[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
                 ASSESSING INFORMATION SECURITY AT THE 
                  U.S. DEPARTMENT OF VETERANS AFFAIRS

=======================================================================

                                HEARING

                               before the

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 of the

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 19, 2010

                               __________

                           Serial No. 111-78

                               __________

       Printed for the use of the Committee on Veterans' Affairs



                  U.S. GOVERNMENT PRINTING OFFICE
57-022                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  



                     COMMITTEE ON VETERANS' AFFAIRS

                    BOB FILNER, California, Chairman

CORRINE BROWN, Florida               STEVE BUYER, Indiana, Ranking
VIC SNYDER, Arkansas                 CLIFF STEARNS, Florida
MICHAEL H. MICHAUD, Maine            JERRY MORAN, Kansas
STEPHANIE HERSETH SANDLIN, South     HENRY E. BROWN, Jr., South 
Dakota                               Carolina
HARRY E. MITCHELL, Arizona           JEFF MILLER, Florida
JOHN J. HALL, New York               JOHN BOOZMAN, Arkansas
DEBORAH L. HALVORSON, Illinois       BRIAN P. BILBRAY, California
THOMAS S.P. PERRIELLO, Virginia      DOUG LAMBORN, Colorado
HARRY TEAGUE, New Mexico             GUS M. BILIRAKIS, Florida
CIRO D. RODRIGUEZ, Texas             VERN BUCHANAN, Florida
JOE DONNELLY, Indiana                DAVID P. ROE, Tennessee
JERRY McNERNEY, California
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota
JOHN H. ADLER, New Jersey
ANN KIRKPATRICK, Arizona
GLENN C. NYE, Virginia

                   Malcom A. Shorter, Staff Director

                                 ______

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                  HARRY E. MITCHELL, Arizona, Chairman

ZACHARY T. SPACE, Ohio               DAVID P. ROE, Tennessee, Ranking
TIMOTHY J. WALZ, Minnesota           CLIFF STEARNS, Florida
JOHN H. ADLER, New Jersey            BRIAN P. BILBRAY, California
JOHN J. HALL, New York

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                              May 19, 2010

                                                                   Page
Assessing Information Security at the U.S. Department of Veterans 
  Affairs........................................................     1

                           OPENING STATEMENTS

Chairman Harry E. Mitchell.......................................     1
    Prepared statement of Chairman Mitchell......................    32
The Honorable David P. Roe, Ranking Republican Member............     2
    Prepared statement of Congressman Roe........................    32
Hon. Steve Buyer.................................................     4

                               WITNESSES

U.S. Government Accountability Office, Gregory C. Wilshusen, 
  Director, Information Security Issues..........................     7
    Prepared statement of Mr. Wilshusen, and Valerie C. Melvin, 
      Director, Information Management and Human Capital Issues..    34
U.S. Department of Veterans Affairs:

  Belinda J. Finn, Assistant Inspector General for Audits and 
    Evaluations, Office of Inspector General.....................     9
      Prepared statement of Ms. Finn.............................    40
  Hon. Roger W. Baker, Assistant Secretary for Information and 
    Technology and Chief Information Officer, Office of 
    Information and Technology...................................    19
      Prepared statement of Mr. Baker............................    43

                   MATERIAL SUBMITTED FOR THE RECORD

Post-Hearing Questions and Responses for the Record:

  Hon. Harry E. Mitchell, Chairman, Subcommittee on Oversight and 
    Investigations, Committee on Veterans' Affairs, to Hon. Gene 
    L. Dodaro, Acting Comptroller General, U.S. Government 
    Accountability Office, letter dated May 20, 2010, and 
    response letter from Gregory C. Wilshusen, Director, 
    Information Security Issues, and Valerie C. Melvin, Director, 
    Information Management and Human Capital Issues. U.S. 
    Government Accountability Office.............................    48
  The Honorable Harry E. Mitchell, Chairman, Subcommittee on 
    Oversight and Investigations, Committee on Veterans' Affairs, 
    to Hon. George J. Opfer, Inspector General, U.S. Department 
    of Veterans Affairs, letter dated May 20, 2010, and response 
    letter dated June 21, 2010...................................    53
  The Honorable Harry E. Mitchell, Chairman, and Hon. David P. 
    Roe, Ranking Republican Member, Subcommittee on Oversight and 
    Investigations, Committee on Veterans' Affairs, to Hon. Eric 
    K. Shinseki, Secretary, U.S. Department of Veterans Affairs, 
    letter dated May 20, 2010, and VA responses..................    56


   ASSESSING INFORMATION SECURITY AT THE U.S. DEPARTMENT OF VETERANS 
                                AFFAIRS

                              ----------                              


                        WEDNESDAY, MAY 19, 2010

             U.S. House of Representatives,
                    Committee on Veterans' Affairs,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:06 a.m., in 
Room 334, Cannon House Office Building, Hon. Harry E. Mitchell 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Mitchell, Space, Walz, Adler, and 
Roe.
    Also Present: Representative Buyer.

             OPENING STATEMENT OF CHAIRMAN MITCHELL

    Mr. Mitchell. Good morning and welcome to the Committee on 
Veterans' Affairs Subcommittee on Oversight and Investigations 
hearing on Assessing Information Security at the U.S. 
Department of Veterans Affairs (VA). This hearing will come to 
order.
    I ask unanimous consent that all Members have 5 legislative 
days to revise and extend their remarks and that statements may 
be entered into the record. Hearing no objection, so ordered.
    Today we will examine the current status of information 
security at the VA and its ability to protect itself against 
both malicious and accidental sensitive information breaches.
    The Department of Veterans Affairs employs a sophisticated 
computing infrastructure to store the health and financial 
records of millions of American veterans and their families. 
Each day, there is the potential for millions of attempts to 
gain unauthorized access to government computers that hold this 
information through unsecured ports and other means.
    The risks to the VA of not implementing a sound information 
security program are considerable and, unfortunately, have 
already been seen through several situations in the past.
    Just recently we have learned of two data breaches. In 
Texas, 3,265 veterans' records were compromised when 
information went missing from a facility conducting lab tests. 
In a second instance in Texas, a VA contracted company had a 
laptop stolen, compromising the records of 644 veterans.
    These recent data breaches are proof that VA still has a 
long way to go in ensuring our Nation's veterans that their 
most sensitive information is being safely stored and handled.
    The Federal Information Security Management Act of 2002, or 
FISMA, is a critical and evolving mandate designed to help 
Federal Government entities, including the VA, protect 
personally identifiable and otherwise sensitive information.
    In March of this year, the Office of Management and Budget 
(OMB), released its fiscal year 2009 report on FISMA. 
Unfortunately, the VA ranked dead last among other FISMA 
monitored agencies in areas such as the percentage of log-in 
users trained on information security awareness and also in the 
issuance of personal identity verification.
    Additionally, the OMB report also lists that VA is one of 
six Federal agencies identified as having a material weakness.
    It is clear that the VA has a wide range of areas in which 
it must improve its information security infrastructure. 
Strengthening interagency network connections and access 
controls, and improving configuration management are some of 
the things that will yield positive results in securing VA's 
computing network.
    In light of the recent data breaches in Texas and OMB's 
recent release of its fiscal year 2009 FISMA report, there is 
no better time to review VA's information security posture and 
hear from the Department on how they plan to address the 
challenges they face securing the personal information of our 
Nation's veterans.
    I am pleased that both the VA Office of Inspector General 
(OIG) and the U.S. Government Accountability Office (GAO) are 
here to shed light on additional improvements that the VA can 
make. I look forward to their testimony.
    [The prepared statement of Chairman Mitchell appears on p. 
32.]
    Mr. Mitchell. Before I recognize the Ranking Republican 
Member for his remarks, I would like to swear in our witnesses. 
And I ask all witnesses from both panels to please stand and 
raise their right hand.
    [Witnesses sworn.]
    Mr. Mitchell. Thank you.
    I would now like to recognize Dr. Roe for opening remarks.

             OPENING STATEMENT OF HON. DAVID P. ROE

    Mr. Roe. Thank you, Mr. Chairman, and I appreciate you 
having this very important hearing.
    And before we start, I would like to introduce a very close 
friend of mine, a highly decorated Vietnam veteran who is 
visiting in Washington, Mack McKinney.
    Mack, if you would stand. I certainly appreciate your 
service.
    [Applause.]
    Mr. Roe. Mack is a Sergeant Major. And, Ranking Member 
Buyer and Mr. Chairman, Mack did it on the ground in Vietnam.
    And thank you for your friendship.
    The security of the information the Federal Government has 
under its purview is of high importance. Recognizing that 
importance, Congress passed several Acts to increase security 
awareness throughout Federal agencies including the Department 
of Veterans Affairs.
    In 2002, Congress passed the Federal Information Security 
Management Act, which permanently reauthorized the framework 
laid out by previous legislative initiatives such as the 
Computer Security Act of 1987, the Paperwork Reduction Act, 
that must be the oxymoron of all oxymorons right there, the 
Information Technology Reform Act of 1996, and the Government 
Information Security Reform Act of 2000.
    The enactment of FISMA was a critical step to ensure the 
continuation of requirements and, therefore, the ability to 
effectively identify and track the Federal Government's 
information and security system status.
    Prior to 2001, the VA Office of Inspector General and other 
outside agencies had expressed concern and identified material 
weaknesses regarding information security management at VA.
    Since 2001, OIG reviews of VA FISMA compliance continued to 
identify significant information security vulnerabilities that 
placed VA at risk of denial of service attacks and disruption 
of mission critical systems and unauthorized access to 
sensitive data.
    Numerous security weaknesses were identified, but generally 
not corrected by VA even after the OIG identified repeated 
weaknesses over several years.
    One glaring example of this state of affairs was 
demonstrated by a fiscal year 2004 report where the OIG made 16 
recommendations to VA to strengthen information security 
management, which remained open at least up until May 23rd, 
2006.
    Since the data breach of May 2006, the second largest in 
the Nation and the largest in the Federal Government, we have 
seen the centralization of VA's information management 
including information security.
    These efforts have continued through the current 
Administration under Assistant Secretary Baker's lead. I 
appreciate the massive undertaking by both the previous 
Administration and the current Administration to tighten the 
controls on protecting the data of our Nation's veterans.
    However, while progress has been made in centralizing the 
information technology (IT) Department at the VA, I am 
uncertain how much progress has been made in protecting 
information managed by the Department.
    In reviewing the FISMA reports issued by OMB over the past 
7 years, I am concerned about the VA's status with respect to 
information security.
    In May of 2006, the VA did not even file a report on its 
FISMA compliance.
    In 2007, the VA received an F on its FISMA compliance.
    Most glaring is the recent 2009 FISMA report which shows 
that even though VA has over 500 FTEs assigned to security 
related duties, it had the lowest percentage of log-in users 
trained in information security, 65 percent, and the lowest 
percentage of personal identifying verification credentials 
issued by the Agency, less than 5 percent to employees and 
contractors.
    I am highly concerned that VA is just not taking 
information security seriously enough. The protection of the 
personal information of our Nation's veterans should be a high 
priority at the Department. We do not want another security 
breach at the Department and we certainly do not want another 
one that would reach the level of the May 2006 breach. But if 
VA continues on its current path, we may just have that.
    On April 28th, 2010, my staff was alerted to a stolen 
laptop which had access to VA medical center data. This 
contractor owned the laptop, which was unencrypted and possibly 
contained the personal identification information of 
approximately 644 veterans.
    Upon further investigation, we learned that in November 
2009, the Department issued a directive for VA to incorporate 
VA Acquisition Regulations (VAAR) Clause 852.273-75, which 
provides security requirements for unclassified information 
technology resources.
    The VA reviewed 22,729 contracts to determine whether the 
contracts required the inclusion of this clause. Sixty-four 
hundred required the inclusion of VAAR contracts that has the 
clause inserted. That is 88 percent. Five hundred and seventy-
eight contractors refused to sign the clause, 9 percent, and an 
additional 197 still require the clause.
    I have many questions over this issue, some of which I hope 
we can answer in today's hearing.
    Why was the clause not enforced prior to 2009?
    Did Heritage Health Solutions have the clause included in 
their contract?
    What are VA's plans as far as the 578 contractors who 
refuse to sign the clause when added to their contract? Number 
four, what was the primary reason that most of the contractors 
refused to sign on to the additional clause? And, finally, what 
is VA going to do to tighten the controls on contractor-owned 
equipment that is regularly accessing the VA networks and 
storing data related to our Nation's veterans?
    To place our veteran information at risk is irresponsible. 
These men and women have fought for our Nation, have placed 
their own lives in jeopardy to secure our freedom, and we repay 
them by tossing caution to the wind with respect to their 
personal information. This is totally unacceptable.
    VA must take immediate action to secure our veterans' 
information and to ensure that all contracts requiring access 
to any data at the VA include the protections our veterans need 
and require.
    Thank you again, Mr. Chairman, and I yield back.
    [The prepared statement of Congressman Roe appears on p. 
32.]
    Mr. Mitchell. Thank you.
    Mr. Walz.
    Mr. Walz. I will yield.
    Mr. Mitchell. Okay. Mr. Buyer.

