[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]





LEGISLATIVE HEARING ON VETERANS
IDENTITY AND CREDIT PROTECTION
LEGISLATION
Tuesday, July 18, 2006
House of Representatives
Committee on Veterans' Affairs
Washington, D.C.




The Committee met, pursuant to call, at 10:30 a.m., in Room 334, Cannon House Office Building, Hon. Steve Buyer [Chairman of the Committee] presiding.
 

Present:  Representatives Buyer, Boozman, Filner, Brown of Florida, Stearns, Herseth, Miller, Bradley, Snyder, Michaud, Udall, Salazar.
 

The Chairman.  The Committee on House Veterans' Affairs will come to order July 18th, 2006.
 

This morning, we will review draft legislation prepared in response to the theft in May of personal data belonging to as many as 26.5 million veterans and 2.2 million servicemembers as well as family members.
 

The stolen computer's recovery and the FBI's determination the files were not accessed do not reduce the importance of improving information security and management at the VA.  We have been sufficiently warned.
 

We also have the Minneapolis and Indianapolis data breaches and others.  We have challenges requiring the ongoing stewardship as we work with the VA on securing its information management systems.
 

I want to commend the members of this Committee and our staff.  To get here, we conducted over three weeks a series of five Committee and two Subcommittee hearings, and layer by layer, these last five weeks have allowed us to build our knowledge and equipped us to examine this issue in its totality so that we may have a greater understanding of the problems.  And the VA has equally moved out in the same manner.
 

We brought in 18 witnesses and senior VA officials including former VA Chief Information Officers who answered questions on the data loss itself and the current and potential structure of VA's IT system or lack thereof.
 

We have learned from experts how the best firms in industry manage their information and data security, and we have heard from the academic world as well.  This work is undergirded by six years of hearings conducted by this Committee up to this point.  I expect that when we introduce this legislation, its quality will reflect this approach.
 

Eight legislative proposals have been introduced and referred to this Committee since the May 3rd data theft. Proposals have included requirements that the VA notify veterans of data loss and provide free credit monitoring.
 

Additionally, at first, they envisioned a claims process, but the Secretary spoke with me about insurance, and Mr. Bilbray has also introduced legislation to address this issue which calls for credit insurance as well as monitoring.  At least one bill requires VA to implement the GAO data security recommendations.
 

We have reviewed proposed legislation to limit the use of Social Security numbers and create personal identification numbers for veterans, and we received a proposal to create a new Office of Identity Protection within the VA.
 

There is much here worthy of our consideration.  Today we will review draft legislation that draws on many of these ideas.  The draft bill and a summary are before the members.
 

[The attachments appear on p.  ]

 

The Chairman.  First, the bill adds government-wide requirements to FISMA for agency procedures in the event of data breaches and for notice to individuals for whom personal information has been compromised.
 

Further, the bill would also make it clear that under FISMA, agency CIOs have enforcement authority for information security policy.
 

For the FISMA provisions on this bill, I want to thank Chairman Davis and Ranking Member Waxman, of the Government Reform Committee, as well as their staffs.  Their staff have attended our hearings. They have been good listeners and recognize the challenge in all departments and agencies, and they are working with us in a cooperative spirit to move these FISMA improvements to the floor without delay.


Our goal must be to determine how best we can make whole any person harmed by a data compromise at the VA.  As important, we must address and ensure the Department's policies and organizational structure work to efficiently manage and safeguard the information.
 

But without a good organization guided by sound policy, we will be revisiting the tragedy of the compromised personal data all too often.
 

I look forward to our discussion today, and I wish to commend Mr. Filner and other members of the Committee for your perseverance and your hard work in dealing with a very difficult issue.
 

I now recognize Mr. Filner for an opening statement.
 

Mr. Filner.  Thank you, Mr. Chairman.  I thank our colleagues for being here this morning.
 

As the Chairman said, and I appreciate his leadership on this issue, we have gone through a real process of hearings, oversight hearings, of bringing experts in, of asking our colleagues for information, working with other committees, and in a bipartisan way, as this bill reflects, coming up with a product in a rather quick amount of time.
 

Mr. Chairman, I am sure you do not think it is a quick amount of time given your seven years of history on this concern, but obviously since May 3rd, we have finally moved very quickly.
 

We have learned a lot about the VA.  We have learned a lot about the specifics of the data theft itself and the underlying information technology and management problems that contributed to it. 

We have been dismayed and even shocked at the dysfunctional manner in which veterans' personal information has been handled, sometimes without any governing policy. While VA claims to have received a wake-up call, I believe it is incumbent upon this Committee and this Congress to follow through, and that is what we are doing with the legislation.
 

Our respective staffs have closely collaborated on this bill.  You have drawn on Democratic as well as Republican ideas.  Our colleagues, Mr. Salazar and Ms. Hooley, from this Committee have felt that their input has been very well-respected, and we certainly appreciate the joint working of this Committee.
 

I am interested in hearing from our witnesses on two matters in particular, both the adequacy of the protection that veterans will be afforded by this legislation and the triggers for those protections.  We have gone back and forth to get a good bipartisan product.
 

I do have a question, Mr. Chairman, although I am willing to go along with you, but I wonder about the need to elevate the Chief Information Officer from an Assistant Secretary to Under Secretary, placing this position on the same plane as the Department's mission objectives of health, benefits, and memorial affairs.
 

It has been obviously demonstrated in an all too real manner the dangers and complexities of technology and protecting sensitive information, but IT is still a support function, although a very important one.
 

I would like also to hear from our witnesses regarding the CIO elevation proposal for another reason as well.  It was abundantly clear from the testimony of more than 20 witnesses in the seven hearings that we had that the failures in reporting the data loss came down largely to ambiguous or nonexistent policy, ineffectual communication, and poor leadership.  Putting a bigger badge on a CIO will not do anything to change those problems, so I hope we will look at that very closely.
 

Mr. Chairman, your work for the past seven years on this and the sincerity of your desire to fix this cannot be underestimated.  Thank you for your determination in bringing this Committee analysis of the problem.
 

We will have a bill on Thursday.  It will reflect our mutual commitment to protecting sensitive information, providing essential services veterans will need in the event of a data breach, and responding to the cavalier manner in which this breach and others were handled.
 

The Chairman.  Thank you very much, Mr. Filner.
 

Does anyone else have any opening remarks?  Thank you.
 

We will now proceed with our first panel.  It is comprised of members who have introduced various legislation following the announcement of the May 3rd data loss at the VA.
 

Two of these members come from our own Committee.  Our first witness is Ms. Darlene Hooley of the 5th District of Oregon.  Ms. Hooley is also a member of the Committee and has two VA facilities in her District.
 

Next we will hear from Ms. Marsha Blackburn, who represents the 7th District of Tennessee.  The bill introduced by Ms. Blackburn, H.R. 5464, shows her experience from serving on the Energy and Commerce Committee and has provided some guidance in the draft of this bill before us in dealing with cyber security issues.
 

We will then hear from Mr. John Salazar, who represents the 3rd District of Colorado.  He is the only veteran in the Colorado Delegation.  Mr. Salazar has been a member of this Committee since February of this year and was one of the first to introduce a substantive piece of legislation on this issue, and we appreciate your expertise.
 

We will also then hear from our last witness, Ms. Shelley Moore Capito, representing the 2nd District of West Virginia.  She has traveled twice to Afghanistan, once to Iraq where she has been able to meet with our troops fighting the War on Terror and the rebuilding efforts in both countries.  Her sincerity for the concerns and well-being of veterans is evident and real.
 

I will now yield.  Ms. Hooley, you are now recognized.


STATEMENTS OF HON. DARLENE HOOLEY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF OREGON; HON. MARSHA BLACKBURN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TENNESSEE; HON. JOHN T. SALAZAR, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF COLORADO; AND HON. SHELLEY MOORE CAPITO, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF WEST VIRGINIA



STATEMENT OF HON. DARLENE HOOLEY

 

Ms. Hooley.  Good morning, Mr. Chairman, Ranking Member Filner.
 

First of all, I want to thank you for all the hearings that you have had on this issue and all the work you have done and for allowing us the opportunity to appear before the Committee.
 

The Chairman.  Ms. Hooley, and to each of the witnesses, do each of you have a written statement?
 

Ms. Hooley.  Pardon?
 

The Chairman.  Do all of you have written statements?
 

Ms. Hooley.  Right.
 

The Chairman.  They all nod in the affirmative.  Do you all wish them to be submitted for the record?
 

Ms. Hooley.  Yes.
 

The Chairman.  Hearing no objections, so ordered.
 

Ms. Hooley, you are recognized.
 

Ms. Hooley.  As one of millions of former credit card fraud victims and as a member of the House Financial Services Committee, I have long had a very strong interest in identity theft and threats to financial crimes.
 

Identity theft represents a fundamental threat to e-commerce, to our overall economy, and to our homeland security.  No longer are we facing just hobbyist hackers looking to create a nuisance.  Increasingly these attacks are driven by skilled criminals and ID theft has become big business.
 

For the past six years, I have worked on the Financial Services Committee to protect consumers from the threat of ID theft.  We have made significant progress in the recent past including signing into law the FACT Act of 2003.  That bill, of which I was a proud co-author with Congressman LaTourette, provides consumers with landmark new protections including the right to a free annual credit report and the right to place a red flag fraud alert on their credit reports.
 

Last February, after data security breaches at ChoicePoint and LexisNexis, I began working on legislation to prevent future data breaches, to provide meaningful notification when consumers could be harmed by a security breach, and to provide consumers with additional protections when they are placed at risk of identity theft.
 

The need for such legislation was made crystal clear by the massive data security breach suffered at the VA in May. The details of that breach, which have been highlighted many times in this Committee, underscore the glaring weaknesses in data security policies and procedures not only in the VA but throughout government agencies and in the private sector.
 

Any data security bill passed by Congress must include a number of key ingredients if we are going to be effective. First, it must mandate data security safeguards and require all businesses and government entities that handle sensitive personal information to have a robust data security policy and procedures in place.
 

Currently many businesses and most government agencies are not required to employ such protections leaving consumers at risk.  Mandating protection of sensitive information is the first step in protecting consumers.
 

Second, legislation must mandate that all businesses and government entities immediately conduct an investigation upon learning that a breach of security might have occurred. That investigation should determine the information involved, whether or not that information is useable, and determine the likelihood that the information has been or will be misused.
 

Third, legislation should require that upon discovering a breach, the business or government entity notify the Secret Service immediately and their functional regulator, if they have one, each of the credit reporting agencies, and any third party who must take steps to protect consumers from resulting fraud or identity theft.
 

Fourth, legislation should include a system restoration requirement that requires any business or government entity to repair any breach and restore the security and confidentiality of that sensitive personal information and to make improvements in its data security policies and procedures.
 

Finally, legislation should require meaningful consumer notice.  That notice should contain vital information to aid the consumer in protecting themselves.  In addition, that notice should provide consumers who are put at risk of identity theft with an opportunity to sign up for free-of-charge credit monitoring services.
 

Legislation I have co-authored, H.R. 3997, the Financial Data Protection Act, would accomplish exactly that.  However, the breach suffered by the VA highlighted two additional components needed to address any massive government breach like the VA that were not included in the bill as it was passed out of Financial Services.
 

In order to address those two needs, I introduced legislation shortly after the massive VA breach that would supplement H.R. 3997.  That legislation, the Veterans ID Theft Protection Act, would first of all authorize funding as necessary to the Secretary of Veterans Affairs to provide credit monitoring as required, and, two, make certain VA has all the necessary negotiating power to secure the best possible price for credit monitoring services.
 

In conclusion, Chairman Buyer and Acting Ranking Member Filner, I would simply state that now is the time to act. The need for federal action on data security is clear.  We should not wait for the next catastrophic breach to prod us into action.
 

I am so happy that we are going to be marking up a bill on Thursday.  I think we need to do it and need to do it now.
 

Again, I thank you for the opportunity to testify before the Committee and look forward to working with each of you to pass common-sense data security legislation. Thank you.
 

The Chairman.  Thank you, Ms. Hooley.
 

Ms. Blackburn.
 

[The statement of Darlene Hooley appears on p.  ]

 

Ms. Hooley.  Mr. Chair, I would apologize.  I do need to leave for another meeting, and I will be back for questions.
 

The Chairman.  If any member would like to grill her before she leaves, you can question her right now.
 

All right.  You are excused, Ms. Hooley.
 

Ms. Hooley.  Thank you.
 

The Chairman.  Your colleagues are nice to you.


STATEMENT OF HON. MARSHA BLACKBURN

 

Ms. Blackburn.  Thank you, Mr. Chairman, and thank you for the hearing.  Ranking Member Filner, thank you also. And I congratulate the two of you on a bipartisan draft and attention to a much-needed issue.
 

I also want to thank you for inviting me to testify today regarding the legislation that I introduced with Representative Simmons.
 

We drafted our Veterans Identity Protection Act as you referenced it, H.R. 5464, this May in the days after Congress learned that the personal information of millions of the nation's veterans had been stolen from a Department of Veterans Affairs' employee.
 

As representative of a large military post and a district with tens of thousands of veterans, this issue has clearly been a source of concern.  I know that Representative Simmons, who is a veteran himself, has also heard the same thing from his constituents.
 

The idea that your identity can be stolen, your credit ruined, and your life impacted in such a negative way is absolutely unsettling, and it is our responsibility to bring as much reassurance and assistance as possible to those veterans who have been touched by this theft.
 

The situation is very similar to the information breaches that have occurred with data brokers over the past year.  Those instances led to Energy and Commerce Committee hearings that exposed just how easy it is to steal a person's identity by acquiring their financial information.
 

After the data breaches occurred, brokers addressed the situation by sending a notice to affected customers informing them that they could request a free credit report and free credit monitoring. Approximately ten percent of the affected people chose the option.
 

The bill Representative Simmons and I introduced follows a similar course of action.  Instead of mandating a costly 100 percent coverage of free monitoring and reports, veterans would be provided a notice from which they would opt for the items.  This keeps the cost down to millions instead of billions of taxpayer dollars.  The provisions in our bill are similar to provision 5725 in your Committee draft.
 

The legislation would also allow the VA to contract with credit agencies for reports and monitoring which further keeps down the cost.  It would provide a free credit report every three months for the next year.
 

It has been reported the stolen laptop containing the veteran information was not accessed or compromised.  While that may be so, now is the time for the VA to coordinate with credit agencies for future data thefts which we hope will not occur, but as we have seen are increasingly becoming a fact of life.
 

A recent report by VA's Inspector General shows many shortcomings with the Department and its security practices and its vulnerabilities.  We would be wise to remain concerned about the ability of the VA to secure the personal information of our veterans, and it is my hope every step will be taken to prevent future thefts and prepare contingency plans should a breach occur.
 

I will end by requesting that the Committee consider including a provision to the salaries and expenses at the Department to the implementation of the IG recommendations. The recommendations are valid.  They deserve consideration and they deserve implementation.
 

I believe these steps are necessary to focus the Department on this critical concern and ensure the appropriate steps are taken to protect veterans' personal information.
 

Mr. Chairman, that concludes my statement, and I am available to answer any questions you may have.  Thank you. I yield back.
 

The Chairman.  Thank you very much.
 

Mr. Salazar, you are recognized.
 

[The statement of Marsha Blackburn appears on p.  ]



STATEMENT OF HON. JOHN T. SALAZAR

 

Mr. Salazar.  Thank you, Mr. Chairman.
 

Chairman Buyer, Acting Ranking Member Filner, I want to thank you for the opportunity to come before the House Committee on Veterans' Affairs to testify with regard to the provisions of the Veterans Identity and Credit Protection Act of 2006.
 

I wish there was no need for this bill, but the simple fact is that on May 3rd of this year, personal computer equipment containing the personal information of some 26 and a half million veterans and 2.2 million active-duty and reserve-component servicemembers and their spouses was stolen from the home of a VA employee.
 

This theft, while alarming on its own merit, brought to light a deep and more troubling tragedy regarding cyber security and the communications of the Department of Veterans Affairs.
 

In the two months since the theft of the computer equipment, this Committee has held five oversight hearings in which we heard from current and former VA employees, private sector experts on IT security, academics, and the Secretary himself.  The hearings opened the Committee's eyes to numerous problems that have already been discussed.
 

The purpose of my testimony today is to discuss provisions of the bill related to new notification requirements of the Secretary.  I, like many of my colleagues on this Committee, was outraged when I learned that there was a 19-day gap between the date of the theft and the day Congress and the public were notified.
 

In response to the theft of this data and the revelation that such delays in notification occurred, I introduced H.R. 5588.  This comprehensive bill, much of which is adopted before the Committee today, addresses a notification structure and requirements within the Department should another data breach occur.
 

