we do.  In that consolidated feed, we feed the VA a new ID number which we give a very odd name to.  It is called electronic data interchange personal ID.\n\nIt is a made up number.  And it is the number we actually trade with the VA in the consolidated feed instead of Social Security number.  And it could form the basis for interaction between the two departments without reliance on Social Security number.\n\nHaving said that, Social Security number remains an important identifier in establishing identity.  Once identity is established, then between agencies and in large-scale computer systems, it would be possible to only use Social Security number simply as an identity anchor and not a way to trade information between systems.\n\nI might add we do that also with the medical community and we have established this number as a patient ID with the medical community, and also pass that over to the VA as well.  There are new technologies that are emerging that would allow us to deemphasize Social Security number as a universal identifier.\n\nHaving said that, totally banning it from IT systems would create chaos, but it could be deemphasized especially in terms of data interchange.  And, again, once identity is established, its importance recedes, and that could be emphasized in legislation.\n\nThe Chairman.  
Our challenge here is that so long as the financial services industries rely upon that Social Security number, therein lies our challenge.  So if I take that out of their criteria, you know, I at least can protect our veterans and our military.\n\nWhat we would have to do is is when they take their oath of enlistment or commission, we are reverting back to the old days where you get your ID number, your soldier number, or whatever.\n\nDo you remember what yours is, Mr. McFarland?\n\nMr. McFarland.  Yes, sir.\n\nThe Chairman.  What is it?\n\nMr. McFarland.  US54342381.\n\nThe Chairman.  There you go.\n\nYou guys knows yours?\n\nGeneral Howard.  Yes, sir, 097560.\n\nThe Chairman.  Wow.  Well, I am just letting you know that is where I am considering going.  And it might create a heartache for you because if you have come up with some other kind of number, we will figure out how we can best do this, and we want to work with DoD to do that because that will also be what we will use with regard to our patient medical records and that type of thing.\n\nGeneral Howard.  Sir, I might add within the VA for employees, we have discussed going to ID numbers for employees.\n\nThe Chairman.  Just to let you know some of the major areas where we are thinking about, and this is not an exclusive list at all, as this Committee and others work together, we are going to look at this issue on performance reviews and criteria.  We are going to consider this movement of the CIO to an Under Secretary and elevate the CISO to the Deputy Secretary or Assistant Secretary.  I am sorry.\n\nI personally asked the Secretary what personnel changes, if any, does he need with regard to his authorities with regard to disciplinary actions to make sure he can ensure compliance or fire someone.\n\nWe are going to look at the issue on the credit monitoring package.  I am deeply appreciative to the VA on what they had done in stepping forth to offer that to veterans along with the insurance package.  
That was a good thing.\n\nI am deeply disturbed with regard to the lawsuit.  For the VA to move forward, to take actions to help the veterans and now for a class action lawsuit to prevent you from advertising that assistance, what it does for us is it shows that time is of the essence for us to move our package, and we are going to have to give a directive.\n\nThe Secretary shall.  And we want to work with you with regard to our language.  But when I come in and I use mandatory language instead of discretionary language, what I have done is I have shot a hole through this class action lawsuit out there.\n\nWe will also include some FISMA changes and that DoD, VA are not authorized to use Social Security numbers with regard to personal identification.  We might direct them to really create a soldier\'s number, an identification number.  It probably would be better to do it in the prospective manner than to say that you shall not or cannot use a Social Security number.  I mean, that does not make a lot of sense.\n\nWe want to address the issue with regard to the outsourcing and we are also going to bring back our issue on centralization.  I have not let it go.  I cannot let it go. I respect your opinions.  I got to figure out how we can get there.\n\nLet me ask Gartner.  I will not keep you here much longer, but let me ask Gartner Consulting.  When you turn to one of your major corporations out there and you have now said we need to centralize your IT, how long does that take?\n\nMr. Bresson.  Mr. 
Chairman, there are a number of factors in that kind of advice, particularly the current business environment, because, as we all know, it is not all about IT meaning that the way decisions are made in the business or in this case in the mission and the business will set the stage for how successful centralizing and/or federating the IT portion of that business.\n\nWe do counsel that once the decision is made, centralization, rough order of magnitude, would probably take anywhere between 12 and 36 months, and there are a lot of variables there, the global dispersion of the assets and the people and the organization, the sheer volume of systems and other items that need to be brought under control.\n\nThe Chairman.  All right.  Let me break it down and go right to security.  So when the VA designs a security policy, they finally get that done, what kind of training is going to be needed to promulgate that policy to make sure it is properly implemented?  What kind of time are we looking at?\n\nMr. Bresson.  I would be guessing, sir.\n\nThe Chairman.  I mean, you are consulting a lot of companies out there that make changes and all.  I mean, three months, six months, nine months?\n\nMr. Bresson.  Right.  There is probably a footprint that needs to be established that has a defined period in which it should be established.  And then beyond that, there is the continual changes of new personnel coming aboard, potentially other changes in personnel roll, et cetera, that would need to be addressed.\n\nIn terms of time -- \n\nThe Chairman.  Let me reask the question because you are very good at dancing now.  What is a reasonable time line with regard to implementation of a security policy for an entity such as the VA or a major corporation?\n\nMr. Bresson.  Implementation of a security policy. Well, I am not a security expert, sir, but I would imagine that something implementation-wise starts within a 90-day period and potentially to a 180-day period.\n\nThe Chairman.  