             OPENING STATEMENT OF HON. STEVE BUYER

    Mr. Buyer. Mr. Chairman, I would ask unanimous consent that 
I may participate in today's hearing and I will ask questions 
at the end of all Members of the Committee.
    Mr. Mitchell. Without objection.
    Mr. Buyer. I would also ask unanimous consent to give an 
opening statement.
    Mr. Mitchell. Without objection.
    Mr. Buyer. All right. Thank you very much.
    I appreciate you allowing me to join in the O&I 
Subcommittee hearing. As you know, the protection of personal 
information of the Nation's veterans has been a high priority 
of mine actually for the last decade.
    During the 109th Congress, in order to address the serious 
deficiencies in data protection for personally identifying 
information maintained by the VA, I introduced legislation 
entitled the ``Veterans Identity and Credit Security Act of 
2006'', H.R. 5835, which passed the House by a vote 408 to 
zero.
    This legislation was later incorporated into legislation 
that became Public Law 109-461. It is my hope that this Public 
Law would provide the VA with the necessary tools with which to 
combat information security flaws at the VA.
    In August of 2006, the VA issued VA Directive 6500, which 
detailed the steps by which the Department would provide 
compliance with system security measures.
    And on September 18th of 2007, the Department issued 
national rules of behavior for employees and contractors to use 
as a means to secure the data contained in VA's information 
systems.
    Upon further investigation, we learned that in November of 
2009, the Department issued an additional directive for VA to 
incorporate VA Acquisition Regulation 852.273-75 into all 
contracts where this type of information might be accessed.
    I applaud Secretary Shinseki and Assistant Secretary Baker 
for taking these measures to protect our Nation's veterans and 
their personal information. Unfortunately, the recent data 
breaches in April are a stark reminder that the VA and Congress 
must always be vigilant in protecting this information wherever 
it may exist.
    The details of these breaches clearly indicate that the VA 
is still unable to adequately protect veterans' personal 
information. It also shows that senior managers do not know 
what their responsibilities are and that responsibilities are 
not clearly defined especially between the contracting process 
and the information security management process.
    So that is why, Mr. Chairman, I am really pleased that you 
have not only our Chief Procurement Officer here but also our 
Chief Information Officer (CIO) so we can understand the 
delineations of their responsibilities.
    Mr. Chairman, I am here to determine if there was something 
we missed in the legislation that we passed 4 years ago. So I 
am hopeful that the Administration can advise us if there are 
any particular needs or if, in fact, there are problems with 
the legislation or where did we go wrong. How do we improve 
this situation? And I also want to hear about where we go about 
fixing the current situation with regard to the contracts.
    This most current breach involves a contractor that had 69 
contracts in 13 Veterans Integrated Service Networks (VISNs) 
involving over 30 VA medical centers. Twenty-five of these 
contracts were missing security clauses. The contractor signed 
all certificates of compliance. Nobody at the VA checked and 
verified to my knowledge. I want to know who at the Veterans 
Health Administration (VHA) was asleep at the wheel. Where is 
the accountability and, in fact, who is accountable, who is 
responsible?
    When Secretary Shinseki ordered a review of 22,729 VHA 
contracts last February, over 6,000 were missing the basic IT 
security clause. These contracts were modified over a period of 
7 months to include the security clauses. It appears to me that 
no one at VHA contracting verified any compliance in spite of 
certificates of compliance by contractors. Disciplined 
contracting in the VA is dysfunctional and clearly broken. It 
is highly decentralized and with almost total absence of 
contract review or oversight. What is going to happen to the 
578 contractors who refused to sign the modification to their 
contracts to put the information security clause in place?
    And who is going to step forward and pay for such 
compliance if, in fact, they do not want to or if we have got 
ourselves in a position whereby maybe they are providing a 
particular medical service, and I am leaning over to the VHA, 
to say that the service that they provide is so important, yet 
they refuse to sign the clause, what are you going to do and 
who is going to pay for what or do they feel that they have 
leverage over us that we are going to pay for the IT?
    I do not know. I am interested to see how you are going to 
be able to work that out or if you are going to have to 
reprogram monies or you have got monies to be able to do this 
type of thing.
    I want to thank you, Mr. Chairman, for holding this hearing 
and to the Ranking Member.
    The record clearly shows that on May 6th, 2006, the data 
breach occurred. This was the largest in the Federal Government 
and the second largest in American history. This Committee 
worked side by side in a bipartisan manner to strengthen the IT 
security at VA. And I look forward to working with you to 
resolve this matter.
    I also want to thank Roger Baker. You stepped forward into 
the breach. I am not here to beat you up at all. I recognize 
that this is work in progress. This is maintenance. And I am 
not downplaying this. I know this is a very large system. We 
worked very hard to centralize this IT.
    I also recognize that you have not had the most cooperation 
or the best effort of cooperation from VHA over the years. You 
know, they have done everything imaginable in my personal 
opinion to derail the centralized effort. And they also have 
not been as forthcoming with regard to security compliance and 
assurances that I think they should.
    So you stepping into this breach, accepting 
responsibilities, and then you ensuring that not only your eyes 
but the eyes of the men and women who then serve directly under 
you in your lines of authority put their eyes at the VISN and 
the medical centers into that process is extremely important.
    And you recognize that. And I want to applaud you for doing 
that. So when your CIO at the medical center wants to put their 
eyes into that medical contract and the Chief Medical Officer 
then sitting at that board table said get your nose out of my 
business, no, no, no, no, no, no. It is your business.
    And you were in the room when we designed this. And that is 
why I am glad that you are in charge when problems arise too. 
So you and I and this Committee are on the same page. And I 
applaud you for that.
    I also want to thank the GAO and the OIG for your work. I 
read your reports last night.
    Thank you, Mr. Chairman. I yield back.
    Mr. Mitchell. Thank you.
    At this time, I would like to welcome panel one to the 
witness table. And joining us on the first panel is Greg 
Wilshusen, Director of Information Security Issues at the U.S. 
Government Accountability Office, accompanied by Valerie 
Melvin, Director of Information Management and Human Capital 
Issues.
    I would also like to welcome Belinda Finn, Assistant 
Inspector General for Audits and Evaluations, Office of 
Inspector General, U.S. Department of Veterans Affairs. Ms. 
Finn is accompanied by Michael Bowman, Director of Information 
Technology and Security Audits in the Office of Inspector 
General.
    I ask that all witnesses stay within 5 minutes for their 
opening remarks. Your complete statements will be made part of 
the hearing record.
    At this time, I would like to welcome and recognize Mr. 
Wilshusen.

   STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
    SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; 
    ACCOMPANIED BY VALERIE C. MELVIN, DIRECTOR, INFORMATION 
     MANAGEMENT AND HUMAN CAPITAL ISSUES, U.S. GOVERNMENT 
ACCOUNTABILITY OFFICE; AND BELINDA J. FINN, ASSISTANT INSPECTOR 
    GENERAL FOR AUDITS AND EVALUATIONS, OFFICE OF INSPECTOR 
 GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY 
 MICHAEL BOWMAN, DIRECTOR, INFORMATION TECHNOLOGY AND SECURITY 
                       AUDITS, OFFICE OF 
        INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS 
                            AFFAIRS

               STATEMENT OF GREGORY C. WILSHUSEN

    Mr. Wilshusen. Chairman Mitchell, Members of the 
Subcommittee, thank you for the opportunity to participate at 
today's hearing on VA's information security program.
    Since 1997, GAO has identified information security as a 
governmentwide high risk issue. This has been particularly true 
at VA where the Department has been challenged in protecting 
the confidentiality, integrity, and availability of its 
computer systems and information.
    At previous hearings before this Subcommittee, we have 
testified on some of these challenges. Today we will discuss 
VA's progress in implementing information security and 
complying with FISMA.
    Mr. Chairman, for over a decade, VA has faced long-standing 
information security weaknesses that have left it vulnerable to 
disruptions in critical operations, fraud, and inappropriate 
disclosure of sensitive information. Nevertheless, the 
Department has made limited progress in resolving these 
weaknesses.
    In September 2007, GAO reported that shortcomings in the 
implementation of several departmental initiatives to 
strengthen security could limit their effectiveness. At that 
time, we made 17 recommendations for improving the Department's 
security practices including, for example, developing guidance 
for its information security program and documenting related 
responsibilities.
    VA has implemented five of those recommendations and has 
efforts underway to address 11 of the remaining 12. We plan to 
follow-up this year with the Department to determine whether it 
has fully implemented our recommendations.
    For the 13th year in a row, VA's independent auditor 
reported that inadequate system controls over financial systems 
constituted a material weakness in fiscal year 2009. Among 24 
major Federal agencies, VA was one of six to report such a 
material weakness.
    Deficiencies were reported in each of the five major 
categories of information security controls including, for 
example, access controls, which are intended to ensure that 
only authorized individuals can read, alter, or delete data, 
configuration management controls which provide assurance that 
only authorized programs are implemented, and segregation of 
duties which reduce the risk that one individual can 
independently perform inappropriate activities without 
detection.
    Also for fiscal year 2009, the VA Office of Inspector 
General designated the Department's information security 
program as a major management challenge. Of 24 major agencies, 
VA was 1 of 20 to have information security so designated.
    In March 2010, we reported that Federal agencies including 
VA had made limited progress in implementing the governmentwide 
initiative to deploy a standardized set of configuration 
settings on Windows workstations. We determined that VA had 
satisfied certain requirements of the initiative but had not 
fully implemented other key requirements.
    Accordingly, we recommended that VA, among other things, 
complete implementation of its approved set of configuration 
settings and acquire and deploy a tool to monitor compliance 
with those settings. VA concurred with our recommendations and 
indicated that it plans to implement them by September 2010.
    VA's progress in implementing FISMA-related control 
activities has also been mixed. For example, from fiscal year 
2006 through 2009, the Department reported a dramatic increase 
in the percentage of systems for which a contingency plan was 
tested. However, during the same period, the Department 
reported decreases in the percentage of employees who had 
received information security training.
    Compared to 23 other major agencies, VA's performance in 
implementing these control activities was equal to or higher in 
some areas and lower in others.
    In summary, Mr. Chairman, effective security controls are 
essential to securing the systems and information on which VA 
depends to carry out its mission. The Department continues to 
face challenges in resolving long-standing weaknesses. 
Overcoming these challenges will require sustained leadership, 
management commitment, and effective oversight.
    Until VA fully and effectively implements a comprehensive 
security program and mitigates known vulnerabilities, its 
computer systems and sensitive information will remain exposed 
to an unnecessary and increased risk of unauthorized use, 
disclosure, tampering, and theft.
    This concludes our opening statement. And Ms. Melvin and I 
would be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen and Ms. Melvin 
appears on p. 34.]
    Mr. Mitchell. Thank you very much.
    Ms. Finn.