There are a few differences between the bill and H.R. 5588, so I will address the similarities between the two bills.
 

Both H.R. 5588 and the Veterans Identity and Credit Protection Act of 2006 codify in federal statute the manner in which the Secretary of Veterans Affairs is to notify Congress and affected individuals involved in a data breach.
 

By outlining the manner, content, and time frame under which the notification of a data breach takes place, it is my hope that we can prevent a repeat of the 19-day delay that we witnessed in May.
 

Under the provisions of both bills, this Committee and our counterparts in the Senate are to receive notice of any breach without unreasonable delay following the discovery of a data breach and the implementation of any measure necessary to determine the scope of that breach, to prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.
 

More importantly, however, H.R. 5588 prescribes the way in which the Secretary is to notify affected individuals.  Each individual whose information has been compromised shall be notified in writing without unreasonable delay and that notification will include the following:
 

A description of the personal information that was acquired during the breach;
 

A telephone number that the individual may use at no cost to make inquiries about the breach;
 

Toll-free contact numbers for the major credit reporting agencies;
 

Toll-free telephone numbers and web site addresses for the Federal Trade Commission;
 

And information regarding the right of an individual to place a fraud alert, obtain a security freeze, and receive credit monitoring where applicable.
 

There are relatively few differences between H.R. 5588 and the Veterans Identity Credit Protection Act in this section of the bill.
 

Mr. Chairman, I would hope that you in the next two days would address some of these minor differences and come to an agreement on any amendments that may need to be made.
 

Mr. Chairman and Acting Ranking Member Filner, I would like to thank you for holding this hearing today.  And I also want to thank you for providing the last five oversight hearings.  I feel this Committee can work in a very bipartisan manner to pass a finely crafted, comprehensive piece of legislation that I think will serve the veterans well.
 

This bill makes much needed changes to the VA culture of indifference that we heard so much about during our five oversight hearings.
 

Mr. Chairman, I want to thank you for inviting me to testify today.  Your work and your dedication for fixing the bureaucratic inefficiencies and problems within the VA as well as your commitment to protecting veterans is very much appreciated.  Thank you.
 

The Chairman.  Thank you, Mr. Salazar.
 

When you referred to five committees, you were referring to the five full committees, not the two subcommittees or round-table; is that correct?
 

Mr. Salazar.  The oversight committees that we heard.
 

The Chairman.  Five full committee?
 

Mr. Salazar.  Right.
 

The Chairman.  When you said five committees, you were referring to five full committee?
 

Mr. Salazar.  Right, sir.
 

The Chairman.  All right.  Thank you.
 

Ms. Shelley Moore Capito, you are recognized.
 

[The statement of John T. Salazar appears on p.  ]



STATEMENT OF HON. SHELLEY MOORE CAPITO

 

Ms. Capito.  Thank you, Chairman Buyer, and thank you, Ranking Member Filner and members of the Committee, for inviting me here today and for holding this very important meeting and for giving me the opportunity to testify.
 

My State of West Virginia has long had one of the highest per capita rates of military service, making veterans' issues and the protection of personal data an issue with direct implication for tens of thousands of my State's residents.
 

The loss of the personal data of over 26 million veterans and service personnel last month has highlighted the need for this legislation to protect the credit of all those who have bravely served our nation.
 

Identity theft can be extremely negative, we have heard in testimony and I am sure you have heard in all your testimony, for those impacted.  Because the government handles large amounts of personal data, it is vital that we have policies to protect information from theft and help victims cope.
 

Later this week, we will celebrate the 75th anniversary of the Department of Veterans Affairs.  As the Department carries out its mission of caring for our veterans, we must ensure that the Department is adequately protecting veterans from identity theft.
 

First, I commend the Department for offering free credit reports to those veterans whose personal information was exposed.  It is important that government take responsibility for the mistakes.
 

The legislation I introduced would establish an Office of Veterans Identity Protection within the Department to prevent the loss of personal data and to work with credit reporting agencies, law enforcement agencies, and veterans to mitigate the impact if data is lost.
 

I commend the Committee's draft for its creation of the Under Secretary for Information Services who would serve as the Chief Information Officer for the Department.
 

Advances in technology open up exciting possibilities for using information, but the complexities involved in technology often make it that much easier for those who want to access data for illegal purposes.
 

It is important that the Department of Veterans Affairs and other governmental agencies have a proper management structure in place to protect personal information.
 

It is important and appropriate that a mandate to properly report information losses to law enforcement entities, the Federal Trade Commission, this Congress, and the public be included in any legislation that we pass.
 

In the recent security breach, the VA initially attempted to resolve the situation internally.  Clearly the best chance we have to prevent loss or stolen data from being used by criminals is to get law enforcement involved as quickly as possible as they begin recovery efforts.
 

Veterans themselves should be notified as quickly as possible so that they can immediately begin to monitor their bank accounts and credit activity.  Congressional Committees should be notified so that proper oversight can be exercised and, if necessary, legislation to provide additional protections or help to prevent future data losses can be considered.
 

We must also remember that in the recent security breach, the personal data of up to 1.1 million active-duty personnel, 430,000 National Guard members, and 645,000 reserve personnel were also compromised.  My legislation would require that the Department of Veterans Affairs work closely with the Department of Defense to ensure that these active-duty personnel have access to credit reporting services.
 

Our nation's military forces, particularly those deployed in combat regions, the regions of Iraq, Afghanistan, and elsewhere around the globe, already bear a heavy burden as they bravely defend our nation.  The last thing they need to worry about is whether someone is illegally accessing their credit or their identity.
 

I believe strongly that anyone removing personal data without authorization should be punished, and this is where my bill differs from your bill.  My bill contains a provision that would allow for criminal penalties for anyone who removes personal data without proper authorization.
 

We can and should establish a structure within the Department to protect personal data, but these policies will not do much good if they are ignored.
 

My bill would make it a felony, punishable by fines and up to two years in prison, to remove personal data without proper authorization.  I believe stiff penalties are important as a deterrent to violating data security procedures.
 

I agree with the provision of the Committee's draft that would prohibit the release of personal data by any Department contractor and require contracts to include penalties for data breaches that would pay for credit protection services.  It is crucial that any contractor with access to personal data be a strong partner in protecting the identities of our veterans.
 

Mr. Chairman, I want to thank you and I want to congratulate you on the bipartisan bill that you have put together.  I want to thank you for your willingness to tackle this important issue for our nation's veterans.  I look forward to working with you and the rest of the Committee to pass legislation to provide these vital identity protections.  And I thank you.
 

The Chairman.  Thank you very much for your testimony.
 

[The statement of Shelley Moore Capito appears on p.  ]

 

The Chairman.  This has been a genuine team effort, not only members of the Committee working with the VA, but also with the input from members who are not on the Committee because you also bring other expertise.
 

So I want to thank you, Ms. Blackburn, dealing with this issue on the Energy and Commerce Committee and your expertise reflected in your bill.  We are going to be taking some of the provisions of your bill and incorporating them, but not its entirety.  And we are doing that with everyone.
 

And so what we are doing is, you know, sometimes in Congress somebody comes up with an idea and somebody else tries to claim credit for it.  I do not claim credit for other people's work product.  And so we are incorporating some of your ideas, and we appreciate what you have done.
 

So, Mr. Salazar, I noted your disappointment that we did not incorporate some more parts of your bill.  Please continue to work with staff in a bipartisan basis.  We are working all these things out.  You may not get total satisfaction.  I enjoy your spirit.  We all were there at one point.
 

Ms. Capito, with regard to your criminal penalties provision, as you know, that is the Judiciary Committee.  We cannot do legislation in this Committee with regard to Title 18.
 

When we passed the bill protecting military funerals, Mr. Sensenbrenner did waive jurisdiction to this Committee. It is the only time he has ever waived jurisdiction, and I am not anxious to push it again.  You know what I mean?
 

Ms. Capito.  I know.  I got it.
 

The Chairman.  All right.  You really should, though, also talk with Mr. Davis and Mr. Waxman because even the Secretary spoke with regard to what you did about increasing his ability and law enforcement's ability with regard to FISMA.  And the Secretary had noted to us about these penalties are in the Privacy Act, but they are not in FISMA.
 

And so just because we are marking up and we are trying to give certain authorities on the civil side and making sure that he can take particular actions, it even goes beyond that.  So when you not only just want to do criminal penalties, it is making sure that as a management tool, managers have the ability to do certain things within the system.
 

If someone has done something wrong or violated a policy, whether they are to be disciplined is a managerial decision, but that is all set in the Civil Service Act and union contracts and the like.  So I welcome your work.
 

I want to thank each of you for your testimony today. I will now yield to Mr. Filner if he has any questions or comment.
 

Mr. Filner.  We appreciate all of your testimony.
 

There has been a lot of emphasis on credit monitoring and free credit reports and credit freezes.  We have learned from the testimony before this Committee that if a professional is involved with a theft, it probably will not show up on a credit report for at least a year.
 

What is more important are the analyses that can now be done of the complete data against other files to see if there was identity theft that is traceable to this breach.  We have included that in the legislation to go beyond just the credit reports because they may not show a potential identity theft for a long time.
 

So it will go beyond just the credit monitoring, credit reports.
 

Thank you all for your work here.
 

The Chairman.  Thank you.
 

Any other colleagues have any questions?
 

Thank you very much for your testimony.  This panel is now excused.
 

Our second panel also appeared at our June 28th hearing with Chief Information Officers.  We have brought them back to receive their input on the draft legislation the Committee is reviewing.
 

Mr. McFarland, Admiral Gauss, please come forward.
 

Robert McFarland is an Army veteran who was nominated by President Bush to serve as the Assistant Secretary for Information and Technology in the Department of Veterans Affairs on October 15th, 2003, and he was confirmed by the Senate on January 22nd, 2004.
 

Prior to his appointment, he served as Vice President of Government Relations of Dell Computer Corporation.  Mr. McFarland left the Department of Veterans Affairs on May 18th, 2006.
 

Dr. John Gauss was nominated by the President and confirmed by the Senate and served as the Assistant Secretary for Information and Technology and Chief Information Officer of the Department of Veterans Affairs from August 2001 through June 2003.  In January of 2005, Admiral Gauss founded Gauss Consulting Services, Incorporated.  And in February 2006, he joined FGM, Incorporated as the company's president.
 

Gentlemen, I want to thank you for your work with the Committee, your testimonies.  You do not have to do this. You are doing it because of the work that you have done in the past, and your genuine commitment to service to others.  And I know that there are a lot of other things you could be doing out there, but you continue to come back.
 

And so on behalf of the country, on behalf of veterans and this Committee, I want to thank both of you for being here and taking the time that you are putting into this.  It is very meaningful.
 

So, Admiral Gauss, you are recognized.


STATEMENTS OF ROBERT MCFARLAND, FORMER ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS; JOHN A. GAUSS, PRESIDENT AND CHIEF OPERATING OFFICER, FGM, INC., FORMER ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS



STATEMENT OF JOHN A. GAUSS

 

Admiral Gauss.  Thank you, Mr. Chairman, good morning, and members of the Committee.  Thank you for inviting me here today to discuss some of the important issues related to the draft legislation to enact the Veterans Identity and Credit Protection Act of 2006.
 

My comments today are focused on those elements of the draft legislation relating to the management of the Department of Veterans Affairs' Information Technology and Information Security programs.
 

As a private citizen interested in the welfare of our nation's veterans and the efficient operation of government, I would like to commend the Chairman and this Committee for exercising such bold leadership by moving forward with this ground-breaking piece of legislation.
 

By elevating the positions of the Chief Information Officer and the Chief Information Security Officer at the VA to Under Secretary and Deputy Under Secretary positions respectively, you are blazing a trail for the rest of the Executive Branch of government to follow.
 

Based on 34 years of government service in the Department of Defense and at the VA, it has become clear to me that until the position of CIO is elevated to an Under Secretary position within all departments of the Executive Branch of government, the authors of the Information Technology Management Reform Act of 1996 will remain disappointed.
 

As an Under Secretary, the CIO will have a seat at the table where the real decisions are made with respect to the operation of the Department and he or she will not be relegated to subordinate working groups that can only recommend and not decide.
 

I know the Committee is struggling to determine the appropriate level of legislative direction to enact into law.  Too little direction will allow the advocates of the status quo to find loopholes in the law or legal interpretations to preserve business as usual.  Conversely, too much detail becomes legislative micromanagement which I know is not the intent of this Committee.
 

With that said, although some of the recommendations I put forth in my statement for the record are aimed at proposing changes to the draft legislation, other recommendations should be considered for direction to be placed in appropriations bills, policy to be implemented by the Office of Management and Budget, and/or discussion points that could be used during future Senate confirmation hearings.
 

Mr. Chairman, since the remainder of my testimony is lengthy, I would like to request that it be entered into the record and with your permission, I would like to highlight six of the ten recommendations made as part of that testimony.
 

The Chairman.  Hearing no objection, so ordered.
 

Admiral Gauss.  The first I would like to highlight is in Section 4 of the draft legislation, several new sections to Title 38, United States Code relate to contracting activities associated with the handling of sensitive personal information.
 

In my review of the draft legislation, I was unable to find any prohibitions for off-shore storage of or access to the sensitive information from companies that might operate outside the United States.  I recommend the Committee consider adding such prohibitions to the draft legislation.
 

Second, a CIO must be more than just the IT person for a department or agency.  I believe the CIO must also be the change agent of the organization from a business perspective.  The CIO working with the administrations and departments' offices must lead the cross-functional integration of business processes in order to improve mission effectiveness and gain efficiency.
 

A single 1-800 number for a veteran to call to obtain service and one integrated registration process are but two examples of improvements that should be pursued.
 

The CIO must establish plans and have the authority to implement those plans to control the growth of information technology spending.
 

The CIO must understand that data is a strategic capital asset.  He or she must understand how to best store the information and make it available only to those who must use the data to service our nation's veterans in a secure and protected manner.  Many of these traits are discussed in the Information Technology Management Reform Act of 1996.
 

Mr. Chairman and members of the Committee, I most strongly recommend that future nominees for the newly-established position of Under Secretary for Information Services be required to have these skills and demonstrate during the confirmation process how they will apply these skills at the VA.
 

Third, the qualifications for the Deputy Under Secretary for Security are equally as important as the qualifications for the CIO.  I believe this person must be a certified information systems security professional and demonstrate a comprehensive understanding of cyber security in general, information security, details of FISMA, and be thoroughly versed in physical and personal security related issues as they pertain to electronic and information security.
 

I most strongly recommend that future candidates for the newly-established position of Deputy Under Secretary for Security be required to have these skills and demonstrate during the hiring process how they will apply these skills at VA.
 

Four, with respect to accessing sensitive and critical information, I believe it is imperative that the CIO be responsible for electronic identity management at VA and that electronic identity management be implemented with a sense of urgency to comply with Homeland Security Presidential Directive 12.  Electronic identity management will not only strengthen access controls for electronically stored data, it can be also used to strengthen physical access controls throughout VA.
 

Five, policies need to be implemented and funding must be provided to encrypt data while in motion or at rest.  The implementation of data encryption must be closely coupled with the electronic identity management process just discussed.
 

And, finally, I once had the privilege to meet Mr. Louis Gerstner when he was the Chief Executive Officer of IBM.  He shared with me the actions he took to transform IBM's business processes and information technology from a collection of stovepipes to a highly-integrated machine.  He reorganized the management of all of IBM's information technology by centralizing the authority with the corporate CIO in less than 90 days.
 

Over the next two years and on a global basis, IBM transitioned its IT stovepipe infrastructure to a modern, integrated, corporate-wide infrastructure.  During the same two-year period, he and his Chief Information Officer led the modernization of IBM's business processes focusing on eliminating duplication, improving productivity, increasing efficiency and effectiveness, and reducing IT cost.
 

Mr. Gerstner emphasized the need for speed.  He believed that the absence of speed would allow the inertia of the status quo to prevail.  Since this legislation is clearly focused on effecting real change at the VA, this change must be implemented with lightning speed to be effective.
 

Therefore, I recommend the Committee consider including two additional items in this legislation to enable a high-velocity change at VA.
 

First, the VA should be given 90 to 180 days to fully implement this legislation.  The advocates of the status quo will argue that speed will create too much risk and that deliberate thought and study is necessary to avoid creating problems.
 

Given the current situation at the VA, isn't the risk associated with the status quo significantly greater than whatever damage might be caused by moving forward with lightning speed?
 