How long did it take DoD?\n\nMr. BRANDEWIE.  To implement a security policy?\n\nThe Chairman.  Yes.\n\nMr. BRANDEWIE.  I mean, in the basics, it has taken a number of years.  I mean, and security is always evolving and changing.  I mean, the centralization of the global information grid took probably over two years, you know, and the security policies associated with it.  But we are very diverse and decentralized with IT, so I am not sure there is a corollary there for the VA.\n\nThe Chairman.  Well, kind of because you are very decentralized and so is the VA.  And it is not that it is all that bad either.\n\nMr. BRANDEWIE.  No.\n\nThe Chairman.  And just because it is decentralized does not mean you \ndo not have security policies.  They have security policies.  It is \nthat it is agency-wide security policy.  So it is the development of \nthe agency-wide security policy and its implementation as you \ncentralize that is our challenge, right?\n\nMr. BRANDEWIE.  If I could make one comment.  I mean, there are \npolicies all over the place and security policy is certainly one of \nthem. It takes a long time to articulate and work its way through the \nsystem.\n\nOne thing that DoD has done that has been very effective, I believe, is \nthe establishment of a joint task force for network operations \nprotection, JTFGNO.  And they are very fast in terms of identifying a \nsecurity issue, finding a fix to a security problem, mandating that the \nfix be implemented, and enforcing the implementation of that fix.\n\nIt is like, if you will, a kind of go team that takes the security \npolicy, puts it against the real world threats that are out there, \nmonitors those threats, and then takes action.  And that I found to be \nparticularly effective within DoD.\n\nThe Chairman.  So let me ask this about FISMA for a moment.  
When the \nFISMA audits have come back and have given the VA very poor ratings \nover the last four years, as we proceed in this federated model, the \nresponsibility here rests with the Secretary.  He acknowledges \nresponsibility.\n\nWho does he delegate this to with regard to compliance based on the \nFISMA audit?  Are you aware, General Howard?\n\nGeneral Howard.  Sir, it will be cleared up with this delegation memo \nI referred to.  But as I sit here today, it is my problem, you know, \nto set the policies and set the actions that need to take place to \nalleviate a deficiency because the reorganization that will take \nplace, a good number of those will rely with me now.\n\nFor example, take the protection of server rooms and things like that. \nThat is now my responsibility with the current direction we are going \nin the IT reorganization.\n\nI do not know if that answers your question, but -- \n\nThe Chairman.  You have a really difficult job.  You do.  I am not here \nto beat you up at all because you are saying to this Committee it is \nme.  That is no different than what Admiral Gauss said back in 2002 to \nMs. Carson, it is me.\n\nSo you can do everything you want.  But if you do not get the backing \nfrom the Deputy Secretary or the Secretary to make sure things happen \nto those Under Secretaries, you are going to be back before this \nCommittee.  Members of Congress are going to be asking you why once \nagain did you get an "F" in the audit.\n\nGeneral Howard.  Sir, the backing is absolutely necessary.  You are \nexactly right.  But it is up to me to make it clear as to what should \noccur. That is my problem. And we have got a lot of work to do in that \narea.\n\nThe Chairman.  DoD, you received an "F" on your audit, too, did you \nknow, from FISMA?\n\n\nMr. BRANDEWIE.  I believe that is correct.\n\n\nThe Chairman.  Why did that happen?\n\n\nMr. BRANDEWIE.  I really do not know. 
I am not familiar with the \ndetailed reasons for the DOD score.\n\n\nThe Chairman.  All right.  I just thought I would let you know I knew. \nYou thought you were going to get away with it, didn\'t you?\n\n\nAll right.  I want to thank all of you for coming.  I have a great \ndeal of respect for you and what you are trying to do here.  It is \nhard for me.  I have never been a CEO.  I have never run a major \norganization.  It is hard for me, though, in today\'s time whether it \nis a government department or agency or whether it is a company or \nany form of entity, when I have IT involved, why I would not make the \nCIO my new best friend.  I do not understand why that would not happen.\n\n\nI had an opportunity, just to let you know, McKesson Company out \nthere.  Bloomington Hospital just outside of my district, they wanted \nto modernize their IT.  They wanted to do some centralization and do \nsome things.  And they brought in McKesson.  And the hospital \nadministrator brought in someone from Purdue University, very sharp in \ninformation management, and made that CIO his best friend.\n\n\nAnd it sent such an incredible signal to the medical director to get \non board, that these things are coming, these changes are made, \nwhether it came from the business side of the house; tell me what \nyour recommendations are, what you are looking for.  The CIO is going \nto look at it.\n\n\nOn the medical side of the house, whether it is filmless or that \nmedical technologies, everything had to be compatible and everything \nhad to go through the CIO.  And everybody at the board table knew that \nand everybody was also enthused to talk about how as a team they were \nall going to work.  And they all wanted to know and associate with the \nCIO.  That was a system of pure empowerment, and they were able to \nperfect changes in a hospital setting rapidly.\n\n\nSo it is challenging for me, General Howard, why you are not the new \nbest friend.  
I do not know if you are or you are not.  But what I am \nsaying is that I recognize you have a very difficult job because you \nhave to be the agent of change.  And I do not care if you are going \nto change the flavor of ice cream at lunch, you are going to have \nsomebody attack the agent of change.  And it should never be taken \npersonally when you are the agent of change.  All right?\n\n\nGeneral Howard.  Yes, sir.  I agree.\n\n\nThe Chairman.  We want to continue to work with you. Please, if you \nhave recommendations based on the questions, please be in touch with the \nCommittee as we formulate the package.\n\n\nTo Gartner Consulting, thank you very much.  You have well earned your \npay in your counsel and advice to the VA. It has been very sound, and we \nappreciate that.\n\n\nTo DOD, you have still got your own work to do, and we will send you \nback.  We appreciate you coming out here today.\n\n\nThis hearing is now concluded.\n\n\n[Whereupon, at 1:42 p.m., the Committee was adjourned.]\n</pre></body></html>\n'