                  STATEMENT OF BELINDA J. FINN

    Ms. Finn. Thank you, Chairman Mitchell.
    Chairman Mitchell and Members of the Subcommittee, thank 
you again for the opportunity to discuss our work on VA's 
implementation of an agency-wide information security program.
    With me today is Mr. Michael Bowman, Director of 
Information Technology and Security Audits for the OIG.
    In March 2010, we issued our report on the fiscal year 2009 
assessment of FISMA implementation. That report included 40 
recommendations for improving VA's information security 
program.
    Seven years after FISMA's enactment, we continue to find 
significant deficiencies with information system security 
controls that could have potentially alarming consequences.
    While VA has made progress defining policies and 
procedures, it faces significant challenges implementing 
effective controls over system and network access, system 
interconnections, configuration management, and contingency 
planning practices.
    For example, during our testing of access controls, we 
identified significant weaknesses that expose VA mission 
critical systems to unauthorized access. We found numerous weak 
or default passwords on application servers, databases, and 
networking devices at most VA facilities. These weak or default 
passwords can allow malicious users to easily gain unauthorized 
access to mission critical systems.
    For example, using a default password, a hacker could 
easily access a Microsoft database with administrative rights 
and change data or establish a back door to allow future entry 
into the database.
    Second, our testing of system interconnections revealed a 
significant number of external connections that VA had not 
identified and were not actively monitoring. This lack of 
comprehensive monitoring of these connections represents a 
significant risk that a hacker could penetrate the network and 
systems over an extended period of time without being detected.
    Configuration management controls ensure that only 
authorized, tested, and adequately protected systems operate on 
our protected networks.
    We identified significant problems with software updates, 
virus protection, and other controls that resulted in unsecure 
web application servers, servers hosting vulnerable third-party 
applications, and excessive user access on critical database 
platforms.
    These weaknesses could again allow malicious users to 
exploit the vulnerabilities and gain unauthorized access to VA 
systems.
    Finally, our review of the contingency planning processes 
revealed many instances where VA facilities did not validate 
that personnel could restore mission critical systems at a 
remote processing site as planned. Without in-depth and 
realistic contingency plan testing, VA cannot be certain that 
it can readily restore systems in the event of a disaster or 
service disruption.
    Weaknesses in information security, policies, and practices 
can expose critical systems and data to unauthorized access and 
disclosure.
    While VA has made progress defining policies and 
procedures, implementing effective controls to protect systems 
and data from unauthorized access, alteration, or destruction 
represents a significant challenge in VA's highly decentralized 
and complex infrastructure.
    We believe that the VA systems will remain at increased 
risk until VA fully addresses our recommendations and 
implements an effective information security program.
    Mr. Chairman, that would conclude my oral statement. Mr. 
Bowman and I will be happy to answer any questions that you or 
other Members of the Subcommittee may have.
    [The prepared statement of Ms. Finn appears on p. 40.]
    Mr. Mitchell. Thank you.
    Mr. Wilshusen, we learned recently of an incident in which 
the VA contractor's laptop, their computer that was unencrypted 
with veterans' information was lost or stolen.
    What can the VA do to ensure that its contractors 
effectively secure the system and information that they operate 
or process on the VA's behalf? And is the VA doing anything 
about this?
    Mr. Wilshusen. Well, as you know, under FISMA, agencies are 
responsible for assuring the security over their systems and 
information including those that are operated by contractors 
and other third parties or information that those contractors 
and third parties possess on behalf of the Agency. VA can do a 
number of things and should be doing a number of things to 
protect that information.
    First of all, it should be including and incorporating 
security requirements into its contracts with its contractors. 
It should also assure and require that contractors certify that 
they are meeting the requirements of the contract.
    But, importantly, it should also establish mechanisms for 
an independent confirmation that contractors are actually 
performing as they should be and as they are required to do 
under the contract.
    Clearly establishing and implementing a mechanism for 
monitoring contract performance and compliance will be critical 
to assure that agencies, I am sorry, that contractors are 
implementing those controls.
    And then if there are instances where contractors are not 
complying with the required security measures, then they should 
be held accountable.
    And that is one of the areas, as I understand it, even 
though we have not yet looked at VA's actions in this area at 
present, the last we looked at VA was back in September 2007 
where we identified a number of vulnerabilities with its 
information security program, but that is one area certainly 
that is important for VA to assure that contractors are 
implementing the appropriate security requirements over its 
information systems.
    Mr. Mitchell. It seems like several of the high-profile 
data breaches affecting veterans' information occurred as a 
result of physical theft of IT resources such as a laptop 
computer or thumb drive.
    What can the VA do to protect veterans and itself from 
these types of security incidents?
    Mr. Wilshusen. Well, you are absolutely correct. For 
example, the May 2006 data theft involved the physical theft of 
an external hard drive and laptop as well as the more recent 
one from the contractor. And, indeed, that across government is 
one of the types of incidents that results in significant data 
loss.
    And what VA can do is a number of things. One is ensuring 
that those laptops have strong authentication on them that 
require, for example, two factor authentication. So someone who 
steals a laptop would need to not only know a particular piece 
of information such as a password or a PIN number but also 
possess either a token or some sort of biometric that would 
allow only one user then to access and authenticate to that 
system.
    Certainly another key point is encrypting the data on the 
laptop. That is essential. VA has made progress with that on 
the Agency's laptops.
    In 2007, we did a test where we tested 248 laptops at eight 
locations and found that they had encrypted the laptops for 
244, about 98 percent of the laptops. But those were Agency 
laptops. Where they often have had issues is when the 
contractors have not encrypted data on the laptops.
    Another key thing is just to limit and restrict the amount 
of sensitive information that is contained or stored on these 
laptops. They should only--the information should only be on 
the laptop for the limited period of time that is required and 
the amount of sensitive information should only be stored on 
the laptop to the extent that it is for authorized, legitimate 
business purposes.
    Other types of controls that should be in place on laptops 
include just general maintenance including that they have 
intrusion prevention systems or personal firewalls on the 
laptops, that the laptops are protected with current antivirus 
software, and all security patches have been installed on those 
systems.
    Mr. Mitchell. Thank you.
    Dr. Roe.
    Mr. Roe. Thank you. Thank you, Mr. Chairman.
    Obviously the VA has an enormous job in managing hundreds 
of millions, if not billions of bits of information. And let me 
suggest to you that that is a good thing because one of the 
problems we have had is being able to quickly get claims done 
and this is important.
    The advantage of paper is you cannot haul out 26 million of 
them under your arms and carry them out. You just physically 
cannot do it. So before the VA was slow, but it was very 
difficult to lose much information. Someone might take a chart 
or two home, but they are not going to take 26 million of them 
home like a guy did on his laptop.
    And it appears to me that the problem is that we do not or 
have not had adequate encryption and so forth on all the pieces 
of information. And it is important sometimes for these folks 
to take the work home.
    Let me give you an example. A physician friend of mine at 
the VA, he is not allowed to take his laptop away with him, 
which he would go away for, let us say, a week or two vacation. 
He would work at that time and expedite things. He is a 
gastroenterologist. He is a consultant. They are way behind on 
those consults. He could do a lot of work. But he cannot take 
it with him because of this issue that occurred with the 26 
million people.
    And it is also incredibly expensive when that happened. I 
know I was one of the veterans who got the letter. And I think 
one mail-out was $14 million. Two mail-outs went out. That was 
$28 million to let veterans know that, hey, guess what, we 
goofed, we let your information with your Social Security 
number and so forth get out there on the World Wide Web. Not a 
real good feeling. And I think we have to do better.
    I guess one of the questions I have, and you made some 
great points in here and in your testimony, your written 
testimony, the VA continues to report significant information 
security shortcomings and you go through these, and my question 
is, why have they not been corrected? I mean, it has clearly 
been pointed out, so why has it not been done?
    Mr. Wilshusen. I think there is probably a number of 
different reasons why they have not. One of the issues is in 
years past, VA has been decentralized, particularly with the 
organization of responsibilities for information security. With 
the 2006 legislation and bill, I am sorry, Act that was passed, 
that helped to centralize some of that responsibility within 
the CIO's and Chief Information Security Officer's (CISO's) 
offices. And that was a key moment, I think.
    Certainly another key area is prior to May 2006 when that 
incident occurred, the emphasis on information security may not 
have been as great as subsequent to that. So since 2006, there 
has been some progress. Certainly they now have very capable 
individuals in place as Congressman Buyer has pointed out with 
the new CIO.
    Mr. Roe. I guess the question I have with that is this, is 
that the FISMA Act had been passed along with----
    Mr. Wilshusen. Oh, yes.
    Mr. Roe [continuing]. Four or five things I mentioned ahead 
of that time, it appears that nobody was paying any attention 
to the problem and did not take it seriously and still, even 
after a huge breach like that, apparently not serious enough 
that it is still not going on.
    And, Ms. Finn, just a thought occurred to me when you were 
speaking. You raised a tremendous point. If a hacker, because 
our Web site was hacked in my office here in DC, if you could 
hack into a VA data system and you said, I think, in your 
testimony that you could change information, could you change 
information about me as a veteran if I am in that system and 
then file a false claim? It looks to me like that would be easy 
to do if the data were changed.
    Ms. Finn. I would say if a hacker got into that particular 
database, that quite likely they could do that.
    Mr. Roe. So you could go in there and change your 
information about where you served or what disability you might 
have? I mean, that is a tremendous opportunity for fraud.
    Ms. Finn. Yes. I will say that I do not know that we saw 
specific vulnerabilities in those large databases.
    Mr. Roe. I guess my question was, if you do not have the 
security system, because, I mean, everybody's e-mail has a 
password and a user name, and is there any way to know that 
that has happened? I mean, could it have been breached and 
anybody not even know?
    Ms. Finn. Yes, it could have.
    Mr. Bowman. We did work on some of those mission critical 
systems and we found instances where audit logs were not being 
maintained. So if systems were actually infiltrated, there were 
not records identifying that and responding to it.
    We also identified instances where the databases on some of 
these larger systems did have default credentials. So probably 
the risk is more from the internal threat than it is from the 
internet, but the threat does exist.
    Mr. Roe. I think the reason, before I yield back, Mr. 
Chairman, I think this is important because as a physician, we 
make decisions based on what is in those records. And if those 
records are manipulated in a negative way, you will end up 
making very bad decisions. The more I listen to this and read 
the testimony last night, the more critical I realized this was 
to get this right.
    So I yield back.
    Mr. Mitchell. Thank you.
    Mr. Walz.
    Mr. Walz. Thank you, Mr. Chairman and Ranking Member Roe, 
and the Ranking Member of the full Committee, for your 
attention to this and your work on it.
    I, like Dr. Roe, was one of those veterans that received 
the letters and I hear much about this.
    I want to thank all of you for your commitment and public 
service and also your commitment to good governance and 
oversight and to all of our folks here from the VA. This room 
is absolutely committed to the best care of our veterans. That 
goes without question. We are here to figure out how to do 
that.
    So, Assistant Secretary Baker, I share the Ranking Member's 
admiration for you. And I guess he used the right term in this 
regard, stepping into the breach. And I do appreciate that.
    A couple questions I have. And in recognizing that we are 
making progress and where there is other things, my concern and 
where I am coming from, the broken record in me, as we move 
forward to the smart policy of seamless transition, this issue 
is going to become even more important, the idea of the virtual 
lifetime record, the electronic record, the idea of sharing 
between U.S. Department of Defense (DoD) and VA have become 
even more important.
    And I am trying to find out here that balancing absolute 
security and access because one of the problems I find in rural 
areas is the access issue for our county veteran service 
officers and things like this.
    I just came from a meeting where I sat down purposely to 
talk of this information security side from the private sectors 
with Thomson Reuters folks. And they were talking about, yes, 
the encryption, yes, all those things, but also the 
credentialing side of things, that there is that other level of 
safeguard of who has got access to this and why.
    I guess my question is, and this might be to Ms. Finn, have 
any of these breaches occurred with people like in my State, 
one of the 26 States that has county veteran service officers, 
are co-located veterans service organization (VSO) 
representatives at the VA, have any of the breaches of data 
come out of those folks? Can you speak to that with any 
authority?
    Ms. Finn. No, sir. I am afraid I cannot. I would have to do 
some research in order to answer your question.
    [The VA OIG subsequently submitted the following 
information:]

    In response to your question, we contacted VA for 
information related to security incidents. VA provided the OIG 
with information on security incidents for the period of 
February 2010 through May 2010. During this limited period, no 
cases of VSOs gaining unauthorized electronic access to VA's 
internal systems and networks were reported. However, in one 
instance, an individual misused authorized access to the 
Patient Inquiry Database. We understand that the Office of 
Information and Technology is working to limit access to the 
database so that a similar incident does not occur again. To 
answer the question for a broader time period, we would have to 
defer to VA to provide any additional information.