Second, the VA should be given the same hiring authority to support the implementation of this legislation that was given to the Department of Homeland Security in the legislation that formed that department.  If VA uses the business as usual hiring processes, it will take months or even years to properly staff the offices established by this legislation.
 

I hope the information I have provided in this opening statement will help the Committee in its deliberations, and thank you for this opportunity to discuss this landmark legislation.  I will be happy to answer any questions you might have.
 

[The statement of John A. Gauss appears on p.  ]

 

The Chairman.  All right.  As I understand, the mental framework of the man at the trout stream has remained unchanged, so he shows up to the Committee without a statement; is that correct?
 

Mr. McFarland.  Mr. Chairman, I have a short opening statement--
 

The Chairman.  Oh, you do?
 

Mr. McFarland.  --that I would be happy to give to you, sir.
 

The Chairman.  This is rather exciting.  We are in anticipation.  You are recognized.


STATEMENT OF ROBERT MCFARLAND

 

Mr. McFarland.  Thank you, sir.
 

Good morning, Mr. Chairman and members of the Committee.  Thank you for the opportunity to comment on the Committee's draft bill to enact the Veterans Identity and Credit Protection Act of 2006.
 

I have given my suggestions to Committee staff and I have consulted with my colleague, Dr. Gauss, on his testimony and agree with the suggestions and comments.
 

As always, I appreciate the work this Committee continues to do on behalf of veterans, and I am pleased to contribute whatever I can to this important legislative effort.
 

I will be happy to answer any questions that any of you or any of the members may have regarding these issues. Thank you.
 

The Chairman.  This is not in the bill itself, but trying to be a good listener here, we had some testimony by Dr. Spafford who is one of the nation's leading experts in cyber security.  He runs a program called SIRUS at Purdue University and he produces 25 percent of the nation's Ph.D.s in cyber security.  And I do not remember the exact number, if anybody can remember.  It was like 75 or 80 per year. That is all the Ph.D.s we are producing in cyber security.
 

So when you think about all of the hacking that is going on and trying to make these systems more sophisticated, we really do not have programs out there to help this curriculum.
 

And so let me ask if both of you were still in your positions and we were to create a new position.  So we have some scholarships under the Health Agency for doctors.
 

What if we were to create a scholarship for Ph.D.s in cyber security within the VA, you know, two positions, one position, whatever the need is going to be here, and we fund that?  Estimated cost of that could be 60,000 per student, maybe double that for a private school.  Just give me what your thoughts are for creating a lane, and then we can do a two-for-one service to country.
 

I mean, we need to generate some levels of expertise here and the country needs to embrace where we need to go.  I mean, we could take that and move it to other departments and other legislation, but we have an opportunity to address a particular problem here.  And I know I am catching you cold, but what are your thoughts to that?
 

Mr. McFarland.  Mr. Chairman, I think that would be an exceptional idea.  I think it is very difficult for government to compete with the private sector on these very sophisticated positions.  I think that if you were able to be the benefactor of some good talent towards that kind of expertise, I think you would have a leg up.
 

I think you would be closer to competing with the private sector in trying to get these kind of people which are necessary if you are going to enact the kind of controls that you need to enact to avoid these kind of problems in the future.
 

The Chairman.  So whether it is by scholarship or by grant, when you used the word benefactor, immediately I thought of a grant.  Even if it were a grant program to a particular university, we somehow then become a benefactor of that individual for years of service.
 

Mr. McFarland.  I think it is an excellent suggestion and I think it would help you attract those kinds of people because it is very difficult to do it without those kind of people.
 

The Chairman.  Most importantly, though, you believe it is going to be helpful to the VA to bring that level of expertise in because of having to compete for it because everybody is competing for it, right, whether it is Google or Microsoft or everybody else?
 

Mr. McFarland.  It gets worse every day.  I mean, as you pointed out, there is a limited number of these professionals that are available, and it is very difficult to get them into government service.  I think this would be certainly an advantage.
 

The Chairman.  If they are only producing, even if the number is less than a hundred, less than ninety, the level of competition into such limited programs, these are the geniuses.  These are real geniuses in a very narrow lane and trying to attract them will be very challenging.
 

Admiral Gauss, what are your thoughts?
 

Admiral Gauss.  Mr. Chairman, I think the idea of some grants for education is an excellent idea.  One of the things for consideration is that there are many Ph.D.s that graduate annually with electrical engineering degrees.  Each Ph.D. has to have some kind of minor.
 

I think you could also incent educational institutions to take some of their main line double Es and have them achieve additional skill levels as a minor in cyber security.  Many of the disciplines you need to have to understand how to deal with this threat are disciplines you would learn in the double E curriculum.
 

The Chairman.  All right.  Well, I mean, it is something I have just been thinking about.  I have not even had a chance to share it with everyone.  And we can talk about it here over the next couple of days.  But I wanted to get your reactions.
 

If you were in charge and you had that type of program, would it be helpful to you?  Would you utilize it?
 

Let me ask this.  To create a pipeline, of necessity, how many of these per year do you think we would need, if we were to incorporate it in this bill?  One, two, three?
 

Mr. McFarland.  I think in the case of the VA, for an agency the size of the VA, I think you would want to do at least two or three per year and try to build yourself up a cadre over a period of four or five years of a staff of people that could be dispersed.
 

And one of your problems is not all the problems are in one place.  So being as dispersed as the VA is, I think you are going to need more than a couple of these over the next few years.
 

The Chairman.  And because it may take me three years or four years to get a dividend from that, I could in the first three or four years do a loan repayment.  I could do a student repayment in return so we could get an immediate attraction perhaps.
 

Okay.  I yield to Mr. Filner.
 

Mr. Filner.  I think the virtue, Mr. Buyer, of such a proposal is enhanced if you incorporate it with veterans' preference, and we try to encourage veterans going into that field.
 

And to just take it one step further, I will support a Buyer Chair in Cyber Security at Indiana University or Purdue if you support a Filner Chair at San Diego State University.  Okay?  Is that a deal?
 

We have talked in many of the hearings of centralization versus decentralization.  Does this legislation deal with those tensions in a reasonable fashion?  Shall we proceed in this way?
 

Do we come to grips with the necessity on one hand of centralization versus a need to have some decentralized approaches to the various reaches of the VA?  Do we meet that balance somewhere in this legislation in your view?
 

Admiral Gauss.  Yes, sir, I believe you do.  In my testimony, I did not include that recommendation.  I tried to stay focused on the objectives you were trying to achieve in terms of elevating the position, establishing the new Deputy Under Secretary positions, and the Credit Act.
 

But, actually, yes, sir, I do think that it would be important to have it in legislation that all of IT needs to be centralized.
 

At the last hearing, Mr. McFarland and I shared a differing view on the operations and maintenance. Subsequent to that hearing, I have had the opportunity to intellectualize what Mr. McFarland said.  We have discussed it subsequently, and I have shifted my view.  And he and I are in complete agreement that all of the resources should be centralized within the Department underneath the Under Secretary for Information Services.
 

Mr. Filner.  And you are both pretty clear on this issue of elevating the CIO to the position of Under Secretary?
 

Mr. McFarland.  I am clear on it, and I have agreed with Dr. Gauss on that issue.  I think it is important because there is something called the VA Executive Board which I believe is a governing body that is made up of the three Under Secretaries, the General Counsel, the Deputy, and the Secretary.  That is a very important body in governing and managing the VA.
 

I believe given that information technology is really the railroad that most of the delivery of services to veterans run on, I think it is imperative that this new position be on that VA Executive Board in order to be there when decisions are made about how the Department is going to be managed and how that technology will be used to manage the Department.
 

Mr. Filner.  Well, of course, if you have not changed any of the culture, the CIO could just be left off the Executive Board.  I think the Executive Board must be just an informal designation by the Secretary, is that correct?
 

Mr. McFarland.  No, sir, I do not believe it is informal.  I believe it is a very formal board.
 

Mr. Filner.  Okay.  But you could easily let that person off or on with or without any title, I assume.  But, no.  I hear what you are saying.  The title does mean something to the whole organization and provides a sense of how important we think that position is.
 

Mr. McFarland.  Well, sir, it also puts the CIO at the table and additionally from where they are at the table with the normal Assistant Secretary position.  So it is another chance to be at the table when decisions are made. That was my point.
 

Mr. Filner.  So you think it is important for a title that will lead to other more formal kinds of responsibilities.
 

Admiral Gauss.  Sir, may I add to that?
 

Mr. Filner.  Yes.  Please.
 

Admiral Gauss.  Having spent most of my professional career in the Defense Department, my observation is that the real decision making within the Department lies with the Under Secretaries, the Deputy Secretary, and the Secretary.
 

And I watched the CIO within the Defense Department try to be the change agent, try to lead the modernization of the business processes.  And every forum that he would call, the principal Deputy Under Secretaries would show up and it was an inertia that prevented change, that prevented moving forward.
 

The CIO has to be more than the IT person because IT is a value when you apply it to improved ways of doing business, to cut costs, to gain efficiency, to improve service.  IT should be applied to the business rules. Someone has to have a seat at the table who can be the advocate of that change and the driver of the integration of those processes to gain some efficiencies and help get the IT budget on a negative slope rather than the constant sharp increase slope that it is on today.
 

Mr. Filner.  I appreciate it.
 

Yield back, Mr. Chairman.
 

The Chairman.  Mr. Stearns?
 

[The statement of Cliff Stearns appears on p.  ]

 

Mr. Stearns.  Yes.  Thank you, Mr. Chairman.
 

When you give notices out to veterans and lots of times, a lot of these veterans might not be in the United States, so they might perhaps be in Iraq.  They might be in the Pacific Rim.
 

I have a bill, House Resolution 4127, the Data Accountability and Trust Act through the Energy and Commerce.  And we approved it on the 29th of March in Subcommittee and it went to full Committee and passed too. And in the bill, and I am reading from it, we had that a possible direct notification could include e-mail notification.
 

So I was just wondering how you feel about the possibility of having e-mail as a way to solve the problem of notification for veterans.  I mean, is that just something that is easy to do in your opinion?
 

Admiral Gauss.  As a means to notify, yes, sir, I think that would be a very convenient means.  However, I would respectfully offer a caution--
 

Mr. Stearns.  Yes.
 

Admiral Gauss.  --that personal privacy information not be included in the content of the e-mail.  The Social Security number, the date of birth, or any other identifying information must not be included with the e-mail because it is too easy to capture as it floats its way through cyber space.
 

Mr. Stearns.  How about if it was encrypted?
 

Admiral Gauss.  Then the veteran would have to have this encryption device.
 

Mr. Stearns.  But how would you--
 

Admiral Gauss.  Notification, you know, if it came from VA to me as a veteran--
 

Mr. Stearns.  Right.
 

Admiral Gauss.  --to my home e-mail address that said this is to advise you that personal privacy information might have been compromised, please call such and such a number, that would certainly be an expedient notification method.
 

Mr. Stearns.  And it might be a way to notify him. Otherwise, I guess just sending it through the mail to him would be the alternative.
 

Yes.
 

Mr. McFarland.  I think it is an excellent way to do it, and I agree with Dr. Gauss' statements on it.  I can tell you that I did receive a letter obviously.
 

Mr. Stearns.  Right.
 

Mr. McFarland.  I was in the 26.5.  I would have received an e-mail much faster than I received that letter. So I think it is an added method of communication that is important to get the word out quickly.
 

Mr. Stearns.  I do not know, Mr. Chairman, what finally the Veterans spent in mailing out their notifications because of the loss of data.  Does anyone know?  I mean, Mr. Chairman, does counsel know?  I am just curious what the final figure came in.  I had heard about $7 million it was.
 

The Chairman.  I do not know.  The VA turned to the IRS.
 

Mr. Stearns.  And they sent it out?
 

The Chairman.  They sent it out.
 

Mr. Stearns.  Yeah.  But any way that could be used more inexpensively for the veterans.  E-mail might be certainly done in a way which they could be notified but without the personal identifiable information with it.
 

All right.  Thank you, Mr. Chairman.
 

The Chairman.  Mr. Michaud.
 

Mr. Michaud.  Thank you very much, Mr. Chairman.  I want to thank you for having this hearing.  I want to thank all the panel members who have spoken and will be speaking later on today.
 

I just have one question, Mr. McFarland.  I gather you agree with all of Dr. Gauss' comments.  Do you have any additional recommendations above and beyond what the doctor has suggested or what is in the legislation that we should be looking at?
 

Mr. McFarland.  Well, sir, having had reasonable recent exposure into the operations of the VA, I would recommend along with authorities and responsibilities that you talk about in the legislation that you make clear this issue of enforcement and be sure that there is clear authority to enforce these rules and regulations that you want to be put in place to try to control access and control the leakage of data.
 

One of the issues I wrestled with is this whole issue of enforcement, and I know this Committee has dealt with this through some past testimony and past hearings.  Without an ability to enforce, authority does not mean anything.  So I do not think you can be too careful in pointing out that enforcement is a part of granting authority.
 

Mr. Michaud.  Great.  Thank you very much once again for your testimony.
 

With that, Mr. Chairman, I will yield back the balance of my time.
 

The Chairman.  Dr. Snyder, you are recognized.
 

Mr. Snyder.  Mr. Chairman, I was not here at the gavel.  I think Mr. Salazar was here.  Thank you.
 

The Chairman.  Would you like to yield?
 

Mr. Salazar.
 

Mr. Salazar.  Dr. Gauss, in your testimony, you talk about the VA using--if you use the business as usual hiring process that it will take months or even years to staff your offices.
 

How many staff members are you going to have to hire to implement this legislation?
 

Admiral Gauss.  There are several key staff members that you would need.  You would need the Deputy Under Secretaries and maybe one or two other people.  So it would not be to do a replacement of eight or nine thousand folks, but rather for those key positions, with key skills that are needed to enact the legislation, the process has to be more than classify the job, write a position description, advertise it, have a board, have another board, have another board, have interviews which takes 15 to 18 months.  So it's the key five or six positions that my comment was really aimed at.
 

Mr. Salazar.  Okay.  But it would not be hiring a thousand new people that are qualified in IT?
 

Admiral Gauss.  No, sir.  For example, in my testimony, I recommended some qualifications for the Chief Information Security Officer.  If we could go out and canvass, if VA could go out and canvass industry, find a candidate, do a direct hire, you got the position filled.
 

Mr. Salazar.  Thank you, Mr. Chairman.  I yield back.
 

The Chairman.  Dr. Snyder.
 

Mr. Snyder.  Thank you, Mr. Chairman.
 

Mr. Gauss, in both your oral and your written statement, you refer to this data information as being, I think your words were a strategic capital asset.  And I wanted to explore that just a minute.
 

I saw the movie the Pirates of the Caribbean over the weekend in which Davy Jones loses his key.  And so they fight over this key.  It seems like he should have gotten a cell phone and say change the lock on my treasure chest.
 

If I lose my credit card and I throw it in the hallway, I guess you would define that as a strategic capital asset until I pick up the phone and notify someone that my credit card has been lost and at that point becomes essentially of no value.
 

I think there was a lot that I saw in the last few days that said why is it that the only thing that can never be changed in society is our Social Security number.
 

What are the practicalities or is that something that we ought to explore, that if a person is--you know, let us say 26 million, that we actually had evidence that that information was lost permanently and 26 million losses of strategic capital asset.
 

Why shouldn't government be available to say, hey, no problem, we will change that number, issue you a new random, distinctive number that will only be yours for all time? And what are the problems?  Have you explored that or thought about that much?
 

Admiral Gauss.  Let us see.  Sir, I actually have not given a lot of thought to your question.  But I do agree with you.  Having once been an identity theft victim myself, it would have been very nice to have a new Social Security number rather than living with the risk.
 

But then there is chains through all sorts of databases, through IRS, through VA, my case through the Department of Defense, and how one would administer that across government would require some thought.  But I do agree with you that that makes a lot of sense.
 

Mr. Snyder.  Obviously I am mentioning that not--that is not something we could do in this bill because then we get into jurisdiction issues.  But one thing we are doing in this bill there is asking for, I think, a six-month study to explore like why does the VA even use Social Security numbers.  Why does it not do a distinctive personal identifying number so that, you know, no credit card company is going to say, oh, good news, I got your VA number.  Well, that is not your Social Security number.  It would be a separate issue.  So we are going to explore that.
 

It seems like that there may need to be a broader government look at if somebody has had an identify theft problem, why can't that number be immediately declared, hey, we have given this person a new number and that number is no longer recognized as related to that person.  But that would have to be a study for another bill or another time.
 

The Chairman.  Would the gentleman yield?
 

Mr. Snyder.  Yes.
 

The Chairman.  We have had testimony.  As a matter of fact, one of our colleagues has a bill out there just to do that, so you can no longer use the Social Security number.
 

