b'<html>\n<title> - U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY INVENTORY MANAGEMENT</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n                  U.S. DEPARTMENT OF VETERANS AFFAIRS\n\n              INFORMATION TECHNOLOGY INVENTORY MANAGEMENT\n\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                                 of the\n\n                     COMMITTEE ON VETERANS\' AFFAIRS\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 24, 2007\n\n                               __________\n\n                             Serial 110-36\n\n                               __________\n\n       Printed for the use of the Committee on Veterans\' Affairs\n\n\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n\n37-474 PDF                 WASHINGTON DC:  2008\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing\nOffice  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800\nDC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, \nWashington, DC 20402-0001\n\n\n\n                     COMMITTEE ON VETERANS\' AFFAIRS\n\n                    BOB FILNER, California, Chairman\n\nCORRINE BROWN, Florida               STEVE BUYER, Indiana, Ranking\nVIC SNYDER, Arkansas                 CLIFF STEARNS, Florida\nMICHAEL H. MICHAUD, Maine            JERRY MORAN, Kansas\nSTEPHANIE HERSETH SANDLIN, South     RICHARD H. BAKER, Louisiana\nDakota                               HENRY E. BROWN, JR., South \nHARRY E. MITCHELL, Arizona           Carolina\nJOHN J. 
HALL, New York               JEFF MILLER, Florida\nPHIL HARE, Illinois                  JOHN BOOZMAN, Arkansas\nMICHAEL F. DOYLE, Pennsylvania       GINNY BROWN-WAITE, Florida\nSHELLEY BERKLEY, Nevada              MICHAEL R. TURNER, Ohio\nJOHN T. SALAZAR, Colorado            BRIAN P. BILBRAY, California\nCIRO D. RODRIGUEZ, Texas             DOUG LAMBORN, Colorado\nJOE DONNELLY, Indiana                GUS M. BILIRAKIS, Florida\nJERRY McNERNEY, California           VERN BUCHANAN, Florida\nZACHARY T. SPACE, Ohio\nTIMOTHY J. WALZ, Minnesota\n\n                   Malcom A. Shorter, Staff Director\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                  HARRY E. MITCHELL, Arizona, Chairman\n\nZACHARY T. SPACE, Ohio               GINNY BROWN-WAITE, Florida, \nTIMOTHY J. WALZ, Minnesota           Ranking\nCIRO D. RODRIGUEZ, Texas             CLIFF STEARNS, Florida\n                                     BRIAN P. BILBRAY, California\n\nPursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public \nhearing records of the Committee on Veterans\' Affairs are also \npublished in electronic form. The printed hearing record remains the \nofficial version. Because electronic submissions are used to prepare \nboth printed and electronic versions of the hearing record, the process \nof converting between various electronic formats may introduce \nunintentional errors or omissions. Such occurrences are inherent in the \ncurrent publication process and should diminish as the process is \nfurther refined.\n\n\n                            C O N T E N T S\n\n                               __________\n\n                             July 24, 2007\n\n                                                                   Page\nU.S. Department of Veterans Affairs Information Technology \n  Inventory Management...........................................     1\n\n                           OPENING STATEMENTS\n\nChairman Harry E. 
Mitchell.......................................     1\n    Prepared statement of Chairman Mitchell......................    29\nHon. Ginny Brown-Waite, Ranking Republican Member................     3\n    Prepared statement of Congresswoman Brown-Waite..............    30\nHon. Timothy J. Walz.............................................     4\n\n                               WITNESSES\n\nU.S. Government Accountability Office, McCoy Williams, Director, \n  Financial Management and Assurance.............................     5\n    Prepared statement of Mr. Williams...........................    31\nU.S. Department of Veterans Affairs:\nHon. Robert T. Howard, Assistant Secretary for Information and \n  Technology, and Chief Information Officer......................    14\n    Prepared statement of Mr. Howard.............................    38\nHon. Robert J. Henke, Assistant Secretary for Management.........    16\n\n                       SUBMISSIONS FOR THE RECORD\n\nSpace, Hon. Zachary T., a Representative in Congress from the \n  State of Ohio..................................................    39\nStearns, Hon. Cliff, a Representative in Congress from the State \n  of Florida, statement..........................................    39\n\n                   MATERIAL SUBMITTED FOR THE RECORD\n\nReport:\nUnited States Government Accountability Office, Report to \n  Congressional Requesters, July 2007, entitled, ``Veterans \n  Affairs: Inadequate Controls over IT Equipment at Selected VA \n  Locations Pose Continuing Risk of Theft, Loss, and \n  Misappropriation,\'\' GAO-07-505.................................    41\nTables and Figures from GAO-07-505 [The Tables and Figures are \n    included in the GAO report and will not be reprinted.]\nPost Hearing Questions and Responses for the Record:\nHon. Harry E. Mitchell, Chairman, and Hon. Ginny Brown-Waite, \n  Ranking Republican Member, Subcommittee on Oversight and \n  Investigations, to Hon. R. 
James Nicholson, Secretary, U.S. \n  Department of Veterans Affairs, letter dated July 20, 2007, \n  requesting the VA to provide the most recent equipment \n  inventory certification letters from all facility directors \n  [The information was provided to the Subcommittee and will be \n  retained in the Committee files.]..............................    73\n\n\n                  U.S. DEPARTMENT OF VETERANS AFFAIRS\n\n\n\n                    INFORMATION TECHNOLOGY INVENTORY\n\n\n\n                               MANAGEMENT\n\n                              ----------                              \n\n\n                         TUESDAY, JULY 24, 2007\n\n            U. S. House of Representatives,\n      Subcommittee on Oversight and Investigations,\n                            Committee on Veterans\' Affairs,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to notice, at 2:07 p.m., in \nRoom 334, Cannon House Office Building, Hon. Harry E. Mitchell \n[Chairman of the Subcommittee] presiding.\n    Present: Representatives Mitchell, Walz and Brown-Waite.\n\n             OPENING STATEMENT OF CHAIRMAN MITCHELL\n\n    Mr. Mitchell. Good afternoon. Welcome to the Subcommittee \non Oversight and Investigations, and today\'s hearing is on \ninformation technology (IT). This hearing will come to order.\n    I want to thank everyone for coming here today. I am very \npleased that so many folks could attend this oversight hearing \non the U.S. Department of Veterans Affairs (VA) information \ntechnology inventory issues. We know that VA has serious \nproblems with keeping track of its IT inventory. This is not \njust a dollar issue, although it is certainly that; it is also \na security and privacy issue. 
VA\'s inventory deficiencies mean \nthat VA cannot assure that private medical and other \ninformation belonging to the Nation\'s veterans remains private.\n    We are going to begin the hearing today by hearing from the \nU.S. Government Accountability Office (GAO) and their GAO \nreport, and this is the report that is being released today: \nInadequate Controls over IT Equipment at Selected VA Locations \nPose Continuing Risk of Theft, Loss and Misappropriation. This \nwas just released today, showing the results of its testing of \ninventory systems and procedures at four VA locations.\n    The results are not pretty. As you can see from the chart, \nand there is a chart over here, most of you cannot see it here, \nbut Members on the dais can see it. The sample location GAO \ntested showed that from 6 to 28 percent of IT items listed as \nbeing in inventory could not be located. The Washington, DC, VA \nMedical Center could not find an astonishing 28 percent of the \nIT items in inventory. The missing items at the four locations \nhad a combined value of $6.4 million.\n    Sad to say, this is not a recent problem. In July 2004, GAO \nreported that the six VA medical centers it audited did not \nhave reliable property databases. GAO followed up on these \nsites as part of its current report and concluded that more \nthan $13 million in IT equipment was still missing from those \nsites. Incredibly, an inventory being conducted by one of these \nsites in response to the 2004 GAO report is still not complete.\n    If this were not bad enough, GAO further reports that VA \nhas seriously flawed policies and procedures. Again, the chart \nillustrates the extent of the problem. 
One line says \n``incorrect user organization.\'\' That means the inventory \nsystem is incorrectly identified to whom the equipment was \nassigned.\n    Look at the numbers: 80 percent of the Washington, DC, \nmedical facility, 69 percent in Indianapolis, 70 percent in San \nDiego.\n    VA\'s central headquarters does better, only 11 percent, but \nmore than makes up for this with physical location of 44 \npercent of its IT equipment misidentified in its inventory \ndatabase.\n    The issue of security could not be better illustrated than \nby a photograph you see over here, and there is a photograph, a \nblowup. And this photograph is of an IT equipment storeroom at \nVA central headquarters. It seems hardly necessary for GAO to \nhave pointed out that this storeroom did not meet VA\'s \nrequirements for motion intrusion detection alarm, secure \ndoors, locks and special access keys.\n    Security is no small matter, and we are not concerned only \nabout hardware. GAO found hard drives at two of the four \nlocations that were designated as excess property to be \ndisposed of. It still had hundreds of veterans\' names and \nSocial Security numbers. This is completely unacceptable.\n    At this time, I ask unanimous consent that the complete GAO \nreport be entered into the record. Seeing no objection, so \nordered.\n    [The report, GAO-07-505, entitled, ``Veterans Affairs: \nInadequate Controls over IT Equipment in Selected VA Locations \nPose Continuing Risk of Theft, Loss and Misappropriation,\'\' \nappears on p. 41.]\n    Mr. Mitchell. I can assure you, we will be back to hear \nthis. We intend to ask GAO to conduct other checks of VA\'s \ninventory system in a few months\' time, and if another hearing \nturns out to be necessary, we will have another one.\n    Last week, Ms. 
Brown-Waite and I sent a letter to the VA--\nand this is part of our letter--requesting copies of the most \nrecent annual equipment inventory certification letters from \nall facility directors. We also requested a list of all \nfacility directors who did not provide certification for \ncompleting their annual inventories. I would like to thank the \nVA for their prompt response.\n    At this time, I ask unanimous consent that Ms. Brown-\nWaite\'s and my letter be entered into the record. Seeing no \nobjection, so ordered.\n    [The July 20, 2007, letter to U.S. Department of Veterans \nAffairs Secretary Nicholson, appears on p. 73.]\n    Mr. Mitchell. Before I recognize the ranking Republican \nMember for her remarks, I would like to swear in our witnesses, \nand I would like to ask all witnesses if they would please come \nforward and rise, both the first panel and the second panel. If \nyou would, all please rise.\n    [Witnesses sworn].\n    Mr. Mitchell. Thank you.\n    [The prepared statement of Chairman Mitchell appears on p. \n29.]\n    Mr. Mitchell. I now recognize Ms. Brown-Waite for opening \nremarks.\n\n          OPENING STATEMENT OF HON. GINNY BROWN-WAITE\n\n    Ms. Brown-Waite. I thank the Chairman very much, and I also \nthank those who will be presenting today. My goal for this \nhearing is not just to learn where VA is relative to the \ncurrent IT inventory management, but to learn where and how \nthey are working to improve security controls, maintenance and \nmanagement of their equipment.\n    The July 2007 GAO report, which the Chairman just had \nadmitted to the record, increased my growing concern over VA\'s \ncontrol over its inventories from my reading of the weekly \nSecurity Operations Center (SOC) reports. The GAO report \nreflected four specific sites for their report. 
During this \nstudy fewer than half of the items GAO selected for testing \ncould be located, and most of the items were information \ntechnology equipment.\n    GAO found that the four VA locations reported over 2,400 \nmissing IT equipment items valued at about $6.4 million. These \nwere identified in inventories performed during fiscal years \n2005 and 2006.\n    Equally troubling in the information in the report was that \nmissing items were not always reported right away, and in some \ninstances, not for several years. At one of the locations, as \nshown on the easel, 28 percent of the items surveyed during the \nGAO audit were missing.\n    Mr. Chairman, I find the lack of control over equipment \ncompletely unacceptable. Here in the House of Representatives \nour acquisition offices perform annual equipment inventories in \nall offices. The Chief Administrative Officer\'s staff comes \ninto our offices either to tag equipment we have purchased, \nremove equipment we no longer use, or inventory the equipment \nunder our control. By keeping a centralized acquisition and \ninventory process, the House is able to maintain tight control \nover its equipment inventory. Given the results of the GAO \nreport, it appears that the VA is unable to do likewise.\n    According to the report, there is also a lack of user-level \naccountability for the IT equipment due to weak overall control \nof the equipment environment. The IT personnel and IT \ncoordinators do not have physical possession or custody of all \nthe IT equipment under their purview. Therefore, they are not \nheld accountable for IT equipment determined to be missing \nduring physical inventories.\n    In my opinion, Mr. Chairman, there needs to be \naccountability for inventories from the chief executive officer \nclear down the line to the user who is ultimately using the \nproduct. 
But I guess you could also say ``using or losing the \nproduct.\'\'\n    The weekly SOC reports consistently show missing IT-related \nitems from the VA\'s inventories, whether it is listing old \nequipment that possibly had been disposed of after it was no \nlonger of use to the VA, or new equipment that had been stolen.\n    I am heartened to note that the VA is working with local \nand Federal law enforcement to track down and retrieve newer \nstolen equipment, but dismayed to see the number of equipment \nitems that were either transferred to other facilities and not \ntracked or disposed of without proper notation in the equipment \ninventories.\n    As of February 28th, the GAO report found four case-study \nlocations covered in their report that were--2,400 IT equipment \nitems weren\'t found, it was revealed, with a combined original \nacquisition value of about $6.4 million, as a result of \ninventories VA performed during fiscal years 2005 and 2006.\n    Based on information GAO obtained through March 2, 2007, \nthe five case-study locations previously audited had identified \nover 8,600 missing IT equipment items, with a combined original \nacquisition value of over $13.2 million. GAO reported that the \nmissing IT items represent record keeping errors, the loss, \ntheft or misappropriation of IT equipment.\n    The GAO also cited that, because most of the nine case-\nstudy locations had not consistently performed required annual \nphysical inventories or completed reports of survey promptly, \nwhich prevented the reporting of missing IT equipment in some \ninstances for several years. I am also surprised when I see a \nreport--see a SOC report reporting the first instance of \nlisting a missing piece of IT equipment from the mid-nineties; \noperating systems for this equipment would be totally out of \ndate long ago, and it leaves me wondering just how long the \nequipment was actually missing before it was reported.\n    Mr. 
Chairman, this is not the first time that GAO has \nreported on deficiencies in information technology equipment \ncontrols. In 2004, there was a similar report on VA medical \ncenters entitled Internal Control Over Selected Operating \nFunctions Needs Improvement. In this report, GAO indicated that \nthe six VA medical centers they audited lacked a reliable \nproperty control database. One of the medical centers reviewed \nalso was included in the most recent report, and yet those \nissues still remain.\n    I look forward to today\'s hearing and hearing from today\'s \nwitnesses and those accompanying them on how VA plans on moving \nforward, and how quickly and efficiently we can hope and \nencourage them to follow up on GAO\'s recommendation.\n    I thank you, Mr. Chairman. I yield back the balance of my \ntime.\n    [The prepared statement of Congresswoman Brown-Waite \nappears on p. 30.]\n    Mr. Mitchell. Thank you.\n    Mr. Walz?\n\n           OPENING STATEMENT OF HON. TIMOTHY J. WALZ\n\n    Mr. Walz. Thank you, Mr. Chairman, thank you to the Ranking \nMember, and thank you to our panelists for being here today at \nthis incredibly important hearing. Those of us that go out and \ntalk to our veterans, this issue is still very, very important \nand at the forefront of what they are concerned about.\n    I am one of those 26 million veterans who received the \ninfamous letter saying my information may have been \ncompromised, and what this does, from the sinking feeling of \nloss of personal security and the concern over data theft, is \nconcern for the individual. 
It has a very corrosive effect on \ntrust in the VA in general, and that is the part I am most \nconcerned about.\n    I am here today welcoming all of us as team players to \nfigure out how we get at this, but I think each of the Members \nup here is sensing the frustration amongst our constituents and \nour veterans that this is another one of those issues we speak \nof often, yet see very little movement forward.\n    So this is, to me, an absolute priority. We have to make \nsure that faith in the VA system remains strong and that data \nsecurity is protected.\n    So with that I look forward to these panels, and thank you \nagain, Mr. Chairman, for holding this hearing.\n    Mr. Mitchell. Thank you, Mr. Walz.\n    At this time, I ask unanimous consent that all Members have \n5 legislative days to submit a statement for the record. Seeing \nno objection, so ordered.\n    Mr. Mitchell. I will now proceed to Panel 1. Mr. McCoy \nWilliams is the Director of Financial Management and Assurance \nfor the U.S. Government Accountability Office. Mr. Williams\' \nteam was responsible for writing this troubling report on VA\'s \nIT inventory management. We look forward to hearing his views \non what VA needs to do to improve inventory controls.\n    Mr. Williams, if you would proceed but also keep in mind \nthat we would like to keep this at 5 minutes.\n\nSTATEMENT OF McCOY WILLIAMS, DIRECTOR, FINANCIAL MANAGEMENT AND \n ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED \n BY GAYLE L. FISCHER, ASSISTANT DIRECTOR, FINANCIAL MANAGEMENT \n      AND ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Williams. Thank you. Mr. Chairman, Members of the \nSubcommittee, Ms. 
Fischer and I thank you for the opportunity \nto discuss our recent audit of controls over IT equipment at \nthe Department of Veterans Affairs.\n    In light of reported weaknesses in VA inventory controls \nand reported thefts of laptop computers and data breaches, the \nadequacy of such controls has been an ongoing concern. Today, I \nwill summarize the results of our recent work, the details of \nwhich are included in our audit report, which the Subcommittee \nis releasing today. This audit followed a July 2004 report in \nwhich we identified weak practices and lax implementation of \ncontrols of equipment at the six VA medical centers we audited.\n    For today\'s testimony, I will provide the highlights of our \ncurrent findings related to three key issues: first, the risk \nof theft, loss or misappropriation of IT equipment at selected \nVA locations; second, whether selected VA locations have \nadequate procedures in place to assure physical security and \naccountability over IT equipment and excess property disposal \nprocess; and third, what actions VA management has taken to \naddress identified IT equipment inventory control weaknesses.\n    First, we concluded that for the four case-study locations \nwe audited, there was an overall lack of accountability for IT \nequipment. Based on our tests of IT equipment inventory \ncontrols, we estimated that the percentage of inventory control \nfailures related to missing items ranged from 6 percent at the \nIndianapolis Medical Center to 28 percent at the Washington, \nDC, Medical Center.\n    In addition, we determined that VA property management \npolicy does not establish accountability with individual users \nof IT equipment. 
Consequently, our control tests identified a \npervasive lack of user level accountability across the four \ncase-study locations and significant errors in recorded IT \ninventory information concerning user organization and \nlocation.\n    Our analysis of the results of physical inventories \nperformed by the four case-study locations in our current audit \nidentified over 2,400 missing IT equipment items with a \ncombined original acquisition value of about $6.4 million. In \naddition, the five locations we previously audited had reported \nover 8,600 missing IT equipment items, with a combined original \nacquisition value of over $13.2 million.\n    Further, we found that missing IT items were often not \nreported for several months, and in some cases, several years, \nbecause most of the case-study locations had not consistently \nperformed physical inventories or promptly completed the \nrequired report of survey.\n    Second, Mr. Chairman, our limited tests of computer hard \ndrives in the excess property disposal process at the four \ncase-study locations found no data on those hard drives that \nwere certified as sanitized. However, file dates on the hard \ndrives we tested indicate that some of them had been in the \ndisposal process for several years without being sanitized, \ncreating an unnecessary risk that sensitive personal and \nmedical information could be compromised.\n    We also found numerous unofficial IT equipment storage \nlocations in VA headquarters area office buildings that did not \nmeet VA physical security requirements. For example, at some VA \nheadquarters locations excess computer equipment was stored in \nopen, unsecured areas.\n    Finally, VA has made limited progress in addressing these \nproblems since our July 2004 report, including, among other \nthings, clarifying property management policies and \ncentralizing IT functions under the new Chief Information \nOfficer (CIO) organization. 
However, the Department has not yet \nensured consistent implementation of effective controls for \naccountability of IT equipment inventory.\n    Mr. Chairman, until these shortcomings are addressed, VA \nwill continue to face major challenges in safeguarding IT \nequipment and sensitive personal data stored on this equipment \nfrom loss, theft and misappropriation.\n    In conclusion, Mr. Chairman, strengthening the overall \ncontrol environment and establishing specific IT controls will \nrequire a renewed focus, oversight and continuing commitment \nthroughout the organization.\n    This concludes our prepared statement. Ms. Fischer and I \nwould be very happy to answer any questions that you or other \nMembers of the Subcommittee may have at this time. Thank you.\n    [The prepared statement of Mr. Williams appears on p. 31.]\n    Mr. Mitchell. Thank you, Mr. Williams.\n    In your first--in your most recent report, the GAO \nconcluded that poor accountability and weak control environment \nhave left the four VA case-study organizations vulnerable to \ncontinuing theft, loss and misappropriation of IT equipment and \nsensitive personal data. This conclusion is no different than \nwhat the GAO reached in 2004. Is that true?\n    Mr. Williams. That is true, Mr. Chairman. While the \nconclusion is the same, if you look at the specific numbers as \nfar as the amount of items that we were unable to find in the \naudit that we did in 2004, there has been some improvement \nthere, but there is still a lot of work to be done. Given that \namount of timeframe, there are some things that you would have \nexpected to have been completed by this time based on those \nfindings, but the conclusion is definitely the same.\n    Mr. Mitchell. In your opinion, what is the VA\'s problem. \nWhy hasn\'t anything really been done?\n    Mr. Williams. 
I think, to address this problem, there are \ntwo or three things that need to be done; and I think one of \nthe things that I would start out with is that there needs to \nbe accountability, as we have stated in the report, at the \nindividual level.\n    When you have got accountability that is not assigned to \nthe individuals in a situation which, as I like to say, when \neverybody is accountable, you end up with no one being \naccountable. Then you need to make sure that you have policies \nand procedures that are in place that are consistent throughout \nthe organization, and they are carried out.\n    It is one thing to have policies and procedures in place, \nbut you want to make sure you have that oversight to make sure \nthose policies and procedures are being implemented by \nmanagement in the organization.\n    Mr. Mitchell. Thank you. A bad inventory system obviously \nraises concern about wasting taxpayers\' money, but there are \nalso security concerns, concerns that are particularly acute \ngiven the VA\'s recent episodes on data loss.\n    Your report describes concerns with the security of private \nveteran data. Please tell us about how the VA\'s inadequacy of \ntheir inventory system creates a danger for data loss.\n    Mr. Williams. I think one of the examples that I just \nfinished talking about in my opening statement was, we did not \nfind any data on those hard drives that had been identified as \nbeing sanitized. The problem comes in, the risk comes in when \nyou have hard drives that are waiting to be sanitized, and \nthose are in file cabinets or in storage bins and they have \nbeen there for years.\n    So when you leave those hard drives there, there is always \nthe risk that someone can come along and take it and extract \nthat information and use it for reasons that are not good.\n    The other concern that we had was the security around the \nlocations where the items were actually stored. 
As you can tell \nfrom one of the pictures that we have here, that there are \ncertain requirements as far as what type of security is \nsupposed to be associated with this type of equipment. Rooms \nare supposed to be locked, and so forth, there are supposed to \nbe floor-to-ceiling walls so that individuals cannot get over \nand take some of these items out.\n    So that is the concern we have. You want to make sure that \nyou have got those controls in place so that this sensitive and \nvery important data is properly protected and not in the \nhands--the possibility of its being in the hands of someone \nthat would use it for bad purposes.\n    Mr. Mitchell. You mentioned just a second ago about the \nimportance of user-level accountability and how important that \nis. You also pointed out that they don\'t have it in the VA \nexcept for IT equipment that is taken off-site.\n    What is the current process the VA has for assigning \ncustody for IT equipment?\n    Mr. Williams. As we stated in the report, there is a \nprocess in which you basically get a hand receipt for items \nthat you are going to be--I guess mobile items, things you take \noffsite.\n    The concern that was raised in our review of that \nparticular area--and I will let Ms. Fischer chime in on the \nspecific numbers if I am off. I think we requested about 15 \nitems to look at, items to identify if the policy was actually \nbeing followed, if there was actually a hand receipt for those \nitems being taken off; and of that number, I think six items we \nwere unable to get the hand receipt--the documentation to show \nthe support for this is a receipt for this item being taken \nout.\n    There were about nine other items; I think six of those \nnine we basically found that the documentation was recorded \nafter the fact, I believe. And for two of the items we found it \nwas valid. So out of those 15, we were only able to identify 2 \nin which the process had actually been followed.\n    Mr. 
Mitchell. One very quick follow-up, if the Subcommittee \nwill indulge me here.\n    How difficult would it be to implement a user \naccountability system?\n    Mr. Williams. I think it would take some time to set that \nsystem up initially, but from a cost-benefit standpoint, once \nyou get that particular process set up and you do that \ninventory on an annual basis, or whatever basis that you decide \nyou want to do it, I think it is a process that could be \nfollowed and implemented throughout the organization.\n    We have it at my organization. Once a year I get a call and \nI am notified that there is an inventory that is going to be \nperformed. When that piece of equipment was assigned to me, I \nsigned off on a sheet of paper and basically stated that, McCoy \nWilliams, you are responsible for this particular computer, \nthis particular device or what have you. It is only a matter of \ntime, of another person coming through, independent \nverification; they will look at the Code that is on the \nequipment and basically check it off as being in my control.\n    So I don\'t think it is a major, major problem. I will let \nMs. Fischer add.\n    Ms. Fischer. Mr. Chairman, I do want to point out that the \nWashington, DC, Medical Center implemented user level \naccountability for their IT equipment during March of 2007 as \nwe were wrapping up our work. We have looked at their policy. \nIt looks pretty good.\n    When a user signs for accountability of their IT equipment, \nthey are acknowledging at least eight rules and guidelines that \nthey are attesting to that they will follow; and you might want \nto ask your witnesses today in Panel 2 how that is working for \nthem.\n    Mr. Mitchell. Thank you.\n    At this time I would like to recognize Ms. Brown-Waite.\n    Ms. Brown-Waite. Thank you, Mr. Chairman. I first of all \nthank both of you for being here.\n    Mr. Williams. Thank you.\n    Ms. Brown-Waite. Mr. 
Williams, is it that the policies VA \ncurrently has aren\'t being followed or that they need totally \nnew policies?\n    Mr. Williams. I wouldn\'t say that they need totally new \npolicies, but I think there need to be some revisions to the \npolicies to strengthen some of the controls. But there are also \nsome controls that they currently have in place in those \npolicies that we found were not being followed, so I would say \nit is a combination.\n    Ms. Brown-Waite. A combination.\n    Let me ask you this. In your report you mention the fact \nthat VA policy mandates that a report of survey be appointed \nwhen there is a possibility that a VA employee may be assessed \npecuniary liability or disciplinary action as a result of loss, \ndamage or destruction of property and the value of the property \nis $5,000 or more.\n    Are you aware, has this board survey ever been appointed \nand has anybody ever been held accountable for missing items?\n    Mr. Williams. We will take this one jointly.\n    Ms. Fischer. They have appointed boards of survey to \nfurther investigate items that are identified as missing in \ntheir physical inventories. We don\'t know of any specific \ninstances where individuals have been held liable for lost \nequipment. However, VA probably has that information. You could \nask the witnesses on Panel 2 if they have examples of that.\n    Ms. Brown-Waite. If I may follow up with another question \nfor Ms. Fischer, the report mentions a problem with purchase \ncards.\n    Could you explain why IT equipment bought with a government \npurchase card was not recorded in the property records?\n    Ms. Fischer. Yes, Congresswoman Brown-Waite. Their policy \ndid not require the purchase card holders to notify the \nproperty officers when they acquired computer equipment with \nthe purchase card. 
So it was put into service and never entered
in the inventory records.
    We made a recommendation, and VA has stated that they will
have that policy in place this month. Our recommendation was
that they, of course, implement that requirement.
    Ms. Brown-Waite. And were they receptive to implementing
that requirement? It just--to the average citizen out there, it
just seems as if one hand does not know what the other hand is
doing when it comes to inventory in the VA. It really does seem
that way. And the sad part of it is, that translates into fewer
dollars actually being used for the veterans, which I know
troubles every Member of this Subcommittee up here. So is
that----
    Mr. Williams. Let me take that.
    I would start by saying that having read VA's testimony for
today, I think that if those actions that have been identified
in today's testimony are followed through on, it looks like
that is putting them on track to address these problems that we
have identified back in 2004, as well as the problems that we
have identified in our report that is being released today.
That means that it is probably too soon to tell at this
particular point in time.
    We have laid out the issues and we have laid out the
recommendations. I think that this is a good first start, based
on what I see in the testimony today. The proof will be in the
actions that will follow down the road to see if these
recommendations are actually implemented.
    Ms. Brown-Waite. Based on what we have heard so far, how is
the team able to find most of the equipment when VA didn't know
who had the equipment or where it was?
    Ms. Fischer.
They were pretty familiar with the process by
the time we did our second audit; and they had a team
accompanying us, and when items could not be located, they sent
people out to look for, say, turn-in documentation that may
exist where items hadn't been updated in inventory as being
disposed of. They looked at where IT equipment was plugged into
the networks. Sometimes the central system could tell them
where that equipment was located. And in some cases they did a
full facility search.
    VA headquarters actually sent teams to the field to
determine whether some of the IT equipment had been transferred
to field locations without updating the inventory record. So
all of these human intervention efforts helped them locate some
of the items we couldn't initially identify during our
inventory.
    Mr. Williams. May I add a point to that, because I was
involved in the 2004 inventory also; and I remember to this
date one location that I actually visited, and we had the same
type of assistance in which VA staff would actually go to the
various locations, and we would try to identify the properties
and all.
    At this one particular location I recall my staff and I
pulled up to the building and basically introduced ourselves
and stated what we were there for, and we basically got the
old-fashioned cold shoulder that you're here during my lunch
time and this is not an important event for me.
    I would add the attitude this time, I think, based on Ms.
Fischer's team going out, is the organization understands the
importance of taking these inventories and why it is important
you have these good records for the property that is in your
control.
    Ms. Brown-Waite. With that, I yield back.
    Mr. Mitchell. Thank you.
    Mr. Walz?
    Mr. Walz. Thank you, Mr. Williams and Ms. Fischer.
I really
appreciate this; I appreciate the work that you are doing on
this.
    I, for one, again can't stress enough that I believe that
the work that the VA is doing and all the good that it is doing
is almost immeasurable. But any time we have these types of
issues, it totally undermines everything we are doing. So the
criticalness of this and the sense of urgency is very much here
with this Subcommittee.
    I want to just lay out a bit of a scenario and talk to you
about this, having had some experience in Federal Government.
But I think--Mr. Williams had me intrigued with his idea of
this individual accountability thing.
    At one time, when I was a lowly GS-7, I was in charge of
managing a National Guard armory, and I can remember signing
those property books and being in charge of those, and I was
the only one there and there were millions of dollars of
equipment, from howitzers to mop heads, and they were all on
the property books. I had to be accountable for every single
one of them.
    I can remember turning an armory upside down looking for
little radiac meters they gave us to see radiation in there
that we weren't sure how to use them, but they had been given
to us and they had a value; and the checklist and the
accountability on that was so strong. I was absolutely there,
and I actually processed some of these, on myself and others, a
statement of charges if things were lost and they were under
your care; and sometimes they were accidental and they would
find out what happened and you would be cleared because it got
run over accidentally in a training exercise. But there was no
doubt in my mind somebody was watching, and I was accountable,
and my commander, for every single piece of equipment.
And this
was back in 1989 when you had the big green printout sheets
that would come.
    With the ability we know now to organize data, it seems
amazing to me, because every month a random inventory, a
partial inventory of our whole inventory would come out to us
and we would have to physically sign off at the end. It
behooved you to be organized, to know where this was and to
know there was a day of reckoning if it was not there.
    My question is, especially on a large scale like that--
there were thousands of armories across the United States, and
if you don't think these inventories were detailed, it was down
to every single socket in tool kits, and if you didn't have the
3/16th socket, no matter what else you had, somebody wanted to
know about it and somebody was going to pay for it.
    So my question to you is, it seems to me the ability to do
this and the best practices and the checklist are out there. We
had to close the shop at the end of the day; that included
security of the primitive technology at the time. But it was
locked in the vault, it was signed off, it was secured; and
when I opened that vault, my signature went on that. And those
sheets were checked when someone would come through, and we
didn't brush you off because when someone came to say they were
going to look, we had to provide it and knew we had to provide
it.
    So my question to you is, I know the ability to deliver
this, at least I feel, is there; and I know that the culture at
that time was for me to make sure I delivered it.
    Is there anything about what I am saying on this that is
applicable to the VA?
    Mr. Williams.
I will start by saying, in addition to having
responsibility for the financial management at the VA, I also
have responsibility for financial management at the Department
of Defense and Homeland Security, so I am familiar with those
property books that you are talking about.
    No, you are not being unreasonable in anything that you
said, because I see that type of activity taking place now at
the various agencies I have responsibility for. There are other
problems as far as having good systems to keep track of those
property books and all that we have reported on, but that
process is one that can be done, and it is not something that
you have to do everything, wall to wall, at one time.
    There are various ways in which you can rotate doing that
inventory, maybe this unit this month, this unit that month,
and so forth. If it is looking like it is going to interfere
with your operations, you just shut everything down and try to
do it.
    There are various ways that it can be done, but nothing you
have said is unreasonable to expect, nothing that you have said
is unreasonable, and in my mind that couldn't be done to get
this accountability down to the individual levels and have
individuals accountable for the property that has been assigned
to them.
    Mr. Walz. And I guess my final question is, just thinking
of how these things rolled down as we have issues. After the
breach in the laptop computer and the 26 million individual
records, or roughly what the number was, we saw--I think VA and
the government responded, and what they did was, they started
strengthening those Health Insurance Portability and
Accountability Act rules, making sure privacy was there.
And
now I see what I think is an unintended consequence in our
county service officers who are having a hard time accessing
the VA system in terms of they now have to get the sign-off
from them for power of attorney and those types of things.
    I am wondering, have we gone over on that or is that just
part of strengthening this system?
    Mr. Williams. That is something you have to look at. When
you are looking at a control environment and you are putting
controls in place, you have to look at everything from a cost-
benefit standpoint, and you don't want to put anything in place
that is actually going to cost you more than the benefits that
you are going to expect to derive. So it is a balancing act.
    Mr. Walz. I thank you.
    And I yield back, Mr. Chairman. Thank you.
    Mr. Mitchell. Thank you.
    Ms. Brown-Waite?
    Ms. Brown-Waite. The one question that I was going to ask,
which may be very similar, is, in our offices we are required
to keep track of anything over $500 as part of the inventory.
Is part of VA's problem that a lot of the missing equipment was
under not $500, but $5,000, that it was never actually
inventoried before? Is that part of the problem?
    Mr. Williams. Part of the problem is that a lot of these
items are under that $5,000 window that we are talking about.
But we did find some items missing that were over the $5,000
amount. But there are a lot of computers and things along this
line that cost $2,000, $1,000, what have you.
These are items
that you can easily walk out the door with, and that is why we
feel that it is important that, as we recommended, I think, in
the 2004 report, you properly identify those items that are
sensitive and less than $5,000 and make sure you put the
controls in place so that those items that can easily walk out
the door, that you have got some controls around them so you
know where they are and you have got individuals that are
accountable for those individual items.
    Ms. Brown-Waite. When I asked about the dollar amount and
found out that it is $5,000 for inventory for the VA, I was
told that they inventory vehicles, ammunition, weapons,
canines. What is the value of a canine? And the reason I am
asking this is, think about it, that canine is not going to
jeopardize anyone's security out there. But I just find it very
strange that that was the response that we got.
    Mr. Williams. I will be honest with you, I asked my staff
the same question before the hearing today from the standpoint
of--well, my first question was, am I properly pronouncing
this? I thought it was maybe some other type of equipment. But
my understanding is that these are valuable assets that are
used in the process of carrying out VA operations, so they are
actually classified as assets that fall into that sensitive
category as defined by VA.
    Ms. Brown-Waite. I am sure that they are. My canine at home
is priceless. But the point being that while my Bentley at home
may be priceless--that is my dog's name, not my vehicle--
certainly the canines do not have identifying information that
could be misused; and I guess I am questioning the priority of
the inventory.
    Mr. Williams. Yes.
    Ms. Brown-Waite. And I just found it so totally strange
that canines are inventoried, but computers aren't. Laptops and
BlackBerries and other things aren't.
The average citizen out
there is asking, What the heck is going on up there?
    I thank you very much.
    Mr. Williams. Thank you.
    Mr. Mitchell. Mr. Walz, any other questions?
    Mr. Walz. I just had one more question and I may know this
answer, but I am going to get it from the experts.
    What I am reading on the San Diego facility, it talked
about the personnel there created their cuff records. Can you
tell me what that is?
    Ms. Fischer. They were maintaining cuff records at San
Diego and at VA headquarters, and these were records maintained
outside the central inventory system for various reasons. At
San Diego, the IT staff did not have access to the property
system, so they felt the need to keep their own records to show
when they removed a computer for repair or moved one to another
location, so they could track it.
    They were trying to keep accountability there. The problem
was, they didn't have access to the central system, so they
couldn't update the central system for those changes; and so
the central inventory system was out-of-date because of that.
    Mr. Walz. But it would be unfair to characterize this as a
second set of books?
    Ms. Fischer. It was, in fact, a second set of records. Both
sets of records, the central system and the cuff records, are
considered official records.
    Mr. Walz. Okay.
    Mr. Williams. I would add, if you are looking at a good
control environment, you would want the records to be in your
main system, you wouldn't want to be relying on cuff records.
You would like to have it in your official system in a good,
internal control environment.
    Mr. Walz. Very good.
    Ms. Fischer. The cuff records were on somebody's personal
computer on a spreadsheet.
    Mr. Walz. They were making an effort at accountability
because the system was hindering them from doing what they
needed to do.
    Ms. Fischer.
They were the only ones that had access to the
records they created, so they weren't available for management
information.
    Mr. Walz. Thank you.
    I yield back, Mr. Chairman.
    Mr. Mitchell. Thank you very much. Thank you for your
testimony and for being here today.
    At this time I would like to welcome Panel 2 to the witness
table. Mr. Robert T. Howard is the Assistant Secretary for
Information and Technology at the VA and the Department's CIO.
Assistant Secretary Howard is a former Major General in the
Army Corps of Engineers and joined the VA in 2006 to head up
the IT reorganization project. The Subcommittee has been most
happy with Mr. Howard's progress in this project, but we
understand that there is still a long way to go. We look
forward to hearing Assistant Secretary Howard's testimony.
    And, Mr. Howard, would you please introduce the rest of
your staff?

 STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SECRETARY FOR
INFORMATION AND TECHNOLOGY, AND CHIEF INFORMATION OFFICER, U.S.
   DEPARTMENT OF VETERANS AFFAIRS; AND HON. ROBERT J. HENKE,
ASSISTANT SECRETARY FOR MANAGEMENT, U.S. DEPARTMENT OF VETERANS
   AFFAIRS; ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY ASSISTANT
 SECRETARY, INFORMATION PROTECTION AND RISK MANAGEMENT, OFFICE
    OF INFORMATION AND TECHNOLOGY; ARNIE CLAUDIO, DIRECTOR,
  INFORMATION TECHNOLOGY OVERSIGHT AND COMPLIANCE, OFFICE OF
  INFORMATION AND TECHNOLOGY; RAY SULLIVAN, DIRECTOR OF FIELD
  OPERATIONS, OFFICE OF INFORMATION AND TECHNOLOGY; SANDFORD
  GARFUNKEL, DIRECTOR, VETERANS INTEGRATED SERVICE NETWORK 5,
VETERANS HEALTH ADMINISTRATION; LARRY BIRO, DIRECTOR, VETERANS
 INTEGRATED SERVICE NETWORK 7, VETERANS HEALTH ADMINISTRATION;
   FERNANDO O.
RIVERA, DIRECTOR, WASHINGTON, DC, VA MEDICAL
  CENTER, VETERANS HEALTH ADMINISTRATION; AND STEVE ROBINSON,
CHIEF, ACQUISITION AND MATERIEL MANAGEMENT SERVICE, WASHINGTON,
  DC, VA MEDICAL CENTER, VETERANS HEALTH ADMINISTRATION, U.S.
                 DEPARTMENT OF VETERANS AFFAIRS

               STATEMENT OF HON. ROBERT T. HOWARD

    Mr. Howard. Yes, sir. Thank you, Mr. Chairman. I would like
to thank you for the opportunity to testify on IT asset
management within the Department of Veterans Affairs.
    Mr. Mitchell. Is your microphone on?
    Mr. Howard. Yes, sir. Anyway, I do thank you for the
opportunity to testify today on IT asset management within the
Department of Veterans Affairs.
    I am joined today by Mr. Bob Henke, Assistant Secretary for
Management, and I am also accompanied by Ms. Adair Martinez, my
Deputy Assistant Secretary for Information Protection and Risk
Management; Mr. Ray Sullivan, my Director of Field Operations;
Mr. Arnie Claudio, my Director of IT Oversight and Compliance.
    In the group behind me are Mr. Sandford Garfunkel, Director
of Veterans Health Administration's (VHA's) Veterans Integrated
Services Network (VISN) 5; Mr. Larry Biro, of VISN-7; Mr.
Fernando Rivera, Director of the Washington, DC, VA Medical
Center; and Mr. Steve Robinson, Chief, Acquisition and Materiel
Management Service for the Washington, DC, VA Medical Center.
    Sir, IT asset management is a critically important issue
that also, as you have mentioned, has a direct bearing on our
ability to enhance information protection throughout VA. As you
know, the recent GAO report on VA's IT asset management found
inadequate controls and risk associated with theft, loss and
misappropriation of IT equipment at selected VA locations.
In
that report, GAO found inadequate accountability and included a
number of very important recommendations with which we agree.
    As the Chief of Information and Technology for VA, I am
responsible for ensuring compliance with the integrity and
security of VA's IT assets. I understand that when poor IT
inventory procedures exist, both the loss of expensive
equipment as well as the loss of any sensitive information
resident in the equipment could occur.
    This is a situation of the utmost importance. It is a
situation that we are working hard to remedy. We are prepared
to answer your questions today about procedures that already
exist, as well as more rigorous and standard procedures that
are being implemented.
    The GAO findings demonstrate a need for more emphasis and
vigilance in this area. With the establishment of a single IT
authority in the VA we are now in a much better posture to
improve the IT asset management situation, and we have a number
of actions already under way. We currently have several systems
in VA that capture IT assets, and we are working to standardize
this and move to a single IT management system.
    We have been able to locate some of the equipment that was
reported missing. For example, regarding the items of missing
equipment that were assigned to the previous Office of
Information and Technology, we have been able to locate most of
them. We assembled a team to conduct a search for missing
items--network equipment, servers, digital cameras, and so
forth--that were assigned to the Office of Information and
Technology prior to the consolidation of IT in the VA.
    At the end of this review, which took place over a 3-month
period, the team had located about 90 percent of the equipment;
and though much of the equipment was found, the lack of
accountability was clearly evident.
You should not have to go
through that in order to find your equipment.
    To improve our asset management and accountability within
VA, a special team has been established to develop standard
procedures; a new directive and accompanying handbook on the
control of information technology equipment within the VA have
been prepared, and we have already implemented some of the
procedures they describe. The directive and handbook will
provide clear direction on all aspects of IT asset management.
    Additionally, we have expanded the responsibility of my
Office of Information Technology Oversight and Compliance. This
office was established in February of 2007 to conduct on-site
assessments of IT security, privacy and records management at
VA facilities. As of today, the office has completed over 58
assessments, and the oversight of physical security for IT
assets is now a part of their assessment routine. The results
of the reviews will help us support and strengthen VA IT
security controls.
    This office ensures that facilities are aligned with the
National Institute of Standards and Technology's recommended
security controls for Federal information systems.
    We must also increase awareness at the individual user
level regarding accountability for IT equipment. The new
directive and handbook mentioned earlier will require employees
who have been assigned VA IT equipment to sign a receipt for
the IT equipment in their possession. Supervisors will be held
responsible for common equipment that is not assigned to
individuals. The receipt used is the printout of the equipment
inventory list which describes equipment assigned to employees
by name. These procedures have already been implemented.
    We have begun to deploy network monitoring software. This
is a very critical aspect of this issue, sir, that will help us
detect and monitor any device that is connected to the VA
network.
Special procedures are also being implemented for
equipment that may be considered expendable, but which must be
accounted for, not because of the cost, but because the
equipment has the potential for storing sensitive information.
An example of such low-cost IT equipment that must be tracked
is the encrypted thumb drives being distributed throughout the
VA.
    In closing, I want to assure you, Mr. Chairman, that we
will remain focused in our efforts to improve all aspects of
the information technology environment in VA, including the
overall accountability and control of IT equipment, as well as
certain medical equipment that could potentially store
sensitive information.
    It is about the sensitive information that we are
particularly concerned. This will not only reduce the loss of
expensive equipment, but also the potential loss of sensitive
information the equipment may contain.
    Thank you for your time and the opportunity to speak to you
on this issue and we would be pleased to answer any questions
you may have.
    Mr. Mitchell. Thank you, Mr. Howard.
    [The prepared statement of Mr. Howard appears on p. 38.]
    Mr. Mitchell. Mr. Henke, do you care to make a statement?

               STATEMENT OF HON. ROBERT J. HENKE

    Mr. Henke. Sir, just two or three brief points and then we
will turn to your questions, if you don't mind.
    Sir, from my perspective as the agency's Chief Financial
Officer, any internal control deficiency, whether it is
material or not to our financial posture, our financial
statements, has my attention.
    First, in the GAO report, we concurred on all 12 of the
recommendations and moved to change our policies and purchase
card policies and modify our inventory system to add user level
accountability to it.
    The second thing I would like to point out is that my
internal auditors also do property reviews at VA medical
centers.
We have visited 14 medical centers to date this year,
and in some of their findings they found stations that have
zero discrepancies--zero discrepancies on their equipment
inventories. What that tells me is that this can be done with
the right amount of management attention. Salt Lake City, Utah,
zero percent discrepancies; Muskogee, Oklahoma, 3.2 percent
discrepancies; Wilmington, Delaware, 4.5 percent. So with
management attention it can be done.
    Number three, we are going through a Sarbanes-Oxley-type
process; we're in year 2 of a 3-year process where we look at
internal controls over our financial reporting. One of the
processes we are looking at this year is property and
equipment. We had some results come back, fairly mixed results.
We told the teams, the national auditors we have and my
auditors, to go out and do more site assessments and come back
with more information.
    Finally, sir, I would like to point out that you mentioned,
and Ms. Brown-Waite mentioned, the 2005 and 2006 inventories
that were being done. We have results for 2007 to date, on
inventories, and we can speak to those. The results are very
different, and I can speak to the point that I believe the
institution has gotten religion about accounting for IT
equipment.
    Mr. Mitchell. Thank you. I just have a couple questions.
    Mr. Howard, your organization has devoted a great deal of
time to ensuring that the personal data of veterans is
protected from disclosure. Encryption of the data is one of the
main defenses against disclosure; do you agree with that?
    Mr. Howard. Yes, sir.
    Mr. Mitchell. If GAO reports that your inventory records
are incomplete and inaccurate, how do you know if all IT
equipment requiring encryption has been encrypted?
    Mr. Howard. Sir, not all the IT equipment has been
encrypted. In fact, some of it, we cannot encrypt.
An example
of that is IT equipment that is actually a part of a medical
device on which we cannot necessarily place encryption.
    I would agree with you that encryption is an extremely
important tool and we need to encrypt everything we possibly
can, but there are some items that you can't, which means there
are other methodologies you have to follow.
    The basic rule that we have established in the VA is that
sensitive equipment--sensitive information, rather, must be in
a protected environment at all times or it must be encrypted.
What I mean by that is, for example, if the Veterans Benefit
Administration--they deal with paper, lots of paper; you can't
encrypt it. But you also must protect it in a protected
environment--listings of names and Social Security numbers, and
what have you.
    So although encryption is an extremely important tool, and
we are expanding that to the maximum possible degree, it is not
the final answer. You still have to have some procedures that
must be followed where encryption can't help you.
    Mr. Mitchell. Thank you. Let me ask a further question
here. Are you aware of a single instance in which the problems
with the VA inventory system that the GAO has very clearly
identified that have existed for years have resulted in any
disciplinary action by anyone at the VA?
    Mr. Howard. Sir, we got into that discussion this morning.
The answer is ``yes.'' I don't know about disciplinary, but I
will tell you that people have been held pecuniarily liable for
missing equipment; I don't know the numbers per se, but I do
know that that is true.
    Mr. Mitchell. All right. One last question before I turn it
over.
    GAO's review of physical inventories performed by the
locations tested in 2004 and 2005 and its 2007 audit found the
test locations reported significant loss of IT equipment as a
result of their own inventories.
In particular, the Los Angeles
Medical Center reported losses of 8,402 items with an original
acquisition value of nearly $12.5 million.
    Please explain, if you can, how a single medical center
managed to lose $12 million worth of IT equipment.
    Mr. Howard. I don't know specifically what occurred at that
particular facility. But what we see, quite frankly, are a
number of the items that you have addressed earlier. And that
is the movement of items; the equipment may be there, but it is
moved somewhere else and you lose track of it. The real
question is, is it truly missing or has it been moved somewhere
else.
    And the numbers--for example, in my own organization, in
last August of 2006 internal, right after the May breach, we
directed an internal inventory take place. About 1,900 items
could not be located to the amount of almost $8 million. We put
a team to run around to try to find that stuff, and brought it
down to about 440 items, which we will implement a report of
survey on.
    Now we should not have had to do that, but it gives you an
idea of how transient this equipment is and very easy to move
around. Which brings me to the point that it is not only going
around with a clipboard or a scanner; software--you know,
network monitoring software, is absolutely critical to solving
this problem, because the equipment is too mobile. If it moves
down the hall and gets plugged into the network, you need to
see that right away. And there is software out that we will
actually have deployed in certain parts of the VA that is
tremendously helpful in keeping track of this item of
equipment.
    With respect to the particular facility involved, it is
probably a combination of things, poor inventory procedures, as
well as not keeping up with the inventory on a quarterly basis.
    Mr. Mitchell. What kind of actions are you taking to
correct those problems?
    Mr. Howard.
If you want me to describe the new procedures
we are putting in place, I can do that. It is different from
the way it is handled right now.
    Mr. Mitchell. Maybe after everyone has a chance. My time is
up.
    Mr. Howard. Okay.
    Mr. Mitchell. Ms. Brown-Waite?
    Ms. Brown-Waite. I thank the Chairman.
    Mr. Henke, the last time you were here I realized what a
difficult job you have, and that is changing the culture at VA.
    GAO, in its report, stated that the VA's purchase card,
credit card, does not require IT equipment bought with the
purchase card to be reported to property management officials,
and as a result there is no assurance of any kind of
accountability over this equipment. GAO has reported that this
is a continuing problem at VA headquarters.
    Why did the VA wait until GAO came out with this report
before taking action?
    Mr. Henke. Ma'am, this is actually the subject we discussed
at our last hearing when Mr. Walz asked me what things we
could do better and differently on the purchase cards.
    What we have done is changed--the policy already existed in
the property policy that you need to inventory things that are
sensitive or above $5,000. It simply wasn't reflected in the
purchase card policy. That is not to say that people shouldn't
have been doing it.
    There was a policy out that said, if you buy a piece of
gear, it doesn't matter how you buy it, you buy it with a
purchase card or not, you have to put a bar code on it and
inventory it. So this was just tightening up one of the holes
we found in our policies for purchase card holders to make
these purchases.
    Another step that we have taken is--in part of
consolidation of IT is, Mr. Howard has determined that there
were too many purchases being made on purchase cards of IT
equipment that were nonstandard. So we shut that down. He said,
no more IT purchases using the purchase card; it was too loose.
Those are the two steps we have taken to remediate that.
    Ms. Brown-Waite. General Howard, I understand there is one
facility in the GAO report which did not include computer
equipment valued under $5,000 in its last inventory.
    Which facility was this and under which VISN is that?
    Mr. Howard. Ma'am, I believe that was VISN-16, Houston. I
believe it was the result of improper instructions that took
place.
    Ms. Brown-Waite. And what sort of direction from the VISN
or to the VISN has been given?
    Mr. Howard. Ma'am, I am not sure how that situation has
been corrected. There is clear instruction regarding sensitive
items. In fact, there is a memo that Mr. McFarland and Tim
McClain signed out in October of 2005 that listed and discussed
equipment that was less than $5,000. So the instruction is
clear; there is a directive that goes all the way back to that
timeframe about what sensitive items are that must be included
in inventories. In fact, we are now expanding that list as part
of our new procedures.
    Ms. Brown-Waite. Is it standardized now? If you don't know
where the equipment is, how do you know what is on the laptops?
    Mr. Howard. Ma'am, you are exactly right. The items of
equipment that are listed in the previous memo that I just
mentioned, the directive from October 2005, does cite personal
computers and other equipment that we understand in IT; in
fact, most of it is IT-type equipment, but it is not complete
enough. The list that we have now is much more extensive, that
we intend to follow.
    Ms. Brown-Waite. Let me also follow up with a question that
I asked the GAO and that is about a board of survey in the VA
to take possible disciplinary action as a result of loss,
damage or destruction of property.
    Has this been formulated? Is anyone responsible?
Because \nlet me tell you that when I owned a business, if I gave one of \nmy employees a computer, they clearly knew that that was their \nresponsibility. But apparently this responsibility level just \ndoesn\'t appear to be evident at the government level. So tell \nme exactly what is being done.\n    Mr. Howard. There have been reports of survey and people \nhave been held pecuniarily liable. I don\'t know about the \ndisciplinary part, but the requirement to pay has occurred.\n    To what extent, I don\'t have that information right now, \nma\'am. We can get that for you.\n    Ms. Brown-Waite. Mr. Chairman, I would like to ask them to \nget that information to the Committee so we can know that \naccountability at the user level is truly taking place, \nbecause--and you guys need to convey that clearly. Here is a \ncomputer, here is a BlackBerry; it is your responsibility not \nto lose it, not to misplace it. You are going to be held \nfinancially responsible.\n    I think the Subcommittee deserves to know that information, \nwho actually has been held responsible, personal \nresponsibility.\n    Thank you. With that I yield back.\n    [The following information was provided by VA:]\n\n          A request was made to provide Representative Brown-Waite with \n        a list of those employees who have been held pecuniary liable \n        for lost and/or damaged VA equipment VA-wide.\n          The Veterans Health Administration (VHA), Prosthetics and \n        Clinical Logistics Office (10FL) consulted with the Office of \n        General Council regarding the release of a list of employee \n        names associated with this request. We were advised that the \n        Privacy Act protects information retrieved by a person\'s name \n        or other identifier. Therefore, VA cannot disclose such \n        information without the prior written consent of an individual, \n        or unless another exception applies. 
One exception permits \n        disclosure to either House of Congress, 5 U.S.C. Sec.  \n        552a(b)(9).\n          The Office of Management and Budget is charged by law with \n        implementing the Privacy Act, and has determined that Section \n        (b)(9) does not authorize the disclosure of a Privacy-Act \n        protected record to an individual member of Congress (see OMB \n        Guidelines, 40 Federal Register 28,948 and 28,955). Thus, the \n        exception provides authority to disclose records only to \n        requests from Chairs of Congressional Oversight Committees for \n        authorized oversight purposes. To that end, we offer the \n        attached summary and spreadsheet containing the requested data \n        (see attachments).\n          [The attachment is being retained in the Committee files.]\n\n    Mr. Mitchell. Thank you.\n    Mr. Walz?\n    Mr. Walz. Thank you, Mr. Chairman. And thank you, General \nHoward, for being here. And thank you for your service, and \nthank you for taking on at a difficult time. I know you have \nbeen on your job slightly longer than I have been on mine here. \nYou came at a critical time, you came at a time when \nexpectations for change were very high.\n    I think the same could be same for Mr. Henke, and I \nappreciate your taking on this challenge; and I hope in the \nspirit of why we are here, working together. The ultimate \noutcome is all that matters, taking care of our veterans the \nbest that we possibly can while safeguarding taxpayer dollars \nand resources.\n    So in that spirit, just a couple of things I wanted to ask. \nHow do you think the GAO did on this report? In your opinion, \nhow do you view it? Do you think it was a fair assessment of \nwhat is happening, and is it going to be helpful in helping \ncorrect this?\n    Mr. Howard. Sir, the GAO is always fair.\n    Sir, it is clearly going to help us, there is no doubt \nabout that. 
Not only reports like this that put emphasis on \nvery significant problems that we must deal with, but our own \ninternal efforts.\n    I mentioned the oversight and compliance that Arnie Claudio \nhas been doing, the SOC reports. Quite frankly, we know who is \nlosing computers and we--in fact, we have got a whole list of \nthat, as the Subcommittee does. You were provided the weekly \nsummaries and we can pull that information from our database to \nfind out what is happening with this particular piece of \nequipment. In fact, we have already started to collect that \ninformation; I don\'t have it right now, but the point is that \noversight examination is very, very important.\n    But, sir, I would like to add one thing. The oversight and \nthe examinations, investigations, highlight the problem, but \nsometimes we understaff support-type activities. Organizations \ntend to do that. I don\'t know for sure. I am looking very hard \nthrough the new IT organization.\n    As you know, we own all the IT folks and we are examining \nwhat we have. Where are they? Do we need more or less, or do we \nneed to move people around? And my guess is that this area of \nIT, of asset management, is not adequately staffed; that is my \npersonal opinion, and we are looking hard at that.\n    Mr. Walz. That is what we need to know. I want you to know \nthat that is what we see as our responsibility. We need to know \nwhat you need. I would say that the willingness of this \nSubcommittee to listen and work together is probably almost \nboundless, except for the one I know puts a huge constraint on \nyou is time and patience on this right now. I know that you \nneed those things to a certain degree, but my question to you \nmight be, what do I tell my veterans in Minnesota, what is \ngoing on, and reassure them of the faith, and that is what we \nare looking for. So I really appreciate your attitude on that.\n    This one might be better for Mr. Sullivan. 
I just wanted to
know if you could give me--what would it look like for me as an
employee at any of the facilities, how would I start the day
getting into my technology and how would I end the day?
    I know in my office the computers are shut off, they are
backed up, they are password secured; and anything that is done
behind that is done with the rolling passwords on the key chain
thing.
    I am just wondering what would it look like out there in
the VA system?
    Mr. Sullivan. Exactly the same for us. You would need to
come in in the morning. You would need to go through your
password authentication. If you step away from your computer
for any length of time or you don't use it, it goes into
automatic lock mode, and you would need to come back and unlock
it. At the end of the day you would log off your computer. We
tend to leave our computers turned on so we can do automatic
patching and assessment at night.
    Some of the tools that we are talking about, we build an
inventory when you log on so we know that you have a computer,
we know where it is physically in that building. If it
disappears from the network for a long period of time, it could
be that it was turned off, but it sends an alert, so we can
follow up.
    Those are the technologies we are looking to standardize
across the Agency.
    Mr. Walz. Where is this equipment going? Is this theft or
is this misplacement?
    Mr. Howard. Sure, some of it is theft. But theft is a minor
problem; I think the bigger problem is keeping up with it.
    Let me give you a good example, computers excessed--in
fact, Ray could probably pile on a little more on this.
Computers that are excessed, are no longer useful, some
previous operating system or whatever; you know yourself that
is pretty fast, the turnover of equipment like that.
    Mr. Walz. Right.
    Mr. Howard. We have to go through certain procedures. We
have to pull the hard drive, you have to cleanse it
forensically, which means several times, it is a 4-hour drill
to go through and clean that off. But then the equipment may
get offered to redistribution within the VA, redistribution
among other government agencies, redistribution to charity
institutions. And you have to go through all these, just so. It
is sitting there in the room as you go through all these
procedures; you can't just get rid of it necessarily, you have
to follow these procedures. And, quite frankly, sir, that is
taking us too long, we need to move quicker on that.
    Ray can tell you instances where he knows for sure items
were turned in as excess, no longer required, and they sat
there for long periods of time. That means the IT community and
the logistics disposal community need to work hand-in-glove to
make sure there is follow-up.
    To do that, I intend to energize my ISOs, Information
Security Officers, to do that follow-up with the material
management people who handle the redistribution of assets. That
is kind of out of our hands at that point. Very important
capability, but it is part of the problem that we need to get
our arms around.
    Mr. Walz. Thank you.
    And I yield back, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Henke, you are the Assistant Secretary For Management,
and Mr. Howard, you are the Assistant Secretary For Information
and Technology, and yet neither of you, as I understand it, has
line authority over the logistic folks at the medical centers
and other facilities who are responsible for inventory. Is that
a problem?
    Mr. Howard. Sir, let me take that. Not for me, because I do
have line authority over the CIOs. And the procedure that I
mentioned to you before--I can now summarize that if you would
like, the procedure that we will put in place. But it starts
with the director of the facility--the director of the facility
does not work for me, but they are responsible for all
activities that occur at the facility, to include all the
equipment that is there, the people, everything.
    But it doesn't stop there. In fact, we have already
implemented the procedure where the CIO, the senior IT official
at the facility, is the custodian of IT equipment, the guy who
works for me, up through Ray Sullivan. And I do have authority
over that person, believe me.
    What does he or she do? It doesn't stop there either,
because he or she, working with the director, has to designate
custodians at the very service levels. The head of radiology,
you are responsible for the IT equipment that is in your
jurisdiction.
    Now, the CIO and the IT people at that facility assist in
it, but the CIO has got to take a very active role at the
facility level to include mandating that individuals sign for
their individual equipment and that the service chief, be it
the head of radiology or whatever, signs for the common
equipment that cannot necessarily be assigned to a particular
individual.
    That is the procedure that we are putting in place. In
fact, Ray is responsible for the directive and handbook; it is
in draft, but we have already implemented the procedures. I
have told my people, don't wait on this thing, you do it. We
actually have this working group together with the
administrations and the staff agencies and Bob's people. We are
in agreement that this is the direction we need to go.
    But, sir, the software also has to be implemented, that Ray
described earlier, to contract this stuff because it can move
around so easily. One computer is down the hallway, but--all of
a sudden, you lost it, but boom, when you stick it in the
network, it shows right up again. This is extremely important
for an all-encompassing solution.
    Mr. Mitchell. Thank you very much.
    This question is for Mr. Biro.
    Mr. Biro. Yes?
    Mr. Mitchell. You are the Director for VISN-7. I have been
told you decided to take this inventory issue very, very
seriously and do something about it; is that correct?
    Mr. Biro. Yes.
    Mr. Mitchell. And would you tell us what you did?
    Mr. Biro. Well, I have only been in VISN-7 for 4 months. It
started with VISN-7 at Birmingham, with the loss of data at
Birmingham. They started an inventory that was very thorough,
and I continued to support having that inventory completed,
which took in over 55,000 items with focus on those that had
PII, personal identifiable information.
    We were down to about less than 20,000 items. For the items
we couldn't find, my contribution is that, I asked for a second
inventory; and we used teams of both information systems people
and facility people, and we also mixed those teams up so they
came from different facilities. So in 3 weeks, we knocked that
list down to less than 500 items.
    My other contribution is that, I am insisting on reports of
survey that have been talked about over and over again, be
completed on that final missing equipment list, and that the
appropriate disposition take place on that equipment, that we
pursue this to the end. That is going to be done within less
than 30 days; they are winding those down.
    To your question, then, we will look at if we can find
people that need to be held accountable for that through that
process. Everything that has been said we have--we have
software, the best way to find the equipment. Much of it is
seeing where it has been used last and where it has been,
because it moves all over. The biggest problem is the
portability of it, but a lot is detective work. This is the
kind of detective work I use in 7, and I also was using in 19.
Everywhere I have worked, something has been cited as best
practice.
    Salt Lake City has a perfect inventory. I used to work in
VISN-4; they have a very good inventory. So it is paying
attention to details and insisting on that high level of
performance.
    Mr. Mitchell. Thank you. Sometimes this Subcommittee has a
reputation for being very hard on the VA. We all want what is
best for the veterans and taxpayers; they deserve nothing but
excellence. Although we may be demanding, I really want to
recognize what you deserve, and that is congratulations on the
work that you are doing. You are a positive example of what can
be done, and I want to thank you for that.
    Also, is there any reason why what you have done in VISN-7
couldn't be done at other VISNs?
    Mr. Biro. No, there is no reason. My fellow--other 20
network directors are working on this very hard. We just got
some direction today--some more. Internal controls are
extremely important, and we are working on them. I am known as
the leader of that effort.
    Mr. Mitchell. Thank you very much.
    Mr. Biro. So I am working on it.
    Ms. Brown-Waite. If Mr. Garfunkel could come forward,
please, I understand that you recently were promoted to VISN-5
directorship. I guess congratulations are in order.
    I also understand that you were the last Director of
Washington's VA Medical Center where the most current GAO
report wasn't too kind about the way IT inventory was managed
there.
    Would you care to comment on why your last facility's IT
inventory sample indicated 28 percent missing items, 80 percent
incorrect user organization identifiers and 57 percent
incorrect location of the equipment?
    Mr. Garfunkel. Yes, ma'am, thank you.
    First of all, no matter what I say, let me say these
numbers are totally unacceptable.
In the 2004 GAO audit, we had
something like an 87 percent ``couldn't locate the equipment'';
that was down to 28 percent. I am very glad to say, as of April
2007, we now are at 4 percent.
    So we have taken this audit very seriously. As GAO has
testified, we now have personnel hand receipts responsible
through class 3 software that was developed and we have lots of
equipment that was--in fact, we know was surplussed in previous
years--that should have been taken off the equipment inventory
lists (EILs), that we thought were taken off the EILs, and it
turns out that they were not.
    So we have done the reports of survey that have identified
those issues, and I think we have taken very swift and definite
action since that time to assure that we have a good system in
place to identify this equipment.
    Ms. Brown-Waite. So what you are saying is, you were at 87
percent missing?
    Mr. Garfunkel. I believe the 2004 audit was something like
87 percent missing, yes.
    Ms. Brown-Waite. And the 28 percent found this time is
good?
    Mr. Garfunkel. No, ma'am.
    Ms. Brown-Waite. And all of a sudden, we are down to 4
percent?
    Tell me why the great discrepancy between what GAO found
and what you are trying to convey to us now that is down to 4
percent.
    Mr. Garfunkel. Well, since the GAO audit, we identified
which equipment was, in fact--that we know, in fact, was
surplussed. We bar-coded our equipment and the doors so we know
what--by scanning the door, we know where the equipment is
located. And we know what equipment belongs in there, so we can
identify all the equipment.
    We have begun the process of having individuals sign for
their individual pieces of equipment, so they will be held
responsible for it.
    Ms. Brown-Waite. When did this procedure go into effect?
Because obviously between 2004 and now it is--there were some
pretty sloppy procedures going on.
    Mr. Garfunkel. Yes, ma'am, they were pretty sloppy
procedures, although obviously there was improvement from the
2004 audit.
    We face lots of issues. I don't want to make a lot of
excuse for it. We implemented some actions. We identified the
equipment we had that is no longer on station; we know what
happened to it, and we have now put some very strong processes
in place.
    Mr. Claudio came to our facility in, I believe, February,
and while he had some recommendations, he felt we had pretty
good processes in place for IT security.
    Ms. Brown-Waite. Now, is it accurate that in the new VISN
that you have four hospitals and 15 Community Based Outpatient
Clinics?
    Mr. Garfunkel. I believe that is correct, ma'am, yes.
    Ms. Brown-Waite. And how long have you been VISN Director?
    Mr. Garfunkel. A couple months.
    Ms. Brown-Waite. And you don't know for sure?
    Mr. Garfunkel. No--it is correct, yes.
    Ms. Brown-Waite. Well, obviously I hope that the lack of
accountability at the other center here at Washington VA
Medical Center is not going to be continued in your new role as
VISN director.
    What practices are you putting into effect in VISN that you
are now the director of?
    Mr. Garfunkel. Well, I think we are certainly going to
follow Mr. Biro's example to make sure we have 100 percent
wall-to-wall inventory at every facility. The VA at Maryland
healthcare system, they are doing that over the next couple of
weeks. We will implement the process of hand receipts as new
policies come out, and we will make sure these inventories are
done on a regular basis.
    Obviously, this issue has my attention and I will make sure
it has the attention of medical directors and others and make
sure we do the best job we can.
    Ms. Brown-Waite. Mr. Henke or Mr. Howard--I don't know who
to ask this of, so--are we going to have standard procedures
throughout the VA so that Mr. Biro's best management practices
are carried out throughout the entire VA? Are we going to have
all of these separate accounting systems out there that will be
a future problem for you all?
    Mr. Howard. Ma'am, we are moving to a centralized system.
It will take time. I think you know that there are various
systems used; VHA uses one system, National Cemetery
Administration another, there are differences.
    Several weeks ago the deputy secretary made the decision on
the new enterprise-wide asset management application called
Maximo; that is the one that we will begin to implement, that
is for all assets. However, in the IT arena, we will need a
supplement to that. The reason for it is, for normal asset
management you need numbers: You need where it is, you need how
much it costs, when you got it, that sort of stuff. For IT, you
need much more information: What is on the device, is there any
software, is it up to date, any personal identifiable
information. You need to be able to see inside the item of
equipment and know much more.
    So we need to augment that enterprise capability with the
IT asset management system. And, in fact, we have got a
request for information (RFI) on the street right now to get
feedback on--we know what is out there; in fact, we already
have licenses for some of these items.
    Nevertheless, we have got an RFI on the street. We need
that capability to augment the asset management enterprise
solution that is being put in place. We are talking about a
process that we have to go through to remove the existing
systems and introduce the new system that will take place, a
Web-based system.
    Ms. Brown-Waite. Do you have a time line? As soon as that
question is answered, I will yield back.
    Mr. Howard. On the Maximo, I think it is about a year and a
half.
    Bob?
    Yeah. Actually, the Maximo implementation is part of Bob's
organization, it is part of the FLITE program, the Financial
Logistics Integrated Technology Enterprise program--the
logistic subset is what I am now speaking to--that will
interface with the financial system that is the other very
important part.
    The IT system that we use must be able to feed that, it
must provide feeds of certain elements of data that can, in
turn, be linked to the financial system. That is where we are
heading. It will go beyond a year, that is for sure; it is
very, very complicated. That is because we have to remove the
existing systems as we implement the new one.
    Ms. Brown-Waite. Thank you.
    Mr. Mitchell. Mr. Walz?
    Mr. Walz. Thank you, Mr. Chairman. Just one more question.
    Again, it goes back to if this Subcommittee wants to
provide anything that we can provide, but the time and patience
thing is starting to wear on people. I am just noticing on the
GAO report that the Tampa, Florida, inventory--am I right, that
that is not completed? 14 months, ongoing, it is showing?
    Mr. Howard. Sir, I am not sure on Tampa exactly where that
stands, but the procedures for the inventory process, the way
it currently should work, it is a rolling inventory. In other
words, each quarter--in fact, those were the documents that we
provided the Committee today to indicate where the folks are in
terms of their inventories. Every quarter, they are supposed to
have so much done and they sign off on that and send it in to
headquarters. The folks that you are referring to, sir, have
been doing that.
    We have the first two quarters of 2007, the reports--I
believe we have them. Bob is looking at them right here; in
fact, we have a little color code here. Obviously, if you are
green, you are up to speed, you have in excess of 90 percent of
your inventory done for the quarter.
    We have a few red folks who may not be keeping up to speed,
and these reports are provided by VHA, in this case, every
quarter.
    Mr. Walz. The thing that counsel is talking to me about is,
the data I am getting is, you are showing ``unknown,'' it is
showing ``number of missing items, unknown''; ``acquisition of
missing items, unknown''; ``data on report of survey, not yet
prepared.''
    What you are saying is, there is information supplementing
this that we don't have or I haven't been given?
    Mr. Henke. Yes, sir, you are looking at--the facility
performed audits in 2005 and 2006, found discrepancies, they
have a report, they have to survey it off the books, they have
to get rid of it, find it, reconcile.
    What we have here is a current status across VHA of fiscal
year 2007 inventories; it tells me that we have got to date.
    If I could----
    Mr. Walz. But this would not have an outside eye like GAO
looking at it? This would still be internal?
    Mr. Henke. That is my understanding, sir. Those are the
internal audits that Tampa did during 2005 and 2006 in their
clean-up work to bring those to closure, to rest and do the
surveys----
    Mr. Walz. It is safe to say at the 14-month period they
were not done?
    Mr. Henke. I believe that is correct, if my review of the
report is accurate.
    Mr. Walz. Am I wrong to think that is a long time?
    Mr. Henke. You are not.
    Mr. Howard. No. 2006, we know there were some that didn't
make it; they were in the red category.
    Mr. Henke. One more datapoint. For current information,
through the second quarter, we across VHA had planned to
inventory 4,000 equipment lists--not 4,000 items but 4,000
lists of equipment. We performed 90 percent of those, so 3,618
lists were inventoried.
The results came back and we had--out \nof 391,000 pieces of equipment on those lists, we came back \nmissing 0.85 percent, so that\'s significantly different from \n2005 and 2006 reports that you may be looking at. So it shows \nfocus on the effort.\n    Mr. Walz. So there is a curve that says it is improving and \nthat is what we will see.\n    Mr. Henke. Yes, sir. Management\'s attention is focused on \nit to get the problem solved.\n    Mr. Walz. I yield back, Mr. Chairman.\n    Mr. Mitchell. Anything else anybody would like to add?\n    Let me just say, I appreciate your candidness and your \nwork. As I said earlier, what we are here to do is to try to \nmake sure that the veterans get what is due to them, delivery \nof services, as well as the taxpayers not getting shortchanged. \nWe are concerned about excellence in all these fields.\n    We are also very pleased to hear that what you are doing \nseemed to be in the right direction. Let me just say part of \nthe name of this Subcommittee is ``oversight and \ninvestigations.\'\' We are not here--it seems to me to find out \nwhat laws need to be made, but is seems we are talking about \npolicies that you can implement and policies that you can do \nand carry out for the betterment of veterans, as well as \ntaxpayers.\n    We appreciate that effort and what you are doing, and I \njust want you to know what we can do is investigation and \noversight, and we are looking to the GAO to help us out. \nHopefully, when we come back with another report, things are \ngreat.\n    Ms. Brown-Waite. Mr. Chairman, I would ask to be able to \nask one other question and that is of General Howard.\n    What other VISNs actually have exhibited some proactive, \nrather than reactive, initiatives to really address what \nappears to have been a, hopefully in the past, laissez faire or \nlackadaisical approach to IT control? What other VISNs are \nexemplary?\n    Mr. Howard. 
Ma\'am, one for sure, in addition to Larry Biro \nin VISN-7; Max Lewis up in VISN-20 is doing a very good job. I \nwould cite that VISN; in fact, that is where Ray Sullivan \nplants himself, that is where his office is up there in the \nPacific Northwest.\n    Ms. Brown-Waite. So we have two that are truly being \nproactive?\n    Mr. Howard. Yes, ma\'am. There are others, but those come to \nmind.\n    Ms. Brown-Waite. How do we get the message across to them \nthat the taxpayers do care about the inventory and the dollars \nthat we are being asked every year to increase for VA?\n    And when some of my colleagues talk about waste, fraud and \nabuse, I know some of the equipment is just--when someone else \nleft, someone else picked up that computer and started using \nit, but you know, getting a handle on this is important. It is \nnot just the equipment dollars, it clearly is also the \navailability on those computers, of identifying information \nthat--if you don\'t know where the IT equipment is, you don\'t \nknow what is on it and it is missing, you don\'t know what you \nare missing. That is part of the problem.\n    And getting that message out there is certainly our job, \nbut it certainly is your job. I would just encourage to you do \nthat, do a best management practices, get them moving. I know \nthat culture in the VA is very difficult to jump-start, but you \nneed to do it, you absolutely need to do it gentlemen.\n    Mr. Mitchell. Thank you. This concludes our hearing, and I \nappreciate very much all the witnesses being here today and \nthank you again.\n    Mr. Howard. Thank you, sir.\n    Mr. Henke. Thank you.\n    [Whereupon, at 3:41 p.m., the Subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n             Prepared Statement of Hon. Harry E. 
Mitchell,\n         Chairman, Subcommittee on Oversight and Investigations\n    This hearing will come to order.\n    Thank you all for coming today. I am pleased that so many folks \ncould attend this oversight hearing on VA information technology \ninventory issues. We know that VA has serious problems with keeping \ntrack of its IT inventory. This is not just a dollar issue, although it \ncertainly is that. It is also a security and privacy issue. VA\'s \ninventory deficiencies mean that VA cannot ensure that private medical \nand other information belonging to the nation\'s veterans remains \nprivate.\n    We are going to begin today by hearing from the General Accounting \nOffice concerning GAO\'s report, Inadequate Controls over IT Equipment \nat Selected VA Locations Pose Continuing Risk of Theft, Loss, and \nMisappropriation, released just today, showing the results of its \ntesting of inventory systems and procedures at four VA locations. The \nresults are not pretty. As you can see from the chart, the sample \nlocations GAO tested show that from 6 to 28 percent of IT items listed \nas being in inventory could not be located. The Washington, DC VA \nmedical center could not find an astonishing 28 percent of the IT items \non inventory. The missing items at the four locations had a combined \nvalue of $6.4 million.\n    Sad to say, this is not a recent problem. In July 2004 GAO reported \nthat the six VA medical centers it audited did not have reliable \nproperty databases. GAO followed up on these sites as part of its \ncurrent report and concluded that more than $13 million in IT equipment \nwas still missing from those sites. Incredibly, an inventory being \nconducted by one of the sites in response to the 2004 GAO report is \nstill not completed.\n    If this were not bad enough, GAO further reports that VA has \nseriously flawed policies and procedures. Again, the chart illustrates \nthe extent of the problem. 
One line says ``incorrect user \norganization\'\'--that means the inventory system incorrectly identified \nto whom the equipment was assigned. Look at the numbers--80 percent at \nthe Washington DC medical facility, 69 percent in Indianapolis, and 70 \npercent in San Diego. VA\'s central headquarters does better--``only\'\' \n11 percent, but more than makes up for this with the physical location \nof 44 percent of its IT equipment misidentified in its inventory \ndatabase.\n    The issue of security could not be better illustrated than by the \nphotograph you see over there. That photograph is of an IT equipment \nstoreroom at VA\'s central headquarters. It seems hardly necessary for \nGAO to have pointed out that this storeroom did not meet VA\'s \nrequirements for motion intrusion detection, alarms, secure doors, \nlocks, and special access keys.\n    Security is no small matter, and we are not concerned only about \nhardware. GAO found hard drives at two of the four locations that were \ndesignated as excess property to be disposed of that still had hundreds \nof veteran names and Social Security numbers. This is completely \nunacceptable.\n    I can assure you, we will all be back here. We intend to ask GAO to \nconduct another check of VA\'s inventory system in a few months time, \nand if another hearing turns out to be necessary, we will have one.\n    Last week, Ms. Brown-Waite and I sent a letter to the VA requesting \ncopies of the most recent annual equipment inventory certification \nletters from all facility directors. We also requested a list of all \nfacility directors who did not provide certification for completing \ntheir annual inventories. I would like to thank the VA for their prompt \nresponse to this request.\n\n                                 <F-dash>\n             Prepared Statement of Hon. Ginny Brown-Waite,\n                       Ranking Republican Member\n    Thank you, Mr. Chairman for yielding.\n    Mr. 
Chairman, my goal for this hearing is not just to learn where \nVA is relative to their current IT inventory management, but to learn \nwhere and how they are working to improve security, controls, \nmaintenance and management of their IT equipment. The July 2007 GAO \nreport increased my growing concerns over VA\'s control over its \ninventories, from reading the weekly SOC.\n    The GAO report selected four specific sites for its report. \nDuring this study, fewer than half of the items GAO selected for \ntesting could be located, and most of the items were information \ntechnology (IT) equipment. GAO found that the four VA locations \nreported over 2,400 missing IT equipment items, valued at about $6.4 \nmillion, identified in inventories performed during fiscal years 2005 \nand 2006. Missing items were not always reported right away, and in \nsome cases, not for several years. At one of the locations, 28 percent \nof the items surveyed during the GAO audit were missing.\n    Mr. Chairman, I find this lack of control over equipment completely \nunacceptable. Here in the House of Representatives, our acquisition \noffices perform annual equipment inventories in all offices. The Chief \nAdministrative Officer\'s staff comes into our offices either to tag \nequipment we have received, remove equipment we no longer use, or \ninventory the equipment under our control. By keeping a centralized \nacquisition and inventory process, the House is able to maintain tight \ncontrol over its equipment inventory. Given the results of the GAO \nreport, it appears the VA is unable to do likewise.\n    According to the GAO report, there is also a lack of user-level \naccountability for IT equipment, due to weak overall control of the \nequipment environment. 
The IT personnel and IT coordinators do not have \npossession (physical custody) of all IT equipment under their purview; \ntherefore, they are not held accountable for IT equipment determined to \nbe missing during physical inventories. In my opinion, Mr. Chairman, \nthere needs to be accountability for inventories from the Chief \nExecutive Officer clear down the line to the user who is ultimately \nusing the product.\n    The weekly SOC reports consistently show missing IT-related items \nfrom the VA\'s inventories, whether it is listing old equipment that \npossibly had been disposed of after it was no longer of use to the VA, \nor new equipment that had been stolen. I am heartened to note that the \nVA is working with local and federal law enforcement to track down and \nretrieve newer stolen equipment, but dismayed to see the number of \nequipment items that were either transferred to other facilities and \nnot tracked, or disposed of without the proper notation in the \nequipment inventories.\n    As of February 28, 2007, the GAO report found the four case study \nlocations covered in their current audit reported over 2,400 missing IT \nequipment items with a combined original acquisition value of about \n$6.4 million as a result of inventories VA performed during fiscal \nyears 2005 and 2006. Based on information GAO obtained through March 2, \n2007, the five case study locations previously audited had identified \nover 8,600 missing IT equipment items with a combined original \nacquisition value of over $13.2 million. GAO reported that the missing \nIT items represent record keeping errors or the loss, theft, or \nmisappropriation of IT equipment. The GAO also cited that most \nof the nine case study locations had not consistently performed \nrequired annual physical inventories or completed Reports of Survey \npromptly, which prevented the reporting of missing IT equipment in some \ninstances for several years. 
I am always surprised when I see a SOC \nreporting the first instance of listing a missing piece of IT equipment \nfrom the mid-nineties. Operating systems for this equipment would be \ntotally out of date long ago, and it leaves me wondering just how long \nthe equipment was actually missing before being reported on the SOC.\n    Mr. Chairman, this is not the first time that GAO has reported on \ndeficiencies in information technology equipment controls. In July \n2004, GAO issued a report titled VA Medical Centers: Internal Control \nover Selected Operating Functions Needs Improvement. In this report, \nGAO indicated that the six VA medical centers they audited lacked a \nreliable property control database, which did not produce a complete \nand accurate record of current inventory and compromised effective \nmanagement and security of agency assets. One of the medical centers \nreviewed was also reviewed in the most recent report, and yet issues \nremain. I look forward to hearing from today\'s witnesses, and those who \nare accompanying them, on how the VA is going to move forward to gain \ntighter control over its inventory, and how they plan to follow up on \nGAO\'s recommendations.\n    Thank you, and I yield back my time.\n\n                               __________\n            Prepared Statement of McCoy Williams, Director,\n                  Financial Management and Assurance,\n                 U.S. Government Accountability Office\n                             GAO HIGHLIGHTS\n           Lack of Accountability and Control Weaknesses Over\n                 IT Equipment at Selected VA Locations\nWhy GAO Did This Study\n    In July 2004, GAO reported that the six Department of Veterans \nAffairs (VA) medical centers it audited lacked a reliable property \ncontrol database and had problems with implementation of VA inventory \npolicies and procedures. Fewer than half the items GAO selected for \ntesting could be located. 
Most of the missing items were information \ntechnology (IT) equipment. In light of these concerns and recent thefts \nof laptops and data breaches at VA, this testimony focuses on (1) the \nrisk of theft, loss, or misappropriation of IT equipment at selected \nlocations; (2) whether selected locations have adequate procedures in \nplace to assure accountability and physical security of IT equipment in \nthe excess property disposal process; and (3) what actions VA \nmanagement has taken to address identified IT inventory control \nweaknesses. GAO statistically tested inventory controls at four case \nstudy locations.\nWhat GAO Recommends\n    GAO\'s companion report (GAO-07-505), released with this testimony, \nincludes 12 recommendations to improve VA-wide policies and procedures \nwith respect to controls over IT equipment, including record keeping \nrequirements, physical inventories, user-level accountability, and \nphysical security. VA agreed with GAO\'s findings, noted significant \nactions under way, and concurred on the 12 recommendations.\nWhat GAO Found\n    A weak overall control environment for VA IT equipment at the four \nlocations GAO audited poses a significant security vulnerability to the \nnation\'s veterans with regard to sensitive data maintained on this \nequipment. GAO\'s Standards for Internal Control in the Federal \nGovernment requires agencies to establish physical controls to \nsafeguard vulnerable assets, such as IT equipment, which might be \nvulnerable to risk of loss, and federal records management law requires \nfederal agencies to record essential transactions. However, GAO found \nthat current VA property management policy does not provide guidance \nfor creating records of inventory transactions as changes occur. GAO \nalso found that policies requiring annual inventories of sensitive \nitems, such as IT equipment; adequate physical security; and immediate \nreporting of lost and missing items have not been enforced. 
GAO\'s \nstatistical tests of physical inventory controls at four VA locations \nidentified a total of 123 missing IT equipment items, including 53 \ncomputers that could have stored sensitive data. The lack of user-level \naccountability and inaccurate records on status, location, and item \ndescriptions make it difficult to determine the extent to which actual \ntheft, loss, or misappropriation may have occurred without detection. \nThe table below summarizes the results of GAO\'s statistical tests at \neach location.\n\n\n----------------------------------------------------------------------------------------------------------------\n                                              Washington, DC,    Indianapolis      San Diego     VA headquarters\n              Control failures                 medical center   medical center   medical center      offices\n----------------------------------------------------------------------------------------------------------------\nMissing items in sample                                  28%               6%              10%              11%\n----------------------------------------------------------------------------------------------------------------\nIncorrect user organization                              80%              69%              70%              11%\n----------------------------------------------------------------------------------------------------------------\nIncorrect user location                                  57%              23%              53%              44%\n----------------------------------------------------------------------------------------------------------------\nRecord keeping errors                                     5%               0%               5%               3%\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis.\nNotes: Each of these estimates has a margin of error, based on a two-sided, 95 
percent confidence interval, of\n  ±10 percent or less. Because the four test locations did not record all IT equipment items in their\n  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population\n  of all IT equipment at those locations.\n\n\n    GAO also found that the four VA locations reported over 2,400 \nmissing IT equipment items, valued at about $6.4 million, identified \nduring physical inventories performed during fiscal years 2005 and \n2006. Missing items were often not reported for several months and, in \nsome cases, several years. It is very difficult to investigate these \nlosses because information on specific events and circumstances at the \ntime of the losses is not known. GAO\'s limited tests of computer hard \ndrives in the excess property disposal process found hard drives at two \nof the four case study locations that contained personal information, \nincluding veterans\' names and Social Security numbers. GAO\'s tests did \nnot find any remaining data after sanitization procedures were \nperformed. However, weaknesses in physical security at IT storage \nlocations and delays in completing the data sanitization process \nheighten the risk of data breach. Although VA management has taken some \nactions to improve controls over IT equipment, including strengthening \npolicies and procedures, improving the overall control environment for \nsensitive IT equipment will require a renewed focus, oversight, and \ncontinued commitment throughout the organization.\n\n                               __________\n\nMr. Chairman and Members of the Subcommittee:\n\n    Thank you for the opportunity to discuss our recent audit of \ncontrols over information technology (IT) equipment at the Department \nof Veterans Affairs (VA). 
In light of reported weaknesses in VA \ninventory controls and reported thefts of laptop computers and data \nbreaches, the adequacy of such controls has been an ongoing concern. \nToday, I will summarize the results of our recent work, the details of \nwhich are included in our audit report, which the Subcommittee is \nreleasing today. \\1\\ This audit followed a July 2004 report \\2\\ in \nwhich we identified weak practices and lax implementation of controls \nover equipment at the six VA medical centers we audited. As a result, \npersonnel at the VA medical centers located fewer than half of the 100 \nitems we selected for testing at each of five medical centers and 62 of \n100 items at the sixth medical center. Most of the items that could not \nbe located were computer equipment.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Veterans Affairs: Inadequate Controls over IT Equipment at \nSelected VA Locations Pose Continuing Risk of Theft, Loss, and \nMisappropriation, GAO-07-505 (Washington, DC: July 16, 2007).\n    \\2\\ GAO, VA Medical Centers: Internal Control over Selected \nOperating Functions Needs Improvement, GAO-04-755 (Washington, DC: July \n21, 2004).\n---------------------------------------------------------------------------\n    For today\'s testimony, I will provide the highlights of our current \nfindings related to\n\n    •  the risk of theft, loss, or misappropriation \\3\\ of IT \nequipment \\4\\ at selected VA locations;\n    •  whether selected VA locations have adequate procedures in \nplace to assure physical security and accountability over IT equipment \nin the excess property disposal process; \\5\\ and\n    •  what actions VA management has taken to address \nidentified IT equipment inventory control weaknesses.\n---------------------------------------------------------------------------\n    \\3\\ As used in this testimony, theft and misappropriation both \nrefer to 
the unlawful taking or stealing of personal property, with \nmisappropriation occurring when the wrongdoer is an employee or other \nauthorized user.\n    \\4\\ For the purpose of our test work, we defined IT equipment as \nany equipment capable of processing or storing data, regardless of how \nVA classifies it. Therefore, medical devices that would typically not \nbe classified as IT equipment, but may capture, process, or store \npatient data, were considered IT equipment for this audit.\n    \\5\\ As used in this testimony, the term excess property refers to \nproperty that a federal agency leases or owns that is not required to \nmeet either the agency\'s needs or any other federal agency\'s needs.\n\n    My statement is based on our report on VA IT inventory controls, \nwhich you are releasing today. \\6\\ As part of our audit, we \nstatistically tested IT equipment inventory at selected case study \nlocations. In addition, our investigator inspected physical security at \nIT equipment storage sites. We performed our audit procedures in \naccordance with generally accepted government auditing standards, and \nwe performed our investigative procedures in accordance with quality \nstandards for investigators as set forth by the President\'s Council on \nIntegrity and Efficiency.\n---------------------------------------------------------------------------\n    \\6\\ GAO-07-505.\n---------------------------------------------------------------------------\nSummary\n    Our statistical tests of IT equipment inventory controls at our \nfour VA case study locations identified a total of 123 missing IT \nequipment items, including 53 computers that could have stored \nsensitive data. Our estimates of the percentage of inventory control \nfailures related to these missing items ranged from 6 percent at the \nIndianapolis medical center to 28 percent at the Washington, DC, \nmedical center. 
\\7\\ In addition, we determined that VA property \nmanagement policy does not establish accountability with individual \nusers of IT equipment. Consequently, our control tests identified a \npervasive lack of user-level accountability across the four case study \nlocations and significant errors in recorded IT inventory information \nconcerning user organization and location. As a result, we concluded \nthat for the four case study locations we audited, essentially no one \nwas accountable for IT equipment.\n---------------------------------------------------------------------------\n    \\7\\ Each of these estimates has a margin of error, based on a two-\nsided, 95 percent confidence interval, of ±7 percent or \nless.\n---------------------------------------------------------------------------\n    Our analysis of the results of physical inventories performed by \nthe current four case study locations \\8\\ identified over 2,400 missing \nIT equipment items, with a combined original acquisition value of about \n$6.4 million. In addition, the five other locations we previously \naudited had reported over 8,600 missing IT equipment items with a \ncombined original acquisition value of over $13.2 million. 
Further, we \nfound that missing IT items were often not reported for several months \nand, in some cases, several years, because most of the case study \nlocations had not consistently performed physical inventories or \ncompleted Reports of Survey \\9\\ promptly.\n---------------------------------------------------------------------------\n    \\8\\ The Washington, DC, medical center was covered in both audits.\n    \\9\\ The Report of Survey system is the method used by VA to obtain \nan explanation of the circumstances surrounding loss, damage, or \ndestruction of government property other than through normal wear and \ntear.\n---------------------------------------------------------------------------\n    Our limited tests of computer hard drives in the excess property \ndisposal process at the four case study locations found no data on \nthose hard drives that were certified as sanitized. \\10\\ However, file \ndates on the hard drives we tested indicated that some of them had been \nin the disposal process for several years without being sanitized, \ncreating an unnecessary risk of compromising sensitive personal and \nmedical information. We also found numerous unofficial IT equipment \nstorage locations in VA headquarters area office buildings that did not \nmeet VA physical security requirements. For example, at some VA \nheadquarters locations, excess computer equipment was stored in open or \nunsecured areas.\n---------------------------------------------------------------------------\n    \\10\\ VA information resource management (IRM) personnel and \ncontractors follow National Institute of Standards and Technology \n(NIST) Special Publication 800-88 guidelines as well as more stringent \nDepartment of Defense (DoD) policy in DoD 5220.22-M, National \nIndustrial Security Program Operating Manual, ch. 8, Sec.  
8-301, which \nrequires performing three separate erasures for media sanitization.\n---------------------------------------------------------------------------\n    Since our July 2004 report, VA management has taken some actions \nand has other actions under way to strengthen controls over IT \nequipment, including clarifying property management policies \\11\\ and \ncentralizing functional IT units under the new Chief Information \nOfficer (CIO) organization. Even with these improvements, the \ndepartment had not yet established and ensured consistent \nimplementation of effective controls for accountability of IT equipment \ninventory, and IT inventory responsibilities are not well-defined. \nUntil these shortcomings are addressed, VA will continue to face major \nchallenges in safeguarding IT equipment and sensitive personal data on \nthis equipment from loss, theft, and misappropriation. Our companion \nreport released today includes 12 recommendations to VA to improve the \noverall control environment and strengthen key internal control \nactivities and to increase attention to protecting IT equipment used in \nVA operations. VA generally agreed with our findings, noted significant \nactions under way, and concurred on the 12 recommendations.\n---------------------------------------------------------------------------\n    \\11\\ VA Handbook 7127/4 Sec.  5302.3, ``Inventory of Equipment in \nUse.\'\'\n---------------------------------------------------------------------------\nInadequate IT Inventory Control and Accountability Pose Risk of Loss, \n        Theft, and Misappropriation\n    Our tests of IT equipment inventory controls at four case study \nlocations, including three VA medical centers and VA headquarters, \nidentified a weak overall control environment and a pervasive lack of \naccountability for IT equipment items across the locations we tested. 
\nAs summarized in table 1, our statistical tests of key IT inventory \ncontrols at our four case study locations found significant control \nfailures. None of the case study locations had effective controls to \nsafeguard IT equipment from loss, theft, and misappropriation.\n\n\n              Table 1--Current IT Equipment Inventory Control Failure Rates at Four Test Locations\n----------------------------------------------------------------------------------------------------------------\n                                              Washington, DC,    Indianapolis      San Diego     VA headquarters\n              Control failures                 medical center   medical center   medical center      offices\n----------------------------------------------------------------------------------------------------------------\nMissing items in sample                                  28%               6%              10%              11%\n----------------------------------------------------------------------------------------------------------------\nIncorrect user organization                              80%              69%              70%              11%\n----------------------------------------------------------------------------------------------------------------\nIncorrect user location                                  57%              23%              53%              44%\n----------------------------------------------------------------------------------------------------------------\nRecord keeping errors                                     5%               0%               5%               3%\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis.\nNotes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of\n  ±10 percent or less. 
Because the four test locations did not record all IT equipment items in their\n  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population\n  of all IT equipment at those locations.\n\n\n    Our statistical tests identified a total of 123 lost and missing IT \nequipment items across the four case locations, including 53 IT \nequipment items that could have stored sensitive personal information. \nSuch information could include names and Social Security numbers \nprotected under the Privacy Act of 1974 \\12\\ and personal health \ninformation accorded additional protections from unauthorized release \nunder the Health Insurance Portability and Accountability Act of 1996 \n(HIPAA) and implementing regulations. \\13\\ Although VA property \nmanagement policy \\14\\ establishes guidelines for holding employees and \nsupervisors pecuniarily (financially) liable for loss, damage, or \ndestruction because of negligence and misuse of government property, \nexcept for a few isolated instances, none of the case study locations \nassigned user-level accountability for IT equipment. Instead, these \nlocations relied on information about user organization and user \nlocation, which was often incorrect and incomplete. Under this lax \ncontrol environment, missing IT equipment items were often not reported \nfor several months and, in some cases, several years, until the problem \nwas identified during a physical inventory.\n---------------------------------------------------------------------------\n    \\12\\ Privacy Act of 1974, codified, as amended, at 5 U.S.C. Sec.  \n552a.\n    \\13\\ HIPAA, Pub. L. No. 104-191, Sec.  264, 110 Stat. 1936, 2033-34 \n(Aug. 21, 1996). The Secretary of Health and Human Services has \nprescribed standards for safeguarding medical information in the HIPAA \nMedical Privacy Rule. See 45 C.F.R. pt. 164.\n    \\14\\ VA Handbook 7125, Materiel Management General Procedures, \nSec.  5003 (Oct. 
11, 2005).\n---------------------------------------------------------------------------\nInventory Tests Identified Significant Numbers of Missing Items\n    Our statistical tests of IT equipment existence at the four case \nstudy locations identified a total of 123 missing IT equipment items. \nThe 123 missing IT equipment items included 44 at the Washington, DC, \nmedical center; 9 at the Indianapolis medical center; 17 at the San \nDiego medical center; and 53 at VA headquarters. Our statistical tests \nof missing equipment found that none of the four test locations had \neffective controls.\n    Missing IT equipment items pose not only a financial risk but also \na security risk associated with compromising sensitive personal data \nmaintained on computer hard drives. The 123 missing IT equipment items \nincluded 53 that could have stored sensitive personal information, \nincluding 19 from the Washington, DC, medical center; 3 from the \nIndianapolis medical center; 8 from the San Diego medical center; and \n23 from VA headquarters. Because of a lack of user-level accountability \nand the failure to consistently update inventory records for inventory \nstatus and user location changes, VA officials at our test locations \ncould not determine the user or type of data stored on this equipment \nand therefore the risk posed by the loss of these items.\nPervasive Lack of User-Level Accountability for IT Equipment at Case \n        Study Locations\n    VA management has not enforced VA property management policy and \nhas generally left implementation decisions up to local organizations, \ncreating a nonstandard, high-risk environment. 
Although VA property \nmanagement policy establishes guidelines for user-level accountability, \n\\15\\ the three medical centers we tested assigned accountability for \nmost IT equipment to their information resource management (IRM) or IT \nServices organizations, and VA headquarters organizations tracked IT \nequipment items through their IT inventory coordinators. However, \nbecause these personnel did not have possession (physical custody) of \nall IT equipment under their purview, they were not held accountable \nfor IT equipment determined to be missing during physical inventories. \nBecause of this weak overall control environment, we concluded that at \nthe four case study locations essentially no one was accountable for IT \nequipment.\n---------------------------------------------------------------------------\n    \\15\\ VA Handbook 7125, Materiel Management General Procedures, \nSec.  5003.\n---------------------------------------------------------------------------\n    Absent user-level accountability, accurate information on the using \norganization and location of IT equipment is critical to maintaining \neffective asset visibility and control over IT equipment items. \nHowever, as table 1 shows, we identified high failure rates in our \ntests for correct user organization and location of IT equipment. \nBecause property management system inventory records were inaccurate, \nit is not possible to determine the timing or events associated with \nlost IT equipment as a basis for holding individual employees \naccountable.\n    Although our Standards for Internal Control in the Federal \nGovernment \\16\\ requires timely recording of transactions as part of an \neffective internal control structure and safeguarding of sensitive \nassets, we found that VA\'s property management policy \\17\\ neither \nspecified what transactions were to be recorded for various changes in \ninventory status nor provided criteria for timely recording. 
Further, \nIRM and IT Services personnel responsible for installation, removal, \nand disposal of IT equipment did not record or assure that transactions \nwere recorded by property management officials when these events \noccurred.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Standards for Internal Control in the Federal Government, \nGAO/AIMD-00-21.3.1 (Washington, DC: November 1999).\n    \\17\\ VA Handbook 7127/3, Material Management Procedures, pt. 1, \nSec.  5002-2.3, and VA Handbook 7127/4, Material Management Procedures, \npt. 4, Sec.  5302.3.\n---------------------------------------------------------------------------\nErrors in IT Equipment Inventory Status and Item Description \n        Information\n    We found errors related to the accuracy of other information in IT \nequipment inventory records, including equipment status (e.g., in use, \nturned-in, disposal), serial numbers, model numbers, and item \ndescriptions. As shown in table 1, estimated overall error rates for \nrecord keeping were lower than the error rates for the other control \nattributes we tested. Even so, the errors we identified affect \nmanagement decision making and create waste and inefficiency in \noperations. Many of these errors should have been detected and \ncorrected during annual physical inventories.\nPhysical Inventories by Case Study Locations Identified Thousands of \n        Missing IT Equipment Items Valued at Millions of Dollars\n    To assess the effect of the lax control environment for IT \nequipment, we asked VA officials at the case study locations covered in \nboth our current and previous audits to provide us with information on \nthe results of their physical inventories performed after issuance of \nrecommendations in our July 2004 report, including Reports of Survey \ninformation on identified losses of IT equipment. 
As of February 28, \n2007, the four case study locations covered in our current audit \nreported over 2,400 missing IT equipment items with a combined original \nacquisition value of about $6.4 million as a result of inventories they \nperformed during fiscal years 2005 and 2006. Based on information \nobtained through March 2, 2007, the five case study locations we \npreviously audited had identified over 8,600 missing IT equipment items \nwith a combined original acquisition value of over $13.2 million, $12.4 \nmillion of which was identified at the Los Angeles medical center. \nBecause inventory records were not consistently updated as changes in \nuser organization or location occurred and none of the locations we \naudited required accountability at the user level, it is not possible \nto determine whether the missing IT equipment items represent record \nkeeping errors or the loss, theft, or misappropriation of IT equipment. \nFurther, missing IT equipment items were often not reported for several \nmonths and, in some cases, several years. Although physical inventories \nshould be performed over a finite period, at most of the case study \nlocations, these inventories were not completed for several months or \neven several years while officials performed extensive searches in an \nattempt to locate missing items before preparing Reports of Survey to \nwrite them off. According to VA Police and security specialists, \\18\\ \nit is very difficult to conduct an investigation after significant \namounts of time have passed because the details of the incidents cannot \nbe determined.\n---------------------------------------------------------------------------\n    \\18\\ VA medical centers and other facilities have a VA Police \nService, which provides law enforcement and physical security services, \nincluding security inspections and criminal investigations. The VA \nheadquarters building does not have a police service. 
VA headquarters \nlaw enforcement duties are the responsibility of the Federal Protective \nService.\n---------------------------------------------------------------------------\n    The timing and scope of the physical inventories performed by the \ncase study locations varied. For example, the Indianapolis medical \ncenter had performed annual physical inventories in accordance with VA \npolicy for several years. The Washington, DC, medical center performed \na wall-to-wall physical inventory in response to our July 2004 report. \nIn this case, inventory results reflected several years of activity \ninvolving IT inventory records that had not been updated and lost and \nmissing IT equipment items that had not previously been identified and \nreported. In addition, the San Diego and Houston medical centers had \nnot followed VA policy for including sensitive items, such as IT \nequipment valued at less than $5,000, in their physical inventories.\nPhysical Security Weaknesses Increase Risk of Loss, Theft, and \n        Misappropriation of IT Equipment and Sensitive Data\n    Our investigator\'s inspection of physical security at officially \ndesignated IT warehouses and storerooms at our four case study \nlocations that held new and used IT equipment found that most of these \nstorage facilities met the requirements in VA Handbook 0730/1, Security \nand Law Enforcement. However, not all of the formally designated \nstorage locations at two medical centers had required motion detection \nalarm systems and special door locks. We also found numerous instances \nof informal IT storage areas at VA headquarters that did not meet VA \nphysical security requirements. 
In addition, although VA requires that
hard drives of IT equipment and medical equipment be sanitized prior to
disposal to prevent unauthorized release of sensitive personal and
medical information, we found weaknesses in the disposal process that
pose a risk of data breach related to sensitive personal information
residing on hard drives in the property disposal process that have not
yet been sanitized.
Weaknesses in Procedures for Controlling Excess Computer Hard Drives
    VA requires that hard drives of excess computers be sanitized prior
to reuse or disposal because they can store sensitive personal and
medical information used in VA programs and activities, which could be
compromised and used for unauthorized purposes. For example, our
limited tests of excess computer hard drives in the disposal process
that had not yet been sanitized found hundreds of unique names and
Social Security numbers on VA headquarters computers and detailed
medical histories with Social Security numbers on computer hard drives
at the San Diego medical center. Our limited tests of hard drives that
were identified as having been subjected to data sanitization
procedures did not find data remaining on these hard drives. However,
our limited tests identified some problems that could pose a risk of
data breach with regard to sensitive personal and medical information
on hard drives in the disposal process that had not yet been sanitized.
For example, our IT security specialist noted excessive delays--up to 6
years--in performing data sanitization once the computer systems had
been identified for disposal, posing an unnecessary risk of losing the
sensitive personal and medical information contained on those systems.
Physical Security Weaknesses at IT Storage Locations Pose Risk of Data
        Breach
    VA Handbook 0730/1, Security and Law Enforcement, prescribes
physical security requirements for storage of new and used IT
equipment, requiring storerooms to have walls to ceiling height,
overhead barricades that prevent ``up and over'' access from adjacent
rooms, motion intrusion detection alarm systems, and special key
control, meaning room door lock keys and day lock combinations that are
not master keyed for use by others. Most of the designated IT equipment
storage facilities at the four case study locations met VA IT physical
security requirements; however, we identified deficiencies related to
lack of intrusion detection systems at the Washington, DC, and San
Diego medical centers and inadequate door locks at the Washington, DC,
medical center. In response to our findings, these facilities initiated
actions to correct these weaknesses.
    We also found numerous informal, undesignated IT equipment storage
locations that did not meet VA physical security requirements. For
example, at the VA headquarters building, our investigator found that
the physical security specialist was unaware of the existence of IT
equipment in some storerooms. Consequently, these storerooms had not
been subjected to required physical security inspections. Further,
during our statistical tests, we observed one IT equipment storeroom in
the VA headquarters building IT Support Services area that had a
separate wall, but no door. The wall opening into the storeroom had
yellow tape labeled ``CAUTION'' above the doorway.
The storeroom was
within an IT work area that had dropped ceilings that could provide
``up and over'' access from adjacent rooms, and it did not meet VA's
physical security requirements for motion intrusion detection and
alarms and secure doors, locks, and special access keys. In another
headquarters building, we observed excess IT equipment stacked in the
corners of a large work area that had multiple doors and open access to
numerous individuals. We also found that VA headquarters IT
coordinators used storerooms and closets with office-type door locks
and locked filing cabinets in open areas to store IT equipment that was
not currently in use. The failure to provide adequate security leaves
the information stored on these computers vulnerable to data breach.
Status of VA Actions to Improve IT Equipment Management
    Mr. Chairman, although VA strengthened existing property management
policy \19\ in response to recommendations in our July 2004 report,
issued several new policies to establish guidance and controls for IT
security, and reorganized and centralized the IT function within the
department under the CIO, additional actions are needed to establish
effective control in this area. For example, pursuant to
recommendations made in our July 2004 report, VA updated its property
management policy to clarify that IT equipment valued at under $5,000
is to be included in annual inventories. However, as noted in this
testimony and described in more detail in our companion report, VA had
not taken action to assure that these items were, in fact, subjected to
physical inventory. In addition, the new CIO organization has no formal
responsibility for medical equipment that stores or processes patient
data and does not address roles or necessary coordination between IRM
and property management personnel with regard to inventory control of
IT equipment.
The Assistant Secretary for Information and Technology,
who serves as the CIO, told us that the new CIO organization structure
will include a unit that will have responsibility for IT equipment
asset management once it becomes operational. However, this unit has
not yet been funded or staffed. To assure accountability and
safeguarding of sensitive IT equipment, effective implementation will
be key to the success of VA IT policy and organizational changes.
---------------------------------------------------------------------------
    \19\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11,
2005).
---------------------------------------------------------------------------
    Our companion report released today made 12 recommendations to VA
to strengthen accountability of IT equipment and minimize the risk of
theft, loss, misappropriation, and compromise of sensitive data. These
included recommendations for revising policies related to record
keeping requirements to document essential inventory events and
transactions, ensuring that physical inventories are performed in
accordance with VA policy, enforcing user-level accountability for IT
equipment, and strengthening physical security of IT equipment storage
locations. VA management agreed with our findings and concurred with
all 12 recommendations. In VA's written comments provided to us, it
noted actions planned or under way to address our recommendations.
Concluding Remarks
    Poor accountability and a weak control environment have left the
four VA case study organizations vulnerable to continuing theft, loss,
and misappropriation of IT equipment and sensitive personal data.
To
provide a framework for accountability and security of IT equipment,
the Secretary of Veterans Affairs needs to establish clear,
sufficiently detailed mandatory agency wide policies rather than
leaving the details of how policies will be implemented to the
discretion of local VA organizations. Keys to safeguarding IT equipment
are effective internal controls for the creation and maintenance of
essential transaction records; a disciplined framework for specific,
individual user-level accountability, whereby employees are held
accountable for property assigned to them, including appropriate
disciplinary action for any lost equipment; and maintaining adequate
physical security over IT equipment items. Although VA management has
taken some actions to improve inventory controls, strengthening the
overall control environment and establishing and implementing specific
IT equipment controls will require a renewed focus, oversight, and
continuing commitment throughout the organization. We appreciate VA's
positive response to our current recommendations and planned actions to
address them. If effectively implemented, these actions will go a long
way to assuring that the weaknesses identified in our last two audits
of VA IT equipment will be effectively resolved in the near future.
    Mr. Chairman and Members of the Subcommittee, this concludes my
statement. I would be pleased to answer any questions that you may have
at this time.
Contacts and Acknowledgments
    For further information about this testimony, please contact McCoy
Williams at (202) 512-9095 or williamsm1@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this statement. Major contributors to this
testimony include Gayle L.
Fischer, Assistant Director; Andrew
O'Connell, Assistant Director and Supervisory Special Agent; Abe
Dymond, Assistant General Counsel; Monica Perez Anatalio; James D.
Ashley; Francine DelVecchio; Lauren S. Fassler; Dennis Fauber; Jason
Kelly; Steven M. Koons; Christopher D. Morehouse; Lori B. Tanaka; Chris
J. Rodriguez; Special Agent Ramon J. Rodriguez; and Danietta S.
Williams. In addition, technical expertise was provided by Keith A.
Rhodes, Chief Technologist, and Harold Lewis, Assistant Director,
Information Technology Security, Applied Research and Methods.

                                 <F-dash>
              Prepared Statement of Hon. Robert T. Howard,
 Assistant Secretary for Information Technology and Chief Information
              Officer, U.S. Department of Veterans Affairs
    Thank you, Mr. Chairman. I would like to thank you for the
opportunity to testify on IT asset management within the Department of
Veterans Affairs. I am joined today by Mr. Robert J. Henke, Assistant
Secretary for Management. I am also accompanied by:

    <bullet>  Ms. Adair Martinez, my Deputy Assistant Secretary for
Information Protection and Risk Management
    <bullet>  Mr. Ray Sullivan, my Director of Field Operations
    <bullet>  Mr. Arnie Claudio, my Director for IT Oversight and
Compliance
    <bullet>  Mr. Fernando O. Rivera, Director of the Washington DC VA
Medical Center and
    <bullet>  Mr. Steve Robinson, Chief Acquisition and Materiel
Management Service for the Washington DC VA Medical Center

    IT asset management is a critically important issue that also has a
direct bearing on our ability to enhance information protection
throughout VA. As you know, a recent GAO report (GAO report 07-505) on
VA's IT asset management found inadequate controls and risk associated
with theft, loss, and misappropriation of IT equipment at selected VA
locations.
In that report, GAO found inadequate accountability and
included a number of important recommendations--with which we agree.
    As the Chief Information Officer for VA, I am responsible for
ensuring compliance with the integrity and security of VA's IT assets.
I understand that when poor IT inventory procedures exist, both the
loss of expensive equipment, as well as the loss of any sensitive
information resident on the equipment, could occur. This is a situation
of the utmost importance. It is a situation that we are working hard to
remedy. I am prepared to answer your questions today about procedures
that already exist, as well as more rigorous and standard procedures
that are being implemented.
    The GAO findings demonstrate a need for more emphasis and vigilance
in this area. With the establishment of a single IT authority in the
VA, we are now in a much better posture to improve the IT asset
management situation and have a number of actions already underway. We
currently have several systems in VA that capture IT assets, and we are
working to standardize this and move to a single IT asset management
system.
    We have been able to locate some of the equipment that was reported
missing. For example, regarding the items of missing equipment that
were assigned to the previous Office of Information and Technology
organization, we have been able to locate most of them. We assembled a
team to conduct a search for missing items (e.g. network equipment,
servers, digital cameras, and so forth, et cetera) that were assigned
to the Office of Information and Technology prior to the consolidation
of IT in VA.
At the end of this review, which took place over a 3-month
period, the team had located about 90 percent of the equipment and
although much of the equipment was found, the lack of accountability
was clearly evident.
    To improve our asset management and accountability within VA, a
special team has been established to develop standard procedures. A new
Directive and accompanying Handbook on the Control of Information
Technology Equipment within the VA have been prepared and we have
already implemented some of the procedures they describe. The Directive
and Handbook will provide clear direction on all aspects of IT asset
management.
    Additionally, we have expanded the responsibilities of my Office of
Information Technology Oversight and Compliance. This office was
established in February 2007 to conduct on-site assessments of IT
security, privacy and records management at VA facilities. As of today,
the office has completed over 58 assessments. The oversight of physical
security for IT assets is now a part of their assessment routine. The
results of the reviews will help us support and strengthen VA IT
security controls. This office ensures that facilities are aligned with
the National Institute of Standards and Technology's recommended
security controls for Federal Information Systems.
    We must also increase awareness at the individual user-level
regarding accountability for IT equipment. The new Directive and
Handbook, mentioned earlier, will require employees, who have been
assigned VA IT equipment, to sign a receipt for the IT equipment in
their possession. Supervisors will be held responsible for common
equipment that is not assigned to individuals. The receipt used is the
printout of the Equipment Inventory List, which describes equipment
assigned to employees by name. These procedures have already been
implemented.
We
have also begun to deploy network monitoring software that will help us
detect and monitor any device that is connected to the VA network.
    Special procedures are also being implemented for equipment that
may be considered ``expendable'' but which must be accounted for, not
because of the cost, but because the equipment has the potential for
storing sensitive information. An example of such low-cost IT equipment
that must be tracked are the encrypted thumb drives being distributed
throughout the VA.
    In closing, I want to assure you Mr. Chairman that we will remain
focused in our efforts to improve all aspects of the Information and
Technology environment in the VA--including the overall accountability
and control of IT equipment. This will not only reduce the risk of loss
of expensive equipment but also the potential loss of sensitive
information the equipment may contain. Thank you for your time and the
opportunity to speak on this issue. I would be happy to answer any
questions you may have.

                                 <F-dash>
                                      Congress of the United States
                                                     Washington, DC
                                                      July 24, 2007

Dear Members of the House Veterans' Affairs Committee Subcommittee on
Oversight and Investigations,

    I would like to submit for the record my most sincere apologies for
my absence this afternoon. An unexpected family emergency has called me
away from my Congressional duties. While I would like very much to be
in attendance to review the GAO and VA testimony regarding IT Inventory
Management, I must attend to my daughter who has fallen ill.
    I appreciate your understanding on this matter.
Please know that I
remain committed as ever to the important work of this Subcommittee and
those that it serves.

            Sincerely,
                                                         Zack Space
                                                 Member of Congress

                                 <F-dash>
                  Statement of the Hon. Cliff Stearns,
         a Representative in Congress from the State of Florida
Mr. Chairman,

    Thank you for holding this very important hearing regarding
inventory management of the VA's IT equipment. I have long been
concerned regarding the security of personal information at the VA,
particularly with regard to the immediate need to equip each laptop
with basic security encryption. However, there is a critical oversight
we must address before we can fully encrypt all VA laptops, and that is
we do not know how many laptops there are to secure! The VA has yet to
complete a full and accurate accounting of all its IT equipment and
systems. Without that, it is a fool's errand to pursue real IT
security.
    On February 28, 2007, we heard testimony from Mr. Gregory Wilshusen
of the GAO that the Department of Veterans Affairs needed to address
longstanding weaknesses in its IT security. He testified that the GAO
had made several recommendations in 2002 for improving security
management, including the basic restriction of access to IT equipment
and network to only authorized users. However, Mr. Wilshusen summarized
that, ``In the auditors' report on internal controls prepared at the
completion of VA's 2006 financial statement audit, information
technology security controls were identified as a material weakness
because of serious weaknesses related to access control, segregation of
duties, change control, and service continuity.
These areas of weakness
are virtually identical to those that we had identified years
earlier.'' And here we are again to hear basically the same testimony
as a result of yet another investigation of IT security by the GAO.
    In its most recent report, the GAO stated that the six VA medical
centers it audited lacked a reliable property control database and had
problems with implementation of VA inventory policies and procedures.
They then make several recommendations, such as clarifying existing
policy regarding sensitive items that must be accounted for in the
property control records; providing a more comprehensive list of the
type of personal property assets that are considered sensitive for
accountability purposes; and reinforcing the VA's requirement to attach
bar code labels to agency property. Unfortunately, GAO's tests of
physical inventory controls at four VA locations identified 123 missing
IT equipment items that could have stored sensitive data, including 53
missing computers! At these locations, investigators discovered there
were over 2,400 missing IT equipment items, totaling around $6.4
million. Immediate reporting of missing items as recommended by the GAO
in 2002 is clearly not followed through in practice, as many missing
items were not reported for several months and, in some cases, several
years.
    This dangerous mix of a lack of user accountability and hopelessly
inaccurate records creates an environment that will lead to further
loss of equipment, and makes another security breach highly likely. For
these IT security weaknesses to have been identified and yet
unaddressed for over five years is frankly inexcusable.
I look forward
to hearing from our panel of witnesses regarding what steps they are
taking now to correct this problem, and how they will work to ensure
that this round of recommendations is implemented department wide.

            Thank you.

                                 <F-dash>
                 U.S. GOVERNMENT ACCOUNTABILITY OFFICE,
                   REPORT TO CONGRESSIONAL REQUESTERS
                               July 2007
Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA
 Locations Pose Continuing Risk of Theft, Loss, and Misappropriation,
                               GAO-07-505
GAO Highlights
    Highlights of GAO-07-505, a report to congressional requesters
Why GAO Did This Study
    In July 2004, GAO reported that the six Department of Veterans
Affairs (VA) medical centers it audited lacked a reliable property
control database and had problems with implementation of VA inventory
policies and procedures. Fewer than half the items GAO selected for
testing could be located. Most of the missing items were information
technology (IT) equipment. Given recent thefts of laptops and data
breaches, the requesters were concerned about the adequacy of physical
inventory controls over VA IT equipment. GAO was asked to determine (1)
the risk of theft, loss, or misappropriation of IT equipment at
selected locations; (2) whether selected locations have adequate
procedures in place to assure accountability and physical security of
IT equipment in the excess property disposal process; and (3) what
actions VA management has taken to address identified IT inventory
control weaknesses. GAO statistically tested inventory controls at four
case study locations.
What GAO Found
    A weak overall control environment for VA IT equipment at the four
locations GAO audited poses a significant security vulnerability to the
nation's veterans with regard to sensitive data maintained on this
equipment.
GAO's Standards for Internal Control in the Federal
Government requires agencies to establish physical controls to
safeguard vulnerable assets, such as IT equipment, which might be
vulnerable to risk of loss, and federal records management law requires
federal agencies to record essential transactions. However, GAO found
that current VA property management policy does not provide guidance
for creating records of inventory transactions as changes occur. GAO
also found that policies requiring annual inventories of sensitive
items, such as IT equipment; adequate physical security; and immediate
reporting of lost and missing items have not been enforced. GAO's
statistical tests of physical inventory controls at four VA locations
identified a total of 123 missing IT equipment items, including 53
computers that could have stored sensitive data. The lack of user-level
accountability and inaccurate records on status, location, and item
descriptions make it difficult to determine the extent to which actual
theft, loss, or misappropriation may have occurred without detection.
The table below summarizes the results of GAO's statistical tests at
each location.


                          Current IT Inventory Control Failures at Four Test Locations
----------------------------------------------------------------------------------------------------------------
              Control failures                 Washington, DC    Indianapolis      San Diego      VA HQ offices
----------------------------------------------------------------------------------------------------------------
Missing items                                            28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect location                                       57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  <plus-minus>10 percent or less.


    GAO also found that the four VA locations reported over 2,400
missing IT equipment items, valued at about $6.4 million, identified
during physical inventories performed during fiscal years 2005 and
2006. Missing items were often not reported for several months and, in
some cases, several years.
It is very difficult to investigate these
losses because information on specific events and circumstances at the
time of the losses is not known. GAO's limited tests of computer hard
drives in the excess property disposal process found hard drives at two
of the four case study locations that contained personal information,
including veterans' names and Social Security numbers. GAO's tests did
not find any remaining data after sanitization procedures were
performed. However, weaknesses in physical security at IT storage
locations and delays in completing the data sanitization process
heighten the risk of data breach. Although VA management has taken some
actions to improve controls over IT equipment, including strengthening
policies and procedures, improving the overall control environment for
sensitive IT equipment will require a renewed focus, oversight, and
continued commitment throughout the organization.
What GAO Recommends
    GAO makes 12 recommendations to improve VA-wide policies and
procedures with respect to controls over IT equipment, including record
keeping requirements, physical inventories, user-level accountability,
and physical security. VA agreed with GAO's findings, noted significant
actions under way, and concurred on the 12 recommendations.
                               __________
                                CONTENTS

                                                                   Page
Letter...........................................................    45

    Results in Brief.............................................    46
    Background...................................................    48
    Inadequate IT Inventory Control and Accountability Pose Risk
      of Loss, Theft, and Misappropriation.......................    51
    Physical Security Weaknesses Increase Risk of Loss, Theft,
      and Misappropriation of IT Equipment and Sensitive Data....    60
    VA Actions to Improve IT Management and Controls Have Been
      Limited....................................................    63
    Conclusions..................................................    64
    Recommendations for Executive Action.........................    64
    Agency Comments and Our Evaluation...........................    65

Appendix I: Objectives, Scope, and Methodology...................    65

Appendix II: Comments from the Department of Veterans Affairs....    68

Appendix III: GAO Contact and Staff Acknowledgments..............    72

Tables

    Table 1: Current IT Equipment Inventory Control Failure Rates
      at Four Test Locations.....................................    52
    Table 2: Number of Missing IT Equipment Items at Four Test
      Locations, Including Items That Could Have Stored Sensitive
      Information................................................    53
    Table 3: Number of Missing IT Equipment Items by Headquarters
      Office and Missing Items That Could Have Stored Sensitive
      Personal Data and Information..............................    55
    Table 4: Estimated Percentage of IT Inventory Control
      Failures Related to Correct User and Location at the Four
      Test Locations.............................................    56
    Table 5: Estimated Percentage of Other IT Inventory Record
      Keeping Failures at Four Test Locations....................    57
    Table 6: Summary of Physical Inventories and Missing IT
      Equipment Identified by the Four Current Case Study
      Locations as of February 28, 2007..........................    59
    Table 7: Summary of Physical Inventories and Missing IT
      Equipment Identified by Five Case Study Locations
      Previously Audited as of March 2, 2007.....................    60
    Table 8: Population of VA IT Equipment at Locations Selected
      for Testing................................................    66
    Table 9: Number of Computer Hard Drives in the Property
      Disposal Process Selected for Testing at Four Locations....    67

Figures

    Figure 1: VA's IT Property Management Process................    49
    Figure 2: Photograph of Unsecured IT Equipment Storeroom in
      the VA Headquarters Building...............................    62
Abbreviations

AEMS/MERS: Automated Engineering Management System/Medical Equipment
Repair Service
CFR: Code of Federal Regulations
CIO: Chief Information Officer
CMR: consolidated memorandum receipt
DoD: Department of Defense
EIL: equipment inventory listing
FMFIA: Financial Managers' Financial Integrity Act 1982
HHS: Department of Health and Human Services
HIPAA: Health Information Portability and Accountability Act 1996
IFCAPS: Integrated Funds Distribution Control Point Activity,
Accounting, and Procurement System
IRM: information resource management
IT: information technology
MRI: magnetic resonance imaging
NARA: National Archives and Records Administration
NIST: National Institute of Standards and Technology
USB: universal serial bus
USC: United States Code
VA: Department of Veterans Affairs
VHA: Veterans Health Administration
VISN: Veterans Integrated Service Network

                                 <F-dash>
                             U.S. Government Accountability Office:
                                               Washington, DC 20548
                                                      July 16, 2007

The Honorable Bob Filner
Chairman
The Honorable Steve Buyer
Ranking Member
Committee on Veterans' Affairs
House of Representatives

The Honorable Harry E. Mitchell
Chairman
The Honorable Ginny Brown-Waite
Ranking Member
Subcommittee on Oversight and Investigations
Committee on Veterans' Affairs
House of Representatives

    In light of reported weaknesses in Department of Veterans Affairs
(VA) inventory controls and reported thefts of laptop computers and
data breaches, you were concerned about the adequacy of controls over
VA information technology (IT) equipment. In July 2004, we reported \1\
that the six VA medical centers we audited lacked a reliable property
control database, which did not produce a complete and accurate record
of current inventory and compromised effective management and security
of agency assets. We found that key policies and procedures established
by VA to control personal property provided facilities with substantial
latitude in conducting physical inventories \2\ and maintaining their
property management systems, which resulted in reduced property
accountability. For example, VA's Handbook 7127/3, Materiel Management
Procedures \3\ allowed the person responsible for custody of VA
property to attest to the existence of that property rather than
requiring independent verification. Also, personnel at some locations
interpreted a policy that established a $5,000 threshold for property
that must be inventoried as a license to ignore VA requirements to
account for sensitive, lower cost items that are susceptible to theft
or loss, such as personal computers and peripheral equipment. Personnel
at the VA medical centers, which are part of the Veterans Health
Administration (VHA), located fewer than half of the 100 items we
selected for testing at each of five medical centers and 62 of 100
items at the sixth medical center. Most of the items that could not be
located were computer equipment.
Based on our work, we concluded in our \nJuly 2004 report that these weak practices, combined with lax \nimplementation, resulted in low levels of accountability and heightened \nrisk of loss.\n---------------------------------------------------------------------------\n    \\1\\ GAO, VA Medical Centers: Internal Control over Selected \nOperating Functions Needs Improvement, GAO-04-755 (Washington, DC July \n21, 2004).\n    \\2\\ Physical inventory is the process of reconciling personal \nproperty records with the property actually on hand.\n    \\3\\ Department of Veterans Affairs, VA Handbook 7127/3, Materiel \nManagement Procedures.\n---------------------------------------------------------------------------\n    During 2006, VA employed nearly 235,000 employees and relied on an \nundetermined number of contractors, volunteers, and students to support \nits operations. VA provided these individuals a wide range of IT \nequipment, \\4\\ including desktop and laptop computers, monitors and \nprinters, personal digital assistants, unit-level workstations, local \narea networks, and medical equipment with memory and data processing/\ncommunication capabilities. VA information resource management (IRM) \nand property management personnel share responsibility for management \nof IT equipment inventory.\n---------------------------------------------------------------------------\n    \\4\\ For the purpose of this audit, we defined IT equipment as any \nequipment capable of processing or storing data, regardless of how VA \nclassifies it. 
Therefore, medical devices that would typically not be \nclassified as IT equipment, but may capture, process, or store patient \ndata, were considered IT equipment for this audit.\n---------------------------------------------------------------------------\n    This report responds to your request that we perform follow-up work \nto determine (1) the risk of theft, loss, or misappropriation \\5\\ of IT \nequipment at selected VA locations; (2) whether selected VA locations \nhave adequate procedures in place to assure physical security and \naccountability over IT equipment in the excess property disposal \nprocess; \\6\\ and (3) what actions VA management has taken to address \nidentified IT equipment inventory control weaknesses. In assessing the \nrisk of theft, loss, or misappropriation of IT equipment, you also \nasked that we consider the results of physical inventories performed by \nthe four case study locations covered in this audit and the six medical \ncenters we previously audited. \\7\\\n---------------------------------------------------------------------------\n    \\5\\ As used in this report, theft and misappropriation both refer \nto the unlawful taking or stealing of personal property, with \nmisappropriation occurring when the wrongdoer is an employee or other \nauthorized user.\n    \\6\\ As used in this report, the term excess property refers to \nproperty that a federal agency leases or owns that is not required to \nmeet either the agency\'s needs or any other federal agency\'s needs.\n    \\7\\ The Washington, DC, medical center was also covered in our 2004 \nreport.\n---------------------------------------------------------------------------\n    To achieve our first two objectives, we used a case study approach, \nselecting VA medical centers located in Washington, DC, Indianapolis, \nIndiana, and San Diego, California; associated clinics; and VA \nheadquarters organizations for our test work. 
To determine the risk of \ntheft, loss, or misappropriation of IT equipment at these locations, we \nstatistically tested IT equipment inventory to determine the \neffectiveness of controls relied on for accurate recording of inventory \ntransactions, including existence (meaning IT equipment items listed in \ninventory records exist and can be located), user-level accountability, \nand inventory record accuracy. As requested, we also obtained and \nanalyzed the results of physical inventories performed by the case \nstudy locations covered in our current and our previous audits. In \naddition, our investigator assessed physical security of IT equipment \nstorerooms and procedures for reporting lost and missing items to VA \nlaw enforcement officials at our four current case study locations. To \ndetermine if the four case study locations had adequate procedures in \nplace for proper disposal of excess IT equipment, we assessed \nprocedures for security and accountability of excess IT equipment and \nindependently tested a limited selection of computer hard drives for \nproper removal of data and compliance with VA property management \npolicies. We performed sufficient procedures to determine that \ninventory data at the test locations were reliable for the purpose of \nour audit. \\8\\ We conducted our audit and investigation from September \n2006 through March 2007. We performed our audit procedures in \naccordance with generally accepted government auditing standards, and \nwe performed our investigative procedures in accordance with quality \nstandards for investigators as set forth by the President\'s Council on \nIntegrity and Efficiency. We obtained agency comments on a draft of \nthis report. 
A detailed discussion of our objectives, scope, and \nmethodology is included in appendix I.\n---------------------------------------------------------------------------\n    \\8\\ The universe of IT equipment items for the four test locations \ndid not include the population of all IT equipment at those locations. \nTherefore, we can project our test results to the universe of current, \nrecorded IT equipment inventory at each location, but not the \npopulation of all IT equipment. Our tests were specific to each of the \ncase study locations and cannot be projected to VA IT equipment \ninventory as a whole.\n---------------------------------------------------------------------------\nResults in Brief\n    A weak overall control environment and pervasive weaknesses in \ninventory control and accountability at the four locations we audited \nput IT equipment at risk of theft, loss, and misappropriation and pose \na continuing security vulnerability to our Nation\'s veterans with \nregard to sensitive data maintained on this equipment. Our Standards \nfor Internal Control in the Federal Government\\9\\ requires agencies to \nestablish physical control to secure and safeguard vulnerable assets, \nsuch as equipment that might be vulnerable to risk of loss or \nunauthorized use. Further, federal records management law and \nregulations require agencies to create and maintain records of \nessential transactions, including property records, as part of an \neffective internal control structure. However, we found that current VA \nproperty management policy does not provide guidance for recording IT \nequipment inventory transactions as events occur. We also found that \ncertain other VA policies have not been enforced, including policies \nrequiring (1) user-level accountability; (2) annual inventories of \nsensitive items, including IT equipment; (3) adequate physical \nsecurity; and (4) immediate reporting of lost and missing items. 
Our \nstatistical tests of IT equipment inventory controls at our four VA \ncase study locations identified a total of 123 missing IT equipment \nitems, including 53 computers that could have stored sensitive data. We \nestimate the percentage of inventory control failures related to these \nmissing items to be 6 percent at the Indianapolis medical center, 10 \npercent at the San Diego medical center, 28 percent at the Washington, \nDC, medical center, and 11 percent for VA headquarters organizations. \n\\10\\ In addition, although VA property management policy establishes \nguidelines for user-level accountability, we found a pervasive lack of \nuser-level accountability across the four case study locations, and \nsignificant errors in recorded IT inventory information concerning user \norganization and location. As a result, for the four case study \nlocations, we concluded that under the lax control environment, \nessentially no one was accountable for IT equipment. The lack of user-\nlevel accountability and inaccurate records on status, location, and \nitem descriptions make it difficult to determine the extent to which \nactual theft, loss, or misappropriation may have occurred without \ndetection at the case study locations.\n---------------------------------------------------------------------------\n    \\9\\ GAO, Standards for Internal Control in the Federal Government, \nGAO/AIMD-00-21.3.1 (Washington, DC November 1999).\n    \\10\\ Each of these estimates has a margin of error, based on a two-\nsided, 95 percent confidence interval, of ±7 percent or \nless.\n---------------------------------------------------------------------------\n    Our follow-up on the results of physical inventories performed by \nthe four case study locations included in our current audit and the \nfive other case study locations from our previous audit found that the \ncase study locations identified thousands of missing IT equipment items \nvalued at tens of 
millions of dollars. For example, the four case study \nlocations included in our current audit reported over 2,400 missing IT \nequipment items, with a combined original acquisition value of about \n$6.4 million. Information we obtained as of March 2, 2007, showed that \nthe five other locations we previously audited had identified over \n8,600 missing IT equipment items with a combined original acquisition \nvalue of over $13.2 million. One of the four case study locations in \nour current audit and three of the five other case study locations \ncovered in our previous audit had not yet completed Reports of Survey \n\\11\\ on losses identified in their physical inventories. Because none \nof the nine case study locations consistently recorded transactions as \nchanges in IT equipment inventory status and location occurred, it is \nnot possible to determine the disposition of IT equipment items that \ncannot be located. When attempts to locate missing IT equipment items \nwere unfruitful, the losses were administratively reported for record \nkeeping purposes, including the authorization to write them off in the \nproperty records. According to VA Police and security specialists, \\12\\ \nwhen losses are not immediately identified and reported, it is very \ndifficult to conduct an investigation because information about the \nspecific events and circumstances of the losses is no longer available.\n---------------------------------------------------------------------------\n    \\11\\ The Report of Survey system is the method used by VA to obtain \nan explanation of the circumstances surrounding loss, damage, or \ndestruction of government property other than through normal wear and \ntear.\n    \\12\\ VA medical centers and other facilities have a VA Police \nService, which provides law enforcement and physical security services, \nincluding security inspections and criminal investigations. The VA \nheadquarters building does not have a police service. 
VA headquarters \nlaw enforcement duties are the responsibility of the Federal Protective \nService.\n---------------------------------------------------------------------------\n    Our limited tests of computer hard drives in the excess property \ndisposal process at the four case study locations found no data on \nthose hard drives that were certified as sanitized. \\13\\ However, at \ntwo of the four test locations, we found that hard drives not yet \nsubjected to data sanitization contained hundreds of names and Social \nSecurity numbers. Further, file dates on the hard drives we tested \nindicate that some of them had been in the disposal process for several \nyears without being sanitized, creating an unnecessary risk that \nsensitive personal and medical information could be compromised. \nExcessive delays in completing data sanitization processes and \nnoncompliance with VA physical security policy heighten the risk of \ndata breach related to sensitive personal information residing on hard \ndrives in the excess property disposal process. For example, we found \nnumerous unofficial IT equipment storage locations in VA headquarters \narea office buildings that did not meet VA physical security \nrequirements. One IT storeroom at the VA headquarters building did not \nhave a door. At other VA headquarters buildings, we found IT equipment \nstored in open areas, closets, and filing cabinets. These storage \nlocations did not meet VA physical security requirements for secure \nwalls, doors, locks, special keys, and intrusion detection alarms.\n---------------------------------------------------------------------------\n    \\13\\ VA IRM personnel and contractors follow National Institute of \nStandards and Technology (NIST) Special Publication 800-88 guidelines \nas well as more stringent Department of Defense (DoD) policy in DoD \n5220.22-M, National Industrial Security Program Operating Manual, ch. \n8, Sec.  
8-301, which requires performing three separate erasures for \nmedia sanitization.\n---------------------------------------------------------------------------\n    Since our July 2004 report, VA management has taken some actions \nand has other actions under way to strengthen controls over IT \nequipment. For example, on October 11, 2005, VA revised its Materiel \nManagement Procedures\\14\\ to emphasize that requirements for annual \ninventories of sensitive items valued at under $5,000 include IT \nequipment. On August 4, 2006, VA issued a new directive entitled \nInformation Security Program, which requires, in part, periodic \nevaluations and testing of the effectiveness of all management, \noperational, and technical controls and calls for procedures for \nimmediately reporting and responding to security incidents. In December \n2006, VA\'s new Chief Information Officer (CIO) centralized functional \nIT units across local VA organizations under the CIO organization. \nDespite these improvements, the department has not yet established and \nensured consistent implementation of effective controls for \naccountability of IT equipment inventory, and IT inventory \nresponsibilities shared by IRM and property management personnel are \nnot well-defined. Until these shortcomings are addressed, VA will \ncontinue to face major challenges in safeguarding IT equipment and \nsensitive personal data on this equipment from loss, theft, and \nmisappropriation.\n---------------------------------------------------------------------------\n    \\14\\ VA Handbook 7127/4 Sec.  5302.3, ``Inventory of Equipment in \nUse.\'\'\n---------------------------------------------------------------------------\n    This report contains 12 recommendations to VA to further improve \nthe overall control environment and strengthen key internal control \nactivities and to increase attention to protecting IT equipment used in \nVA operations. 
In comments on a draft of this report, VA generally \nagreed with our findings, noted significant actions under way, and \nconcurred on the 12 recommendations. VA also provided technical \ncomments. VA\'s comments, including its technical comments, are \ndiscussed in the Agency Comments and Our Evaluation section of this \nreport. VA\'s written comments are reprinted in appendix II.\nBackground\n    VA\'s mission is to serve America\'s veterans and their families and \nto be their principal advocate in ensuring that they receive medical \ncare, benefits, and social support in recognition of their service to \nour nation. VA, headquartered in Washington, DC, is the second largest \nfederal department and has over 235,000 employees, including \nphysicians, nurses, counselors, statisticians, computer specialists, \narchitects, and attorneys. VA carries out its mission through three \nmajor line organizations--VHA, Veterans Benefits Administration, and \nNational Cemetery Administration--and field facilities throughout the \nUnited States. VA provides services and benefits through a nationwide \nnetwork of 156 hospitals, 877 outpatient clinics, 136 nursing homes, 43 \nresidential rehabilitation treatment programs, 207 readjustment \ncounseling centers, 57 veterans\' benefits regional offices, and 122 \nnational cemeteries.\nPreviously Reported Weaknesses in IT Inventory Controls\n    Our July 2004 report found significant property management \nweaknesses, including weaknesses in controls over IT equipment items \nvalued at under $5,000 that are required to have inventory control. 
In \nthat report, we made several recommendations for improving property \nmanagement, including actions to (1) clarify existing policy regarding \nsensitive items that are required to be accounted for in the property \ncontrol records, (2) provide a more comprehensive list of the type of \npersonal property assets that are considered sensitive for \naccountability purposes, and (3) reinforce VA\'s requirement to attach \nbar code labels to agency personal property.\nVA\'s IT Property Management Process\n    The Assistant Secretary for Information and Technology serves as \nthe CIO for the department and is the principal advisor to the \nSecretary on matters relating to IT management in the department. Key \nfunctions in VA\'s IT property management process are performed by IRM \nand property management personnel. These functions include identifying \nrequirements; ordering, receiving, and installing IT equipment; \nperforming periodic inventories; and identifying, removing, and \ndisposing of obsolete and unneeded IT equipment. Figure 1 illustrates \nthe IT property management process. In general, this is the process we \nobserved at the four VA locations we audited.\n    The steps in the IT property management process are key events, \nwhich should be documented by an inventory transaction, financial \ntransaction, or both, as appropriate. Federal records management law, \nas codified in Title 44 of the U.S. Code and implemented through \nNational Archives and Records Administration (NARA) guidance, requires \nfederal agencies to adequately document and maintain proper records of \nessential transactions and have effective controls for creating, \nmaintaining, and using records of these transactions. \\15\\\n---------------------------------------------------------------------------\n    \\15\\ 44 U.S.C. Sec. Sec.  3101 and 3102, and implementing NARA \nregulations at 36 C.F.R. Sec.  1222.38. 
This is consistent with the \nmore general requirement for agencies to establish internal controls \nunder 31 U.S.C. Sec.  3512 (c), (d), commonly known as the Federal \nManagers\' Financial Integrity Act 1982 (FMFIA), and GAO/AIMD-00-21.3.1.\n\n             Figure 1--VA\'s IT Property Management Process\n             [Figure graphic not reproduced in this version]\n\n\n    Source: GAO.\nRequest and Ordering of IT Equipment\n    IRM personnel determine IT equipment requirements for a particular \nVA medical center or headquarters office based on strategic planning, \nmedical center or office needs, specific requests, and budgetary \nresources. IRM personnel then submit requests to the cognizant Veterans \nIntegrated Service Network (VISN), \\16\\ the CIO, and VA headquarters in \nWashington, DC, for approval. For VA medical centers, the VISN \ngenerally purchases or leases IT equipment to realize economies of \nscale, but individual medical centers also may place incidental orders \nto meet their needs. In addition, headquarters offices may place \nindividual orders or use purchase cards to acquire IT equipment. \nMedical equipment with IT capability is generally acquired through \nprocurement contracts. When contracting personnel create a purchase \norder and submit it to the vendor, contracting personnel are required \nto send a copy of the purchase order to the appropriate property \nmanagement personnel to notify them of a new order.\n---------------------------------------------------------------------------\n    \\16\\ VHA has 21 VISNs that oversee medical center activities within \ntheir area, which may cover one or more states.\n---------------------------------------------------------------------------\n    When the vendor delivers ordered IT equipment to the loading dock, \nproperty management warehouse personnel inspect the boxes for visible \nsigns of damage, and after accepting delivery, store IT equipment until \nthey can transfer it to IRM personnel. 
Warehouse personnel confirm \nreceipt and acceptance in the Integrated Funds Distribution Control \nPoint Activity, Accounting, and Procurement System (IFCAPS), which then \nnotifies the Financial Management System so that payment can be made to \nthe vendor. Once the receipt is confirmed within IFCAPS, warehouse \npersonnel notify IRM personnel of the delivery and arrange a transfer \nof the equipment to them. Upon transfer, an IRM official signs the \nreceipt document, signifying acceptance of custody for the IT \nequipment.\nRecording of IT Equipment Acquisitions in Inventory Records\n    VA medical center property management personnel use information \nfrom the purchase order, including item name, item description, model \nnumber, manufacturer, vendor, and acquisition cost, to create property \nrecord(s) in the Automated Engineering Management System/Medical \nEquipment Repair Service (AEMS/MERS) for new IT equipment acquisitions. \n\\17\\ AEMS/MERS is a general inventory management system that is local \nto each VA medical center. Headquarters personnel also use purchase \norder information to enter records of new IT equipment in the \nInteGreat<SUP>TM</SUP> Property Manager system. Property management \npersonnel also identify the department responsible for the IT equipment \nby recording an equipment inventory listing (EIL) code at VA medical \ncenters and a consolidated memorandum receipt (CMR) code at \nheadquarters. Once property records are created, property management \npersonnel generate a bar code label for each piece of IT equipment. IRM \npersonnel may prepare the equipment for issuance to specific users by \ninstalling VA-specific software and configurations prior to \ninstallation. 
In addition, VA medical center biomedical engineering \npersonnel may test medical equipment for electrical safety before \nplacing it in service.\n---------------------------------------------------------------------------\n    \\17\\ VA Handbook 7127, Materiel Management Procedures (Sept. 19, \n1995), required that all sensitive items, including those valued under \n$5,000, be inventoried regardless of cost. According to VA Handbook \n7127/1 (Oct. 21, 1997), records of property costing $5,000 or greater \nwill be maintained in AEMS/MERS. In addition to assets valued over \n$5,000, VA Handbook 7127/4 (Oct. 11, 2005) added a further explanation \nthat sensitive items include handheld and portable telecommunication \ndevices, printers, data storage equipment (e.g., desktop and laptop \ncomputers), video imaging equipment, cell phones, radios, motor \nvehicles, and firearms and ammunition.\n---------------------------------------------------------------------------\nIssuance and Replacement of IT Equipment\n    IRM personnel or, in some cases, contractor personnel deliver new \nIT equipment to the appropriate service or location for installation. \nIRM or contractor personnel also remove and replace old IT equipment \nthat has been approved for replacement. At some VA facilities, a bar \ncode label is affixed to a door jamb or other physical element of the \nspecific location in which the IT equipment has been installed to \ndocument item locations in the property management system. Once the new \nequipment is installed, IRM or contractor personnel transfer the \nreplaced equipment to an IRM storage room pending disposal.\nPhysical Inventories of IT Equipment and Reports of Survey\n    VA policy \\18\\ mandates that each VA facility take physical \ninventory of its accountable property using one of two methods. The \nfirst method determines when the next inventory will be taken based on \nthe accuracy rate for each EIL or CMR during the previous inventory. 
If \nan EIL or CMR was found to have an accuracy rate of 95 percent or \nabove, the VA facility may inventory that EIL or CMR in 12 months. If \nthe EIL or CMR has an accuracy rate of less than 95 percent, the VA \nfacility must inventory that EIL or CMR within 6 months. The second \nmethod permits physical inventories to be performed on an exception \nbasis. Under this method, a VA facility uses property management system \ndata to identify the item bar codes that were scanned since the last \ninventory. If items have been scanned since the last inventory, they \nmay be excluded from the current physical inventory.\n---------------------------------------------------------------------------\n    \\18\\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11, \n2005).\n---------------------------------------------------------------------------\n    When a VA facility determines that items listed in inventory cannot \nbe located, those items are listed on a Report of Survey and facility \npersonnel convene a Board of Survey. Reports of Survey are provided to \nmedical center VA Police or the Federal Protective Service officers at \nVA headquarters, as appropriate. The Report of Survey documents the \ncircumstances of loss, damage, or destruction of government property. \nVA policy \\19\\ mandates that a Board of Survey be appointed when there \nis a possibility that a VA employee may be assessed pecuniary liability \nor disciplinary action as a result of loss, damage, or destruction of \nproperty and the value of the property involved is $5,000 or more. The \nBoard of Survey reviews the Report of Survey, which identifies IT \nequipment that is unaccounted for and explains efforts made to account \nfor the missing items. An approved Report of Survey provides necessary \nsupport for writing off lost and missing items. 
For items on the Report \nof Survey, VA personnel are supposed to update the use status in the \nproperty management system from ``in-use\'\' to ``lost.\'\' Updating the \nuse status allows for the generation of an exception report in case any \nof the items unaccounted for are subsequently located.\n---------------------------------------------------------------------------\n    \\19\\ VA Handbook 7125, Materiel Management General Procedures, pt. \n5, Sec.  5101-8.\n---------------------------------------------------------------------------\nApproval for Turn-in and Disposal\n    An IRM technician originates the request for turn-in of old IT \nequipment using VA Form 2237, ``Request, Turn-In, and Receipt for \nProperty or Services,\'\' or users may submit an electronic form 2237. \nPending final approval of VA Form 2237, electronic notification is \ngiven to property management and IRM personnel, who use this \ndocumentation to ensure that they are removing and disposing of the \ncorrect item(s). IRM or contractor personnel transfer the old IT \nequipment to an IRM storage room for hard drive sanitization and \nsubsequent reuse or disposal. Medical equipment with IT capability is \ngenerally traded in to the vendor for upgraded models after medical \ncenter IRM personnel have documented that data sanitization procedures \nwere completed.\n    Federal agencies, such as VA, are required to protect sensitive \ndata stored on their IT equipment against the risk of data breaches and \nthus the improper disclosure of personal identification information, \nsuch as names and Social Security numbers. Such information is \nregulated by privacy protections under the Privacy Act 1974 \\20\\ and, \nwhen information concerns an individual\'s health, the Health Insurance \nPortability and Accountability Act 1996 (HIPAA) and implementing \nregulations. 
\\21\\\n---------------------------------------------------------------------------\n    \\20\\ Privacy Act 1974, codified, as amended, at 5 U.S.C. Sec.  \n552a.\n    \\21\\ HIPAA required the Secretary of Health and Human Services \n(HHS) to submit to Congress detailed recommendations on standards \nrelated to the privacy of individually identifiable health information, \nincluding an individual\'s rights with respect to such information, \nprocedures for an individual to exercise those rights, and the \nauthorized uses and disclosures of such information by others, such as \nhealthcare providers and insurers. The HHS Secretary has prescribed \nsuch standards in the HIPAA Medical Privacy Rule. See Pub. L. No. 104-\n191, Sec.  264, 110 Stat. 1936, 2033-34 (Aug. 21, 1996), and \nimplementing regulations at 45 C.F.R. pt. 164.\n---------------------------------------------------------------------------\nRemoval of Data from Hard Drives\n    VA facilities have two options for removing data from hard drives \nof IT equipment in the excess property disposal process. Under the \nfirst option, the VA medical center removes the hard drives from the IT \nequipment and ships them to a vendor for sanitization (data erasing). \nThe vendor physically destroys any hard drives it cannot successfully \nerase. The vendor submits certification of hard drive sanitization or \ndestruction to IRM personnel and ships the sanitized hard drives back \nto the VA facility for disposal. Under the second option, VA IRM \npersonnel perform the procedures to sanitize the hard drives using VA-\napproved software, such as Data Eraser<SUP>TM</SUP>. IRM personnel \ncomplete VA Form 0751, ``Information Technology Equipment Sanitization \nCertification,\'\' to document the erasing of the hard drives. 
Hard
drives that Data Eraser<SUP>TM</SUP> software cannot successfully
sanitize are held at the VA facility in IRM storage for physical
destruction by another contractor at various intervals throughout the
year.
Final Disposition of IT Equipment
    After data have been removed from the hard drives, the hard drives
can be placed back into the IT equipment from which they were
previously removed so that the computers can be reused or shipped
directly to a VA IT equipment disposal vendor. For IT equipment that is
not selected for reuse within VA, IRM personnel will notify cognizant
property management personnel that the IT equipment is ready for final
disposal, and property management personnel transfer the items to a
warehouse. VA facilities use different processes to handle the final
disposal of IT equipment. For example, property management personnel
may contact transportation personnel at the VA Central Office, who then
contact a shipper to take the IT equipment to a disposal vendor, or a
disposal vendor may pick up the IT equipment from the VA facility.
Disposal vendors, including Federal Prison Industries, Inc., \22\
determine what IT equipment is to be donated to schools. Generally,
within several days of the equipment being shipped to the disposal
vendor, property management personnel change the status field of the
equipment in the property management system from "in-use" to
"turned-in" and designate the property record as inactive.
---------------------------------------------------------------------------
    \22\ Federal Prison Industries, Inc. (also known as UNICOR) is a
wholly owned U.S. government corporation, which operates factories and
employs inmates in federal prisons. See 31 U.S.C. § 9101(3)(E), 18
U.S.C. §§ 4121-4129.
---------------------------------------------------------------------------
Inadequate IT Inventory Control and Accountability Pose Risk of Loss,
        Theft, and Misappropriation
    Our tests of IT equipment inventory controls at four case study
locations, including three VA medical centers and VA headquarters,
identified a weak overall control environment and a pervasive lack of
accountability for IT equipment items across the four locations we
tested. Our Standards for Internal Control in the Federal Government
\23\ states that a positive control environment provides discipline and
structure as well as the climate that influences the quality of
internal control. However, as summarized in table 1, our statistical
tests of key IT inventory controls at our four case study locations
found significant control failures related to (1) missing IT equipment
items in our existence tests, (2) inaccurate information on user
organization, (3) inaccurate information on user location, and (4)
other record keeping errors. None of the case study locations had
effective controls to safeguard IT assets from risk of loss, theft, and
misappropriation.
---------------------------------------------------------------------------
    \23\ GAO/AIMD-00-21.3.1.
---------------------------------------------------------------------------


              Table 1--Current IT Equipment Inventory Control Failure Rates at Four Test Locations
----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego
              Control failures                 medical center   medical center   medical center  VA headquarters
----------------------------------------------------------------------------------------------------------------
Missing items in sample                                  28%               6%              10%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect user organization                              80%              69%              70%              11%
----------------------------------------------------------------------------------------------------------------
Incorrect location                                       57%              23%              53%              44%
----------------------------------------------------------------------------------------------------------------
Record keeping errors                                     5%               0%               5%               3%
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Notes: Each of these estimates has a margin of error, based on a two-sided, 95 percent confidence interval, of
  ±10 percent or less. Because the four test locations did not record all IT equipment items in their
  inventory records, our estimated failure rates relate to current (recorded) inventory and not the population
  of all IT equipment at those locations.


    Moreover, our statistical tests identified a total of 123 lost and
missing IT equipment items across the four case locations, including 53
IT equipment items that could have stored sensitive personal
information. Personal information, such as names and Social Security
numbers, is regulated by privacy protections under the Privacy Act 1974
\24\ and information concerning an individual's health is accorded
additional protections from unauthorized release under HIPAA and
implementing regulations. \25\ Although VA property management policy
\26\ establishes guidelines for holding employees and supervisors
pecuniarily (financially) liable for loss, damage, or destruction
because of negligence and misuse of government property, except for a
few isolated instances, none of the case study locations assigned user-
level accountability. Instead, these locations relied on information
about user organization and user location, which was often incorrect
and incomplete. In addition, although our standards for internal
control require timely recording of transactions as part of an
effective internal control structure and safeguarding of sensitive
assets, we found that VA's property management policy \27\ neither
specified what transactions were to be recorded for various changes in
inventory status nor provided criteria for timely recording. Further,
IRM and IT Services personnel responsible for installation, removal,
and disposal of IT equipment did not record or assure that transactions
were recorded by property management officials when these events
occurred. Under this lax control environment, missing IT equipment
items were often not reported for several months and, in some cases,
several years, until the problem was identified during a physical
inventory.
---------------------------------------------------------------------------
    \24\ Privacy Act 1974, codified, as amended, at 5 U.S.C. § 552a.
    \25\ The HHS Secretary has prescribed standards for safeguarding
medical information in the HIPAA Medical Privacy Rule. See 45 C.F.R.
pt. 164.
    \26\ VA Handbook 7125, Materiel Management General Procedures,
§ 5003 (Oct. 11, 2005).
    \27\ VA Handbook 7127/3, Material Management Procedures, pt. 1,
§ 5002-2.3, and VA Handbook 7127/4, Material Management Procedures,
pt. 4, § 5302.3.
---------------------------------------------------------------------------
Inventory Tests Identified Significant Numbers of Missing Items
    As shown in table 2, our statistical tests of IT equipment
existence at the four case study locations identified a total of 123
missing IT equipment items, including 53 items that could have stored
sensitive personal data and information. Although VA headquarters had
the highest number of missing items, none of the four test locations
had effective controls. 
Missing IT equipment items pose not only a
financial risk but also a security risk associated with sensitive
personal data maintained on computer hard drives.


  Table 2--Number of Missing IT Equipment Items at Four Test Locations, Including Items That Could Have Stored
                                              Sensitive Information
----------------------------------------------------------------------------------------------------------------
                                              Washington, DC,    Indianapolis      San Diego
                Test Results                   medical center   medical center   medical center  VA headquarters
----------------------------------------------------------------------------------------------------------------
Number of missing items in each sample                    44                9               17               52
----------------------------------------------------------------------------------------------------------------
Total missing items that could have stored                19                3                8               23
 sensitive data
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Note: After we completed our analysis, Washington, DC, medical center personnel provided documentation that one
  of the missing items--a new computer monitor--had been located. This information is not reflected in the
  table.


    Because of the lack of user-level accountability and the failure to
consistently update inventory records for changes in inventory status
and user location, VA officials at our test locations could not
determine the user or type of data stored on the 53 missing IT
equipment items that could have stored sensitive personal information
and, therefore, the risk posed by the loss of these items. The details
of our test work at each location follow.
Washington, DC, Medical Center
    Our physical inventory existence testing at the Washington, DC,
medical center identified an estimated 28 percent failure rate \28\
related to missing items in the recorded universe of 8,728 IT equipment
items. Our analysis determined that the primary cause of these high
control failure rates was a lack of coordination and communication
between medical center IRM and property management personnel to assure
that documentation on IT items in physical inventory was updated in the
property management system when changes occurred. VA records management
policy \29\ that implements federal records management law and NARA
guidance \30\ requires the creation and maintenance of records of
essential transactions, such as creating a timely record of newly
acquired IT equipment in the property management system, and recording
timely updates for changes in the status of IT equipment, including
transfers, turn-ins, replacement of equipment, and disposals.
---------------------------------------------------------------------------
    \28\ The two-sided, 95 percent confidence interval for this
estimate is from 21 percent to 35 percent.
    \29\ VA Directive 6300, Records and Information Management, § 2
(Jan. 12, 1998).
    \30\ 44 U.S.C. §§ 3101 and 3102, and implementing NARA
regulations at 36 C.F.R. § 1222.38. This is consistent with the
more general requirement for agencies to establish internal controls
under 31 U.S.C. § 3512(c), (d), commonly known as FMFIA, and GAO/
AIMD-00-21.3.1.
---------------------------------------------------------------------------
    The medical center's IT equipment inventory records included 550
older IT equipment items that property management officials told us
should have been removed from active inventory. Because the inventory
status fields for these items were either blank or indicated the items
were "in use," we included these items in the universe of current
inventory for purposes of our statistical sample. Of the 44 missing IT
equipment items identified in our statistical tests at the Washington,
DC, medical center, 9 items related to the 550 older IT equipment items
of questionable status. Washington, DC, medical center officials
asserted that because of their age, these items would likely have been
turned in for disposal. However, because the property system had not
been updated to reflect a turn-in or disposal and no hard copy
documentation had been retained, it was not possible to determine
whether any of the 44 missing IT equipment items, including 19 items
that could have stored sensitive personal information, had been sent to
disposal or if any of them were lost or stolen.
    For other IT equipment items that could not be located during our
existence testing, IRM or property management officials were able to
provide documentation created and saved outside the property management
system that showed several of these items had been turned in for
disposal without recording the corresponding inventory transaction in
the property management system. In March 2006, the Washington, DC,
medical center initiated an automated process for electronic
notification and documentation of property turn-ins in the property
management system. If effectively implemented, the electronic process
should help resolve this problem going forward.
    With regard to the use and type of data stored on the 19 computers
that our tests identified as missing, Washington, DC, medical center
officials could not tell us the users or the types of data that would
have been on these computers. 
This is because local medical center
property management procedures call for recording the local IRM
organization as the user for most IT equipment in the property
management system, rather than the actual custodian or user of the IT
equipment.
Indianapolis Medical Center
    The Indianapolis medical center had an estimated failure rate of 6
percent \31\ related to missing items in the recorded universe of 7,614
IT equipment items. However, our test results do not allow us to
conclude that the center's controls over existence of IT equipment
inventory are effective. Our statistical tests identified 9 missing IT
equipment items, including 3 items that could have stored sensitive
personal and medical information. Of the 3 missing items that could
have stored sensitive information, medical center inventory records
showed that 2 of these items were medical devices assigned to the
radiology unit. Although medical center officials provided us with
turn-in documentation for one of these items--a magnetic resonance
imaging (MRI) machine that had just been disassembled and removed from
service--the documentation did not match the bar code (property
identification number) or the serial number for our sample item,
indicating possible record keeping errors. The user of the third item,
a computer, was not known.
---------------------------------------------------------------------------
    \31\ The two-sided, 95 percent confidence interval for this
estimate is from 2 percent to 13 percent.
---------------------------------------------------------------------------
    In addition, our review of Indianapolis medical center purchase
card records determined that some IT equipment items that were not
included in property inventory records had been acquired with a
government purchase card. We found that VA purchase card policy \32\
does not require cardholders to notify property management officials of
the receipt of property items acquired with a purchase card, including
IT equipment. As a result, there is no asset visibility \33\ or
accountability for these items. Further, there is no assurance that
sensitive personal data, medical data, or both that could be stored on
these items are properly safeguarded.
---------------------------------------------------------------------------
    \32\ VA Handbook 1730/1, Use and Management of the Government
Purchase Card Program (June 17, 2005).
    \33\ Asset visibility refers to accurate and timely information on
the location, movement, status, and identifying information for
property and equipment assets.
---------------------------------------------------------------------------
San Diego Medical Center
    We estimated an overall failure rate of 10 percent \34\ related to
missing items in the San Diego medical center's recorded universe of
11,604 IT equipment items. Our statistical tests at the San Diego
medical center identified 17 missing IT equipment items, including 8
items that could have stored sensitive personal data and information.
San Diego medical center officials could not tell us the user or type
of data that would have been stored on the missing computers. San Diego
medical center officials noted that some of the missing items were
older IT equipment that would no longer be in use. However, without
valid turn-in documentation, it is not possible to determine whether
these IT equipment items were disposed of without creating the
appropriate transaction record or if any of these items, including
items that could have stored sensitive personal and medical
information, were lost, stolen, or misappropriated without detection.
---------------------------------------------------------------------------
    \34\ The two-sided, 95 percent confidence interval for this
estimate is from 5 percent to 17 percent.
---------------------------------------------------------------------------
    Our tests also determined that San Diego medical center officials
were not following VA policy for physical inventory control and
accountability of IT equipment. Consistent with a finding in our July
2004 report, we found that the San Diego medical center had not
included IT equipment items valued at less than $5,000 in annual
physical inventories. Although San Diego medical center property
management officials record IT equipment ordered through the formal
property acquisition process in inventory records at the time it is
acquired, absent an annual physical inventory, center officials have no
way of knowing whether these items are still in use or if any of these
items were lost, stolen, or misappropriated. VA property management
policy \35\ requires that sensitive items, including computer
equipment, be subjected to annual physical inventories. At the time of
our IT equipment inventory testing in January 2007, San Diego medical
center officials told us that, consistent with requirements in VA
Handbook 7127/4, they were initiating a physical inventory of all IT
equipment items, including those items valued at less than $5,000.
---------------------------------------------------------------------------
    \35\ VA Handbook 7127/4, Materiel Management Procedures, pt. 1,
§ 5002.2 and pt. 4, § 5302.3 (Oct. 11, 2005).
---------------------------------------------------------------------------
    In addition, our analysis of San Diego medical center purchase card
records identified several purchases of IT equipment that had not been
recorded in the medical center's inventory records. As a result, our
statistical tests did not include these items. Because the medical
center's IT Services and property management officials are not tracking
IT equipment items that were acquired with government purchase cards,
there is no accountability for these items. As a result, San Diego
medical center management does not know how many of these items have
not been recorded in the property inventory records or how many of
these items could contain sensitive personal information. If San Diego
medical center officials properly perform their fiscal year 2007
physical inventory, they should be able to locate and establish an
accountable record for IT equipment items acquired with purchase cards
that are being used within their facility. However, additional research
would be required to identify all IT equipment items that were acquired
with a purchase card and are being used at employees' homes or other
offsite locations.
    San Diego medical center IT Services personnel told us that they
created and maintained informal "cuff records" outside the property
management system to document installation and removal of IT equipment
because property management officials did not permit them to have
access to the property management system. In addition, IT Services
personnel did not provide information from their informal cuff records
to property management officials so that they could update the formal
records maintained in the property management system. 
As a result, the
formal IT equipment inventory records saved in the property management
system remained out-of-date, while more accurate records were
maintained as separate IT Services files outside the formal system and
were not available for management decision making. Further, San Diego
IT Services personnel were not provided handheld scanners so that they
could electronically update inventory records when they installed or
removed IT equipment. The San Diego medical center IT Services'
informal cuff records create internal control weaknesses because they
do not provide reasonable assurance of furnishing information the
agency needs to conduct current business.
VA Headquarters Offices
    We statistically tested a random sample of VA headquarters IT
equipment items, which included IT equipment for each headquarters
office. Based on our sample, we estimate an 11 percent failure rate
\36\ related to missing items in the VA headquarters recorded universe
of 25,353 IT equipment items. In addition, our tests of VA headquarters
IT inventory identified 53 missing IT equipment items, including 23
computers that could have stored sensitive personal information. VA
headquarters officials could not tell us the use or type of information
that would have been stored on the missing computers. Table 3
identifies missing IT equipment items in our stratified sample by VA
headquarters office.
---------------------------------------------------------------------------
    \36\ The two-sided, 95 percent confidence interval for this
estimate is from 8 percent to 15 percent.
---------------------------------------------------------------------------


  Table 3--Number of Missing IT Equipment Items by Headquarters Office and Missing Items That Could Have Stored
                                     Sensitive Personal Data and Information
----------------------------------------------------------------------------------------------------------------
                                                                Number of missing IT
                        Test location                            items in stratified     Missing items with data
                                                                       sample              storage capability
----------------------------------------------------------------------------------------------------------------
Acquisition and Materiel                                                      0 of 10                         0
----------------------------------------------------------------------------------------------------------------
General Counsel                                                               2 of 10                   0 of 2
----------------------------------------------------------------------------------------------------------------
Information and Technology                                                    9 of 94                   6 of 9
----------------------------------------------------------------------------------------------------------------
Policy and Planning                                                           0 of 10                         0
----------------------------------------------------------------------------------------------------------------
Veterans Health Administration                                               27 of 95                   7 of 17
----------------------------------------------------------------------------------------------------------------
Veterans Benefits Administration                                             24 of 93                  10 of 24
----------------------------------------------------------------------------------------------------------------
All other \a\                                                                 1 of 32                   0 of 1
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
\a\ All other includes 17 additional VA headquarters organizations. The missing item in this category related to
  the Human Resource Management Office.


    We found that the IT coordinators maintained informal spreadsheets,
or cuff records, to track IT equipment assigned to their units instead
of updating IT equipment records in the formal VA headquarters property
system. As stated previously, the use of informal cuff records creates
an internal control weakness because management does not have
visibility over this information for decision making purposes.
    VA headquarters officials also told us that various headquarters
offices acquire IT equipment using government purchase cards and that
these items are not identified and recorded in inventory unless they
are observed coming through the mail room or they are identified during
physical inventories. 
As previously discussed, VA purchase card policy
does not require purchase card holders to notify property management
officials at the time they receive IT equipment and other property
acquired with government purchase cards.
Pervasive Lack of User-Level Accountability for IT Equipment at Case
        Study Locations
    VA management has not enforced VA property management policy and
has generally left implementation decisions up to local organizations,
creating a nonstandard, high-risk environment. Although VA property
management policy establishes guidelines for user-level accountability,
\37\ the three medical centers we tested assigned accountability for
most IT equipment to their IRM or IT Services organizations, and VA
headquarters organizations tracked IT equipment items through their IT
inventory coordinators. However, because these IT personnel and IT
coordinators did not have possession (physical custody) of all IT
equipment under their purview, they were not held accountable for IT
equipment determined to be missing during physical inventories. This
weak overall control environment at the four case study locations
resulted in a pervasive lack of user-level accountability for IT
equipment.
---------------------------------------------------------------------------
    \37\ VA Handbook 7125, Materiel Management General Procedures,
§ 5003.
---------------------------------------------------------------------------
    Absent user-level accountability, accurate information on the using
organization and location of IT equipment is key to maintaining asset
visibility and control over IT equipment items. The high failure rates
in our tests for correct user organization and location of IT
equipment, shown in table 4, underscore the lack of user-level
accountability at the four case study locations. The lack of
accountability has in turn resulted in a lax attitude about controlling
IT equipment. As a result, for the four case study locations, we
concluded that under the current lax control environment, essentially
no one was accountable for IT equipment.


 Table 4--Estimated Percentage of IT Inventory Control Failures Related to Correct User and Location at the Four
                                                 Test Locations
----------------------------------------------------------------------------------------------------------------
                                                                   Incorrect user
                        Test location                               organization         Incorrect user location
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                                                    80%                       57%
                                                                         (72% to 87%)              (49% to 64%)
----------------------------------------------------------------------------------------------------------------
Indianapolis, IN, medical center                                                  69%                       23%
                                                                         (60% to 78%)              (15% to 33%)
----------------------------------------------------------------------------------------------------------------
San Diego, CA, medical center                                                     70%                       53%
                                                                         (61% to 78%)              (43% to 63%)
----------------------------------------------------------------------------------------------------------------
VA headquarters organizations                                                     11%                       44%
                                                                          (8% to 15%)              (37% to 51%)
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.
Note: The percentages represent point estimates and the two-sided, 95 percent confidence interval.


    Our statistical tests found numerous instances where inventory
records were not updated when equipment was transferred to another VA
unit, moved to another location, or removed from a facility. We also
found that critical inventory system data fields, such as user and
location, were often blank. Completion of these data fields would have
created records of essential transactions for IT inventory events.
Because property management system inventory records were incomplete
and out-of-date, it is not possible to determine the timing or events
associated with lost IT equipment as a basis for holding individual
employees accountable.
    In addition to failures in our tests for accurate user organization
and location, we found that the inventory system data field for
identifying IT coordinators at headquarters units was often blank or
incorrect. The IT coordinator role, which is unique to VA headquarters
offices, is intended to provide an additional level of control for
tracking and managing assignment of IT equipment within each
headquarters organizational unit. Our tests for accurate and complete
information on headquarters IT coordinators found 85 errors out of a
sample of 344 records tested. We estimated the failure rate for the IT
coordinator records at VA headquarters units to be 47 percent. \38\
Further, although VA headquarters officials told us they use hand
receipts \39\ for user-level accountability of mobile IT equipment that
can be removed from VA offices for use by employees who are on travel
or are working at home, we found this procedure was not used
consistently. For example, we requested hand receipts for 15 mobile IT
equipment items in our statistical sample that were being used by VA
headquarters employees. These items either could be or were taken
offsite. We received nine hand receipts--one that had expired, six that
were dated after the date of our request, and two that were valid.
Officials at the three medical centers we tested were able to provide
hand receipts for IT equipment that was being used by their employees
at home.
---------------------------------------------------------------------------
    \38\ The margin of error, based on a two-sided, 95 percent
confidence interval, is ±3 percent.
    \39\ A hand receipt is a document used to assign individual custody
of a government-furnished equipment item. At VA headquarters a hand
receipt includes the description and bar code number of the item, and
it is signed by the employee responsible for the equipment and an
authorizing official.
---------------------------------------------------------------------------
    Officials at all four case study locations expressed concerns that
it would be difficult and burdensome to implement user-level
accountability for IT equipment, particularly in the case of shared
workstations used by multiple employees. However, Washington, DC,
medical center officials initiated actions to establish user-level
accountability for individual employees and unit heads who have shared
workstations. 
In March 2007, Washington, DC, medical center officials \nimplemented a policy for user-level accountability and began training \ntheir employees on the new requirements. The new policy requires \nemployees to sign personal custody receipts for IT equipment assigned \nto them, and it requires supervisors to be responsible for IT equipment \nthat is shared among staff in their sections. The policy states that \nusers of IT equipment will be held accountable for acts deemed \ninappropriate or negligent and that employees are personally and \nfinancially responsible for loss, theft, damage, or destruction of \ngovernment property caused by negligence. VA headquarters officials \ntold us that they are considering approaches for implementing a VA-wide \npolicy for user-level accountability of IT equipment.\nErrors in IT Equipment Inventory Status and Item Description \n        Information\n    As shown in table 5, we also found some problems with the accuracy \nof IT equipment inventory records, including inaccurate information on \nstatus (e.g., in use, turned-in, disposal), serial numbers, model \nnumbers, and item descriptions. 
The estimated overall error rates for \nthese tests were lower than the error rates for the other control \nattributes we tested, and the Indianapolis medical center had no \nerrors.\n\n\n       Table 5--Estimated Percentage of Other IT Inventory Record Keeping Failures at Four Test Locations\n----------------------------------------------------------------------------------------------------------------\n                                                     Inventory\n                  Test Location                       status       Serial number       Item       Total failures\n                                                    information                     description\n----------------------------------------------------------------------------------------------------------------\nWashington, DC, medical center                               1%              6%              0%              5%\n                                                     (0% to 4%)     (2% to 11%)      (0% to 5%)     (2% to 10%)\n----------------------------------------------------------------------------------------------------------------\nIndianapolis medical center                                  0%              0%              0%              0%\n                                                     (0% to 2%)      (0% to 4%)      (0% to 2%)      (0% to 4%)\n----------------------------------------------------------------------------------------------------------------\nSan Diego medical center                                     2%              1%              2%              5%\n                                                     (0% to 7%)      (0% to 6%)      (0% to 8%)     (2% to 12%)\n----------------------------------------------------------------------------------------------------------------\nVA headquarters organizations                                0%              2%              1%              3%\n                                                     (0% to 2%)      
(1% to 7%)      (0% to 2%)      (1% to 6%)\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis.\nNote: The percentages represent point estimates and the two-sided, 95 percent confidence interval.\n\n\n    The errors we identified affect management decision making and \ncreate waste and inefficiency in operations. For example, inaccurate \ninformation on the status of IT equipment inventory items impairs \nmanagement\'s ability to determine what items are available or in use. \nErrors in item descriptions impair management decision making on the \nnumber and types of available items and timing for replacement of these \nitems, and serial number errors impair accountability. Further, \ninaccurate inventory information on the IT equipment item status, as \nwell as the location errors discussed above, caused significant waste \nand inefficiency during physical inventories. Many of these errors \nshould have been detected and corrected during annual physical \ninventories.\nPhysical Inventories by Case Study Locations Identified Thousands of \n        Missing IT Equipment Items Valued at Millions of Dollars\n    To assess the effect of the lax control environment for IT \nequipment, we asked VA officials at the case study locations covered in \nboth our current and previous audits to provide us with information on \nthe results of their physical inventories performed after issuance of \nrecommendations in our July 2004 report, including Reports of Survey \n\\40\\ information on identified losses of IT equipment. VA policy \\41\\ \nrequires that when property items are determined to be lost or missing, \nthey are to be listed in a Report of Survey and an investigation is to \nbe conducted into the circumstances of the loss before these items are \nwritten off in the property records. 
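As an added illustration (not GAO's or VA's code), the reconciliation below applies the four control attributes tested above to constructed property records and a constructed wall-to-wall count, routes items that were not located to a Report of Survey list rather than writing them off, and reports the failure rate as a point estimate with a two-sided 95 percent interval. The record fields, the status rule, and the Wilson score interval are assumptions; the page does not describe VA's property system schema or GAO's sampling design.

```python
"""Book-to-floor reconciliation of IT equipment records with a physical count.

Added example, not GAO's or VA's code.  Field names, the status rule and the
Wilson score interval are assumptions; all records below are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

ATTRIBUTES = ("status", "serial", "description", "location")

# Constructed records as the property management system holds them.
PROPERTY_RECORDS = [
    {"tag": "T0001", "serial": "SN-A1", "status": "in use",     "description": "laptop",  "location": "Bldg 1 Rm 101", "custodian": "jdoe"},
    {"tag": "T0002", "serial": "SN-B2", "status": "in use",     "description": "desktop", "location": "Bldg 1 Rm 102", "custodian": ""},
    {"tag": "T0003", "serial": "",      "status": "in use",     "description": "printer", "location": "Bldg 1 Rm 103", "custodian": "asmith"},
    {"tag": "T0004", "serial": "SN-D4", "status": "in storage", "description": "monitor", "location": "IRM storeroom", "custodian": ""},
    {"tag": "T0005", "serial": "SN-E5", "status": "in use",     "description": "laptop",  "location": "Bldg 2 Rm 201", "custodian": "bjones"},
    {"tag": "T0006", "serial": "SN-F6", "status": "in use",     "description": "",        "location": "Bldg 2 Rm 202", "custodian": "bjones"},
]

# Constructed physical count: what the inventory team actually found, by tag.
PHYSICAL_COUNT = {
    "T0001": {"serial": "SN-A1", "description": "laptop",  "location": "Bldg 1 Rm 101"},
    "T0002": {"serial": "SN-B2", "description": "desktop", "location": "Bldg 1 Rm 102"},
    "T0003": {"serial": "SN-C3", "description": "printer", "location": "Bldg 1 Rm 103"},
    "T0004": {"serial": "SN-D4", "description": "monitor", "location": "Bldg 2 Rm 205"},  # moved, record never updated
    # T0005 was not located anywhere during the count
    "T0006": {"serial": "SN-F6", "description": "laptop",  "location": "Bldg 2 Rm 202"},
}


@dataclass
class Reconciliation:
    """Failures per control attribute plus the follow-up lists a reviewer needs."""
    failures: dict[str, list[str]] = field(default_factory=lambda: {a: [] for a in ATTRIBUTES})
    blank_fields: list[str] = field(default_factory=list)      # records with empty fields
    no_custodian: list[str] = field(default_factory=list)      # no user-level accountability
    report_of_survey: list[str] = field(default_factory=list)  # not found: investigate, then write off

    def failed_items(self) -> set[str]:
        return {tag for tags in self.failures.values() for tag in tags}


def reconcile(records, count) -> Reconciliation:
    r = Reconciliation()
    for rec in records:
        tag = rec["tag"]
        if any(not rec[f] for f in ("serial", "description", "location")):
            r.blank_fields.append(tag)
        if not rec["custodian"]:
            r.no_custodian.append(tag)
        found = count.get(tag)
        if found is None:
            # Not located: counts as a location failure and goes on the Report of
            # Survey list instead of being quietly dropped from the records.
            r.failures["location"].append(tag)
            r.report_of_survey.append(tag)
            continue
        for attr in ("serial", "description", "location"):
            if rec[attr] != found[attr]:
                r.failures[attr].append(tag)
        # Assumed status rule: "in storage" must agree with the item physically
        # sitting in a storeroom; anything else is a stale status record.
        in_storeroom = "storeroom" in found["location"].lower()
        if (rec["status"] == "in storage") != in_storeroom:
            r.failures["status"].append(tag)
    return r


def wilson_interval(failures: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """Two-sided 95 percent Wilson score interval for a proportion (assumed method)."""
    if n == 0:
        return (0.0, 0.0)
    p = failures / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def failure_rate(r: Reconciliation, n_tested: int) -> tuple[int, int, float, float]:
    """Items with at least one record error, out of items tested, with the interval."""
    k = len(r.failed_items())
    lo, hi = wilson_interval(k, n_tested)
    return k, n_tested, lo, hi


if __name__ == "__main__":
    result = reconcile(PROPERTY_RECORDS, PHYSICAL_COUNT)
    for attr in ATTRIBUTES:
        print(f"{attr:12s} failures: {result.failures[attr]}")
    print("blank fields:", result.blank_fields)
    print("no custodian:", result.no_custodian)
    print("Report of Survey:", result.report_of_survey)
    k, n, lo, hi = failure_rate(result, len(PROPERTY_RECORDS))
    print(f"total failures: {k}/{n} = {k / n:.0%} ({lo:.0%} to {hi:.0%})")
```

The blank-field and no-custodian lists are separate from the error rate on purpose: a blank serial is caught as a serial failure when the item is found, but a record with no custodian is an accountability gap rather than a record-keeping error, and is the case where a unit head or designee would need to be named.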
As of February 28, 2007, the four \ncase study locations covered in our current audit reported over 2,400 \nmissing IT equipment items with a combined original acquisition value \nof about $6.4 million as a result of inventories they performed during \nfiscal years 2005 and 2006. Based on information obtained through March \n2, 2007, the five case study locations we previously audited had \nidentified over 8,600 missing IT equipment items with a combined \noriginal acquisition value of over $13.2 million. Because inventory \nrecords were not consistently updated as changes in user organization \nor location occurred and none of the locations we audited required \naccountability at the user level, it is not possible to determine \nwhether the missing IT equipment items represent record keeping errors \nor the loss, theft, or misappropriation of IT equipment. Further, \nmissing IT equipment items were often not reported for several months \nand, in some cases several years, because most of the nine case study \nlocations had not consistently performed required annual physical \ninventories or completed Reports of Survey promptly. Although physical \ninventories should be performed over a finite period, at most of the \nnine case study locations these inventories were not completed for \nseveral months or even several years while officials performed \nextensive searches in an attempt to locate missing items before \npreparing Reports of Survey to write them off.\n---------------------------------------------------------------------------\n    \\40\\ The Report of Survey System is the method used by VA to obtain \nan explanation of the circumstances surrounding loss, damage, or \ndestruction of government property other than through normal wear and \ntear.\n    \\41\\ VA Handbook 7125, Materiel Management General Procedures, pt. \n5, Sec.  5101 and Sec.  
5101-21.\n---------------------------------------------------------------------------\n    According to VA Police and security specialists, \\42\\ it is very \ndifficult to conduct an investigation at this point because the details \nof the incidents cannot be determined. As law enforcement officers, VA \nPolice are trained in investigative techniques that could potentially \ntrack and recover lost and missing items if promptly reported. Further, \nbecause VA Police are responsible for facility security, consistent \nreporting of lost and missing IT equipment to the Chief of Police at \neach VA medical center or federal law enforcement officers responsible \nfor building security at VA headquarters locations could identify \npatterns of vulnerability that could be addressed through upgraded \nsecurity plans.\n---------------------------------------------------------------------------\n    \\42\\ VA medical centers and other facilities have a VA Police \nService, which provides law enforcement and physical security services, \nincluding security inspections and criminal investigations. The VA \nheadquarters building does not have a police service. VA headquarters \nlaw enforcement duties are the responsibility of the Federal Protective \nService.\n---------------------------------------------------------------------------\nPhysical Inventories Performed by Four Case Study Locations Identify \n        Significant Numbers of Missing IT Equipment Items\n    The timing and scope of the physical inventories performed by the \nfour case study locations in our current audit varied. For example, the \nIndianapolis medical center had been performing annual physical \ninventories in accordance with VA policy for several years. As a \nresult, IT equipment inventory records were more accurate and physical \ninventories identified fewer missing items than most locations tested. 
\nThe Washington, DC, medical center performed a wall-to-wall physical \ninventory in response to our July 2004 report, which found that \npreviously performed physical inventories of IT equipment were \nineffective. In this case, inventory results reflected several years of \nactivity involving IT inventory records that had not been updated and \nlost and missing IT equipment items that had not previously been \nidentified and reported. Although the San Diego medical center had \nperformed periodic physical inventories, it had not followed VA policy \nfor including sensitive items, such as IT equipment valued at less than \n$5,000. As a result, the San Diego medical center\'s Reports of Survey \nare not a good indicator of the extent of lost and missing IT equipment \nat this location. The fiscal year 2006 VA headquarters physical \ninventory identified IT equipment items that may have been lost or \nmissing for several years without detection or final resolution. For \nexample, VA headquarters officials told us that during renovations of \nheadquarters offices 10 years ago, IT equipment was relocated to office \nspace designated as storerooms. When this space had to be vacated for \nrenovation, the IT equipment had to be relocated, and many items were \nsent to disposal. According to VA headquarters officials, \naccountability for individual IT equipment items was not maintained \nduring the renovation or disposal process. This weak overall control \nenvironment presents an opportunity for theft, loss, or \nmisappropriation to occur without detection.\n    As of February 28, 2007, based on inventories they performed during \nfiscal years 2005 and 2006, the four case study locations covered in \nour current audit reported over 2,400 missing IT equipment items with a \ncombined original acquisition value of about $6.4 million. 
Table 6 \nprovides information on the results of physical inventories performed \nby our four current case study locations.\n\n\n   Table 6--Summary of Physical Inventories and Missing IT Equipment Identified by the Four Current Case Study\n                                        Locations as of February 28, 2007\n----------------------------------------------------------------------------------------------------------------\n                                                                                                     Original\n                                                   Fiscal years      Dates of        Number of      acquisition\n                  Test location                    of inventory     Reports of     missing items     value of\n                                                                      Survey        identified     missing items\n----------------------------------------------------------------------------------------------------------------\nWashington, DC, medical center                    2005 thru 2006  Mar. 2006 thru          1,133      $1,758,096\n                                                                      Oct. 2006\n----------------------------------------------------------------------------------------------------------------\nIndianapolis medical center                                2005       Dec. 2004               6         $23,206\n                                                           2006       Oct. 2006             112         $79,230\n----------------------------------------------------------------------------------------------------------------\nSan Diego medical center*                                  2005       Dec. 
2004              42        $135,344\n                                                           2006         Ongoing              15         $24,418\n----------------------------------------------------------------------------------------------------------------\nVA headquarters offices                                2006 and         Not yet           1,162      $4,385,444\n                                                        ongoing       finalized\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis.\n*The San Diego medical center IT Services personnel inventoried only items valued at $5,000 or more.\n\n\n    In response to our test work, in January 2007, the Washington, DC, \nmedical center prepared an additional Report of Survey to write off 699 \nolder IT equipment items valued at $794,835 that had not been located \nor removed from current inventory. The VA headquarters physical \ninventory had initially identified about 2,700 missing IT equipment \nitems, and officials told us that their research has resolved over half \nof the discrepancies. VA headquarters officials told us that they have \nnot yet prepared a Report of Survey because they believe some of their \nmissing IT equipment items may still be located.\nPhysical Inventories by Five Locations Previously Audited Also Identify \n        Significant Numbers of Missing IT Equipment Items\n    We also followed up with the five other case study locations \\43\\ \nthat we previously audited to determine the results of physical \ninventories performed in response to recommendations in our July 2004 \nreport. As of the end of our fieldwork in February 2007, the Tampa, \nFlorida, medical center had not yet completed its physical inventory. 
\nIn addition, the Houston, Texas, medical center\'s fiscal year 2005 \nphysical inventory procedures continued to exclude IT equipment valued \nunder $5,000 because the center had followed inaccurate guidance from \nits VISN.\n---------------------------------------------------------------------------\n    \\43\\ The Washington, DC, medical center was covered in both audits.\n---------------------------------------------------------------------------\n    Our standards for internal control require federal agencies to have \npolicies and procedures for ensuring that the findings of audits and \nother reviews are promptly resolved. In accordance with these \nstandards, managers are to (1) promptly evaluate findings from audits \nand other reviews, including those showing deficiencies and \nrecommendations; (2) determine proper actions in response to findings \nand recommendations; and (3) complete, within established timeframes, \nall actions that correct or otherwise resolve the matters brought to \nmanagement\'s attention. The failure to ensure that VA organizations \ntake appropriate, timely action to address audit findings and \nrecommendations indicates a significant control environment weakness \nwith regard to a ``tone at the top\'\' and does not set an example that \nsupports performance-based management and establishes controls that \nserve as the first line of defense in safeguarding assets and \npreventing and detecting errors.\n    Based on information obtained through March 2, 2007, the five case \nstudy locations we previously audited had identified over 8,600 missing \nIT equipment items with a combined original acquisition value of over \n$13.2 million. 
As noted in table 7, of the three medical centers that \ncompleted their physical inventories, the Los Angeles, California, \nmedical center reported over 8,400 missing IT equipment items valued at \nover $12.4 million.\n\n\n    Table 7--Summary of Physical Inventories and Missing IT Equipment Identified by Five Case Study Locations\n                                     Previously Audited as of March 2, 2007\n----------------------------------------------------------------------------------------------------------------\n                                                                                                 Original items\n                                           Fiscal year of   Dates of Reports      Number of        acquisition\n      Medical center test location            inventory         of Survey          missing      value of missing\n                                                                                                      items\n----------------------------------------------------------------------------------------------------------------\nAtlanta, GA                                 Ongoing since   Not yet prepared              195          $254,666\n                                                     2005\n----------------------------------------------------------------------------------------------------------------\nHouston, TX\\a\\                                       2005         Mar. 2005                 3           $79,703\n----------------------------------------------------------------------------------------------------------------\nLos Angeles, CA                                      2006   Not yet prepared            8,402       $12,424,860\n----------------------------------------------------------------------------------------------------------------\nSan Francisco, CA                                    2005    Oct. 
2004 thru                68          $463,373\n                                                                  Dec. 2005\n----------------------------------------------------------------------------------------------------------------\nTampa, FL                                   Ongoing since   Not yet prepared          Unknown           Unknown\n                                                Jan. 2006\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis.\n\\a\\ The Houston medical center inventoried only items valued at $5,000 or more.\n\n\n    We found that Houston medical center property management policy did \nnot include IT equipment within its definition of sensitive items \nrequiring annual physical inventories. As a result, the Houston medical \ncenter inventoried items valued at $5,000 or more and reported three \nmissing IT equipment items valued at $79,703. Houston medical center \nofficials told us that they are now complying with VA policy to include \nall IT equipment in their current annual physical inventory effort. The \nAtlanta medical center identified 195 missing IT equipment items valued \nat $254,666, and the San Francisco medical center reported a total of \n68 missing IT equipment items valued at $463,373. Three of the five \nmedical centers, in Atlanta, Los Angeles, and Tampa, had not yet prepared \nReports of Survey on the missing items identified in their physical \ninventories.\nPhysical Security Weaknesses Increase Risk of Loss, Theft, and \n        Misappropriation of IT Equipment and Sensitive Data\n    Our investigator\'s inspection of physical security at officially \ndesignated IT warehouses and storerooms that held new and used IT \nequipment found that most of these storage facilities met the \nrequirements in VA Handbook 0730/1, Security and Law Enforcement. 
\nHowever, not all of the formally designated storage locations had \nrequired motion detection alarm systems and special door locks. In \nresponse to our findings, physical security specialists at the four \ncase study locations told us that they had recommended that the needed \nmechanisms be installed. We also found numerous instances of IT \nequipment storage areas at VA headquarters offices that had not been \nformally designated as IT storerooms, and these informal IT storage \nareas did not meet VA physical security requirements.\n    In addition, although VA requires that hard drives of IT equipment \nand medical equipment be sanitized prior to disposal to prevent \nunauthorized release of sensitive personal and medical information, we \nfound weaknesses in the disposal process that pose a risk of data \nbreach. \\44\\ For example, our tests of computer hard drives in the \nexcess property disposal process found that hard drives at two of the \nfour case study locations that had not yet been sanitized contained \nhundreds of names and Social Security numbers. We also found that some \nof the hard drives had been in the disposal process for several years \nwithout being sanitized, creating an unnecessary risk that sensitive \npersonal information protected under the Privacy Act 1974 \\45\\ and \npersonal medical information accorded additional protections under \nHIPAA \\46\\ could be compromised. Weaknesses in physical security \nheighten the risk of data breach related to sensitive personal \ninformation residing on hard drives in the property disposal process \nthat have not yet been sanitized.\n---------------------------------------------------------------------------\n    \\44\\ VA IRM personnel and contractors follow NIST Special \nPublication 800-88 guidelines as well as more stringent DoD policy in \nDoD 5220.22-M, National Industrial Security Program Operating Manual, \nch. 8, Sec.  
8-301, which requires performing three separate erasures \nfor media sanitization.\n    \\45\\ Privacy Act 1974, codified, as amended, at 5 U.S.C. Sec.  \n552a.\n    \\46\\ Pub. L. No. 104-191, Sec.  264, 110 Stat. 1936, 2033-34 (Aug. \n21, 1996), and implementing regulations at 45 C.F.R. pt. 164.\n---------------------------------------------------------------------------\nWeaknesses in Procedures for Controlling Excess Computer Hard Drives\n    As previously discussed, VA requires that hard drives of excess \ncomputers be sanitized prior to reuse or disposal because they can \nstore sensitive personal and medical information used in VA programs \nand activities, which could be compromised or used for unauthorized \npurposes. For example, our limited tests of excess computer hard drives \nin the disposal process that had not yet been sanitized found 419 \nunique names and Social Security numbers on three of the six Board of \nVeterans Appeals hard drives and one record on one of two VHA hard \ndrives we tested. Our tests of five San Diego medical center hard \ndrives that had not yet been sanitized found that one hard drive held \nat least 20 detailed patient medical histories, including 5 histories \nthat contained Social Security numbers. Our limited tests of hard \ndrives that were identified as having been subjected to internal or \ncontractor data sanitization procedures did not find data remaining on \nthese hard drives.\n    However, our limited tests identified some problems that could pose \na risk of data breach with regard to sensitive personal and medical \ninformation on hard drives in the disposal process that had not yet \nbeen sanitized. For example, our IT security specialist found that five \nhard drives stored in a bin labeled by the San Diego medical center as \nholding hard drives that had not been erased had in fact been \nsanitized. 
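To show how segregation and verification would close the gap just described, the following is an added example (not VA's or GAO's procedure) of a sanitization queue in which the bin label is never trusted: every drive is verified from its contents before it can leave the process, a failed verification sends the drive back to the unsanitized queue, an unverified drive cannot be released for reuse, and drives that have sat unsanitized past a threshold are surfaced. Drive contents are modelled as constructed byte strings; the states, the 90-day threshold, and the uniform-byte test for a completed overwrite are assumptions.

```python
"""State-tracked sanitization queue for excess hard drives, with verification.

Added example, not VA's or GAO's procedure.  Drive contents are constructed
byte strings standing in for disk images; states, field names, the 90-day
threshold and the uniform-byte 'wiped' test are assumptions.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field
from datetime import date

# Shape of a U.S. Social Security number.  Used only to count residual records
# on a drive that was supposed to be wiped; nothing is copied off the drive.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class SegregationError(Exception):
    """Raised when a drive is moved to a state its history does not allow."""


@dataclass
class Drive:
    serial: str
    received: date              # date the system was pulled from use
    image: bytes                # constructed stand-in for the drive contents
    state: str = "pending"      # pending -> sanitized -> verified -> released
    log: list[str] = field(default_factory=list)


def verify_wiped(image: bytes) -> tuple[bool, int]:
    """Return (wiped, residual_ssn_count).

    A pattern overwrite leaves every addressable location holding the same
    byte, so contents that are one repeated byte are taken as wiped.  Otherwise
    SSN-shaped residue is counted so the failure can be documented.
    """
    if not image:
        return (False, 0)
    wiped = image == bytes([image[0]]) * len(image)
    residual = 0 if wiped else len(SSN_RE.findall(image))
    return (wiped, residual)


def overwrite(drive: Drive, passes=(0x00, 0xFF, None)) -> None:
    """Simulated three-pass overwrite: a character, its complement, a random character."""
    if drive.state != "pending":
        raise SegregationError(f"{drive.serial}: overwrite only from pending, is {drive.state}")
    size = len(drive.image)
    for p in passes:
        ch = secrets.randbelow(256) if p is None else p
        drive.image = bytes([ch]) * size
    drive.state = "sanitized"
    drive.log.append(f"overwritten with {len(passes)} passes")


def verify(drive: Drive) -> bool:
    """Check the contents regardless of which bin the drive was found in."""
    if drive.state not in ("pending", "sanitized"):
        raise SegregationError(f"{drive.serial}: nothing to verify in state {drive.state}")
    wiped, residual = verify_wiped(drive.image)
    if wiped:
        drive.state = "verified"
        drive.log.append("verification passed")
    else:
        # Back to the unsanitized queue, whatever the label on the bin said.
        drive.state = "pending"
        drive.log.append(f"verification FAILED: {residual} SSN-shaped records remain")
    return wiped


def release(drive: Drive) -> str:
    """Release for reuse or disposal only from the verified state."""
    if drive.state != "verified":
        raise SegregationError(f"{drive.serial}: cannot release from state {drive.state}")
    drive.state = "released"
    drive.log.append("released")
    return drive.state


def overdue(drives, today: date, max_days: int = 90) -> list[str]:
    """Serials of drives still unverified more than max_days after removal from use."""
    return [d.serial for d in drives
            if d.state in ("pending", "sanitized") and (today - d.received).days > max_days]


# Constructed images: one carrying leftover records, one already zeroed.
DIRTY_IMAGE = (b"patient: J. DOE  ssn: 123-45-6789  dx: see chart\n"
               b"patient: A. ROE  ssn: 987-65-4321\n").ljust(4096, b"\x00")
CLEAN_IMAGE = bytes(4096)
AS_OF = date(2007, 2, 28)   # cut-off date used for the figures above


def build_queue() -> list[Drive]:
    """Constructed queue covering the three situations described in the text."""
    return [
        Drive("HD-1", date(2006, 12, 1), DIRTY_IMAGE),                    # normal path
        Drive("HD-2", date(2001, 3, 1), DIRTY_IMAGE, state="sanitized"),  # labelled erased, never wiped
        Drive("HD-3", date(2007, 1, 15), CLEAN_IMAGE),                    # labelled not erased, already clean
    ]


if __name__ == "__main__":
    queue = build_queue()
    overwrite(queue[0]); verify(queue[0]); release(queue[0])
    verify(queue[1]); verify(queue[2])
    print("overdue:", overdue(queue, AS_OF))
    for d in queue:
        print(d.serial, d.state, d.log)
```

The second drive is the mislabelled case: it arrives in the "sanitized" state but fails verification and is sent back to pending, and release() refuses it. The third is the opposite mislabelling the investigators found, a clean drive in the not-erased bin, which verification promotes without a redundant overwrite. A production check would sample sectors of the physical device rather than comparing a whole in-memory image, but the state rule is the control that matters.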
The lack of proper segregation and tracking of hard drives \nin the sanitization process poses a risk that some hard drives could \nmake it through this process and be selected for reuse without having \nbeen sanitized. Further, based on the file dates on some of the \ncomputer hard drives that had not yet been sanitized at the San Diego \nand Indianapolis medical centers, our IT security specialist noted \nexcessive delays, up to 6 years, in performing data sanitization once the \ncomputer systems had been identified for removal from use and disposal. \nExcessive delays in completing hard drive sanitization and disposal \nprocedures pose an unnecessary risk when sensitive personal and medical \ninformation that is no longer needed is not removed from excess \ncomputer hard drives in a timely manner.\nPhysical Security Weaknesses at IT Storage Locations Pose Risk of Data \n        Breach\n    VA Handbook 0730/1, Security and Law Enforcement, prescribes \nphysical security requirements for storage of new and used IT \nequipment. Specifically, the Handbook requires warehouse-type \nstorerooms to have walls to ceiling height with either masonry or \ngypsum wall board reaching to the underside of the slab (floor) above. \nIRM storerooms are required to have overhead barricades that prevent \n``up and over\'\' access from adjacent rooms. Warehouse, IRM, and medical \nequipment storerooms are all required to have motion intrusion \ndetection alarm systems that detect entry and broadcast an alarm of \nsufficient volume to cause an illegal entrant to abandon a burglary \nattempt. Intrusion detection alarms for storerooms outside facility \ngrounds, such as outpatient clinics, are required to be connected \nremotely to a commercial security alarm monitoring firm, local police \ndepartment, or security office charged with building security. 
Finally, \nIRM storerooms also are required to have special key control, meaning \nroom door lock keys and day lock combinations that are not master keyed \nfor use by others.\n    Most of the designated IT equipment storage facilities at the four \ncase study locations met VA IT physical security requirements in VA \nHandbook 0730/1; however, we identified some deficiencies. For example, \nour investigator found that the Washington, DC, and San Diego medical \ncenter IRM equipment storerooms lacked motion intrusion detection alarm \nsystems and the Washington, DC, medical center IRM storeroom did not \nmeet door locking requirements. Based on our investigator\'s findings, \nphysical security specialists at the San Diego and Washington, DC, \nmedical centers told us they have recommended that required intrusion \ndetectors be installed in their IRM storerooms. In addition, the \nWashington, DC, medical center reduced the number of keys to its IRM \nstorerooms and changed storeroom locks to meet established \nrequirements. Designated IT equipment storage facilities at the \nIndianapolis medical center met VA physical security requirements.\n    Despite the established physical security requirements, we found \nnumerous informal, undesignated IT equipment storage locations that did \nnot meet VA physical security requirements. For example, our \ninvestigator observed an IT workroom at the Indianapolis medical center \nwhere new IT equipment was placed on the floor. This room lacked a \nmotion detection alarm system and the type of locking system prescribed \nin VA policy. Indianapolis VA Police told our investigator that such a \nlevel of security was not required for this room under VA policy, \nbecause it was not designated as a storeroom. In addition, at the VA \nheadquarters building, our investigator found that the physical \nsecurity specialist was unaware of the existence of IT equipment in \nsome storerooms. 
Thus, these storerooms had not been subjected to \nrequired physical security inspections. VA Police and physical security \nspecialists at our test locations agreed with our investigator\'s \nassessment that the physical security of these IT storerooms was \ninadequate.\n    During our statistical tests, we observed one IT equipment \nstoreroom in the VA headquarters building IT Support Services area that \nhad a separate wall, but no door. As shown in figure 2, the wall \nopening into the storeroom had yellow tape labeled ``CAUTION\'\' above \nthe doorway. The storeroom was within an IT work area that had dropped \nceilings that could provide ``up and over\'\' access from adjacent rooms, \nsuch as the employee store, and no alarm or intrusion detector. This \nstoreroom did not meet VA\'s physical security requirements for motion \nintrusion detection and alarms and secure doors, locks, and special \naccess keys.\n\n  Figure 2--Photograph of Unsecured IT Equipment Storeroom in the VA \n                         Headquarters Building\n[GRAPHIC] [TIFF OMITTED] 37474A.002\n\n\n    Source: GAO.\n\n    In another headquarters building, which housed VA\'s Office of \nGeneral Counsel, we observed excess IT equipment, including computers \nwith hard drives that had been awaiting turn-in and disposal for \nseveral months. This IT equipment was stacked in the corners of a large \nwork area that had multiple doors and open access to numerous \nindividuals, including vendors, contractors, employees, and others. \nBecause our limited tests found sensitive personal data and information \non hard drives that had not yet been sanitized, the failure to provide \nadequate security leaves this information vulnerable to data breach. \nFurther, because software that can be used to image, or copy, this \ninformation is readily available, it is important to provide adequate \nsecurity for these items. 
For example, imaging software, such as \n``Foremost,\'\' which was one of the imaging software products used by \nour IT security specialist, can be downloaded at no cost from the \nInternet and used to copy information from one hard drive to another in \na few minutes. Thus, it is possible for a data breach to occur without \ntheft of the IT equipment on which the data reside.\n    We also found that VA headquarters IT coordinators used storerooms \nand closets with office-type door locks to store IT equipment that was \nnot currently in use. Other headquarters organizations stored laptops \nthat were in the ``loaner pool\'\' for use by employees on travel or at \nhome in locked filing cabinets in open areas. In addition, during our \ntest work, we observed that very few IT equipment items had been \nsecured by locked cables. Physical security of IT equipment is of \nparticular concern at the VA medical centers because these centers \nprovide open access to visitors, students, contractors, and others. The \nlack of secure storage leaves this IT equipment and any sensitive \npersonal information stored on this equipment vulnerable to theft, \nloss, misappropriation, and data breach.\nVA Actions to Improve IT Management and Controls Have Been Limited\n    Although VA has strengthened existing property management policy \n\\47\\ in response to recommendations in our July 2004 report, issued \nseveral new policies to establish guidance and controls for IT \nsecurity, and reorganized and centralized the IT function within the \ndepartment under the CIO, these actions have not yet been fully \nimplemented. For example, the CIO has no formal responsibility for \nmedical equipment that stores or processes patient data. VA \nheadquarters CIO officials agree that this is an area of vulnerability \nthat needs to be addressed. 
In addition, the new CIO organization \nstructure does not address roles or necessary coordination between IRM \nand property management personnel with regard to inventory control of \nsensitive IT equipment items. The Assistant Secretary for Information \nand Technology, who serves as the CIO, told us that his staff is aware \nof this problem and the new CIO organization structure includes a unit \nthat will have responsibility for IT equipment asset management once it \nbecomes operational. However, this unit has not yet been funded or \nstaffed.\n---------------------------------------------------------------------------\n    \\47\\ VA Handbook 7127/4, Materiel Management Procedures (Oct. 11, \n2005).\n---------------------------------------------------------------------------\n    Regarding new policies, on October 11, 2005, VA revised its \nHandbook on materiel management procedures to emphasize that annual \ninventory requirements for sensitive items valued at under $5,000 \ninclude IT equipment, and specifically lists these items as including \ndesktop and laptop computers, CD drives, printers, monitors, and \nhandheld portable telecommunication devices. However, as noted in this \nreport, VA has not ensured that sensitive IT equipment items valued at \nless than $5,000 have been subjected to annual physical inventories. In \naddition, on March 9, 2007, at the time we began briefing VA management \non the results of our audit, VA\'s Office of Information and Technology \nissued a policy \\48\\ that includes assignment of user-level \naccountability for certain IT equipment, including external drives, \ndesktop and laptop computers, and mobile phones that can be taken \noffsite for individual use. 
However, this policy had not yet been \ncoordinated with property management officials who will be responsible \nfor implementing the policy.\n---------------------------------------------------------------------------\n    \\48\\ Universal Serial Bus (USB) Flash Drive User Guide 2.0 (Mar. 9, \n2007).\n---------------------------------------------------------------------------\n    On August 4, 2006, VA issued a new directive entitled Information \nSecurity Program, which requires, in part, periodic evaluations and \ntesting of the effectiveness of all management, operational, and \ntechnical controls and calls for procedures for immediately reporting \nand responding to security incidents. A thorough understanding of the \nIT inventory control process and required internal controls within this \nprocess will be key to effective testing and oversight. Managers were \nnot always aware of the inherent problems in their IT inventory \nprocesses discussed in this report, including the lack of required \ncontrols. Because the directive does not provide specific information \non how these procedures will be carried out, the CIO is developing \nsupplementary user guides. Effective implementation will be key to the \nsuccess of VA IT policy and organizational changes.\nConclusions\n    Poor accountability and a weak control environment have left the \nfour VA case study organizations vulnerable to continuing theft, loss, \nand misappropriation of IT equipment and sensitive personal data. To \nprovide a framework for accountability and security of IT equipment, \nthe Secretary of Veterans Affairs needs to establish clear, \nsufficiently detailed mandatory policies rather than leaving the \ndetails of how policies will be implemented to the discretion of local \nVA organizations. 
Keys to safeguarding IT equipment are effective \ninternal controls for the creation and maintenance of essential \ntransaction records; a disciplined framework for specific, individual \nuser-level accountability, whereby employees are held accountable for \nproperty assigned to them, including appropriate disciplinary action; \nand maintaining adequate physical security over IT equipment items. \nAlthough VA management has taken some actions to improve inventory \ncontrols, strengthening the overall control environment and \nestablishing and implementing specific IT equipment controls will \nrequire a renewed focus, oversight, and continuing commitment \nthroughout the organization.\nRecommendations for Executive Action\n    We recommend that the Secretary of Veterans Affairs require that \nthe medical centers and VA headquarters offices we tested and other VA \norganizations, as appropriate, take the following 12 actions to improve \naccountability of IT equipment inventory and reduce the risk of \ndisclosure of sensitive personal data, medical data, or both.\n    To help minimize the risk of loss, theft, and misappropriation of \ngovernment IT equipment used in VA operations, we recommend that the \nSecretary take the following eight departmentwide actions.\n\n    <bullet>  Revise VA property management policy and procedures to \ninclude detailed requirements for what transactions must be recorded to \ndocument inventory events and to clearly establish individual \nresponsibility for recording all essential transactions in the property \nmanagement process.\n    <bullet>  Revise VA purchase card policy to require purchase card \nholders to notify property management officials of IT equipment and \nother property items acquired with government purchase cards at the \ntime the items are received so that they can be recorded in property \nmanagement systems.\n    <bullet>  Establish procedures to require specific, individual \nuser-level accountability for IT 
equipment. In implementing this
recommendation, consideration should be given to making the unit head,
or a designee, accountable for shared IT equipment.
    <bullet>  Enforce user-level accountability and IT coordinator
responsibility by taking appropriate disciplinary action, including
holding employees financially liable, as appropriate, for lost or
missing IT equipment.
    <bullet>  Establish specific timeframes for finalizing a Report of
Survey once an inventory has been completed so that research on missing
items is completed expeditiously and does not continue indefinitely
without meeting formal reporting requirements.
    <bullet>  Establish a mechanism to monitor adherence by the San
Diego and Houston medical centers and other VA organizations, as
appropriate, to VA policy for performing annual inventories of
sensitive items under $5,000, including IT equipment.
    <bullet>  Require that IRM and IT Services personnel at the various
medical centers be given access to the central property database and be
furnished with hand scanners so they can electronically update the
property control records, as appropriate, during installation, repair,
replacement, and relocation or disposal of IT equipment.
    <bullet>  Require physical security personnel to perform
inspections of buildings and storage facilities to identify informal
and undesignated IT storage locations so that security assessments are
performed and corrective actions are implemented, where appropriate.

    To assure inventory accuracy and prompt resolution of inventory
discrepancies and improve security of IT equipment and any sensitive
data stored on that equipment, we recommend that the Secretary require
the CIO to take the following four actions.

    <bullet>  Establish a formal policy requiring a review of the
results of annual inventories to ensure that IT equipment inventory
records are properly updated and no blank fields remain.
    <bullet>  Establish a process for reviewing Reports of Survey for
lost, missing, and stolen IT equipment items to identify systemic
weaknesses for appropriate corrective action.
    <bullet>  Establish and implement a policy requiring IRM personnel
and IT coordinators to inform physical security officers of the site of
all IT equipment storage locations so that these store rooms can be
subjected to required inspections.
    <bullet>  Establish and implement a policy for reviewing the
results of physical security inspections of IT equipment storerooms and
ensure that needed corrective actions are completed.
Agency Comments and Our Evaluation
    In written comments dated June 22, 2007, on a draft of this report,
VA generally agreed with our findings, noted significant actions under
way, and concurred on the 12 recommendations. For example, with regard
to establishing detailed requirements for what transactions must be
recorded to document inventory events, VA stated that it is performing
a comprehensive update of department policies and procedures and plans
to provide additional training and equipment audits, as necessary. With
regard to establishing user-level accountability, VA stated that it is
developing a policy that will require (1) unit heads or their designees
to sign for all IT equipment issued to their service/unit and (2) hand
receipts for IT equipment at the user-level.
    VA also provided technical comments regarding the information in
tables 6 and 7. Specifically, VA stated that our data did not specify
whether the estimated value provided for missing IT equipment was based
on a depreciated loss value or a replacement value. Consistent with
VA's reporting requirements for its Reports of Survey on lost personal
property items, which include IT equipment, we used the original
acquisition value for our estimates.
Accordingly, we revised the column
headings in the tables to note that the reported dollar value of
missing items relates to the original acquisition value. Further, VA
stated that some of the missing equipment included in our estimate may,
in fact, have been properly disposed of but the proper documentation
was not available. As stated in our report, key equipment events, such
as transfer, turn-in, and disposal, must be documented by an inventory
transaction, financial transaction, or both, as appropriate. Because
the property system had not been updated to reflect a transfer,
turn-in, or disposal and no hard copy documentation had been retained,
it is not possible to determine whether any of the missing IT equipment
items had been properly sent to disposal, and VA has no assurance that
they were not lost or stolen.
    As agreed with your offices, unless you announce its contents
earlier, we will not distribute this report until 30 days from its
date. At that time, we will send copies to interested congressional
Committees; the Secretary of Veterans Affairs; the Veterans Affairs
Chief Information Officer; the Acting Secretary of Health, Veterans
Health Administration; and the Director of the Office of Management and
Budget. We will make copies available to others upon request. In
addition, this report will be available at no charge on the GAO Web
site at http://www.gao.gov.
    Please contact me at (202) 512-9095 or williamsm1@gao.gov, if you
or your staff have any questions concerning this report. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report.
Major contributors to this
report are acknowledged in appendix III.

                                                     McCoy Williams
                                                           Director
                                 Financial Management and Assurance

                               __________

             Appendix I: Objectives, Scope, and Methodology
    Pursuant to a request from the Chairman and Ranking Minority Member
of the House Committee on Veterans' Affairs, we audited the Department
of Veterans Affairs (VA) information technology (IT) equipment
inventory controls. Our audit covered the following.

    <bullet>  An assessment of the risk of loss, theft, and
misappropriation of VA IT equipment items based on statistical tests of
VA IT equipment inventory at selected case study locations and our
investigator's evaluations of physical security and VA law enforcement
investigations of incidents of loss or theft.
    <bullet>  Results of physical inventories of IT equipment performed
by case study locations covered in this audit and our previous audit.
    <bullet>  An assessment of the adequacy of VA's physical security
and accountability procedures for IT equipment in the property disposal
process.
    <bullet>  Management actions taken or under way to address
previously identified IT equipment inventory control weaknesses.

    We used as our criteria applicable law and VA policy, as well as
our Standards for Internal Control in the Federal Government \1\ and
our Internal Control Management and Evaluation Tool. \2\ To assess the
control environment at our test locations, we obtained an understanding
of the processes and controls over IT equipment from acquisition to
issuance and periodic inventories and disposal. We performed
walk-throughs of these processes at all four test locations.
We reviewed
applicable program guidance provided by the test locations and
interviewed officials about their IT inventory processes and controls.
---------------------------------------------------------------------------
    \1\ GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, DC: November 1999). This document was
prepared to fulfill our statutory requirement under 31 U.S.C. 3512 (c),
(d), commonly known as the Federal Managers' Financial Integrity Act
1982, to issue standards that provide the overall framework for
establishing and maintaining internal control.
    \2\ GAO, Internal Control Management and Evaluation Tool,
GAO-01-1008G (Washington, DC: August 2001). This document was prepared
to assist agencies in maintaining or implementing effective internal
control and, when needed, to help determine what, where, and how
improvements can be implemented. Although this tool is not required to
be used, it is intended to provide a systematic, organized, and
structured approach to assessing the internal control structure.
---------------------------------------------------------------------------
    In selecting our case study locations, we chose one location-the
Washington, DC, VA medical center-that had the most significant
problems identified in our July 2004 report and two other
geographically dispersed VA medical centers.
We also tested inventory
at VA headquarters as a means of assessing the overall control
environment, or ``tone at the top.'' Table 8 shows the VA locations
selected for IT equipment inventory control testing and the number and
reported value of IT equipment items at each location.


                    Table 8--Population of VA IT Equipment at Locations Selected for Testing
----------------------------------------------------------------------------------------------------------------
                                                               Sample size and number   Value of VA IT equipment
                         VA location                          of VA IT equipment items          inventory
----------------------------------------------------------------------------------------------------------------
Washington, DC, medical center                                        168 of 8,728 \a\               $33,065,322
----------------------------------------------------------------------------------------------------------------
Indianapolis, IN, medical center                                          144 of 7,614               $29,101,577
----------------------------------------------------------------------------------------------------------------
San Diego, CA, medical center                                            148 of 11,604               $48,077,071
----------------------------------------------------------------------------------------------------------------
VA headquarters                                                          344 of 25,353               $31,301,951
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of VA facility IT equipment inventory.
Note: The data represent current inventory at the time we pulled our samples.
The reported value is the original
  acquisition cost.
\a\ Includes 4,127 leased IT equipment items.


    To follow up on actions taken in response to recommendations in our
July 2004 report for improving physical inventories, we obtained and
reviewed information on physical inventory results at the four case
study locations as well as the five other case study locations
previously audited.
    We performed appropriate data reliability procedures, including an
assessment of each VA test location's procedures for assuring data
reliability, and tests to assure that IT equipment inventory was
sufficiently complete for the purposes of our work. Our procedures and
test work identified a limitation related to IT equipment inventory
completeness at our four test locations. IT equipment inventories at
the Indianapolis and San Diego medical centers and VA headquarters
organizations did not include all IT equipment acquired with purchase
cards or purchased directly from local vendors. Also, the Washington,
DC, medical center inventory did not include one inventory category
consisting of 149 older computer monitors and workstations. This data
limitation prevented us from projecting our test results to the
population of IT equipment inventory at each of our four test
locations. However, we determined that these data were sufficiently
reliable for us to project our test results to the population of
current, recorded IT equipment inventory at each of the four locations.
    From the universe of current, recorded IT equipment inventory at
the time of our tests, we selected stratified random probability
samples of IT equipment, including medical equipment with data storage
capability, at each of the three medical center locations. For the 23
VA headquarters organizations, we stratified our sample by 6 major
offices and used a seventh stratum for the remaining 17 organizations.
With these statistically valid samples, each item in the population for
the four case study locations had a nonzero probability of being
included, and that probability could be computed for any item. Each
sample item for a test location was subsequently weighted in our
analysis to account statistically for all items in the population for
that location, including those that were not selected.
    We performed tests on statistical samples of IT equipment inventory
transactions at each of the four case study locations to assess whether
the system of internal controls over physical IT equipment inventory
was effective (i.e., provided reasonable assurance of the reliability
of inventory information and accountability of the individual items).
For each IT equipment item in our statistical sample, we assessed
whether (1) the item existed (meaning that the item recorded in the
inventory records could be located), (2) inventory records and
processes provided adequate accountability, and (3) identifying
information (property number, serial number, model number, and
location) was accurate. We explain the results of our existence tests
in terms of control failures related to missing items and record
keeping errors. The results of our statistical samples are specific to
each of the four test locations and cannot be projected to the
population of VA IT transactions as a whole. We present the results of
our statistical samples for each population as (1) our projection of
the estimated error overall and for each control attribute as point
estimates and (2) the two-sided, 95 percent confidence intervals for
the failure rates.
    Our investigator supported our tests of IT physical inventory
controls by assessing physical security and reporting of missing items
for purposes of law enforcement investigations.
As part of our
assessment, our investigator interviewed VA Police at the three medical
centers and federal agency law enforcement officers at VA headquarters
about reports and investigations of lost, stolen, and missing IT
equipment. Our investigator also met with physical security specialists
at each of the test locations to discuss the results of physical
security inspections and the status of VA actions on identified
weaknesses.
    To determine if the four test locations had adequate procedures for
control and removal of data from hard drives of IT equipment in the
property disposal process, our IT security specialist selected a
limited number of computer hard drives for testing. We attempted to
test a total of 10 hard drives in each category-drives with data and
drives that had been sanitized-at each of the four test locations.
Because some hard drives we selected were damaged or computer systems
pulled for hard drive testing did not contain hard drives, the number
of hard drives actually tested was less than the number we selected for
testing. At the San Diego medical center, 5 hard drives selected for
testing that were labeled as unerased had in fact been sanitized, and
we included these hard drives in our sanitization testing.
Table 9
shows the numbers of hard drives tested at the four locations we
audited.


 Table 9--Number of Computer Hard Drives in the Property Disposal Process Selected for Testing at Four Locations
----------------------------------------------------------------------------------------------------------------
             Test location medical centers                Drives with data   Sanitized drives        Total
----------------------------------------------------------------------------------------------------------------
Washington, DC                                                          4                  4                  8
----------------------------------------------------------------------------------------------------------------
Indianapolis                                                            5                  6                 11
----------------------------------------------------------------------------------------------------------------
San Diego                                                              10                 15                 25
----------------------------------------------------------------------------------------------------------------
VA headquarters offices
--------------------------------------------------------
Veterans Health Administration                                          2                  1                  3
----------------------------------------------------------------------------------------------------------------
Board of Veterans Appeals                                               6                  8                 14
----------------------------------------------------------------------------------------------------------------
Office of Cyber Information Security                                    3                  1                  4
----------------------------------------------------------------------------------------------------------------
VA headquarters, subtotal                                              11                 10                 21
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis.


    In performing these tests, our specialist used SMART<SUP>TM</SUP>
and Foremost software. SMART<SUP>TM</SUP> is a software utility that
has been designed and optimized to support forensic data practitioners
and information security personnel in pursuit of their respective
duties and goals. SMART<SUP>TM</SUP> is currently used by federal,
state, and local law enforcement; U.S. military and intelligence
organizations; accounting firms; and forensic data examiners. Foremost
is a program used to recover files based on their headers, footers, and
internal data structures. Foremost, originally developed by the United
States Air Force Office of Special Investigations and the Center for
Information Systems Security Studies and Research, is now available to
the general public. In addition, our investigator performed physical
security inspections and assessed accountability over computer hard
drives in the disposal process.
    To identify management actions taken in response to previously
identified control weaknesses, we interviewed VA officials at our test
locations, walked through the IT inventory processes to observe
controls as implemented, and met with VA's Chief Information Officer
(CIO). We also obtained and reviewed copies of new and revised VA
policies and procedures.
    We briefed VA managers at our test locations and VA headquarters,
including VA medical center directors, VA headquarters information
resource management and property management officials, and VA's CIO on
the details of our audit, including our findings and their
implications. On April 9, 2007, we requested comments on a draft of
this report.
We received comments on June 22, 2007, and have summarized
those comments in the Agency Comments and Our Evaluation section of
this report. We conducted our audit work from September 2006 through
March 2007 in accordance with generally accepted government auditing
standards, and we performed our investigative work in accordance with
standards prescribed by the President's Council on Integrity and
Efficiency.

                               __________

     Appendix II: Comments from the Department of Veterans Affairs
                           The Deputy Secretary of Veterans Affairs
                                                     Washington, DC
                                                      June 22, 2007

Mr. McCoy Williams
Director
Information Management Issues
U.S. Government Accountability Office
441 G Street, NW
Washington, DC 20540

Dear Mr. Williams:

    The Department of Veterans Affairs (VA) has reviewed the Government
Accountability Office's (GAO) draft report: VETERANS AFFAIRS:
Inadequate Controls over IT Equipment at Selected VA Locations Pose
Continuing Risk of Theft, Loss, and Misappropriation (GAO-07-505) and
generally agrees with its findings. VA supports GAO's conclusion that
improving the overall control environment for sensitive information
technology (IT) equipment requires renewed focus, oversight, and
continued commitment throughout the organization.
    The Department has already taken significant actions, including the
recent transformation of VA's IT program to a single authority under
the Chief Information Officer. This will enable the Department to
centralize and standardize IT equipment accountability policies and
procedures
and replicate identified IT inventory best practices across
VA.
    Accomplishing this task will require a concerted effort by many
different offices within the Department. VA will analyze why VA medical
center employees were found to have used their own systems to track IT
equipment assigned to their units instead of updating records through
VA's existing formal control system. Accordingly, the Department will
convene a formal work group to include representatives from at least
the Office of Information and Technology, Office of Acquisition and
Materiel Management, the Office of Security and Law Enforcement, the
Veterans Health Administration, and the Office of Human Resources and
Administration to ensure development of a comprehensive strategy to
address all of GAO's recommendations.
    Additionally, during the past nine months VA Central Office (VACO)
has revised and implemented procedures to improve the reconciliation
process of future annual VACO inventories. These procedures include
refresher training for all Equipment Inventory Listing (EIL) officials,
incorporating property accountability and responsibility in New
Employee Orientation, and strengthening controls over the employee
clearance process to ensure greater property accountability as
individuals depart VACO.
    The Department is finalizing new policy directives that will
require senior IT officials at the facility level to maintain an
inventory of all IT equipment. The VA Office of Acquisition and
Materiel Management provides current policy regarding the use and
protection of VA-owned IT equipment. Department officials will
reinforce those policies across all business lines.
    I appreciate your efforts to illuminate continuing weaknesses that
undermine VA's efforts to protect the sensitive personal information
the Department needs to provide services to our Nation's veterans.
The
enclosure discusses each of GAO's recommendations in detail. It also
suggests some technical clarification for the report's overall
accuracy.

            Sincerely yours,
                                                Gordon H. Mansfield

Enclosure

                               __________

            DEPARTMENT OF VETERANS AFFAIRS (VA) COMMENTS TO
          GOVERNMENT ACCOUNTABILITY OFFICE (GAO) DRAFT REPORT
VETERANS AFFAIRS: Inadequate Controls over IT Equipment at Selected VA
  Locations Pose Continuing Risk of Theft, Loss, and Misappropriation
                              (GAO-07-505)
   To help minimize the risk of loss, theft, and misappropriation of
government IT equipment used in VA operations, GAO recommends that the
Secretary of Veterans Affairs take the following departmentwide actions:
<bullet>  Revise VA property management policy and procedures to
        include detailed requirements for what transactions must be
        recorded to document inventory events and to clearly establish
        individual responsibility for recording all essential
        transactions in the property management process.
    Concur--VA is performing a comprehensive update of Department
policies and procedures on equipment management, and we will include
detailed requirements as appropriate.
    To improve awareness of and compliance with existing policies and
procedures, the Veterans Health Administration (VHA) recently issued 11
standard operating procedures with detailed guidance to supplement VA
policy and procedures on equipment management.
    In addition, VA's Office of Acquisition and Materiel Management
(OA&MM) is working with VHA, the Veterans Benefits Administration, the
National Cemetery Administration and the Office of Information and
Technology (OI&T) to identify specific ways to improve compliance with
VA's policies and procedures on equipment management.
Topics under
review include:

    <bullet>  launch of a nationwide training program on equipment
accountability;
    <bullet>  review of logistical organizational structures;
    <bullet>  implementation of a logistics certification program; and
    <bullet>  issuance of a memorandum to facility directors
emphasizing the importance of equipment management and recommended
actions to strengthen local programs.

    Finally, OA&MM is collaborating with VHA's Office of Business
Oversight to include additional areas of audit for equipment
management. This will also include a review of audit findings to
determine where policies and procedures need enhancement.
<bullet>  Revise VA purchase card policy to require purchase card
        holders to notify property management officials of IT equipment
        and other property items acquired with a government purchase
        card at the time the items are received so that they can be
        recorded in property management systems.
    Concur--The Office of Finance will revise VA purchase card policy
to require purchase card holders to notify property management
officials of IT equipment and other property items acquired with a
government purchase card at the time the items are received so that
they can be recorded in property management systems. Target completion
date is July 2007.
    On page 7, under ``Requests and Ordering of IT Equipment,'' the
sentence that begins on line 7 is no longer applicable.
Headquarters
offices may no longer place individual orders or use purchase cards to
acquire IT equipment per recent guidance from the Chief Information
Officer (CIO).
<bullet>  Establish procedures to require specific, individual user-
        level accountability for IT equipment. In implementing this
        recommendation, consideration should be given to making the
        unit head, or a designee, accountable for shared IT equipment.
    Concur--The Office of Information and Technology is developing an
operations policy that requires the senior IT official at a facility to
maintain an inventory of all IT equipment and to have the business/
service unit head or designee sign for all IT equipment issued to their
service/unit. Also, the policy will require issuing of hand receipts
for IT equipment at the user-level.
<bullet>  Enforce user-level accountability and IT coordinator
        responsibility by taking appropriate disciplinary action,
        including holding employees financially liable, as appropriate,
        for lost or missing IT equipment.
    Concur--For VA Central Office (VACO), O/A's Property Management
Division is responsible for processing Report of Surveys from Central
Office organizations for lost or damaged VA property. The Property
Management Division will expeditiously assign the Report of Survey to a
Survey Board to determine if the employee(s) should be held financially
liable or if disciplinary actions should be taken as a result of the
loss, damage, or destruction of the property.
    When the Survey Board recommends that an employee should be held
financially liable, a copy of the Report of Survey, complete findings
and recommendations will be sent directly to the employee, instructing
them to submit a written concurrence or objections to the findings
within 10 working days to the approving official.
An employee's failure
to submit a written reply to the approving official within 10 working
days will be submitted as acceptance of financial liability. Employees
have the right to have an adverse survey finding reviewed by higher
authority if requested within 10 working days after receiving
notification of findings. The decision of the higher approving
authority will be final. VA supervisors are responsible for ensuring
that their employees are held accountable for VA property assigned to
them in performance of their job. Supervisors are also responsible for
any property not directly assigned to an individual employee in their
area.
    O/A's Property Management Division is also implementing new VACO
procedures to increase supervisory awareness and accountability for
property lost, damaged, or destroyed by employees under their
supervision, when supported by findings and recommendations from the
Survey Board. This procedure includes the issuance of a memorandum from
the approving official and Report of Survey findings, to the employee's
supervisor with a courtesy copy to the second-line supervisor and
Employee Relations, Central Office Human Resources Service,
recommending that the supervisor take corrective action, including
disciplinary action as appropriate, against the employee. Employee
Relations,
Central Office Human Resources Service, will follow up with
the employee's immediate and second-line supervisors to ensure
appropriate action is taken within 45 calendar days.
<bullet>  Establish specific timeframes for finalizing a Report of
        Survey once an inventory has been completed so that research on
        missing items is completed in an expeditious manner and does
        not continue indefinitely without meeting formal reporting
        requirements.
    Concur--OI&T is developing an operations policy that will include
the requirement that a Report of Survey will be completed within 15
working days following completion of annual inventory. In VACO, after
an annual Equipment Inventory is conducted, the Not Found Property
Report must be reconciled within 15 days of receiving the report. (In
the past, the Office of Administration [OA] has honored organizational
requests to extend this timeframe for equipment believed misplaced
rather than stolen.) Equipment that cannot be reconciled must
immediately be reported on a Report of Survey to the Property
Management Division. Property Management Division will immediately
conduct an investigation on the missing equipment by forming a Board of
Survey. Recent memorandums to the various VACO department heads
addressed these procedures. Details were also provided to Equipment
Inventory List (EIL) officials in VACO.
<bullet>  Establish a mechanism to monitor San Diego, California, and
        Houston, Texas, medical center and other VA organization
        adherence as appropriate, to VA policy for performing annual
        inventories of sensitive items under $5,000, including IT
        equipment.
    Concur--The Veterans Health Administration's (VHA) Prosthetics and
Clinical Logistics Office (P&CLO) is monitoring all VA medical centers
to ensure adherence to policy requiring an annual inventory of all
items.
To facilitate this effort, all facilities are required to report \ntheir Electronic Inventory List compliance on a quarterly basis to the \nDeputy Under Secretary for Health for Operations and Management \n(DUSHOM). This monitoring includes sensitive items under $5,000. P&CLO \nwill disseminate further direction to the field on sensitive items \nthrough annual training, reminders at the materiel management \nconference calls, and e-mails.\n<bullet>  Require that IRM and IT Services personnel at the various \n        medical centers be given access to the central property \n        database and be furnished with hand scanners so they can \n        electronically update the property control records, as \n        appropriate, during installation, repair, replacement, and \n        relocation or disposal of IT equipment.\n    Concur--VA\'s current asset management system (AEMS/MERS) allows for \nIRM and IT Services to be given restricted access to the AEMS/MERS \nsystem in order to record/update inventory records to reflect status \nand location. Hand scanners can be purchased locally as needed. \nNevertheless, VHA\'s P&CLO is working with the DUSHOM to disseminate a \nmemorandum to all VA medical centers directing them to give access to \nAEMS/MERS for all applicable information resource management and IT \nstaff involved in IT asset management. P&CLO and DUSHOM will provide \ndirection in the memorandum to ensure open communication between IT \nstaff and logistics staff in coordination of either procuring bar code \nscanners or making available existing bar code scanners at the medical \ncenters. The memorandum will specify follow-up through regular \nconference calls and e-mails as required. 
Lastly, P&CLO is working with \nOI&T to establish better communication in defining roles and \nresponsibilities of frontline staff in updating the equipment records \nas appropriate.\n<bullet>  Require physical security personnel to perform inspections of \n        buildings and storage facilities to identify informal and \n        undesignated IT storage locations so that security assessments \n        are performed and corrective actions are implemented, where \n        appropriate.\n    Concur--The current version of the Security and Law Enforcement \npolicy (0730/1) is referenced in this report. This version has \nundergone a large-scale revision and is in the Department concurrence \nprocess. There is a new requirement to the revised policy that each VA \nfacility establish a Security Management Committee (SMC). One of the \ntasks of the SMC is to develop a local strategic security plan (SSP). \nThe SSP is intended as a framework for identifying a facility\'s \nsecurity needs and resolutions.\n    We also wish to note that specific physical security requirements \nfor IT resources and spaces have been updated. In addition, IT spaces \nare now required to be protected with physical access control systems \n(PACS). 
In previous versions, this was an optional item.\n    To assure inventory accuracy and prompt resolution of inventory \ndiscrepancies and improve security of IT equipment and any sensitive \ndata stored on that equipment, GAO recommends that the Secretary \nrequire the CIO to take the following four actions:\n<bullet>  Establish a formal policy requiring a review of the results \n        of annual inventories to ensure that IT equipment inventory \n        records are properly updated and no blank fields remain.\n    Concur--OI&T is developing a policy that requires the senior IT \nofficial at a facility to maintain an inventory of all IT equipment and \nto have the business service unit head or designee sign for all IT \nequipment issued to their service/unit. The policy will require issuing \nof hand receipts for IT equipment at the user-level. The senior IT \nofficial at a facility will be required to complete an annual survey \nthat ensures IT equipment inventory records are complete and up-to-\ndate.\n<bullet>  Establish a process for reviewing Reports of Survey for lost, \n        missing, and stolen IT equipment items to identify systemic \n        weaknesses for appropriate corrective action.\n    Concur--OI&T is developing a policy that will include the \nrequirement that a report of survey will be completed within 15 working \ndays following completion of annual inventory. 
The policy will also \nrequire an analysis of the reports to identify any weakness trends.\n<bullet>  Establish and implement a policy requiring IRM personnel and \n        IT coordinators to inform Physical Security Officers of the \n        location of all IT equipment storage locations so that these \n        store rooms can be subjected to required inspections.\n    Concur--OI&T is developing a policy that will require the senior IT \nofficial at every facility to provide IT equipment storage locations to \nfacility security personnel to perform regular inspections.\n<bullet>  Establish and implement a policy for reviewing the results of \n        physical security inspections of IT equipment store rooms and \n        ensure that needed corrective actions are completed.\n    Concur--OI&T is developing a policy that will require senior IT \nofficials at every site to complete corrective actions addressed from \nall physical security inspections of IT equipment store rooms.\nTechnical comments:\n    Pages 4 and 20, and Tables 6 and 7, portray IT equipment that \ncannot be accounted for as having a combined potential financial loss \nin the millions of dollars. However, the report does not specify \nwhether this cost estimate is provided as a depreciated loss value or a \nreplacement value. Distinguishing between the two is very important as \nit directly impacts the loss estimate value. For instance, if IT \nequipment was purchased in previous years, it depreciates at a \nsignificant determined rate. On the other hand, if GAO used replacement \ncosts to estimate the loss value, it needs to further clarify which \nyear values it used (i.e. 2002 values, 2005 values, or current 2007 \nvalues). In addition, the tally of unaccounted-for equipment that GAO \nused for its estimate of loss value was surmised as a result of this \naudit. 
However, VA could, in fact, have properly disposed of some of \nthe ``missing\'\' equipment, but the proper documentation of the disposal \nis just not available. If this is the case, then it should not be \nsubject to having a replacement cost associated with it.\n\n                               __________\n\n          Appendix III: GAO Contact and Staff Acknowledgments\nGAO Contact: McCoy Williams, (202) 512-9095 or williamsm1@gao.gov\nAcknowledgments:\n    In addition to the contact named above, Gayle L. Fischer, Assistant \nDirector; Andrew O\'Connell, Assistant Director and Supervisory Special \nAgent; Abe Dymond, Assistant General Counsel; Monica Perez Anatalio; \nJames D. Ashley; Francine DelVecchio; Lauren S. Fassler; Dennis Fauber; \nJason Kelly; Steven M. Koons; Christopher D. Morehouse; Chris J. \nRodriguez; Special Agent Ramon J. Rodriguez; Lori B. Tanaka; and \nDanietta S. Williams made key contributions to this report.\n    Technical expertise was provided by Keith A. Rhodes, Chief \nTechnologist, and Harold Lewis, Assistant Director, Information \nTechnology Security, Applied Research and Methods.\n\n                                 <F-dash>\n                     COMMITTEE ON VETERANS\' AFFAIRS\n                                     Committee on Veterans\' Affairs\n                       Subcommittee on Oversight and Investigations\n                                                      July 20, 2007\n\nHonorable R. James Nicholson\nSecretary\nU.S. Department of Veterans Affairs\n810 Vermont Ave., NW\nWashington, DC 20420\n\nDear Secretary Nicholson:\n\n    On Tuesday, July 24, 2007, the Subcommittee on Oversight and \nInvestigations of the House Committee on Veterans\' Affairs will conduct \na hearing on IT Inventory Management. 
This hearing will be held at 2:00 \nPM in room 334 Cannon House Office Building.\n    The Subcommittee requests the most recent equipment inventory \ncertification letters from all facility directors. We also would like a \nlist of any facility directors who did not provide the latest annual \ncertification for completing their annual inventories.\n    Please contact Geoffrey Bestor, Esq., Staff Director of the \nSubcommittee on Oversight and Investigations, Committee on Veterans\' \nAffairs, at (202) 225-3569 if you have any questions.\n\n            Sincerely,\n                                                  HARRY E. MITCHELL\n                                                           Chairman\n\n                                                  GINNY BROWN-WAITE\n                                          Ranking Republican Member\n\n[The information was provided to the Subcommittee and will be retained \nin the Committee files.]\n\n                                 <all>\n</pre></body></html>\n'