    Mr. Walz. Well, if we could get that because I think we are 
seeing the answer is, is there have not been any.
    And my question is, I have limited access for these folks 
even something as simple as a DD-214 and then you get into the 
compensation and pension side of things that we need to speed 
the transition for benefits. My experts, my veterans, my folks 
that are county veteran service officers are being denied 
access on the basis of it could be a security breach.
    As we move forward on this and as you hear details and as 
we find wherever our Achilles heel is in strengthening this, we 
have to be very cognizant of we can lock this stuff away in a 
vault, but if the right people do not have access to see it, we 
still cause damage to our veterans. And I want to know how we 
get that. And I do not know if anyone has any comments.
    The Ranking Member brought up a great point in seeing that 
this might be an opportunity with the DoD folks or whatever to 
strengthen that. I guess maybe I was being a little more 
pessimistic and seeing that this is going to compound the 
problem and make it more difficult.
    Do you see this as a challenge or an opportunity? And maybe 
when Assistant Secretary Baker and his folks come up, they may 
comment too.
    Mr. Wilshusen. I would say it is both an opportunity and a 
challenge. Certainly the sharing of information will help get 
information to the people who need it when they need it and 
making sure that the information is accurate at that time.
    It is also a challenge, though, to assure that those 
individuals only receive the information that they need and to 
assure that they are the correct people in receiving that 
information. And that is where with information sharing and 
providing appropriate security, there is always that balance.
    Mr. Walz. Do we do a good job on this credentialing or who 
has this? I keep hearing of these contractors and stuff. I am 
wondering, do these people need to--there are cases where they 
need to take it home. I think Dr. Roe is right.
    But are we credentialing the right people? Is there that 
side of the security or is this all a software physical 
infrastructure side of things issue or is it more of a cultural 
attitude on protection of data?
    Could anyone speak to that as you see it?
    Ms. Finn. I think it is definitely a cultural issue and 
that has been the biggest change that I have seen in VA over 
the last 3 1/2 years in information security. The struggle to 
establish the policies and procedures that addressed the need 
for encryption on devices was huge. And it was a big culture 
shift.
    Mr. Walz. Because I think the public sees this and they 
said encrypt the dang things and do not let anybody get in and 
do not have default passwords and everything will be fixed.
    What I am hearing, what I am feeling is that is not enough, 
that there still needs to be this credentialing, there still 
needs to be a culture shift on data security. And we need to 
make sure that access to the right information to the right 
people is still granted. Is that true?
    Ms. Finn. Yes, sir. I would agree. The biggest 
vulnerability I think for data is at the end user, you know, 
the laptop that is not encrypted. And as you said, it is easy 
to have 26 million records or data about individuals' privacy 
information.
    Mr. Walz. And, again, I appreciate all the work you are 
doing and all the folks that are here.
    I yield back, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Mr. Buyer.
    Mr. Buyer. Thank you very much.
    With regard to the security awareness training, where is 
this type of training done? So, in other words, at a medical 
center, a new employee comes in, who is responsible for that 
type of training?
    Ms. Finn. In VA for VA employees and I believe contractors 
also, we take an online course many times. It goes through the 
principles of information security and awareness and the 
vulnerabilities.
    Mr. Buyer. And who is responsible to ensure that that 
training actually took place or the person actually did it 
online?
    Ms. Finn. Well, I as the supervisor am responsible for 
ensuring that the people who work for me take it.
    Mr. Buyer. Okay.
    Ms. Finn. So for an employee within my own organization, we 
would monitor it.
    Mr. Buyer. Who within a medical center?
    Ms. Finn. Ultimately I would assume that it would be the 
Director of the medical center, through the various departments 
in the hospital.
    Mr. Buyer. Uh-huh. And what role or responsibility would 
the CIO at the medical center have to ensure that everyone is 
compliant?
    Ms. Finn. I am not certain whether they would receive a 
report or not. So I think probably VHA would be more able to 
address that and tell you how that works.
    Mr. Buyer. Okay. All right. I am here trying to figure out 
the best process.
    Okay? So, you know, when we talked about the centralizing, 
the purpose of centralizing and coming up with delineations of 
responsibilities, you know, I guess I am trying to--I agree 
with Roger Baker here that if, in fact, if it has the word 
computer on it, he owns it, you know. And so if, in fact, there 
is some training out there that is required, even if it comes 
under VHA, that CIO at that medical center, it is his business 
to get in somebody else's business.
    So you cannot stovepipe this type of stuff. Would you agree 
with that? I am trying to figure out, you know, you cannot just 
say, well, you are a supervisor, you have new employees, you 
just have to make sure it happens. Okay? Where does the 
accountability function come in? How do we do the check in the 
box? I do not want to build bureaucracies here, but I am trying 
to----
    Ms. Finn. Well, I think it is important that accountability 
is on everybody, that it is not just the CIO's problem.
    Mr. Buyer. Okay. It is not happening. You say that in your 
report.
    Ms. Finn. Yes.
    Mr. Buyer. So how do we get to there?
    Ms. Finn. How do we get to hold everybody accountable?
    Mr. Buyer. Yes.
    Ms. Finn. That will take a concerted push from all across 
the organization.
    Mr. Buyer. Well, I will tell you what. If we make sure that 
Roger Baker completely understands that if it deals with 
computers and it is security awareness and assurances, he owns 
it.
    And if it means that those of whom work for him at the 
VISNs and at the medical centers, if he has to get a little 
rough with the Chief Medical Officer or whomever at that 
medical center, if they are responsible, that is his business.
    Is that a good idea to do that or is that a bad idea to do 
that?
    Ms. Finn. I think I will take the high road and say I think 
it is a very intriguing idea. And I would have to look at the 
implementation over time to see how that would work out.
    Mr. Buyer. Well, I look at, you know, your report. 
Basically it comes back, sir, and says mixed reviews.
    Mr. Wilshusen. Right.
    Mr. Buyer. So I am trying to figure out if, in fact, we are 
saying to Roger Baker that you own it, he steps forward and 
says I accept responsibility, right, well, and then if you have 
individuals within VHA or in contracting want to go, ooh, not 
me, you know what, then whom?
    And if Roger Baker is going to say it is me, then he is not 
saying it is just me. He is saying it is my lines of authority. 
And if, in fact, it is his lines of authority, then sitting at 
that table when that Director sits at the head of the table and 
he has all of his staff there, that CIO has to be off the heels 
and on their toes and in people's business if, in fact, it is a 
computer system, right? I mean, am I----
    Mr. Wilshusen. What I would just say is that, you know, 
certainly the CIO under law, and this is including FISMA's 
responsibilities that it assigns to specific individuals, to 
the head of the Agency, to senior agency program managers as 
well, as well as the CIO, senior agency program officials also 
have responsibilities to ensure that security is appropriately 
implemented within their sphere of influence and over the IT 
resources supporting their program.
    The CIO, of course, is responsible for implementing the 
different aspects of an agency-wide information security 
program, which includes computer security and awareness 
training. And the CIO is also supposed to assist and help 
assure that the senior program managers are performing their 
responsibilities.
    So I would just submit that it is important for the CIO and 
those individuals that are responsible for ensuring that 
information security activities such as providing computer 
security awareness training to their employees are held 
accountable to assure that they, in fact, do that. One way to 
do that is to make that part of their performance appraisal 
system.
    Mr. Buyer. Bingo.
    Mr. Wilshusen. Is it part of the responsibilities of those 
individuals and are they being held accountable?
    Mr. Buyer. We talked about that 4 years ago.
    Mr. Wilshusen. That is exactly right.
    Mr. Buyer. Okay?
    Mr. Wilshusen. And we made that recommendation----
    Mr. Buyer. I remember this conversation.
    Mr. Wilshusen [continuing]. In the 2007 report. You know, 
to the extent that VA has implemented that particular aspect of 
that is one of the things we will be following up this year.
    Mr. Buyer. Mr. Chairman and to the Ranking Member here, 
that is an extremely important thing. I mean, that is something 
we do not have to legislate, you know. The Executive Branch can 
actually put this in. And I will be interested when the VHA 
comes up and testifies. We can ask them.
    We should not be handing out bonuses, right, you know, to 
individuals of whom are not in compliance with the law? And if 
we actually put it in their performance reviews or it is one of 
their line items, right, and they have not, then guess what, 
you get dinged. I mean, boy, you can get somebody's attention 
pretty quick, you know, and we do not have to legislate that. I 
mean, the Executive Branch can lean forward on it.
    And your point is very well taken. We have talked about 
that. I really do not know what has happened over the last few 
years with regard to that particular issue.
    But I yield back. Thank you.
    Mr. Mitchell. Thank you.
    Dr. Roe.
    Mr. Roe. Just one brief comment. What the Ranking Member is 
stating I think very clearly is those of us who have been in 
the military understand the chain of command. If you have two 
silver bars, the guy with one silver bar will say, yes, sir, 
no, sir, yes, ma'am, no, ma'am. We understand that. We get it. 
And so it is the chain of command.
    And my question, Mr. Chairman, is in the testimony here is 
in addition, Congress enacted the Veterans Benefits, Health 
Care, and Information Technology Act of 2006 after a serious 
loss of data earlier that year revealed a weakness in the VA's 
handling of personal information.
    Under the Act, VA's Chief Information Officer is 
responsible for establishing, maintaining, monitoring 
Department-wide information security policies, procedures, 
control techniques, training and inspection requirements as 
elements of the Department's information security program. And 
that is very clear to me. Whoever that person is, whatever that 
name is, they are the ones. The buck stops on their desk. And, 
I mean, it seems very clear to me that that is what you do.
    And I agree with you 100 percent that we should not be 
handing out bonuses. It is clearly stated right here in your 
testimony where this responsibility is.
    And I guess my question is, why did it happen?
    I yield back.
    Mr. Buyer. Would the gentlemen, would you yield to me for a 
second?
    Mr. Roe. I will.
    I will yield, Mr. Chairman.
    Mr. Buyer. When we designed this system, the reason that we 
sort of took the CIO and said, okay, we have them at the top 
and we are going to take the CIO out of this direct--actually, 
we did a direct chain of responsibility and authorities.
    I did not want a Medical Director to sit there when the CIO 
gives some push back to that CIO to be big-footed, you know. If 
there is a real serious concern, I do not want the Medical 
Director to big-foot him. That CIO works for the VISN CIO and 
works directly for Roger Baker. So we designed that system. It 
is sort of like the OIG being outside the system for the 
accountability function.
    And that is why I guess I am leaning right now on saying I 
think it is a good thing the way we have designed this system 
for that CIO at the medical center to get in people's business. 
I mean, it is his job. That is the reason we designed it that 
way.
    And you know what? It does not make them very popular at 
the table. But, you know, they just have to do that. And we 
designed it to be like that.
    I yield back.
    Mr. Roe. I yield back.
    Mr. Mitchell. Thank you.
    And I want to thank the panel this morning and appreciate 
your service very much as all of us do in this Committee. Thank 
you.
    I would like to welcome panel two to the witness table. And 
for our second panel, we will hear from the Honorable Roger 
Baker, Assistant Secretary for Information and Technology and 
Chief Information Officer, U.S. Department of Veterans Affairs.
    Mr. Baker is accompanied by Jaren Doherty, Acting Deputy 
Assistant Secretary of Information Protection and Risk 
Management, Office of Information and Technology (OI&T); Jan 
Frye, Deputy Assistant Secretary for Acquisition and Logistics; 
and Fred Downs, Jr., Chief Procurement and Clinical Logistics 
Officer for the Veterans Health Administration.
    And I would like to recognize Mr. Baker up to 5 minutes. 
And, please, keep your testimony within 5 minutes because your 
whole testimony will be part of the record.
    Mr. Baker. Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.

   STATEMENT OF HON. ROGER W. BAKER, ASSISTANT SECRETARY FOR 
   INFORMATION AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, 
   OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF 
 VETERANS AFFAIRS; ACCOMPANIED BY JAREN DOHERTY, ACTING DEPUTY 
    ASSISTANT SECRETARY FOR INFORMATION PROTECTION AND RISK 
    MANAGEMENT, OFFICE OF INFORMATION AND TECHNOLOGY, U.S. 
 DEPARTMENT OF VETERANS AFFAIRS; JAN R. FRYE, DEPUTY ASSISTANT 
SECRETARY FOR ACQUISITION AND LOGISTICS, OFFICE OF ACQUISITION, 
   LOGISTICS, AND CONSTRUCTION, U.S. DEPARTMENT OF VETERANS 
 AFFAIRS; FREDERICK DOWNS, JR., CHIEF PROCUREMENT AND CLINICAL 
    LOGISTICS OFFICER, VETERANS HEALTH ADMINISTRATION, U.S. 
                 DEPARTMENT OF VETERANS AFFAIRS