And during the July break, I went and met with Dr. Spafford who serves on PITAC.  It is the President's Information Advisory Committee.  And he said he felt that there would be a massive upheaval in the systems right now for us to just go blanket you are no longer permitted to use the Social Security number.
 

And immediately I asked him, I said what is your identification number here at Purdue University.  Is it your Social Security number?  Let me see your ID.  And he started smiling.  He said, well, eight years ago, we moved away from that.  And so they went through that judgmental process. And he said, please, I think it is best for you to examine all the alternatives and what the issues are rather than just do a blanket change.  And that is the reason it is in the bill.  So I wanted the gentleman to know.
 

Mr. Snyder.  No.  And I agree with what we are doing in the bill.  When we talk about massive upheavals, a massive upheaval would have been if we had found out that those 26 million names had been sold in batches of 200,000 all over the world and that there were already 13.7 million credit cards that had been actively activated based on-- I mean, that would have been an upheaval.
 

The Chairman.  True.  But the reference of massive upheaval is the seamless transition that we are doing between two of the largest departments of government--
 

Mr. Snyder.  Yeah.  No.  I understand.
 

The Chairman.  --and patient medical records and trying to figure out how to do that if one department is going to change and DoD does not.
 

Mr. Snyder.  No.  I understand.
 

The issue of speed, Mr. Gauss, and you put a lot of emphasis on speed, and isn't this something-- and I understand the importance of doing things with rapidity, but we have had several false starts through the years thinking that the Department of Veterans Affairs was going to get this right and that has not worked out.
 

I mean, isn't this the time to say we want to have it done right even if it takes longer than six months?
 

Admiral Gauss.  I share a different view.  When I was at VA, I convinced the Secretary to centralize the IT within the Department in August of 2002.  I testified in front of the Oversight Subcommittee at the end of September of 2002 that we would have it in place by the end of November.
 

Well, what happened between it was those that wanted to ensure there was no collateral damage done put it into the VA concurrence process and it just dragged and dragged, and the advocates of the status quo put up obstruction after obstruction.
 

I have experience, personal experience in effecting change.  I was the commander of a Navy material acquisition command.  I found a major structural problem with the organization within 60 days of taking command.  I restructured an 8,500 person organization on one afternoon with the senior leadership on a Thursday, and we put it into effect the following Monday.
 

Now, granted, the first week was chaotic, but it took two months to sort out what needed to be done to do things right and results were seen on the waterfront within six months.
 

I am an advocate of speed even if in the process you do some collateral damage, else the advocates of business as usual will drag this thing out until there's a new Congress, a new Administration, new political appointees, and it will be the year 2010 before-- and there will be more hearings just like this.
 

So it is time to strike and it is time to strike fast in my opinion.
 

Mr. Snyder.  Thank you.
 

Mr. Stearns.  [Presiding]  Yes, Mr. Udall.  We show Mr. Udall after Dr. Snyder.
 

[The statement of Tom Udall appears on p.  ]

 

Mr. Udall.  Just following up on what you said about moving quickly, I mean, would you make any suggestions to us in terms of the bill that is before the Committee, how to get this into place as quickly as possible, and are there any pitfalls in doing that?
 

Admiral Gauss.  One of my recommendations was to implement the legislation within 90 to 180 days, and there are specific portions in there like establish the offices for the Deputy Under Secretaries and fill them with qualified personnel and have a series of reports back to the Congress on progress made.  Transitioning the people from their current organizations to the new Under Secretary should happen within the same 90 to 180 days.
 

Since the government cannot move quite at the speed that industry does, there are certain things that will take time in order to move through the personnel system.  But in my opinion, this can be done within 180 days, and hold VA accountable for execution.
 

Mr. Udall.  The idea of creating and then filling the positions quickly, have there been problems with that in the past and how do you cut through that?
 

Admiral Gauss.  I try to recruit some people that I knew and trusted from outside of government, only a handful, two or three.  And if it was not for me personally sitting on people's desks through the HR system, what turned out to be a six-month ordeal would have turned into a year to 18-month ordeal.
 

Mr. Udall.  So basically you are saying it takes a lot of personal commitment by the managers to make sure personnel are put in place and that it is moved on quickly?
 

Admiral Gauss.  My experience with the VA is that they take the most conservative interpretation of HR policies and that perhaps with the assistance of the Office of Personnel Management with some forward thinking, OPM people helping VA, they could expedite the process.
 

Mr. McFarland.  I would like to add to that if I could.
 

Mr. Udall.  Please, please, Mr. McFarland.
 

Mr. McFarland.  One of my consternations in coming into government from the private sector with no previous experience was the speed of execution on the employment side, personnel side.
 

And for the first few months I was there inadvertently blamed OPM until I had an opportunity to sit down with an OPM executive one evening and talked about the consternation I had faced in my first three or four months at VA over these hiring policies and the things we had to go through to get simple positions filled.
 

And he made it very clear to me that these were not OPM problems, and he pointed out the fact that VA has its own set of very antiquated, old rules of procuring people and their own HR policies which are not OPM's issues.  They are VA's policies.
 

And I believe that until you fix some of those policies inside the agency, you will continue to have a long tenure in trying to fill personnel requests.
 

Mr. Udall.  Thank you very much, Mr. Chairman.
 

Mr. Stearns.  Will the gentleman yield?
 

Mr. Udall.  Yes, I will.  And I was going to say to the Chairman I think this is a good area that we ought to focus on.  But, please, I yield.
 

Mr. Stearns.  Well, I think what you have brought up is very important.  Can you go so far as to indicate what you think should be done?  You said these changes should be made.  If you could wave a magic wand, what would you do? Can you specifically outline them?
 

Mr. McFarland.  Well, one of the issues I struggled with is I believe OPM has electronic access to resumes, a repository that you can get on.  They have an arrangement with monster.com to recruit people.  None of those techniques are ever used at the VA that I am aware of.
 

Mr. Stearns.  And why wouldn't they be used?
 

Mr. McFarland.  Because VA has its own policy out of the HR Department on how the process of hiring goes.  It is VA's policy and that is the way it is.
 

Mr. Stearns.  So is it actually written in VA's policy that you cannot use an outside personnel to assist or get advice?
 

Mr. McFarland.  Every time I tried, I was told that was unacceptable.  It was not VA policy.
 

Mr. Stearns.  So not VA policy is sort of a blanket that chills across the board if a person wants to be innovative in trying to recruit is what you are saying?
 

Mr. McFarland.  One of the most frustrating points of my two and a half years there was that process.
 

Mr. Stearns.  Now, besides personnel, is it also true in procurement of supplies and things like that?  You sort of used the word procurement.  Well, it was primarily in the personnel.
 

Mr. McFarland.  Primarily in the area of personnel. The procurement aspects, sir, I am not sure we have enough time to delve into that.
 

Mr. Stearns.  But you also feel--I am not trying to push you into dangerous ground for yourself-- but you are also saying today that in the procurement process, the same type of blanket policy has sort of chilled the innovation that is needed for procurement?  Would that be a fair statement to say?
 

Mr. McFarland.  That would be fair in my opinion, sir.
 

Mr. Stearns.  And the same type of innovation that we need in the recruitment of personnel, we need in the innovation and procurement policies, too, for supplies and things like that?
 

Mr. McFarland.  I would agree.
 

Mr. Stearns.  Okay.
 

Mr. Filner.  If the gentleman will continue to yield.
 

Mr. Udall.  Yes.
 

Mr. Filner.  Those are, I think, subjects for further oversight.  I would tell Mr. Udall that in terms of your opening line of questioning, Mr. Buyer and I were talking with the staff here and we agreed to put these time lines, some of these time lines into the legislation that we will mark up on Thursday.  It is really important to have those in the bill, and I appreciate your getting that on the record.
 

Mr. Udall.  Thank you, Mr. Filner, and I can see that.  And then I was just following up on the problems that might occur as a result of that.
 

Thank you very much and yield back.
 

Mr. Stearns.  The gentleman yields back.
 

If the members will indulge me just for a moment, we would like to welcome our newest Committee member, Mr. Brian Bilbray.
 

Mr. Bilbray returned to Congress following a June 6th special election in the 50th District in California.  A native of San Diego, he brings to his constituency a unique level of experience, having served the people of San Diego County as a Mayor, County Supervisor, and then as a Congressman.
 

His two decades of business and local government service were instrumental in developing San Diego's aggressive initiatives regarding environmental protection, pollution control, and economic development.
 

Mr. Bilbray has been at the forefront of the battle to protect the Mount Soledad Veterans War Memorial, and he has cosponsored legislation with Congressman Duncan Hunter to make this a national war memorial, allowing it to remain for San Diego to enjoy for generations to come.  I believe it will be on the floor tomorrow, if I understand right.
 

So with great admiration, we welcome you, Brian, to our Committee.  It is a wonderful and bipartisan Committee. This morning, we will draft legislation prepared in response to the theft in May of personal data belonging to as many as 26.5 million veterans and 2.2 million servicemembers as well as family members.
 

You are welcome to join us this morning, and we just welcome having you the opportunity to serve with us.
 

Mr. Bilbray.  Thank you.
 

Mr. Filner.  Will the gentleman yield?
 

Mr. Stearns.  Be glad to yield.
 

Mr. Filner. When the Congressman was a Supervisor in San Diego County, I was a City Councilman in the City of San Diego and our districts completely overlapped.  We worked together on virtually everything.  He taught me how to ride horses and to surf.  I taught him how to read and write, I think.  So we will bring a new spirit of comradeship, as he likes to call it, to this Committee.
 

Mr. Stearns.  Well, that is a high commendation, Mr. Bilbray, to get from Mr. Filner, or low as we might want to consider it.  So you are certainly welcome.  And just delighted on behalf of Mr. Buyer, who is the Chairman, to have you sit with us today.
 

Mr. Bilbray.  Thank you, Mr. Chairman.  And before you take that as a compliment, you have not seen my literary accomplishments or Mr. Filner surfing or horseback riding.
 

Mr. Stearns.  Mr. Bradley, I think has just left.
 

And, Ms. Herseth.
 

[The statement of Stephanie Herseth appears on p.  ]

 

Ms. Herseth.  Thank you, Mr. Chairman.  And welcome, Mr. Bilbray.  I thank the two of you for being back to the Committee and answering some of the questions that I know my colleagues have already asked about some of what the Committee has been working on.
 

And I appreciate Chairman Buyer's leadership here and getting a piece of legislation that all members of the Committee can evaluate to address some of the very difficult challenges we clearly face with information security in the Department of Veterans Affairs.
 

But let me go a bit further because you may have heard me in a prior hearing ask a little bit beyond what we have here at the Department of Veterans Affairs, what we may have at other federal agencies.
 

You may have seen the article in the Post today about all of these other agencies that have had some problems.  I also serve on the Agriculture Committee and even the Agriculture Department is subject to these attempts to hack into the system or the potential that information is compromised.
 

And my question, I guess, goes to whether or not you think that the Congress, not necessarily this Committee, can use the draft bill here as perhaps a model for what other committees could do, but should we be looking beyond this to a broader act or action by the Congress to address compliance with FISMA across agencies, and should we try to do this for all agencies at the same time or in light of some of the unique issues we have at the VA that Mr. McFarland talked about, should we focus in on the Department of Veterans Affairs, try to achieve within 180 days the type of organizational change that you suggest, Mr. Gauss, that we could do to hold up then as a model for what needs to be done and using the types of professionals that we bring in to effectuate this change for other agencies then to follow?
 

So I guess my question is, should we try to do this all at once or should we focus in and try to do this quickly with speed at the VA and then move to address this problem and other challenges that exist at other federal agencies?
 

Admiral Gauss.  I believe the points that you make about it apply to a broader part of government are right on target.  My personal recommendation is to use this as the model for expanding and move out with speed to fix the problem.
 

Mr. McFarland.  My feeling is the same.  I do not think there is anything necessarily unique at VA about the potential problems that you deal with in this area.  I think they are the same in every agency.
 

So I think that if you move out with speed as Dr. Gauss says and deal with the VA's issues, I think you have the ability to move those changes and that experience across the rest of government very easily.
 

Ms. Herseth.  I very much appreciate your responses because even as this article points out, the potential of compromised data at the VA got the most attention nationally.  And I think that in light of an attempt to do this across the government in every agency may be a bit overwhelming because I think to do this with the speed that I think it needs to be done is going to be a challenge enough.
 

And if we are able to do it and with this Committee's focus on the issue with the aggressive oversight we have been exercising the last few weeks, if we keep the heat on, we make sure it gets done, then as you both say, it can serve as a model that we then share with our colleagues and other committees or on those that we also serve on, but also that broader action that may be necessary in light of what every other agency seems to face and keeping a pace with the need to secure this type of information.
 

So I appreciate it.  That is the only question I have. I would yield back.  And, again, appreciate your testimony and your expertise.
 

The Chairman.  Ms. Herseth, you and I have not had an opportunity to talk, and we discussed it right before we came into the room.  Mr. Filner and I and staff are working with government reform and oversight.  The FISMA provisions would have a joint referral upon introduction to government oversight, and they are working with us.  And the intention would be that they are going to waive jurisdiction over the FISMA provisions to use, and we are going to mark up this bill on Thursday and try to get it to the floor next week.
 

Does that meet your approval?
 

Ms. Herseth.  Well, it certainly does.  I mean, I wanted to get their perspective based on, I think, other folks they have worked with and other agencies, and appreciate, understanding that there would be joint referral over some of the provisions in the bill.
 

But I think that we have been the most aggressive under your leadership and working with Mr. Filner and people on both sides of the aisle of staying on this issue, knowing that other agencies are similarly affected.  It just has not gotten the same kind of attention that some of the problems we have had here at the VA.  And that rather than trying to address this government-wide, we address it at the VA first and use it as the model as both of the witnesses suggested.
 

Thank you.
 

The Chairman.  And your line of questioning, when I look back to the seven hearings we did with regard to the General Counsel and his operations, you are going to have latitude and freedom in a hearing we will have with the General Counsel's Office with regard to the last lost backup tape and the laissez-faire attitude and lack of policies within the General Counsel's Office.  And we are going to take that up in September.  So I look forward to your expertise.
 

Mr. Bilbray, you are recognized.
 

Mr. Bilbray.  Mr. Chairman, I pass at this time.
 

The Chairman.  Mr. Stearns.
 

Mr. Stearns.  Mr. Chairman, I wonder if I could have additional time just to ask both yourself, your counsel, as well as the Democrats if they would allow or consider making a part of the base bill my suggestion that would include e-mail as a part of method of notification.
 

And this notification could be worked out in such a way that the personal identifiable information is not included in it, but it would at the same time give conspicuous notice that some of their data was lost and so that they would be notified of it.  And it might be such that this e-mail might be in lieu of or in combination of the written notification.
 

So if it is possible at this late date, whether you and your counsel, Mr. Chairman, think this should be appropriate as an amendment or it could be part of the base bill.  Maybe this would be appropriate since we heard a little bit from our witnesses today to get a comment.
 

The Chairman.  Well, Mr. Stearns, I listened to counsels respond to you, and I appreciate your work in the Commerce Committee that you have done and you are grappling with the same issues that we are.
 

You are correct.  In our draft legislation, we do not go with specificity under the notification provisions.  We can go exactly as you are recommending, first written and then secondly e-mail if it is available.  I do not have objections to that.
 

I will yield to Mr. Filner.
 

Mr. Tucker.  Regarding the concern with emails being implicated in so-called "phishing" schemes, there could be protections incorporated into that provision.
 

The Chairman.  I do not know even what that means.
 

Mr. Stearns.  Well, sometimes when you send an e-mail, it requires a reply and sometimes that reply is used to identify who the person is and then they try and steal the identity.  But there is a lot of ways to do this.  In fact, you could send it encrypted and then it could be decrypted at the site.
 

But I think after hearing these folks talk about the antiquated procedures with procurement of personnel and supplies, and we have this internet and it is going to be broad band, it is going to be probably ten or fifteen years from now, not only will everybody have an e-mail and it will be broad band, but that will be the form of communications.
 

So I do not think we should rule out the possibility of the internet being used and e-mail being used too.  So it is just my suggestion that I think the bill would be ahead of everybody else.
 

The Chairman.  I think, Mr. Stearns, you should please offer the amendment that was incorporated in your bill in the Commerce Committee, give that to our staff, and we will work this out.  I do not think there should be a problem here.
 

Mr. Stearns.  Okay.  That is good.  I appreciate your concern.
 

The Chairman.  Okay.  To authorize a second round, if anybody has it, only because of the level of expertise we have in front of us.
 

