<html>
<title>THE U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY REORGANIZATION: HOW FAR HAS VA COME?</title>
<body><pre>[House Hearing, 110 Congress]
[From the U.S. Government Printing Office]


                THE U.S. DEPARTMENT OF VETERANS AFFAIRS
                 INFORMATION TECHNOLOGY REORGANIZATION:
                          HOW FAR HAS VA COME?

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON VETERANS' AFFAIRS

                     U.S. HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 26, 2007

                               __________

                           Serial No. 110-47

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                     U.S. GOVERNMENT PRINTING OFFICE
39-456 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001

                     COMMITTEE ON VETERANS' AFFAIRS

                    BOB FILNER, California, Chairman

CORRINE BROWN, Florida               STEVE BUYER, Indiana, Ranking
VIC SNYDER, Arkansas                 CLIFF STEARNS, Florida
MICHAEL H. MICHAUD, Maine            JERRY MORAN, Kansas
STEPHANIE HERSETH SANDLIN, South     RICHARD H. BAKER, Louisiana
Dakota                               HENRY E. BROWN, Jr., South
HARRY E. MITCHELL, Arizona           Carolina
JOHN J. HALL, New York               JEFF MILLER, Florida
PHIL HARE, Illinois                  JOHN BOOZMAN, Arkansas
MICHAEL F. DOYLE, Pennsylvania       GINNY BROWN-WAITE, Florida
SHELLEY BERKLEY, Nevada              MICHAEL R. TURNER, Ohio
JOHN T. SALAZAR, Colorado            BRIAN P. BILBRAY, California
CIRO D. RODRIGUEZ, Texas             DOUG LAMBORN, Colorado
JOE DONNELLY, Indiana                GUS M. BILIRAKIS, Florida
JERRY McNERNEY, California           VERN BUCHANAN, Florida
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota

                   Malcom A. Shorter, Staff Director

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Veterans' Affairs are also
published in electronic form. The printed hearing record remains the
official version. Because electronic submissions are used to prepare
both printed and electronic versions of the hearing record, the process
of converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.


                            C O N T E N T S

                               __________

                           September 26, 2007

                                                                   Page
The U.S. Department of Veterans Affairs Information Technology
  Reorganization: How Far Has VA Come?...........................     1

                           OPENING STATEMENTS

Chairman Bob Filner..............................................     1
    Prepared statement of Chairman Filner........................    55
Hon. Steve Buyer, Ranking Republican Member......................     2
Hon. Stephanie Herseth Sandlin, prepared statement of............    55
Hon. Henry E. Brown, Jr., prepared statement of..................    56
Hon. Ginny Brown-Waite, prepared statement of....................    56
Hon. John T. Salazar, prepared statement of......................    57

                               WITNESSES

U.S. Government Accountability Office:
    Valerie C. Melvin, Director, Human Capital and Management
      Information Systems Issues.................................     4
    Gregory C. Wilshusen, Director, Information Security Issues..     4
        Prepared statement of Ms. Melvin and Mr. Wilshusen.......    57
U.S. Department of Veterans Affairs:
    Hon. Robert T. Howard, Assistant Secretary for Information
      and Technology and Chief Information Officer, Office of
      Information and Technology.................................    21
        Prepared statement of General Howard.....................    71
    Arnaldo Claudio, Executive Director, Office of IT Oversight
      and Compliance, Office of Information and Technology.......    21
        Prepared statement of Mr. Claudio........................    72
    Paul A. Tibbits, M.D., Deputy Chief Information Officer,
      Office of Enterprise Development, Office of Information and
      Technology.................................................    33
        Prepared statement of Dr. Tibbits........................    73
    J. Ben Davoren, M.D., Ph.D., Director of Clinical
      Informatics, San Francisco Veterans Affairs Medical Center,
      Veterans Health Administration, U.S. Department of Veterans
      Affairs....................................................    36
        Prepared statement of Dr. Davoren........................    76

                       SUBMISSIONS FOR THE RECORD

Mitchell, Hon. Harry E., a Representative in Congress from the
  State of Arizona, statement....................................    78
U.S. Department of Veterans Affairs, Bryan D. Volpp, M.D.,
  Associate Chief of Staff, Clinical Informatics, Veterans
  Affairs Northern California Healthcare System, Veterans Health
  Administration, statement......................................    79

                   MATERIAL SUBMITTED FOR THE RECORD

Post Hearing Questions and Responses for the Record:
Hon. Bob Filner, Chairman, Committee on Veterans' Affairs, to
  Hon. Gordon Mansfield, Acting Secretary, U.S. Department of
  Veterans Affairs, letter dated October 3, 2007.................    81


                    THE U.S. DEPARTMENT OF VETERANS
                     AFFAIRS INFORMATION TECHNOLOGY
                  REORGANIZATION: HOW FAR HAS VA COME?

                              ----------


                     WEDNESDAY, SEPTEMBER 26, 2007

                     U.S. House of Representatives,
                            Committee on Veterans' Affairs,
                                                    Washington, DC.

    The Committee met, pursuant to notice, at 9:58 a.m., in
Room 334, Cannon House Office Building, Hon. Bob Filner
[Chairman of the Committee] presiding.
    Present: Representatives Filner, Snyder, Herseth Sandlin,
Hare, Salazar, Walz, Buyer, Stearns, Brown of South Carolina,
Brown-Waite, Bilbray, and Lamborn.

              OPENING STATEMENT OF CHAIRMAN FILNER

    The Chairman. This meeting of the House Committee on
Veterans' Affairs is called to order. Today, the Committee will
be looking at the U.S. Department of Veterans Affairs (VA)
Information Technology (IT) Reorganization: How Far Have We
Come?
    Obviously, this is a very important issue.
And we will be
looking at the progress of VA in centralizing its IT efforts.
    We want to explore the progress that the VA has made in its
efforts to be what Secretary Nicholson called the ``gold
standard'' of information security among Federal agencies, a
goal that was enunciated in the wake of a data breach last year
that involved over 25 million veterans and succeeding incidents
including one recently in Birmingham, Alabama.
    We understand that such a centralization will not happen
overnight. We are not asking you to do this overnight. But we
are asking, and our veterans are demanding, that the VA be held
accountable for getting the job done.
    This past June, the U.S. Government Accountability Office
(GAO), while praising the commitment from senior leadership,
found fault with a number of areas in the VA's efforts, efforts
that hinder the VA's ability to successfully reach its
reorganization goals.
    These include rejecting the GAO's recommendation that VA
create a dedicated implementation team responsible for day-to-
day management of major change initiatives. Instead, the VA is
apparently dividing the responsibility among two organizations
in this new structure. And the GAO was concerned that this
approach would not work. Many of us on this Committee share
that sense.
    More recently, GAO reported that out of 17 recommendations
made by the VA Inspector General (IG), 16 had not yet been
implemented. Implementing these recommendations is essential if
the VA is to protect private information and meet its
obligations under the Federal Information Security Management
Act (FISMA).
    In the final analysis, we must remember that IT is merely a
tool, a tool used by the VA in furtherance of its mission of
caring for veterans. This Committee has continued to work in a
bipartisan fashion to encourage the VA to centralize its IT
efforts. These efforts, we think, will lead to concrete
benefits for both the VA, taxpayers, and most importantly, our
veterans.
    Our charge is to ensure that while VA is carrying out its
mission, it does so with the best and most up-to-date
technology that the 21st century provides, while securing that
technology from outside manipulation and preventing improper
disclosure of our veterans' confidential information.
    We must at the same time foster creativity and innovation
and the use of electronic medical records and other systems
that have put VA at the forefront of medical care. These are
not easy tasks. We are heartened by many of the steps the VA
has undertaken, but remain concerned that more should be done,
and could be done, at a faster pace.
    We remain hopeful that the VA can simultaneously provide
our veterans the greatest security, management, and healthcare.
Undoubtedly, the efficient and effective management and
operation of VA IT efforts will result in tangible benefits for
our veterans.
    I would yield for an opening statement to the Ranking
Member of our Committee, Mr. Buyer. And you have 5 minutes.
    [The prepared statement of Chairman Filner appears on p.
55.]

             OPENING STATEMENT OF HON. STEVE BUYER,
                   RANKING REPUBLICAN MEMBER

    Mr. Buyer. Thank you very much, Mr. Chairman. First I would
like to address the issue regarding the Vietnam Veterans
Memorial Wall. I was heartbroken to learn about the callous act
of vandalism that resulted in the damage to the Vietnam
Veterans Memorial Wall on September 7th.
    For every person that has ever stood before that wall, you
can reflect upon your feelings and emotions as you stood before
the 147 black granite panels.
I could not help but sense and
feel the humility of a grateful Nation and how small one feels
standing before the granite.
    What I will say publicly to the vandal is that you are
nothing but a coward. These are cowardly acts to stand before
that wall and to throw such a substance and attempt to deface
the Vietnam Veterans Memorial Wall.
    The reality is that despite that act, you have no impact
upon history. You have no impact upon the families who embraced
their loved ones, that gave their lives for this country.
    So to the coward, you can either step forward and accept
responsibility for your act or forever crawl back under the
rock from which you came.
    Right now I would like to thank the Chairman. He and I
worked together last year along with other Members of the
Committee. And I want to publicly thank Mr. Evans, in our
efforts to centralize the IT architecture within the VA.
    Mr. Chairman, I would like to thank you for responding to
my request. More in particular, I compliment your timeliness in
holding this hearing, with the exit and retirement now of the
VA Secretary. I think it is just a wonderful time for us to get
an update.
    It is important for us to look back over the past year and
see how the VA has implemented the instructions given in Public
Law 109-461 and moved its IT infrastructure to a centralized
model. This is the first step for any large, Federal department
or agency of government.
    We held a lot of hearings on VA's data breach, Mr. Filner.
And so as we talk about the centralization of the IT
infrastructure, it is also about security assurances. And I
can't--when I think about the challenges that the Chief
Information Officer (CIO) of the VA has, it is extraordinary.
    And so while I compliment you, Mr. Chairman, for holding
this hearing and getting the input, we also have to be
cognizant of the task at hand and how long it is going to take
to perfect a centralized model.
    And patience is one thing that is going to be very hard for
us to have, and for me in particular, because of my 7 years of
interest in the issue. But I recognize how long it is going to
take.
    The goal of Public Law 109-461 was to provide the means to
allow growth and development to move forward with a main
central IT structure in which new, improved technologies and
methodologies can be encouraged and shared throughout the VA.
The new law also brought fiscal discipline to VA IT for the
first time.
    What I am interested in finding out today is how the
centralized model is being implemented. And whether there has
been any cultural resistance from local facilities toward
centralizing.
    I am also interested in learning what new technologies are
being used. How will these technologies enhance the VA's
ability to provide faster, better, and safer services to our
Nation's veterans? What measures are being used to protect the
identity of our veterans when they seek treatment or benefits
from the VA?
    I was very concerned when I learned about the 2006 Federal
Information Security Management Act report being delayed and
the VA receiving an incomplete in its FISMA reporting
requirements. I trust that this will not occur again in the 2007
reporting period.
    I am also concerned about the continuing problems in IT
security, which are detailed in the weekly Network Security
Operations Center reports received by this Committee.
    The Birmingham VA research breach involves more than a
million Medicare and Medicaid providers. I would like to know
how the IT vulnerabilities that we have seen in VA's research
community are going to be addressed, so that incidents such as
this no longer occur.
    Last week, the GAO testified before the Senate Veterans'
Affairs Committee and made 17 recommendations to the Secretary.
Those recommendations aimed at improving the effectiveness of
VA's efforts to strengthen information security practices by
developing and documenting processes, policies, procedures, and
completing the implementation of key initiatives.
    For instance, why is the Veterans Health Administration's
(VHA's) waiver for not encrypting physicians' laptops and other
devices still in effect? I am looking forward to hearing the
status of each of these recommendations from both the GAO and
the VA.
    Mr. Chairman, I would like to thank the witnesses for
coming to testify before the Committee, and General Bob Howard
who took the reins for the VA IT infrastructure during a wave
of change.
    I compliment you, sir. It is under his watch that the goals
and policies set up by Public Law 109-461 are being
implemented. And I look forward to hearing from you and
continuing to work with you.
    General, I also want you to rely upon your military
experience, because once you have made your advance, you have
taken ground. And now that you have someone leaving, i.e., the
Secretary, as an agent of change, other individuals are seeking
to take ground back.
    So you are going to have to defend. And I recognize that.
And at the first moment, please pick up the phone, call the
Chairman, call me. We want to work with you to make sure that
you have the ability to implement the law.
    And I would say to the witnesses, I had an opportunity last
night to read your testimony. I have a Commerce Committee
hearing on my other issue dealing with counterfeit drugs. And
so I am going to have to excuse myself.
    But thank you, Mr. Chairman.
    The Chairman. Thank you. Any other opening statements? Dr.
Snyder? Mr. Walz? Mr. Brown? Mr. Lamborn?
    All Members have 5 legislative days to revise and extend
their remarks and all written statements will be made part of
the record. Hearing no objection, so ordered.
    Our first panel this morning is from the U.S. Government
Accountability Office. Ms. Valerie Melvin is the Director of
the Human Capital and Management Information Systems Issues
Office. Mr. Gregory Wilshusen is the Director of Information
Security Issues. And accompanying you is Ms. Oliver. If you
will introduce her, Ms. Melvin. Your written statements will be
made a part of the record, so if you can keep oral remarks to
about 5 minutes, that would be great.

 STATEMENTS OF VALERIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND
    MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT
  ACCOUNTABILITY OFFICE; AND GREGORY C. WILSHUSEN, DIRECTOR,
  INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
  OFFICE; ACCOMPANIED BY BARBARA OLIVER, ASSISTANT DIRECTOR,
 HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S.
                GOVERNMENT ACCOUNTABILITY OFFICE

                  STATEMENT OF VALERIE MELVIN

    Ms. Melvin. Mr. Chairman and Members of the Committee,
thank you for inviting us to discuss VA's information
technology realignment and actions toward strengthening its
information security program.
    With me today, as you have noted, is Mr. Greg Wilshusen,
GAO's Director of Information Security Issues, and Ms. Barbara
Oliver, Assistant Director for VA IT issues.
    In serving our Nation's veterans, VA relies heavily on
information technology, for which it spends about $1 billion
annually.
    However, the Department has long been challenged in IT
management, having experienced cost, schedule, and performance
problems in its information systems initiatives, as well as
security breaches that threaten to compromise sensitive and
personally identifiable information.
    To provide greater authority and accountability over its
resources, VA is realigning its organization to centralize IT
under the Chief Information Officer, relying on a defined set
of improved management processes to standardize operations. VA
began this realignment in October 2005 and plans to complete it
by July 2008.
    Over the past year, we have assessed and reported on the
realignment. And just last week, as you noted, released a
report on the Department's information security. At your
request, our testimony today summarizes our findings in these
two important areas.
    In short, VA has made progress in moving to a centralized
structure by fully or partially addressing all but one of six
critical factors that we identified for a successful
transformation such as this realignment.
    Among its actions, the Department has ensured top
leadership commitment to the initiative and established a
governance structure to manage resources.
However, it continues
to operate without a single dedicated implementation team to
oversee this important change.
    And in addition, while improved IT management processes are
a cornerstone of the realignment, VA has not kept to its
timeline for implementing the processes and thus, has not made
significant progress, having only piloted two of the thirty-six
planned processes.
    At the same time, VA has ongoing programs and system
development initiatives that depend on effective management and
use of IT resources, the essence of this realignment. Our
recent studies have noted measures of progress in its efforts.
But essential work remains, including addressing numerous and
longstanding information security weaknesses.
    Our report, released last week, notes that although VA has
made progress in strengthening information security, much work
remains to resolve its security weaknesses.
    The Department has undertaken several major initiatives to
strengthen information security practices and secure personally
identifiable information, including continuing efforts to
realign its management structure, establishing an information
protection program, and improving its incident management
capability.
    Yet while these initiatives have led to progress, their
implementation has shortcomings. For example, although a new
security management structure exists, improved security
management processes have not yet been completely developed and
implemented.
    In addition, this new security management structure divides
responsibility for information security functions between two
organizations, but with no documented process for the two
offices to coordinate with each other.
    Further, the Department has made limited progress in
addressing prior recommendations to improve security that we
and its Inspector General have made. Although VA has taken
certain steps, it has not yet completed the implementation of
22 out of 26 prior recommendations.
    In summary, Mr. Chairman, VA is making progress on its IT
realignment. But important work remains to ensure that
effective management processes exist and that its IT programs
and initiatives are fully and successfully implemented.
    In our view, an implementation team and established
management processes are crucial to the overall success of the
realignment, without which the Department is in danger of
missing its 2008 targeted completion date and of not realizing
the potential benefits of this initiative.
    Similarly, until the Department addresses the shortcomings
in its IT security program, it will have limited assurance that
it can protect its systems and information from unauthorized
disclosure, misuse, or loss.
    This concludes our prepared statement. We would be pleased
to respond to any questions that you may have.
    [The prepared statement of Ms. Melvin and Mr. Wilshusen
appears on p. 57.]
    The Chairman. Thank you. There are no other prepared
statements from the panel?
    Ms. Melvin. No. This is our statement.
    The Chairman. Thank you. And I appreciate you undertaking
this. It has been very helpful.
    Dr. Snyder, do you have any questions?
    Mr. Snyder. Yes.
    The Chairman. Go ahead. I will wait.
    Mr. Snyder. I think you all make a great contribution in
these areas.
    I am always struck that somebody like us that can sit on
these panels and, you know, make--we are prone to make
accusatory comments about administrative agencies and their
failures to do certain things.
    I couldn't do this. I don't have the skills to do what we
are asking the VA. Can you all do this? If you were plucked out
and put in Secretary Nicholson's slot, could you do this, what
you are asking this system to do?
    Ms. Melvin. Sir, this initiative is a complicated one.
    Mr. Snyder. Yeah.
    Ms. Melvin. It is one that from its inception, we have
noted would take a lot of dedication. It was one in which VA was
stepping out in a way that few other agencies have, in fact,
done.
    It is an effort that will require tremendous discipline,
tremendous coordination, and exceptional communication on the
Department's part to ensure that all of its management is
involved, all of its users are adequately considered. That
there is the necessary governance in place and the disciplined
process is in place to ensure that this can be undertaken.
    Mr. Snyder. Was that a no? Regardless of----
    Ms. Melvin. It means that it is a very complicated process
that----
    Mr. Snyder. I think it is.
    Ms. Melvin [continuing]. Will require a lot of effort on
the Department's part.
    Mr. Snyder. I think it is. I think the problem with it too
is it is complicated. It is a challenge. And you outline, I
think, some kind of hard attributes of the process. But it is
about leadership, I think, and getting people to buy into it.
    Did you--have you all looked at what the downside for
veterans' healthcare is if these things are not being done?
    Ms. Melvin. Obviously, this overall initiative, it is in
place so that the Department can have more effective processes
for managing all of the initiatives that it is undertaking.
    Certainly one of those, for example, is its veterans health
information system. All of these initiatives are impacted by
the efforts that are being undertaken and the sense that VA has
previously operated in a centralized manner. And in moving--I
am sorry, in a decentralized manner.
    And in moving to centralization, it will be critical to
make sure that the processes exist so that requirements can be
understood effectively, identified effectively, and that
solutions are in place to address them.
    When you are looking at that, obviously there is the chance
that if this is not undertaken properly, if it is not put in
place in a disciplined manner that allows all of the
administration's IT needs to be addressed in a manner that
supports the veterans, it could, in fact, impact veterans
through the systems that are either put in place effectively or
not put in place effectively.
    Mr. Snyder. I spent several hours sitting in an airport
yesterday, because of something that happened with Memphis
radar that shut down planes over several States. There was no--
nothing--it was earlier at the Little Rock Airport. Nothing was
coming in or going out.
    And if you had asked us, I would think most of us would say
well, there has got to be some redundancy in some system--in
the system. We can handle whatever kind of technical problem.
And yet, these kinds of things get so complicated that it can
be--it can get so complicated it is difficult for a group of
civilians here to provide that kind of oversight.
    So we count on you all to do that for us. And I always
struggle a little bit about what exactly do I think is the
clear next step for them to take. What do I think they should
be doing.
    And it comes down to me as a matter of almost the personal
leadership of the people at the top, the people that are at the
highest position of leadership at the VA. This has got to be a
number one priority, maybe second only to veterans' healthcare,
or it is not going to get done.
    When I sometimes read these reports, they almost get so dry,
which is I think what your approach is. That is what we want
you to do. But then we forget about the dynamic leadership that
can make this kind of thing occur through a big system.
    Thank you for your contribution. I don't have any further
comments, Mr. Chairman.
    The Chairman. Thank you. Mr. Stearns.
    Mr. Stearns. Thank you, Mr. Chairman. I sort of tend to
think that we can solve this problem. General Motors, a large
corporation, is able to keep track of their security. They set
up a security database with a security chief officer. They are
able to coordinate with all the plants, not just in the United
States but around the world.
    IBM, as I understand, is a subcontractor to you folks. And
IBM has been successful in setting up internally their own IT
network.
    So I don't think it is without the realm of possibility. In
fact, if the private sector came in and did this, wholly I
suspect they could get it done.
    I think Dr. Snyder's probably correct, it is one of
leadership. But it is also inherently difficult with
bureaucracies, because it has been decentralized. And these
bureaucracies are not talking to each other. But I am
optimistic that you can get it done.
    In May 2006, VA experienced the largest data breach in the
history of the Federal Government. In January 2007, VA
Birmingham, Alabama, suffered a breach of unbelievable
magnitude involving any practitioner that has ever billed
Medicare or Medicaid.
    My question is, is the VA data at risk today?
Notwithstanding where we are, is the VA data at risk today? Can
you tell me ``yes'' or ``no''?
    Mr. Wilshusen. Yes, it is, sir.
    Mr. Stearns. And is that agreed by all three of you? Was
that pretty much the unanimous consent of all of you that the
VA data is at risk?
    Ms. Melvin. Based on my understanding of the work that Mr.
Wilshusen has done, I would say yes.
    Mr. Stearns. Now, Mr. Wilshusen, why don't you explain why
you think it is at risk?
    Mr. Wilshusen. Okay, certainly.
First of all, I would like
to note that VA has made important progress in improving its
information security practices and policies. However, much more
needs to be done.
    For example, VA has not yet fully implemented two of our
four prior recommendations, including one to complete a
department-wide information security program.
    In addition, it has not yet fully implemented 20 of 22
recommendations made by the Inspector General (IG) with regard
to improving information security.
    For example, it has not yet completed the activities to
appropriately restrict access to its information, computer
systems, and networks. It has not yet implemented appropriate
physical security safeguards to protect its information
technology resources and facilities, nor has it ensured that
all authorized--that only authorized changes and upgrades have
been made to computer programs.
    Until these recommendations are implemented, unnecessary
risk exists that personal information of veterans and others,
including medical providers, such as--or such medical
providers, will be exposed to data tampering, fraud, and
unauthorized or inappropriate disclosure.
    Mr. Stearns. Based upon what you said, would you be willing
to track the VA's progress in implementing their consolidation
plan and report back to us on a regular basis?
    Mr. Wilshusen. Yes, we would. Yes, I would.
    Mr. Stearns. What are the short-term, mid-term, long-term
consequences and vulnerabilities for the delay in VA's
integration and consolidation plan? And I guess--go ahead.
    Ms. Melvin. In terms of VA's centralization, the concerns
that we have relate to the extent to which the Department
implements the critical processes that it has identified for
this initiative.
    The Department has identified 36 processes that are
critical or the foundation I should say to the overall--having
an overall disciplined process in place that allows it to
oversee and account for its IT investments.
    In the immediate, we noted that the Department has, in
fact, put a governance structure in place, so that they have
some immediate levels of responsibility.
    However, in looking out over the initiative as it continues
to carry out this implementation, we have concerns from a
longer term relative to how they are actually--or the progress
that they are making, I should say, in actually fielding the
leadership for the positions that it has. The extent or the
time frame in which it would get its management processes in
place.
    At the same time that the Department is undertaking this
realignment, as I mentioned in my statement, its systems
development initiatives and programs are still being
undertaken.
    So in the long term, having this system in place and having
it in place the sooner the better relative to its impact on the
overall initiatives that it is undertaking and how effectively
it can continue to move forward with those projects for systems
development.
    Mr. Stearns. Have you seen any bureaucratic or cultural
push back toward this implementation in the administration?
    Ms. Melvin. We have heard through our assessment that there
has been concern from the clinicians, for example within the
Veterans Health Administration, that in doing this, some of
their innovation will be stifled.
    And I think this is driven by their past experience in the
initial--the development of the initial VistA system. However,
what we have stated through our work is that if the Department
is able to move forward and maintain momentum in terms of
having an effective communication strategy in place, having the
overall leadership in place relative to the many offices that
it has identified.
    For example, they have identified 25 offices that are being
put in place to implement and execute the 36 management
processes that will give it a disciplined approach to managing
its investments and resources.
    However, at the time of our review, those--not all of those
offices had been filled. I think it is somewhere in the range
of probably 15 or more either had not been filled or had been
filled only in an acting capacity.
    Our concern with that is that without the stable
leadership, the Department does not put itself on a solid and a
sustainable foundation for being able to carry through with the
realignment itself. And then certainly to execute all of the
processes that are necessary to carry out its investments and
its projects.
    Mr. Stearns. Thank you, Mr. Chairman.
    The Chairman. Thank you. Mr. Walz, your witness.
    Mr. Walz. Thank you, Mr. Chairman. And thank you to each of
you for being here. It is a very important service that you
provide. And every time we testify in this Committee, I think
it is very important for us to always remember the ultimate
goal here is the service to our veterans and making sure that
is possible.
    And I think I associate myself with Mr. Snyder--Dr.
Snyder's comments on this. It is all too easy to point fingers
at this. And this is a--this is a large task.
    And I also associate myself to a certain degree with my
colleague, Mr. Stearns, that I believe this can be fixed.
Although his faith in the private sector seems to forget the
letter that I received in June of 2005 when my MasterCard data,
along with 40 million others, were compromised.
    So it cuts both ways. It is a difficult task. But it is one
that I think we are hitting on, and some of the questions got
asked. But I just have two questions that I am concerned about.
    I represent the Southern Minnesota district that includes
the Mayo Clinic. And I have had a lot of talks on this issue,
on the VA side of things, on the quality of the VistA system
and their medical records, which is arguably the best in the
world.
    My concern is, and you hit on it to a certain degree, do
you have a concern that any of this is going to be the movement
forward we have had on the VistA system, the electronic medical
records, and our push to seamless transition with the U.S.
Department of Defense (DoD) is going to be affected by this
realignment? If you could comment on that in your opinion.
    Ms. Melvin. Obviously, in undertaking the realignment, the
key will be making sure that the Central Office of Information
and Technology, which is the key point at which the
centralization is taking place, is in touch, if you will, with
the administration, in this case the Veterans Benefits
Administration (VBA). I'm sorry, Veterans Health
Administration.
    And what we have seen in our work and what we have
advocated through the success factors that we have emphasized
as a part of our most recent study, was the need for the
Department to have adequate communication and a balance
relative to ensuring that the requirements, the needs of the
administrations, are adequately identified, heard, and dealt
with as a part of the overall efforts that are undertaken.
    Obviously, that means that the Department has to get in
place its main office that is identified to serve as the
conduit of communication between the administrations and the
central office.
    At the time of our assessment, that office had not been
staffed and its leadership had not been put in place.
So we \nview that as critical to making sure that they have the \nnecessary balance for making--for ensuring that administration \nneeds are identified, that solutions are identified to address \nthose needs, and that there is a necessary follow up to ensure \nthat the delivery takes place in terms of services provided \nthrough the IT that the central office supports.\n    Mr. Walz. And my--just my final question here. And this is \nI guess a bit more subjective. I come from--my background is in \ncultural studies and this issue of culture or what is there. I \nknow when the issue came out of the data breach, I also \nreceived a letter on that as a veteran for my data breach.\n    And it seemed like at that point though there was a \nslowness to it, a reluctance to move on this. Do you get a \nfeeling, and this as I said is very subjective? I have \ncomplimented many of the Members who have taken over on this in \na very difficult time.\n    And I feel that there is a--maybe there is a shift in the \nculture of understanding this. And I am convinced that this is \ncentral before we can move forward, if they really understand \nthat. If you may--if you could comment on that.\n    Ms. Melvin. I would agree with you. Definitely key to this \nis the cultural transformation that is necessary, along with \nthe actual implementation of new processes.\n    Key to that, again, as I have mentioned earlier, is \ncommunication. We do feel that that is one of the critical \naspects that has to take place. In our work, we found that the \nDepartment has taken some efforts toward trying to improve its \ncommunication in dealing with the administrations.\n    But there is still more work that can be done through \nensuring, as I mentioned earlier, that its business \nrelationship management office is staffed up. 
That the \nnecessary individuals are in place in positions there to serve \nas the conduit of communication, through actual information \nsharing and making sure that the users understand what it is \nthat the Department is trying to accomplish and how they plan \nto do that. And the impact of how that change to centralization \nwill affect the Department from the standpoint of identifying \nbusiness requirements, addressing the requirements.\n    Only until they have had an opportunity to really \ncommunicate and reach agreement and understanding on those \naspects will there be a cultural change, will there be what I \nwould say is more user buy into this overall initiative.\n    Mr. Wilshusen. And I would just add from an information \nsecurity perspective that the tone at the top has increased \nsignificantly with regard to taking corrective actions to \nimplement effective security controls since the May 2006 data \ntheft.\n    I think that was a watershed event, which really caused and \nhighlighted the need for strong information security control. \nAnd we have seen a shift throughout the entire organization in \nthe terms of--particularly with reporting incidents of \npotential data breaches or loss of information. Just prior to \nand subsequent to that May 2006 event, for example, the number \nof reported incidents doubled over the 5 months following it, \nversus the 5 months preceding that point.\n    In addition, the number of initiatives that the VA has \nundertaken to improve security, and they are making progress. \nMany of them have not yet--many of those initiatives have not \nyet been completed. But they are taking steps to implement \nstronger controls.\n    Mr. Walz. Great. Well I thank you. I yield back, Mr. \nChairman.\n    The Chairman. Mr. Brown, any questions?\n    Mr. Brown of South Carolina. Thank you, Mr. Chairman. And \nthank you to the witnesses for coming this morning. 
I know this \nis a major concern of mine and of course of all the veterans \naround the country.\n    Do you think we are--we are better off today than we were \nback in 2006?\n    Mr. Wilshusen. With regard to the----\n    Mr. Brown of South Carolina. Security.\n    Mr. Wilshusen [continuing]. Security of----\n    Mr. Brown of South Carolina. Right.\n    Mr. Wilshusen [continuing]. Their personal information, I \nbelieve VA has taken steps to improve information security. And \nthese steps include encrypting the information on thousands of \nlaptops, initiating a remedial action plan to identify and to \ntake corrective steps to improve the security controls, but \nmuch more still needs to be done.\n    There are still significant and unnecessary risks to \nveterans\' information. But I believe that they are taking steps \nin the right direction.\n    Mr. Brown of South Carolina. Do we have a system in place \nthat we can identify if there is a breach at some point in \ntime?\n    Mr. Wilshusen. Well there are technical controls that are \navailable to look for and to detect anomalous behavior and \nwhether or not there have been breaches, if you will, or \nintrusions into the systems in networks of VA.\n    VA, I believe, is in the process of acquiring and \ninstalling intrusion prevention systems on various devices that \nwill help prevent and to detect such occurrences.\n    Mr. Brown of South Carolina. Well I believe in the past we \nhave had like people taking their laptops home and this sort of \nthing. So I was just trying to----\n    Mr. Wilshusen. That is correct. 
And that is why the \nphysical security controls and the use of encryption on \nportable media and laptops is so important, because you \ncorrectly state that many of the or several of the most \nsignificant security breaches were the result of physical theft \nof equipment.\n    And so it is important that VA first inform and train their \nstaff on what the proper controls are over that equipment and \nover that information and to put in the appropriate controls to \nprevent them from occurring.\n    Mr. Brown of South Carolina. And how long do you think it \nwill take to implement a system that we can feel comfortable \nwith that our records are secure?\n    Mr. Wilshusen. VA, in its remedial action plan, has \nidentified over 400 action items in which it is undertaking to \nimprove various different aspects of information security.\n    Some of those actions extend out to June--or I am sorry, \nout to 2009. Even upon completion of those actions, many of \nwhich are to develop or update a policy or procedure, the true \ntest of determining whether or not the agency has effective \ninformation security controls is whether or not they \neffectively execute those policies and procedures.\n    And, as my father once told me, and I am paraphrasing him \nnow, `` The road to insecurity is paved with good intentions.\'\' \nAnd developing policies and procedures shows what the \nmanagement\'s intentions are with regard to securing \ninformation.\n    But it gets down to the detail of actually implementing \nthose on a sustainable, ongoing and consistent basis throughout \nthe organization.\n    Mr. Brown of South Carolina. We don\'t recognize the \ncultural education we must perform. Is there anything that we \ncan do as Members of Congress to help expedite that process?\n    Mr. Wilshusen. Well, one, the passage of the Veterans \nBenefits Healthcare and Information Technology Act of 2006, I \nthink, was a positive step forward. 
And in addition to holding \nthese types of hearings, holding VA officials accountable for \ntheir actions and maintaining a dialog with them, with you and \nyour staffs with the VA officials to assure that appropriate \nactions are being taken.\n    Mr. Brown of South Carolina. Thank you very much.\n    Mr. Wilshusen. You\'re welcome.\n    The Chairman. Ms. Herseth Sandlin.\n    Ms. Herseth Sandlin. Thank you, Mr. Chairman. Thank you for \nyour testimony today. I would like to pick up a little bit \nwhere Mr. Stearns had asked your willingness, GAO\'s \nwillingness, to track the VA\'s progress and report back. And \nyou had answered ``yes.\'\' And I appreciate that.\n    But let me ask you this, I assume that in doing that, your \njob would be easier if the VA would actually dedicate an \nimplementation team to manage the change, so that you had a \nteam you were directly working with, which is the team within \nthe Department that\'s supposed to be tracking the progress and \nmanaging the change.\n    So could you confirm for me that the VA has not yet acted \non that critical success factor?\n    Ms. Melvin. As it pertains to the realignment initiative, \nthe VA has not put what we would desire to see in terms of a \nsingle dedicated implementation team to manage that overall \neffort.\n    It does have multiple offices designated to oversee the \nrealignment effort. Our concern is that there is not a single \nbody that is dedicated to ensuring that there is the necessary \noversight for the--managing, for example, the schedule against \ngoals and timeframes for accomplishment. Identifying shortfalls \nand being able to ensure that there is a consistent \ncoordination throughout the Department relative to how these \nare handled.\n    We feel that it is important also in terms of having some \nconsistency through leadership changes that occur so that the \nDepartment has a voice that speaks for the overall realignment. 
\nAnd that ensures, from an oversight perspective, that it is \noccurring as it should.\n    Ms. Herseth Sandlin. So I think you answered my other \nquestion. There is no timetable other than the July 2008 date \nupon which this is to be completed. But there are no quarterly \nobjectives. There is no, as you said, single entity in place to \nhelp set the objectives, track the progress.\n    What has been the Department\'s reaction to your concern \nabout the lack of that type of entity that would help \neffectively manage the transformation?\n    Ms. Melvin. The Department has stated that it is taking \nsome actions, for example, toward business processes in terms \nof identifying timeframes. And they prioritized some of those. \nBut we have not seen specific dates attached to those.\n    But when it comes to the realignment team in and of itself, \nthe Department has effectively stated that it would agree to \ndisagree with us on the need for a single dedicated team.\n    They have not indicated that they wouldn\'t have multiple \nteams working. But, again, our desire would be to see a single \ndedicated team that can ensure a coordinated oversight for this \ninitiative.\n    Ms. Herseth Sandlin. Well, Mr. Chairman, I would just \nsuggest that in light of the Secretary\'s resignation, and of \ncourse our continued hope that there is the tone at the top \nwith the Under Secretary\'s, the deputy assistant secretaries, \nto improve the system.\n    I actually think that given the transition here, the lack \nof stable leadership at the top. And I do think Secretary \nNicholson, working with this Committee, working with the \nRanking Member, working with Committee Staff last year when \nthis problem presented itself and how we go about the \ninformation security objectives, I was very committed to it.\n    My concern is the transition. 
And so I think it highlights \nthe importance of a single dedicated board, governance board, \nwithin the VA in light of that transition. And would hope that \nwith our oversight that we can, with the testimony we will be \nhearing from the later panels, continue to work with them to--\nif you would agree.\n    And if the Ranking Member and Mr. Stearns and other Members \nof the Committee agree with the GAO assessment as I do, that a \nsingle dedicated entity is of the utmost importance in helping \nmanage the transformation that we work through our oversight \nand our discussions with the VA to see that that would happen \nto try to stay as on top of the July 2008 deadline as possible.\n    And I would yield back.\n    The Chairman. Thank you. Just to follow up, I mean, when \nyou say you have agreed to disagree, is there a reason? What is \ntheir reason?\n    Ms. Melvin. I think they can best answer that. But in \ntalking to them through our assessment, they feel--felt \nstrongly that the offices that they are putting in place, and \nthey have identified two specific offices, they feel that those \noffices are capable of providing the necessary oversight and \ncoordination for this effort.\n    Our concern is that this is an extremely large initiative \nthat involves many processes, that involves many layers of \nmanagement and the need for solid and extensive communication \nthroughout the organization. And certainly established \ntimeframes that can be monitored closely and that the \norganization have some consistency in how it measures and \ntracks performance toward achieving its overall goal for 2008.\n    The Chairman. And of the two major teams, one of them is--\nits top position is vacant, right?\n    Ms. Melvin. Yes, that\'s correct.\n    The Chairman. Thank you. Mr. Bilbray.\n    Mr. Bilbray. Thank you, Mr. Chairman. You know, Mr. 
\nChairman, all the concerns about the information systems kind \nof reminds me of the fact that ever since man started messing \nwith technology, there has been a fear of it, and a threat of \nit, and, obviously, an opportunity.\n    I mean, fire would be a good example. I think that there \nare a lot of people in Washington if they had been the caveman \nwith the first fire, it would have been outlawed, restricted, \nand banished from the world.\n    I think the keys we are looking for though is that we first \nof all needed something that is expandable and transformable. \nIt has got to be able to adapt to the situations.\n    And actually the Chairman and I went through years in local \ngovernment working the same issue, the city of San Diego, \ntrying to work out emergency response information systems, the \ncounty doing the same thing. And Mr. Chairman, I would just \nlike to let you know that though you worked hard at the city, \nthe city now has accepted that the county system is so much \nmore effective and is adopting that system for their emergency \ninformation system. To have--I can\'t pass up the chance to take \na cheap shot.\n    My question to you though, the laptop situation was sort of \ninteresting. With all the encryption on there, wouldn\'t it be \nso much more secure if with these mobile information modes, \nthat only the person who is authorized to use that or who \nsupposedly has it delegated to them, if the technology was \nthere to where only they could activate the system, wouldn\'t \nthat be even a step further in securing the information of the \nveterans?\n    Mr. Wilshusen. Yes, it is. Certainly that would be like the \nfirst step in protecting sensitive information is to make sure \nthat only those individuals who have a legitimate business need \nfor access have access.\n    And once that is granted, then to have other controls to \nenforce that level of access. 
And then also to protect the \ninformation such as using encryption and other technologies to \nprotect it--while it is being stored on laptops and other \ndevices.\n    Mr. Bilbray. How many of our mobile and how many of our \nstationary now are going or do have biometric access control \nsystems?\n    Mr. Wilshusen. I don\'t know the precise number in terms of \nhow many of the laptops or other devices have biometric \ncapabilities on them at VA.\n    Mr. Bilbray. Many laptops have as an option biometric \naccess that have had it for over a decade. And after what \nhappened with the laptops, I just think it is almost like any \nbusinessman would say we are going to go to this option now, \njust as a matter of fact.\n    And I would really challenge, if we haven\'t done it, why we \nhaven\'t done it. And really look at the fact that here are \nthose simple little things that the private sector would be \ndoing at the snap of a hat. But we are always lagging behind in \nthe hope that we will go over to that.\n    I mean, frankly, I don\'t know of a major manufacturer of a \nlaptop who does not provide the option that a thumbprint can be \nused as the primary access before the machine would even turn \non. And I would sure like to see if we are moving forward with \nthose little things that can really make a difference.\n    If somebody steals a laptop and can\'t even turn the thing \non, that is even better than encryption control.\n    I yield back, Mr. Chairman.\n    The Chairman. Thank you. Mr. Hare.\n    Mr. Hare. Thank you, Mr. Chairman. I apologize for getting \nhere a little bit late. I had another meeting. So if you have \ncovered these, I hope you will bear with me. But I am just \ninterested in the answers that you might have here.\n    What are the main reasons that you found for lack of a \nsingle integration team to oversee this implementation?\n    Ms. Melvin. 
The main reason was that the Department, as I \nmentioned earlier, just felt that it had the necessary offices \nin place to carry out the oversight and monitoring of the \nimplementation.\n    But, again, as was stated previously, one of those offices \nis vacant at this time. And our concern is that with the \nmagnitude of this overall effort, there is a need for a \ncoordinated oversight through a single dedicated implementation \nteam.\n    Mr. Hare. Do you think there is a correlation between the \nlack of staffing in these key leadership positions and the \ndelay in establishing the management processes?\n    Ms. Melvin. I think it is certainly--if it has not had an \nimpact, will have an impact on the Department\'s ability to meet \nits timeframes for getting the processes in place. The \nindividuals that it has identified and the offices that it has \nidentified are the ones that are supposed to implement and \nexecute these processes.\n    The Department has acknowledged that they are behind in \ndoing that. But we do feel strongly that it is important to \nhave the staff there to carry out the processes or you are \nunlikely to have a disciplined approach to managing the \ninvestments and resources.\n    Mr. Hare. What other hitches do you think--what are the \nother hitches that are causing the delay in developing the 36 \nmanagement processes?\n    Ms. Melvin. I am sorry, what are the delays?\n    Mr. Hare. What other hitches are causing do you think----\n    Ms. Melvin. The issues that are causing it?\n    Mr. Hare. Uh-huh.\n    Ms. Melvin. What--in talking with VA\'s management, we were \ntold that--and quite frankly they do recognize that they are \nbehind in implementing the processes. What they identified were \nsome concerns relative to really the definition of the \nprocesses that the contractor recommended for them. 
And the \nneed to redefine and reassess what those processes were \nrelative to their offices in place.\n    Also they identified the need to really look at the \nprocesses relative to responsibilities and ensuring that they \nclearly discerned which offices would be responsible for key \nactivities under those processes.\n    And in some cases, they are still clarifying who has key \nresponsibilities. The Office of Information and Technology \nwon\'t have full responsibility, for example, for all of the \nfinancial management processes, as the Department has an office \nof management that oversees its overall budget. So they are \nworking through those issues.\n    And then as you mentioned earlier, a key concern of ours \nwas the--that the 25 or so offices that they have identified to \nimplement and execute the processes have not yet been fully \nstaffed and don\'t all have full leadership to direct them.\n    Mr. Hare. Have they indicated when they would be staffed?\n    Ms. Melvin. When they will be staffed?\n    Mr. Hare. Mm-hmm.\n    Ms. Melvin. We did not get information on when they would \nbe staffed.\n    Mr. Hare. Okay.\n    Ms. Melvin. They did indicate that they were looking into \nthe staffing. That they saw this as a difficult process that \nthey would need to work through.\n    Mr. Hare. Thanks. And my last question is how much \ncollaboration and communication did you find that there is or \nis not between the two implementation teams?\n    Ms. Melvin. I believe that the implementation teams are \ncollaborating with one another. I don\'t think our assessment \nlooked fully at exactly how all of the collaboration is \noccurring.\n    We do maintain, however, that there has to be collaboration \nacross those. 
And it has to be extensive relative to the \nprocesses, relative to the overall staffing of the offices that \nneed to take place.\n    Again, however, from our standpoint, we would like to see \nmore assurance that there is the necessary coordination that \nwould be gained through having a single devoted body to \noverseeing this effort.\n    Mr. Hare. Okay. Thank you very much. I yield back, Mr. \nChairman.\n    The Chairman. Thank you. Ms. Brown-Waite.\n    Ms. Brown-Waite. Thank you very much. I had votes in \nFinancial Services. And that is why I was late.\n    I don\'t care which one answers this. And you may or may not \nhave the information with you. But I understand the VA says \nthat they have encrypted 16,000 laptops. Is that correct?\n    Mr. Wilshusen. I am not aware of that particular number. \nBut they have an initiative underway where they are encrypting \nthousands of laptops. I don\'t know if 60,000 is the correct \nnumber.\n    Ms. Brown-Waite. No, 16.\n    Mr. Wilshusen. Oh, 16.\n    Ms. Brown-Waite. That they have encrypted----\n    Mr. Wilshusen. Okay.\n    Ms. Brown-Waite [continuing]. 16,000, which brings me to \nthe other part of my question. If it is 16,000, that is out of \nhow many laptops that the VA has?\n    Mr. Wilshusen. Well----\n    Ms. Brown-Waite. Do you----\n    Mr. Wilshusen [continuing]. The total number of laptops, I \ndon\'t have that information. But I do know there is a sizable \nnumber of laptops that have not been encrypted. Many of these \nare being considered medical devices.\n    And right now the VA\'s policy is not clear as to which \ndevices or laptops should, in fact, be encrypted. And that is \none of the recommendations that we are making that they clarify \nthat policy.\n    Ms. Brown-Waite. So medical information may be out there \nwithout encryption. Is that what you are----\n    Mr. Wilshusen. That would be the case.\n    Ms. Brown-Waite. Okay, another question. 
There are many \ninstances where there are laptops not owned by the VA but used \nby VA personnel, and/or perhaps contractors, or the VA research \ncommunities. Are they still unencrypted?\n    Mr. Wilshusen. I don\'t know. Our assessment did not look at \nthe encryption of non-VA equipment. But if individuals or \ncontractors have sensitive Veterans Administration information \nor sensitive veterans\' information on them, on behalf of VA, \nthose laptops should be protected to the same level as required \nby VA.\n    Under the Federal Information Security Management Act, VA \nis responsible for assuring that the systems and equipment that \nare being operated on its behalf by others, should be protected \nto prevent and protect against unauthorized use, access, and \ndisclosure of information.\n    Ms. Brown-Waite. Let me ask another question. There is a \nprogram out there that you can buy. It is called ``Go to My \nPC.\'\' If a VA employee is at home and uses this kind of a ``Go \nto My PC,\'\' and there may be confidential information on their \npersonal computer (PC) at the VA workplace, can they gain \naccess to their PC in the VA workplace from a remote location?\n    Mr. Wilshusen. Well I am not familiar with the specific \nprogram, but--that you mention. But certainly implementing \nappropriate controls over remote access to VA information on VA \ndevices is a consideration that VA needs to address and \nimplement appropriate controls. Obviously, there are a number \nof individuals within the VA community that do access \ninformation remotely. And assuring that those--that VA has \nimplemented remote controls is very important.\n    Ms. Brown-Waite. And you have brought this to their \nattention?\n    Mr. Wilshusen. We and the Inspectors General. One of the \nvulnerabilities to VA systems is the access to data systems and \nnetworks. And that is a vulnerability that has been long \nstanding in nature. 
And VA is taking certain actions to help \nimprove its network security. But those actions are still on \ngoing and underway.\n    Ms. Brown-Waite. Thank you very much. I yield back the \nbalance of my time.\n    The Chairman. Thank you. And, again, thank you for your \nreport. You know, we talk with regard to the Iraqi War about \nbenchmarks. And I couldn\'t imagine anybody doing worse than our \ngovernment in meeting those benchmarks in Iraq. Except now you \nhave an agency that has done even worse.\n    As I read your report, out of the 36 management processes \nthat were set out to have been completed, out of the 17 \nrecommendations of the Inspector General, one has been \ncompleted.\n    I am amazed. Here we are, almost a year and a half after \nthis crisis. And it is as if once the crisis passed, everything \ngoes back to normal. I still don\'t understand the lack of \nprogress on this. It is as if well, you know, we have had our \nhearings, so they will forget about it. And we don\'t have to do \nmuch.\n    Again, I don\'t know what the reason for it is. You talked \nabout 25 or so key positions to deal with this. And you \nestimate around 15 are vacant. Two implementation teams that \nhave split responsibilities. Security still a major concern.\n    I mean, if you had to summarize the reasons for this lack \nof progress, how would you do so? Is it lack of leadership? Is \nit lack of resources? What is going on here that we are, a year \nand 4 months or 5 months after this incredible problem and we \nhaven\'t made very much progress it sounds like?\n    Ms. Melvin. I would start by saying that the Department\'s \ntop leadership has certainly committed to this particular \neffort.\n    What we found, I think, when we look across VA and our work \nover the agency in the past times, one of the things that we \nhave noted has been just overall project management as being an \nissue that the Department has to deal with. 
It is something \nthat they have grappled with over time.\n    In this particular case, again, I would say that, you know, \nthis is a very complex effort. It does require a lot of \ncoordination. It does require a lot of communication on the \nDepartment\'s part.\n    And I think in terms of the actions that they are taking \nthrough their overall project management steps to lead this \neffort and to guide it through, there have been things that the \nDepartment needs to still address. Certainly in getting its \nleadership in place, knowing what resources it has, and to make \nsure that those resources are there to help it carry through \nwith the implementation until they get some of those basic \nprocesses for communication, for leadership addressed and the \nstaffing in place, the Department is at risk that it won\'t be \nable to get its disciplined approach in place through the 36 \nprocesses that it still has to implement.\n    The Chairman. Well, it may be complex. But this is not \nrocket science. And Mr. Stearns said it. These are rather \nordinary problems that every company faces every single day in \nour society, every Nation faces it.\n    Has the VA used consultants from the private sector on all \nthis? They must have. If I were the Secretary or the President, \nof course we would be better off if that were the case, I would \ncall in Bill Gates or somebody from Microsoft and say, ``Look, \nas your contribution to the national security of our Nation, \nfix this for us as a donation.\'\' I am sure they would do it. I \nthink in 90 days they could solve this problem.\n    Mr. Stearns. Bill Gates could probably----\n    The Chairman. Yes.\n    Mr. Stearns [continuing]. Bring in his team. I can\'t \nresist, Mr. Chairman. Are you recommending immediate \nwithdrawal?\n    The Chairman. From Iraq or from the VA?\n    Mr. Stearns. The VA.\n    The Chairman. Immediate redeployment.\n    Mr. Stearns. Redeployment, okay.\n    Ms. Melvin. Mr. 
Chairman, in response to your comment, I \nwould state that during our assessment, where we saw the \nDepartment\'s realignment contractor very much involved with \nthis effort and taking a dedicated stand relative to helping \nthe Department define its processes and get to a certain point, \nwe did feel that the Department was making progress on this \neffort. Our concern is as the Department continues to move \nforward, that it has the necessary leadership in place, that it \nhas the necessary staffing and communication in place to \nsustain the effort to not backtrack, if you will, through not \nhaving a coordinated oversight for this effort.\n    So we have seen some progress in the past. But certainly we \nwould agree that there is a tremendous amount of effort that is \nstill necessary. And it does take sustained and dedicated \nleadership oversight, accountability, and appropriate \ncommunications to make that happen.\n    The Chairman. Mr. Stearns has suggested shock therapy to \nthis--to the culture. And I guess we want to know what kind of \nshock can we administer?\n    Mr. Stearns. What could we as the Members of Congress here \ndo? I mean, we are asking some very difficult questions. And we \nare sort of frustrated, as you can expect here. What could we, \nas Members of Congress, do to sort of expedite this?\n    You are alluding to the fact that this culture is--\neverybody is protecting their own turf. And this bureaucracy is \nso immense that no one can get through it.\n    We don\'t even know how many laptops there are. So if you \ndon\'t know how many laptops there are, you don\'t have any idea \nhow big the problem is.\n    So considering what the GAO found, Chairman Filner\'s \ncorrect. Two of six critical success factors identified as \nessential to successful transformation have been accomplished. 
\nBut that leaves four that have not.\n    And as mentioned earlier, 22 of the 26 recommendations from \nthe Department\'s Inspector General have not been implemented. \nSo only four have.\n    And it goes on to even caution its limited assurance that \nit can protect its system and information from the unauthorized \ndisclosure, misuse, or loss of personal, identifiable \ninformation. I mean, that is a pretty strong statement.\n    And here we are frustrated, because we have been having \nhearings on this. We talked about it. And so, I mean, is there \nanything that the U.S. Government elected official should do \nthat we are not doing?\n    Ms. Melvin. I think beyond the oversight, that you should \ncontinue, obviously, there is room for looking at particular \ncases in terms of how VA actually implements this process.\n    And really perhaps taking--making some dedicated case \nstudies, if you will, of how this effort really plays out and \nthe impact of the realignment efforts on key initiatives that \nthe Department might be undertaking would be an approach to \nreally getting a handle and a good feel for just how \neffectively the realignment is being executed.\n    Mr. Stearns. Thank you, Mr. Chairman.\n    The Chairman. As you heard, there are bells for votes that \nwe have to take. Just two votes. So we are going to have to \nrecess. We do appreciate the expertise of the GAO in this \nmatter. We would ask you not to be shy about recommending \nthings that we might do in the future.\n    And I will say to the next panel, which is the VA, you are \ngoing to have now 20 minutes before we get back here. Throw \naway your prepared remarks. And deal with these questions in a \ncandid way.\n    I mean, what is going on with all these vacancies? Why \ncan\'t, if Mr. Bilbray is right, a simple thing like biometrics \nbe used? Why has there been slow implementation of all these \nrecommendations? What is your reason for these two \nimplementation teams? 
Why is security still a risk?\n    These are questions that every veteran has assumed that we \nhad taken care of after the crisis. And they--we are the \nrepresentatives of those veterans for assuring them that. And \nnow it turns out we can\'t assure them that that is the case.\n    So I would like you to address those issues in just a \ncommon sense way without hiding behind all the bureaucracy. And \nlet us have a conversation when we return in about 15 minutes \nfor the second panel.\n    Thank you so much for the----\n    Ms. Melvin. Thank you, Mr. Chairman.\n    [Recess.]\n    The Chairman. We will continue this meeting of the House \nCommittee on Veterans\' Affairs and move on to panel two who we \nthank again for their contributions to this discussion.\n    We welcome Assistant Secretary for Information and \nTechnology at the Department of Veterans Affairs General \nHoward. And Mr. Claudio is the Executive Director for the \nOffice of IT Oversight and Compliance.\n    To summarize what I had said earlier, Mr. Howard, you are a \nGeneral. Just give the orders and make it happen. You are on.\n\n STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SECRETARY FOR \n   INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, \n   OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF \n  VETERANS AFFAIRS; AND ARNALDO CLAUDIO, EXECUTIVE DIRECTOR, \n OFFICE OF IT OVERSIGHT AND COMPLIANCE, OFFICE OF INFORMATION \n     AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; \n  ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY ASSISTANT SECRETARY, \n     INFORMATION PROTECTION AND RISK MANAGEMENT, OFFICE OF \n  INFORMATION AND TECHNOLOGY; AND CHARLES DE SANNO, ASSOCIATE \n   DEPUTY ASSISTANT SECRETARY OF INFRASTRUCTURE ENGINEERING, \n   OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF \n                        VETERANS AFFAIRS\n\n                 STATEMENT OF ROBERT T. HOWARD\n\n    General Howard. 
Sir, you had mentioned earlier that you \ndidn\'t want me to give an opening statement, so we can dispense \nwith that. You mentioned earlier not to give an opening \nstatement so----\n    The Chairman. No, I just----\n    General Howard [continuing]. I dispensed with that.\n    The Chairman. However you feel you can--you want to deal \nwith this.\n    General Howard. Okay, sir.\n    The Chairman. I was just making a suggestion.\n    General Howard. Yes, sir. There are two other individuals \nat the table with me this morning, sir: Adair Martinez is my \nDeputy Assistant Secretary for Information Protection and Risk \nManagement, and Charlie De Sanno to my far right is the \nDirector of Region IV and also Infrastructure Engineering. So \nthey are here with us as well.\n    I will read my testimony. I can get into addressing the \nissues as you requested. And first, sir, I don\'t know if you \nnoticed or not, when you were giving your opening statement, I \nhad to leave the room and my apologies for that. I had to take \na phone call from the Secretary in fact.\n    Sir, where would you like me to begin? I think perhaps a \ngood start point would be the issue of the processes, because, \nobviously, that was an issue that the GAO was concerned about, \nand a number of the Members were concerned as well.\n    And so I would like to comment a little bit on that. First \nof all, as stated by the GAO, you know, we realize the \nimportance of these processes. There is no question about that.\n    But they are right. We have--we have not been as speedy as \nwe would like in implementing those. There are reasons for \nthat. I am going to cover some that we are well on the way on.\n    But one of the reasons that has delayed us to some degree \nis this, we created the organization. We moved 6,000-plus \npeople in all of that. We have a new appropriation. 
You know, \nwe have things in place now to help make this happen.\n    But what we have also inherited are the problems that were \nout there. And there are a number of them. And those have moved \nright up in priority.\n    A good example of that is asset management. You know, the \nOversight Committee had a hearing on that a few weeks ago. That \nis a real problem. We have had to put a lot of energy on that.\n    And so my leaders, and I will get to who they are in just a \nminute, are putting a lot of heat on them to fix a number of \nproblems that we have uncovered, because what the organization \nhas done, in addition to a number of things, it has made more \nclear, you know, what is going on within the VA with respect to \ninformation and technology.\n    It has also provided us better control, you know, over \nfixing these things. And you are right, we are not there yet. \nWe have a lot of work to do. And, obviously, the control over \nthe appropriation is also very helpful.\n    But this issue of visibility has caused us to see a number \nof problems that must be fixed. We have seen, for example, that \nwe have the haves and the have-nots. There are some activities \nwithin the VA that have paid attention to information \ntechnology in the past and stayed up to date and all of that. \nAnd there are others that have not. You know, in a \ndecentralized operation, if you are a director of a facility, \nit is up to you, you know, where you spend your money and where \nyou apply the emphasis.\n    And there is a mixed situation out there right now. And you \nknow one of the goals of our organization is to try and \nstandardize that.\n    And so focusing in on the problems has definitely caused a \nslowdown in the implementation of some of these processes.\n    However, with that said, let me address a couple of issues. \nFirst of all, the one issue that we disagreed with the GAO is \nestablishing a group to make this happen. 
We--I disagreed with \nthat, because quite frankly, my military experience, you know, \nwe have--we have a number of Deputy Assistant Secretaries. I \nhave five of them in fact that are responsible for certain \nareas.\n    And we want those individuals to implement these processes, \nfor example, my Deputy Assistant Secretary for Information \nProtection and Risk Management, Adair Martinez. There is a \nprocess that we must implement called incident response. This \nis in her area. She has got to do that. She is going to \nimplement that, and gain ownership of it, be responsible for \nit, and all of that.\n    If you look at the--all the way over to enterprise \noperations and infrastructure, you know, where Charlie De Sanno \nhappens to be located, there are a number of processes that \nhave to be implemented there.\n    Let me give you a perfect example. They are called SLAs, \nservice level agreements. We have had a number of meetings so \nfar in trying to hone in on what is the service level that we \nagreed to, you know, with the customer? Those have to be \nadjudicated. You know, how long does your computer stay up? The \npane screen, you know, pane on the screens and all of that. The \npassword timeouts, and what have you, all have to be agreed \nwith. Downtime, you know, what are we on the hook for with \nrespect to downtime.\n    These are service level agreements where discussions have \nalready taken place. There are two additional offices though. \nSo by and large, my key leadership, the monkey is on their \nback, you know, to implement processes that are in their areas. \nAnd we have divided that up. Each one of my Deputy Assistant \nSecretaries knows of the 36 processes. Thirty-six processes, \nthey know the ones that they are responsible for.\n    In addition to that, we actually do have an organization \ncalled Organization Management. It is the remnants of the team \nthat actually formed the reorganization itself. That box is \nstill there. 
Unfortunately it is empty. The individual left \nabout a week ago. But I intend to fill that. I do need someone \nas my conscience, if you will. I don\'t necessarily need them \ndown into the weeds, you know, doing all of the detail. But I \ndo need someone. So that part of it that GAO came up with, I \ndon\'t disagree with.\n    Now in addition, we have a Quality and Performance Office. \nThe individual in charge of that office right now is Martha \nOrr. She handles the monthly performance reviews and what have \nyou. The focus for processes, the focus for all 36 processes is \nout of her office.\n    Again, she is not responsible for implementing each one of \nthem. But she is responsible for coordinating the activity to \nkeeping our eye on how these are going and what have you.\n    The Chairman. You may be getting there. But I didn\'t hear \nthe word ``timeline\'\' or, you know, ``goal\'\'--a timeline for \nany of this or a goal. And the problem I always have with the \nword ``process\'\' is that a process is always ongoing.\n    General Howard. Yes, sir.\n    The Chairman. What about the results? What are we getting \nout of this process, and when is the timeframe within which we \nare going to do it?\n    General Howard. Sir, let me focus in on a couple of them. \nSLAs, service level agreements. In fact, just several days ago \nthe individual in charge of that briefed me on his timeline.\n    And, you know, I can\'t recall the exact dates. But it is \nsomewhere in the November, you know, end of November, end of \nOctober, beginning of November timeframe to come to agreement, \nyou know, with VHA, with VBA, on what these are and then start \nimplementing them.\n    And, in fact, some of them are already implemented. \nParticularly in--like for example, in region four. So there are \ntimelines associated with some of those. And that one is an \nexample.\n    Incident response, sir, we have a process for incident \nresponse. It is in place. 
Now what we don\'t have is a thick \ndocument explaining all this. But we absolutely have a \nresponsive capability to work incidents.\n    In fact, Adair Martinez is in charge of that. She actually \nstarted it herself, organized the teams that meet weekly. She \npersonally approves the weekly summary that is sent to \nCongress. Incidents do come in. They come into our NSOC, our \nnetwork and security operations center. It is to the point now \nwhere this is routine, a routine process.\n    The one additional thing that we have to do is make sure we \nare folding in non-security incidents. And we are beginning to \ndo that.\n    On security management, handbook 6500. It was signed out \nabout a week ago. This is the security program for the VA. And, \nyou know, I don\'t know if your Committee has had an opportunity \nto look at it yet or even if we have sent you a copy. But we \ncertainly will. But this is now in place. You know, sir, it has \ntaken--do you know how many years the VA\'s been working on this \nthing? How about ten. We have been trying to get this handbook \ncalled ``6500\'\' out the door for a long, long time. We have it. \nIt has rules of behavior in it.\n    In fact, I have already met with the unions on this rules \nof behavior issue. These are very important for employees to \nsign. So the security management process is beginning to \nhappen.\n    The other one that I would like to mention is the \ncompliance management. And, again, we don\'t necessarily have \none book that says compliance management. But in a minute I am \ngoing to ask Arnaldo Claudio to explain the process he has put \nin place, because it is very robust. It is very effective. And \nit is making a difference. It is in compliance.\n    The IT strategy, you know, we have completed a draft of our \nIT strategy. It is within several weeks of being approved. The \nother one I would like to mention is IT management. Some \ndiscussion took place about the governance structure. 
There is \na governance structure in place.\n    The GAO report, unfortunately it was written at a time \nwhere we had not implemented that. We have. Those meetings have \ntaken place in developing the FY09 budget in fact. We have had \na number of meetings with all three of the governance boards \nthat we have put in place, to include the IT leadership board, \nwhich I chair along with the Under Secretaries.\n    And so I wanted to just--sir, I wanted to paint a picture \nthat, you know, we are really not sleeping. I mean, we are \ndoing work. We are not there yet. I agree with you. But there \nis a lot of activity going on.\n    And one more thing I would like to say, sir, and that is it \ngoes back to the problems that I mentioned. I am trying to \nmaintain some balance. You know, I can beat the heck out of \nthese people and make them focus on processes solely. Or I can \ntry to balance their workload and make them solve these \nproblems. And at the same time, put the processes in place.\n    And that is kind of what we have to do. And, unfortunately, \nit has resulted in a bit of a delay on some of these processes. \nBut, again, some of them are already in place.\n    [The prepared statements of General Howard and Mr. Claudio \nappear on p. 71 and p. 72.]\n    The Chairman. Mr. Bilbray had mentioned earlier, and I \nalways can\'t vouch for his accuracy, but he said it is easy to \nput biometrics on a laptop. Is that in your book there? Is he \nright? And do we----\n    General Howard. Sir, we----\n    The Chairman [continuing]. Have it in a book?\n    General Howard. We have looked--we have looked very hard at \nbiometrics. And I can tell you that one of the concerns \nactually comes from the medical community, because sometimes \nthese are not perfect. You know, they are not as foolproof as \nyou might think. You know, it is pretty close, but it is not \n100 percent.\n    We have looked at biometrics. 
The--it will not work as \nsmoothly as you would like with the encryption application that \nwe have placed on our laptops. We have Guardian Edge hard drive \nencryption. If a VA laptop is left out on the parking lot, it \nis useless. It has got full hard drive encryption on it. It is \nuseless to anybody. You can\'t get in. You simply can\'t get in.\n    So that part of it is very robust on the laptop side. We do \nhave biometric thumb drives. In fact, I have one in my \nbriefcase. You know, we have mandated the use of encrypted \nthumb drives across the VA. And one of them happens to be an \nencrypted version. I mean, a biometric version that can be \nused.\n    So we have--we have employed that to some degree. In the--\nand while I am on this issue of protecting the information or \nwhat have you, we have had a number of initiatives underway. \nAnd have worked very hard during this fiscal year to put \ncontracts in place for the software as well as the \nimplementation of that software, the rollout. I am going to \nmention a few.\n    We have put monitoring software now. And I think at an \nearlier meeting I may have mentioned the importance of that. I \nknow I did to Jeff and Art. This Port Monitoring software, the \ncontract was put in place about a week ago. We are not rolling \nthat out.\n    That means whatever you stick in a port on a VA laptop, we \nare going to know what it is. And we are going to stop the use \nof it if you don\'t have a VA approved encrypted thumb drive, \nfor example, you can\'t use it on a--in a VA computer.\n    Now, obviously, it is going to take time to roll that out. \nWe have enough licenses to cover all of the VA in that \nparticular one. Another one is called Rescue, the remove \nenterprise security compliance update environment. This one, if \nyou are sitting in your kitchen somewhere, you will not be able \nto download personally identifiable information. We will stop \nthat. 
You can see it if you have authority through a secure \ntunnel, through a virtual private network (VPN) tunnel, you \nwill be able to see the information and do your work. But you \nwon\'t be able to download it, because we will stop it with this \nparticular product.\n    We are monitoring the network for Social Security numbers. \nYou know, you read the reports that we send up here every week. \nAnd you can see that unencrypted emails have been a problem, \nyou know, sending Social Security numbers in the clear.\n    We are monitoring that now. In fact when we first started \nmonitoring it, there were almost 7,000 incidents of likely \nSocial Security numbers, you know, trafficking through the \nnetwork. We put a warning sign on the computers. You know, \nboom, it will come up as soon as you try to do that. Give you a \nwarning.\n    And since that time, it has gone down. We are now blocking \nthose messages. We have gradually moved to the point where if \nyou try to send a Social Security number in an email it will be \nblocked. On email encryption, you know, right now in the VA to \ninclude Blackberries, we have PKI, public key infrastructure.\n    It is very good. But it is not as robust as the product \nthat we are now implementing. In fact, IBM just won the \ncontract, I believe, Charlie, right?\n    Mr. De Sanno. That is correct.\n    General Howard. For RMS, Rights Management System?\n    Mr. De Sanno. Yes.\n    General Howard. That is a product that will--you can send \nan email in the clear. But the attachment is encrypted. It \ngives you a much better--much more flexible capability to work \nencrypted email in a variety of ways, a very important one.\n    We have software in place now for port-to-port \ntransmission. You know, the VistA system when it was developed, \ndid not take security into consideration as much as we would \nhave today. So we now have in place a host-to-host secure \ncapability that we have been working on as well. 
And the final \none that I would like to mention in this whole area of trying \nto protect information and be more standard about that is the \nDell Computer contract that we just put in place. And you are \naware of that, standardized desktops. The Office of Management \nand Budget (OMB) has mandated that desktops will be \nstandardized throughout the government agencies.\n    This will provide a much better capability. It is a lease \ncontract. We will every two or three years refresh the \nequipment. And we will be able to monitor it much better. We \nwill be able to put whatever we want on it. The people who are \nworking the computer will have much less control over what they \ndo.\n    This will be enormously helpful to us, not only in terms of \nstandardizing things, but helping us with this issue of \nsecurity. It will be very helpful. And, in fact, Charlie just \nthis morning showed me the sites that we are likely to start \nrolling this out beginning this particular fiscal year.\n    And there are other activities. The one I would like to \nmention also has to do with training and educating the people, \nbecause as we have mentioned in this Committee before, sir, I \nknow the Secretary has, you know, the real key here no matter \nall this--all these tools that we put in place, the bottom line \nis are the people paying attention? Are they using the tools \nthe right way? Are they properly educated? Do they care?\n    We have seen improvement in that area. We do have a way to \ngo. Education programs are better now. They are in place. We--I \nstrongly believe that our directors throughout the VA are \nserious about educating and training their people.\n    And that is a very key aspect, not just the IT people; it \nis everybody who deals with, you know, personally identifiable \ninformation. And quite frankly, that is very extensive \nthroughout the VA as you can certainly appreciate. I don\'t know \nif that is helpful, sir. But there is a lot going on. 
And \nsometimes you don\'t get the complete picture.\n    The Chairman. I appreciate that. You identified Mr. De \nSanno as head of region four.\n    Mr. De Sanno. Northeast, sir.\n    The Chairman. Region--what region four?\n    Mr. De Sanno. Sir, the----\n    The Chairman. I mean, not the Veterans Integrated Services \nNetwork (VISN) four?\n    Mr. De Sanno. No. The regions are numbered from the West \nCoast to the East Coast. So region four is comprised of VISNs \none through five and VA\'s central office.\n    General Howard. What Charlie is describing, sir, is the way \nwe have organized the information technology----\n    The Chairman. So we have regions to coordinate the regional \ncoordinators.\n    Mr. De Sanno. Well, yes. We have--well, you know, in an \nimmense healthcare system like the VA, we segment the business \ninto various management structures. So we have a regional \ndirector and chief technology officer responsible for the \nregional activity.\n    General Howard. Sir, the reason we have done that refers to \nspan and control. When we took over all 6,000 people, the way \nthe VISNs are, you know, they are throughout the country and \nthey are not regionalized. That is much too big a span and \ncontrol in my opinion.\n    So we put down four regions. There are regional directors \nin charge of each one. CIOs at a facility level report to that \nregional director. I meet with them quite often. The four \nregional directors report to my Deputy Assistant Secretary for \nOperations.\n    That is how it works. And, in fact, it is a pretty good \ncontrol structure. Communication is very good in that \nstructure. The communication problem we see is with our \ncustomers. You know, that is the part we need to work on \nbetter.\n    But within the IT community, we have visibility about what \nis going on. And I broke the region--the country into those \nregions simply as a matter of better span and control.\n    The Chairman. Okay. 
Let\'s look at the three measurements \nthat were mentioned in the earlier testimony.\n    We had 17 recommendations by the IG. We have 36 management \nprocesses that you were working on. We had 25 key positions of \nwhich, again, the report that we heard, 15 out of those are \nvacant.\n    Only two of the management processes have been fulfilled in \none of the seventeen recommendations. So what is your timeline \nfor completing that process?\n    General Howard. Sir, the----\n    The Chairman. When are you going to fill these positions? \nWhen are you----\n    General Howard. Sir, quite honestly, I am not sure what \npositions they are referring to. I do know some that are empty. \nBut I don\'t have the list in front of me, all 15. The--one of \nthe issues there has to do with the human resources (HR) \nprocess itself.\n    The Chairman. Yeah, that bothers me. Is the GAO still here? \nIs Ms. Melvin still here? The report states there are--that \nthere are 25 recognized--that you identified 25 key positions \nfor carrying out these processes, and about 15 of them were \nvacant. And you are not even sure which ones she is talking \nabout.\n    General Howard. Sir----\n    The Chairman. So there is a problem there. I mean----\n    General Howard. Sir, I don\'t. I can\'t get to the number 25. \nWhat I would like to do, if it is okay with you, sir, is answer \nfor the record.\n    You know, we can get from GAO exactly those positions and \ntell you----\n    The Chairman. Okay. But as I understood it, and my \nunderstanding may have been wrong, but as I read the report, \nyou identified these 25 positions. The GAO didn\'t make them up. \nThey came from you. And so I assume you are aware of your \norganization and how we got to that figure.\n    General Howard. Sir, as I sit here today, it is not 25.\n    The Chairman. What is it?\n    General Howard. 
Sir, I would like to answer that for the \nrecord, sir.\n    [The information was provided from General Howard is in the \nresponse to Question 1 in the post-hearing questions for the \nrecord, which appears on p. 82.]\n    The Chairman. Right.\n    General Howard. Because I want to match it exactly to what \nappeared in the GAO report, if that is okay with you.\n    The Chairman. Okay. Sir, I asked about a timeline on----\n    General Howard. And you mentioned--you mentioned what \ndifficulties we are having with respect to hiring. Part of it \nis just the HR process itself. This is very time consuming.\n    An earlier Member mentioned, you know, the ease with which \nIBM or Microsoft could deal with this. And he is exactly right. \nWe are not a private company. I came from a private sector. And \nwe can hire and fire at lightning speed in comparison to the \nway we have to work in the government, particularly for senior \npositions.\n    For example, one position that we have been struggling with \nis a very, very important one. It is cyber security. We have \nbeen through iterations. Three lists of people in the last--the \nlast list we had actually selected someone. And they declined \nat the last minute to come in.\n    We now have the latest list. And we are within weeks of \nmaking a selection. We got a much--we went out further, \nexpanded our search, and we have a much better list. So you \nasked about why are we so slow, that is one of the reasons. It \nsimply takes time to hire people in the U.S. Government.\n    Sir, the timeline for filling positions, again, I would \nlike to look at the detail there and respond for the record, \nbecause I need to be accurate in what I tell you. Because I \nneed to see where we are on the hiring of some of these.\n    [The information on timelines for filling positions was \nprovided from General Howard is in the response to Question 1 \nin the post-hearing questions for the record, which appears on \np. 
82.]\n    General Howard. I mentioned cyber security. We were pretty \nclose on that. The timeline on that one, for example, is a \ncouple of weeks. You know, maybe 4 weeks at the max. We will \nhave a name. And then it has got to work--it has got to work \nthrough the process, because this is a senior position. And it \nhas got to work through, you know, our senior leadership and \nOffice of Management and Budget and the Office of Personnel \nManagement (OPM).\n    The Chairman. Well, how about these 36 management \nprocesses? The----\n    General Howard. Sir, I am committed to have implemented \nthese by the summer of 2008. You know, that is the--July of \n2008 is when we--is when we complete our reorganization. And \nthat is what I am committed to implementing.\n    A number of them have already been implemented. We just \nneed to capture in written form what we are actually doing, the \nincident response one is a good example. But that is what I am \non the hook for.\n    [The additional information was provided from General \nHoward is in the response to Question 2 in the post-hearing \nquestions for the record, which appears on p. 85.]\n    The Chairman. Okay. Just for the record, this is from the \nGAO testimony on page 15: ``As part of the new organizational \nstructure the Department identified 25 offices whose leaders \nwill report to the five deputy assistant secretaries, and are \nresponsible for carrying out the new management processes and \ndaily operations. However, as of early September, seven of the \nleadership positions for these 25 offices were vacant, and four \nwere filled in an acting capacity.\'\'\n    So I assume we know what positions we are talking about.\n    General Howard. Yes, sir. And some of them, as I said, was \nan acting capacity. 
And that is why I wouldn\'t consider those \nas being unfilled.\n    For example, my position for Enterprise Strategy Policy \nPlans and Programs is filled right now in a temporary way by \nScott Craig. He is a very strong person. He has been my \nenterprise architecture guy for years in the VA. So it isn\'t \nlike the position is empty. I do have--I do have someone in \nthere.\n    The Chairman. You just don\'t do the same thing as an acting \nas compared to a permanent employee. We had this crisis \nsituation now 16 months ago. And, I mean, if I were the \nSecretary, if I were you, I would have been calling us up and \nsaying, we\'ve done this or we\'ve done that. It has been only 5 \nmonths since this loss. And we have all the computers \nencrypted; it is now 8 months and we have this reorganization. \nIt is now 10 months and so on.\n    We don\'t hear from you until we call you. It is as if you \nsay, well, no way around it, I guess we have to tell these guys \nnow how many positions we filled. And everything just goes on \nas if it is a normal situation. That\'s what it looks like to \nme.\n    There is not a sense of urgency that we had last year. And \nthe fear that was so rampant throughout the veterans\' community \nthat their personal data may have been stolen or their identity \nmay have been compromised was palpable. We simply must have a \nfast response on this stuff.\n    If there are things that are getting in the way of doing \nthat, just tell us and we will try to make it easier. We are \nworking together on this; it is not just grilling you every 3 \nmonths about what is happening. We want to help you accomplish \nthis.\n    Mr. Bilbray.\n    Mr. Bilbray. Thank you, Mr. Chairman. Mr. Howard, I was \nsitting here just--and I made a flippant remark to the Chairman \nabout the days when we were in local government. 
But I just
realized there was a reason why.
    When we were looking at IT and upgrading systems, we
finally abandoned doing it in house. And started putting it out
for bids for private companies to come in and competitively
bid, because there was a degree of urgency then.
    And I guess the Chairman's concern is the fact that, yeah,
these things go on and nobody is accountable. Also no one is
fired. Except maybe you want to get rid of the guy at the top.
But we all know mid-management is where these things are really
done.
    I would just like to follow up, and I don't mean to ping on
this thing, but you made a comment about the fact that
medical--there were people in the medical field who were
concerned about the biometric confirmation for access. Why
would they be concerned about biometric confirmation for
access?
    Except maybe the fact is do they understand what we are
talking about? It is access to the--into the computer, not
necessarily access into the records?
    General Howard. Sir, it is a reliability issue. You know, in
some cases it doesn't work right away. You may have to work
your thumb a few more times. I mean, it is not as rapid. And in
the medical community that is a concern.
    Mr. Bilbray. And the laptop--the laptop though, that is not
where they are using it is it?
    General Howard. Sir, I think you may be referring to the
laptops associated with medical devices that are not encrypted.
This is a problem for us. And the issue is this, a lot of your
medical equipment these days does have integral to it a laptop
or at least some kind of software. And these devices have to be
approved through the Food and Drug Administration.
    You have to be very careful about what you put on that
machine. In fact, you can't put some things on.
    Mr. Bilbray. Yeah. I understand that. Let me stop you and
back up a little bit.
We just made a huge leap from the
medical--basically the veterans' records, not--but the
veterans' records on laptops that are being carried, being
taken home, are being carried on airplanes, are being stolen.
    That is a huge leap to go from the equipment at a medical
facility and the access into that system. I just go back to the
fact that we have so many of these laptops out there. We don't
even know how many we have now, because you got----
    General Howard. There are 18,000----
    Mr. Bilbray. Eighteen thousand----
    General Howard [continuing]. VA laptops.
    Mr. Bilbray [continuing]. VA. How many private laptops that
have VA access?
    General Howard. Sir, I don't know the answer to that.
    Mr. Bilbray. Yeah. And I think we agreed that needs----
    General Howard. It is vulnerable. Yes, sir. However, I will
say this, there is a directive. In fact, I believe it is 06-5
or something. I can't remember the number. Where--this is the
waiver issue.
    That in order for the physicians to continue to do their
work, we did put a waiver in place with the proviso, with the
directive, that they have to protect their laptop in the same
manner that the VA has.
    In other words, we have Guardian Edge full drive--full hard
drive encryption on VA laptops. If you are a physician in the
VA using your own personal laptop, you have to have equivalent
hard drive encryption on your laptop. That is a mandate.
    Let me say one more thing, sir, one of the technical items
that I mentioned earlier will be helpful to us to prevent you
from downloading anything on your laptop. And that is being put
in place right now. You know, that was a very important
contract that we have been working on for months. We now have
it.
    We will have help from the private sector. In fact, we have
help from the private sector at all of these areas. But that
will not only--not only protect the information.
You won't be
able to put it on your laptop, because we will not allow it.
And that will be very helpful to us.
    Mr. Bilbray. Okay. Mr. Howard, you know, the Chairman was
questioning why--you know, about this issue of the biometrics.
And the way I ran into it, because I have a district with a lot
of high-tech biotech people that want privacy for their
information, need security. And they use this as a matter of
fact.
    And all my point was is that the security of the
information of a company working on a new substitute for whole
blood or doing something on cancer research, that information
being secure is no more important than the right of a veteran
to have their personal information secure.
    And that is why I brought up this issue of if the private
sector can do it, if the laptop computer companies are making
this technology available as an option, it just seems like
common sense that if we want to talk about truly securing, then
we don't ever depend on one gatekeeper.
    I mean, those of us that build jails know that you always
have multiple catch systems so that when they are going through
one, the other one will catch them down the line.
    And I just ask us, again, the technology is out there. The
private sector has been doing it. It is available on the
general market. It is not rocket science. And we still are
finding arguments to not use technology that the private sector
has found very effective out there.
    And I just ask us to, again, not to be scared of
technology, but to embrace it. Not to put out the fire, because
it may burn somebody. But realize that without it, a whole lot
of people are going to go cold.
I just think that we need to
tool up on that.
    And I just leave you, again with the argument that maybe
the problem is, is that we have a system where you can't go in
and fire people who are not performing and making sure that you
can come to us with a more effective report.
    General Howard. Yes, sir. Sir, I don't agree--disagree with
you on the technical issue. I really don't. And as I mentioned,
we are using biometric in the--particularly in the thumb drive
area.
    I would ask--in fact, Charlie De Sanno, in addition to
directing region four, he is my systems engineer. All this
technical stuff that we are testing and rolling out and all
that, a lot of that has come out of region four. And I would
just like--if it would be okay, sir, for Charlie to just
elaborate a bit on that.
    In fact, right behind him is Jim Breeling. Jim is also up
in region four. He is actually a physician. And between the two
of them, they can elaborate quite a bit on some good things
that are going on.
    Go ahead, Charlie.
    Mr. De Sanno. Thank you, Mr. Howard. Excuse me. I think
prior Mr. Howard gave you a good run down as to the products
that the organization has procured.
    And I think the point certainly needs to be made that with
the reorganization of IT within the VA, certainly the
infrastructure that Mr. Howard discusses, the haves and the
have-nots, come into play significantly in a number of ways.
    So we talk about speed to market. We talk about how quickly
the VA can react to your requirements, to the veterans'
requirements. And all of that is an extremely valid point.
    The problem that we have in the organization is that we
first need to create a foundation to create our house. And it
took some time to execute, to design that foundation.
So when
you look at any one technology, like biometrics, and you say
hey, why isn't the VA using biometrics?
    Well, we have a strategy behind everything we do. What you
are really talking about is dual factor authentication and
securing of the personal information that may exist on that
hard drive.
    The Personal Identity Verification (PIV) initiative with
smart cards is going to be rolled out. And our architecture,
given the mandate to use these smart cards, do work very nicely
with our encryption.
    Furthermore, with the PC lease and the standard desktop,
the secure desktop image that we are ``architecting'' that is
in line with standards, government-wide standards for security,
we don't store any data on these mobile devices. The mobile
devices and desktops and laptops, those data will be stored in
a secure data center that is backed up.
    And in addition, Mr. Howard references rescue. And with
this product, we can ensure that the devices that are attaching
to the VA network are not only secure but contain no data.
    And if those devices aren't secure, we put them through a
white room, a clean room, where we ensure that the Microsoft
patches are up to date, other virus vulnerabilities are
remediated.
    And if we can't do it, ensuring we give that user a quick
response time, we segment them. And we put them in a virtual
environment.
    So I agree as Mr. Howard does overall with the strategy. I
want you to know that we have thought out this process. And we
know that protecting veterans' information is absolutely
critical.
    There is a strategy behind what we are doing. And the
foundation that we are putting in will be used to build all
information technology for now and in the future years.
    General Howard. Sir, this fiscal year is a key year for us.
FY--you know, you asked about timelines.
FY08, in fact the GAO
mentioned this plan we have with 400 actions and all that.
    You know, your guys have copies of that. FY 2008, although
some of the timelines go beyond--our 2008 really is a key year.
It really is.
    And we expect to see very dramatic improvements in this
whole area, because we got the tools in place now to help
enforce some of this stuff that we did not have before.
    Mr. Bilbray. Do you have the money to pull this off though?
I worry about the fact that I have seen again and again where
we have done this. We have the mainframe set up, we get it all
lined up, and then it doesn't connect. And we end up like the
IRS did with a billion dollar system that doesn't work.
    General Howard. Sir, we do--we do have the money, unless
somebody takes it away from me, which they haven't yet. I mean,
I feel reasonably comfortable. We are okay there.
    The Chairman. Thank you, Mr. Bilbray. We thank you all for
being here. As you heard, we have another set of votes. We are
going to recess for 15 minutes. And then we will hear from the
next panel.
    Please understand our sense of frustration. We want it
yesterday. None of us underestimates the difficulty. But
without goals, without timelines, by pointing to the next
fiscal year, it is always a process and it never gets done. And
we want it done. If you need more resources to do it, you need
to ask us.
    Thank you again for being here. And we will start with
panel 3 in about 15 minutes.
    General Howard. Thank you, sir.
    [Recess.]
    The Chairman. I apologize for having to hold you all
morning. I appreciate your being here. The third panel is
comprised of Dr. Paul Tibbits, Deputy Chief Information
Officer, Office of Enterprise Development, U.S. Department of
Affairs. And Doctor Ben Davoren, Director of Clinical
Informatics. Is that right? Is that a new word? You'll have to
define it for me.
At the San Francisco VA Medical Center.
Please, I appreciate you staying through the afternoon here.

 STATEMENTS OF PAUL A. TIBBITS, M.D., DEPUTY CHIEF INFORMATION
     OFFICER, OFFICE OF ENTERPRISE DEVELOPMENT, OFFICE OF
    INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS
AFFAIRS; AND J. BEN DAVOREN, M.D., PH.D., DIRECTOR OF CLINICAL
  INFORMATICS, SAN FRANCISCO VETERANS AFFAIRS MEDICAL CENTER,
  VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS
                            AFFAIRS

                STATEMENT OF PAUL TIBBITS, M.D.

    Dr. Tibbits. Thank you so much for the opportunity to
testify in the realignment process in the Office of Information
and Technology (OI&T) and to share with you the progress made
in VA as a result of the centralization of development
activities.
    Joining me on this panel is Dr. Ben Davoren, Director of
Clinical Informatics in San Francisco and Dr. Jim Brieling. You
have just heard testimony from Assistant Secretary Howard
regarding our realignment progress and the need for more work
to transition from a decentralized to a centralized
organization.
    I would like to share with you our progress establishing an
IT governance plan, strengthening development processes--
development process improvement efforts, and fostering
innovation.
    You have heard also General Howard refer to his seven
priorities or you would have had he used his prepared remarks.
But in any case, I would like to discuss with you those that
directly apply to us in development.
    First with respect to establishing a well-led, high-
performing IT organization, we are pursuing improvement of the
development workforce throughout the Office of Enterprise
Development.
    To improve the VA IT development workforce, we are
instituting real-time coaching and mentoring by industry
experts in best practices in systems development to
institutionalize these practices in the VA.
    Second, standardizing IT infrastructure and IT business
processes throughout the VA provides a baseline for measuring
effectiveness of our development process. It is the first step
to reduce time to deliver applications, reduce costs to develop
applications, implement process performance measures, and
increase productivity of the development workforce. And it
is certainly very hard work.
    We are using independent industry consultants to guide us
through this self-improvement initiative.
    Third, let me address establishing programs that make VA's
IT system more interoperable and compatible. Interoperability
begins with a common understanding of terminology.
    The IT development organization will be collaborating more
closely with the Administrations in the use of business
modeling to perform--I'm sorry, to provide a uniform basis of
developing a shared understanding of new ways to serve veterans
and the information required to do so.
    We are engaging with the administrations and with DoD to
strengthen and accelerate data standardization activities
within VA and with DoD. We are exploring ways to focus on high
priority patient groups, such as traumatic brain injury and
post traumatic stress disorder, while continuing the hard work
of semantic analysis, reconciliation, and the consolidation of
multiple data feeds between VA and DoD.
Fourth, we are focused
on managing the VA IT appropriation to ensure sustainment and
modernization of our IT infrastructure and more focused
application development to meet the requirements of our
business units.
    We are applying life cycle and total cost of ownership
management practices to all development projects, to account
for all costs of implementation and operations, as a foundation
for budget formulation.
    We are moving toward clear line-of-sight alignment with the
VA strategic plan and the Performance Accountability Report by
re-shaping OMB 300 exhibits in fiscal year 2010, the creation of
the first multi-year IT budget in VA, and strengthening our
relationship with the requirements processes of the
Administrations and staff offices.
    With respect to governance, we have established a
participative transparent IT governance process at the senior
executive level of the VA. We have created a set of
organizational principles and governance structures and
practices that surface business strategy; facilitate accurate
project cost, benefit, and risk estimation, and provide the
decision-making framework that focuses attention on the most
critical projects. We are developing management dashboards to
implement early warnings of issues with system development.
    The single IT appropriation sets a context for competition
among new ideas, since some are not affordable. This creates
the perception at the hospital level that many good ideas are
disregarded despite ``local needs,'' and that the flexibility
available to VISN and hospital directors to use healthcare
funds for information technology is constrained.
    This disregards the rest of the story.
Solutions developed
locally, with a few exceptions, were rarely deployed across all
VA medical centers, resulting in some centers not getting the
advantage of these IT capabilities.
    Furthermore, many needs were thought of as local, when in
fact they were enterprise-wide requirements. Under the single
IT authority and single appropriation, IT appropriation, we
operate in an environment of financial transparency. Funds
dedicated to sustainment, extending legacy systems to meet
urgent needs of returning warriors, and to modernize our
computing environment are now visible to senior VA executives.
    Unmanaged local innovation makes the implementation of
enterprise solutions quite difficult. Many IT products are
operating in various VA medical centers, with no support
mechanism to proliferate the more successful of them to all
other medical centers.
    In close collaboration with VHA, we are moving to create a
process to identify new ideas at the local level, facilitate
collaboration among field developers and VA medical center
healthcare professionals, and to develop new software products
in a non-production environment in an unconstrained manner.
    In order to enter the live production environment and
assure deployability across VA, certain technical assessments,
business values, security, and patient safety assessments will
be made and any remediation necessary applied.
    The migration from the VistA legacy system to the
HealtheVet platform entails complex development. This form of
innovation must be centrally managed. It is too large for local
initiatives alone to accomplish.
    In addition, some forms of new IT support require an
analysis of end-to-end processes to serve veterans, such as
transition from DoD to VA, again not necessarily--not easily
accomplished at the local level given complex data
standardization and security issues that are involved.
We are
attempting to strike the right balance.
    We have had some problems. But we have also gained valuable
visibility over unknown IT--heretofore unknown IT activities, a
definite improvement.
    We also now know more about IT funding details across the
VA and have a greater ability to protect sensitive veterans'
information.
    In closing, let me say that we want your ideas. I want to
assure you, Mr. Chairman, that a successful IT realignment
activity is a key goal within the VA.
    We have accomplished many things this past year but much
more remains to be done. I appreciate having this opportunity
to discuss this with you and will gladly respond to your
questions.
    [The prepared statement of Dr. Tibbits appears on p. 73.]

            STATEMENT OF J. BEN DAVOREN, M.D., PH.D.

    Dr. Davoren. Medical informatics or clinical informatics is
the science of information management, including all of
terminology as well as human-computer interfaces and so forth.
So it is actually quite broad. It is not yet a medical
specialty but it is being considered for one as we speak.
    Good afternoon, Mr. Chairman, and Members of the Committee.
I do want to thank you for this opportunity to provide my
personal perspective of the OIT reorganization that began in
2005. But the views that I present today are my own and do not
necessarily represent the views of the VHA.
    By way of training, I am an oncologist. But I have been a
member of the clinical work group that has helped guide the
computerized patient record system development in VHA since
1999.
    In response to the Secretary's proposal for IT realignment,
many employees at medical centers expressed concerns about the
details of the plan. And in particular, they felt that the
regionalization of IT resources would create new points of
failure that could not be controlled by the sites experiencing
the impact of those.
And that system redundancy required to
prevent this was never listed as a prerequisite to
centralization of critical patient care IT resources.
    From my point of view, it was clear to me that the focus of
reorganization was on technical relationships and not on how
the missions of VHA could be communicated to the new OIT
structure. And I communicated this to my facility director and
VISN director at that time.
    The IT reorganization has had a direct impact on VHA's four
principal missions: patient care, education, research, and
supporting the Department of Defense.
    With respect to the primary patient care mission, the good
news has been that new policies and procedures, in particular
regarding encryption of sensitive information, have been very
well-publicized and have heightened the awareness of all care
providers as to the critical nature of the information that
they, that we, use everyday.
    The bad news is that centralization of physical IT
resources to the regional data processing centers has directly
led to more system downtime for individual medical centers than
they have ever had before, resulting in hundreds of
simultaneous threats to the safety of our veteran patients.
    Disagreements about whether new clinical application
requests are IT or not-IT have delayed implementations. With
respect to the education mission, the good news, again, is that
awareness has been heightened for staff and students about the
information that we use and the need to protect it in all
settings.
    However, rules on encryption of all portable devices, such
as thumb drives, rather than just on encrypting sensitive
information, have made it cumbersome to go about common work,
such as giving academic talks where no scientific information
is present.
And collaboration by video conferencing has been
curtailed.
    With respect to the research mission, planned standardization
of VHA databases may well and should create significant and
very welcomed research opportunities. Though at this time, I
don't have any specific progress to be able to report.
    In terms of our role in supporting the Department of
Defense, I believe that initiatives to enhance electronic data-
sharing between VHA and DoD have proceeded appropriately from
the field perspective.
    But in my opinion, there has been a lack of transparent
communication between VHA and the reorganizing OIT structure.
At present, economies of scale that were a cornerstone of the
realignment proposal have not been communicated to the facility
level where the work of VHA occurs.
    The focus on security and data integrity has led to a
number of new requirements with impacts that generate
significant concern without a clear pathway to resolution. In
my view, there also remains a tremendous uncertainty about how
to work with our longstanding IT colleagues to address local or
regional clinical care, research, or educational needs.
    These arise on an almost daily basis as the result of new
mandates from accrediting bodies, VA performance measures
internally, or Congressional action.
    A word about the down time on August 31st. The new region
one of OIT-supported facilities experienced the most
significant technological threat to patient safety VA ever had.
A 9-hour downtime during standard business hours that crippled
the clinical and other information systems of 17 different VHA
medical facilities.
    During the downtime, it became clear that many assumptions
about the Regional Data Processing Center model were erroneous.
    Specifically, rather than creating a redundancy to protect
facilities from system problems, a new single point of failure
caused a problem that could never have been replicated without
this Regional Data Processing Center model having been created.
    In my view, the OIT realignment process begun in 2005 for
the right reasons has been focused on technical IT issues and
the reporting structure of its new 6,000-strong employee force
and not on linking IT strategic planning with organizational
strategic planning.
    Mr. Chairman, this concludes my statement. And I will be
pleased to answer any questions you may have.
    [The prepared statement of Dr. Davoren appears on p. 76.]
    The Chairman. I didn't notice a lot of publicity about this
downtime incident.
    Dr. Davoren. On August 31st?
    The Chairman. I don't remember it. The press didn't cover
this, did they? Why do you think that was?
    Dr. Davoren. It consumed our day, but I am unclear on what
the press did or did not cover.
    The Chairman. I mean you call it the most significant
technological threat to patient safety the VA has ever had. You
would think somebody would have made a--I think we would have
had a Congressional hearing on it actually.
    So you are saying that the path that the VA took in terms
of two different streams was very useful in that situation. Is
that what you were saying? Phrase it for a layman so I can
understand it.
    Dr. Davoren. I am not sure I understand the question
completely.
    The Chairman. You said that we caused--I assume because of
the centralized nature, a failure led to a very----
    Dr. Davoren.
That's right.
    The Chairman [continuing]. Deep problem. And then you
said--I see. I misunderstood what you said. ``A problem that
could never have been replicated.''
    Dr. Davoren. Right.
    The Chairman. I don't know what that means.
    Dr. Davoren. In other words, before the regionalization of
IT resources with individual--the actual systems that contain
the patient information in a distributed fashion at the medical
centers, it would have been impossible to have 17 medical
centers simultaneously have their clinical information systems
unavailable. But that was the case.
    The Chairman. Okay. So you are saying the centralization
has ended up with this downside.
    Dr. Davoren. The--yeah. Centralization of the physical IT
resources.
    The Chairman. Okay. That was the theme of your statement
that the local kinds of needs may be either overlooked or
washed out in terms of this.
    Dr. Davoren. That there isn't a clear pathway of
communication. And----
    The Chairman. How would you remedy that?
    Dr. Davoren. Well, I think--I think there are a few key
areas. From the facility level, the changes that have occurred
in terms of our collaboration with our IT colleagues, it is not
clear exactly what we can and can't do when we approach problem
solving at the medical center.
    We have a number of--we have a number of internal and
external bodies that tell us that things need to change as
medical care evolves. And many of the processes that we have
involve an IT component.
    So if we have a new discharge process for example, because
we know our hospitals are very, very full, there may be some
human resources as a project--a process action team, as we call
them, typically looks at the causes of a problem. And looks for
areas where we might be able to solve them.
    So a very, very full hospital trying to improve the
discharge process is a key item.
We may find that we actually
need to hire a discharge planning nurse or a pharmacist. We may
need to set aside some physical space. And we may need to make
some changes or we would like to make some changes to how the
computer system works, generates output for some of these
people at the time of discharge.
    In the past, that was--we had a team. They all worked for
the medical center. And so this whole process would be put
together. Now that team, on paper for sure, no longer exists.
So the question is at this point, for our region in particular,
if we can't make local changes to our internal VistA system, it
is not clear what the communication method is back to the
resources that now live in OIT to accomplish that.
    The Chairman. What did you call--you had some coordinator
of beds. You had a title to help----
    Dr. Davoren. For the discharge planning?
    The Chairman. Yes. What was the title?
    Dr. Davoren. So a number of VAs have looked at this process
because it is so critical. So there are discharge planners----
    The Chairman. Discharge planners.
    Dr. Davoren [continuing]. Who are frequently----
    The Chairman. You should call them ``ombudsmen.''
    Dr. Davoren. I will make a note of this.
    The Chairman. The only guy who laughed was the guy I pay. I
am told by the counsel that you have used the chemotherapy
software as a good example to highlight some of this. Tell us
about this.
    Dr. Davoren. Right. As a highlight of where the
communications process is very unclear, it--there is a product
that happens to be called IntelliDose. I am an oncologist, so I
do write for chemotherapy.
    And this is a particular software that integrates with the
VistA system, with the core VA system, for writing chemotherapy
that the existing VistA system cannot do.
And that immediately
planned VistA systems will not do.
    So there is a system that has been piloted at the San Diego
VA and integrated with VistA over the last couple of years to
really work the bugs out in a real-life setting.
    And the--in the VHA structure, the Impaired Decision Making
Capacity (IDMC) that was referred to earlier this morning,
would--did make a decision about a year ago that it was ready
for prime time if you will. The software was mature enough in
its integration that it could be used at other medical centers
besides the pilot site.
    We wrote a proposal after reviewing the software for my
network, VISN 21. We got the clinical buy in. We saw a number
of demonstrations to be sure this is what we wanted to do. And
I wrote a proposal for the project.
    It was, by my own interpretation of the rules of what is or
is not IT, really more of a medical device and not an IT
expenditure. But that was not agreed with by the VISN CIO
necessarily. And that as we wrote the proposal and were able to
get funding, then suddenly a few weeks ago it was determined
that this really ought to go back to the IDMC for not just
their review and approval, but for review and approval for
national funding.
    And the Western States Network Consortium that was--in
region one, so the West Coast networks decided that perhaps
this might be one of the pilot projects they would like to do
at a regional level. So the particular proposal that I put
together was on hold.
    So what this has the effect of saying is that we had a
community sense of what needed to be done. We had a pilot
project that proved--that proof of concept. We were ready to go
forward for FY08.
But now there is a new layer of review that
is not entirely clear to me what exactly it is that makes this
look like it may not be--until 2009 or 2010.
    So it is going back to the IDMC body that originally says
it was okay to get with a new task for the IDMC. I recognize
that is very circular. But I am just trying to convey the sense
that from the field perspective, the communication about what
really needs to be done to implement something that our
patients need now is very, very unclear.
    The Chairman. How long have you been with the VA?
    Dr. Davoren. I have been with the VA for 12 years.
    The Chairman. Do you feel secure in your job? I am about to
do something that has not been done. So I want to make sure I
get your----
    Dr. Davoren. I have told people I will find out whether or
not I am a political appointee at this very hearing. So--but
generally yes I do.
    The Chairman. I should do this. General Howard, can you
just come back to the table for a second. I am not going to
have an argument between you. But you have heard us yelling
about centralization, right? And there have been qualms.
    We went from a very decentralized system, which had
problems. Now we are moving to a very centralized system. And
we hear there are problems with this approach. This is not the
first person to raise these concerns. How do we find the
balance there?
    General Howard. Yes, sir. Let me----
    The Chairman. And without, you know, reacting to every
scream, we do one thing, and then we have gone too far, and now
we have a scream about going the other way. And, you know, it
is not a helpful process.
    General Howard. No, sir. But I would--I will say that there
is a process in VHA for elevating requirements to the very
senior level. I mean, there is.
And, in fact, I have actually
participated in meetings of the Committee that does that.
    I can't recall the individual who chairs that Committee
right now. But it used to be Dr. Bob Lynch. Lynch has since
left the VA. But there is a new individual now. I can't recall
his name.
    But that body is in place. They had functions to
prioritize, you know, whether an issue is a class three
requirement that needs to be put in place or any requirement
from within VHA. That is the Committee that decides how those
items are prioritized.
    However with that said, there still exists at the facility
level the capability to try out ideas and that sort of thing.
And in fact, I will ask Paul Tibbits to describe the process.
He mentioned it in his testimony that we in VHA are putting in
place to make sure innovation does occur and continues to occur
at the facility level.
    But at some point in time, you have to begin to gather that
up and expand it throughout the VA or else----
    The Chairman. No. I understand that. But as I heard Dr.
Davoren say--I mean, we have added, for example years, to a
potentially very helpful therapy to try to test it or use it.
    And so are we adding this level of bureaucracy that will
take--I mean, clearly you want something to spread good things
quickly. But----
    General Howard. Mm-hmm.
    The Chairman [continuing]. You want to also balance that
without having good things coming to the surface without a
bureaucracy interfering.
    General Howard. Yes, sir. There--from an OIT standpoint,
there is no--there is no OIT layer between Dr. Davoren and Mike
Cuspin. We are not in that. We are in our own layer. You know,
we have our own reporting process. But any requirement within
VHA does not have to go through OIT.
It can go all the way up
to the top.
    Now at some point in time, obviously we are engaged in the
examination of that issue to first of all see if it is
possible, see if there is funding available, and what have you.
    The visibility issues, though, is key. You mentioned, you
know, the decentralized way of doing business in the past. If I
was a hospital director, in the past and before the IT
appropriation, I did what I needed to do, you know, out of the
medical money available. If I needed to spend it on IT I did. I
mean, it was actually, if you were a hospital director, was not
a bad environment. It was pretty good.
    The trouble is it was not very efficient. And the Congress
actually got pretty upset with that kind of operation. And that
is what we are trying to standardize. We are not--we are trying
to standardize this. But at the same time, not kill innovation.
We definitely do not want to do that.
    We want to put a better process in place to control it a
little bit more so that the good ideas do bubble to the top and
get used throughout the VA. And the ones that maybe are not
very good, are finally just cut off. I mean, that is kind of a
research environment that has to be----
    The Chairman. Well, but another way to ask about that
balance, I mean, again, it was mentioned, this region one
downtime----
    General Howard. Mm-hmm.
    The Chairman [continuing]. That we lost the whole region. I
mean, is that an example of over-centralization or not?
    General Howard. It is to prevent----
    The Chairman. How are we going to prevent that from
occurring again?
    General Howard. Sir, actually the--it is the regional data
processing program. And it actually existed before the IT
central.
It was the VHA initiative that goes back a number of
years.
    And the idea, the central idea, was to better protect the
information, you know, in well-protected data centers, tier
four data centers.
    Obviously at this point in time, we are responsible for
that program. You know, it came over to us. So everything that
happened at Sacramento is on our watch. You know, we were
responsible for that.
    What we are discovering--and just to comment on that,
clearly, you know, we put a team in to examine what happened.
The fact is the tiger team is still at work to examine the
details of all that. I have an independent review that is about
to get underway, because there is more to this than meets the
eye.
    We are very concerned about in the design of the program,
for whatever reason, the proper backup at facility level was
not adequately considered. We can see that now.
    In other words, some facilities had a better capability to
read, not write, but read information on their backup system
than other sites did. You know, why was that dichotomy there?
    And maybe we skimped from a resource standpoint. But we
have an effort underway now to examine not just Sacramento, but
the whole program to see exactly what we are doing and build in
a more robust backup capability at the facility level. We have
that underway and include the other data centers as well, you
know, the corporate data centers.
    So we are stepping back to take a hard look at this program
to see exactly what we are doing. Some aspects of it are good.
The idea of protecting the information is very good.
    But you can't permit--you know, permit a condition that
allows a hospital to go down for 8 hours. That is ridiculous.
We cannot allow that to happen. We understand that. And we are
going to take steps to do it. It may involve more funding. And
we just don't know that at this time.
    The Chairman.
Any more comments on this issue, Dr. Davoren.
    Dr. Davoren. On the down time?
    The Chairman. Or on any of the issues we just raised.
    Dr. Davoren. Right. I think, you know, ultimately the--if
the end user needs, my needs and those of the people that I
work with to directly care for the veteran in front of them,
are the driver for processes that happen to include IT as a
part of them. That the structure needs to be in place and more
transparent to those of us who are in the field for how we
can--how we can relay our innovative ideas as well as our
concerns about day-to-day operations through the whole
structure, through both our own VHA structure as well as the
communication points to OIT. And from the field from the
farthest point on the West Coast represented here that that is
not in place.
    The Chairman. Okay. I hope we keep that in mind as we go
through this process. And we should bring in more people from
the field to give us their sense of what is going on.
    So thank you for your candid comments.
    I just--Dr. Tibbits, if I just--this thing about DoD and VA
just flabbergasts me. You know, in concept, interoperability is
easy. But we have been talking about it for probably a couple
of decades. Why is it so difficult?
    I mean, could a General Howard or a Bill Gates come in and
just say do it? What is so difficult about just ordering these
two systems to talk to one another? I see some people shaking
their heads that it couldn't happen that way. But why is that
so--what am I missing here as a layman?
    Dr. Tibbits. Thank you for the question. It is an excellent
question. And there are several ways to answer the question.
And let me step through them quickly. And then allow more time
for discussion if you wish.
    At the end of the day, the reason it is not so simple to
just say go do it is the vocabulary problem. The vocabulary
problem is an intense problem.
If you can think of ``Roget's
Thesaurus'' of the Department of Defense. It has got its--it
would have its own thesaurus. If you think of ``Roget's
Thesaurus'' of the VA, it would have its own thesaurus.
    And without putting those two things together, it is
extremely difficult to get interoperability to happen in the
way many people want it. So if you back down from that and
start saying, all right, are there simplifying constructs that
we can use? So without getting our thesaurus----
    The Chairman. Can't you have the ``Howard Thesaurus'' and----
    Dr. Tibbits. The what?
    The Chairman. ``Howard Thesaurus.''
    General Howard. You wouldn't be able to understand it.
    Dr. Tibbits. Well, we could. But what that creates,
unfortunately, is a third thesaurus. And while, yes, if in
fact--in fact that is a strategy. And if we got all parties to
agree to that third one and mapped the third one, that would
actually be progress.
    But I want to back down from that and say there are
simplifying constructs. And those simplifying constructs
involve not going for the full degree of information
interoperability. So a computer can actually recognize the
information. But simply transmit electronic information back
and forth that the computer can't read, but a human being can.
But it is still in the computer. All right?
    So we have done that. We have gone down to a lesser degree
of information interoperability. And there is a great deal of
clinical information that is going back and forth and scheduled
to be augmented over the next few months between the two
departments.
    And Mr. Bestor and Mr. Wu are very familiar with many of
those initiatives, VA Health Information Exchange, Federal
Health Information Exchange. Lots of information going back and
forth there.
    The other piece of it is organizational. And let me just
touch on that.
    The Chairman. I am sorry, go ahead.
    Dr.
Tibbits. Let me just touch on that lightly.
Organizational--I have personally been involved in looking at
the organizational implications of what you are saying for many
years, both when I was in DoD I spent a lot of time working on
VA DoD collaboration. I had 26 years in the Navy Medical
Department, 18 of which were on medical informatics I might
add.
    I spent a lot of time on VA DoD collaboration issues. After
that, I supported the Presidential Task Force and looked at DoD
collaboration and wrote the chapter actually on seamless
transition.
    One of the issues then we focused on, and we still focus on
now, is there are two cabinet level agencies. And who exactly
is it that is going to tell two cabinet-level agencies on a
practical day-to-day basis to collaborate with each other?
    And when we go up the executive branch, what do we find? We
find OMB in the White House. We were never convinced that as a
practical matter of getting two cabinet agencies to collaborate
with each other, either OMB or the White House, were really
very effective management tools in the sense that that actually
has to be managed. At a policy level, they may be quite
effective. But to really get that to happen, is very difficult
circumstance.
    So I guess thirdly I would say requirements are important.
What are we trying to exchange information for? And there is
two big buckets here that I want to put in front of you.
    One is to better serve veterans. The other is to save
money.
It is very important to look at those two objectives
separately and figure out which one or both or which is it we
are after and in what degree of priority.
    If our primary objective is to serve veterans' needs, a
program structure would evolve from that and has evolved from
that, which focuses on the data, the clinical data, what is in
the record, how the veteran and how the servicemember was
treated in exchanging that back and forth.
    If one is interested in saving money, then a whole
different paradigm has to be taken, which looks at software and
software development. And are we developing software together,
we, VA and DoD, that would save money, that would allow us to
reuse the software perhaps between both departments.
    But that in and of itself, would not standardize the data
so that we could have the information interoperability necessary
to serve veterans' needs.
    So being clear about those objectives between the two
departments, addressing the issues of how we get two
departments from an organization perspective to collaborate
with each other, and then forcing attention and more and more
attention on the terminology issues to get the two departments
to speak the same languages, are basically the three levels of
issues that are relevant to your question.
    The Chairman. If we actually solved this thing, you
wouldn't have a job anymore. That is the real problem here I
think. Just kidding, sir.
    Dr. Tibbits. I would be glad to relinquish my job and solve
that, because I have been after this issue and this job for too
long. And I can't tell you how much I appreciate your question.
    No, we are solving it.
    The Chairman. Again, as a layman, I mean, you use
``Thesaurus I.'' What is the plural of thesaurus, a thesauri?
Thesauramatics is probably a specialty. There is probably a
specialty in the study of a thesaurus. You had one and two. And
you--I suggested a third.
Why isn't ``Thesaurus I'' adopted?
    Dr. Tibbits. Well----
    The Chairman. I am told VistA is the best system in the
world. So why doesn't the DoD adopt VistA?
    Dr. Tibbits. That doesn't solve the terminology problem.
That is why. And let me try to exemplify that for you in terms
that perhaps all of you--everyone will be familiar with. And
let me use email as an example.
    I assume many of you in the room today are familiar with
Microsoft Exchange and use Microsoft Exchange for email,
Outlook, Microsoft Outlook. I assume many of you at one time
may have been familiar or used Lotus Notes. Two very different
programs. Two very different sets of software. But yet
information can be exchanged between the two of them, because
if both users speak English terminology, if both users use the
same standard protocols for transmission, TCP/IP (Transmission
Control Protocol Internet Protocol), a little techno babble, if
both of those standards are in place, then information
interoperability can happen very clearly with the software on
both ends, sender and receiver being completely different.
    If on the other hand, you use Microsoft Outlook, and you
attempt to send email to a Frenchman who is also using
Microsoft Outlook, identical code on both ends, identical
software, the same computer system, if you will, on both end,
sender and receiver. You even use the same protocol, so the
message will get through.
    If you speak only English, and the recipient speaks only
French, there will be no information interoperability with
identical code on both ends.
    That is exactly the situation we have now. If you take
VistA, and the reverse is also true if you take AHLTA, either
way. If you take VistA and power shoot it in the Department of
Defense today, either it will have to be repopulated, the files
and tables, with the terminology of the Department of Defense
in order for them to be able to use it.
Or they will have to
change their entire terminology libraries to be able to use it
with our terminology in it, which would be a massive change in
policy, how they manage people, how they manage their budgets,
how they do assignments, how they send people to theater, how
they order band-aids. All would have to change to the VA's
terminology model.
    The Chairman. Couldn't I send my English email through a
translator?
    Dr. Tibbits. Yes. And that is the terminology mapping. And
to build those--that is--that is the thesaurus work of putting
the two thesauri together. And either----
    The Chairman. But then the Frenchman would understand me,
right?
    Dr. Tibbits. That is correct. But that is the hard work.
And that is why it takes so long.
    The Chairman. That is hard. Okay, it just sounds easy to
me.
    Dr. Tibbits. Very hard. Very--those are very large data
sets. Imagine every drug. That--when we standardized drugs,
that is just one domain. When we standardize allergies, that is
just one domain. When we standardize vital signs, that is just
one domain. And that is what we are doing.
    And by the way, at the end of the day, we may not have
necessarily addressed the data for traumatic brain injury. Why
not? Because if you were to ask me well what have you done by
way of standardization for traumatic brain injury, my answer
would be, well, we have standardized drugs, we have
standardized allergies, and we have standardized vital signs
for them. Okay, Doc, but can you send the electroencephalogram
back and forth? Well the answer is no. We didn't quite get to
the wave form domain yet.
    So my answer is both. Continue with the hard work of the
thesaurus work. Continue with that. Keep that going.
While at
the same time, we superimpose on it a problem-oriented
approach.
    Take the big problems first, traumatic brain injury, PTSD,
amputation, and look at a combination of both structured and
unstructured data so that we actually have information
interoperability, some of which is computable, some of which is
not computable. But a physician can still read and develop our
data exchange plans that way, so it is a combination of both as
a simplifying and acceleration technique to address the key
problems that are important to veterans today.
    The Chairman. Thank you. That was very helpful. I
appreciate it.
    Mr. Wu, did you have a question? You may. Please.
    Mr. Wu. Chairman Filner, we appreciate the accommodation
for counsel to ask several questions. I will defer the
questions to General Howard, since we argue all the time. And
we don't need to do that here.
    A little history. I don't need to ask Dr. Tibbits any
questions, because he and I argued about the incompatibility or
compatibility of DoD and VA for the last 10 years. And I was
asking the same questions you were asking him before.
    But I will ask Dr. Davoren. I now know who I want to come
to as a hematology oncologist if I become afflicted. And I
appreciate that.
    The Chairman. It is oncologomatics is what he is----
    Mr. Wu. But your testimony concerns us. And I think, Mr.
Bestor, the staff director on the majority side, and I have had
this conversation before. He says, ``I have pride of
authorship.'' Since we did the Omnibus Act that did the
integration consolidation, and Mr. Buyer put 6 years into it.
    It is not that I don't have an appreciation for what you
are talking about, what you want to do on the software program
for chemotherapy protocols and so forth.
I would just ask you
this, how many in the VA system of 152 hospitals that deal with
oncology, that deal with chemotherapy protocols, whether they
are in clinical trials, that there aren't hospitals that are
using some software now similar to what was demoed successfully
in San Diego, not saying which is best, and how are they in the
queue?
    What if you have five different systems out there doing the
same thing? Should we have five systems? Should we have one?
    Dr. Davoren. At this point, I can tell you that there
aren't any other integrated software systems in the VA
specifically for this application. That is for me, that is what
makes it such a no-brainer.
    I think the issue for the bake-off, if you will, of
competing products is very important. I think there are many
layers to this, however. Every--there is a saying that you have
heard probably too many times in this room that when you have
seen one VA, you have seen one VA.
    And that software by itself, does--it can enforce a
specific clinical business process. But typically it is
invested in a particular way of doing business.
    So, for example, if you look at the discharge process I
talked about before, there are some places that may address
this with some changes in physical space. There are places that
may address this in changes of personnel and responsibilities,
hiring nurses, hiring pharmacists, hiring a number of people.
    And they may also feel that there is an IT component that
needs to be modified in those. And that doesn't mean that the
IT component that is developed there is actually applicable to
the way that another VA does business with the same exact
problem.
    That doesn't mean it doesn't need to be addressed.
But in
way of answering your question, it is not clear at the--at the
point of care for the veteran in front of you that it matters
whether or not the exact tool that you use is the same in San
Francisco as it is in Puget Sound, as it is in New Orleans.
    Mr. Wu. All right. I can appreciate that. On the down time,
Chairman Filner, it was very disturbing to see a network of
hospitals down or be without access to clinical information. I
think that is profound.
    But I would ask you this, and I was relieved when those
regional process data process centers went into place. Chairman
Filner, I will tell you that I was detailed to the special
investigative Committee on Katrina. And that was a good news
story for the VA, because out of Louisiana State University,
out of Tulane, out of Baptist Hospital, out of Charity, every
one of their medical records were destroyed when the flood came
through. The VA was able to download their medical records,
which were on servers in the sub-basement.
    What is significant about that is that is where the sub-basement
is located. The front step of the VA hospital is four
feet below sea level. So I can't imagine how far down further
the sub-basement was.
    The point of the matter was they brought them, they
downloaded the tapes, put them on a laundry truck, if I
remember correctly, took them to the Superdome, and airlifted
them out of there to Houston, where they were downloaded.
    Houston could not use the tapes, because the VistA system
was different. It was tweaked locally. I think it was about 3
to 4 days before they could bring it back up, plus they lost
all their images, their radiographic images, the x-rays.
    And at that time, the question we had on the special
Committee was--and it was a good news story and a bad news
story for the VA--what happened?
Why wasn't all the VA data
available, because what I didn't realize is that all the data
at each hospital, San Francisco is yours, and resides in San
Francisco.
    If I am in Walla Walla or I am in San Diego and I have a
patient that came in from San Francisco to San Diego, I have to
reach in to the server that is at your hospital to get the data
on that patient. It is not in any central depository where I
can go and grab that data as a VA practitioner.
    So they made the regional centers, supposedly I thought, as
a redundant backup so that if one hospital goes down, you can
retrieve that information automatically.
    Now something dramatically, intrinsically went wrong with
this meltdown. And that is unacceptable. You can't let that
happen again.
    But the question I ask of you is did that regionalization
and centralization happen before General Howard had to inherit
that issue? So that was there. That is set up. That
infrastructure and that internal control and security was in
place.
    Now what he had to do was mitigate that. If he has
inherited that mess and if there is a problem with it, he is
going to have to fix it. And we are going to have to give him
the money. These members are going to have to vote on that. And
give him that kind of money to make sure that never happens
again.
    But the question I have for you is, before centralization,
how much down time did you have? Every hospital I know has had
their systems crash. Our system in our Committee has crashed
for a couple of days at a time where we couldn't retrieve
anything.
    So when you say that you have more downtime since
centralization, and these regional data processing systems were
in before centralization, how do you then address that the
centralization is the cause of that downtime?
    Dr. Davoren. I am not sure that centralization in terms of
OIT reorganization is the cause of that.
Centralization of the
resources did create a new point of failure.
    And the local facility understanding was, and we have been
told this in fact, and there is a memorandum from December of
2006 that I don't have with me, but I can retrieve, that it
would be essentially a seamless transition from the Sacramento
Regional Data Processing Center for us to the Denver Regional
Data Processing Center.
    So what I would say is that what you have said is exactly
true. But the control on August 31st of moving the plan that we
all understood at the field level was that when there was a big
catastrophe such as what happened, we would be moved over to
the Denver backup. That did not happen. And we did have the
longest down--this is the longest unplanned downtime that we
have ever had in San Francisco since we have had an electronic
medical record.
    We have had two planned down times during major system
upgrades, well coordinated, incredibly well set up in advance
on weekends that were 8 hours in duration. But this was 9 hours
for us unplanned. The longest that we have ever had.
    Mr. Wu. Are you a researcher also?
    Dr. Davoren. Somewhat. I mostly do clinical work and
informatics.
    Mr. Wu. Are you familiar with the breach at Birmingham in
research?
    Dr. Davoren. Yes.
    Mr. Wu. Do you have any idea what that is going to cost the
VA to mitigate?
    Dr. Davoren. No.
    Mr. Wu. What about $26 million? Do you think there should
be some personal responsibility of whoever does that?
    Dr. Davoren.
I think that the--one of the good news points
that I said before is that the mentality has been a major--a
major emphasis of what has gone on with the reorganization in
terms of the security initiatives to get people to really pay
attention to the level of detail of knowledge that they have
about everything that is at our fingertips.
    The same quality that makes sensitive information so
sensitive is what makes it necessary for us to know it in an
instant.
    Mr. Wu. I appreciate your testimony about, what doesn't
need to be encrypted on thumb drives, what is in meetings and
presentations. But how do the IT security people know what is
on those unencrypted thumb drives?
    This is the security event report that comes out every week
to Congress, to this Committee, to Chairman Filner and Mr.
Buyer. We get them. Not all of them are great. Some are, you
know, incidental. Some are--I don't even know why they report
them. But they report everything.
    For your testimony, what should and shouldn't be encrypted?
Who determines that? And is that on a personal recognizance of
the physician or the practitioner or the VA employee? How do
you then know what is on there? What isn't on there?
    We have a report of a cardiologist losing his thumb drive
in the Midwest, with 26,000 names on it. What should happen, do
you think, to that individual after they certified that they
would not do that?
    Dr. Davoren. Well, I am not as familiar enough with the
actual channels for discipline that might be appropriate in
such a case. I think that we have made good moves to try and
keep people from keeping such information on devices. But,
obviously, it can happen. I think everything is, in fact, a
risk benefit assessment.
    If you encrypt the desktops as has been proposed, if it
takes me 25 minutes to get into the data that I need, I am
going to tell you as a clinician, I don't believe that is worth
it.
But the data is much more secure that way. And you will
have prevented other people from seeing it even if I can't use
it for the veteran in front of me.
    So I think everything is about a balance. So I think in
order to answer your question, the--how does the information
security officer know everything that is on the thumb drive,
with current technology, I don't believe there is a way to do
so. So I believe that there is a certain amount of policy and
procedure that always exists independent of the actual
technical action that is taken.
    But I think it is just as important that we have the
avenues of communication open to be able to discern when those
become or appear to be punitive at the end result and when they
appear to be completely justified.
    But I don't know that I am qualified to tell you exactly
what should happen.
    Mr. Wu. I can appreciate that. And I thank Chairman Filner.
    The Chairman. Thank you, Mr. Wu, for your contributions. I
just want to give our counsel a couple of questions. And then
we will----
    Mr. Bestor. I don't have a phone book. So I can't read from
that. And I wouldn't suggest that Art was doing that either.
Sorry.
    But actually, Dr. Tibbits, I wanted to ask you a couple of
questions about the seamless transfer of information between
DoD and VA, because obviously that is a big issue. There are a
lot of resources being spent on it.
    The first thing about the possibility that VistA could be
used by DoD, of course, nobody would suggest that you just
parachute VistA into DoD. Presumably there would have to be
some kind of development of DoD--of VistA to be--to make it
possible for DoD to use it.
    Clearly there are requirements that DoD has like readiness
that the VA--and I keep hearing readiness is the big one. There
is a chart on my wall of the information systems in DoD. It is
only eight-and-a-half by eleven.
But it has got at least, I
don't know, 100-150 different little points on it.
    Obviously, there would be a development process that one
would have to go through. But it is the case that something
like 75 percent of new docs have had some experience on VistA,
because they go through a VA rotation during their residencies
these days.
    And it is also true that a development process might be
able to address those. The question is why isn't that being
done? I mean, why--what is it about VistA that makes DoD so
resistant to even looking at that as the in patient--well, not
in patient, as the clinical medical record?
    Dr. Tibbits. Well, that is also a very good question. And
there are probably lots of things. So let me--I guess I am
going to basically think out loud with you.
    I would also, obviously, encourage you to ask DoD that
question, because I don't want to speak for them----
    Mr. Bestor. Obviously.
    Dr. Tibbits [continuing]. As to what is in their mind with
respect to VistA.
    So let me speak about objectives again and start off there.
Your preamble included, I think, information sharing or
something or serving veterans in--leading into your question.
    I would say that were we able to do the development work to
put VistA into the Department of Veterans Affairs in some way,
shape, or form, might be a very good idea. And I am going to
come back to that in a minute. It might be a very good idea and
might be feasible.
    I just want to go back for a moment, however, to my earlier
discussion about email and the Englishman and the Frenchman.
Let us not make the mistake that no matter how much development
work goes on to put VistA into the Department--into DoD. No
matter how much work goes on and if it is feasible, do not make
the mistake of believing that that will accomplish information
interoperability. It will not.
It will do other things.
    You mentioned, for example, most doctors who go through
training today in the United States in some way, shape, or form
go through the VA. True. Therefore, most of them have used
VistA. True. And, in fact, most of them like it. True.
    Okay. So what would putting VistA in the Department of
Defense do today? It would probably reduce the training burden
for those doctors over there, because they are already familiar
with VistA. It might improve penetration of information
technology into healthcare delivery in the Department of--in
DoD, because VistA has a much higher success rate with respect
to penetration and to healthcare than AHLTA does in the
Department of Defense.
    So some very good things might happen by doing that. Just
don't put your eggs in that basket with respect to information
interoperability between the two departments. It won't
accomplish that.
    The information interoperability between the two
departments has got to deal with the data and how the data goes
between the two departments, whether we put VistA over there or
not.
    Now with respect to some other considerations, let me bring
you all around to the notion of templates and structured data.
We in the Department of Veterans Affairs right now are
beginning more and more to use templates. We are beginning to
use templates for the assessment of patients for the purpose of
disability determination. Those are coming largely out of Steve
Brown in Nashville with the Compensation and Pension Exam
Program initiative. The acronym explanation, which I don't
remember. Clinical evaluation, something or other.
    Anyway, lots of good work going on with respect to
templates there. So we are moving in that direction.
    One of the major stumbling points, there are several, but
one of the major stumbling points on the AHLTA side in DoD is
that over there doctors hate templates.
And the very--one of \nthe high, high, high design objectives of AHLTA, irrespective of \nwhat clinicians in the clinic wanted, was to have machine-\nreadable concepts captured when the clinician put data into the \nsystem, the history, the physical, all the unstructured stuff, \nthe text. My chief--I got sick 3 days ago when I hit my head on \nthe door, and so forth, and so forth.\n    To do all that in machine-readable terminology so that the \nsystem could do two things, automatically read that stuff and \nsuggest codes so that the ICD (International Classification of \nDiseases) and CPT (Current Procedural Terminology) coding would \nhappen automatically. Could be suggested to the doctor. The \ndoctor attests to the legitimacy of the coding. That is for \nproductivity measurement.\n    And the second thing is for syndromic surveillance with \nrespect to bioterrorism. So when all those symptoms, I have \nfever, I have a headache, are in there in machine-readable \nterms that the computer can understand, the computer can then \nbegin to do epidemiologic surveillance even if the doctor\'s \ndiagnosis is wrong. It doesn\'t depend any longer on the \ndoctor\'s diagnosis, incomplete or wrong, because symptoms can \ndirectly be searched. That requires machine-readable data \nentry, the thesaurus we talked about before.\n    Well that creates an incredible imposition on physicians \nwith respect to their normal workflow when they are seeing \npatients. They hate it by and large.\n    So there is this very interesting sort of debate of \nobjectives, I guess, between the two departments where we are \nmoving toward templates. DoD is figuring out how to move \nsomewhat away from templates. And do a little bit less of it. \nAnd where that balance is going to fall, I don\'t know.\n    Now let me go to theater. 
Yes, with respect to military \nsupport of medical--I\'m sorry, medical support of military \noperations that is clearly a unique mission the Department of \nDefense has, which we do not have.\n    The human form factors of what a computer looks like. Is it \na BlackBerry? Is it a big machine? Is it a desktop? How big the \nscreen is. Does it operate in the mud? Can it operate in the \nrain? All those kind of factors. How screen--how fast the \nscreen paint time is.\n    Communications, in theater, while communications may not be \nuniversally available in the United States, it is a whole lot \nmore reliable in the United States than it is in Afghanistan.\n    So all the applications in Afghanistan have to be modified \nfor unreliable communications. That is a mission the Department \nof Veterans Affairs does not have.\n    So when applications are being considered in economies of \nscale and all that kind of stuff, are both departments really \nsure that by trying to converge on the application software \nitself, we are making the best economic decision?\n    Let me give you an example, a truck. Suppose you had to \ndesign a truck that had to operate in the mud effectively and \ndrive efficiently through downtown Washington, DC. I would \ncontend that the form factors on that truck might be such that \nand something had to pass between the two trucks. Let us say \nthey\'re both ambulances, and you had to pass patients between \nthe two.\n    I would contend that a whole lot of engineering analysis \nwould have to go on to determine is one truck with a certain \nbit of modifications the most efficient way to design this new \nvehicle so that it works both in the mud, and Afghanistan, and \nin downtown Washington, DC, or is it cheaper and more \neffective to simply design two trucks where the back doors \nfit each other and we can pass the patient through it?\n    I would contend that is not a foregone conclusion. 
And it \nhas to be thought through.\n    The Chairman. Actually, Doctor, I can think of a response \nto that analogy, but I don\'t want to keep us all here. You and \nI are going to be talking a lot.\n    Dr. Tibbits. Great.\n    The Chairman. So we can talk about that some more. You \nknow, it is really about information exchange. It is not--\nwouldn\'t you want the same size bolts and all that kind of \nstuff. But let us not go there.\n    Let me ask you about this interoperability thesaurus. \nTell--the Clinical Data Repository/Health Data Repository \n(CHDR) the VA is working on, is that the thesaurus work that \nyou are talking about, the updated repository?\n    Dr. Tibbits. Yes. That is the thesaurus work on our side.\n    The Chairman. Right. And the Clinical Data Repository (CDR) \nis the thesaurus work on DoD\'s side, correct?\n    Dr. Tibbits. That is correct.\n    The Chairman. And we are looking at timeframes that are 8 \nyears out?\n    Dr. Tibbits. Could possibly be, which is why I am \nsuggesting we need a simplifying construct to accelerate that \nwork.\n    The Chairman. Okay. I am not sure what you mean by ``a \nsimplifying construct.\'\' You can have interim solutions even if \nyou are continuing to work toward that long-term goal.\n    Dr. Tibbits. Exactly right. And----\n    The Chairman. And is that what you mean?\n    Dr. Tibbits. Yeah. It is what I mean. And those interim \nsolutions, if we focus on information interoperability for the \npurpose of serving veterans----\n    The Chairman. Right.\n    Dr. Tibbits [continuing]. And don\'t distract ourselves at \nthe application software level and worry about what will work \nin theater and all that stuff. If we don\'t distract ourselves \nwith that question, focus on the information number one. Number \ntwo, focus on what the high-priority problems are today that we \nneed to fix for servicemembers and veterans.\n    The Chairman. Right.\n    Dr. Tibbits. 
Traumatic brain injury, PTSD, amputation. What \nis the information exchange that has to go on between the two \ndepartments to optimally handle those conditions?\n    The Chairman. Right.\n    Dr. Tibbits. That is a list. Some of that list could, in \nfact, be computable. Some of it may be computable already \ntoday. Some of that list might not be computable, but \nexchangeable today in non-computable fashion, fine.\n    And some of that list might not yet have been addressed. \nBut could be addressed in a non-computable fashion, so we don\'t \nneed a thesaurus solution.\n    The Chairman. Right.\n    Dr. Tibbits. But those layers of composite approaches that \nI just described could be put in place in an organized manner \nand plan that would greatly accelerate the information exchange \nbetween the two departments. And alleviate as to some extent of \nthis critical path thesaurus work that is going to--it is by \ndefinition going to still take a long time.\n    The Chairman. Right.\n    Dr. Tibbits. One more comment. I would suggest, and I have \nsuggested by the way, the Administration has put a very high \npriority in VA/DoD collaboration. I assume you all know that. \nBoth the Deputy Secretaries of both departments meet weekly on \nthis subject. I am part of that process with Secretary England \nand Secretary Mansfield. They have their four-stars in the \nbuilding meeting with the Undersecretaries, and so forth, and \non our side as well.\n    I have suggested to that group, and DoD has agreed, that we \nwill also undertake another level of assessment with respect to \ninteroperability. And you mentioned the two key elements, the \nhealth data repository and the clinical data repository, which \ntoday are connected together by a wire over which we transmit \nstandardized data called CHDR.\n    The Chairman. Right.\n    Dr. Tibbits. CHDR.\n    The Chairman. Right.\n    Dr. Tibbits. 
My proposition to the Department of Defense is \nwhy don\'t we simply put a workgroup together, which we now have \ndone by the way. Why don\'t we put a workgroup together to look \nat the entire construct of the Health Data Repository, the entire \nconstruct of the CDR? See if we can eliminate those two \nthings as two separate constructs and simply create one common \ndatabase under both medical records.\n    If we can create one common database under both medical \nrecords, then the application software doesn\'t matter anymore.\n    The Chairman. Right.\n    Dr. Tibbits. DoD can use their AHLTA. We could use our \nVistA. Indian Health Service, if we wanted to, they could use \ntheir Indian Health Service applications. If we all put stuff \nin the same database, we will have achieved the information \ninteroperability objectives we need to serve veterans. And \ncompletely end this debate about whose application is better or \nmore suited to the target environment.\n    The Chairman. Right. And so what is the timeframe? Suppose \ntomorrow they say do it. How long does it take to do it?\n    Dr. Tibbits. To put those two databases together?\n    The Chairman. Yes.\n    Dr. Tibbits. I would say it is going to give--I would say \nit is going to take us probably 6 months to have an answer as \nto whether it is feasible and will save us time.\n    My hypothesis is that it will be feasible and it will save \nus time. That is a hypothesis that remains to be confirmed.\n    The Chairman. Okay. And is what you just described doing \ntesting that hypothesis?\n    Dr. Tibbits. Yes. That is the study that is going on.\n    The Chairman. Okay.\n    Dr. Tibbits. Yes. We have launched that study. Yes.\n    The Chairman. Thank you very much. I think we have learned \na lot. I appreciate your input. You read too much Dr. Seuss, \nwill it work in the mud? Will it work on the scud? Will it work \nwith a lot of blood? His widow lives in my district. 
So I am \ngoing to bring this to her.\n    But thank you very much. Thank you very much Mr. Wu. Thank \nyou, Mr. Bestor. We have a lot of work. Everybody is impatient. \nSo if you need more resources to go faster, let us know please.\n    General, do you have anything to add?\n    General Howard. Sure. We just appreciate your support. And \nwe are in constant communication with your staff. And if we \nneed help, rest assured we will come forward.\n    The Chairman. Thank you, sir. This hearing is adjourned.\n    [Whereupon, the Committee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n                 Prepared Statement of Hon. Bob Filner,\n             Chairman, Full Committee on Veterans\' Affairs\n    Thank you all for coming here today for this hearing on VA\'s \ninformation technology reorganization efforts. We will examine the \nprogress the VA has made in centralizing its IT efforts.\n    We shall explore the progress the VA has made in its efforts to be \nthe ``gold standard\'\' of information security among Federal agencies, a \ngoal enunciated by Secretary Nicholson in the wake of last year\'s data \nbreach involving over 25 million veterans and the incident earlier this \nyear in Birmingham, Alabama.\n    This Committee understands that IT centralization will not happen \novernight, nor are we asking it to, but we are asking--and our veterans \nare demanding--that the VA be held accountable for getting the job \ndone.\n    This past June, the Government Accountability Office (GAO), while \npraising the commitment from senior leadership, found fault with a \nnumber of areas in the VA\'s efforts, areas that hinder the VA\'s \nability to successfully reach its reorganization goals.\n    They included . . . rejecting GAO\'s recommendation that VA create a \ndedicated implementation team responsible for day-to-day management of \nmajor change initiatives. 
Instead, VA is apparently dividing the \nresponsibility among two organizations in the new structure. GAO was \nconcerned that this approach would not work, and so is this Committee.\n    More recently, GAO reported that of 17 recommendations made by the \nVA Inspector General, 16 had not yet been implemented. Implementing \nthese recommendations is essential if the VA is to protect private \ninformation and meet its obligations under the Federal Information \nSecurity Management Act (FISMA).\n    In the final analysis, we must remember that IT is merely a tool, a \ntool used by the VA in furtherance of its mission of caring for \nveterans. This Committee has continued to work in a bipartisan fashion \nto encourage the VA to centralize its IT efforts. These efforts will \nlead to concrete benefits for the VA, taxpayers, and most \nimportantly our veterans.\n    As we look to the VA to better manage its IT efforts, and to take \nthe lead in data security efforts, we must also ensure these efforts do \nnot unduly harm the VA\'s mission of providing healthcare and benefits \nto our veterans.\n    Our charge is to ensure that while VA is carrying out its mission, \nit does so with the best and most up-to-date technology the 21st \ncentury provides, while securing that technology from outside \nmanipulation and preventing improper disclosure of our veterans\' \nconfidential information.\n    VA, at the same time, must continue the creativity and innovation \nin the use of electronic medical and other systems that has put VA at \nthe forefront of medical care. These are not easy tasks. We are \nheartened by many of the steps the VA has undertaken, but remain \nconcerned that more should be done, and could be done . . . faster.\n    We remain hopeful that the VA can simultaneously provide our \nveterans the greatest security, management and healthcare. 
Undoubtedly, \nthe efficient and effective management and operation of the VA IT \nefforts will realize tangible benefits for our veterans.\n\n                              ----------                              \n\n         Prepared Statement of Hon. Stephanie Herseth Sandlin,\n      a Representative in Congress from the State of South Dakota\n    Thank you Chairman Filner and Ranking Member Buyer for holding \ntoday\'s hearing to evaluate the VA\'s reorganization of its information \ntechnology infrastructure and management.\n    Considering the numerous hearings that this Committee dedicated \nlast year to investigating the VA\'s information technology problems, it \nis only right that we take this opportunity to follow up on the \nprogress of VA\'s reorganization efforts. This Committee, and Congress \nas a whole, have a responsibility to remain vigilant in its oversight \nrole to ensure the VA continues to move forward in its pledge to \nprotect the private information of our Nation\'s veterans.\n    I share the frustration of my colleagues regarding the repeated \nfailures to change the VA\'s information organizational structure and \nthe recurring instances of lost personal information.\n    I thank Mr. Howard and Mr. Claudio for testifying today. I have \nheard good things about your commitment to providing a secure \ninformation technology environment. In order for this Committee to \nproperly conduct its oversight responsibilities we must be able to \nengage in an open and honest discussion. 
It is extremely valuable for \nthe Committee to hear from those of you on the frontline working to \nbring down the institutional barriers of VA\'s current IT organizational \nstructure.\n    While the VA has taken important steps toward completing \ninformation technology realignment, many questions remain unanswered \nand many changes to the VA\'s policies, regarding the handling of \nsensitive information, will need to be made.\n    I hope that today\'s hearing will shed some light on these \nunanswered questions and lead to better safeguarded information \nsecurity systems at the VA.\n    We must work to ensure that the personal information of our \nNation\'s veterans is protected and these widely reported security \nincidents never happen again.\n    Thank you again Mr. Chairman. I look forward to hearing from \ntoday\'s witnesses.\n\n                              ----------                              \n\n            Prepared Statement of Hon. Henry E. Brown, Jr.,\n     a Representative in Congress from the State of South Carolina\n    Mr. Chairman and Ranking Member Buyer, thank you for calling this \nhearing to examine the VA\'s information technology management \nstructure. I hope that this Committee will take a serious step in \naddressing one of the biggest challenges facing the Department today: \nimproving the capabilities of VA\'s information technology system, while \nstrengthening security measures.\n    As the Congress and this Committee look at VA\'s information \ntechnology reorganization and the progress that they have made as a \nresult of establishing a centralized management system, I am hopeful \nthat we will do so in a way that focuses on the bipartisan concern we \nhave for the wellbeing of our Nation\'s veterans. 
I believe that \nimproving access to healthcare, providing benefits, and implementing \ninformation technology go hand-in-hand as we work to ensure that our \nNation\'s veterans have all the resources they need to make a seamless \ntransition into civilian life.\n    In closing, Mr. Chairman, I look forward to hearing from our \nwitnesses this morning and the discussion that we will have on these \nimportant issues. Again, Mr. Chairman, thank you for the time, which I \nnow yield back.\n\n                              ----------                              \n\n             Prepared Statement of Hon. Ginny Brown-Waite,\n         a Representative in Congress from the State of Florida\n    Thank you Mr. Chairman,\n    I want to thank all of our witnesses here today for testifying \nbefore this Committee. There has been a great deal of focus placed on \nthe use of Information Technology at the Department of Veterans \nAffairs. The VA relies heavily on information technology to carry out \nits important mission of serving our Nation\'s veterans.\n    The VA undertook an ambitious process to recentralize its IT \nfunctions in 2003 and learned many valuable lessons as a result. This \nhas led Secretary Nicholson to approve a federated IT management system \nfor the VA. In this new federated system, the VA divided operations and \nmaintenance from systems development. Innovative thinking like this is \nneeded to ensure that the VA is meeting the needs of veterans in an \neffective and efficient manner.\n    Overhauling the IT system at the VA has been a long and difficult \nprocess and completion of the realignment is scheduled for July 2008. \nHowever, a June 2007 GAO report states that the VA risks jeopardizing \nthe success of these efforts and may not realize the long-term benefits \nof the realignment if they do not comply with the recommendations made \nby the GAO. 
I look forward to hearing more about these recommendations \nfrom both the GAO and the VA here today.\n    Once again, I welcome you to the hearing and look forward to \nhearing your thoughts on the issue before us today.\n\n                              ----------                              \n\n              Prepared Statement of Hon. John T. Salazar,\n        a Representative in Congress from the State of Colorado\n    Thank you Mr. Chairman.\n    Mr. Chairman, I\'m a potato farmer, and in the 30 years that I\'ve \nbeen farming I\'ve seen how technology has changed farming operations \nall over the world.\n    Change and advancement are inevitable when it comes to technology. \nIt\'s the nature of the beasts.\n    A farmer can spend hundreds of thousands of dollars on a single \npiece of equipment, but unless that farmer knows how to manage that \nmachine and manages it correctly, that tractor will destroy the crops \nthe farmer is attempting to harvest.\n    We could have the most advanced technology in the world, but it\'s \nuseless if we fail to manage it properly.\n    A year ago, we heard about an employee of the VA who had his laptop \nstolen, potentially compromising the personal records of over 2 million \nveterans.\n    Since then, important steps have been taken by the VA to minimize \nthe possibility of these types of things from happening in the future. \nSome of these steps have been taken voluntarily by the VA and some have \nbeen mandated by Congress.\n    Last year, there were major changes in the management of IT affairs \nat VA, and this hearing is a chance to get a reading on the impact of \nthat change.\n    This hearing and the multiple hearings we\'ve had in the last few \nyears like this one are about more than just the IT department in a \ngovernment agency.\n    The records being kept by VA belong to real people; men and women \nwho served our country during both times of peace and times of \nconflict.\n    I look forward to the testimony from our witnesses. 
I hope to get a \nbetter sense of where the Department is and where it plans to go with \nthe technology it has in its hands.\n\n                              ----------                              \n\n           Prepared Statement of Valerie C. Melvin, Director,\n        Human Capital and Management Information Systems Issues,\n                 U.S. Government Accountability Office\n\n  Veterans Affairs--Sustained Management Commitment and Oversight are \n    Essential to Completing Information Technology Realignment and \n                   Strengthening Information Security\n\n                             GAO Highlights\n\nWhy GAO Did This Study\n    The Department of Veterans Affairs (VA) has encountered numerous \nchallenges in managing its information technology (IT) and securing its \ninformation systems. In October 2005, the department initiated a \nrealignment of its IT program to provide greater authority and \naccountability over its resources. The May 2006 security incident \nhighlighted the need for additional actions to secure personal \ninformation maintained in the department\'s systems.\n    In this testimony, GAO discusses its recent reporting on VA\'s \nrealignment effort as well as actions to improve security over its \ninformation systems. To prepare this testimony, GAO reviewed its past \nwork on the realignment and on information security, and it updated and \nsupplemented its analysis with interviews of VA officials.\nWhat GAO Recommends\n    In recent reports, GAO made recommendations aimed at improving VA\'s \nmanagement of its realignment efforts and information security program.\nWhat GAO Found\n    VA has fully addressed two of six critical success factors GAO \nidentified as essential to a successful transformation, but it has yet \nto fully address the other four, and it has not kept to its scheduled \ntimelines for implementing new management processes that are the \nfoundation of the realignment. 
That is, the department has ensured \ncommitment from top leadership and established a governance structure \nto manage resources, both of which are critical success factors. \nHowever, the department continues to operate without a single, \ndedicated implementation team to manage the realignment; such a \ndedicated team is important to oversee the further implementation of \nthe realignment, which is not expected to be complete until July 2008. \nOther challenges to the success of the realignment include delays in \nstaffing and in implementing improved IT management processes that are \nto address longstanding weaknesses. The department has not kept pace \nwith its schedule for implementing these processes, having missed its \noriginal scheduled timeframes. Unless VA dedicates a team to oversee \nthe further implementation of the realignment, including defining and \nestablishing the processes that will enable the department to address \nits IT management weaknesses, it risks delaying or missing the \npotential benefits of the realignment.\n    VA has begun or continued several major initiatives to strengthen \ninformation security practices and secure personally identifiable \ninformation within the department, but more remains to be done. These \ninitiatives include continuing the department\'s efforts to reorganize \nits management structure; developing a remedial action plan; \nestablishing an information protection program; improving its incident \nmanagement capability; and establishing an office responsible for \noversight and compliance of IT within the department. However, although \nthese initiatives have led to progress, their implementation has \nshortcomings. 
For example, although the management structure for \ninformation security has changed under the realignment, improved \nsecurity management processes have not yet been completely developed \nand implemented, and responsibility for the department\'s information \nsecurity functions is divided between two organizations, with no \ndocumented process for the two offices to coordinate with each other. \nIn addition, VA has made limited progress in implementing prior \nsecurity recommendations made by GAO and the department\'s Inspector \nGeneral, having yet to implement 22 of 26 recommendations. Until the \ndepartment addresses shortcomings in its major security initiatives and \nimplements prior recommendations, it will have limited assurance that \nit can protect its systems and information from the unauthorized \ndisclosure, misuse, or loss of personally identifiable information.\n\n                               __________\n\nMr. Chairman and Members of the Committee:\n\n    Thank you for inviting us to participate in today\'s hearing on the \nDepartment of Veterans Affairs (VA) realignment of its information \ntechnology management structure and actions toward strengthening its \ninformation security program. In carrying out its mission of serving \nour Nation\'s veterans, the department relies heavily on information \ntechnology (IT), for which it expends about $1 billion annually. As you \nknow, however, VA has encountered persistent challenges in IT \nmanagement, having experienced cost, schedule, and performance problems \nin its information system initiatives, as well as losses of sensitive \ninformation contained in its systems. 
We have reported that a \ncontributing factor to VA\'s challenges in managing projects and \nimproving security was the department\'s management structure, which \nuntil recently was decentralized, giving the administrations \\1\\ and \nheadquarters offices \\2\\ control over a majority of the department\'s IT \nbudget.\n---------------------------------------------------------------------------\n    \\1\\ The VA comprises three administrations: the Veterans Benefits \nAdministration, the Veterans Health Administration, and the National \nCemetery Administration.\n    \\2\\ The headquarters offices include the Office of the Secretary, \nsix Assistant Secretaries, and three VA-level staff offices.\n---------------------------------------------------------------------------\n    In October 2005, VA initiated a realignment of its IT program to \nprovide greater authority and accountability over its resources. In \nundertaking this realignment (due for completion in July 2008), the \ndepartment\'s goals are to centralize IT management under the \ndepartment-level Chief Information Officer (CIO) and standardize \noperations and the development of systems across the department through \nthe use of new management processes based on industry best practices. \nThis past June we reported on the department\'s realignment initiative, \nnoting progress as well as the need for additional actions to be \ncompleted. \\3\\ Just last week, we also released a report on VA \ninformation security, which included an assessment of the realignment \nwith regard to the department\'s information security practices. 
\\4\\\n---------------------------------------------------------------------------\n    \\3\\ GAO, Veterans Affairs: Continued Focus on Critical Success \nFactors Is Essential to Achieving Information Technology Realignment, \nGAO-07-844 (Washington, D.C.: June 15, 2007).\n    \\4\\ GAO, Information Security: Sustained Management Commitment and \nOversight Are Vital to Resolving Longstanding Weaknesses at the \nDepartment of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7, \n2007).\n---------------------------------------------------------------------------\n    At your request, my testimony today will summarize the department\'s \nactions to realign IT management and our findings regarding the \ndepartment\'s information security program. In developing this \ntestimony, we reviewed our previous work on the department\'s \nrealignment and efforts to strengthen information security. We also \nobtained and analyzed pertinent documentation and supplemented our \nanalysis with interviews of responsible VA officials to determine the \ncurrent status of the department\'s realignment efforts. All work on \nwhich this testimony is based was conducted in accordance with \ngenerally accepted government auditing standards.\nResults in Brief\n    VA has fully addressed two of six critical success factors we have \nidentified as essential to a successful transformation, but it has not \nkept to its timelines for implementing new management processes that \nare the foundation of the realignment. Consequently, the department is \nin danger of not being able to meet its 2008 targeted completion date. \nThe department has ensured commitment from top leadership and \nestablished a governance structure to manage resources, both of which \nare critical success factors. 
However, the department continues to \noperate without a single, dedicated implementation team to manage the \nrealignment; such a dedicated team is important to oversee the further \nimplementation of the realignment. Other challenges to the success of \nthe realignment include delays in staffing and in implementing the IT \nmanagement processes that are the foundation of the realignment. The \ndepartment has not kept pace with its schedule for implementing these \nprocesses, having missed its original scheduled timeframes. Unless VA \ndedicates a team to oversee the further implementation of the \nrealignment, including defining and establishing the processes that \nwill enable the department to address its IT management weaknesses, it \nrisks delaying or missing the potential benefits of the realignment.\n    VA has made progress in strengthening information security, but \nmuch work remains to resolve longstanding security weaknesses. The \ndepartment has begun or has continued several major initiatives to \nstrengthen information security practices and secure personally \nidentifiable information \\5\\ within the department. These initiatives \ninclude continuing the department\'s efforts, as described above, to \nrealign its management structure; developing a remedial action plan; \nestablishing an information protection program; improving its incident \nmanagement capability; and establishing an office responsible for \noversight and compliance of IT within the department. However, although \nthese initiatives have led to progress, their implementation has \nshortcomings. 
For example, a new security management structure has been \nimplemented, but improved security management processes have not yet \nbeen completely developed and implemented; in addition, the new \nsecurity management structure divides the responsibility for the \ndepartment\'s information security functions between two organizations, \nwith no documented process for the two offices to coordinate with each \nother. Further, the department has made limited progress in addressing \nprior GAO and Inspector General recommendations to improve security: \nalthough VA has taken steps to address these, it has not yet completed \nthe implementation of 22 out of 26 prior recommendations.\n---------------------------------------------------------------------------\n    \\5\\ Personally identifiable information, which can be used to \nlocate or identify an individual, includes things such as names, \naliases, and Social Security numbers.\n---------------------------------------------------------------------------\n    In the reports covered by this testimony, we have made numerous \nrecommendations aimed at improving the department\'s management of its \nrealignment and information security program. VA has agreed with these \nrecommendations and has begun taking or plans to take action to \nimplement them. If this implementation is properly executed, it could \nhelp the department to realize the expected benefits of the \nrealignment, as well as to better secure its information and systems.\nBackground\n    VA\'s mission is to promote the health, welfare, and dignity of all \nveterans in recognition of their service to the nation by ensuring that \nthey receive medical care, benefits, social support, and lasting \nmemorials. Over time, the use of IT has become increasingly crucial to \nthe department\'s effort to provide benefits and services. 
VA relies on \nits systems for medical information and records for veterans, as well \nas for processing benefit claims, including compensation and pension \nand education benefits.\n    In reporting on VA\'s IT management over the past several years, we \nhave highlighted challenges the department has faced in enabling its \nemployees to help veterans obtain services and information more quickly \nand effectively while also safeguarding personally identifiable \ninformation. A major challenge was that the department\'s information \nsystems and services were highly decentralized, giving the \nadministrations a majority of the IT budget. \\6\\ In addition, VA\'s \npolicies and procedures for securing sensitive information needed to be \nimproved and implemented consistently across the department.\n---------------------------------------------------------------------------\n    \\6\\ For example, according to an October 2005 memorandum from the \nformer CIO to the Secretary of Veterans Affairs, the CIO had direct \ncontrol over only 3 percent of the department\'s IT budget and 6 percent \nof the department\'s IT personnel. In addition, in the department\'s \nfiscal year 2006 IT budget request, the Veterans Health Administration \nwas identified to receive 88 percent of the requested funding, while \nthe department was identified to receive only 4 percent.\n---------------------------------------------------------------------------\n    As we have previously pointed out, \\7\\ it is crucial for the \ndepartment CIO to ensure that well-established and integrated processes \nfor leading, managing, and controlling investments in information \nsystems and programs are followed throughout the department. Similarly, \na contractor\'s assessment of VA\'s IT organizational alignment, issued \nin February 2005, noted the lack of control over how and when money is \nspent. 
\\8\\ The assessment noted that the focus of department-level \nmanagement was only on reporting expenditures to the Office of \nManagement and Budget and Congress, rather than on managing these \nexpenditures within the department.\n---------------------------------------------------------------------------\n    \\7\\ GAO-07-844.\n    \\8\\ Gartner Consulting, OneVA IT Organizational Alignment \nAssessment Project ``As-Is\'\' Baseline (McLean, Virginia; Feb. 18, \n2005).\n---------------------------------------------------------------------------\nCentralized IT Organization\n    In response to the challenges that we and others have noted, the \ndepartment officially began its effort to provide the CIO with greater \nauthority over IT in October 2005. At that time, the Secretary issued \nan executive decision memorandum granting approval for the development \nof a new management structure for the department. According to VA, its \ngoals in moving to centralized management are to enable the department \nto perform better oversight of the standardization, compatibility, and \ninteroperability of systems, as well as to have better overall fiscal \ndiscipline for the budget.\n    In February 2007, the Secretary approved the department\'s new \norganizational structure, which includes the Assistant Secretary for \nInformation and Technology, who serves as VA\'s CIO. 
As shown in figure \n1, the CIO is supported by a principal deputy assistant secretary and \nfive deputy assistant secretaries--new senior leadership positions \ncreated to assist the CIO in overseeing functions such as cyber \nsecurity, IT portfolio management, systems development, and IT \noperations.\n  Figure 1--Office of Information and Technology Organizational Chart\n[GRAPHIC] [TIFF OMITTED] T9456A.001\n\n    Source: VA\n    Note: DAS = Deputy Assistant Secretary\n\n    In addition, the Secretary approved an IT governance plan in April \n2007 that is intended to enable the Office of Information and \nTechnology to centralize its decisionmaking. The plan describes the \nrelationship between IT governance and departmental governance and the \napproach the department intends to take to enhance IT governance. The \ndepartment also made permanent the transfer of its entire IT workforce \nunder the CIO, consisting of approximately 6,000 personnel from the \nadministrations. Figure 2 shows a timeline of the realignment effort.\n         Figure 2--Timeline of Key Events for VA IT Realignment\n[GRAPHIC] [TIFF OMITTED] T9456A.002\n\n\nMultiple Factors Increasing Risk to Success of Realignment\n    Although VA has fully addressed two of six critical success factors \nthat we identified as crucial to a major organizational transformation \nsuch as the realignment, it has not fully addressed the other four \nfactors, and it has not kept to its scheduled timelines for \nimplementing new management processes that are the foundation of the \nrealignment. Consequently, the department is in danger of not being \nable to meet its target of completing the realignment in July 2008. In \naddition, although it has prioritized its implementation of the new \nmanagement processes, none has yet been implemented. 
In our recent \nreport, \\9\\ we made six recommendations to ensure that VA\'s realignment \nis successfully accomplished; the department generally concurred with \nour recommendations and stated that it had actions planned to address \nthem.\n---------------------------------------------------------------------------\n    \\9\\ GAO-07-844.\n---------------------------------------------------------------------------\nVA Has Not Fully Addressed All Critical Success Factors\n    We have identified critical factors that organizations need to \naddress in order to successfully transform an organization to be more \nresults oriented, customer focused, and collaborative in nature. \\10\\ \nLarge-scale change management initiatives are not simple endeavors and \nrequire the concentrated efforts of both leadership and employees to \nrealize intended synergies and to accomplish new organizational goals. \nThere are a number of key practices that can serve as the basis for \nFederal agencies to transform their cultures in response to governance \nchallenges, such as those that an organization like VA might face when \ntransforming to a centralized IT management structure.\n---------------------------------------------------------------------------\n    \\10\\ GAO, Results-Oriented Cultures: Implementation Steps to Assist \nMergers and Organizational Transformations, GAO-03-669 (Washington, \nD.C.: July 2, 2003); and Highlights of a GAO Forum: Mergers and \nTransformation: Lessons Learned for a Department of Homeland Security \nand Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 
14, \n2002).\n---------------------------------------------------------------------------\n    The department has fully addressed two of six critical success \nfactors that we identified (see table 1).\n\n\n                   Table 1--Current Status of VA\'s Actions to Address Critical Success Factors\n----------------------------------------------------------------------------------------------------------------\n               Critical success factor                                Status as of September 2007\n----------------------------------------------------------------------------------------------------------------\nEnsuring commitment from top leadership                   Fully addressed: Secretary Nicholson approved the new\n                                                          organization structure and the transfer of employees.\n----------------------------------------------------------------------------------------------------------------\nEstablishing a governance structure to manage              Fully addressed: Secretary Nicholson approved the IT\n resources                                                     governance plan, and VA established three new IT\n                                                        governance boards that began meeting earlier this year.\n----------------------------------------------------------------------------------------------------------------\nLinking IT strategic plan to organization strategic    Partially addressed: The department has developed a draft\n plan                                                   IT strategic plan and expects to finalize it in October\n                                                                                                          2007.\n----------------------------------------------------------------------------------------------------------------\nUsing workforce strategic management to identify       Partially addressed: VA has identified job requirements,\n proper 
roles for all employees                         has begun to develop career paths for IT staff, and has\n                                                          not yet established a knowledge and skills inventory.\n----------------------------------------------------------------------------------------------------------------\nCommunicating change to all stakeholders                 Partially addressed: VA increased communication on the\n                                                           realignment, but has not staffed a key communication\n                                                                                                        office.\n----------------------------------------------------------------------------------------------------------------\nDedicating an implementation team to manage change               Not addressed: The department does not have an\n                                                                 implementation team to manage the realignment.\n----------------------------------------------------------------------------------------------------------------\nSource: GAO.\n\n\n    Ensuring commitment from top leadership. The department has fully \naddressed this success factor. As described earlier, the Secretary of \nVA has fully supported the realignment. He approved the department\'s \nnew organizational structure and provided resources for the realignment \neffort.\n    However, the Secretary recently submitted his resignation, \nindicating that he intended to depart by October 1, 2007. While it is \nunclear what effect the Secretary\'s departure will have on the \nrealignment, the impending departure underscores the need for \nconsistent support from top leadership through the implementation of \nthe realignment, to ensure that its success is not at risk in the \nfuture.\n\n    Establishing a governance structure to manage resources. The \ndepartment has fully addressed this success factor. 
The department has \nestablished three governance boards, which have begun operation. The VA \nIT Governance Plan, approved April 2007, states that the establishment \nand operation of these boards will assist in providing the department \nwith more cost-effective use of IT resources and assets.\n    The department also has plans to further enhance the governance \nstructure in response to operational experience. The department found \nthat the boards\' responsibilities need to be more clearly defined in \nthe IT Governance Plan to avoid overlap. That is, one board (the \nBusiness Needs and Investment Board) was involved in the budget \nformulation for fiscal year 2009, but budget formulation is also the \nresponsibility of the Deputy Assistant Secretary for IT Resource \nManagement, who is not a member of this board. According to the \nPrincipal Deputy Assistant Secretary for Information and Technology, \nthe department is planning to update its IT Governance Plan within a \nyear to include more specificity on the role of the governance boards \nin VA\'s budget formulation process. Such an update could further \nimprove the structure\'s effectiveness.\n\n    Linking IT strategic plan to organization strategic plan. The \ndepartment has partially addressed this success factor. VA has drafted \nan IT Strategic Plan that provides a course of action for the Office of \nInformation and Technology over 5 years and addresses how IT will \ncontribute to the department\'s strategic plan. According to the Deputy \nDirector of the Quality and Performance Office, the draft IT strategic \nplan should be formally approved in October 2007. Finalizing the plan \nis essential to helping ensure that leadership understands the link \nbetween VA\'s organizational direction and how IT is aligned to meet its \ngoals.\n\n    Using workforce strategic management to identify proper roles for \nall employees. The department has partially addressed this success \nfactor. 
The department has begun to identify job requirements, design \ncareer paths, and determine recommended training for the staff that \nwere transferred as part of the realignment. According to a VA \nofficial, the department identified 21 specialized job activities, such \nas applications software and end user support, and has defined \ncompetency and proficiency targets \\11\\ for 6 of these activities. \nAlso, by November 2007, VA expects to have identified the career paths \nfor approximately 5,000 of the 6,000 staff that have been centralized \nunder the CIO. Along with the development of the competency and \nproficiency targets, the department has identified recommended training \nbased on grade level. However, the department has not yet established a \nknowledge and skills inventory to determine what skills are available \nin order to match roles with qualifications for all employees within \nthe new organization. It is crucial that the department take the \nremaining steps to fully address this critical success factor, so that \nthe staff transferred to the Office of Information and Technology are \nplaced in positions that best suit their knowledge and skills, and the \norganization has the personnel resources capable of developing and \ndelivering the services required.\n---------------------------------------------------------------------------\n    \\11\\ Competency refers to required capabilities for performing \nspecialized job activities, such as business process reengineering or \ndatabase administration. Proficiency targets indicate the level at \nwhich the individual can perform these activities.\n\n    Communicating change to all stakeholders. The department has \npartially addressed this success factor. The department began \npublishing a bimonthly newsletter in June to better communicate with \nall staff about Office of Information and Technology activities, \nincluding the realignment. 
However, the department has not yet fully \nstaffed the Business Relationship Management Office or identified its \nleadership. This office is to serve as the single point of contact \nbetween the Office of Information and Technology and the \nadministrations; in this role, it provides the means for the Office of \nInformation and Technology to understand customer requirements, promote \nservices to customers, and monitor the quality of the delivered \nservices. A fully staffed and properly led Business Relationship \nManagement Office is important to ensure effective communication \nbetween the Office of Information and Technology and the \nadministrations.\n    Communicating the changed roles and responsibilities of the central \nIT organization versus the administrations is one of the important \nfunctions of the Business Relationship Management Office. These changes \nare crucial to software development, among other things. Before the \ncentralization of the management structure, each of the administrations \nwas responsible for its own software development. For example, the \ndepartment\'s health information system--the Veterans Health Information \nSystem and Technology Architecture (VistA)--was developed in a \ndecentralized environment. The developers and the doctors, closely \ncollaborating at local facilities, developed and adapted this system \nfor their own specific clinic needs. The result of their efforts is an \nelectronic medical record that has been fully embraced by the \nphysicians and nurses. However, the decentralized approach has also \nresulted in each site running a stand-alone version of VistA \\12\\ that \nis costly to maintain; in addition, data at the sites are not \nstandardized, which impedes the ability to exchange computable \ninformation. 
\\13\\\n---------------------------------------------------------------------------\n    \\12\\ VA has achieved an integrated medical information system \nthrough the use of the Computerized Patient Record System in VistA, \nwhere authorized users are able to access patient healthcare data from \nany VA medical facility.\n    \\13\\ Computable data are in a format that a computer application \ncan act on, for example, to provide alerts to clinicians (of such \nthings as drug allergies) or to plot graphs of changes in vital signs \nsuch as blood pressure. VA has standardized its pharmacy and allergy \ndata in its health data repository.\n---------------------------------------------------------------------------\n    Under the new organization structure, approval of development \nchanges for VistA will be centralized at the Veterans Health \nAdministration headquarters and then approved for development and \nimplementation by the Office of Information and Technology. The \ncommunications role of the Business Relationship Management Office is \nthus an important part of the processes needed to ensure that users\' \nrequirements will be addressed in system development.\n\n    Dedicating an implementation team to manage change. The department \nhas not addressed this success factor. A dedicated implementation team \nthat is responsible for the day-to-day management of a major change \ninitiative is critical to ensure that the project receives the focused, \nfull-time attention needed to be sustained and successful. \\14\\ VA has \nnot identified such an implementation team to manage the realignment. \nRather, the department is currently managing the realignment through \ntwo organizations: the Process Improvement Office under the Quality and \nPerformance Office (which will lead process improvements) and the \nOrganizational Management Office (which will advise and assist the CIO \nduring the final transformation to a centralized structure). 
However, \nthe Executive Director of the Organizational Management Office \\15\\ has \nrecently resigned his position, leaving one of the two responsible \noffices without leadership.\n---------------------------------------------------------------------------\n    \\14\\ GAO-07-844.\n    \\15\\ This official was previously the Director of the IT \nRealignment Office.\n---------------------------------------------------------------------------\n    In our view, having a dedicated implementation team to manage major \nchange initiatives is crucial to successful implementation of the \nrealignment. An implementation team can assist in tracking \nimplementation goals and identifying performance shortfalls or schedule \nslippages. The team could also provide continuity and consistency in \nthe face of any uncertainty that could potentially result from the \nSecretary\'s resignation.\n    Accordingly, in our recent report we recommended that the \ndepartment dedicate an implementation team to be responsible for change \nmanagement throughout the transformation and that it establish a \nschedule for the implementation of the management processes.\nDepartment Is Behind Schedule in Implementing IT Management Processes\n    As the foundation for its realignment, VA plans to implement 36 \nmanagement processes in five key areas: enterprise management, business \nmanagement, business application management, infrastructure, and \nservice support. These processes, which address all aspects of IT \nmanagement, were recommended by the department\'s realignment contractor \nand are based on industry best practices. \\16\\ According to the \ncontractor, they are a key component of the realignment effort as the \nOffice of Information and Technology moves to a process-based \norganization. 
Additionally, the contractor noted that with a system of \ndefined processes, the Office of Information and Technology could \nquickly and accurately change the way IT supports the department.\n---------------------------------------------------------------------------\n    \\16\\ Specifically, these processes are derived from the IT \nGovernance Institute\'s Control Objectives for Information and related \nTechnology (CobiT) and Information Technology \nInfrastructure Library (ITIL) as configured by the Process Reference \nModel for IT (PRM-IT) from a VA contractor.\n---------------------------------------------------------------------------\n    The department had planned to begin implementing the 36 management \nprocesses in March 2007; however, as of early May 2007, it had only \nbegun pilot testing two of these processes. \\17\\ The Deputy Director of \nthe Quality and Performance Office reported that the initial \nimplementation of the first two processes will begin in the second \nquarter of 2008.\n---------------------------------------------------------------------------\n    \\17\\ These are the risk management and solution test and acceptance \nprocesses.\n---------------------------------------------------------------------------\n    The Principal Deputy Assistant Secretary for Information and \nTechnology acknowledged that the department is behind schedule for \nimplementing the processes, but it has prioritized the processes and \nplans to implement them in three groups, in order of priority (see \nattachment 1 for a description of the processes and their \nimplementation priority). According to the Deputy Director of the \nQuality and Performance Office, the approach and schedule for process \nimplementation is currently under review. Work on the 10 processes \nassociated with the first group is under way, and implementation plans \nand timeframes are being revised. 
This official told us that initial \nplanning meetings have occurred and primary points of contact have been \ndesignated for the financial management and portfolio management \nprocesses, which are to be implemented as part of the first group. The \ndepartment also noted that it will work to meet its target date of July \n2008 for the realignment, but that all of the processes may not be \nfully implemented at that time.\n    According to the Principal Deputy Assistant Secretary for \nInformation and Technology, the department has fallen behind schedule \nwith process implementation for two reasons:\n\n    <bullet>  The department underestimated the amount of work required \nto redefine the 36 process areas. Process charters for each of the \nprocesses were developed by a VA contractor and provide an outline for \noperation under the new management structure. Based on its initial \nreview, the department found that the processes are complicated and \nmultilayered, involving multiple organizations. In addition, the \ncontractor provided process charters and descriptions based on a \ncommercial, for-profit business model, and so the department must \nreadjust them to reflect how VA conducts business.\n    <bullet>  With the exception of IT operations, the Veterans Health \nAdministration operates in a decentralized manner. For example, the \nbudget and spending for the medical centers are under the control of \nthe medical center directors. In addition, the Office of Information \nand Technology only has ownership over about 30 percent of all \nactivities within the financial management process. For example, some \nelements within this process area (such as tracking and reporting on \nexpenditures) are the responsibility of the department\'s Office of \nManagement; \\18\\ this office is accountable for VA\'s entire budget, \nincluding IT dollars. 
Thus, the Office of Information and Technology \nhas no authority to direct the Office of Management to take particular \nactions to improve specific financial management activities.\n---------------------------------------------------------------------------\n    \\18\\ The Assistant Secretary for Management, who leads the Office \nof Management, is the department\'s Chief Financial Officer.\n\n    The department faces the additional obstacle that it has not yet \nstaffed crucial leadership positions that are vital to the \nimplementation of the management processes. As part of the new \norganizational structure, the department identified 25 offices whose \nleaders will report to the five deputy assistant secretaries and are \nresponsible for carrying out the new management processes in daily \noperations. However, as of early September, 7 of the leadership \npositions for these 25 offices were vacant, and 4 were filled in an \nacting capacity. According to the Principal Deputy Assistant Secretary \nfor Information and Technology, hiring personnel for senior leadership \npositions has been more difficult than anticipated. With these \nleadership positions remaining vacant, the department will face \nincreased difficulties in supporting and sustaining the realignment \nthrough to its completion.\n    Until the improved processes have been implemented, IT programs and \ninitiatives will continue to be managed under previously established \nprocesses that have resulted in persistent management challenges. 
\nWithout the standardization that would result from the implementation \nof the processes, the department risks cost overruns and schedule \nslippages for current initiatives, such as VistA modernization, for \nwhich about $682 million has been expended through fiscal year 2006.\nVA Has Much Work Remaining To Resolve Long-Standing Security Weaknesses\n    Recognizing the importance of securing Federal systems and data, \nCongress passed the Federal Information Security Management Act (FISMA) \n\\19\\ in December 2002, which sets forth a comprehensive framework for \nensuring the effectiveness of information security controls over \ninformation resources that support Federal operations and assets. Using \na risk-based approach to information security management, the Act \nrequires each agency to develop, document, and implement an agencywide \ninformation security program for the data and systems that support the \noperations and assets of the agency. According to FISMA, the head of \neach agency has responsibility for delegating to the agency CIO the \nauthority to ensure compliance with the security requirements in the \nact. To carry out the CIO\'s responsibilities in the area, a senior \nagency official is to be designated chief information security officer \n(CISO).\n---------------------------------------------------------------------------\n    \\19\\ FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-\n347 (Dec. 17, 2002).\n---------------------------------------------------------------------------\n    The May 2006 theft from the home of a VA employee of a computer and \nexternal hard drive (which contained personally identifiable \ninformation on approximately 26.5 million veterans and U.S. military \npersonnel) prompted Congress to pass the Veterans Benefits, Healthcare, \nand Information Technology Act of 2006. 
\\20\\ Under the act, the VA\'s \nCIO is responsible for establishing, maintaining, and monitoring \ndepartmentwide information security policies, procedures, control \ntechniques, training, and inspection requirements as elements of the \ndepartmental information security program. The Act also includes \nprovisions to further protect veterans and servicemembers from the \nmisuse of their sensitive personally identifiable information. In the \nevent of a security incident involving personally identifiable \ninformation, VA is required to conduct a risk analysis, and on the \nbasis of the potential for compromise of personally identifiable \ninformation, the department may provide security incident \nnotifications, fraud alerts, credit monitoring services, and identity \ntheft insurance. Congress is to be informed regarding security \nincidents involving the loss of personally identifiable information.\n---------------------------------------------------------------------------\n    \\20\\ Veterans Benefits, Healthcare, and Information Technology Act \nof 2006, Pub. L. No. 109-461 (Dec. 22, 2006).\n---------------------------------------------------------------------------\n    In a report released last week, \\21\\ we stated that although VA has \nmade progress in addressing security weaknesses, it has not yet fully \nimplemented key recommendations to strengthen its information security \npractices. It has not implemented two of our four previous \nrecommendations and 20 of 22 recommendations made by the department\'s \ninspector general. Among the recommendations not implemented are our \nrecommendation that it complete a comprehensive security management \nprogram and inspector general recommendations to appropriately restrict \naccess to data, networks, and VA facilities; ensure that only \nauthorized changes are made to computer programs; and strengthen \ncritical infrastructure planning to ensure that information security \nrequirements are addressed. 
Because these recommendations have not yet \nbeen implemented, unnecessary risk exists that personally identifiable \ninformation of veterans and other individuals, such as medical \nproviders, will be exposed to data tampering, fraud, and inappropriate \ndisclosure.\n---------------------------------------------------------------------------\n    \\21\\ GAO-07-1019.\n---------------------------------------------------------------------------\n    The need to fully implement GAO and IG recommendations to \nstrengthen information security practices is underscored by the \nprevalence of security incidents involving the unauthorized disclosure, \nmisuse, or loss of personal information of veterans and other \nindividuals (see table 2). These incidents were partially due to \nweaknesses in the department\'s security controls. In these incidents, \nwhich include the May 2006 theft of computer equipment from an \nemployee\'s home (mentioned earlier) and the theft of equipment from \ndepartment facilities, millions of people had their personal \ninformation compromised.\n\n\n Table 2--Number of Incidents by Type Reported to VA\'s Network and Security Operations Center from January 2003\n                                                to November 2006\n----------------------------------------------------------------------------------------------------------------\n   Type of incident involving the loss of personal information       2003        2004        2005      2006 \\a\\\n----------------------------------------------------------------------------------------------------------------\nRecords lost or misplaced                                                19          58          41         316\n----------------------------------------------------------------------------------------------------------------\nRecords or hardware stolen                                                7           9          14          
65\n----------------------------------------------------------------------------------------------------------------\nImproper disposal of records                                             10          27          10          80\n----------------------------------------------------------------------------------------------------------------\nUnauthorized access                                                      60         120         112         255\n----------------------------------------------------------------------------------------------------------------\nUnencrypted e-mails sent                                                  8          13          16         170\n----------------------------------------------------------------------------------------------------------------\nUnintended disclosure or release                                         22          48          24         199\n----------------------------------------------------------------------------------------------------------------\nTotal number of incidents                                               126         275         217       1,085\n----------------------------------------------------------------------------------------------------------------\nSource: GAO analysis of VA data on incidents.\n\\a\\ Numbers reported are from January 1, 2006, to November 3, 2006.\n\n\n    While the increase in reported incidents in 2006 reflects a \nheightened awareness on the part of VA employees of their \nresponsibility to report incidents involving loss of personal \ninformation, it also indicates that vulnerabilities remain in security \ncontrols designed to adequately safeguard information.\n    Since the May 2006 security incident, VA has begun or has continued \nseveral major initiatives to strengthen information security practices \nand secure personally identifiable information within the department. 
\nThese initiatives include the realignment of its IT management \nstructure, as discussed earlier. Under the realignment, the management \nstructure for information security has changed. In the new \norganization, the responsibility for managing the program lies with the \nCISO/Director of Cyber Security (the CISO position has been vacant \nsince June 2006, with the CIO acting in this capacity), while the \nresponsibility for implementing the program lies with the Director of \nField Operations and Security. Thus, responsibility for information \nsecurity functions within the department is divided.\n    VA officials indicated that the heads of the two organizations are \ncommunicating about the department\'s implementation of security \npolicies and procedures, but this communication is not defined as a \nrole or responsibility for either position in the new management \norganization book, nor is there a documented process in place to \ncoordinate the management and implementation of the security program. \nBoth of these activities are key security management practices. Without \na documented process, policies or procedures could be inconsistently \nimplemented throughout the department, which could prevent the CISO \nfrom effectively ensuring departmentwide compliance with FISMA. Until \nthe process and responsibilities for coordinating the management and \nimplementation of IT security policies and procedures throughout the \ndepartment are clearly documented, VA will have limited assurance that \nthe management and implementation of security policies and procedures \nare effectively coordinated and communicated. Developing and \ndocumenting these policies and procedures are essential for achieving \nan improved and effective security management process under the new \ncentralized management model.\n    In addition to the realignment initiative, the department also has \nothers under way to address security weaknesses. 
These include \ndeveloping an action plan to correct identified weaknesses; \nestablishing an information protection program; improving its incident \nmanagement capability; and establishing an office to be responsible for \noversight of IT within the department. However, implementation \nshortcomings limit the effectiveness of these initiatives. For example:\n\n    <bullet>  VA\'s action plan has task owners assigned and is updated \nbiweekly, but department officials have not ensured that adequate \nprogress has been made to resolve items in the plan. Specifically, VA \nhas extended the completion date at least once for 38 percent of the \nplan items, and it did not have a process in place to validate the \nclosure of the items. In addition, although numerous items in the plan \nwere to develop or revise a policy or procedure, 87 percent of these \nitems did not have a corresponding task with an established timeframe \nfor implementation.\n    <bullet>  VA installed encryption software on laptops at facilities \ninconsistently; however, VA\'s directive on encryption did not address \nthe encryption of laptops that were categorized as medical devices, \nwhich make up a significant portion of the population of laptops at \nVeterans Health Administration facilities. In addition, the department \nhas not yet fully implemented the acquisition of software tools across \nthe department.\n    <bullet>  VA has improved its incident management capability since \nMay 2006 by realigning and consolidating two incident management \ncenters, and made a notable improvement in its notification of major \nsecurity incidents to U.S.-CERT (the U.S. 
Computer Emergency Readiness \nTeam), the Secretary, and Congress, but the time it took to send \nnotification letters to individuals was increased for some incidents \nbecause VA did not have adequate procedures for coordinating incident \nresponse and mitigation activities with other agencies and obtaining \nup-to-date contact information.\n    <bullet>  VA established the Office of IT Oversight and Compliance \nto conduct assessments of its facilities to determine the adequacy of \ninternal controls and investigate compliance with laws, policies, and \ndirectives and ensure that proper safeguards are maintained; however, \nthe office lacked a process to ensure that its examination of internal \ncontrols is consistent across VA facilities.\n\n    Until the department addresses recommendations to resolve \nidentified weaknesses and implements the major initiatives it has \nundertaken, it will have limited assurance that it can protect its \nsystems and information from the unauthorized use, disclosure, \ndisruption, or loss.\n    In our report released last week, we made 17 recommendations to \nassist the department in improving its ability to protect its \ninformation and systems. These recommendations included that VA \ndocument clearly defined coordination responsibilities for the Director \nof Field Operations and Security and the Director of Cyber Security and \ndevelop and implement a process for these officials to coordinate on \nthe implementation of IT security policies and procedures throughout \nthe department. 
We also made recommendations to improve the \ndepartment\'s ability to protect its information and systems, including \nthe development of various processes and procedures to ensure that \ntasks in the department\'s security action plans have timeframes for \nimplementation.\n    In summary, effectively instituting a realignment of the Office of \nInformation and Technology is essential to ensuring that VA\'s IT \nprograms achieve their objectives and that the department has a solid \nand sustainable approach to managing its IT investments. VA continues \nto work on improving such programs as information security and systems \ndevelopment. Yet we continue to see management weaknesses in these \nprograms and initiatives (many of a longstanding nature), which are the \nvery weaknesses that VA aims to alleviate with its reorganized \nmanagement structure. Until the department fully addresses the critical \nsuccess factors that we identified and carries out its plans to \nestablish a comprehensive set of improved management processes, the \nimpact of this vital undertaking will be diminished. Further, the \ndepartment may not achieve a solid and sustainable foundation for its \nnew IT management structure.\n    Mr. Chairman and Members of the Committee, this concludes our \nstatement. We would be happy to respond to any questions that you may \nhave at this time.\nContacts and Acknowledgements\n    For more information about this testimony, please contact Valerie \nC. Melvin at (202) 512-6304 or Gregory C. 
Wilshusen at (202) 512-6244 \nor by e-mail at melvinv@gao.gov or wilshuseng@gao.gov. Key contributions \nto this testimony were made by Barbara Oliver, Assistant Director; \nCharles Vrabel, Assistant Director; Barbara Collier, Nancy Glover, \nValerie Hopkins, Scott Pettis, J. Michael Resser, and Eric Trout.\n\n                               __________\n               Attachment 1. Key IT Management Processes\n                   To Be Addressed in VA Realignment\n    In the following table, the priority group number reflects the \norder in which the department plans to implement each group of \nprocesses, with one being the first priority group.\n\n\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                 IT management      Implementation\n                          Key area                                  process         priority group                       Description\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nEnterprise management                                                IT strategy                2   Addresses long- and short-term objectives, business\n                                                                                                     direction, and their impact on IT, the IT culture,\n                                                                                                        communications, information, people, processes,\n                                                                                                       
        technology, development, and partnerships\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                   IT management                2    Defines a structure of relationships and processes\n                                                                                                                  to direct and control the IT endeavor\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                 Risk management       See note a       Identifies potential events that may affect the\n                                                                                                             organization and manages risk to be within\n                                                                                                      acceptable levels so that reasonable assurance is\n                                                                                                     provided regarding the achievement of organization\n                                                                                                                                             objectives\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                    Architecture                2   Creates, maintains, promotes, and governs the use of\n                                                                      management                        IT architecture models and standards across and\n                                                                                                          
within the change programs of an organization\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                       Portfolio                1   Assesses all applications, services, and IT projects\n                                                                      management                    that consume resources in order to understand their\n                                                                                                                           value to the IT organization\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Security management               2         Manages the department\'s information security\n                                                                                                        program, as mandated by the Federal Information\n                                                                                                                Security Management Act (FISMA) of 2002\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                 IT research and                3         Generates ideas, evaluates and selects ideas,\n                                                                      innovation                               develops and implements innovations, and\n                                                                                                    continuously recognizes innovators and learning from\n                                                                                                               
                          the experience\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Project management                1   Plans, organizes, monitors, and controls all aspects\n                                                                                                        of a project in a continuous process so that it\n                                                                                                                                achieves its objectives\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nBusiness management                                                  Stakeholder                1   Manages and prioritizes all requests for additional\n                                                                    requirements                            and new technology solutions arising from a\n                                                                      management                                                       customer\'s needs\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                        Customer                3         Determines whether and how well customers are\n                                                                    satisfaction                            satisfied with the services, solutions, and\n                                                                      management                                     offerings from the providers of 
IT\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                       Financial                1   Provides sound stewardship of the monetary resources\n                                                                      management                                                    of the organization\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Service pricing and               3            Establishes a pricing mechanism for the IT\n                                                                        contract                       organization to sell its services to internal or\n                                                                  administration                     external customers and to administer the contracts\n                                                                                                          associated with the selling of those services\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                               Service marketing                3         Enables the IT organization to understand the\n                                                                       and sales                       marketplace it serves, to identify customers, to\n                                                                                                             ``market\'\' to these customers, to generate\n                                                                                                    ``marketing\'\' plans for IT services and support 
the\n                                                                                                       ``selling\'\' of IT services to internal customers\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                      Compliance                2          Ensures adherence with laws and regulations,\n                                                                      management                      internal policies and procedures, and stakeholder\n                                                                                                                                            commitments\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                Asset management                1    Maintains information regarding technology assets,\n                                                                                                    including leased and purchased assets, licenses, and\n                                                                                                                                              inventory\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                       Workforce                2    Enables an organization to provide the optimal mix\n                                                                      management                    of staffing (resources and skills) needed to provide\n                                                                                                     the agreed-on IT services at the agreed-on 
service\n                                                                                                                                                 levels\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                   Service-level                2     Manages service-level agreements and performs the\n                                                                      management                       ongoing review of service achievements to ensure\n                                                                                                         that the required and cost-justifiable service\n                                                                                                           quality is maintained and gradually improved\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                      IT service                1        Ensures that agreed-on IT services continue to\n                                                                      continuity                        support business requirements in the event of a\n                                                                      management                                             disruption to the business\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                        Supplier                3   Develops and exercises working relationships between\n                                                                    relationship                     the IT organization and suppliers in order to 
make\n                                                                      management                      available the external services and products that\n                                                                                                      are required to support IT service commitments to\n                                                                                                                                              customers\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                       Knowledge                3       Promotes an integrated approach to identifying,\n                                                                      management                    capturing, evaluating, categorizing, retrieving, and\n                                                                                                    sharing all of an organization\'s information assets\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nBusiness application management                                         Solution                2   Translates provided customer (business) requirements\n                                                                    requirements                             and IT stakeholder-generated requirements/\n                                                                                                    constraints into solution-specific terms, within the\n                                                                                                       context of a defined solution project or 
program\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                               Solution analysis                1   Creates a documented design from agreed-on solution\n                                                                      and design                    requirements that describes the behavior of solution\n                                                                                                       elements, the acceptance criteria, and agreed-to\n                                                                                                                                           measurements\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                  Solution build                3       Brings together all the elements specified by a\n                                                                                                      solution design via customization, configuration,\n                                                                                                        and integration of created or acquired solution\n                                                                                                                                             components\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                               Solution test and       See note a            Validates that the solution components and\n                                                                      acceptance                                 integrated solutions conform to 
design\n                                                                                                      specifications and requirements before deployment\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nInfrastructure                                                 Service execution                2   Addresses the delivery of operational services to IT\n                                                                                                     customers by matching resources to commitments and\n                                                                                                          employing the IT infrastructure to conduct IT\n                                                                                                                                             operations\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                Data and storage                3      Ensures that all data required for providing and\n                                                                      management                    supporting operational service are available for use\n                                                                                                        and that all data storage facilities can handle\n                                                                                                      normal, expected fluctuations in data volumes and\n                                                                                                     other parameters within their designed 
tolerances.\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                Event management                3   Identifies and prioritizes infrastructure, service,\n                                                                                                      business and security events, and establishes the\n                                                                                                                  appropriate response to those events.\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                    Availability                3   Plans, measures, monitors, and continuously strives\n                                                                      management                    to improve the availability of the IT infrastructure\n                                                                                                    and supporting organization to ensure that agreed-on\n                                                                                                                      requirements are consistently met\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Capacity management               3           Matches the capacity of the IT services and\n                                                                                                    infrastructure to the current and future identified\n                                                                                                                                  needs of the 
business\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Facility management               1     Creates and maintains a physical environment that\n                                                                                                     houses IT resources and optimizes the capabilities\n                                                                                                                          and costs of that environment\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nService support                                                Change management                1        Manages the life cycle of a change request and\n                                                                                                       activities that measure the effectiveness of the\n                                                                                                     process and provides for its continued enhancement\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Release management                1       Controls the introduction of releases (that is,\n                                                                                                          changes to hardware and software) into the IT\n                                                                                                         production environment through a strategy that\n                                                                                                         minimizes the risk associated with the 
changes\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                   Configuration                1     Identifies, controls, maintains, and verifies the\n                                                                      management                              versions of configuration items and their\n                                                                                                                relationships in a logical model of the\n                                                                                                                            infrastructure and services\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                                    User contact                3    Manages each user interaction with the provider of\n                                                                      management                                   IT service throughout its life cycle\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Incident management               2   Restores a service affected by any event that is not\n                                                                                                       part of the standard operation of a service that\n                                                                                                          causes or could cause an interruption to or a\n                                                                                                               reduction in the quality of that 
service\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n                                                              Problem management                2      Resolves problems affecting the IT service, both\n                                                                                                                             reactively and proactively\n--------------------------------------------------------------------------------------------------------------------------------------------------------\nSource: GAO.\n\\a\\ The department indicated that this process had completed a pilot, but did not assign it to a priority group.\n\n\n                               __________\n  Appendix III: Information on Selected Security Incidents at VA from \n                     December 2003 to January 2007\n    The Department of Veterans Affairs (VA) had at least 1500 security \nincidents reported between December 2003 and January 2007 which \nincluded the loss of personal information. Below is additional \ninformation on a selection of incidents, including all publicly \nreported incidents subsequent to May 3, 2006, that were reported to the \ndepartment during this period and what actions it took to respond to \nthese incidents. These incidents were selected from data obtained from \nVA to provide illustrative examples of the incidents that occurred at \nthe department during this period.\n\n    <bullet>  December 9, 2003: stolen hard drive with data on 100 \nappellants. A VA laptop computer with benefit information on 100 \nappellants was stolen from the home of an employee working at home. As \na result, the agency office was going to recall all laptop computers \nand have encryption software installed by December 23, 2003.\n\n    <bullet>  November 24, 2004: unintended disclosure of personal \ninformation. 
A public drive on a VA e-mail system permitted entry to \nfolders/files containing veterans\' personal information (names, Social \nSecurity numbers, dates of birth, and in some cases personal health \ninformation such as surgery schedules, diagnosis, status, etc.) by all \nusers after computer system changes were made. All folders were \nrestricted, and individual services were contacted to set up limited \naccess lists.\n\n    <bullet>  December 6, 2004: two personal computers containing data \non 2,000 patients stolen. Two desktop personal computers were stolen \nfrom a locked office in a research office of a medical center. One of \nthe computers had files containing names, Social Security numbers, next \nof kin, addresses, and phone numbers of approximately 2,000 patients. \nThe computers were password protected by the standard VA password \nsystem. The medical center immediately contacted the agency Privacy \nOfficer for guidance. Letters were mailed to all research subjects \ninforming them of the computer theft and potential for identity theft. \nVA enclosed letters addressed to three major credit agencies and \npostage paid envelopes. This incident was reported to VA and Federal \nincident offices.\n\n    <bullet>  March 4, 2005: list of 897 providers\' Social Security \nnumbers sent via e-mail. An individual reported e-mailing a list of 897 \nproviders\' names and Social Security numbers to a new transcription \ncompany. This was immediately reported, and the supervisor called the \ntranscription company and spoke with the owner and requested that the \nfile be destroyed immediately. Notification letters were sent out to \nall 897 providers. Disciplinary action was taken against the employee.\n\n    <bullet>  October 14, 2005: personal computer containing data on \n421 patients stolen. A personal computer that contained information on \n421 patients was stolen from a medical center. 
The information on the \ncomputer included patients\' names; the last four digits of their Social \nSecurity numbers; and their height, weight, allergies, medications, \nrecent lab results, and diagnoses. The agency\'s Privacy Officer and \nmedical center information security officer were notified. The use of \ncredit monitoring was investigated, and it was determined that because \nthe entire Social Security number was not listed, it would not be \nnecessary to use these services at the time.\n\n    <bullet>  February 2, 2006: inappropriate access of VA staff \nmedical records. A VA staff member accessed several coworkers\' medical \nrecords to find date of birth. Employee information was compromised and \nseveral records were accessed on more than one occasion. No resolution \nrecorded.\n\n    <bullet>  April 11, 2006: suspected hacker compromised systems with \nemployee\'s assistance. A former VA employee is suspected of hacking \ninto a medical center computer system with the assistance of a current \nemployee providing rotating administrator passwords. All systems in the \nmedical center serving 79,000 veterans were compromised.\n\n    <bullet>  May 5, 2006: missing backup tape with sensitive \ninformation on 7,052 individuals. An office determined it was missing a \nbackup tape containing sensitive information. On June 29, 2006, it was \nreported that approximately 7,052 veterans were affected by the \nincident. On October 11, 2006, notification letters were mailed, and \n5,000 veterans received credit protection and data breach analysis for \n2 years.\n\n    <bullet>  August 3, 2006: desktop computer with approximately \n18,000 patient financial records stolen. A desktop computer was stolen \nfrom a secured area at a contractor facility in Virginia that processes \nfinancial accounts for VA. The desktop computer was not encrypted. 
\nNotification letters were mailed and credit monitoring services \noffered.\n\n    <bullet>  September 6, 2006: laptop with patient information on an \nunknown number of individuals stolen. A laptop attached to a medical \ndevice at a VA medical center was stolen. It contained patient \ninformation on an unknown number of individuals. Notification letters \nand credit protection services were offered to 1,575 patients.\n\n    <bullet>  January 22, 2007: external hard drive with 535,000 \nindividual records and 1.3 million non-VA physician provider records \nmissing or stolen. An external hard drive used to store research data \nwith 535,000 individual records and 1.3 million non-VA physician \nprovider records was discovered missing or stolen from a research \nfacility in Birmingham, Alabama. Notification letters were sent to \nveterans and providers, and credit monitoring services were offered to \nthose individuals whose records contained personally identifiable \ninformation.\n\n                                 <F-dash>\n              Prepared Statement of Hon. Robert T. Howard,\n                Assistant Secretary for Information and\n               Technology and Chief Information Officer,\n   Office of Information and Technology, U.S. Department of Veterans \n                                Affairs\n    Thank you, Mr. Chairman. I would like to thank you for the \nopportunity to testify on the realignment progress in the Office of \nInformation and Technology (OIT).\n    This is such a crucial issue, and I appreciate the Committee\'s \ninterest. With me today from OIT is Arnie Claudio (Director, Oversight \nand Compliance). 
I am also accompanied by:\n\n    <bullet>  Adair Martinez (Deputy Assistant Secretary for \nInformation Protection and Management)\n    <bullet>  Jeff Shyshka (Deputy CIO for Enterprise Operations and \nInfrastructure)\n\n    And on a separate panel will be Paul Tibbits (Deputy CIO for \nEnterprise Development).\n    Firstly, I would like to thank you, Mr. Chairman, for giving me the \nopportunity to testify about the progress being made in OIT\'s \nrealignment. This Committee has demonstrated great support for and \ninterest in this issue, and we genuinely appreciate it.\n    Last week, during a similar hearing conducted by the Senate \nCommittee on Veterans\' Affairs, I began by talking about my top seven \npriorities as Assistant Secretary for the Office of Information and \nTechnology. Today, I would like to do that again as these priorities \nare guiding the realignment process we see taking place. Briefly, they \ninclude (1) establishing a well-led, high-performing, IT organization \nthat delivers responsive IT support to the three Administrations and \nCentral Office staff sections; (2) standardizing IT infrastructure and \nIT business processes throughout VA; (3) establishing programs that \nmake VA\'s IT system more interoperable and compatible; (4) effectively \nmanaging the VA IT appropriation to ensure sustainment and \nmodernization of our IT infrastructure and more focused application \ndevelopment to meet increasing and changing requirements of our \nbusiness units; (5) strengthening data security controls within VA and \namong our contractors in order to substantially reduce the risk of \nunauthorized exposure of veteran or VA employee sensitive personal \ninformation; (6) creating an environment of vigilance and awareness to \nthe risks of compromising veteran or employee sensitive personal \ninformation within the VA by integrating security awareness into daily \nactivities; and (7) remedying the Department\'s longstanding IT material \nweaknesses 
relating to a general lack of security controls. I assure \nyou that we are working hard to give these priorities the required \nattention.\n    As you know, the Government Accountability Office (GAO) recently \nreleased a report on our realignment progress and correctly identified \nthat there is more work to be done to have a successful transition from \na decentralized to a centralized organization. We have already begun \nimplementing some of their recommendations such as establishing an IT \ngovernance plan, continuing with process development, and expediting \nthe development of performance metrics to track realignment progress. \nImplementing these recommendations will certainly aid in the \nrealignment.\n    We have made, I believe, solid progress in other areas of this \nrealignment. We have dramatically improved incident response because of \nthe significant amount of policy guidance and training conducted on \ninformation protection. Since we have begun this, we have seen an \nincrease in self-reporting security and privacy violations and \nincidents. We are also making great improvements in the area of data \nprotection by encrypting over 18,000 laptops, implementing procedures \nfor issuing encrypted portable data storage devices, purchasing \nsoftware to address the encryption of data at-rest this month, reducing \nthe use of Social Security numbers, and reviewing and eliminating a \nsignificant amount of personally identifiable information VA currently \nholds. Regarding these last two points, VA has drafted two documents \noutlining plans to achieve both these goals. These plans were developed \nin accordance with the Office of Management and Budget (OMB) Memorandum \nM-07-16, ``Safeguarding Against and Responding to the Breach of \nPersonally Identifiable Information\'\' and will be included in this \nyear\'s Federal Information Security Management Act (FISMA) report. 
\nRegarding the FISMA report, not only will we submit one this year, (we \ngot an incomplete last year), but we have, for the first time, \ncompleted testing of over 10,000 security controls on our 603 computer \nsystems. Mr. Chairman, you will be pleased to know that we recently \nawarded a contract for extensive port monitoring, which will help us \nbetter control network access--a very important tool in our information \nprotection toolkit.\n    Through this realignment, we are also addressing the critical issue \nof asset management. As you remember, the House Veterans\' Affairs \nOversight and Investigations Committee recently held a hearing on VA\'s \nIT asset management based on a GAO report (report 07-505) which found \ninadequate controls and risk associated with theft, loss, and \nmisappropriation of IT equipment at selected VA locations. In that \nreport, GAO found many problems regarding the IT asset management \nenvironment and included a number of important recommendations--with \nwhich we agree and are implementing. We have completed a handbook on \nthe Control of Information Technology Equipment within the VA which \nincludes each of the recommendations made by GAO in its report. These \ndocuments are now being finalized within the Department, but we have \nalready implemented the procedures they describe. They will provide \nclear direction on all aspects of IT asset management.\n    For the past 6 months, tightening IT inventory control throughout \nVA has been the focus of a cross-functional Tiger Team. In addition, VA \nhas issued a memorandum requiring each VA facility to complete, by the \nend of December of this year, a wall-to-wall inventory of all IT \nequipment assets, including sensitive items, regardless of cost. \nReporting requirements have been established at the Facility, Regional \nand Field Operations levels to ensure that issues are identified and \naddressed early in the process. 
By way of support, we have established \nan IT Inventory Control Knowledge Center that is accessible by all VA \npersonnel. This website provides references, templates, definitions, \nfrequently asked questions and a link to contact the Tiger Team \ndirectly. Also, the Office of Oversight and Compliance is working with \nTiger Team members to develop a compliance checklist that will be used \nfor scheduled and unscheduled audits regarding IT assets. This initial \ninventory will help provide a VA IT asset baseline--something that has \nnot existed before and is a direct result of the realignment.\n    Lastly, an important and fair question to ask regarding this \nrealignment is how has it impacted the delivery of healthcare and \nbenefits to our veterans. In my opinion, there has been no significant \nchange in these two areas--which was a key objective of this \nreorganization--to do no harm. This is not to say we have not had \nproblems--we have. But we have also experienced improvements in our \nability to gain knowledge over IT activities that were not very visible \nin the past, in IT funding details across the VA, and in our ability to \nprotect the sensitive information of our veterans.\n    In closing, I want to assure you, Mr. Chairman, that a successful \nrealignment in OIT is a key goal within the VA. I have good people in \nmy office who all share this commitment and work hard to achieve it. We \nhave accomplished many things this past year but more remains to be \ndone. I appreciate having this opportunity to discuss this with you and \nwill gladly respond to your questions.\n\n                                 <F-dash>\n                 Prepared Statement of Arnaldo Claudio\n       Executive Director, Office of IT Oversight and Compliance\n   Office of Information and Technology, U.S. Department of Veterans \n                                Affairs\n    Thank you, Mr. Chairman and Members of the Committee. 
I appreciate \nthe opportunity to speak with you today on the topic of the \nDepartment\'s Information Technology (IT) reorganization and to share \nwith you the impact and progress that the Department of Veterans \nAffairs (VA) has achieved as a result of the establishment of the \nOffice of IT Oversight and Compliance (ITOC).\n    ITOC was established in February of 2007, as a response to the need \nfor the VA to enhance the protection of our veterans\' sensitive \ninformation. This concept was initially addressed by Professor Eugene \nH. Spafford, during his Congressional testimony shortly after the data \nbreach of May 2006; and later by the IBM study in their December 2006 \npublication entitled: High Level Target Organizational Structure on \nVA\'s IT realignment. Furthermore, in February of 2007, Secretary \nNicholson conveyed a strong message regarding the importance of \nproactively identifying, addressing and mitigating any risks that could \njeopardize the potential loss of veterans\' sensitive information.\n    To fulfill this vital requirement, ITOC is charged with providing \nindependent, objective, and quality oversight and compliance assessment \nservices in the area of information and technology to include Cyber \nSecurity, Records Management, Privacy and Physical Security.\n    The concept of ITOC is not entirely new to VA. Prior to ITOC\'s \nestablishment, a smaller scale initiative collocated within the Office \nof Cyber and Information Security (OCIS) known as the Review Inspection \nDivision (RID) existed.\n    In October 2002, the RID was created to fulfill the requirements \nset by the Office of Management and Budget (OMB), VA Directive 6210, VA \npolicy and Departmental commitments to Congress, which mandated \nsecurity audits (reviews and inspections) be conducted at every VA \nfacility on a recurring basis. 
Although RID was given a mission to \nreview the entire Department\'s cyber and information security program \nat all VA facilities, it was never given sufficient resources and \nauthority to carry out all but a small fraction of these tasks. \nStaffing was inadequate with only five VA employees and a handful of \ncontractors. Considering VA has over 1200 sites, RID was given an \nimpossible task to perform. In addition, none of the detailed reports \ncreated and forwarded to OCIS senior management were approved or \nforwarded to sites.\n    Today with the establishment of ITOC, that is no longer the case. \nWe are now resourced and equipped to identify issues and to address our \nobservations immediately after the completion of our assessments with \nthe hospital leadership including the facility Director, Chief \nInformation Officer, Information Security Officer, Privacy Officer and \nother important members of the hospital staff; and thereafter, we \nreport our findings directly to the VA CIO Mr. Robert Howard. The ITOC \nhas the robustness and appropriate strategic planning, focus, and \nvision necessary to successfully address the new paradigm facing VA.\n    Since its creation earlier this year, ITOC has grown from 7 to 128 \nemployees and, by the end of Phase 2 in FY 2009, it is expected to have \na total workforce of 165 employees. This is in itself a success story. \nMost government programs take years before they can be stood up and \nbecome fully operational. Our employees have been selected from a pool \nof talented subject matter experts from both industry and government.\n    The ITOC has achieved a great deal in just a few months and it is \nalready showing dramatic results and measurable benefits across VA. 
As \nof today, we have conducted over 100 assessments--a rate of 18 to 20 \nassessments per month, versus 2 per month compared to our predecessor \norganization.\n    We have experienced our share of significant challenges--but none \nso far that have proven impossible. The assessments performed by my \nstaff are very thorough. We are working together with VHA, VBA and NCA \nto correct and eliminate the existing deficiencies found by the \nInspector General (IG) and the General Accounting Office (GAO) over the \nlast few years.\n    As Executive Director, for the Office of IT Oversight and \nCompliance at VA, but first and foremost, as a veteran, I truly feel \nthe responsibility for ensuring compliance with the integrity and \nsecurity of VA\'s sensitive information and IT assets. I understand that \nsecurity awareness is a paradigm change--a change to our business \noperations culture and simply the way we do things. My staff and I have \nfound that the field facilities welcome our independent and objective \nassessments as the leadership across VA continues to drive home, to \neach employee, the importance of securing sensitive information. I am \nprepared to answer your questions today about what the Office of IT \nOversight and Compliance is doing to effect real change to improve VA\'s \nFISMA scorecard, as well as how we are working together with other VA \nAdministrations to mentor, train, coach and optimize our valuable \nresources to better serve our Nation\'s veterans.\n    In closing, I want to assure you, Mr. Chairman, and the members of \nthis Committee that we will continue to be diligent in our efforts to \nimprove and remedy VA\'s Information Technology environment. Thank you \nfor your time and the opportunity to speak on this issue. I would be \nhappy to answer any questions you may have.\n\n                                 <F-dash>\n              Prepared Statement of Paul A. 
Tibbits, M.D.\n   Deputy Chief Information Officer, Office of Enterprise Development\n   Office of Information and Technology, U.S. Department of Veterans \n                                Affairs\n    Thank you, Mr. Chairman. I would like to thank you for the \nopportunity to testify on the realignment progress in the Office of \nInformation and Technology (OIT) and to share with you the progress \nmade in VA as a result of the centralization of IT development \nactivities.\n    Joining me on this panel is Dr. Ben J. Davoren, Director, Clinical \nInformatics, from our San Francisco Medical Center.\n    This Committee has demonstrated great support for and interest in \nIT in the VA, and we genuinely appreciate it.\n    You have just heard testimony from Assistant Secretary Howard \nregarding the GAO report on our realignment progress and the need for \nmore work to be done to achieve successful transition from a \ndecentralized to a centralized organization. While General Howard \nfocused on the information protection aspects of the realignment, I \nwould like to share with you our progress in establishing an IT \ngovernance plan, strengthening development process improvement efforts, \nand fostering innovation.\n    You have also heard General Howard refer to his seven (7) \npriorities and how they are guiding the realignment process. I would \nlike to talk more about those priorities that have special significance \nto the Office of Enterprise Development. 
They include (1) establishing \na well-led, high-performing, IT organization that delivers responsive \nIT support to the three Administrations and Central Office staff \nsections; (2) standardizing IT infrastructure and IT business processes \nthroughout VA; (3) establishing programs that make VA\'s IT system more \ninteroperable and compatible; (4) effectively managing the VA IT \nappropriation to ensure sustainment and modernization of our IT \ninfrastructure and more focused application development to meet \nincreasing and changing requirements of our business units.\nCIO Priorities\n    First, with respect to establishing a well-led, high-performing IT \norganization that delivers responsive IT support to the three \nAdministrations and Staff Offices, we are pursuing improvement of the \ndevelopment workforce throughout the Office of Enterprise Development. \nIn so doing, development staff will be better prepared to act as \nknowledgeable consultants at the local level to assist healthcare \nproviders in development of innovative software solutions that are \nlikely to be technically sound and ready for national deployment.\n    To improve the capability of the VA IT development workforce we are \ninstituting real-time coaching and mentoring by industry experts in \nbest practices for systems development, to institutionalize these \npractices at the VA.\n    Improving workforce capability increases the staff\'s readiness to \nperform critical development processes, increases the likelihood of \nachieving desired results from performing the processes, and allows the \nVA to realize the benefits from the investment in process improvement \nfor all VA facilities.\n    Second, with respect to standardizing IT infrastructure and IT \nbusiness processes throughout VA, standardization of these processes \nprovides the baseline for measuring the effectiveness of its \ndevelopment process. 
It is the first step to reduce time to deliver \napplications, reduce costs to develop applications, implement business-\ndriven process performance measures, and increase productivity of the \ndevelopment workforce. And it is hard work.\n    For the IT development organization, our standardized processes are \nbased on industry best practices as codified in the Capability and \nMaturity Models from the Software Engineering Institute for both \nsoftware development and workforce competency. We are using independent \nindustry to guide us through this self-improvement initiative.\n    Third, let me address establishing programs that make VA\'s IT \nsystem more interoperable and compatible. Interoperability begins with \na common understanding of terminology. To establish this with \nsufficient precision, the IT development organization is collaborating \nclosely with the Administrations in the use of business modeling to \nprovide a uniform basis for developing a shared understanding of a new \nway to serve veterans and the information required to do so.\n    Next we are engaging with the Administrations and with DoD to \nstrengthen and accelerate data standardization activities within VA and \nwith DoD. We are exploring ways to focus on high priority patient \ngroups, such as traumatic brain injury and post traumatic stress \ndisorder, while continuing the hard work of semantic analysis and \nreconciliation and the consolidation of multiple data feeds between VA \nand DoD.\n    Fourth, we are focused on managing the VA IT appropriation to \nensure sustainment and modernization of our IT infrastructure and more \nfocused application development to meet increasing and changing \nrequirements of our business units. We are applying life cycle and \ntotal cost of ownership management practices to all development \nprojects, to account for all costs of implementation and operations, as \na foundation for budget formulation. 
We are moving toward clear, line-\nof-sight alignment with the VA strategic plan and the Performance \nAccountability Report by reshaping our OMB 300 exhibits in FY 2010, \ncreating the first multi-year IT budget, and strengthening our \nrelationship with the requirements processes of the Administrations and \nStaff offices.\nGovernance\n    We have established a participative, transparent IT governance \nprocess at the senior executive level of the VA. Decisionmakers at the \nVA were not equipped with the framework for understanding the relative \nimportance of one dimension of project performance with respect to \nothers, leading to a bias toward financial metrics during process \nprioritization. Decisionmakers lacked key information with respect to \nproject benefits and total cost to make effective decisions on \npriorities. We have created a set of organizational principles and \ngovernance structures and practices that surface business strategy; \nfacilitate accurate project cost, benefit, and risk estimation; and \nprovide a decisionmaking framework that focuses attention on a subset \nof the most critical projects and delivers timely, accurate information \nto the VA\'s senior decisionmakers.\n    We are strengthening the use of earned value systems in our large \nprograms. 
We have undertaken independent assessment of the soundness of \nour approach to managing certain IT development projects and will \nexpand this activity.\n    We are developing management dashboards to implement early warning \nof issues with system development:\n\n    <bullet>  Project/program Status--tracking of project performance \nas compared to cost, schedule, and scope estimates.\n    <bullet>  Project/program data quality--Assesses the quality of \nsoftware releases, through analysis of defects found and problems \nnoted.\n    <bullet>  Project/program Return on Investment (ROI), earned value, \nand risk management--Compares real program ROI with estimated ROI, and \nuses earned value to serve as a leading indicator of deviation from \nforecasted cost and schedule.\n    <bullet>  Portfolio resource allocation--Determines the application \nof financial resources to various projects, to balance production \nacross multiple related initiatives.\n    <bullet>  Portfolio timelines--Provides an integrated view of \nprogram timelines, highlighting the programs that will attain \nsignificant milestones or be complete by a specific future date.\n    <bullet>  Portfolio mix--Displays the mix of project spending among \ngroups of related software applications.\n\n    We are focusing intense effort on managing the execution of funds \nin accordance with established plans, to ensure projects are adequately \nresourced, and learning lessons for improvements next year.\nPromote innovation\n    Challenges. The Secretary has migrated all IT activities under a \nsingle leadership authority, in part due to the need to drive \nstandardization and interoperability of applications and infrastructure \nacross VA. 
We need application development plans that employ industry \nbest practices and have the potential to accelerate the successful \ncompletion of IT projects, including implementation across the VA.\n    The centralized IT budget (the single IT appropriation) sets a \ncontext for competition among new ideas, since some are not affordable. \nThis creates the perception at the hospital that many good ideas are \ndisregarded despite ``local needs\'\', and that the flexibility available \nto VISN and hospital directors to use healthcare funds for IT is a \nconstraint. This view disregards the rest of the story. Solutions \ndeveloped locally were rarely deployed across all VA medical centers, \nresulting in some centers not getting the advantage of these IT \ncapabilities. Furthermore, many needs were thought of as local, when in \nfact they were enterprise-wide requirements, such as reports to support \nJoint Commission accreditation visits.\n    Under the single IT authority and single IT appropriation, we \noperate in an environment of financial transparency. Funds dedicated to \nsustainment, extending legacy systems to meet urgent needs of returning \nwarriors, and to modernize our computing environment are now visible to \nsenior VA executives. We have no formal mechanism to allocate funds to \nIT innovation. Unmanaged local innovation makes the implementation of \nenterprise solutions very difficult. Many IT products are operating in \nvarious VAMCs, with no support mechanism to proliferate the more \nsuccessful of them to all other medical centers.\n    In close collaboration with VHA, we are moving to create a \nmechanism to deal with this challenge. We have developed a process to \nidentify new ideas at the local level, facilitate collaboration among \nfield developers and VAMC healthcare professionals, to develop new \nsoftware products in a non-production environment in an unconstrained \nmanner. 
In order to enter the live production environment and assure \ndeployability across all VA sites, certain technical, business value, \nsecurity, and patient safety assessments will be made and any \nremediation necessary applied. There are effectively no constraints on \nthe trial development of new IT solutions; there are disciplined \nassessments prior to VA-wide implementation to assure safety and \ncontinuity of operations of the IT production environment.\n    The migration from the VistA legacy system to the HealtheVet \nplatform entails complex development, a new programming medium, a new \narchitecture, and establishment of a veteran-centric medical record \nversus the facility-centric nature of VistA. This form of innovation \nmust be centrally managed. It is too large for local initiatives alone \nto accomplish. In addition, some forms of new IT support require an \nanalysis of end-to-end processes to serve veterans, such as transition \nfrom DoD to VA, again not easily accomplished at the local level when \ncomplex data standardization and security issues are involved. We are \nattempting to strike the right balance.\n    Effective communication is critical to successful organizational \nchange. The migration of IT development personnel under a single IT \nauthority will need to be supported by a focused communications \nstrategy and plan to avoid disruption to VA\'s business operations and \nto achieve the benefits of the new organization.\n    We are strengthening our communications strategy for the \ndevelopment staff.\n    There has been no significant change in the delivery of healthcare \nand benefits to veterans with this realignment. We have had some \nproblems, but we have also gained valuable visibility over unknown IT \nactivities--a definite improvement. We also now know more about IT \nfunding details across the VA and have a greater ability to protect the \nsensitive veterans\' information.\n    In closing, let me say that we want your ideas. 
I want to assure \nyou, Mr. Chairman, that a successful realignment of IT development \nactivities is a key goal within the VA. We have accomplished many \nthings this past year but more remains to be done. I appreciate having \nthis opportunity to discuss this with you and will gladly respond to \nyour questions.\n\n                                 <F-dash>\n           Prepared Statement of J. Ben Davoren, M.D., Ph.D.,\n                   Director of Clinical Informatics,\n             San Francisco Veterans Affairs Medical Center,\n  Veterans Health Administration, U.S. Department of Veterans Affairs\n    Good morning, Mr. Chairman and Members of the Committee. Thank you \nfor this opportunity to provide my personal perspective of the Veterans \nAffairs Office of Information and Technology (OI&T) reorganization that \nbegan in 2005. The views that I present today are my own and do not \nnecessarily represent the views of the VA Medical Center San Francisco, \nVeterans Integrated Service Network (VISN) 21, or the Veterans Health \nAdministration.\n    I would like to preface my testimony with VHA and OI&T\'s mutual \ngoals, and principles in the facilitation of the reorganization. In \naddition, the testimony will discuss realignment concerns I believe \nwere voiced from the field in 2005, my views of the impact of the \nrealignment on Veterans Health Administration\'s (VHA) missions, and the \nregional computer system downtime of August 31, 2007, as a paradigm.\nMutual Goals and Principles\n    As described in a GAO interim report of June 2007, the primary \ngoals of the OI&T reorganization were to centralize IT management under \na department-level Chief Information Officer, to standardize \noperations, and the development of systems across the Department using \nnew management processes based on industry best practices. The VA \nInspector General reported that the lack of a centralized structure was \na major impediment to successful IT management. 
Events related to the \nloss or potential loss of sensitive information reinforced VA\'s need to \nreorganize IT, especially in terms of data security processes.\n    The OI&T stated principles for the reorganization process were \nthat:\n\n    <bullet>  A single IT leadership management system would facilitate \nachievement of enterprise strategic objectives, standardization, \ncompatibility, interoperability, and fiscal discipline;\n    <bullet>  A process-focused organization and IT management system \nwould be aligned with best practices for IT processes, roles, metrics, \nand governance;\n    <bullet>  Strong integration between OI&T and the business offices \n(VHA, Veterans Benefit Administration, National Cemetery \nAdministration, and Staff Offices) would set IT strategy, determine \nrequirements, and implement solutions;\n    <bullet>  Approaches to legacy and new application development \nwould be synchronized;\n    <bullet>  New process-based organizational structure for the Office \nof the Assistant Secretary for Information and Technology would be \ndefined; and\n    <bullet>  IT realignment would transform VA into a service-based IT \norganization with a client-centric IT model that aligned IT with VA \nbusiness needs, priorities, and mission.\nConcerns Voiced From the Field in 2005\n    In response to the Secretary\'s proposals for IT realignment, I \nbelieve that employees at some medical centers expressed a number of \nconcerns about the details of the plan. In particular, I believe they \nfelt that the regionalization of IT resources would create new points \nof failure that could not be controlled by the sites experiencing the \nimpact, and that the system redundancy required to prevent this was \nnever listed as a prerequisite to centralization of critical patient \ncare IT resources. 
From my point of view as the Director of Clinical \nInformatics, it was clear to me that the focus of reorganization/\nrealignment was on technical relationships and not on how the missions \nof VHA would be communicated to the new OI&T structure. For example, \nrealignment success metrics were focused on Regional Data Processing \nCenter (RDPC) deliverables rather than facility needs. Finally, key \nfacility-based IT staff had been tightly integrated into local \nCommittees and planning groups as subject matter experts, but could no \nlonger be tasked directly by the facility Director to participate, and \nhad no clear OI&T-driven incentive to continue. Ultimately, the concern \nwas that in trying to create a new structure in the name of \n``standardization\'\', support would wane to a ``lowest common \ndenominator\'\' for all facilities, no matter how diverse their actual \nneeds were.\nImpact on VHA\'s Four Principal Missions\n    With respect to the primary patient care mission, the good news has \nbeen that new policies and procedures regarding encryption of sensitive \ninformation have been well-publicized and have heightened the awareness \nof all care providers as to the critical nature of the information they \nuse every day. I think this has positively impacted the culture of VHA \nand improved respect for our veterans. The bad news is that \ncentralization of physical IT resources to the RDPCs has directly led \nto more system downtime for individual medical centers than they have \never had before, resulting in hundreds of simultaneous threats to the \nsafety of our veteran patients. 
In addition, it is my opinion that \ndisagreements over whether new proposals for clinical application or \ndevice procurement are ``IT\'\' or ``not-IT\'\' have markedly delayed \nupgrading of aging systems and implementation of new systems for \nveterans\' care.\n    With respect to the education mission, the good news is again that \nstandards for encryption of sensitive information have heightened the \nawareness of all staff and students as to the critical nature of the \ninformation they have at their fingertips and the need to protect it in \nall settings.\n    However, from my vantage, rules on encryption of all portable \ndevices, such as ``thumb drives\'\', rather than just on encrypting \nsensitive information, have made it cumbersome to go about common work, \nsuch as giving academic and scientific presentations where no sensitive \ninformation is present. Further, security rules for using network \nresources have stopped some Internet-based videoconferencing activities \nbetween VA and non-VA colleagues, while awaiting new funding cycles to \nprocure next-generation equipment.\n    With respect to the research mission, the proposed standardization \nof VHA databases as part of centralization may create significant \nresearch opportunities, and has been supported by the research \ncommunity though, at this time, no specific progress has been made. \nRules regarding encryption of transported sensitive information have \nbeen warmly received by the research community as a best practice. \nHowever, security rules for using network resources have stopped some \nInternet-based videoconferencing activities between VA and non-VA \ncolleagues. 
Some additional unique local IT resources have been \nrequired to maintain other research activities which utilize the \nInternet and I have concerns about how long they can continue.\n    In terms of our role in supporting the Department of Defense, I \nbelieve that initiatives to enhance electronic data-sharing between VHA \nand DoD have proceeded appropriately.\nImpact on VHA\'s Accomplishments and Morale\n    In my opinion, confirmed in many conversations with my peers, there \nhas been a lack of transparent communication between VHA and the \nreorganizing OI&T structure. At present, economies of scale that were a \ncornerstone of the OI&T realignment proposal have not been communicated \nto the facility level where the work of VHA occurs. The focus on \nsecurity and data integrity has led to a number of new requirements \nwith impacts that generate significant concern without a clear pathway \nto resolution. For example, to fully comply with security requirements \non our examination room PCs, we must log out of both a clinical \napplication such as our Computerized Patient Record System and the \nMicrosoft Windows operating system each time we leave the room even for \na moment, yet it may take as long as 12 minutes to log back on when we \nreturn. Given a 20 or 30 minute visit with their veteran patient, the \nclinician is thus forced to choose to ``do the right thing\'\' for either \nthe patient or the system, but cannot do both.\n    In my view, there remains a tremendous uncertainty about how to \nwork with our longstanding IT colleagues to address local or regional \nclinical care, research, or educational needs. These arise on an almost \ndaily basis as the result of new mandates from accrediting bodies, VA \nperformance measures, or Congressional action. 
Accountability for all \nthese activities remains with the individual Facility Directors, but \nthey no longer have the authority to task IT staff nor directly acquire \ntechnological resources that are a part of every new idea that is put \nforth to meet the new needs. There is a sense of great inertia that \noverrides the anticipation of great opportunities in the new OI&T \nstructure. I believe that this has greatly slowed the field development \nprocess that is the very foundation of our VA-created computer system, \nVistA.\nRegional Computer System Downtime of August 31, 2007\n    On August 31, 2007, the new ``Region One\'\' of OI&T-supported \nfacilities experienced the most significant technological threat to \npatient safety VA has ever had--a 9-hour downtime during standard \nbusiness hours that crippled the clinical and other information systems \nof 17 different VHA medical facilities. During the downtime, it became \nclear to me that many assumptions about the RDPC model were erroneous. \nSpecifically, rather than creating a redundancy to protect facilities \nfrom system problems, a new single point of failure caused a problem \nthat could never have been replicated without the RDPC model having \nbeen created. In this vein, the ability to ``failover\'\' from the RDPC \nin Sacramento to Denver, previously described as a major advantage to \nthe RDPC model, was never taken advantage of. Electronic contingency \nsystems, put in place as a part of the RDPC migration strategy, were \nunavailable or overwhelmed in four of the medical centers, despite \nprior experience that this was a known risk during the pilot phase of \nthe RDPC collocation project. Lastly, and of great concern to the \nmedical centers as a harbinger of future support, clinical need was \nexpected to be the driver of the service restoration process. 
Instead, \nhalf a day of troubleshooting and error log evaluation and analysis \nwent by before the shutdown and reboot process was initiated to \nactually fix the problem.\n    The after-action report, while done in a timely fashion and \ngenerally clear, did not address the two major concerns of the \nfacilities that had to deal with the impact of the downtime at all. \nSpecifically, how could it be that the RDPC model designed for \nredundancy could instead have been designed to create the single point \nof failure that facilities predicted 2 years earlier would paralyze \nthem? Why was the ``failover\'\' from the Sacramento RDPC to the Denver \nRDPC not initiated immediately when the magnitude of the impact was \nknown? Despite repeated queries about this on the official Region 1 \nVistA Outlook email thread designed to facilitate communication between \nOI&T and VHA facilities, I am unaware of whether this question was ever \nanswered.\n    In my view, the OI&T realignment process begun in VA in 2005 for \nthe right reasons has been focused on technical IT issues and the \nreporting structure of its new 6000-strong employee force. While there \nhas been measurable success in those areas, my perspective is that this \nhas not been the case for the planned linking of IT strategic planning \nwith organizational strategic planning and communication between all \nstakeholders in VA. Mr. Chairman, this concludes my statement. I will be \npleased to answer any questions that you or other Members of the \nCommittee might have.\n\n                                 <F-dash>\n                  Statement of Hon. Harry E. Mitchell,\n         a Representative in Congress from the State of Arizona\n    Thank you Mr. 
Chairman.\n    Last week, the Government Accountability Office released their \nreview of the progress made in reorganizing information technology at \nthe VA.\n    In October 2005, the VA began centralizing its information \ntechnology management structure.\n    Shortly thereafter, in May 2006, a laptop theft from an employee\'s \nhome containing personal information brought the importance of this \nissue to light, and the Department\'s mismanagement of the situation \nshowed the urgency of centralization.\n    The GAO report showed that the Department has not yet implemented \nfull security protocols to protect veterans\' and medical providers\' \npersonal information.\n    It also highlighted the importance of an implementation team, which \nhas also been previously suggested and ignored by top officials in the \nDepartment.\n    Information security is not an issue that we can take lightly these \ndays.\n    Securing the personal information of our veterans should be a high \npriority, and any breach of government security should be taken \nseriously.\n    Following the compromised security of information at the VA in May \nof 2006, officials pledged stronger action, but the security breach \nthis past January shows that they have yet to deliver once again.\n    Arizona leads the nation in identity theft and this report only \nfurther concerns me about security at the VA.\n    I look forward to hearing how we can work together to address this \npressing issue.\n\n                                 <F-dash>\n                   Statement of Bryan D. Volpp, M.D.,\n            Associate Chief of Staff, Clinical Informatics,\n        Veterans Affairs Northern California Healthcare System,\n  Veterans Health Administration, U.S. Department of Veterans Affairs\n    Good morning Mr. Chairman and Members of the Committee. 
Thank you \nfor this opportunity to discuss the impact on patient care due to the \ndisruption to the VISTA and Computerized Patient Record System (CPRS) \nat the VA Northern California Healthcare System (VA NCHCS). The VA \nNCHCS is an integrated healthcare delivery system serving more than \n377,700 veterans dispersed over a wide area covering ten geographic \nsites. We serve approximately 70,000 unique veterans per year and \naverage close to 2000 visits per day. VA NCHCS offers a comprehensive \narray of medical, surgical, rehabilitative, primary, mental health and \nextended care to veterans in Northern California. In addition, we \nprovide inpatient acute and critical care services at the Sacramento \nsite (50 beds) and inpatient nursing home and subacute care (115 beds) \nat the Martinez site.\nDisruption to VISTA and CPRS\n    On August 31, 2007, at approximately 7:30 am on Friday, VA NCHCS \nexperienced a major disruption with the logons to our VistA and CPRS. \nThe disruption resulted from a problem at the Sacramento Regional Data \nProcessing Center (SRDPC) and affected 17 sites within VA NCHCS.\nContingency Plan for Disruptions\n    VA NCHCS immediately implemented our local contingency plan for \nfailure, which consists of three backup levels. The first level backup \nis a switch over from the Sacramento Data Center to the Denver Data \nCenter. The second level backup is a read-only version of the patient \ndata. And the final level of backup is a set of files stored on some \nlocal PCs that contains brief summaries of a subset of the patient data \nfor patients who are current inpatients or who have appointments in the \nnext 2 days. A key element in our contingency plan is that \ncommunication to the users on the cause and an estimate of length of \nthe downtime are to be made on a regular basis by IRM. This did not \noccur.\n    The contingency plans failed to stop the disruption. The switch \nover to the Denver Data Center did not occur. 
The read-only backup of \nthe patient data had been made unavailable earlier in the week of \nAugust 31 in order for the Regional Data Center staff to create a new \nversion of our test account. Test accounts are required to be refreshed \nevery 4-6 months at all VA sites. With failure of the first two backup \nlevels, we became reliant on the data stored on several local personal \ncomputers that could be printed. The data stored on the personal \ncomputers are health summaries. Health summaries are brief extracts of \nthe record for patients with scheduled appointments which contain \nrecent labs, medication lists, problem lists and recent notes along \nwith allergies and a few other elements of the patient record. The \ndisruption severely interfered with our normal operation, particularly \nwith inpatient and outpatient care, and pharmacy.\nDisruption Impact on Inpatient Care\n    The inpatient sites were immediately affected. The residents on \nrounds in all the impacted facilities were not able to access patient \ncharts to review the prior day\'s results, add or review orders. Nursing \nreports were interrupted because some of the handoffs from one shift to \nthe next are done by reviewing activities and progress in the \nelectronic record. Discharge planning for that morning was interrupted \nas well due to lack of electronic record availability. On the inpatient \nwards, there were many delays in medication administration and in \ndischarges. The delays included the following:\n\n    <bullet>  The medical staff was forced to write discharge \ninstructions and notes on paper.\n    <bullet>  The electronic lists of instructions and of medications \nwere not available for the patients being discharged.\n    <bullet>  Patients being discharged could not be given follow-up \nappointments at the time of discharge. 
The appointments had to be made \nlater and the patient notified by phone.\n    <bullet>  There were delays in obtaining discharge medications and \npatients remained on the wards longer than would normally be required.\n    <bullet>  The nurses administered medications to the patients and \nused the paper MAR to record the administration events. Initial \nmedication passes were interrupted and delayed until the paper copies \nof the Medication Administration Record (MAR) could be printed.\n\n    The use of the paper MAR continued well after the system came back \nup at around 4 pm. This occurred because there was a delay in the \nautomated updating of all the medications with new orders and changes. \nUntil both Pharmacy and Nursing can verify that the electronic lists \nhave been updated and are accurate, the electronic MAR cannot be used. \nOne inpatient did not meet inpatient criteria but could not be \ntransferred to the nursing home since adequate records were not \navailable. The patient stayed an extra 4 days and required an \nadditional nurse to stay in his room as a sitter until he could be \ntransferred.\nDisruption Impact on Outpatient Care\n    Outpatient activities were impacted within a few minutes after the \noutage. Although most clinics did not have scheduled patients until \n8:00 am, many providers who were beginning to prepare for clinic were \naffected almost immediately. Consent forms that had been done \npreviously for scheduled surgery and for other procedures were not \navailable since these are all done electronically. The providers with \npatient appointments early in the morning had no medical records to use \nfor these patients. For many of the patients, a medication list was \navailable on paper but the paper health summary backups had not yet \nbeen printed. We began to instruct the users to print the paper health \nsummaries for use in the clinics and on the wards just after 8:00 am. 
\nThese were distributed as quickly as possible but for patients with \nappointments at 8:00 am to 9:00 am, very few of these summaries were \navailable in time to provide the needed information to the provider \nwhile seeing the patient.\nDisruption Impact on Pharmacy\n    The pharmacy quickly became overloaded with prescriptions that they \nwere attempting to fill for patients. The labeling equipment and \nautomated dispensing equipment, both linked to VistA, were unavailable. \nThe pharmacy began to ask patients if they could wait to have the \nprescriptions mailed. This problem was made more difficult by the fact \nthat Monday, September 3, 2007, was Labor Day and the next transmission \nto the Centralized Mail Out Pharmacy (CMOP) would be on Tuesday, \nSeptember 4, 2007. In addition, the transmission to the CMOP for August \n31, 2007 was scheduled for 8:00 am. This also caused a delay in \npatients receiving medications. The prescription entries completed on \nAugust 30, 2007 by the pharmacy were not received at the CMOP for \nfulfillment until September 4, 2007.\nOther Impacts Resulting From the Disruption\n    The local health summaries for patients were printed in all clinic \nareas and on the wards which essentially created a temporary patient \nrecord. After 2 hours, most users began to record their documentation \non paper. 
For example:\n\n    <bullet>  Paper order forms were distributed and orders were being \nfaxed to Pharmacy and Radiology for inpatients and outpatients.\n    <bullet>  Paper prescriptions were written for outpatients.\n    <bullet>  Laboratory orders were written on paper and patients sent \nto the lab with paper copies of orders.\n    <bullet>  Multiple patients who had planned CT scans and who needed \na measure of kidney function prior to the procedures had to have their \nblood redrawn since the prior results were not available.\n    <bullet>  Consent forms were done on paper.\n    <bullet>  Vital signs and screenings for depression, post-traumatic \nstress disorder (PTSD) and other interventions were recorded on paper.\n    <bullet>  The cardiologists could not read any of the EKGs that had \nbeen done prior to the failure since these had not been printed and are \nusually reviewed and interpreted online.\n    <bullet>  Surgeons could not enter their operative notes into the \nsurgery package. Consults could neither be ordered nor responded to, \nnor even updated.\n    <bullet>  Appointments could not be made and, if a patient \ncanceled, there was no way to identify other patients to fill those \nslots.\n\n    Although the paper health summaries were available for patients \nwith scheduled appointments, there were no records at all available for \npatients who came to Urgent Care or to the Sacramento ER or walk-in \npatients at any of the clinics.\nPrior Computer Failures\n    Although we have had brief periods of scheduled and occasionally \nunscheduled computer failure in the past, many of these were isolated \nto one site or one building and none lasted as long as the disruption \nexperienced on August 31, 2007. Our contingency plans had been \nimplemented successfully as drills during many of these periods. 
During \nprior outages, the local IT staff had always been very forthcoming with \ninformation on the progress of the failure and estimated length even in \nthe face of minimal or no knowledge of the cause. To my knowledge, this \nwas absent during the most recent outage.\nDisruption Recovery\n    Once the disruption was resolved, a tremendous amount of work was \nundertaken to restore the integrity of the electronic record. \nLaboratory and pharmacy staff worked late that Friday night and over \nthe weekend to update the results and orders in the electronic record \nand to enter all the new orders and outpatient prescriptions. Complete \nrecovery in the pharmacy took over a week. Administrative staff worked \nfor over 2 weeks to complete the checkouts on all the patients who were \nseen that day. However, entering checkout data on all these patients \nmany days after the fact is potentially inaccurate. Many providers have \ngone back into CPRS and tried to reconstruct notes that summarize the \npaper notes that they wrote in order to mitigate the risk of missing \ninformation.\n    This work to recover the integrity of the medical record will \ncontinue for many months since so much information was recorded on \npaper that day. When you consider that hundreds of screening exams for \nPTSD, depression, alcohol use, and smoking, and entry of educational \ninterventions, records of outside results, discharge instructions and \nassessments are all now on paper and are not in a format that is easily \nfound in the electronic record, the burden of this one failure will \npersist for a long time. This adds an additional load for the staff to \nhave to pull up the paper records from that day and presents a risk \nthat some important facts or results collected on that day will be \nmissed at some point in the future. 
For example, consent forms done \nthat day for future procedures will not be in the same location as our \nusual consent forms since these were done on paper and scanned into the \nrecord during recovery.\n    In summary, there were severe impacts to patient care, timeliness \nof care and the integrity of the medical record due to the disruption \nand these effects will persist for some period of time into the future. \nMr. Chairman, this concludes my statement.\n\n                                 <F-dash>\n          POST HEARING QUESTIONS AND RESPONSES FOR THE RECORD\n\n                                     Committee on Veterans\' Affairs\n                                                    Washington, DC.\n                                                    October 3, 2007\n\nHonorable Gordon Mansfield\nActing Secretary\nU.S. Department of Veterans Affairs\n810 Vermont Ave., NW\nWashington, DC 20420\n\nDear Mr. Mansfield:\n\n    In reference to our Full Committee hearing VA IT Reorganization: \nHow Far Has VA Come? on September 26, 2007, I would appreciate it if \nyou could answer the enclosed hearing questions by the close of \nbusiness on November 14, 2007.\n    In an effort to reduce printing costs, the Committee on Veterans\' \nAffairs, in cooperation with the Joint Committee on Printing, is \nimplementing some formatting changes for materials for all full \ncommittee and subcommittee hearings. Therefore, it would be appreciated \nif you could provide your answers consecutively and single-spaced. In \naddition, please restate the question in its entirety before the \nanswer.\n    Due to the delay in receiving mail, please provide your response by \nfax to Debbie Smith at 202-225-2034. 
If you have any questions, please \ncall 202-225-9756.\n\n            Sincerely,\n                                                         BOB FILNER\n                                                           Chairman\nDT:ds\n\n                                ------                                \n\n                        Questions for the Record\n                   The Honorable Bob Filner, Chairman\n                  House Committee on Veterans\' Affairs\n                           September 26, 2007\n\n               VA IT Reorganization: How Far Has VA Come?\n\n    In the September 26, 2007, report of Valerie Melvin, Director of \nHuman Capital and Management Information Systems Issues at GAO (``GAO \nStatement\'\'), GAO stated:\n\n        As part of the new organizational structure, the department \n        identified 25 offices whose leaders will report to the five \n        deputy assistant secretaries and are responsible for carrying \n        out the new management processes in daily operation. However, \n        as of early September 2007, seven of the leadership positions \n        for these 25 offices were vacant, and four were filled in an \n        acting capacity.\n\n    Question 1: Please identify for each of those 25 offices:\n\n    a.  the name of the office and its function;\n    b.  the date on which the leadership position in each office was \nfilled and the person filling the position;\n    c.  for offices for which the leadership position is filled on an \nacting basis, the date on which the leadership position in each office \nwas filled on an acting basis, the person filling the position, and the \ndate by which the position will be permanently filled; and,\n    d.  
for offices for which the leadership position is vacant, the \ndate by which the position will be permanently filled.\n\n    Response:\n\n\n----------------------------------------------------------------------------------------------------------------\n                                                                                                  Date Vacant\n                                                          Permanent Person   Acting Person &        Position\n                  Office Name/Function                    & Date Position          Date         Projected to be\n                                                               Filled                                Filled\n----------------------------------------------------------------------------------------------------------------\n1. Privacy and Records Management--Integrates privacy    Sally Wallace, 10/              N/A                N/A\n considerations into the way the Department of Veterans            1/2006\n Affairs (VA) uses technologies and handles\n information. Oversees compliance with Privacy Act of\n 1974, Freedom of Information Act, Health Insurance\n Portability and Accountability Act (HIPAA), Electronic\n Communications Privacy Act, Office of Management and\n Budget (OMB) Circular A-130, and Government Paperwork\n Reduction Act. Completes privacy impact assessments on\n new programs.\n----------------------------------------------------------------------------------------------------------------\n2. Cyber Security--Sets policy and oversees              Jaren Doherty, 2/\n implementation and operation of VA\'s information                  4/2008\n technology (IT) security program. 
Provides\n information security protection commensurate with risk\n and magnitude of harm resulting from unauthorized\n access, use, disclosure, disruption, modification or\n destruction of: (1) Information collected or\n maintained by or on behalf of VA, (2) Information\n systems used or operated by VA or by a contractor of\n VA or other organization on behalf of VA.\n----------------------------------------------------------------------------------------------------------------\n3. Education and Training--Oversees VA-wide cyber                  Terri Cinnamon,       N/A\n security training, education and awareness program, as         11/8/2007\n well as VA annual information security conference.\n Manages VA\'s internal information security working\n group. Ensures VA policies comply with regulatory\n requirements and legislated mandates.\n----------------------------------------------------------------------------------------------------------------\n4. Risk Management & Incident Response--Develops cost           Katherine                N/A                N/A\n effective strategies for IT risk management                    Maginnis,\n (encompassing IT risk, business continuity management          4/29/2007\n and information security management) for data\n processing environments under the control of the Chief\n Information Officer (CIO).\n----------------------------------------------------------------------------------------------------------------\n5. Business Continuity--Manages processes to identify    Andres Lopez, 10/               N/A                N/A\n potential threats to business continuity and develops            29/2007\n capability to effectively safeguard interests of its\n key stakeholders.\n----------------------------------------------------------------------------------------------------------------\n6. 
Enterprise Architecture--Develops an enterprise-wide            Scott Cragg,          N/A                N/A\n technical architecture that enables the business               8/22/2004\n activities of VA and facilitates the adaptation of\n technology to meet the changing business needs.\n----------------------------------------------------------------------------------------------------------------\n7. Business Relationship Management--Negotiates                    Vacant        Ross Smith,          3/31/2008\n business requirements on behalf of the administrations                             11/11/07\n with IT solution providers.\n----------------------------------------------------------------------------------------------------------------\n8. IT Strategy and E-Gov--Leads ad-hoc teams of            Loise Russell,                N/A                N/A\n information architects in developing best practices            4/24/2007\n and standards that will integrate paper processes into\n electronic systems.\n----------------------------------------------------------------------------------------------------------------\n9. Research and Innovation--Identifies new technologies            Vacant                N/A          12/1/2008\n that provide benefit to VA and enable an improved level\n of service to veterans.\n----------------------------------------------------------------------------------------------------------------\n10. Portfolio Programming and Management--Assists in               Vacant        Tim Weigel,          3/31/2008\n developing IT project management plans and investment                            11/11/2007\n protocols to meet legislative requirements of Federal\n capital asset programs.\n----------------------------------------------------------------------------------------------------------------\n11. 
Program Management--Oversees integrated IT                     Vacant   Michael Osband, 1/        3/31/2008\n management process, reviews milestones and assures IT                               28/2008\n projects are on schedule, within budget and meet\n performance criteria.\n----------------------------------------------------------------------------------------------------------------\n12. Information Technology Comptroller--Manages              Len Bourget,                N/A                N/A\n financial processes of the Office of Information and           2/18/2007\n Technology (OIT) including budget formulation and\n execution, cost accounting, cost recovery, cost\n allocations, charge-back models, and revenue\n accounting.\n----------------------------------------------------------------------------------------------------------------\n13. Human Resource Career Development--Aligns OIT human            Vacant     Thomas Barritt          2/28/2008\n resource management with VA\'s Office of Human Resources\n and Administration (HRA) and the Office of Personnel\n Management.\n----------------------------------------------------------------------------------------------------------------\n14. IT Capital Planning and Investment Management--                Vacant   Karen Kemmet, 7/1/        3/17/2008\n Plans and controls IT budgets and evaluates financial                                  2007\n performance.\n----------------------------------------------------------------------------------------------------------------\n15. Asset Management--Provides users with hardware and   Gary Shaffer, 12/               N/A                N/A\n software needed to do their jobs in the most cost                 9/2007\n effective manner.\n----------------------------------------------------------------------------------------------------------------\n16. 
Vendor and Supplier Management--Develops,                      Vacant                N/A          12/1/2008\n implements, and manages sourcing strategies to improve\n the process of negotiating and managing IT contracts\n and evaluating vendor performance.\n----------------------------------------------------------------------------------------------------------------\n17. Veterans Health IT Development Program Executive               Vacant       Jackie Gill,          3/31/2008\n Office (PEO)--Manages IT development activities in                                9/15/2007\n support of the Veterans Health Administration (VHA).\n----------------------------------------------------------------------------------------------------------------\n18. Veterans Benefits IT Development PEO--Manages IT             Richard Culp,\n development activities in support of the Veterans               4/1/2007\n Benefits Administration (VBA).\n----------------------------------------------------------------------------------------------------------------\n19. IT Development Resource Management PEO--Manages          Joseph Bond,\n development, integration and implementation of new              4/1/2007\n enterprise applications within resource management\n systems portfolio.\n----------------------------------------------------------------------------------------------------------------\n20. Memorial Affairs IT Development PEO--Manages the            Dan Pate,                N/A                N/A\n development, integration and implementation of new             9/30/2007\n enterprise applications within the National Cemetery\n Administration (NCA).\n----------------------------------------------------------------------------------------------------------------\n21. 
Field Operations and Security--Manages day-to-day    Raymond Sullivan,               N/A                N/A\n IT operations, data centers, IT services and IT               10/29/2006\n security across 4 geographic regions.\n----------------------------------------------------------------------------------------------------------------\n22. Infrastructure Engineering--Tests, evaluates and      Charles DeSanno,               N/A                N/A\n certifies software and hardware prior to deployment.            1/2/2007\n Responsible for change management, systems\n engineering, configuration management, release\n management, production control and maintenance.\n----------------------------------------------------------------------------------------------------------------\n23. Corporate Franchise Data Center--Provides IT                   Vacant       John Rucker,          3/17/2008\n services to VA medical centers, regional offices,                                  8/1/2007\n national cemeteries, and other VA and non-VA\n organizations.\n----------------------------------------------------------------------------------------------------------------\n24. Field Business Operations and Services--Controls          Gary Twedt,                N/A                N/A\n and improves the processes, services and outcomes             10/29/2006\n relative to end user support, network services and\n security services.\n----------------------------------------------------------------------------------------------------------------\n25. Network and Telecom--Provides telecommunication                David Cheplick, 7/    N/A                N/A\n systems to support VA requirements.                              
22/2007\n----------------------------------------------------------------------------------------------------------------\n\n\n    Question 1(e): In addition, please provide organization charts \nshowing the reporting relationships of the 25 offices to the five \ndeputy assistant secretaries.\n\n    Response: See Attachment 1 on next page.\n                              Attachment 1\n[GRAPHIC] [TIFF OMITTED] T9456A.003\n\n\n    Question 2: Please provide a timeline for completion separately for \neach of the following three:\n\n    Question 2(a): The 36 new processes of the IT management processes, \nincluding the 9 of the 36 that the VA began implementing in March 2007.\n\n    Response: The 36 core IT business processes are undergoing process \nimprovement, ultimately resulting in the development of a series of \nimproved, standardized processes across all business lines. These \nimproved processes will be developed by teams of experts, documented, \nand disseminated across VA to ensure that they are repeatable by all VA \nIT entities. The availability of standard operating procedures will not \nonly ensure consistency from site to site, but will also prevent \nduplication of effort in developing them. VA process maturity levels \nwill evolve and improve over time based on continuous refinement and \nprocess improvement.\n    The timeline for the 36 core IT management processes calls for \nimplementation by July 2008. We have completed process redesign pilot \nprograms for two: (1) risk management and (2) solution test and \nacceptance. In addition, Process Manuals exist for 27 of the processes, \neither in draft or final version. Key meetings have been held for 20 of \nthe processes, with approximately 8 more planned for the week of \nFebruary 11, 2008. 
The attached spreadsheet provides the details for \neach of the 36 processes.\n    The approach and schedule for process implementation have been \nrevised, based upon lessons learned from the pilot programs and current \nimplementation experiences. We are streamlining the process improvement \napproach in order to meet the July 2008 timeframe.\n    Attachment 2 provides a listing of all 36 processes and the status \nof each.\n                              Attachment 2\n                Status of 36 New IT Management Processes\n                               3/13/2008\n\n----------------------------------------------------------------------------------------------------------------\n                                                                                        Status of Process\n                                                                               ---------------------------------\n                            Process                           Process  Manual       Procedure(s) or Guidance\n                                                                  Complete     ---------------------------------\n                                                                                   In Review         Complete\n----------------------------------------------------------------------------------------------------------------\nCapital Planning & Investment Control                                 <check>                           <check>\n----------------------------------------------------------------------------------------------------------------\nProject Management                                                      draft          <check>\n----------------------------------------------------------------------------------------------------------------\nService Level Management                                                draft          
<check>\n----------------------------------------------------------------------------------------------------------------\nArchitecture Management\n----------------------------------------------------------------------------------------------------------------\nCustomer Satisfaction Management\n----------------------------------------------------------------------------------------------------------------\nData and Storage Management\n----------------------------------------------------------------------------------------------------------------\nIT Research & Innovation\n----------------------------------------------------------------------------------------------------------------\nIT Strategy                                                             draft\n----------------------------------------------------------------------------------------------------------------\nKnowledge Management\n----------------------------------------------------------------------------------------------------------------\nService Marketing and Sales\n----------------------------------------------------------------------------------------------------------------\nStakeholder Requirements Mgmt\n----------------------------------------------------------------------------------------------------------------\nAsset Management                                                      <check>          <check>\n----------------------------------------------------------------------------------------------------------------\nFinancial Management                                                    draft\n----------------------------------------------------------------------------------------------------------------\nSupplier Relationship Management\n----------------------------------------------------------------------------------------------------------------\nWorkforce Management                                                    
draft\n----------------------------------------------------------------------------------------------------------------\nCompliance Management                                                 <check>                           <check>\n----------------------------------------------------------------------------------------------------------------\nChange Management                                                     <check>          <check>\n----------------------------------------------------------------------------------------------------------------\nConfiguration Management                                              <check>          <check>\n----------------------------------------------------------------------------------------------------------------\nFacility Management                                                     draft\n----------------------------------------------------------------------------------------------------------------\nRelease Management                                                    <check>          <check>\n----------------------------------------------------------------------------------------------------------------\nService Execution                                                       draft\n----------------------------------------------------------------------------------------------------------------\nAvailability Management                                                 draft\n----------------------------------------------------------------------------------------------------------------\nCapacity Management                                                     draft\n----------------------------------------------------------------------------------------------------------------\nEvent Management                                                        draft\n----------------------------------------------------------------------------------------------------------------\nIncident Management                                      
               draft\n----------------------------------------------------------------------------------------------------------------\nProblem Management                                                      draft\n----------------------------------------------------------------------------------------------------------------\nService Pricing & Contract Admin                                        draft\n----------------------------------------------------------------------------------------------------------------\nUser Contact Management                                                 draft\n----------------------------------------------------------------------------------------------------------------\nSolution Test and Acceptance                                          <check>\n----------------------------------------------------------------------------------------------------------------\nSolution Analysis and Design                                          <check>\n----------------------------------------------------------------------------------------------------------------\nSolution Build                                                        <check>\n----------------------------------------------------------------------------------------------------------------\nSolution Requirements                                                 <check>\n----------------------------------------------------------------------------------------------------------------\nRisk Management                                                       <check>\n----------------------------------------------------------------------------------------------------------------\nIT Service Continuity Management                                        draft          <check>\n----------------------------------------------------------------------------------------------------------------\nSecurity Management                                                                    
<check>\n----------------------------------------------------------------------------------------------------------------\nIT Management System Framework                                        <check>\n----------------------------------------------------------------------------------------------------------------\n\n\n    Question 2(b): The 20 out of the 22 information security-related \nrecommendations made by the inspector general in 2006, including any \nupdates on the status of the 2 of 22 implemented. The status and \ntargeted completion date of the 17 FISMA related findings made by the \nVA Office of Inspector General recommendations in its annual FISMA \nreport for fiscal year 2005, issued in September 2006.\n\n    Response: The 22 recommendations related to information security \nmade by the Inspector General in 2006 consist of:\n\n    <bullet>  The 17 recommendations in the Office of Inspector General \n(OIG) Fiscal Year (FY) 2005 Audit of VA Information Security Program \n(report number 05-00055-216 dated September 20, 2006); and\n    <bullet>  The five recommendations from the OIG Report: Review of \nIssues Related to the Loss of VA Information Involving the Identity of \nMillions of Americans (report number 06-02238-163 dated July 11, 2006).\n    <bullet>  In addition to the 22 recommendations, 13 recommendations \nwere made as a result of the OIG\'s FY 2006 audit work and are published \nin the OIG\'s FY 2006 Audit of VA\'s Information Security Program (report \nnumber 06-00035-222) dated September 28, 2007.\n\n    Recommendations number 6 and 12 from the OIG FY 2005 Audit of VA \nInformation Security Program (report number 05-00055-216 dated \nSeptember 20, 2006) have been closed out by the OIG. All of the \nrecommendations and status are listed below:\n    Target completion dates for corrective action have been included \nbelow, where available. 
Data Security--Assessment and Strengthening of \nControls Program (DS-ASC) personnel will be working with personnel \nresponsible for implementation of corrective action to obtain target \ncompletion dates for all OIG recommendations shown below.\nRecommendations from FY 2005 Audit of VA Information Security Program, \n        Report Number 05-00055-216, September 20, 2006\n    Recommendation 1. Implement a centralized IT management approach; \napply appropriate resources; establish, clarify, and modify IT policies \nand procedures pursuant to organizational changes; and implement and \nenforce security controls.\n\n    Status: Corrective Action Still in Process.\n\n    All IT personnel and the entire IT budget have been placed under \nthe control of the Assistant Secretary for OI&T, who serves as the VA \nCIO. Over the past year, the CIO has issued policies, procedures, and \ndirectives implementing this new, centralized management concept to \ninclude VA Directive 6500, Information Security Program and its \naccompanying handbook, VA Handbook 6500. Several other policies \nproviding guidance regarding implementation of IT security controls are \neither in draft or in concurrence.\n    In addition, the CIO is centrally managing implementation, \nenforcement, and remediation of IT security controls throughout VA via \nthe data security assessment and strengthening of controls (DS-ASC) \nprogram and has established the Office of IT Oversight and Compliance \n(ITOC) which consolidates existing IT security activities into one \noffice to assist in centralizing enforcement of IT security controls.\n\n    Recommendation 2. Develop and implement solutions for the \nestablishment of a patch management program.\n\n    Status: Corrective Action Still in Process. 
The enterprise \nframework (EF) will provide centralized IT infrastructure management by \nasset management and software delivery (inventory and configuration) \nand interface with the patch management process (portal and policy \ncompliance). The current project status is as follows:\n\n    <bullet>  Completed proof of concept with the integration of two \nVeterans Integrated Service Networks (VISNs). The second quarter of FY \n2007 focused on developing configuration and process baselines. This \nwas followed by deploying and integrating three additional VISNs, to \nform a centrally managed Region, during the third quarter of FY 2007 \nthrough the third quarter of FY 2008. This will be repeated in Regions \n2, 3, and 4.\n    <bullet>  VA has deployed a vulnerability and patch remediation \nsolution (i.e., Harris STAT Guardian and previously Citadel Hercules) \nthat the field has been using since 2003 to scan systems and remediate \ndeficiencies. VA has over 300 dedicated Harris STAT servers providing \nscan and automated patch capabilities across the VA IT enterprise \ntoday. This does not include other patch remediation tools that have \nbeen deployed locally such as systems management server and update \nexpert. VA has spent approximately $15M since 2003 on an enterprise-\nwide vulnerability and patch remediation solution. The long term \nsolution is to leverage the EF to provide this capability.\n\n    In addition, other completed actions to implement a patch \nmanagement program for the VA enterprise are as follows:\n\n    1.  Current practices have been gathered (completion date August \n2007).\n    2.  Patch management working group charter, process, and list of \ndeliverables have been developed (completion date October 2007).\n    3.  Patch management working group and working group lead have been \nidentified (completion date December 2007).\n    4.  
Memorandum issued, titled Enterprise Patch Management \nRequirements, detailing VA\'s patch management program\'s roles and \nresponsibilities, key personnel contact information, and standard \noperating procedures for field implementation (completion date December \n2007).\n\n    Other actions that still need to be accomplished include:\n\n    1.  Review of all current patch management practices across VA, \ntarget date for completion is late March 2008.\n    2.  Development of VA patch management policy, target date for \ncompletion is May 2008.\n    3.  Development of a patch management program to support \nconfiguration management procedures, target date for completion is \nNovember 2008.\n    4.  Implementation of the patch management program and training \nplans enterprise wide, target date for completion is September 2009.\n\n    Recommendation 3: Identify and implement solutions for resolving \naccess control vulnerabilities, ensure segregation of duties, remind \nall sites to confirm virus protection fields are updated prior to \nauthorizing connection to their networks, and resolve all self-reported \naccess control weaknesses.\n\n    Status: Corrective Action Still in Process. VA IT Directive 06-1, \nData Security: Assessment and Strengthening of Controls, dated May 24, \n2006, established a program to remediate the IT security controls \nmaterial weakness. As a result the DS-ASC plan was developed to address \ndeficiencies. 
The target date for resolution of these deficiencies is \nthird quarter of FY 2008.\n\n    Recommendation 4: Review and update all applicable position \ndescriptions to better describe sensitivity ratings, better document \nemployee personnel records and contractor files to include signed \n``Rules of Behavior\'\' instructions, annual privacy and HIPAA training \ncertifications, and position sensitivity level designations.\n\n    Status: Corrective Action Still in Process.\n\n    With issuance of the Secretary\'s June 28, 2006 memorandum, the \nAssistant Secretary for OI&T now has complete responsibility and \nauthority for information security policies, procedures, and practices \nto include risk and sensitivity levels of employee position \ndescriptions.\n    Position descriptions and their corresponding sensitivity \ndesignations are being reviewed for consistency VA wide. Based on the \nresults of these reviews, self certifications from VA\'s organizational \ncomponents indicate that VA has requested approximately 95 percent of \nits required background investigations.\n    In addition, a VA national Rules of Behavior document is included \nin an appendix to the recently published VA Handbook 6500 and will be \nsigned by personnel with access to VA information systems and placed in \nthe appropriate file. VA reported to OMB that 95 percent of its \nemployees completed FY 2007 cyber security awareness training.\n\n    Recommendation 5: Timely request the appropriate levels of \nbackground investigations on all applicable VA employees and \ncontractors. Additionally, monitor and ensure timely requests for \nreinvestigations on all applicable employees and contractors.\n\n    Status: Corrective Action Still in Process.\n\n    Department wide, implementation of this recommendation is \napproximately 95 percent complete. 
The Department is awaiting input \nfrom the remaining organizations to certify that all required \nbackground investigations have been initiated.\n    In December 2006, the Office of Security & Law Enforcement within \nthe former Office of Policy, Planning and Preparedness published a \nnotice providing guidance for requesting the appropriate level of \nbackgrounds for contractors and the proper procedures for processing \nthese requests. Additionally, VA Directive 0710 was revised and has \nbeen placed in the concurrence process. The amended Directive 0710 \nprovides more detailed guidance for processing employee and contractor \nbackground investigations. VA Handbook 0710 is currently being revised \nand is planned to be completed within the next several months.\n    The Security and Investigations Center (SIC) has developed and is \nusing a computer tracking system that will automatically generate a \nnotice to the SIC staff when an employee or contractor is due a \nbackground reinvestigation. This tracking system will ensure that a \ntimely notice is sent to the employee or contractor when \nreinvestigation packets are due to be completed.\n\n    Recommendation 6: Provide our office the results of researching the \nbenefits and costs of deploying intrusion prevention systems (IPS) at \nall sites.\n\n    Status: Closed by the OIG.\n\n    Recommendation 7: Continue efforts to strengthen critical \ninfrastructure planning, complete the critical infrastructure \nprotection plan, and ensure infrastructure planning addresses Executive \nOrder 13231, and other information security requirements.\n\n    Status: Corrective Action Still in Process.\n\n    VA has completed the following critical infrastructure protection \nactions:\n\n    <bullet>  Security training was provided to the appropriate \npersonnel assigned to the Network and Security Operations Center \n(NSOC). 
The new hires will have training this year.\n    <bullet>  Encryption software was installed on all laptops by \nSeptember 2006.\n    <bullet>  The Critical Infrastructure Protection (CIP) division is \nimplementing the public key infrastructure (PKI) solution. Over 135,000 \nPKI certificates have been issued to date.\n    <bullet>  VA has a continuity of operations plan (COOP) and \ncomprehensive emergency program plan. OI&T participates in VA\'s annual \nmaster COOP plan test. Primary responsibility for the VA\'s master COOP \nplan rests with the Office of Operations, Security, and Preparedness \n(OSP). VA has issued Directive and Handbook 0320, Comprehensive \nEmergency Management Program. Both are dated March 24, 2005. VA also \nhas an OI&T COOP plan which was posted to VA Intranet in June 2003.\n    <bullet>  VA\'s critical infrastructure protection contingency plan \nreferences Homeland Security Presidential Directive--HSPD 7, Homeland \nSecurity Act 2002, National Response Plan, and National Incident \nManagement System (NIMS) plus other historical cyber security \nrequirements. The CIP division is working with the Office of Cyber \nSecurity to incorporate the requirements, recommendations and \nguidelines into the policies and procedures. Target completion date is \nAugust 2008.\n    <bullet>  The CIP division is installing network intrusion \nprevention (NIP) devices capable of monitoring and blocking network \ntraffic. The VA NSOC is performing an analysis to see what other \nlocations can benefit from the NIP units. 
This is an ongoing process \nwhere we continuously re-evaluate to ensure the VA has adequate \ncoverage with regard to the NIPS.\n\n    Recommendation 8: Collaboratively test ITC COOPs in a joint effort \nwith all tenant groups (VHA, VBA, NCA, and other program offices) to \nensure that backup sites will support all mission related operations, \nand report test results to our office for further review.\n\n    Status: Corrective Action Still in Process.\n\n    The Corporate Franchise Data Center (CFD), Austin Campus (formerly \nthe Austin Automation Center or AAC) conducts COOP tests annually and \nhas integrated its COOP test with the organizations collocated at its \nfacility. The test includes the following:\n\n    1.  Verifying the ability of CFD, Philadelphia Information \nTechnology Center (ITC), and Hines ITC staff to recover the CFD Mission \nCritical and Essential Support systems currently replicated to the \nPhiladelphia and Hines ITCs. Examples of Mission Critical and Essential \nSupport systems include applications such as PAID, VETSNET and FMS.\n    2.  Testing the ability of the CFD to use its workspace recovery \nfacility for CFD staff to remotely log onto CFD recovery platforms \nusing the OneVA virtual private network (VPN).\n    3.  Testing CFD, Philadelphia Insurance, and Veterans Benefits \nAdministration (VBA) Benefits Delivery Network (BDN) end-to-end \ntransmission of files between the Hines ITC, Philadelphia ITC, \nFinancial Services Center (FSC) Waco facility, and Treasury\'s \nHyattsville Processing Facility.\n    4.  Testing Beneficiary Identification and Records Locator System \n(BIRLS) functionality between the Hines and Philadelphia ITCs.\n\n    The last disaster recovery (DR) exercise for the CFD, Austin Campus \nwas conducted in August 2007; the next exercise is scheduled for August \n2008. Mission critical and essential support applications are tested \nwith resident organization input during the annual DR exercise. 
Table \ntop tests were performed on routine applications in 2007.\n    The Philadelphia ITC established an agreement between the ITC, \nPhiladelphia Regional Office and Insurance Center (ROIC), and the \nPhiladelphia VA Medical Center (VAMC) that established a command post \nat the VAMC for key ITC and ROIC personnel for disaster recovery \npurposes. The Philadelphia ITC conducted full DR tests for the VBA Web \napplications and the Insurance Payment System in April/May 2007. A BDN \ndisaster recovery test by Hines and Philadelphia staff was performed in \nPhiladelphia July 9-12, 2007. A joint exercise including tenants is \nplanned in 2008; however, this will be a simulated or desktop exercise \nand not a full DR test. The next VBA web application disaster recovery \ntest is scheduled for the May-June 2008 timeframe at Hines Information \nTechnology Center. We also plan to conduct the Insurance Payment System \ndisaster recovery test during this same timeframe.\n    The Hines ITC maintains a comprehensive DR plan for the legacy \nBenefits Delivery Network (BDN). The disaster recovery exercise in July \n2007 successfully demonstrated that the Bull and IBM BDN disaster \nrecovery infrastructure at the Philadelphia ITC is capable of executing \nthe BDN online and batch processing in the event of a real disaster. \nThis plan is exercised annually in the summer months. The Hines ITC \nconducted a joint table-top exercise in December 2007.\n\n    Recommendation 9: Address all self-reported deficiencies identified \nas the result of completed C&A and related review work.\n\n    Status: Corrective Action Still in Process.\n\n    In May 2006, the CIO issued VA IT Directive 06-1, Data Security: \nAssessment and Strengthening of Controls. This directive established a \nprogram to remediate IT security controls deficiencies. 
From this the DS-\nASC plan was developed, which addresses deficiencies resulting from \ncompleted certification and accreditation (C&A) work, details of which \nare contained in the plans of actions and milestones (POA&M) section of \nthe security management and reporting tool (SMART) database.\n    The Office of Oversight and Compliance has been established to \nensure continuity and follow-through on remediation of these \ndeficiencies.\n\n    Recommendation 10: Determine the extent to which uncertified \nInternet gateways continue to exist, and take actions to upgrade and \nterminate external connections susceptible to inappropriate access.\n\n    Status: Corrective Action Still in Process.\n\n    NCA shut down its Internet gateway on June 20, 2006.\n    VBA shut down its Internet gateway a year ago. VBA continues to \nmaintain a private T1 connection to benefits delivery discharge (BDD) \ncenters at two military facilities in Korea and Germany. VBA routes no \nother data traffic to them, and they are getting ready to ship \npreconfigured firewalls to these centers. The T1 connections will be \nremoved within the next 3 months and the traffic will route through a \nvirtual private network (VPN) when the firewalls are installed.\n    VHA\'s VISN 20, 21, and 22 have migrated their traffic to the \nenterprise cyber security infrastructure program (ECSIP) and have shut \ndown their external connections; however, VHA has identified additional \nexternal business connections that require business partner gateway \n(BPG) VPN connections. These connections are documented, justified, and \nsubmitted to the enterprise security cyber control board (ESCCB) for \napproval.\n    The Environmental Protection Agency (EPA) connection moved to the \nECSIP gateway and the moving of the remaining connections is contingent \non ESCCB approval. 
In March 2007, the AAC moved all of its existing \nsite-to-site VPN connections to the AAC\'s Internet firewall, and then \nmoved the AAC\'s Internet firewall\'s and franchise firewall\'s internal \ninterfaces from the internal gateway to the VA wide area network (WAN). \nThis was necessary to complete the process of moving site-to-site VPNs \nand Internet facing web servers to the VA WAN for Internet access, thus \nallowing the shutdown of the supporting Internet service provider. \nESCCB approval is pending for a plan to migrate the Internet facing web \nservers as the next step in the process.\n    Significant progress is being made with migrating Corporate \nFranchise Data Center (CFD) (formerly Austin Automation Center) \nremaining customers off of the CFD Internet gateway. DoD traffic will \nbe migrated by the end of February 2008 and all other customers such as \nHome TeleHealth (HTH), Workman\'s Compensation, and the National \nArchives and Records Administration (NARA) will be completely migrated \nby June 30th, 2008.\n\n    Recommendation 11: Improve configuration management practices by \nidentifying, replacing, or justifying the continuance of older \noperating systems that are vulnerable to security breaches.\n\n    Status: Corrective Action Still in Process.\n\n    VA has been upgrading its computers to the Microsoft Windows XP \noperating system and also has been upgrading peripheral devices, as \nnecessary.\n    All VBA workstations are operating under Windows 2000, and all VBA \nservers are operating under Windows 2003. Implementation plans are \nunderway for workstation upgrades to Windows XP. However, the \nconversion to newer operating systems for VBA platforms is dependent \nupon upgrading the applications systems code to use the newer operating \nsystems capabilities. The applications upgrade has been estimated at \napproximately $2 million and will take approximately 2 years to \ncomplete. 
Application upgrading will begin and the conversion to a \nnewer operating system can be accomplished at the end of this upgrade \nprocess. VA is currently working to develop requests for waivers for \nthese applications until the application upgrade can be accomplished.\n    In VHA most desktop systems or IT servers use the latest operating \nsystem, Windows XP. The exceptions to this rule include specialized \nequipment incorporating an operating system such as three V-Tel systems \nin VISN 17 using Windows 98 and one telephone switch in VISN 19 using \nWindows 98 as well as medical devices. The V-Tel systems and telephone \nswitch are connected via a virtual local area network (VLAN) that \nprovides isolation from the facility LAN which is being replaced. All \nmedical equipment, regardless of the operating system, is required by \nVHA policy to be connected to facility networks using the VA isolation \narchitecture. Some medical systems cannot be upgraded.\n    Configuration management has been addressed in the recently \npublished VA Handbook 6500. In addition, a plan to address \nconfiguration management deficiencies was completed in August 2007. \nMinimum configuration settings for information technology products were \nestablished in September 2007 and submitted in October 2007 to the \nconfiguration management technical working group (CM/TWG) for \nfinalization and approval in conjunction with enterprise change and \nconfiguration management processes. In September 2007 VA decided on \nreplacement requirements for personal equipment.\n    Field security operations are in the process of defining a process \nto standardize operating systems and applications. Processes are also \nbeing developed for monitoring system changes and their impacts. Target \ndate for completion is late March 2008 with final completion dependent \non the CM/TWG and the testing/procurement of an enterprise management \nframework (EMF) toolset to support these processes. 
The CM/TWG has a \ntarget completion date of September 30, 2008, to develop the needed \nchange control procedures, and the EMF project has a target completion \ndate of FY 2009, with pilot testing in the last quarter of FY 2008.\n\n    Recommendation 12: Complete actions to relocate and consolidate \nVACO\'s data Center.\n\n    Status: Closed by the OIG.\n\n    Recommendation 13: Develop and implement VA-wide application \nprogram/operating system change control procedures to ensure consistent \ndocumentation and authorization practices are deployed at all \nfacilities.\n\n    Status: Corrective Action Still in Process.\n\n    Change control, as a required security control defined in the \nNational Institute of Standards and Technology (NIST) Special \nPublication 800-53, is included in the recently published VA 6500 \nHandbook. A new technical oversight Committee has been established, \nchaired by the Office of Development, and will review the need for \nspecific and separate change control policy beyond the scope of VA \nHandbook 6500.\n    Additionally, the IT regional data processing change management \nprocess is establishing integrated change control and ultimately a full \nchange management process. The current outcome is a change management \nprocess with an interim definition established in a January 29, 2007 \nmemorandum--Regional Data Processing Information Technology Change \nManagement Interim Process--which focuses on change requests that may \nimpact the infrastructure or operating environment of the regional data \nprocessing. The work group will establish a full change management \nprocess and ultimately configuration management. This workgroup and \nprocesses are linked with VBA\'s architecture change and review board, \nAAC\'s change management process and change control board, and ESCCB. \nThis work group will look at incorporating other change control \nprocesses such as those used by VA developers. 
There is a process \ndefinition technical work group that will define the VA process for \nchange management.\n    Related actions that have been completed regarding implementation \nof change controls throughout the VA enterprise include:\n\n    1.  Current change control practices have been gathered, completion \ndate August 2007.\n    2.  Change control working group charter, process, and list of \ndeliverables have been developed, completion date October 2007.\n    3.  Change control working group and working group lead have been \nidentified, completion date December 2007.\n\n    Related actions that still need to be accomplished regarding change \ncontrols include:\n\n    1.  Review all current practices across VA focusing on the impact \nto operating systems including security, target date for completion is \nlate March 2008.\n    2.  Develop change control policy, target date for completion is \nMay 2008.\n    3.  Develop change control procedures, target date for completion \nis November 2008.\n    4.  Implement change controls and training plans VA wide, target \ndate for completion is September 2009.\n\n    Recommendation 14: Strengthen physical access controls to correct \npreviously reported physical access control deficiencies, develop \nconsistent standardized physical access control requirements, policies, \nand guidelines throughout VA.\n\n    Status: Corrective Action Still in Process.\n\n    The OSP has revised VA Directive and Handbook 0730, including \nAppendix B, Physical Security Requirements and Options. Along with \nother major changes, the revised 0730 document contains updated \nrequirements for the physical access to protected IT spaces, such as \ncomputer rooms and telecommunication/data connections. This directive \nis currently pending departmental concurrence. After concurrence is \nreceived, in accordance with title 38 section 901 it must then be \nsubmitted to the Department of Justice for review prior to publication. 
\nThe Office of Operations, Security and Preparedness anticipates it may \nnot be until the end of FY 2008 before the revised VA Directive and \nHandbook 0730 are released.\n    Physical and environmental controls have been addressed nationally \nin the recently published VA Handbook 6500. Resolution of physical \naccess control deficiencies is an iterative process. VA IT Directive \n06-1, Data Security--Assessment and Strengthening of Controls, dated \nMay 24, 2006, established a program to remediate the IT security \ncontrols material weakness. As a result the DS-ASC plan was developed \nto address the physical access control deficiencies mentioned above. \nTarget date for remediation of these deficiencies is the third quarter \nof FY 2008.\n    The Office of Information and Technology Office of Oversight and \nCompliance has been established to ensure continuity and follow-through \non remediation of physical access control deficiencies. In order to \nhighlight the necessary physical security requirements, the Office of \nInformation and Technology Oversight and Compliance (ITOC) worked \nclosely with representatives from the Office of Operations, Security \nand Preparedness to develop an Information Physical Security (IP) \nchecklist to be utilized by ITOC during assessments of VA facilities. \nThe IP checklist has been added to the assessment protocols. The \ninitial prototype was tested at a number of VA facilities and was well \nreceived by Facility Directors, CIOs, Information Security Officers, \nChiefs of Police, and others. An early observation indicates it will \nprove invaluable to direct attention to physical access issues. 
The \nITOC assessment teams are also continuing to stress the applicable \nsecurity controls from the NIST 800-53 protocols during the \nassessments.\n    An Information Memorandum, to be jointly issued by the Assistant \nSecretary for Operations, Security and Preparedness and the Assistant \nSecretary for Information and Technology, is being prepared. This joint \nmemorandum will form the basis of a physical security awareness \ncampaign. This memorandum is expected to be released sometime in mid-FY \n2008.\n\n    Recommendation 15: Reduce wireless security vulnerabilities by \nensuring sites have an effective and up-to-date methodology to protect \nagainst the interception of wireless signals and accessing the network. \nAdditionally, ensure the wireless network is segmented and protected \nfrom the wired network.\n\n    Status: Corrective Action Still in Process.\n\n    Wireless laptops on VA networks are protected and separated from \nthe wireless network by AirFortress. Methods used to protect against \nthe interception of wireless signals and accessing the network are \nincluded in VA\'s Wireless and Handheld Device Security Guideline, \nVersion 3.2, dated August 15, 2005.\n    VHA and VBA have installed the AirFortress wireless security gateway \nto secure their wireless LAN systems. All wireless data traffic is \nrouted through the AirFortress wireless security gateway before it is \ntransmitted on the VA network. The AirFortress wireless security \ngateway not only provides encryption of data between the wireless \nclient and the security gateway, it also provides firewall \nfunctionality and limits access to the VA network to only authorized \ndevices and users. 
Since \nfirewall functionality has already been provided as part of the \nAirFortress solution there is no need to install an additional firewall \nbetween AirFortress and VA network.\n    VA recognizes that any secure wireless LAN system will include a \nwired/wireless network border gateway security device that will enforce \nan access control policy between the wired and wireless network thereby \nlimiting access to only authorized users on authorized ports, all \nfeatures of a firewall.\n    However, additional work needs to be done in the wireless area. \nBlackberries and PalmPilots connecting to the network are not \nencrypted. Encryption for these devices is being piloted. In addition, \nthe NSOC is establishing a wireless assessment program that will \nidentify and assist the field with remediation of wireless security \nvulnerabilities.\n\n    Recommendation 16: Identify and deploy solutions to encrypt \nsensitive data and resolve clear text protocol vulnerabilities.\n\n    Status: Corrective Action Still in Process.\n\n    VA has taken several actions toward the protection of sensitive \ninformation. By September 15, 2006 the VA encrypted over 15,000 \nlaptops. Simultaneously, VA developed and implemented procedures to \nensure that all laptops have applied updated security policies and \nremoved all sensitive information that was not authorized to be stored \non the devices. This procedure will continue to occur throughout the \nDepartment routinely and is one measure VA has undertaken to protect \ninformation.\n    VA has begun deploying technology to ensure information is \nprotected and is identifying and leveraging existing technologies that \nwill contribute to protecting VA information. These technologies and \nthe status of their deployments are shown below:\n\n    <bullet>  Sanctuary port security and device control technology. \nSanctuary has been deployed and is operational in Region 4 \n(Northeastern United States). 
Sanctuary is actively restricting the use \nof non-VA approved universal serial bus devices on VA computers. The \ntechnical documentation, architecture design, server configuration, and \nproject documentation created during Region 4 deployment are being \nleveraged by the rest of the enterprise as they begin deployment of the \ntechnology. Region 3 (Southern/near Midwestern United States) will be \nthe next region to deploy Sanctuary and is in the process of procuring \nhardware to support its implementation. Subsequently, Region 1 (Western \nUnited States), Region 2 (Southwestern/far Midwestern United States), \nthe Corporate Franchise Data Center (Austin, Texas), VBA, and NCA will \ndeploy.\n    <bullet>  Microsoft Rights Management Services (RMS) technology to \nsafeguard digital information from unauthorized use. VA completed the \ndeployment of over 157,000 RMS clients across the enterprise in FY \n2007. VA procured robust hardware to support the operations of RMS for \nthe enterprise, thus enabling VA to use the current hardware for the \ninfrastructure for the RMS continuity of operations. VA has begun to \ntest the external provisioning component for RMS which will extend the \nRMS functionality of protecting emails and documents to VA business \npartners. Without the external provisioning component, VA business \npartners, such as the Department of Justice, cannot read email messages \nthat are sent with RMS security controls applied.\n    <bullet>  Attachmate host integration and secure network \ntransmission technology. In 2007 VA conducted pilot testing of \nAttachmate technology across all of VA\'s Regions. The pilot included \nthe installation and testing of the terminal emulator client in \nunencrypted mode and then encrypted mode. 
This technology will be able \nto encrypt information sent across VA network from applications such as \nVistA (veterans health information systems and technology \narchitecture), CPRS (computerized patient record system), and IFCAP/ETA \n(integrated funds distribution, control point accounting and \nprocurement/enhanced time and attendance). VA has developed the various \nconfigurations depending on how the product will be used to include the \ncorresponding technical documentation. The installation package and the \ntechnical documentation will be posted to a share point and made \navailable for sites to acquire this information and the file. Region 4 \nwill be the first to deploy the client in an encrypted mode throughout \ntheir region.\n    <bullet>  Cisco and BigFix secure remote access technology. The \nsecure remote access project, also known as the remote enterprise \nsecurity compliance update environment (RESCUE), proof of concept was \nsuccessfully completed in mid-October 2007. The RESCUE solution \nconsists of Cisco technology for enforcement and network access control \nand BigFix for remediation of non-compliant devices. Recently, VA NSOC \ninstalled a portion of the hardware to support RESCUE in the Reston \ngateway. In January 2008 a small user group test was conducted out of \nthe Reston gateway. Simultaneously, RESCUE hardware and software will \nbe installed in the remaining gateways by February 2008. The virtual \nprivate network (VPN) user-base will be migrated to the RESCUE solution \nby June 2008.\n\n    Recommendation 17: Conduct validation tests in conjunction with \nremediation efforts to ensure all information and data retained in the \nSMART database is accurate, complete, and reliable.\n\n    Status: Corrective Action Still in Process. ITOC performs \nvalidation tests of SMART database as part of their assessments. To \ndate numerous assessments have been conducted by ITOC. 
ITOC has \nvalidated internal processes and procedures in the identification and \naccuracy of POA&M items and has stressed to the field the need to \nensure updated information is incorporated into SMART. The ITOC \ninspection checklist has been modified to add additional task lines to \nverify entries in SMART. Target completion date is April 1, 2008.\nRecommendations from OIG Report: Review of Issues Related to the Loss \n        of VA Information Involving the Identity of Millions of \n        Americans, Report # 06-02238-163, Issued July 11, 2006\n    Recommendation 1: Establish one clear, concise VA Policy on \nsafeguarding protected Information when stored or not stored in VA \nautomated systems, ensure that the policy is readily accessible to \nemployees, and that employees are held accountable for non-compliance.\n\n    Status: Closed by the OIG based on the issuance of VA Handbook \n6500, Information Security Program, on September 18, 2007 and meeting \nwith OIG on September 7, 2007.\n\n    Recommendation 2: Modify the mandatory Cyber Security and Privacy \nAwareness training to identify and provide a link to all applicable \nlaws and VA policy.\n\n    Status: Corrective Action Completed. Cyber security and privacy \nawareness training modules have been updated. The privacy awareness \ntraining module has been updated and now contains links to applicable \nlaws and VA policy. It has been provided to the OIG for review. The FY \n2008 cyber security awareness training was made available on October 1, \n2007. All applicable VA policy and Federal laws are linked on the \nreference page of the online training course. 
VA is currently working \nwith the OIG to close out this issue.\n\n    Recommendation 3: Ensure that all position descriptions are \nevaluated and have proper sensitivity level designations, that there is \nconsistency nationwide for positions that are similar in nature or have \nsimilar access to VA protected information and automated systems, and \nthat all required background checks are completed in a timely manner.\n\n    Status: Corrective Action Still in Process.\n\n    <bullet>  New fields have been added to the VA payroll system to \nreflect position risk/sensitivity levels for each VA position and \nbackground investigation levels for each employee.\n    <bullet>  The revised version of VA Directive 0710, Personnel \nSuitability and Security Program, is still in concurrence. In addition, \nthe accompanying handbook, VA Handbook 0710, is under development by \nOSP.\n\n    VA will ensure that all background investigations are requested, \nand as appropriate, adjudicated when completed, in the required \ntimeframes and will monitor the status of investigations performed by \noutside entities. 
VA cannot ensure background investigations are \ncompleted in a timely manner as VA does not conduct background \ninvestigations; these are performed by the Office of Personnel \nManagement.\n    Self-certifications from VA\'s organizational components indicate \nthat VA has requested approximately 95 percent of its required \nbackground investigations.\n\n    Recommendation 4: Establish VA-wide policy for contracts for \nservice that requires access to protected information and/or VA \nautomated systems, that ensures contractor personnel are held to the \nsame standards as VA employees, and that information accessed, stored \nor processed on non-VA automated systems is safeguarded.\n\n    Status: Closed out by the OIG based on the issuance of VA 6500 \nHandbook, Information Security Program, dated September 18, 2007.\n\n    Recommendation 5: Establish VA policy and procedures that provide \nclear, consistent for reporting, investigating, and tracking incidents \nof loss, theft, or potential disclosure of protected information or \nunauthorized access to automated systems, including specific timeframes \nand responsibilities for reporting within the VA chain-of-command and, \nwhere appropriate, to OIG and other law enforcement entities, as well \nas appropriate notification to individuals whose protected information \nmay be compromised.\n\n    Status: Closed by the OIG based on the issuance of VA Handbook \n6500, Information Security Program, on September 18, 2007 and meeting \nwith OIG on September 7, 2007.\nRecommendations from OIG\'s FY 2006 Audit of VA\'s Information Security \n        Program, Report Number 06-00035-222, dated September 28, 2007.\n    Recommendation 1: Provide for the maintenance of appropriate \ndocumentation of completed background investigations for employees and \ncontractors.\n\n    Status: Corrective Action Still in Process. 
Documentation of \ncompleted background investigations will be maintained for employees \nand contractors in accordance with VA policies and procedures.\n\n    Recommendation 2: Require contractors with access to VA systems to \ncomplete cyber security awareness training in accordance with OMB A-\n130.\n\n    Status: Corrective Action Still in Process. Paragraphs 2 and 3f of \nVA Directive 6500, Information Security Program, dated August 4, 2006, \nrequire annual security awareness training for all contractors with \naccess to VA sensitive information and information systems. VA 6500 \nHandbook, Information Security Program, issued on September 18, 2007, \nalso requires that contractors take this training.\n\n    In addition, VA has developed standard contract language to be used \nin all VA contracts regarding protection of VA information and \ninformation systems which will incorporate the requirement for \ncontractors to complete annual security awareness training. The \ncontractual language is still undergoing Departmental concurrence. \nTarget date for obtaining concurrence on this contract language is \nApril 2008.\n\n    Recommendation 3: Develop and implement a methodology to assess the \neffectiveness of VA\'s Intrusion Prevention Systems in protecting VA \nsystems and data from inappropriate access.\n\n    Status: Corrective Action Still in Process. VA will implement a \nmethod to evaluate the effectiveness of VA\'s IPS.\n\n    Recommendation 4: Develop a comprehensive COOP for OI&T and update \nand finalize the OI&T appendix within the VA Master COOP to include its \nessential functions, emergency relocation group, mission critical \nsystems, and vital records in accordance with the Federal Preparedness \nCircular 65, Federal executive branch Continuity of Operations.\n\n    Status: Corrective Action Still in Process. VA has a master COOP \nand comprehensive emergency program plan. Primary responsibility for \nVA\'s master COOP plan rests with the OSP. 
OI&T is a part of and \nparticipates in VA\'s annual master COOP plan test.\n\n    OI&T has its own COOP plan which was posted to the VA Intranet in \nJune 2003. This plan is contained in OI&T Handbook 0320, Continuity of \nOperations, Planning Procedures and Operational Requirements. The \npurpose of the OI&T COOP plan is to:\n\n    a.  Provide command and control of IT assets during emergency \nsituations to ensure continuation of mission-critical and mission-\nessential operations.\n    b.  Provide a coordinated response and recovery effort to \neffectively mitigate an emergency or disaster.\n    c.  Ensure the Assistant Secretary for OI&T can perform its \nmission-critical and mission-essential responsibilities during and \nafter an emergency situation.\n    d.  Ensure the safety and welfare of VA IT staff both during and \nafter an emergency situation.\n    e.  Provide a mechanism for the prompt notification of all VA IT \npersonnel during an emergency situation.\n    f.   Reconstitute, as rapidly as possible, IT systems that are \nadversely affected due to an emergency or disaster.\n    g.  Develop mitigation strategies that will ensure the survival of \nVA\'s critical IT infrastructure.\n    h.  Support regular training and exercises designed to enable \npersonnel to perform assigned emergency management duties.\n    i.   Provide a standardized format for reporting the status of \nessential IT systems and functions.\n\n    This plan applies to all VA IT staff and contractors, and its \nmission of supporting VA Central Office (VACO) with IT, information \nmanagement, record management, cyber security, and telecommunications. \nThe plan addresses emergency preparedness activities to ensure business \ncontinuity. 
Preparedness activities include plans, procedures, \nreadiness measures, and mitigation strategies that enhance VA\'s ability \nto respond to and recover from a designated emergency.\n    OI&T will complete the identification and prioritization of its \ncritical information assets, essential functions, emergency relocation \ngroup, mission critical systems, and vital records and will update and \nfinalize its appendix section within the VA master COOP to make it \ncurrent with the OI&T reorganization.\n\n    Recommendation 5: Ensure the C&A work is complete and that the C&A \ncertifications are supported by the work performed.\n\n    Status: Corrective Action Still in Process. Certification and \naccreditation (C&A) work for VA\'s information systems is complete. Re-\naccreditation for the vast majority of VA\'s systems (which were \naccredited in August 2005) is due to be completed in August 2008.\n\n    In 2006, VA contracted with an outside firm to perform an \nindependent validation and verification (IV&V) of its 2005 C&A effort. \nVA will review the issues and recommendations contained in the \ncontractor\'s IV&V report, along with the issues identified on pages 11-\n13 of this audit report, and make the appropriate revisions to VA\'s C&A \npolicy to ensure that future C&As are performed according to NIST 800-\n37.\n    In 2006, VA contracted with an outside firm to perform an \nindependent validation and verification (IV&V) of its 2005 C&A effort. \nVA has reviewed the issues and recommendations contained in the \ncontractor\'s IV&V report and will make the appropriate revisions to its \nongoing reaccreditation efforts to ensure that certification and \naccreditation efforts (C&A) are properly documented and cross-\nreferenced.\n\n    Recommendation 6: Develop a Department-wide configuration \nmanagement plan/security configuration policy.\n\n    Status: Corrective Action Still in Process. 
Configuration \nmanagement has been addressed in the recently published VA Handbook \n6500. Additional policy regarding this issue still needs to be \ndeveloped.\n\n    To date the following actions have been completed regarding \nimplementation of a configuration management plan for the VA \nenterprise: (1) current configuration management practices have been \ngathered (August 2007), (2) the current status of the VA configuration \nmanagement program policy and handbook has been determined (July \n2007), (3) a configuration management working group charter, process, \nand list of deliverables has been established/developed; and (4) a \nconfiguration management working group has been established and a \nworking group lead has been identified (December 2007).\n    Tasks that still need to be accomplished are: (1) a review of all \ncurrent configuration management practices across the VA enterprise \n(target completion date is late March 2008), (2) development of VA \nconfiguration management policy (target completion date is May 2008), \n(3) development of configuration management plans to support change \ncontrol procedures (target completion date is November 2008), and (4) \nexecution of configuration management implementation and training plans \nVA-wide, target completion date is September 2009.\n\n    Recommendation 7: Verify information categorization and risk \nassessments relating to sensitive information are in accordance with \nFIPS 199.\n\n    Status: Corrective Action Still in Process. VA IT Directive 06-1, \nData Security--Assessment and Strengthening of Controls, dated May 24, \n2006, established a program to remediate the IT security deficiencies. \nThe DS-ASC plan was developed to address deficiencies. 
VA has \nestablished a data control board to classify VA data which will assist \nin the implementation of this recommendation.\n\n    Recommendation 8: Develop and fully implement procedures for \nprotecting sensitive information accessed remotely or removed from VA \nfacilities in accordance with NIST SP 800-53.\n\n    Status: Corrective Action Still in Process. VA IT Directive 06-1, \nData Security--Assessment and Strengthening of Controls, dated May 24, \n2006, established a program to remediate the IT security deficiencies. \nThis is already being partially addressed through the introduction of \nnew software.\n\n    Recommendation 9: Complete the implementation of two-factor \nauthentication in accordance with NIST SP 800-53.\n\n    Status: Corrective Action Still in Process. VA IT Directive 06-1, \nData Security--Assessment and Strengthening of Controls, dated May 24, \n2006, established a program to remediate IT security deficiencies. This \nissue has been provided to DS-ASC personnel for incorporation into the \nDS-ASC program. A consolidated program for identity management has \nalready been established to partially address this deficiency.\n\n    A target date has not been established. With the initiation of the \nDS-ASC contract award, milestones are being developed and target dates \nwill be established in the next 2 or 3 months.\n\n    Recommendation 10: Identify solutions and an implementation plan \nfor a workable time-out function for remote access through VPN in \naccordance with NIST SP 800-53.\n\n    Status: Corrective Action Still in Process. While this \nrecommendation is being addressed in the DS-ASC, it cannot be currently \nimplemented as the 30 minute time-out feature for inactivity does not \nalways work as intended with technology currently deployed. 
This \nlimitation can be attributed to the frequent system activity caused by \ncertain software products (e.g., host based IPS) which makes the VPN \nconnection appear to be active, therefore never reaching the 30 minutes \nthreshold of inactivity.\n\n    While the applications in use do timeout, the VPN sometimes does \nnot. VA feels that the timeout capability provided by the current suite \nof deployed software is enough to mitigate this risk. VA will search \nfor solutions to this issue in its next generation of RESCUE software.\n\n    Recommendation 11: Complete implementation of security control \nmeasures involving access to sensitive information by non-VA employees.\n\n    Status: Corrective Action Still in Process. This recommendation is \nbeing added as a task to the DS-ASC and will address the five areas of \nimprovement identified in the OI&T August 25, 2006 briefing to the \nformer Secretary.\n\n    Recommendation 12: Implement a standardized security program for \nuse by all of VA\'s national and regional data centers to facilitate \nmore consistent security program assessment and monitoring.\n\n    Status: Corrective Action Still in Process. A standardized security \nprogram for the data centers will be developed and implemented.\n\n    Recommendation 13: Institute mechanisms to notify all VA facilities \nof the specific security issues identified in this report and from \nfuture testing so that appropriate corrective actions can be taken on \nthese issues if they exist at other facilities.\n\n    Status: Corrective Action Still in Process. The OIG FY 2006 FISMA \naudit report has been distributed to personnel who have overall \nresponsibility for implementation of corrective action (champions and \nproject managers) shown in the data security-assessment and \nstrengthening of controls (DS-ASC) program. 
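The failure mode described under Recommendation 10 above (a 30-minute VPN inactivity timer that never fires because host-based IPS traffic keeps the tunnel looking busy) can be modelled directly. The Python below is an added illustration, not VA code and not part of the DS-ASC program or RESCUE; the event log, the "user"/"agent" labels and the names `TunnelEvent` and `session_timeout_minute` are all constructed for this example. It replays one constructed traffic log under two timer policies, counting all tunnel traffic versus counting only user-originated traffic, and shows that only the second ever tears the session down.

```python
"""Model of a VPN idle timer defeated by agent traffic (constructed example)."""
from dataclasses import dataclass

IDLE_LIMIT_MIN = 30  # the 30-minute inactivity threshold discussed above


@dataclass(frozen=True)
class TunnelEvent:
    minute: int        # minutes since the VPN session was established
    source: str        # constructed label: "user" or "agent"
    description: str


# Constructed log: the user works for ten minutes and then walks away,
# while a host-based IPS agent keeps sending a heartbeat every 5 minutes.
CONSTRUCTED_LOG = [
    TunnelEvent(0, "user", "login"),
    TunnelEvent(3, "user", "open patient record"),
    TunnelEvent(10, "user", "save patient record"),
] + [TunnelEvent(m, "agent", "host IPS heartbeat") for m in range(5, 121, 5)]

# Which traffic sources reset the idle timer under each policy.
POLICIES = {
    "any_traffic": {"user", "agent"},   # deployed behaviour: any packet counts
    "user_traffic": {"user"},           # only user-originated traffic counts
}


def session_timeout_minute(events, policy, idle_limit=IDLE_LIMIT_MIN, horizon=120):
    """Return the minute at which the idle timer would close the session,
    or None if the session is still up when `horizon` minutes have elapsed."""
    counted = POLICIES[policy]
    last_activity = 0
    for ev in sorted(events, key=lambda e: e.minute):
        # The timer fires as soon as a full idle interval has passed with
        # no counted activity, regardless of what arrives afterwards.
        if ev.minute - last_activity >= idle_limit:
            return last_activity + idle_limit
        if ev.source in counted:
            last_activity = ev.minute
    if horizon - last_activity >= idle_limit:
        return last_activity + idle_limit
    return None


if __name__ == "__main__":
    for name in POLICIES:
        closed_at = session_timeout_minute(CONSTRUCTED_LOG, name)
        state = "never closes" if closed_at is None else f"closes at minute {closed_at}"
        print(f"{name:13s}: session {state}")
```

Under "any_traffic" the heartbeats arrive every 5 minutes, so the idle gap never reaches 30 and the tunnel stays up for the whole two-hour window; under "user_traffic" the last user action is at minute 10 and the session closes at minute 40.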
This report, and all
subsequent similar reports, will be posted to the VA Intranet by the
end of March 2008 so that deficiencies identified in these reports can
be made available to OI&T personnel located at other VA facilities. An
e-mail will be sent notifying OI&T personnel of each report's
availability and VA Intranet location.

    Question 3: What has been accomplished since June 2007 in fully
implementing the IT Governance plan? Are all governance boards in place
and operating?

    Response: Implementation of the IT governance plan is the
responsibility of the VA Executive Board, the Strategic Management
Council (SMC) and VA senior leadership, not just OI&T. IT governance is
an integral part of VA-wide governance and aligns to VA's business
strategies and objectives. Trust must be built among the stakeholders
in the management of IT in VA. Implementing VA IT governance involves
shared decision-making through the IT governance boards, based on the
guiding principle of aligning IT strategy and goals to business
strategy and goals.
    Since June 2007, each of the IT governance boards has played an
integral part in identifying and prioritizing the myriad requirements
that the business units have to contend with. The Planning, Technology
and Services (PATS) Board developed the FY 2009 program with input from
the business units and stakeholders. The Business Needs and Investment
Board (BNIB) developed the FY 2008 execution strategy and FY 2009 funding
recommendations. The Information Technology Leadership Board (ITLB)
carried the message of the PATS and BNIB to the highest levels of VA's
leadership and recommended that the Deputy Secretary approve the IT
budgets. The FY 2009 budget submission was unanimously approved by the
SMC/VA Enterprise Board (VAEB).

    Question 4: With respect to the VistA outage on August 31, 2007,
described in the testimony of Dr. Volpp, please state what actions are
being taken to ensure that such an outage does not occur in the future.
In addition, state whether the ``failover'' function between the two
western data centers is sufficient to ensure uptime of VistA sufficient
to meet the healthcare needs of VHA, the reason(s) the ``failover''
function is or is not able to meet those needs, and, if the
``failover'' is not sufficient to meet those needs, what remediation
will be undertaken.

    Response: The root cause of the outage on August 31, 2007 was lack
of adherence to change management procedures by VA staff. Staff has
been retrained in change management procedures and compliance is being
closely monitored. Senior management has communicated to staff that
any future outage with a similar cause may result in disciplinary actions
against those individuals not adhering to the procedures.
    The ``failover'' function is in place and able to meet the
healthcare needs of VHA in this region. Failover capability has been
successfully tested as recently as September 16, 2007.
    Failover capability is a core system design requirement of the
regional data processing program and as such is available if an event
occurs that warrants that action. The design is intended for disaster
situations. Although it takes up to 4 hours to fail over once the
decision is made to do so, sites do have ``read only'' capability
available. During the August 2007 outage, ``read only'' capability was
available to all affected sites.
    The outage that took place on August 31, 2007 at the west coast
Regional Processing Center (RPC) in Sacramento was precipitated by a
change that was made to the running environment without formal
approval. Additionally, this unapproved change was made incorrectly--
resulting in a number of systems being taken offline, rendering the
entire system unavailable. Based on detailed analysis, the Department
is instituting a number of improvements and architectural changes to
the RPC on the west coast in order to ensure efficient day-to-day
processing, increased availability and enhancement of failover of
resources in the event of a disaster. The RPC was originally
architected to ensure continuity of operations during a Katrina-like
episode or other regional disaster. The Department has also engaged a
contractor for an independent analysis of the RPC. The results of that
engagement have not been delivered as of yet. This information will
also be used to validate or enhance the Department's architectural
decisions.
    These changes in the RPC environment will ensure that VA moves
closer to a more highly available environment for the VistA systems
that serve the Department's medical centers and clinics. Already, the
RPC on the east coast is providing very high availability. The
scheduled and unscheduled downtime metrics for VistA in those data
centers fall into the ``Best In Class'' category as defined by
Gartner--their most stringent category. While hardware augmentation and
realignment of systems will improve availability in the west coast data
centers and with the VistA platform design in general--it should be
noted that the Department's aging VistA application must also be
examined.
    The Department has launched an assessment team to review ``Class
3'' applications. It is believed that certain Class 3 code can
negatively affect the health and performance of a running VistA system.
The team embarked upon its analysis at a VA facility--the San Francisco
VAMC--where the presence of Class 3 code is significant. We are
examining efficiency of Class 3 code, adherence to standards, and
scalability qualities--in order to ensure efficient usability at an
RPC.
    In closing, we believe the availability needs of the organization
will be met by the continued application of engineering enhancements to
the RPC infrastructure as well as the analysis and renovation of Class
3 code. Disaster recovery failover capabilities have been in place
since the launch of the RPCs and will also continue to be enhanced by
the engineering changes being implemented already, with others on the
immediate horizon. In the end, however, the application is what
dictates, in great part, limitations on performance and availability.
The current VistA application has roots and elements that are more than
20 years old. Until the advent and full deployment of HealtheVet--which
brings significant renovation of the aging VistA code by rearchitecting
using industry best practices including Service Oriented Architecture
(SOA)--overall availability for VistA can be optimized only to a point
but will still fall in Gartner's ``Outstanding'' or ``Best in Class''
categories.

    Question 5: GAO identified ``dedicating an implementation team to
manage change'' as a critical success factor to the Department's
implementation of a centralized structure. The Department is currently
managing the realignment through two organizations: the Process
Improvement Office under the Quality and Performance Office and the
Organizational Management Office. The Executive Director of the
Organizational Management Office has recently resigned his position,
leaving one of the two offices without leadership. Please explain the
following:

    Question 5(a): Why did VA decide to manage the realignment through
two organizations rather than dedicating a single implementation team
to manage change? What is the benefit to having two organizations over
one?

    Response: Since the Executive Director of the Organizational
Management Office resigned, the Deputy Director of the Office of
Quality and Performance has been assigned the responsibility to advise
the Principal Deputy Assistant Secretary (PDAS) and Assistant Secretary
for OI&T on realignment issues in addition to continuing the process
improvement effort.
    Overall, the IT executive leadership team is responsible for meeting
established performance goals related to the implementation of the IT
realignment. For example, the Information Protection and Risk
Management (IP&RM) organization is responsible for ensuring proper
policies and procedures are in place to protect personally identifiable
information of both veterans and employees, as is ITOC. The Resource
Management (RM) organization is responsible for career management,
funds execution and asset management. Similarly, the Office of
Enterprise Development (OED) ensures appropriate processes are
implemented as IT products are developed, Enterprise Operations and
Infrastructure (EO&I) is measured on its compliance with service level
agreements, and the Office of Enterprise Strategy, Policy, Plans and
Programs (OESPP&P) ensures multi-year programming and project
management activities are implemented as well as developing and
describing IT strategic plan goals. Each component of OI&T has
developed performance metrics, which will be tracked and managed to
ensure goals are met and performance shortfalls identified.
Additionally, processes for the 36 major IT business areas have been
defined and are in the initial implementation stages. Recently, OI&T
has streamlined the organizational management of the realignment to one
office, the Office of Quality and Performance. This organization will
be responsible for ensuring IT process implementation, performance
management, as well as program evaluation and analysis and will advise
the PDAS and Assistant Secretary for OI&T on realignment performance
goals and areas for improvement.

    Question 5(b): Who will be held responsible for tracking
implementation goals and identifying performance shortfalls? Who will
be held accountable if the implementation goals are not met and
performance shortfalls are realized?

    Response: Overall, the IT executive leadership team is responsible
for meeting established performance goals related to the implementation
of the IT realignment. For example, the IP&RM organization is responsible
for ensuring proper policies and procedures are in place to protect
personally identifiable information of both veterans and employees, as
is ITOC. The RM organization is responsible for career management,
funds execution and asset management. Similarly, OED ensures
appropriate processes are implemented as IT products are developed,
EO&I is measured on its compliance with service level agreements, and
OESPP&P ensures multi-year programming and project management
activities are implemented as well as developing and describing IT
strategic plan goals. Each component of OI&T has developed performance
metrics, which will be tracked and managed to ensure goals are met and
performance shortfalls identified. Additionally, processes for the 36
major IT business areas have been defined and are in the initial
implementation stages. Recently, OI&T has streamlined the
organizational management of the realignment to one office, the Office
of Quality and Performance. This organization will be responsible for
ensuring IT process implementation, performance management, as well as
program evaluation and analysis and will advise the PDAS and Assistant
Secretary for IT on realignment performance goals and areas for
improvement.

    Question 5(c): Who is currently advising and assisting the CIO
since the Executive Director of the Organizational Management Office
resigned?

    Response: The Deputy Director of the Office of Quality and
Performance is assigned the responsibility to advise and assist the
Principal Deputy Assistant Secretary and Assistant Secretary for IT on
realignment issues.

                                  <all>
</pre></body></html>