    Mr. Baker. Ranking Member Buyer, Ranking Member Roe, 
Members of the Committee, thanks for the invitation to talk 
about FISMA. Thank you for introducing the folks that are with 
me today.
    And rather than recapping my written testimony, given 
Congressman Buyer's letter to Secretary Shinseki this past week 
and the addition of Mr. Downs and Mr. Frye to the panel, I 
would like to use my time for my oral testimony to recap some 
of the changes being made at VA in the information protection 
area.
    Last year, I tasked my Information Protection and 
Operations staffs with implementing technologies that would 
provide our Central Network Security Operation Center with 
visibility to every device on our network. Currently our plan 
calls for this work to be completed by September 30th of this 
year.
    This visibility is essential to allow us to ensure that our 
policies are being followed throughout the enterprise and 
monitored, that unauthorized devices are not allowed to connect 
to the VA network, that all non-medical data devices are 
encrypted, that all VA systems have intrusion protection 
software operational, that all VA systems are configured to 
prevent non-encrypted memory sticks, and that all devices have 
had the latest patches applied.
    This capability will address a large portion of the 
outstanding recommendations from our FISMA audits, help us 
better protect our networks and information. It will bring us 
further along the path towards our goal of being among the best 
organizations public or private in information protection.
    As recent events have shown, however, we cannot be 
satisfied with protecting veterans' personal information just 
on the VA network and VA-owned devices. Providing care and 
benefits for our veterans requires that VA partner with over 
22,000 private sector companies across the United States to 
form our complete supply chain and that we share information 
with them that will allow us to help provide those services.
    Our policy which is stronger than any similar sized private 
sector organization that I am aware of is that these supply 
chain partners must follow VA's information protection policies 
including encryption of mobile devices.
    Each contract we sign with a supply chain partner that 
involves information exchange must contain a clause requiring 
their adherence to VA Directive 6500.
    As you are aware, a laptop computer containing the 
unencrypted information from over 600 veterans was stolen from 
the automobile of a VA partner company employee on April 22nd 
of this year. This information was not encrypted despite the 
fact that contracts with the company included the required 
security clause and that the company had certified to the VA 
that they were in compliance with the clause.
    While VA is conducting a formal root cause analysis to 
determine all the changes that we need to make, we have 
immediately implemented several changes to address weaknesses 
in our execution identified by this event.
    First, at the request of Mr. Downs and VHA, staff from the 
Office of IT Oversight and Compliance (ITOC) within my 
organization will deploy to selected sites to review all 
contracts and ensure that the necessary contract clause for 
information security has been included in all contracts where 
information is exchanged.
    I would note the way we selected those sites is they are 
the ones that did not have the clause with that particular 
vendor. So they kind of self-selected.
    I am expanding the purview of my information security 
officers at each site to include the review of all contracts 
where any information is exchanged. Previously their scope had 
been limited to IT contracts.
    I have instructed my IT Oversight and Compliance leadership 
to include a review of all contracts again where information is 
exchanged as part of the information security audit they 
perform at each VA facility. As with the Information Security 
Officers (ISOs), this had been previously limited to IT 
contracts.
    And as part of their review, the ITOC folks will also 
randomly select a number of contracts at each facility for a 
more in-depth audit of that partner's compliance with VA's 
security policies including on-site inspections.
    These steps put VA in an unprecedented position of auditing 
our supply chain partners to ensure compliance with our 
information protection policies. While it is impossible to 
audit all of our partners, these steps should provide us with 
substantially improved insight into the level of protection 
provided to veterans' personal information anywhere it exists 
in our extended enterprise.
    Even when we achieve our overall information security goal 
of being comparable to the best private sector organizations, 
data breaches will remain an unfortunate fact of life.
    Today the majority of data breach incidents we report to 
this Committee on a monthly basis are paper, not electronic in 
nature. For that reason, we have established a data breach 
handling process and office that I believe are among the best, 
if not the best in the country.
    We have established mandatory annual security and privacy 
training for all VA employees and we have installed information 
security and privacy officers at each of our facilities to 
ensure a local focus on those issues.
    We are working to establish a culture that encourages 
everyone to come forward when a data breach is suspected so 
that it can be quickly and effectively dealt with.
    We recognize that we are far from perfect and that we have 
a long way to go to achieve our information protection goals. 
But I hope this Committee will recognize the work of the many 
VA employees and contractors, people of good will and earnest 
effort, who have already brought about a substantial 
improvement to our information protection capabilities.
    I thank the Committee for your long-term support and your 
long-term attention to these issues. And my colleagues and I 
look forward to your questions. Thank you.
    [The prepared statement of Mr. Baker appears on p. 43.]
    Mr. Mitchell. Thank you, Mr. Baker.
    And I do recognize and I think everyone here recognizes the 
hard work that the VA employees are doing.
    A couple quick questions. In fiscal year 2009, the VA had 
the lowest of any reporting agencies of government log-in users 
who are trained on information security awareness.
    And what is the reason for this low number?
    Mr. Baker. Congressman, I am better prepared to speak to 
where we are today than----
    Mr. Mitchell. Okay, sure.
    Mr. Baker [continuing]. That number. But we can go forth on 
numbers.
    Mr. Mitchell. Right.
    Mr. Baker. One of the reasons that I understand is that in 
the past we had not removed contractors from the database that 
were no longer contractors at the company or at the 
organization and so they would remain in those that looked like 
they needed training and they were not available to take the 
training.
    But rather than go through those, let me tell you where we 
were as of yesterday.
    Mr. Mitchell. Okay.
    Mr. Baker. Of the 453,000 people that we viewed as needing 
to take the security training, we had a compliance certificate 
for 413,389 of them. That is roughly 91 percent. On privacy 
training, of the 417,000 we viewed as needing to have a 
certificate, we had 375,000 that were viewed as compliant or 
about 90 percent.
    Those are the numbers that I was provided when I asked 
yesterday. As was pointed out, we have an automated database 
for tracking all this. Our learning management system is where 
all this training is done, so we are able to keep track of who 
takes the training.
    In particular, a discussion that we are having right now is 
with all of the new school folks, all the new trainees coming 
through, roughly 100,000. How will they be quickly trained 
including mandatory security and privacy training and ensure 
that they are in compliance as they come through the door?
    And my understanding is that over the next couple of 
months, we will bring about 100,000 of those folks into the VA. 
They have to take that training before they are allowed on the 
VA systems. And we are currently working that particular issue.
    So I think our numbers have gone up by what I am seeing.
    Mr. Mitchell. And along the same line, I do not want to go 
back to see where we are from today. The Federal Desktop Core 
Configuration, FDCC, said that in the past, the VA ranked very 
low, 22 out of 24.
    Can you explain why the VA only had between 26 and 35 
percent of its workstations and laptops in compliance? I assume 
that is past also and that you are also abating that?
    Mr. Baker. I know that number has gone up. A lot of that 
has been affected by the fact that with our desktop lease, we 
have been replacing old desktop systems with newer ones that 
can meet the core configuration.
    There are a couple of systemic things that we do have. We 
have a number of applications that are critical to us that have 
to be granted waivers. I believe that is viewed as being in 
compliance with the waiver, but the waiver has to be granted.
    And let me ask Mr. Doherty if he has any comments further 
from that standpoint.
    Mr. Doherty. We have actually spent the last year and a 
half going through FDCC in detail. We have granted over 30 
waivers. And what a waiver is is it changes the FDCC compliance 
requirement at the National Institute of Science and Technology 
so that it will not break any of our applications or disrupt 
any of our processes.
    We are currently at about 70 percent of all of our 
workstations implemented and we are implementing the FDCC as 
part of the desktop replacement. And that should be completely 
finished by the end of next fiscal year.
    Mr. Mitchell. Very good.
    Dr. Roe.
    Mr. Roe. Just a couple.
    First of all, Mr. Baker, you have an enormous job in front 
of you. My hat is off to you for that, to make sure you have 
security on how many 10s of thousands of computers there must 
be in the system.
    Mr. Baker. About 450,000.
    Mr. Roe. Four hundred and fifty thousand, wow.
    I know that my experience with an electronic medical record 
is in our own practice with 350 employees involved, we, to my 
knowledge, so far in 3 years of that system, we have not had 
any security breaches. And basically we are very careful about 
who gets in. And everyone is trained.
    I think the training is absolutely paramount and to 
emphasize to people how important this is, that now with the 
capacity of people outside the site to hack and get in, that 
information of veterans which should be no one's but the 
veteran's personal information should be shared with anyone.
    I want to make sure I understood this. By September of 
2010, that is only about 90 days from now----
    Mr. Baker. That is right.
    Mr. Roe [continuing]. All this is supposed to be taken care 
of? I mean, we are going to----
    Mr. Baker. I would not go so far as to say it will all be 
taken care of. Visibility to the desktop will provide us with 
the ability to monitor a number of things that we have had to 
trust to this point.
    I frequently use the Ronald Reagan phrase of trust but 
verify at this point. We will have electronic access to review 
every desktop on the network and verify that they are in 
compliance with the things that we believe they should be in 
compliance with.
    So I think it gives us a much greater belief that, for 
example, their patching levels are at the right level. They are 
not going to get viruses they should not get, that they are 
configured in such a way that unauthorized devices cannot come 
into the network, and we have had issues with that in the past, 
that those devices that are supposed to be encrypted are, in 
fact, encrypted. So it is a level of confidence that no CIO at 
VA has ever been able to provide before.
    I know I testified in front of this Committee a few months 
ago and was asked I believe by Congressman Buyer that question. 
If I am going to provide you with a certain statement, you 
know, we are in high 90s compliance, then I am going to do that 
when I have not just people throughout the organization 
reporting that to me on paper, but when I have an organization 
that can look at those devices and say we are in 99.95 percent 
compliance on this issue. And that is where we are going by the 
September 30th date.
    Mr. Roe. Well, that is impressive. I think the thing that 
just me sitting here now a year and a half is that, you know, 
we had the, and this has nothing to do with you, but the Vision 
Center of Excellence which a year ago in March, I think we had 
our first hearing and we are now a year later and I cannot tell 
it has moved off the mark very much.
    And I know we were told that DoD and VA at Great Lakes were 
going to be able to interface and all that by this fall and now 
it probably will not happen.
    So I really believe the security breach is one of the most 
important issues that we face because of identity theft that is 
going on in the country now.
    I know that my wife used a credit card here in Washington, 
DC, on her last visit and because that was out of the ordinary, 
when I went home to use it, you could not use it. I mean, they 
were very careful about how they--and I appreciate that as a 
consumer.
    And as a veteran, I appreciate the VA's best effort at 
being able to make sure that we do not lose valuable data from 
veterans that have served.
    I yield back my time.
    Mr. Mitchell. Thank you.
    I will let Mr. Zach Space get a little oriented here and I 
will ask Mr. Buyer if he would like to go. Well, he just walked 
in, so let him get settled here. Go ahead.
    Mr. Buyer. Okay. Thank you.
    Mr. Baker, you were sitting here when I had a discussion 
with the first panel and, you know, the reaction from the OIG 
with regard to who, I am sort of paraphrasing this now, but who 
is going to be responsible for the protection of certain 
information. Obviously their reaction was that the supervisor, 
direct supervisor. Well, I will agree.
    But as soon as that information ends up in the IT 
environment, does it not change? I am going to throw that now 
to you.
    Mr. Baker. Yes. I believe at this point, and I will freely 
admit that this incident has caused us to look at the scope of 
control that IT has taken on these things, but recognizing 
that, we have recognized that we need to accept responsibility 
for protecting veterans' information wherever it exists in our 
very extended supply chain as the VA.
    And that means going beyond writing the policy which has 
been the primary role of IT, you know, from the past and into 
looking at everywhere it is going, not just in the IT systems 
of the VA, but throughout all of our partners and their IT 
systems.
    I would also point out, to make this point again, paper is 
becoming even more interesting than electronic for us. There 
are a lot of things we can do to lock down our electronic 
systems.
    I agree with Congressman Roe's point that paper is slower, 
but paper is also harder to detect from an information breach 
standpoint. And so it is an interesting point.
    Back to your point, yes, we have extended the controls at 
this point and we will take that responsibility.
    Mr. Buyer. Secretary Frye, you oversee VHA contracting, 
correct?
    Mr. Frye. I do not oversee VHA----
    Mr. Buyer. You do not?
    Mr. Frye. No, I do not oversee VHA contracting. We have a 
decentralized system across the VA and VHA has their own 
authority to let contracts and administer those contracts.
    Mr. Buyer. Okay. So I should ask this question of Mr. 
Downs. Is that what you are doing? You are kicking the guy to----
    Mr. Frye. No, I am not, sir. I write policy.
    Mr. Buyer. Well, let me ask--pardon?
    Mr. Frye. I write policy. I am responsible for formulation 
and promulgation of policy across the VA. But I do not own the 
contracts per se for VHA. That is the point I am trying to get 
across.
    Mr. Buyer. And the point I am about to try to get across is 
you should. I dislike the decentralized process. I dislike it. 
I detest it. And I would prefer to have testimony by someone 
that would say I own it, not just I give policy. I would love 
to be able to change the law that says he owns it. I detest, I 
am going to repeat, I detest this decentralized model.
    When we move into our procurement reform, Mr. Chairman, I 
am hopeful that we can work together to move to more 
centralization.
    Now, the contractor in question that experienced a stolen, 
unencrypted laptop had 69 contracts involving 13 VISNs and 30 
VA medical centers. Each of these contracts were separately 
negotiated and 25 lacking the required security clauses. This 
is not a good example of a decentralized contracting system.
    Now, Mr. Downs, you are the Chief Procurement Officer for 
VHA, correct?
    Mr. Downs. That is correct.
    Mr. Buyer. Now, can you tell us what your responsibilities 
are with respect to contracting and the procurement process in 
VHA?
    Mr. Downs. Yes, sir. I am the Chief Procurement and 
Logistics Officer for VHA. And my job is to oversee the 
complete supply chain within VHA, logistics, the acquisition, 
procurement, and prosthetics, which all go to support the 
medical care system.
    And I have a Deputy in each one of those positions, 
procurement, logistics, and prosthetics. They are the ones then 
who are responsible for making sure that the policies are 
carried out within VHA at all levels.
    And in the procurement area, we have centralized all of 
those contracting officers to my direct chain of command. We 
will finish that with all the other purchasing elements in VHA 
by the end of this fiscal year.
    Mr. Buyer. However we are going to do this, Mr. Chairman, 
we have got Secretary Frye. He is sitting in the Central 
Office. He is the guy that directly responds to the Secretary. 
And I am trying to figure out how we link this so we have 
better command and control. I am not there yet. I am looking 
for ideas on how best to do this as we move forward with our 
legislation.
    The Acquisition Service Center in VISN 9 at Murfreesboro, 
Tennessee, comes directly under you; does it not, Mr. Downs?
    Mr. Downs. Yes.
    Mr. Buyer. So now that you said that you are centralizing, 
these contracting officers then, do they work for you?
    Mr. Downs. Yes, they do work through the chain of command. 
The way I have set it up, we have the Deputy Procurement 
Officer and then we have set up three service area officers 
divided so we have span of control. And within that one is a 
Central SAO, Central Area Officer. And so those contracting 
officers and----
    Mr. Buyer. So are the contracts then that are let at the 
Acquisition Service Center then reviewed at a higher level?
    Mr. Downs. Yes, sir.
    Mr. Buyer. Okay. When they are reviewed at a higher level, 
I mean, obviously they know now about the security clauses that 
are required, but for whatever reason, that was not picked up, 
right? Contracts were being let without that and we are having 
to go back in and do the modifications?
    Mr. Downs. In some cases. But, again, it is a question of 
what type of contract was it. When we went through our review 
last year of the 23,000 contracts and there were 6,000 
contracts that did not have the security clause that we felt 
needed to be inserted, we asked for certification that that be 
done.
    And the certification came to us last year and said that 
those they believed needed the IC or the security clause had 
been added. There were questions on some others. There were 578 
where the vendor refused or did not believe that they had to 
sign that clause or have it assigned to them.
    So we then went into a mode where we had to look and see, 
well, what is the reason behind that, is it valid. And not all 
were required to have that clause. The remaining contracts of 
this 578 were critical to our medical centers' ability to 
provide patient care.
    And they are either for the direct health care services 
with our nursing homes, our hospice physicians, academic 
affiliations, or in direct support of our health care 
maintenance on medical equipment for MRIs, CT scanners, for 
instance.
    And we had to weigh that because the risk of not having the 
contracts was high and the guidance was simply not clear on the 
applicability of the clause to health care contracts. That was 
hard for people to figure out, particularly where those medical 
doctors were covered by the Health Insurance Portability and 
Accountability Act or where the VA did not own the data.
    So we consulted with legal, privacy, and the ISOs and the 
consensus was VA Handbook 65 was being revised to clarify the 
clause. And so we are waiting for that to occur.
    Mr. Buyer. Do you own compliance responsibility?
    Mr. Downs. Excuse me, sir?
    Mr. Buyer. Do you own compliance responsibility?
    Mr. Downs. Yes, within VHA.
    Mr. Buyer. You do? What are the consequences for a 
contractor's false certificate of compliance?
    Mr. Downs. When a contractor has----
    Mr. Buyer. Yes.
    Mr. Downs [continuing]. False compliance, then I would have 
to work with General Counsel to determine what, after due 
process, what had to be done.
    Mr. Buyer. And what actions have you taken against those 
contractors out there that have false certificates?
    Mr. Downs. Well, on this recent occurrence, we have issued 
a--the show cause letters have gone out to all of those 55 
contracts with this particular vendor. And when we get results 
back from the show cause, we will then meet with the Office of 
Acquisition and Logistics (OAL) and we will meet with the 
General Counsel.
    Mr. Buyer. At what point in this process do you communicate 
with Roger Baker? If you are saying, okay, I have 
responsibility with compliance, he has some overlying 
responsibility, too, because he is looking to make sure that 
things are going to be taking place, how do you two 
communicate?
    Mr. Downs. Absolutely. We talk on a regular basis as far as 
that goes. But this particular issue here was a security 
clause. We have looked at what we have to do to strengthen our 
ability to ensure that IT clause is in there, clarify it. So he 
has initiated an audit process, which I will let him discuss. 
So his folks will be reviewing the contracts.
    We have sent orders out to our contracting officers that on 
every contract that they suspect or even close to being either 
IT security or patient information sensitive, they will meet 
with the ISO and have a discussion as to whether this 
particular contract does need that clause or not.
    Mr. Buyer. May I ask one more?
    All right. You have articulated very well with regard to 
teams that you have put together with regard to this issue on 
compliance and the medical services provided is, quote, so 
important.
    So much of our medical technology also incorporates IT. 
Okay? So some of the radiological systems that you have also 
mentioned is IT.
    I am trying to figure out here, Mr. Chairman, how are we 
going to ensure compliance. I mean, if we have a contractor out 
there that is saying I am not going to sign your mod, you are 
doing some contracting for maybe a radiological service out 
there and they are saying we are not going to sign.
    You have a CIO sitting at the medical center that says to 
the Medical Director, you are not in compliance. How do we 
resolve this? Seriously, gentlemen. How do you resolve that? 
How do you do that?
    Mr. Baker. If I could, that is the challenge at large 
across the organization with this information. The primary 
purpose for the information is to provide care to veterans. We 
have to protect that information from unwanted access at the 
same time that we provide it to anyone who wants to do it.
    You touched on the point of medical devices which adds 
another layer of complexity because many of the medical devices 
are certified by the Food and Drug Administration (FDA) in a 
particular configuration to operate a certain way.
    Mr. Buyer. Medical devices meaning medical technology?
    Mr. Baker. Medical technology. We have to be very careful 
from an IT perspective how we interact with the medical 
technology.
    For example, we cannot apply patches to that technology 
because it could have unknown effects on the performance of, 
say, an MRI machine or something along those lines. It adds 
another level of complexity and it is something that I believe 
VHA is tackling in advance of the rest of the country.
    You know, we see it. We are working together on it. But to 
that point, it is a mutual. It is IT and it is medical and it 
exemplifies the whole discussion around VHA and OI&T related to 
information. How do we do great medical care and protect the 
information at the same time?
    Mr. Buyer. I do not know. Seriously, I do not know and that 
is why we are going to lean to you to do that because you have 
to safeguard. You are the guardian, right? Both of you, you are 
the guardian of that. I am going right at you, Mr. Chairman. 
You are the policy guy.
    Mr. Frye. Yes. Mr. Buyer, there is a methodology where we 
would unilaterally apply the security clause to a contract, 
whether the contractor likes it or not, and he can come back to 
us under the changes clause and protest that perhaps and 
attempt to charge us for insertion of that clause. We were very 
clear, I believe, on our instructions to the contracting 
officers to do that.
    Now, I think the 570 some contracts that Mr. Downs talked 
about had other issues, at least based on what I have been 
told. In some cases, for instance, under fee basis, the 
physicians that a veteran would see are not under contract. And 
so the fee-basis provider owns that information. The VA does 
not. There is no contract in place. So we would not put a 
clause in any contract because there is no contract.
    So that is an issue that Mr. Downs has been working with 
General Counsel. But clearly if we have a contractor that is 
recalcitrant, who refuses to accept the clause, we can either 
terminate the contract or we can unilaterally apply it and let 
them come back to us under the changes clause.
    Mr. Buyer. Thank you, Mr. Chairman.
    Mr. Mitchell. Thank you.
    Just to kind of follow up, why do you not just put the 
security clause in every contract and let them, as you said, 
challenge it?
    Mr. Frye. That is a good question, Mr. Chairman. Here is 
what we did. In November of 2008, we put the security clause in 
our electronic contract writing system so that every contract 
that is now written in the VA has that clause in it. The only 
way it can be removed is by a conscious decision by a 
Contracting Officer. So they have to take a positive step to 
remove it from any contract they develop.
    The contracts we are talking about are those contracts that 
were let before November of 2008. There was a decision made by 
Mr. Baker's predecessor not to include that clause, the 
security clause, in any contracts that were let prior to 
November of 2008.
    When our new Secretary came on board, Secretary Shinseki 
said, hey, we have some risk here and working with Mr. Baker, 
they decided to go back retroactively and apply this clause to 
those contracts that did not have them.
    So, in fact, we looked at nearly 30,000 contracts and 
22,700 of those were in VHA. The rest of them were in 
organizations that fall under my purview.
    Mr. Mitchell. Let me just ask one quick question. Are these 
contracts for life?
    Mr. Frye. No, sir.
    Mr. Mitchell. How often do you renegotiate them?
    Mr. Frye. Normally when we put contracts in place, we put a 
contract in place with a base year and option years. And those 
option years usually consist of 4 years so that we get a total 
of 5 years out of a contract if we decide to exercise those 
options. Yeah. The base lasts for 1 year and the clause that we 
put in the contract lasts for the entire life of the contract 
if we exercise the options.
    Mr. Mitchell. Thank you.
    Mr. Space.
    Mr. Space. Thank you, Mr. Chairman.
    Just as a follow-up, if you know, why would Assistant 
Secretary Baker's predecessor determine to take out the 
security provisions from the contract?
    Mr. Baker. I do not think it was a taking out. I think it 
was which contracts does it apply to effective today. And the 
decision was made that it would apply to all new and that at 
that point, they would not go back and look retroactively.
    I would tell you that, I think the culture at VA has 
changed incredibly under the new Administration, under 
Secretary Shinseki. It is a much more cooperative arrangement 
between OI&T and VA. And it is very clear that we will continue 
to operate that way while Secretary Shinseki is on the 10th 
floor.
    I think I probably have more ability to work with VHA and 
encourage them to look at things a certain way than my 
predecessor did.
    Mr. Space. Great. And I certainly want to agree with you 
that General Secretary Shinseki has, I think, begun to change 
the culture at the VA in a very positive way. But I have to 
tell you I am a little bit disturbed by how some of these 
breaches were handled and I will explain if you will allow me.
    I have a copy of the letter that was sent to those veterans 
whose identities or personal information have been compromised 
as the result of either the theft of the laptop or the loss of 
the binder in Texas.
    And in that letter, first of all, it is from the Veterans 
Health Administration and not from the VA. I just really felt 
that this was such an important issue that perhaps some, and 
this is meant as no disrespect to Mr. Downs at all, but I felt 
that this was such that perhaps it should have gone higher up 
the chain in terms of creating the illusion of importance which 
it is very important.
    Also, you know, if you read the language in the letter, it 
seems to implicitly put blame on a contractor. It refers to a 
Heritage provided unencrypted laptop.
    And, you know, one of the things that I really feel very 
strongly about and I think that one of the things about the VA 
culture that Secretary Shinseki has been working very 
effectively on is understanding that at times, you have to 
stand up and accept responsibility when a mistake has been 
made.
    When that happens, the likelihood of that mistake being 
repeated goes down dramatically. And for what it is worth, you 
know, I would have liked to have seen maybe a more honest or 
open expression of the circumstances surrounding the security 
lapse.
    And I guess along those same lines, apart from this letter, 
was there any other effort made to notify those veterans whose 
identity or private information may have been compromised?
    Mr. Baker. The letter is the primary notification to the 
veteran. We take a lot of care in finding an address for those 
veterans, recreating what information was there and making 
certain that we know which veterans to notify.
    We have not yet determined if we will put out a what in 
this case would be a national press release on this. This is an 
interesting breach because of the way it, if you will, impacts 
with the HITECH Act. The recent implementation of the HITECH 
Act says that over 500 people in a jurisdiction triggers 
an automatic press release in that jurisdiction.
    Mr. Space. Uh-huh.
    Mr. Baker. In this case, there were 10s of people in each 
of a variety of jurisdictions. So while legally in the reading 
of the HITECH Act the advice we have gotten is, well, 
legally it does not trigger it. We have not made a management 
decision as to whether we will press release at this point.
    Mr. Space. Yeah. And that is a decision that you will have 
to make, but it would seem to me that issuing a press release 
would certainly be in compliance with the spirit of those 
provisions.
    I know that from the information I have that approximately 
3,200 veterans had their personal information exposed, but my 
understanding is that is the result of the loss or theft of a 
binder and clipboard on April 24th. Is that a correct figure?
    Mr. Baker. I do not know the date specifically, but that is 
basically correct, yes.
    Mr. Space. Do we know how many veterans may have had their 
personal information exposed as a result of the laptop theft?
    Mr. Baker. It was just over 600.
    Mr. Space. Okay.
    Mr. Baker. Do we know the exact? Six forty-four, I think, 
is the right number.
    Mr. Space. And there has been no effort to reach out 
personally to these veterans on the telephone or via anything 
other than a letter?
    Mr. Baker. Beyond a letter, I am not aware of anything 
further done, no.
    Mr. Space. Okay. All right. Thank you, Mr. Baker.
    I yield back.
    Mr. Mitchell. Thank you.
    Mr. Buyer.
    Mr. Buyer. I have a liability question. Secretary Frye, 
with regard to your policy and you have a contractor of whom is 
now responsible for a breach, what is the policy with regard to 
going back against the contractor for the cost that we have now 
incurred with regard to notification and credit monitoring?
    Mr. Frye. That is a very important question. We do have 
recourse against the contractor. First of all, we could 
terminate the contractor for default. And we may do that in 
this case. As Mr. Downs has said, we have already issued show 
cause letters.
    Second, we are going to take some action against them with 
regards to past performance and enter that into the database 
that is used nationally to talk about past performance to other 
contracting officers when they attempt to let a contract.
    Thirdly, we have remedies in court. And, of course, I do 
not get involved with those. We let counsel take care of those. 
But there are remedies in court in case we suffer damage that 
requires us to take them to Federal Court.
    Mr. Buyer. Thank you.
    Mr. Downs, then you are going to take the position then, 
you issue your show cause letters and you are going to go after 
these contractors to recoup the costs? Is that what you are 
attempting to do?
    Mr. Downs. When the response comes back from the show 
cause, we will sit down with General Counsel because we will 
have to follow their guidance on what is best to do. And, of 
course OAL is involved with that. Mr. Frye's office and Mr. 
Baker's office will be involved with that because this is a 
team effort as we try to work our way through this so that we 
are able to make corrections and ensure that it does not happen 
in the future and, if so, then what is our best course of how 
we would address it. But, yes, sir.
    Mr. Buyer. Mr. Chairman, not only are we put on notice with 
regard to these contractors, but we are willing to hold them 
responsible and recoup the costs where they are going to 
participate with the compliance on security assurances.
    I yield back. Thank you.
    Mr. Baker. Sir, if I could just make one point to the 
credit of the contractor. They self-reported this and they have 
been very cooperative from the point forward. It does not 
mitigate what they did not do right, but since their name has 
come out, I do want to point out that they have been very 
helpful in identifying, for example, who were the veterans who 
needed to receive the letter.
    You know, if you look at the timeline on this, they 
notified VA very quickly. And as we build that culture, it is 
important that we encourage people to report because we cannot 
mitigate the issue unless we know about it.
    So having said that, to Congressman Space's point, having 
in essence said the contractor is responsible, VA also is 
responsible. We need to make certain that our culture allows 
them to report and encourages that type of approach to things.
    So thank you.
    Mr. Mitchell. Thank you.
    You know, it is one thing to have hearings like this to try 
to find out what is going on, but we would like to have you 
follow up at least by September on where you are on all of 
this, the progress you are trying to make, and give us a report 
back on the status of your work.
    Mr. Baker. Sir, given the date for this is supposed to be 
September 30th, would October 15th be an adequate date?
    Mr. Mitchell. That would be fine.
    Mr. Baker. Great.
    Mr. Mitchell. Thank you.
    I want to thank all of you for your service to this country 
as well as to the veterans of this country. And we appreciate 
everything you are doing and keep up the good work.
    Thank you.
    Mr. Baker. Thank you.
    [Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