During one of the hearings, we had testimony that VHA was granted a waiver for laptops in the name of patient safety and healthcare delivery.
 

Gentlemen, do you believe that this will affect patient safety and healthcare delivery?
 

Mr. McFarland.  No, I do not.
 

Admiral Gauss.  The only possible way it could adversely affect patient care is if the money to buy the PCs necessary to comply with the policy came out of patient care dollars.  If on the other hand, it came out of their development pots of money, there would be no adverse impact to patient care.
 

The Chairman.  So doctors and their laptops, they need to bring them in and they need to have them checked? Is that what you are telling us?
 

Admiral Gauss.  I am going one step further that doctors should be given VA laptops that are properly configured with all the security devices for any connection into the VA network and that the use of home computers should be prohibited.
 

The Chairman.  Would this be an example when you say that the CIO needs to be at the table rather than subordinated?  I mean, if you have the attention, the Secretary has resources.  He has the Secretary Deputy. He calls in his three Under Secretaries.
 

But the CIO presently is in a subordinated position and he is not at that meeting.  And the Under Secretary for Health makes an argument on patient safety as to why his doctor should be exempted from a particular policy, yet the CIO is not even at the table.
 

Admiral Gauss.  The argument, I believe, needs to be heard by the Secretary and not subordinated in staff work that is then withheld from the Secretary's view.  And putting an Under Secretary at the table with the Secretary would get these issues in the open, I believe.
 

The Chairman.  All right.  I am going to be a good listener here.  Admiral Gauss, you talked about the implementation.  What would be a reasonable time table for the implementation of this bill?
 

Admiral Gauss.  Mr. Chairman, I believe that establishing the office, establishing the offices of the Deputy Under Secretaries, recruiting and placing people into those positions, realigning the personnel under the new structure should all be done within 90 to 180 days.  If this were industry, it would be less than 90 days.  But there are some procedural things in HR that may take longer.
 

While you were out, I related a story of where in government, I reorganized a command of 8,500 people, and the new structure was defined on a Thursday afternoon and it was implemented the following Monday.
 

The Chairman.  Mr. McFarland, would you concur? Would it be prudent for us to put in this legislation a specific time period for implementation?
 

Mr. McFarland.  Sir, I not only think it is prudent, I think it is necessary.
 

The Chairman.  All right.  In one of our other hearings-- gosh, in my mind, they all kind of run together; they came so fast-- Ms. Herseth, I think it was the Secretary, it was the Secretary who was testifying, and at the time the laptop and the storage device had been found, we did not know what the forensic results were.  We kind of knew at first blush it appeared as though it was not accessed.  Her chief concern was, you know, should we cover the 26.5 million, give them their assurances, and go ahead and spend the dollars.
 

We have learned subsequently.  Congress has received a letter from the Director of OMB withdrawing now the request for the $160 million from Congress.  And at the time, in direct response to Ms. Herseth, I mentioned the ID/IQ contracting process.
 

And GSA is going to be following you and your testimony here today about these blanket purchase agreements whereby we can take care of these breaches of the past, and we sophisticate and implement a centralized model recognizing that breaches are going to occur in the future because we are dealing with humans.
 

Are we going on the right path, gentlemen?  Are we proceeding?  Is this the best way, you think, to handle this?
 

Mr. McFarland.  Yes, sir, I believe it is.
 

The Chairman.  Good.
 

Admiral Gauss.  I concur.
 

The Chairman.  All right.  Well, Ms. Herseth, you were an impetus to good change by your questions, so I want to thank you for that.
 

Mr. Filner.
 

Mr. Filner.  No further questions.  In your absence, I had assured Mr. Udall that we had discussed and had committed to putting time frames into this legislation.
 

Also, there are some things that we might even have more specificity.
 

The Chairman.  More specificity?
 

Mr. Filner.  On some of them, very specific things to even give lesser time and have reports back to us on a regular basis.  I think that will probably be in the draft legislation or legislation for markup on Thursday.
 

Thank you, Mr. Chairman.
 

The Chairman.  Thank you.
 

Any other members seek recognition of this panel?
 

My last question would be this new directive that the Secretary has implemented, have either of you gentlemen seen the new directive with regard to authorities of the CIO?
 

Mr. McFarland.  No, sir, I have not.
 

The Chairman.  6504?
 

Admiral Gauss.  No, sir, I have not either.
 

The Chairman.  Okay.  Well, all right.  I think if you had seen it, you would have said I wish I could have had it.
 

I want to thank you very much for your testimony.  It is valuable.  And I appreciate your support of the bill and your counsel to us in the drafting of the legislation. Thank you very much.
 

Admiral Gauss, you may go back to work.
 

Mr. McFarland, you may go back to fishing.
 

Our third panel represents the views of the Administration.  We have before us the Deputy Secretary for the Department of Veterans Affairs, Mr. Gordon Mansfield. From the General Services Administration, we have Mr. James Williams, the Associate Administrator for the Federal Acquisition Service, who will discuss what offerings they are providing under their contract.
 

Mr. Secretary, welcome back.  You are recognized.


STATEMENTS OF HON. GORDON MANSFIELD, DEPUTY SECRETARY, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY JOHN THOMPSON, DEPUTY GENERAL COUNSEL, DEPARTMENT OF VETERANS AFFAIRS; AND JAMES A. WILLIAMS, ASSOCIATE ADMINISTRATOR FOR THE FEDERAL ACQUISITION SERVICE, U.S. GENERAL SERVICES ADMINISTRATION



STATEMENT OF HON. GORDON MANSFIELD

 

Mr. Mansfield.  Thank you, Mr. Chairman.  I am pleased to provide the Department's views on eight bills all intended to protect the personal privacy of veterans and others affected by the May 3rd, 2006, theft of computer equipment containing veterans' personal data.
 

While you had also invited our views on the draft bill your staff shared last week, I regret that time has not permitted us to have cleared positions on its many provisions.  We will supply those for the record once the necessary Executive Branch coordination is completed.
 

Initially I wish to point out that the eight bills covered in my testimony were introduced before the stolen computer hardware was recovered.  As you know and as mentioned, the FBI has concluded with a high degree of confidence that, based upon its forensic examination and other evidence developed during its investigation, the veterans' data were not accessed or compromised prior to their recovery.
 

The actual communication says that on June 28th, 2006, the stolen laptop computer and external hard drive were recovered intact.  Based on the facts gathered thus far during the investigation as well as on the results of the FBI and the VA OIG computer forensics examination, the FBI and the VA OIG are highly confident that the files on the external hard drive were not compromised.
 

That development has eliminated the need for much of what is proposed in the legislation, and while we understand the concerns that engendered these eight bills, we do not support their enactment.
 

Mr. Chairman, with concern for time, I can go ahead and summarize, I think, all of the bills in three categories. That is, some of them that deal with the credit monitoring or insurance or other notifications, as I said, are now not required, we believe, based on the FBI information.
 

The other area is penalties for either criminal or civil areas.  The Secretary, as you know, has testified that he believes that we need further assistance in that area, and I know you are proceeding.  However, I have no cleared positions on those that were presented.
 

And then the last issue that has been discussed here deals with the personal identifier.  And, again, while I do not have an Executive Branch position, I can tell you that it is a subject of discussion and one that we think requires not just a decision that deals with the VA but deals with the total Executive Department as well as with private commerce because it is interrelated in finance and other issues.
 

As I have indicated in my testimony, we have implemented many of the provisions of the various bills.  VA is strongly committed to providing all available protections to the safety and security of personal information of veterans and their beneficiaries.
 

As we continue to work on improvements in our systems and procedures, we will be pleased to work with your Committee in fostering methods to achieve a level of information security that is responsible and necessary.
 

The Secretary has determined that the VA will move forward with data breach analysis service to protect veterans, and we should be finished with that RFP soon.
 

That concludes my testimony.  I would be glad to answer your questions, sir.
 

The Chairman.  Would you wish to submit it for the record?
 

Mr. Mansfield.  Yes, please.
 

Mr. Williams.  Yes.
 

The Chairman.  Both answer in the affirmative. Hearing no objection, so ordered.
 

Mr. Williams, you are recognized.
 

[The statement of Gordon Mansfield appears on p.  ]



STATEMENT OF JAMES A. WILLIAMS

 

Mr. Williams.  Thank you.  Good afternoon, Chairman Buyer, Ranking Member Filner, and members of the Committee. I am Jim Williams, Commissioner of the Federal Acquisition Service of the General Services Administration, GSA.
 

I am pleased to have this opportunity to appear before you today to discuss the program that we have put in place to assist agencies in being able to respond to data protection and credit protection scenarios.
 

GSA helps federal agencies better serve the public by offering the best value, superior workplaces, expert solutions, acquisition services, and management policies. One of the most important ways that we do this is through the multiple award MAS Program.
 

Through the MAS Program, GSA establishes contracts with firms large and small to provide commercial products and services to the government at competitive prices.  The schedules can be used by all federal agencies as a streamlined convenient, money-saving, and time-saving tool for obtaining the commercial goods and services they need. When combined with E-Buy, GSA's electronic request for quote system, the process is also transparent.
 

One of the key features of the MAS Program allows agencies to establish blanket purchase agreements.  These BPAs are used to fill recurring needs for supplies or services while taking advantage of quantity discounts, saving administrative time, and reducing paperwork.
 

One MAS Program Schedule which is particularly appropriate to discuss in light of the reasons we are here today is the Financial and Business Services Schedule.  This is a schedule of approximately 425 contracts representing expertise in financial areas.  This schedule also includes 21 contractors with expertise in credit reporting and at least three firms with expertise in credit monitoring.
 

As this hearing and the Committee's draft legislation signify, identity theft is a serious issue.  When an agency experiences a data loss, there can be serious problems for our employees and the citizens of this nation.  The federal government must be in a position to respond to situations quickly and effectively.
 

With GSA's BPA for credit monitoring in place, an affected agency has quick and ready access to the industry experts it needs.  This way, all agencies facing a data breach will have a fast and cost-effective remedy available.
 

On July 10th, 2006, GSA invited 21 contractors under the Financial and Business Services Schedule to compete for multiple blanket purchase agreements.  Under this competition, these 21 firms have been asked to propose three different levels of remedy based on the extent of the risk of exposure.
 

The firms have been asked to quote different levels of credit monitoring services ranging from basic or single monitoring to comprehensive coverage, reports called three-in-one, which cover all three of the major credit bureaus.
 

A key feature will be that based on the degree of vulnerability, risk and protection, ordering agencies will be able to select the most appropriate level of credit monitoring services.
 

Responses to this BPA request are due on Monday, July 24, 2006.  GSA will then evaluate the responses to be sure we award the companies demonstrating the knowledge, understanding, and technical capability required to perform the credit monitoring services.  We plan to make those awards in August and expect several federal agencies to begin placing orders the same month.
 

In conclusion, I would like to state that this situation is a good example of the important mission that GSA plays in helping our government stop identity theft and protect the privacy of individuals.  We are mobilizing and providing a shared services solution so that we can leverage the government's buying power, drive down prices, drive up service delivery, and provide a fast and agile response to security breaches.
 

I am very proud of the hard work that the GSA team has already put into this effort, and look forward to a highly successful award of several BPAs next month.  We join the Committee in its commitment to better protect sensitive personal information of our veterans.
 

I look forward to any questions you might have.  Thank you.
 

Mr. Bilbray.  [Presiding]  Thank you, Mr. Williams.
 

[The statement of James A. Williams appears on p.  ]

 

Mr. Bilbray.  Why don't we defer it over to the Ranking Member at this time.  Mr. Filner.
 

Mr. Filner.  Thank you.  
 

I just have to say, Mr. Mansfield, I have great respect for you.  I know your history.  But I am really disappointed in your testimony today.
 

You could have come here and said we are doing the following at VA to atone for this mistake and change our culture.  You could have said we have taken the following personnel actions because we had some violations of what we considered to be good practice and several employees let us down.  You could have said, you know, we have made the following decisions in regard to policies that we did not have before.  You could have said that we are offering even more assurance to our veterans.  And you just came and said, "well, the laptop has been found, eight bills are irrelevant.  I do not have any comment on your bill, the hell with you."
 

Should I interpret what you did in any other way?
 

Mr. Mansfield.  I think that you should recognize that I have sat at this table many times in many guises and not one time did I come down here without fully respecting what this Committee is, who it is, and what their job is, and try and fulfill the role that I am supposed to fulfill as a Deputy Secretary.
 

Mr. Filner.  This is a hearing on a draft bill to deal with a major disaster in your department and you have nothing to say?  That is my question.
 

Mr. Mansfield.  Sir, that draft bill was given to us a short while ago.  In fact, I think you are still working on parts of it.  As you know--
 

Mr. Filner.  You said you have been informed about it.
 

Mr. Mansfield.  You know I am not here as a free agent.  I have to fulfill the role that I am given and that involves executive agency coordination.
 

Mr. Filner.  You could have just said we are not participating because we do not have anything yet. 
 

Mr. Mansfield.  Sir, I would be more than happy to tell you the steps that we have been taking.  The Secretary has been down here.  His last testimony indicated that.
 

We are going forward with a reorganization that involves the transfer of 4,610 people to the centralized order of the IT.  The Secretary has directed, as the Chairman indicated, a new authority to make sure that the CIO has the ability to enforce that.
 

We have gone forward with the direction that in addition a CFO should be hired in that office so that the IT can follow the finances of the IT budget that Congress has given us. In addition to that, we have got a training officer in line, and we are going forward with many, many changes.
 

Mr. Filner.  Have you made a decision on the recommendations of the IG report?
 

Mr. Mansfield.  The IG report has been delivered to the Secretary.  He has responded.  And the Secretary has indicated in his response that actions are going forward.  Some of those involve changes, as I have indicated, in the IT organization.  Some of them are personnel actions that I am not at liberty to discuss in public.
 

Mr. Filner.  Your testimony shows how important it is to have the time lines in this legislation and to have you respond to us within X number of days because if it was up to you, you would never respond.
 

I yield back, Mr. Chairman.
 

Mr. Bilbray.  Mr. Mansfield, look.  I will say this as someone who knows the Ranking Member quite personally.  If you were not here today, he would be the first one to raise holy Cain for you not being present.
 

So in all fairness, even though he may not like your testimony, I am sure on second thought, he would much prefer to have you here to be able to address personally rather than you not being present at all.
 

I would ask, Secretary, that over the past several weeks, we have listened to many experts from government, academia, and the industry to learn more about the challenges of effective information management and information security.
 

From all of this, we have come to a common theme: to effectively address the challenges of information security, we have to centralize IT governance.  We have to consolidate IT expertise.  We have to assess the classified data so that we know what is sensitive and what is not, and who is authorized to access it.  We need to develop a well-defined security policy and use technology to ensure compliance with the policy.
 

Given the data breaches that occurred eight weeks ago, what has VA done on those four issues?  This is your chance to be able to answer his questions.
 

Mr. Mansfield.  Well, sir, as I mentioned, in the area of reorganization, we continue with a planned reorganization that dates back to a year ago, last July. And just last week, we signed a contract with IBM to help us move forward on a plan that actually then Assistant Secretary McFarland put forward to have us reorganize the Department over the period of the next six to eighteen to twenty-four months.
 

I think there was some question here about whether we should do it immediately or we should do it in a measured way without outside expertise that will be provided by IBM to make sure that we do do it right and we do do it so it takes hold.  So that is one action that has taken place.
 

The Secretary, as I indicated, has issued a directive that the CIO, the Acting or the Assistant Secretary for IT will have complete authority throughout the Department to enforce the FISMA and other security regulations, and that document has been delivered and is in effect.  That is one change.
 

The other issue is that going back to last April before the event, there was a direction that the IT be given an augmentation that would allow him to have a CFO office so that he could supervise the dollars that are now under his control both for the maintenance and operation domain and for the development domain.  And those are some of the issues that we have taken to attempt to move forward.
 

In addition to that, the Secretary has directed that we look at the elements that caused the breach, that we make sure that we do everything possible to ensure that we recognize that we have the trust of these veterans in our hands and we need to make sure that we do the job that should be done to make sure that that is protected.
 

Mr. Bilbray.  So your outreach to the private sector would be through IBM?
 

Mr. Mansfield.  Sir, in a planned reorganization, in a reorganization that was planned starting a year ago, we have moved forward.  And the last element in that is that we hired a major contractor to come in and oversee the reorganization, as I said, basically planned by former Assistant Secretary McFarland to move this Department into a situation where you have a centralized operation and maintenance domain.  That is the 4,610 individuals plus approximately 560 unfilled slots that will be moved under the direct authorization and control of the Assistant Secretary for IT.
 