        Prepared Statement of Hon. Harry E. Mitchell, Chairman, 
              Subcommittee on Oversight and Investigations

    Thank you to everyone for attending today's Oversight and 
Investigations Subcommittee hearing entitled, Assessing Information 
Security at the U.S. Department of Veterans Affairs.
    Today, we will examine the current status of information security 
at the VA and its ability to protect itself against both malicious and 
accidental sensitive information breaches. The Department of Veterans 
Affairs employs its sophisticated computing infrastructure to store the 
health and financial records of millions of American veterans and their 
families. Each day, there is the potential for millions of attempts to 
gain unauthorized access to government computers that hold this 
information through unsecure ports and other means.
    The risks to the VA of not implementing a sound information 
security program are considerable, and unfortunately, have already been 
seen through several situations in the past. Just recently, we have 
learned of two data breaches: In Texas, 3,265 veterans' records were 
compromised when information went missing from a facility conducting 
lab tests. In a second instance in Texas, a VA contracted company had a 
laptop stolen, compromising the records of 644 veterans. These recent 
data breaches are proof that the VA still has a long way to go in 
ensuring our Nation's veterans that their most sensitive information is 
being safely stored and handled.
    The Federal Information Security Management Act of 2002 or FISMA is 
a critical and evolving mandate designed to help Federal Government 
entities, including the VA, protect personally identifiable and 
otherwise sensitive information. In March of this year, the Office of 
Management and Budget (OMB) released its FY 2009 report on FISMA. 
Unfortunately, the VA ranked dead last among other FISMA monitored 
agencies in areas such as the percent of log-in users trained on 
information security awareness, and also in the issuance of personal 
identity verification. Additionally, the OMB report also lists the VA 
as one of 6 federal agencies identified as having a material weakness.
    It is clear that the VA has a wide range of areas in which it must 
improve its information security infrastructure. Strengthening 
interagency network connections, access controls, and improving 
configuration management are some of the things that will yield 
positive results in securing VA's computing network. In light of the 
recent data breaches in Texas and OMB's recent release of its FY 2009 
FISMA report, there is no better time to review VA's information 
security posture, and hear from the Department how they plan to address 
the challenges they face in securing the personal information of our 
Nation's veterans.
    I am pleased that both the VA Office of Inspector General and the 
Government Accountability Office are here to shed light on additional 
improvements that the VA can make. I look forward to your testimony.