At the same time, we are moving the development program for the Veterans Health Administration into a centralized situation under VHA's direction, and that is about 806 individuals.
 

And then in the area of Veterans Benefits Administration, we are moving about 253 individuals into a centralized domain for their development program.
 

And that is the process that we are using to move forward.  IBM will come in and under the process of the RFP that we put out help us make sure that we get this total reorganization of the Department started moving forward, in place and working.
 

And, sir, I would make the point that while Admiral Gauss can talk about collateral damage, when I hear the words collateral damage, I think about our veterans' hospital system and the fact that I cannot afford any collateral damage in developing a program that deals with hospitals and doctors and people going through that situation.  That is not a place where you can afford collateral damage.  So we have to make sure we recognize that as we move forward.
 

Mr. Bilbray.  Well, Mr. Secretary, I have been involved with government data files since I was 25 years old and supervised the operation of different government agencies with the data files.  And one thing I have learned is that all of us in government, I do not care if it is city, county, state, or feds, are so far behind what the private sector is doing.  So I have a major concern.
 

IBM is your private sector source for cutting-edge approach to this problem?
 

Mr. Mansfield.  Yes, sir.  That is true.  They are the ones that were picked in a process again that we have to live under because it is the federal procurement process and the contracting process.  And it has taken the time that it has taken to make sure that we do it right and have them in place.
 

But I would also make the point that not necessarily as a part of their selection process, but IBM itself went through this process for their whole total corporate effort not too long ago.
 

Mr. Bilbray.  The question, though, is that IBM is for the reorganization of the structure, not necessarily for the security of the data?
 

Mr. Mansfield.  Sir, we are making sure that in addition to IBM, there are other corporate entities.  Some of those have already been involved.  I do not have the total picture here with me, but--
 

Mr. Bilbray.  Okay.  Let me ask you a question.
 

Mr. Mansfield.  --we do have people coming in to deal strictly with the security issue or will have.
 

Mr. Bilbray.  One of the things that we looked at when we did the telecommunication bill a few years ago--seems like decades now and, you know, Congressman Stearns was right on top of it--was this issue of biometric confirmation for accessing the data.
 

You know, with everything that we did last year with Real ID and telling state agencies that they have to start tooling up and using biometric confirmation, are you looking at any system requiring biometric confirmation before access?
 

Mr. Mansfield.  Sir, I would have to go back and get the experts to come here and talk to you about that.
 

Mr. Bilbray.  Okay.  My concern is--
 

Mr. Mansfield.  I know we are looking across the board, though, but I would make sure that I got the answers.  So I will bring the answer back to you.  I will talk to the experts.
 

Mr. Bilbray.  Okay.  It does not take brain surgery to do fingerprint reading with a computer, you know.  I mean, they have been doing that since 1978 out on the west coast.
 

Mr. Mansfield.  Right.  I do know that it has been a subject of discussion with the acting IT and some of his senior staff and other members in the Department.  I cannot tell you that we have somebody specifically implementing that in a specific time frame.
 

Mr. Bilbray.  Okay.  And it is not just you.  I mean, I will tell you I am concerned when I go in the Pentagon. It's still using the same access system that it had on 9/11. I know they are talking about changing it, but it still scares me to death that the access system has not been modified over there either, so it is not just your operation.  It is inherent to a government bureaucracy of not wanting to go to cutting-edge.
 

You know, given the VA's current functioning with an acting CAO and that the Director of the Office of Cyber Security recently resigned, what executives do you have in charge of the effort right now today?
 

Mr. Mansfield.  I have to be careful about the terminology.  So we have Major General Bob Howard down in IT in an acting capacity.
 

Mr. Bilbray.  Is he operating day to day?
 

Mr. Mansfield.  Pardon me, sir?
 

Mr. Bilbray.  Is he in charge of the day-to-day operation?
 

Mr. Mansfield.  Yes, sir.  He is supervising the day-to-day operations.  And, again, he is going forward on a confirmation on the other side of the Hill, and we have to recognize the protocol that needs to be in place as far as what definitions--
 

Mr. Bilbray.  Now, could I assume that he is looking at the securing of the veterans' data day to day?
 

Mr. Mansfield.  Yes, he is.  And we have individuals in an acting capacity.  Mr. Sullivan is in place in OCIS and he has been seconded by a Mr. Gephardt to replace the folks that have just recently left us.
 

Mr. Bilbray.  I think the big question my veterans would ask, Mr. Secretary, is the VA less vulnerable today than they were on May 3rd?
 

Mr. Mansfield.  Less vulnerable in the sense that it would be harder for this to happen, yes, sir, I believe it is.  The Secretary put in place a whole week of cyber-security awareness activities.  We moved up the date for all the personnel to go through the training on cyber security and privacy.
 

The reports that came in to me showed that 99.2 percent or something of the workforce has done that.  Those folks that are called to active duty because they have a National Guard or reserve capacity are exempted from it and people that are home sick or on sick leave are exempted.  So I think we have got most people covered with that.
 

And part of the process that the Secretary has directed and the IT is starting to put in place is an additional officer down there to deal with education and training to make sure that we can carry this effort out not just one week of the year but every day and every week and every month throughout the year to make sure that the people remember each and every day what the importance of this issue is and that they pay attention to the rules and that they follow them.
 

Mr. Bilbray.  What is the status of the directive 6500?
 

Mr. Mansfield.  It is still in process, sir, and I will have it.
 

Mr. Bilbray.  How long has it been in process?
 

Mr. Mansfield.  Sir, I am going to have to go back, and I promise you I will report back to your senior staff today.
 

Mr. Bilbray.  Okay.  The rumor is three years.
 

Mr. Mansfield.  Pardon me?
 

Mr. Bilbray.  The rumor is that we have been working on this for three years.
 

Mr. Mansfield.  Yes, sir.
 

Mr. Bilbray.  Sure would be nice if we had it done before the next Administration--
 

Mr. Mansfield.  I think the Secretary's directive on authority is a part of that, but I will double check for you.
 

Mr. Bilbray.  Okay.  And not to pick on you.
 

Mr. Williams, have you received any requests from the VA on any breach analysis contracts?
 

Mr. Williams.  Congressman, we are talking to the VA even as late as last night about a potential contract for data breach analysis.  We are also working with OMB on that.
 

Mr. Bilbray.  Okay.  The Committee wants to be able to better monitor and assist the Department in making progress on the sensitive data files for veterans.
 

What actions and milestones is the Department able to commit today for securing these veterans' sensitive data?
 

Mr. Mansfield.  Mr. Chairman, there are two or three actions that are in process based on directions that the Secretary gave and that were given to the administrations and staff offices.
 

One is to go through a follow-up to a current directive that we have on the books that allows us to take each and every work description, job description and go through that to figure out what the access level for that person should be to sensitive data and then define from that access level what type of clearance we need to have for that person.  And that process is under the direction of Human Resources and is moving forward with IT obviously giving some information as to what the access levels should be.
 

We already have had in place in the Veterans Health Administration an activity that takes all but the last part of this, and the Veterans Benefit Administration was starting it.  So we have a process in place that we are using to add on the access for sensitive information and then from there define what the clearance level is.
 

In addition to that, as we have indicated, we have gone out for a data call to find out exactly how many laptops we have, how many laptops are owned by the VA, and bring those in so that we can, when the lawsuits allow us to and General Counsel may have to talk to that, to be able to clean those down.
 

And then also the question that came up here earlier about whether VA doctors should have VA owned laptops is one that the Secretary has made a decision that they shall, but we need to figure out what the number is and then the decision is how do we go forward and purchase the equipment that is needed and make sure that the training that is required to use this takes place and we go forward with what is required in our new order and our new ability to protect information.
 

The problem we have right now and the reason I granted waivers is we have got doctors that may have operated on a patient at ten o'clock in the morning and a nurse or an attending physician may be calling them at home at ten o'clock at night and that doctor wants to be able to access the information that is available throughout the day in that file so he can get a sense of what orders he should be giving to that nurse or attending physician.
 

And that is one of these issues where again collateral damage is an issue that we need to take into account and recognize that we have a hospital system we are running here and the effort is to make sure that we can get those doctors identified and the appropriate equipment in their hands as soon as possible.  And that is underway.
 

Mr. Bilbray.  The current policy basically says the General Counsel's Office is responsible for its own data security.  And there has been no standard operating procedure on the policy on the Regional Counsel's Offices.
 

Why was there no policy on the data security of the Regional Counsel's Offices?
 

Mr. Mansfield.  Sir, I make the point that under the reorganization, the GC's IT folks are responsible to the Office of Information Technology.  There is no doubt that we have some catching up to do as we bring all these people all over the country, approximately, I think, 420 some, into the fold, make sure that they are all following the same directions and orders and make sure that they all understand what they have to do.
 

This is the first time that we have pulled these folks together as an IT workforce.  And we have also directed that in October there will be the first national conference, a national training conference for all these IT folks, so that we can help them understand what the processes are and what the needs are and have them move forward.
 

Mr. Bilbray.  What are the barriers that are preventing the Department from moving forward to implementing the Goldman-Sachs and CitiGroup's recommendations on centralization and consolidation of IT infrastructure?
 

Mr. Mansfield.  Well, you have heard some of the prior discussion here.  It has been about some of the issues that we have to deal with.  And I would make the point that, as I said, we are in the middle--
 

Mr. Bilbray.  I just want to make sure that when we come down the pike, you can identify right now where your problems are so that we may be able to help.  But where are the barriers to executing those recommendations?
 

Mr. Mansfield.  Well, as I said, part of it is we are required and we are following the federal rules for acquisition to make sure that, you know, the correct RFPs are put together and that we go through the process for selecting these folks so that we do not wind up in court over that.
 

You have heard some discussion here about personnel issues.  And I can make the point that a year ago, it took us 145 to 165 days to hire an SES person on board, you know, a regular schedule, not a political.
 

Today with efforts going forward under Human Resources, we are down to 94 days to hire SES from the time of the announcement to the closure.  Part of that time is when the files are in OPM for their final approval as they have an SES position.
 

In an effort to help move forward the IT arena, I have directed the Director of Human Resources, the Assistant Secretary to put together a special group that will concentrate on IT and will be devoted to IT in an effort to fill their high-level, mid-level, and low-level positions across the board.
 

In addition to that, as we look at how we need to reorganize in addition to what we had originally planned, one of the things that we know, for example, to fulfill the FISMA requirements is the ability not only for enforcement by the Information Security Officers but also ability at least on a regional basis to have folks that can go out and do checkups on what is going on in the area.  And those people also will have authority to ensure that the facility Director follows the instructions that are given if we come in to do an audit on IT capabilities.
 

So there are many changes going into place, and we are dealing with the normal issues of fulfilling the general service requirements and the procurement requirements and the contracting requirements, et cetera, et cetera.
 

Mr. Bilbray.  Well, thank you.  I want to thank the gentle lady from the great State of South Dakota for her patience.  I will recognize her at this time.
 

Ms. Herseth.  Thank you, Mr. Chairman.
 

Understanding the time it takes to get some of the positions through and the coordination, since we are marking this bill up on Thursday, we will still, you know, await the views on the bill, not the draft bill.
 

And do you anticipate and can you give us some sort of time table in which we might be able to see the views on the bill after it is marked up on Thursday?  Would it maybe be sometime next week before the August recess or do you know if it is going to be August?
 

Mr. Mansfield.  Madam Congresswoman, part of the process here requires that I have a final product in my hand that I can then have my General Counsel look at.  And then the process also requires that there be some intergovernmental, you know, review of this.  And that is done by OMB.  So that means OMB gets the final product. Until I have a final product, I cannot pass it on to them. I cannot come here and release the information on behalf of the Executive Department until I get that clearance.
 

Ms. Herseth.  Okay.  So you will have a final product obviously Thursday when we mark it up.  In terms of just getting some views, I am hoping--
 

Mr. Mansfield.  Let me--
 

Ms. Herseth.  Let me just interrupt.  I understand the situation you are in.  I do not take necessarily the same perspective on it that Mr. Filner does.  I understand that this is going to take some time.
 

However, in light of the previous testimony, in light of the article today, with all these other agencies having these problems, in light of the need to move, in light of the fact that you and the Secretary have been responsive to the IG report--your response to the recommendations are in here--I am just hopeful that we will see a desire on your and the Secretary's end to expedite the process of making all that coordination happen so that we can get the views of the Executive Branch on the provision of creating the Office of the Under Secretary of Information Security, that we can get the Administration's views on what will be in the bill as it relates to, you know, what we owe to the veterans in the case of a breach.
 

And perhaps you cannot respond to these questions, but I feel that what the Secretary brought in a couple of weeks ago in giving the authority, including enforcement, that we were seeking, that we thought would have helped, that that is essentially de facto what we are trying to do in creating the Office of the Under Secretary so we do not have this problem with a different political appointee at some time in the future, that serving as Secretary of the VA, that we have to then wait for the same kind of memo and the same kind of sign-off, and that we also have some explanation given the hard work that has already been done in the agency in responding to the IG report and recommendations of how what has already happened, what the planned actions are, how that fits in with what we hope to achieve if we get the full House and the Senate to agree that the bill that we mark up on Thursday is going in the right direction to achieve the kind of expedited manner of going forward that can be of assistance to other federal agencies.
 

Mr. Mansfield.  I will get it as soon as I can, and I promise you I will go back and make one more concerted effort to see what we can get.  I think we now have a product in hand that will allow us to work on it.
 

I want to make the point that this is an issue that is of the first priority in this Department and we are doing everything we can to attempt to move forward and solve this and hopefully start the process of getting back in a favorable position with the veterans whom we let down when this happened.
 

And as an aside, I would make the point that I have dealt with Mr. Filner again on both sides of this table for a long time, and I have no problem with listening to or answering his questions.
 

Ms. Herseth.  I appreciate that.  I think it is always helpful when members of the Committee, you know, pose as fair a question as possible for our witnesses to answer.  And I am not suggesting that other members of this Committee do not always make a good-faith effort to do that.  I just think we all have different approaches.  And we have to work together.
 

I mean, part of the problem here is that there has been this obstruction that people discuss within some departments of the VA.  And it is important to me that rather than taking these constantly adversarial positions of the Committee versus those at the departments that are trying to make this happen, that at this point, we set that aside to the extent that we have had disagreements there, that we recognize we are really in a bind not only at the VA but with other federal agencies and how far behind we are of getting a grasp of this problem, and that we do everything possible to recognize that I think we are on the same page of wanting to move forward here, but that just as the VA may have its institutional barriers of breaking through and making this happen, this institution and both chambers and how we interact, you know, need to move quickly here as well.
 

And my hope is that because we are marking up on Thursday that if we can get you all to coordinate in an expedited way with those views that that gives us then a chance to move quickly in September in the full House sending a clear message to the Senate that you have had your opportunity to give your views, that we have made whatever changes we think need to be made on the House floor through amendments, and that Congress can move quickly here, too, in working in coordination with the recommendations of the IG, the actions that you have already taken, and that we keep this one outside of any politics that can be anticipated prior to November so that we do not have to wait until after November to actually make the type of progress and moving with the type of speed that I think you want to move, that I want to move, that the Chairman wants to move, the Committee staff wants to move, that your staff wants to move.
 

So that is the reason I bring it up, because I am hoping that we have that to guide us then in early September to move quickly the way that--Congress should move as quickly as we want you to be moving within the agency.
 

Thank you, Mr. Chairman.  I yield back.
 

Mr. Bilbray.  Thank you.
 

Mr. Secretary, I appreciate your time.  I just hope you understand that though media may not be talking about this like the issue of armoring the Humvees when our soldiers were being hit by roadside bombs, the veterans out there feel like they are at risk just as much and that the security of data files that can be tapped in for huge financial benefits to anybody who wants to do it or can get into it needs to be given a very high priority, that the veterans not only deserve to have their armor for their sensitive information in place protecting them, but please understand that there are people out there who recognize that data mining information, financial access has huge potential to not only do damage to the individuals who take it but also to financially benefit those who could crack in.
 

And I think we are all learning that the criminal elements that would love to have access to this are not just people that we would perceive as the traditional mob mentality, but also are organized, not organized crime, but organized terrorists would love to be able to generate the kind of revenue that information sharing illegally could generate.
 

So I hope that you recognize that even though the media is not talking about it, the degree of urgency should reflect the same kind of degree of urgency to protect the veterans' files as we were hearing about protecting the active-duty Humvees.
 

And I just remember the Chairman of Armed Services literally making phone calls flying back from Iraq trying to get that out there.  I would sure love to see that kind of urgency when it comes to protection of our veterans' critical information.
 

Mr. Mansfield.  Sir, the Secretary has stated at this table, and I will repeat it, that this is the highest urgency for us.  We understand that we have to do the job of protecting veterans' information, and we are doing everything we can and we are working as cooperatively as we can and as fast as we can with this Committee because we know that in this area that we are in lockstep, we have the same interests at heart here.
 

Mr. Bilbray.  I just want you to remember that the same barriers to getting the job done apply to the armoring project, exactly the same barriers, that there are procedures that they have to go through.  Just understand that that kind of urgency needs to be there because we do not want to have another story and have the media on top of you after another breach has happened.  We would rather that that pressure be put on now and avoid that problem in the future.
 

I thank you very much, all of you gentlemen, for being here today and testifying.
 

Mr. Mansfield.  Thank you, Mr. Chairman.
 

Mr. Bilbray.  Thank you.
 

Mr. Williams.  Thank you.
 

Mr. Bilbray.  We have the next panel.
 

The Chairman.  Our final panel is comprised of several veterans service organizations and military service organizations with an interest in this legislation.
 

First we will hear from Mr. Peter Gaytan, the Director of Veterans Affairs Rehabilitation for the American Legion.
 

Next we will hear from Colonel Bob Norton, the National Commander for the Military Officers Association of America.
 

We will then hear from Louis Irvin, the Acting Deputy Executive Director for PVA.
 

And, finally, Mr. Larry Madison, the Deputy Legislative Director for the Retired Enlisted Association.
 

Gentlemen, thank you.
 

And, Mr. Gaytan, you are now recognized.


STATEMENTS OF PETER GAYTAN, DIRECTOR FOR VETERANS AFFAIRS AND REHABILITATION, THE AMERICAN LEGION; ROBERT F. NORTON, DEPUTY DIRECTOR OF GOVERNMENT RELATIONS, MILITARY OFFICERS ASSOCIATION OF AMERICA; LOUIS IRVIN, ACTING DEPUTY EXECUTIVE DIRECTOR, PARALYZED VETERANS OF AMERICA; LARRY MADISON, DEPUTY LEGISLATIVE DIRECTOR, THE RETIRED ENLISTED ASSOCIATION



STATEMENT OF PETER GAYTAN

 

Mr. Gaytan.  Thank you, Mr. Chairman.
 

The American Legion is encouraged that Congress and the Administration are carefully reviewing the lapse in procedure that led to the largest information security breach in the history of VA.
 

However, VA must now do everything possible to ensure that the personal information of America's veterans, active duty, Guard, and reserve personnel is never stored, packaged, or transferred in a method that will allow such an enormous loss to result from the lapse in judgment of a single VA employee.
 

This loss of more than 26 million veterans' records to include spouses, active duty, Guard, and reserve members is an inexcusable betrayal of trust, and VA must now implement new policies, procedures, and processes needed to ensure proper IT security.
 

And the American Legion appreciates the opportunity to comment on the proposed legislation being considered here today.
 

The Chairman.  Do all of you have written testimony? All of you answer in the affirmative.
 

Would you like it submitted for the record?  All answer in the affirmative.
 

Hearing no objection, so ordered.
 

Mr. Gaytan.  Thank you, sir.
 

The American Legion is supportive of this proposed legislation and the attitude of Secretary Nicholson which are in agreement with the VA OIG report recommendations, specifically taking whatever administrative action deemed appropriate concerning the individuals involved, establishing one clear, concise VA policy on safeguarding protected information, modifying mandatory cyber security and privacy awareness training, ensuring that all position descriptions are evaluated and have proper sensitivity level designations, and that required background investigations are completed in a timely manner, also establishing VA-wide policy for contracts that ensures contractors are held to the same standards as VA employees, establishing VA policy and procedures that provide clear, consistent criteria for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information.
 

Regarding specific recommendations of this proposed legislation, the American Legion supports including spouses on the list of individuals protected in this legislation if personal information is compromised.
 

Also, regarding the provision of credit protection services and fraud resolution services, the American Legion supports language that will ensure monetary reimbursement for any negative financial impact resulting from compromised personal information.
 

Also, the American Legion supports a protection plan that can be implemented even after the one-year time limit proposed in this legislation.
 

Finally, the American Legion wants legislative assurances made to veterans that if their information is compromised by VA, unless it is undeniably the result of some other cause, the VA or federal government will assume the responsibility of any loss incurred by the veteran or relevant family members.  We want to avoid the need for veterans to ever have to prove it was the fault of VA that their information was compromised.
 

The data theft that occurred in May has served as a monumental wake-up call to the nation.  VA can no longer ignore the needs to improve its IT security directives.
 

Mr. Chairman, I think you brought that issue up several years ago and you have been fighting for IT issues within VA to be upgraded at the least, and now we know that there is a need not only for upgrading that IT, but also ensuring that security provisions exist in the VA's directives.  And we applaud you for that, sir.
 

Also, the American Legion wants solid assurance that funding for the IT overhaul within VA will not be paid for with money from other VA programs.
 

In my remaining time, Mr. Chairman, if you will, I want to mention the importance of the information that was gathered in the OIG report.  And I urge you as Chairman of this Committee and any other member on the Committee if you have not reviewed the information in that OIG report, if you have the time, do it yourself.  If not, get your staff to do it.  If you do not have time, call the American Legion.  We will give you a brief synopsis of some of the other issues within the Department of Veterans Affairs that were brought to light as a result of that IG report.
 

The issues in the agency go a lot deeper than what happened with the theft of one computer.  The reasons behind not only the theft of that computer but the lax in control of information, the assumption that taking that information home was permitted and also the huge delay in reporting time from the theft of that information up the chain of command within VA can be attributed to personnel issues that need to be addressed within the Department of Veterans Affairs.
 

And I urge you and your staff and the members of this Committee to review that important information in that IG report.
 

Mr. Chairman, I thank you again for the opportunity for the American Legion to present our opinions on this terrible breach of security within the Department of Veterans Affairs.  And I am here to answer any questions if needed.
 

The Chairman.  Thank you very much for your testimony.
 

Colonel Norton, you are recognized.
 

[The statement of Peter Gaytan appears on p.  ]



STATEMENT OF ROBERT F. NORTON

 

Colonel Norton.  Thank you, Mr. Chairman.
 

On behalf of the 360,000 members of the Military Officers Association of America, I am honored to have this opportunity to present our association's views on the Veterans Identity and Protection Act of 2006.
 

Mr. Chairman, I would like to offer four points for the Committee's consideration on the legislation at hand and then I would be happy to take your questions.
 

First, MOAA supports the establishment of the position of Under Secretary for Information Services in the VA.  We believe the CIO position offers potential for advancing the goal of seamlessly transferring data and information securely from the Armed Forces to the VA.
 

MOAA recommends that the Committee consider specifying in the bill language regarding the role of the VA CIO in the context of the joint VA/DoD Executive Council.  That body, as the Committee knows, provides oversight on cooperative activities between DoD and VA.  Until we get the seamless transition goal right, we believe that the military and veterans' communities will not be well served in terms of their healthcare and benefits.
 

No doubt DoD has lost confidence in the VA to protect sensitive information.  The VA CIO must work to restore a strong partnership with the Defense Department.
 

Second, if adopted by Congress, the Under Secretary of Information Security should make as a priority action informing and educating veterans about the credit protection and fraud resolution services identified in the bill.
 

We appreciate the fact that the Committee intends to authorize these services at no cost to veterans and survivors in the event of a data breach of personal information.
 

Third, we believe all government agencies that use the Social Security account number as a record identifier should begin now to develop alternative identifiers that pose less risk of security theft.
 

We understand, Mr. Chairman, of course, that such an effort as discussed earlier today poses enormous challenges. But if other large bureaucracies such as the State of Virginia can develop alternative ID numbers for State residents to place on their driver's licenses, federal agencies should strive to offer at least the same level of protection.
 

Finally, in our view, a key measure of effectiveness for the CIO position will be its integration into the complex VA bureaucracy.  As you know, this will be -- and this was discussed at length in earlier panels -- this will be no easy task.  Veterans know that navigating the three line operations of the VA, health, benefits, and memorial affairs, is difficult at best.  Adding another bureaucratic layer into this system is fraught with many challenges and even risk.  But we believe that a single manager is needed to ensure the security of veterans' personal information and to advance the effective business integration of the VA.
 

This concludes my testimony, Mr. Chairman, and I appreciate the opportunity to appear before you today.  I look forward to your questions.
 

The Chairman.  Mr. Irvin, you are recognized.
 

[The statement of Robert F. Norton appears on p.  ]



STATEMENT OF LOUIS IRVIN

 

Mr. Irvin.  Thank you, Mr. Chairman and members of the Committee.
 

I would like to take the opportunity to thank you for the availability to speak here today.  We appreciate the extensive amount of work that has gone into review of VA's IT process along with the recent data theft and occurrence.
 

It is incumbent upon the VA and Congress to ensure that this does not happen again and to ensure that the interests of the veterans are protected.  PVA recognizes that the need to reform the VA information management services is paramount.
 

We do support the idea of strengthening the authority of the Chief Information Officer.  However, we do not believe the importance of this individual should rise to the level equivalent of the Under Secretaries for Health, Benefits, and the National Cemetery Administration.
 

Information services functions as a support service to these entities.  Information technology is not a mission-level program within the Department.
 

The responsibilities of the CIO are much like those of an Assistant Secretary for Operations, Security, and Preparedness.  The Assistant Secretary ensures that the life and property of both veterans and VA employees is protected.  Personal information is clearly as important.
 

We do believe all the functions and responsibilities of the CIO should be consolidated as outlined in the legislation.  We support centralizing the creation and implementation of policies and procedures including information security within the CIO's program.
 

We think it is important that control of activities and systems that support information services should be retained within VHA, VBA, and NCA.  Furthermore, the management of all mission applications, information resources, personnel, and infrastructure should be retained at that level as well.
 

Although the CIO would manage the information systems policy of the entire VA, he would not necessarily know what systems and applications work best to actually provide healthcare or benefits information.  Information technology is not the mission of the VA.  It is the tool that individuals responsible for the mission should have the authority to manage their tools the best way they see fit.
 

PVA fully supports the data breach reporting requirements established by this legislation.  We also recognize the need to put in place credit protection services as outlined in the legislation.  It is important that if veterans' personal data is stolen in the future that their credit be protected from criminal behavior.
 

However, it is important to emphasize that the VA must notify veterans immediately if a data breach occurs.  It should be done within days, not weeks.  The three weeks it took to notify the public with the most recent data theft is wholly unacceptable.
 

PVA does not believe it is necessary to move forward with credit monitoring and other protections if it is clearly determined that none of their personal information has been compromised.
 

The VA has been fortunate to recover the stolen hardware on which the data was stored.  We do strongly caution, however, that any data breach in the future be immediately viewed as if it has been compromised.  At such time, veterans are given the opportunity to access a credit monitoring process supplied by the VA.  This is imperative in reestablishing the trust that has been lost through this ordeal.
 

We must also emphasize that if VA is to provide these services due to a data breach in the future that separate funding must be appropriated to provide these services.
 

Finally, we believe that as this legislation moves forward, the Committee should ensure that this legislation offers the same types of protections to those men and women who are currently serving.
 

PVA would like to thank you for the opportunity to testify today.  We would be happy to answer any questions that you may have.
 

The Chairman.  At the end of a long hearing, it is only proper that the Master Sergeant fill in all the details.  You are recognized, Larry.
 

[The statement of Louis Irvin appears on p.  ]



STATEMENT OF LARRY MADISON

 

Mr. Madison.  Thank you, Mr. Chairman, members of the Committee, for this opportunity to provide testimony for the record to the House Committee on Veterans' Affairs.
 

All of us were shocked and alarmed in early May when it was announced that a laptop computer containing the personal data of nearly 29 million veterans, active-duty, Guard, and reserve personnel was stolen.  And although we are pleased that the laptop has been recovered and it appears that the data was not accessed, the problems regarding data security at the Department of Veterans Affairs still need to be corrected.  That is why we are pleased with the draft legislation that is the focus of this hearing today.
 

We want to thank you, Mr. Chairman, and all of the members of the Committee for the collective nonpartisan way in which you have sought to handle this crisis.  It was sincerely gratifying to watch the Committee work together in seeking to learn the details of the situation and then coming up with the proposed legislation.
 

Like many others, we were amazed to learn during the hearings held by this Committee about the warnings from the GAO and the VA's own Inspector General and Assistant Inspector General going back as far as 1997 concerning the weaknesses in the VA's information security systems.
 

That is why we have no doubt that the legislation under discussion today is necessary to ensure the corrections needed at the VA are accomplished and to help restore the faith of America's veterans in the security of their personal information that is kept by the Department.
 

In particular, we believe the creation of the position of Under Secretary for Information Services is vital if the task of increasing personal data security in the Department is to succeed.
 

During the testimony given by officials from the Department of Veterans Affairs before this Committee, it was painfully apparent that there was not a single individual who was in charge and responsible for data security.  The change envisioned in this legislation is a positive one that we believe is urgently needed.
 

In addition, we applaud and strongly support the reporting requirements outlined in the legislation.  We believe the annual compliance report to Congress and the monthly reports to the Secretary are urgently needed, and they send a signal to the Department about the seriousness with which this Committee and the Congress take this issue.
 

We note that the legislation provides for credit protection services for any individual whose personal data held by the VA was breached at no expense to the individual if the individual requests one of the credit protection services contained in the bill.  We believe this is a reasonable way to handle this issue and we support the provision.
 

We are pleased that the legislation directs the Secretary to enter into an agreement with one or more credit reporting agencies and this agreement will be in place so that any breaches in the future that place the personal data of veterans in jeopardy can be quickly and efficiently monitored by that agency if individual veterans request such service.
 

The last item we want to mention is the use of Social Security numbers for identification.  As you know, the draft legislation prohibits the use of the Social Security number of any individual to identify that individual unless the use thereof is required by law or the Secretary determines that such use is necessary for the identification of an individual.
 

It is our hope that this is the beginning of a process within the federal government of getting away from using an individual's Social Security number as a person's one and only ID.  Although we recognize the efficiency of using one number as the all-purpose identifier, it is obvious that doing so also increases the efficiency with which a stolen Social Security number can be used to commit identity fraud or other criminal behavior.
 

We hope this section of the draft legislation will be as carefully monitored as the other aspects of the bill because we can foresee a less than enthusiastic response for this provision from the IT persons within the Department.
 

Once again, TREA wants to thank the members of the Committee for your commitment to serving our veterans. Based on what we have learned, we believe this draft legislation will result in the personal data security that is needed for our veterans and is something which every member of this Committee can proudly point to when questioned about this issue by veterans in your districts.
 

This concludes my statement, and I will be happy to answer any questions you may have.
 

[The statement of Larry Madison appears on p.  ]

 

The Chairman.  Gentlemen, thank you very much for your testimony.  And I did not get your testimony last night.  To let you know, in the future, the reason we ask for testimony, not only the staff want to see it, but they put together a briefing book for me and they give it to me the night before and I am able to read all of the testimony. And we can get it out to members.  And when we do not get it in time, it makes it challenging.
 

So we are just hearing it for the first time.  And what I am going to have to do is -- I have made notes here -- because we have a product and we have asked for your view on it.  You have given some detailed recommendations, we will have to swing back through another wicket.  Okay?
 

So after this afternoon and then tomorrow, prior to this being introduced, we will examine your recommendations. Whether or not we incorporate them or not, it is worth another wicket.  And that is what we are going to do.
 

Gentlemen, you were here when Admiral Gauss and Mr. McFarland testified with regard to a recommendation about an implementation requirement and time line.
 

Would all of you concur with that testimony?  You can do it in the affirmative or the negative.  All right.  All agree.
 

With regard to Secretary Mansfield's testimony that an additional six-month review from the IG would be unnecessary because the IG, quote, regularly issues reports about data security practices within the VA and FISMA audits and consolidated financial statement audits performed annually, I ask for your thoughts.
 

Given the Department's track record in implementing recommendations from the Inspector General and GAO, would this be a prudent requirement?
 

Mr. Gaytan.  If I can, sir, for the American Legion, I mentioned a little bit about the information that is in the IG report, and the information that is in that report definitely requires another IG report in six months.
 

And they need to look further and they need to ask some new questions and ask the individual who did take the information home why they thought that they could take it home.  And the admission of the individual that took it home to the IG was that they had been taking the information home since 2003.
 

The Chairman.  So what I take from this then, from the question and your input, and I know I am preempting -- I apologize -- but that an implementation audit would be a prudent performance measure given the VA's track record?
 

Mr. Gaytan.  Yes, sir.
 

The Chairman.  All of you would agree with that?
 

Now, I believe we had some differences on the testimony with regard to the promotion to an Under Secretary.  So I want to make sure I get this.  The opinions on elevating the Assistant Secretary for Information Technology to the Chief Information Officer to an Under Secretary level, agree or disagree?
 

Mr. Gaytan?
 

Mr. Gaytan.  We agree.
 

The Chairman.  Mr. Norton?
 

Colonel Norton.  We agree.
 

The Chairman.  Mr. Irvin?
 

Mr. Irvin.  We disagree.
 

Mr. Madison.  We agree.
 

The Chairman.  Okay.  All right.  Ms. Herseth, you are recognized.
 

Ms. Herseth.  Thank you, Mr. Chairman.  I was going to probe a little bit more on that whole issue of elevating the CIO to an Under Secretary position.
 

Thank you, Mr. Gaytan.  I missed that part of your testimony since you were the first there.  So I was jotting down everyone's position.
 

Now, just to probe a little bit further, Mr. Madison, you think that it is essential, I mean, it is vital according to you and the Association to elevate the CIO to an Under Secretary position, correct?
 

Mr. Madison.  Yes, ma'am.  And I think the testimony from the two gentlemen in the second panel, I believe, underscored that.
 

Ms. Herseth.  And, Mr. Norton, I think you stated that you support elevating the CIO to an Under Secretary position, but you did express some concern about yet another bureaucratic layer in light of some of the other issues you have dealt with in some of the other departments, correct? But at the end of the day, you still support the elevation of the position?
 

Colonel Norton.  Yes.  We definitely support the elevation of the position.
 

Ms. Herseth.  And, Mr. Gaytan, could you elaborate just a little bit on why American Legion believes it is important to elevate the CIO to an Under Secretary?
 

Mr. Gaytan.  Yes, ma'am.  The American Legion feels that the current VA IT security directives, there are dozens of them that exist within the Department of Veterans Affairs.  And the personnel in the Department of Veterans Affairs are not sure which directives to follow, which ones that they should apply to their own information that they use in their jobs.
 

And the existing position of the IT Chief right now within the Department of Veterans Affairs has been unable to put their arms around that information and provide a clear and direct guidance to VA personnel on how they can handle personal information of those veterans that they have when doing their job.
 

So increasing the position that would have oversight over IT within the Department of Veterans Affairs cannot be detrimental.  We cannot be any worse than what we are currently working with right now.
 

I will refer back to the IG report and the information in there.  The individual who took the information home said that they were never told that they could not take it home. So that response alone is a direct need for VA to provide a clear description of their IT security issues regarding their personnel and what their personnel can and cannot do.
 

So increasing this position cannot be any worse than what we are dealing with right now.  So we do not see it as detrimental to what our objective here is and that is securing the information that VA personnel utilize in relationship to veterans' personal information.
 

Ms. Herseth.  Okay.  Thank you for that, the elaboration on the position.
 

So let me come back to you, Mr. Irvin.  And just to better understand PVA's position, because I think you support the enhanced authority.
 

Mr. Irvin.  Absolutely.
 

Ms. Herseth.  But do you have a concern, and this is what I was trying to get at a little bit earlier with Mr. Mansfield.  I feel that the Secretary's memo sets out to achieve de facto what we are trying to secure in the future by elevating that position.  So do you have any concern that we will run up against the same maybe bureaucratic obstacles with each new appointment of a new Secretary if there is a delay in reissuing that memo and having those enhanced authorities available to the CIO?
 

Mr. Irvin.  Well, yes, I do.  I think, you know, as you look at the structure within the Department, the Under Secretary positions are held at mission-level structure. Information technologies is a support of those business lines.  And I think if you create a structure where the support is at the same level as the mission, then the mission can sometimes evolve around the support.
 

And so I would think that, you know, the amount of emphasis placed on information technologies and security is due to the amount of attention that the Secretary, the Deputy Secretary, and the Under Secretaries will place on that.  That is why I think positioning at an Assistant Secretary level is the key.
 

I think the Deputy Secretary already indicated a lot of changes going on with VA.  I do not think that those changes would be enhanced by creating an Under Secretary position. So the authority can be put in place for the CIO without elevating to a mission-level program.
 

Ms. Herseth.  I respect your concerns there.  I maybe would harken back to the previous testimony from the second panel, though, as well.  And, again respecting your concerns in terms of the distinction between mission versus support.
 

But at the same time, I feel almost like this support function, if it is within that category, is so core not only to advancing the mission but also to addressing these problems that really are putting veterans at risk in different ways in light of advances in technology, that by at least having your CIO at the table, on the board that can work with the other Under Secretaries as they make the best case for any recommendations coming from the CIO that would seem to trump support over mission, I just feel it is important to have that person at the table, on the board.  But if we do not have them on the board --
 

Mr. Irvin.  I think that could happen.  I think the Secretary could have that ability to do that with a person at the table.
 

Ms. Herseth.  But we would have to ensure that each Secretary --
 

Mr. Irvin.  But I do not think creating an Under Secretary -- I mean, there are people that sit at that table that are not Under Secretaries.  Am I incorrect in that?  Maybe I am missing the structure.  But I think there are people that sit at that table that are not necessarily Under Secretaries.
 

Ms. Herseth.  Well, that may be the case.  Maybe that is something that we can pursue with staff.  But I do think that we still run into the problem that I expressed at the outset which is even if that is the case, that it is at the discretion of each Secretary, and we are just looking for some guarantee in the organizational structure that the Committee does not have to with each new appointment, whether that is two years, four years, six years, however long it is, with the particular testimony of the past number of weeks of the culture and obstacles and more -- well, that they are just great obstacles it seems within this particular agency than perhaps some other federal agencies, that even CIOs that have worked in different agencies have testified about that it may be important to make this organizational change.
 

But I recognize and respect the fact that you have offered the Committee your thoughts, the PVA's thoughts on how we could approach this a little bit differently, although it has been met with skepticism at least from me and perhaps some of your colleagues within the veterans service organization community.
 

But thank you for your testimony, and if there is any final point you would like to make.
 

Mr. Irvin.  I would just like to say something.  I think as the information technologies does evolve and you take a look at, for example, in the last 24 months with VHA's implementation of the electronic health record, which has really moved VA forward in a lot of ways in providing better healthcare, this is going to continue.  I mean, the information technology structure, I should say support will not be stagnant by any means in the future.
 

So as this continues to evolve, I think it is important that as the Committee looks at this in addressing this issue that it is clearly identified that this is a support for the mission of the Department.  That is where we come from. That is what we would like to stress here today.
 

Thank you.
 

Ms. Herseth.  Thank you, Mr. Chairman.  I yield back.

The Chairman.  Therein lies our challenge.  Therein lies my challenge.  And Lord knows patience is a virtue, and I have just run out at the end of seven years.  I have.  Too many hearings, too much testimony, too many, you know, IG reports, too many GAO reports.
 

Sometimes it takes an external factor in life to require change even in our personal lives.  And we have an incident that finally gets some attention to something and we can perfect some change from it.
 

I will be a good listener and I do not lock into status quos.  There are other departments and agencies that even will take support services and elevate them depending upon the size.  I mean, the only thing I will just ask is not to get locked in to, well, this is a substantive lane, that is a substantive lane, therefore, support functions have to be under them.  You know, sometimes we get our military thoughts and go in chain of commands.
 

The whole idea of empowerment of someone that can be the enabler and be the partner of enabling those three Under Secretaries to get their jobs done, if they subordinate instead of embrace, I do not know how I can achieve the results for which we all seek.
 

I am just being very candid with you and very honest on where I am.  And it is easy to come in and say, well, I think it should be this and here is why too.  I am just letting you know personally where I am coming from.  And I respect your opinion on it.  I just wanted you to know that from me.
 

Mr. Mansfield, thank you for sticking around and listening to the testimony of the VSOs.  And I apologize.  I was not in the room during your testimony.  I want to ask this panel and then I am going to ask you, Mr. Secretary, what your thoughts are.
 

We are going to also work on this idea of creating a scholarship for cyber security Ph.D.  You know, here we have a country, not just the VA, in the challenge.  You know, Gordon, congratulations.  You are the one that just got the attention of everybody.  It could have been the Department of Ag.  It could have been somebody else.  But it was you.  But CitiGroup, name the company, others have had these challenges.  And as a country, if we are producing such a low number of cyber security experts for our country, we are not meeting a need.
 

I cannot change a country in this legislation, but we can take a step to get our own house in order and then I can introduce legislation and go to the Ed and Labor Committee and see what I can do to open this up to help a country. But with regard to our own house, I will ask for your input on an idea to create a scholarship program for cyber security for the VA.
 

Mr. Gaytan.  I think there is a definite need for it and I think it is a great idea to offer anybody the opportunity to improve their education in this country.  But I like what you also prefaced your statement with by putting our own house in order first.
 

I would hate to see the desire to provide an educational opportunity in cyber security override our focus on the problems that exist in securing the IT and personal information of America's veterans that are handled by VA.
 

Colonel Norton.  I like the idea, Mr. Chairman.  I draw the analogy with the tremendous advances in VA healthcare delivery winning all kinds of quality and safety awards in recent years.  I think the VA could be an engine of change for the federal government and, to some extent, even for the private sector if there were an investment in these kinds of people who have the extraordinary capability to help improve the security of sensitive information.  The VA could lead in this way and then be sort of a seed bed for the rest of the federal government.
 

The Chairman.  Mr. Irvin.
 

Mr. Irvin.  Thank you, Mr. Chairman.
 

I, too, support the idea.  I think as information technologies evolve, having the top people available to support that is a good thing.  I think it offers a lot of opportunities within the Department to provide better services and efficiencies, and having better qualified staff and educative staff is definitely key to that mission.
 

Thank you.
 

The Chairman.  Mr. Madison.
 

Mr. Madison.  I support the idea, Mr. Chairman.  I think it makes a lot of sense.  The implementation of it would be interesting to see and see if there is anything comparable to it that exists right now, I am not sure, but I like the idea.
 

The Chairman.  You are right.  Minority counsel and I have just spoken, and we will look at the scholarship programs that we do within VHA with regard to medical specialties.  We can look at that.
 

But in order to bring them on line so that they can assist the Department, I think in the first five years perhaps doing a loan forgiveness so we can try to immediately tap an expertise now and bring them in as we get the program on line.  So you are right about the implementation.  We will put our thinking caps on here and try to get to there.
 

Mr. Secretary, what are your thoughts?
 

Mr. Mansfield.  I wholeheartedly agree with the idea.  I think it is a follow-up to what we are doing with VHA programs.
 

I am also sitting here thinking about some of the soldiers at Walter Reed, Bethesda that could be brought into our IT program as interns.  I met one of them yesterday.  He is visiting.  He is going to summer school.  He is going back to college.  That is the kind of individual that hopefully we could also bring into this program through not just the VA program but also through VBA.
 

The Chairman.  We will put a veterans' preference in this.  I think that would be very good.
 

What?
 

Ms. Herseth.  Well, if I might take a point of personal privilege--
 

The Chairman.  Sure.
 

Ms. Herseth.  --in light of your question and the responses.  I would wholeheartedly endorse not just the scholarship but the idea of loan forgiveness.  We have a number of undergraduate and an increasing number of graduate programs at Dakota State University involving cyber security.
 

I received a demonstration there recently where you cannot even--if you have a laptop and you type in your user name and password, the computer can recognize the manner in which you type it in.  You cannot even log onto the computer because it is keyboard recognition that they have integrated.
 

So I do think that in terms of that generation of students being very far advanced in what we can do as it relates to some of the testimony we got here earlier about laptops and how we make sure they have either got the encryption software and all of these other things that are available to us that we bring in these young people and give them these opportunities to address these problems quickly with a loan forgiveness type of program.
 

If I could pursue one other quick line of questioning before we go to vote.
 

The Chairman.  Hold your thought.  Is it on a different issue?
 

Ms. Herseth.  Yes.
 

The Chairman.  Mr. Secretary, if you could, over the next 24 hours give an assignment to someone to think about that and be in touch with the Committee.
 

Mr. Mansfield.  And report back?
 

The Chairman.  Yes.  Be in touch.  Sure.  Report back.  I mean, we just want to work with you rather than just say here is what you are going to do.  Give us your idea and we will come up with something.  All right.
 

Please.
 

Ms. Herseth.  Thank you, Mr. Chairman.
 

Just in the essence of time here, I just wanted to quickly pursue an area where there was also another difference in the testimony from the Under Secretary position, but also something you referenced earlier, which was my last line of questioning in an earlier hearing about going forward with offering certain services even though it did not look like the information had been compromised, in this letter to the Speaker from Mr. Portman at OMB withdrawing the request for the resources necessary to offer those services to the 26 and a half million veterans.
 

Mr. Irvin, I believe you had mentioned in your written testimony that you said you did not think it was necessary to move forward with the credit monitoring and other protections for veterans if it is clearly determined that none of their personal information was compromised by this latest incident.
 

But, Mr. Gaytan, I think in your written testimony you said that the VA must follow through with its promise to provide one year of free credit monitoring to veterans.
 

Mr. Norton, Mr. Madison, do you have positions on that issue, and, Mr. Irvin, perhaps you could explain why PVA is not pushing for the free credit monitoring like the American Legion is or perhaps there is a difference of opinion you would like to explain for me?
 

Mr. Irvin.  I guess being the disagreer here, I will step forward first.  I think what I would like to make very clear is that what we have been provided, this data was not compromised.  As I further stated, though, I do have a concern in future data breach issues.  But, you know, I do not know the scientific clarity of that.  I am not a data analyst, so I cannot do that.
 

But if it is clear that this data has not been compromised and all the data and all the hardware has been recovered, then I think that I do not see how it can be necessary to go forward with credit monitoring for that specific instance.
 

But I do caution that in the future that the Department is not given 90 days to look to see if the data has been compromised.  I think that if there is a breach in the future that it is important to automatically assume that the data has been compromised and, therefore, things should go forward to provide credit monitoring for veterans.
 

Ms. Herseth.  Which is what I think the draft bill seeks to do.
 

So, Mr. Gaytan.
 

Mr. Gaytan.  Yes.  If I can explain the American Legion's support for credit checks for those individuals who were reported on this list of stolen data, it was also reported, we had initially heard, too, that the data was not accessed.  But then if you read the IG report, you also see that after the laptop was recovered, access to that information did not require a password.  They easily pulled up all the information on the veterans.
 

So we are erring on the side of the veterans in protecting them and ensuring that if any veteran feels they have been compromised as a result of this stolen information that they have the opportunity to seek, to choose assistance.
 

The Chairman.  Mr. Gaytan, as I understand, further forensics has been done.
 

Mr. Gaytan.  After that?
 

The Chairman.  Yes.  So I want you to know that you are commenting right now on something that is stale and much has been done since then.  So you are formulating an opinion based on something that was already here.  And what is unfortunate is that this mile marker is not open to public disclosure right now.
 

Mr. Gaytan.  Yes, sir.
 

The Chairman.  I just want you to know that.  So there is a reason and a rationale as to why the Director of OMB came back to us and then said it is unnecessary for the $160 million.
 

Mr. Gaytan.  Okay.
 

The Chairman.  I just wanted you to know that only because I want to protect the integrity of the Legion.  I want you to be able to give an opinion based on present information.
 

Mr. Gaytan.  Yes, sir.
 

The Chairman.  And it is not there at the moment.
 

Mr. Gaytan.  That information did not reach the American Legion.  Well, I appreciate that.  But also the American Legion supports the offering of credit checks and credit protection for any veteran who may have been compromised.
 

And, again, we agree with PVA in any future instances where a veteran needs to do that, we support the legislative language in this piece of legislation that would protect veterans and allow them that security.
 

Ms. Herseth.  Well, I appreciate your response.  And my final comment is that I think that your testimony, appreciating what the Chairman just explained in terms of what is for public consumption, what is not, and the additional forensics, is that because of what we know of other incidents, which is sort of what I was getting at the other day, and knowing from the second panel that we are going in the right direction based on your commitment to look at the ID IQ contracting process, that because of these other incidents that may be out there that we are still gathering information on, that we do have a system in place that for any veterans in that subset, that if they request a credit check, that that is there.
 

So we appreciate your patience with how I have probed on that particular issue too.
 

Thank you, Mr. Chairman.
 

The Chairman.  Very good.  Thank you very much for your testimony.  The hearing is now concluded.
 

[The statement of John Boozman appears on p.  ]

 

[The statement of Corrine Brown appears on p.  ]

 

[Whereupon, at 1:43 p.m., the Committee was adjourned.]