                                 
  Prepared Statement of Hon. David P. Roe, Ranking Republican Member, 
              Subcommittee on Oversight and Investigations

    Thank you Mr. Chairman. I appreciate you holding this important 
hearing.
    The security of the information the Federal Government has under 
its purview is of paramount importance. Recognizing that importance, 
Congress passed several acts to increase security awareness throughout 
federal agencies, including the Department of Veterans Affairs. In 
2002, Congress passed the Federal Information Security Management Act 
(FISMA), which permanently reauthorized the framework laid out by 
previous legislative initiatives such as the Computer Security Act of 
1987, the Paperwork Reduction Act of 1995, the Information Technology 
Reform Act of 1996 (Clinger-Cohen), and the Government Information 
Security Reform Act of 2000. The enactment of FISMA was a critical step 
to ensure the continuation of requirements and therefore the ability to 
effectively identify and track the Federal Government's information and 
system security status.
    Prior to 2001, the VA Inspector General (IG) and other outside 
agencies had expressed concern and identified material weaknesses 
regarding information security management at VA. Since 2001, IG reviews 
of VA FISMA compliance continued to identify significant information 
security vulnerabilities that placed VA at risk of denial of service 
attacks, disruption of mission-critical systems, and unauthorized 
access to sensitive data. Numerous security weaknesses were identified, 
but generally not corrected by VA, even after the IG identified repeat 
weaknesses over several years. One glaring example of this state of 
affairs was demonstrated by the FY 2004 report where the IG made 16 
recommendations to VA to strengthen information security management, 
which remained open at least up to May 23, 2006.
    Since the data breach of May 2006, the second largest in the Nation 
and the largest in the Federal Government, we have seen the 
centralization of VA's information management, including information 
security. These efforts have continued through the current 
administration under Assistant Secretary Baker's lead. I appreciate the 
massive undertaking by both the previous Administration and the current 
Administration to tighten the controls on protecting the data of our 
Nation's veterans. However, while progress has been made in 
centralizing the IT Department at the VA, I am uncertain how much 
progress has been made in protecting the information managed by the 
department.
    In reviewing the FISMA reports issued by OMB over the past 7 years, 
I am concerned about VA's status with respect to information security. 
In May 2006, the VA did not even file a report on its FISMA compliance. 
In 2007, the VA received an ``F'' on its FISMA compliance. Most glaring 
is the recent 2009 FISMA report, which shows that even though VA has 
over 500 FTE assigned to security-related duties, it has the lowest 
percentage of log-in users trained in information security (>65 
percent), and the lowest percentage of Personal Identity Verification 
credentials issued by the agency (<5 percent) to employees and 
contractors.
    I am highly concerned that VA is just not taking information 
security seriously enough. The protection of the personal information 
of our Nation's veterans should be a high priority at the Department. 
We do not want another security breach at the Department, and we 
certainly don't want one that would reach the level of the May 2006 
breach. But if VA continues on its current path, we may have just that.
    On April 28, 2010, my staff was alerted to a stolen laptop which 
had access to VA medical center data. This contractor-owned laptop was 
unencrypted, and possibly contained the personal identifying 
information (PII) of approximately 644 veterans. Upon further 
investigation, we learned that in November of 2009, the Department 
issued a directive for VA to incorporate VA Acquisition Regulation 
(VAAR) clause 852.273-75, which provides for the ``Security 
Requirements for Unclassified Information Technology Resources.'' VA 
reviewed 22,729 contracts to determine whether the contracts required 
the inclusion of this clause--6,440 required the inclusion of VAAR 
852.273-75, 5,665 contracts have the clause inserted (88 percent), 578 
contractors refused to sign the clause (9 percent) and an additional 
197 still require the clause (3.1 percent).
    I have many questions over this issue, some of which I hope we can 
answer in this hearing: (1) Why was the clause not enforced prior to 
November 2009; (2) Did Heritage Health Solutions have the clause 
included in their contract; (3) What are VA's plans as far as the 578 
contractors who refused to sign the clause when added to their 
contract; (4) What was the primary reason that most of these 
contractors refused to sign onto the additional clause; and finally (5) 
What is VA going to do to tighten the controls on contractor-owned 
equipment that is regularly accessing the VA networks and storing data 
relating to our Nation's veterans?
    To place our veterans' information at risk is irresponsible. These 
men and women have fought for our Nation, have placed their own lives 
in jeopardy to secure our freedom, and we repay them by tossing caution 
to the wind with respect to their personal information. This is totally 
unacceptable. VA must take immediate action to secure our veterans' 
information, and to ensure that all contracts requiring access to any 
data at the VA include the protections our veterans need and require.
    Again, thank you Mr. Chairman, and I yield back my time.

                                 
   Prepared Statement of Gregory C. Wilshusen, Director, Information
     Security Issues, and Valerie C. Melvin, Director, Information 
  Management and Human Capital Issues, U.S. Government Accountability 
                                 Office
        INFORMATION SECURITY: Veterans Affairs Needs to Resolve 
                        Long-Standing Weaknesses
                             GAO Highlights

Why GAO Did This Study
    Since 1997, GAO has identified information security as a 
governmentwide high-risk issue. This has been particularly true at the 
Department of Veterans Affairs (VA), where the department has been 
challenged in protecting the availability, confidentiality, and 
integrity of its information and systems. Since the 1990s, GAO has 
highlighted the challenges the department has faced, including the need 
to safeguard personal information.
    GAO was asked to testify on VA's progress in implementing 
information security and the department's compliance with the Federal 
Information Security Management Act of 2002 (FISMA), a comprehensive 
framework for securing federal information resources. In preparing this 
testimony, GAO analyzed prior GAO, Office of Management and Budget, VA 
Office of Inspector General, and VA reports related to the department's 
information security program.
What GAO Recommends
    In previous reports over the past several years, GAO has made 
numerous recommendations to VA aimed at improving the effectiveness of 
the department's efforts to strengthen information security practices 
and to ensure that security issues are adequately addressed.
What GAO Found
    VA has made limited progress in resolving long-standing 
deficiencies in securing its information and systems. In September 2007 
and also March 2010, GAO reported that VA had begun or had continued 
work on several initiatives to strengthen information security 
practices, but that shortcomings in the implementation of those 
initiatives could limit their effectiveness. VA has also consistently 
had weaknesses in major information security control areas. As shown in 
the table below, VA was deficient in each of five major categories of 
information security controls as defined in the GAO Federal Information 
System Controls Audit Manual.

             Security Weaknesses for Fiscal Years 2006-2009
------------------------------------------------------------------------
  Security Control Area      2006        2007        2008        2009
------------------------------------------------------------------------
Access control                         
------------------------------------------------------------------------
Configuration management               
------------------------------------------------------------------------
Segregation of duties                  
------------------------------------------------------------------------
Contingency planning                   
------------------------------------------------------------------------
Security management                    
------------------------------------------------------------------------
Source: GAO analysis based on VA and Inspector General reports.

    Further, in VA's fiscal year 2009 performance and accountability 
report, the independent auditor stated that, while VA continued to make 
progress, IT security and control weaknesses remained pervasive and 
continued to place VA's program and financial data at risk. The 
independent auditor also noted that VA's controls over its financial 
systems constituted a material weakness (a significant deficiency that 
can result in an undetected material misstatement of the department's 
financial statements).
    Since 2006, VA's progress in fully implementing the information 
security program required under FISMA has been mixed. For example, from 
2006 to 2009, the department reported a dramatic increase in the 
percentage of systems for which a contingency plan was tested. However, 
during the same period, the department reported a decrease in the 
percentage of employees who had received security awareness training.
    Until VA fully and effectively implements a comprehensive 
information security program and mitigates known security 
vulnerabilities, its computer systems and sensitive information 
(including personal information of veterans and their beneficiaries) 
will remain exposed to an unnecessary and increased risk of 
unauthorized use, disclosure, tampering, theft, and destruction.

                               __________

    Mr. Chairman and Members of the Subcommittee:
    Thank you for inviting us to participate in today's hearing on 
information security at the Department of Veterans Affairs (VA). Since 
1997, we have identified information security as a governmentwide 
high-risk issue and emphasized its importance in protecting the 
availability, confidentiality, and integrity of the information 
residing on federal information systems.\1\ Since the 1990s, we have 
highlighted challenges the department has faced, including the need to 
safeguard personal information.
---------------------------------------------------------------------------
    \1\ GAO, High-Risk Series: An Update, GAO-09-271 (Washington, D.C.: 
January 2009) and Information Security: Agencies Continue to Report 
Progress, but Need to Mitigate Persistent Weaknesses, GAO-09-546 
(Washington, D.C.: July 17, 2009).
---------------------------------------------------------------------------
    In our testimony today, we will discuss VA's progress in 
implementing information security and the department's compliance with 
the Federal Information Security Management Act of 2002 (FISMA).\2\ In 
preparing this testimony, we analyzed prior GAO, Office of Management 
and Budget (OMB), VA Office of Inspector General (OIG), and VA reports 
related to the department's information security program for fiscal 
years 2006 through 2009. We conducted our review from April to May 2010 
in the Washington, D.C., area in accordance with generally accepted 
government auditing standards. Those standards require that we plan and 
perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings based on our audit objectives. We 
believe that the evidence obtained provides a reasonable basis for our 
findings based on our audit objectives.
---------------------------------------------------------------------------
    \2\ FISMA was enacted as title III, E-Government Act of 2002, Pub. 
L. No.107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
---------------------------------------------------------------------------
Background
    VA's mission is to promote the health, welfare, and dignity of all 
veterans in recognition of their service to the Nation by ensuring that 
they receive medical care, benefits, social support, and memorials. 
According to recent information from the Department of Veterans 
Affairs, its employees maintain the largest integrated health care 
system in the Nation for more than 5.6 million patients, provide 
compensation and pension benefits for nearly 4 million veterans and 
beneficiaries, and maintain nearly 3 million gravesites at 163 
properties. The use of IT is crucial to the department's ability to 
provide these benefits and services, but without adequate protections, 
VA's systems and information are vulnerable to those with malicious 
intentions who wish to exploit the information.
    To help protect against threats to federal systems, FISMA sets 
forth a comprehensive framework for ensuring the effectiveness of 
information security controls over information resources that support 
federal operations and assets. The framework creates a cycle of risk 
management activities necessary for an effective security program. In 
order to ensure the implementation of this framework, FISMA assigns 
responsibilities to OMB that include developing and overseeing the 
implementation of policies, principles, standards, and guidelines on 
information security and reviewing and approving or disapproving agency 
information security programs, at least annually. It also assigns 
specific responsibilities to agency heads, chief information officers, 
inspectors general, and the National Institute of Standards and 
Technology (NIST), in particular requiring chief information officers 
and inspectors general to submit annual reports to OMB.
    In addition, Congress enacted the Veterans Benefits, Health Care, 
and Information Technology Act of 2006,\3\ after a serious loss of data 
earlier that year revealed weaknesses in VA's handling of personal 
information. Under the act, VA's Chief Information Officer is 
responsible for establishing, maintaining, and monitoring 
departmentwide information security policies, procedures, control techniques, 
training, and inspection requirements as elements of the department's 
information security program. It also reinforced the need for VA to 
establish and carry out the responsibilities outlined in FISMA, and 
included provisions to further protect veterans and servicemembers from 
the misuse of their sensitive personal information and to inform 
Congress regarding security incidents involving the loss of that 
information.
---------------------------------------------------------------------------
    \3\ Veterans Benefits, Health Care, and Information Technology Act 
of 2006, Pub. L. No. 109-461, 120 Stat. 3403, 3450 (Dec. 22, 2006).
---------------------------------------------------------------------------
VA Has Made Limited Progress in Addressing Information Security 
        Weaknesses
    For over a decade, VA has faced long-standing information security 
weaknesses as identified by GAO, the VA's OIG, and by the department 
itself. These weaknesses have left VA vulnerable to disruptions in 
critical operations, theft, fraud, and inappropriate disclosure of 
sensitive information. VA's efforts to address these deficiencies have 
had limited progress to date.
    In September 2007, we reported that VA had begun or had continued 
several initiatives to strengthen information security practices within 
the department, but that shortcomings with the implementation of those 
initiatives could limit their effectiveness.\4\ At that time, we made 
17 recommendations for improving the department's information security 
practices. We verified that VA had implemented five of those 
recommendations, including developing guidance for the information 
security program and documenting related responsibilities. VA has 
efforts under way to address 11 of the remaining 12 recommendations. 
These efforts include ensuring remedial action items are completed in 
an effective and timely manner, implementing guidance on encryption, 
and developing and documenting procedures to obtain contact information 
for individuals whose personal information has been compromised in a 
security breach. We plan to assess whether the department's actions 
substantially implement these 11 recommendations, and whether VA is now 
taking action on the twelfth recommendation to maintain an accurate 
inventory of all IT equipment that has encryption installed.
---------------------------------------------------------------------------
    \4\ GAO, Information Security: Sustained Management Commitment and 
Oversight Are Vital to Resolving Long-standing Weaknesses at the 
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sep. 7, 
2007).
---------------------------------------------------------------------------
    In March 2010, we reported\5\ that federal agencies, including VA, 
had made limited progress in implementing the Federal Desktop Core 
Configuration (FDCC) initiative to standardize settings on 
workstations.\6\ We determined that VA had implemented certain 
requirements of the initiative, such as documenting deviations from the 
standardized set of configuration settings for Windows workstations and 
putting a policy in place to officially approve these deviations. 
However, VA had not fully implemented several key requirements. For 
example, the department had not included language in contracts to 
ensure that new acquisitions address the settings and that products of 
IT providers operate effectively using them. Additionally, VA had not 
obtained a NIST-validated tool to monitor implementation of 
standardized workstation configuration settings. To improve the 
department's implementation of the initiative, we made four 
recommendations: (1) complete implementation of VA's baseline set of 
configuration settings, (2) acquire and deploy a tool to monitor 
compliance with FDCC, (3) develop, document, and implement a policy to 
monitor compliance, and (4) ensure that FDCC settings are included in 
new acquisitions and that products operate effectively using these 
settings. VA concurred with all of our recommendations and indicated 
that it plans to implement them by September 2010.
---------------------------------------------------------------------------
    \5\ GAO, Information Security: Agencies Need to Implement Federal 
Desktop Core Configuration Requirements, GAO-10-202 (Washington, D.C.: 
March 12, 2010).
    \6\ In March 2007 the Office of Management and Budget (OMB) 
launched the Federal Desktop Core Configuration initiative to 
standardize and strengthen information security at federal agencies. 
Under the initiative agencies were to implement a standardized set of 
configuration settings on workstations with Microsoft Windows XP or 
Vista operating systems. OMB intended that by implementing the 
initiative, agencies would establish a baseline level of information 
security, reduce threats and vulnerabilities, and improve protection of 
information and related assets.
---------------------------------------------------------------------------
VA Continues to Report Significant Information Security Shortcomings
    Information security remains a long-standing challenge for the 
department. In 2009, for the 13th year in a row, VA's independent 
auditor reported that inadequate information system controls over 
financial systems constituted a material weakness.\7\ Among 24 major 
federal agencies, VA was one of six agencies in fiscal year 2009 to 
report such a material weakness.
---------------------------------------------------------------------------
    \7\ A material weakness is a significant deficiency, or combination 
of significant deficiencies, that results in more than a remote 
likelihood that a material misstatement of the financial statements 
will not be prevented or detected by the entity's internal control.
---------------------------------------------------------------------------
    VA's independent auditor stated that while the department continued 
to make steady progress, IT security and control weaknesses remained 
pervasive and placed VA's program and financial data at risk. The 
auditor noted the following weaknesses:

      Passwords for key VA network domains and financial 
applications were not consistently configured to comply with agency 
policy.
      Testing of contingency plans for financial management 
systems at selected facilities was not routinely performed and 
documented to meet the requirements of VA policy.
      Many IT security control deficiencies were not analyzed 
and remediated across the agency and a large backlog of deficiencies 
remained in the VA plan of action and milestones system. In addition, 
previous plans of action and milestones were closed without sufficient 
and documented support for the closure.

    In addition, VA has consistently had weaknesses in major 
information security control areas. As shown in table 1, for fiscal 
years 2006 through 2009, deficiencies were reported in each of the five 
major categories of information security controls \8\ as defined in our 
Federal Information System Controls Audit Manual.\9\
---------------------------------------------------------------------------
    \8\ Access controls ensure that only authorized individuals can 
read, alter, or delete data; configuration management controls provide 
assurance that only authorized software programs are implemented; 
segregation of duties reduces the risk that one individual can 
independently perform inappropriate actions without detection; 
continuity of operations planning provides for the prevention of 
significant disruptions of computer-dependent operations; and an 
agencywide information security program provides the framework for 
ensuring that risks are understood and that effective controls are 
selected and properly implemented.
    \9\ GAO, Federal Information System Controls Audit Manual (FISCAM), 
GAO-09-232G (Washington, D.C.: Feb. 2009).

         Table 1: Control Weaknesses for Fiscal Years 2006-2009
------------------------------------------------------------------------
    Security Control
        Category             2006        2007        2008        2009
------------------------------------------------------------------------
Access control                         
------------------------------------------------------------------------
Configuration management               
------------------------------------------------------------------------
Segregation of duties                  
------------------------------------------------------------------------
Contingency planning                   
------------------------------------------------------------------------
Security management                    
------------------------------------------------------------------------
Source: GAO analysis based on VA and Inspector General reports.

    In fiscal year 2009, for the 10th year in a row, the VA OIG 
designated VA's information security program and system security 
controls as a major management challenge for the department. Of 24 
major federal agencies, the department was 1 of 20 to have information 
security designated as a major management challenge. The OIG noted that 
the department had made progress in implementing components of an 
agencywide information security program, but nevertheless continued to 
identify major IT security deficiencies in the annual information 
security program audits. To assist the department in improving its 
information security, the OIG made recommendations for strengthening 
access controls, configuration management, change management, and 
service continuity. Effective implementation of these recommendations 
could help VA to prevent, limit, and detect unauthorized access to 
computerized networks and systems and help ensure that only authorized 
individuals can read, alter, or delete data.
    The need to implement effective security is clear given the history 
of security incidents at the department. VA has reported an increasing 
number of security incidents and events over the last few years. Each 
year during fiscal years 2007 through 2009, the department reported a 
higher number of incidents and the highest number of incidents in 
comparison to 23 other major federal agencies.
VA's Uneven Implementation of FISMA Limits the Effectiveness of 
        Security Efforts
    FISMA requires each agency, including agencies with national 
security systems, to develop, document, and implement an agencywide 
information security program to provide security for the information 
and information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. As part of its oversight responsibilities, 
OMB requires agencies to report on specific performance measures, 
including the percentage of:

      employees and contractors receiving IT security awareness 
training, and those who have significant security responsibilities and 
have received specialized security training,
      systems whose controls were tested and evaluated, have 
tested contingency plans, and are certified and accredited.\10\
---------------------------------------------------------------------------
    \10\ Certification is a comprehensive assessment of management, 
operational, and technical security controls in an information system, 
made in support of security accreditation, to determine the extent to 
which the controls are implemented correctly, operating as intended, 
and producing the desired outcome with respect to meeting the security 
requirements for the system. Accreditation is the official management 
decision to authorize operation of an information system and to 
explicitly accept the risk to agency operations based on implementation 
of controls.

    Since fiscal year 2006, VA's progress in fully implementing the 
information security program required under FISMA and following the 
policies issued by OMB has been mixed. For example, from 2006 to 2009, 
the department has reported a dramatic increase in the percentage of 
systems for which a contingency plan was tested in accordance with OMB 
policy. However, during the same period, it reported decreases in both 
the percentage of employees who had received security awareness 
training and the percentage of employees with significant security 
responsibilities who had received specialized security training (see 
fig. 1). These decreases in the percentage of individuals who had 
received information security training could limit the ability of VA to 
effectively implement security measures.
    Figure 1: VA Key Performance Measures for Fiscal Years 2006-2009
[GRAPHIC] [TIFF OMITTED] T7022A.001

    For fiscal year 2009, in comparison to 23 other major federal 
agencies, VA's efforts to implement these information security control 
activities were equal to or higher in some areas and lower in others. 
For example, VA reported equal or higher percentages than other federal 
agencies in the number of systems for which security controls had been 
tested and reviewed in the past year, the number of systems for which 
contingency plans had been tested in accordance with OMB policy, and 
the number of systems that had been certified and accredited. However, 
VA reported lower percentages of individuals who received security 
awareness training and lower percentages of individuals with 
significant security responsibilities who received specialized security 
training (see fig. 2).
         Figure 2: Comparison VA to Governmentwide Performance 
                          for Fiscal Year 2009
[GRAPHIC] [TIFF OMITTED] T7022A.002

    In summary, effective information security controls are essential 
to securing the information systems and information on which VA depends 
to carry out its mission. The department continues to face challenges 
in resolving long-standing weaknesses in its information security 
controls and in fully implementing the information security program 
required under FISMA. Overcoming these challenges will require 
sustained leadership, management commitment, and effective oversight. 
Until VA fully and effectively implements a comprehensive information 
security program and mitigates known security vulnerabilities, its 
computer systems and sensitive information (including personal 
information of veterans and their beneficiaries) will remain exposed to 
an unnecessary and increased risk of unauthorized use, disclosure, 
tampering, theft, and destruction.
    Mr. Chairman, this concludes our statement today. We would be happy 
to answer any questions you or other Members of the Subcommittee may 
have.
Contacts and Acknowledgments
    If you have any questions concerning this statement, please contact 
Gregory C. Wilshusen, Director, Information Security Issues, at (202) 
512-6244, [email protected], or Valerie C. Melvin, Director, 
Information Management and Human Capital Issues, at (202) 512-6304, 
[email protected]. Other individuals who made key contributions include 
Charles Vrabel and Anjalique Lawrence (assistant directors), Nancy 
Glover, Mary Marshall, and Jayne Wilson.

                                 
   Prepared Statement of Belinda J. Finn, Assistant Inspector General
        for Audits and Evaluations, Office of Inspector General,
                  U.S. Department of Veterans Affairs

INTRODUCTION
    Mr. Chairman and Members of the Subcommittee, thank you for the 
opportunity to discuss the Office of Inspector General (OIG) work on 
VA's implementation of the Federal Information Security Management Act 
of 2002 (FISMA), which requires that VA develop, document, and 
implement an agency-wide information security program. Accompanying me 
is Mr. Michael Bowman, Director, Information Technology and Security 
Audits. In March 2010, we issued a report, Fiscal Year 2009--Federal 
Information Security Management Act Assessment, that provided 40 
recommendations for improving VA's information security program.
    Seven years after FISMA's enactment, we continue to report 
significant deficiencies with controls supporting VA's information 
security program, which could have potentially alarming consequences. 
While VA has made progress defining policies and procedures supporting 
its agency-wide information security program, it faces significant 
challenges implementing effective access controls, system 
interconnection controls, configuration management controls, and 
contingency planning practices designed to protect mission critical 
systems from unauthorized access, alteration, or destruction. Because 
of the significant security deficiencies, the OIG's independent 
financial statement auditors concluded that VA's implementation of its 
agency-wide information security program constitutes a material 
weakness for financial reporting. I will focus on VA's progress and the 
challenges it faces in implementing key elements of its information 
security program and system security controls.

BACKGROUND
    Sound information security practices are vital to the Federal 
Government because secure systems and networks are needed to support 
critical programs and operations. The need for a vigilant approach to 
information security is apparent as demonstrated by well publicized 
reports of information security incidents, the wide availability of 
hacking tools on the internet, and the advances in the effectiveness of 
attack technology. Without proper safeguards, VA computer systems are 
vulnerable to intrusions by groups with malicious intent, who can 
obtain sensitive information, commit fraud, disrupt operations, or 
launch attacks against other systems. In the past, VA has reported 
security incidents in which sensitive information has been lost or 
stolen, including personally identifiable information, exposing 
millions of Americans to the loss of privacy, identity theft, and other 
financial crimes.
    Concerned by reports of significant weaknesses in Federal computer 
systems, Congress passed FISMA in 2002, which requires agencies to 
develop and implement an information security program, evaluate 
security processes, and provide annual reports. FISMA sets forth a 
framework for establishing information security controls over systems 
that support Federal operations and requires annual independent 
evaluations by the Inspectors General or independent external auditors. 
To assess compliance with the requirements of FISMA, the Office of 
Management and Budget (OMB) prepares annual reporting instructions 
requiring each agency to provide information summarizing their ability 
to secure their information systems and data. Additionally, OMB 
requires the Inspectors General to independently evaluate the agency's 
performance in a number of security areas and provide their results to 
OMB as part of the annual reporting requirements under FISMA. 
Historically, OMB's annual reporting instructions have focused on 
whether agencies have developed appropriate policies, procedures, and 
practices supporting their information security program. While our work 
has addressed OMB's reporting requirements, we have also performed 
comprehensive testing of general and technical information security 
controls that are designed to protect VA's mission critical systems and 
data. We believe our audit findings and recommendations provide a solid 
foundation for improving the effectiveness of VA's information security 
program and assisting VA in meeting the information security objectives 
of FISMA.

OIG AUDIT RESULTS
    Our annual audit work includes determining the extent VA complies 
with FISMA's information security requirements, information security 
standards developed by the National Institute of Standards and 
Technology, and the annual reporting requirements from OMB. During our 
work, we assess VA's information security policies and procedures, 
observe operational controls, and test technical controls over general 
support systems and major applications.
Information Security
    Our fiscal year (FY) 2009 review found VA made progress 
implementing elements of its agency-wide information security program. 
In recent years, VA issued VA Directive and Handbook 6500, Information 
Security Program, to define high level policies and procedures 
supporting its agency-wide information security program. In FY 2009, VA 
initiated the formal certification and accreditation of approximately 
one-third of its major systems--a process designed to provide assurance 
that security controls are adequately protecting critical systems and 
data. Also, VA conducted privacy impact assessments on many systems 
with the goal of identifying and reducing unnecessary holdings of 
personally identifiable information throughout all VA systems. VA has 
also established a new risk assessment methodology that addresses 
deficiencies identified by the OIG in prior years. Recently, VA 
implemented some technological solutions, such as secure remote access, 
application filtering, and portable storage device encryption to 
improve the security control protections over its mission critical 
systems and data.
    In addition to our audit work, VA's Certification and Accreditation 
Program and internal security reviews have identified over 11,000 plans 
of action and milestones (action plans) that need to be addressed to 
remediate system security deficiencies. In the near term, VA must 
complete a large number of these action plans to provide assurance that 
system security controls adequately protect mission critical systems. 
Our testing identified a significant number of action plans that were 
prematurely closed without sufficient documentation or testing to 
demonstrate that system security weaknesses were fully addressed. 
Without adequate testing and supporting documentation, VA cannot 
justify the closure of the action plans or provide assurances that 
corresponding information security risks were fully mitigated or 
eliminated.

Access Controls
    During system testing, we identified significant weaknesses with 
access controls designed to protect VA mission critical systems from 
unauthorized access, alteration, and destruction. For example, we 
identified a large number of weak passwords on application servers, 
databases, and networking devices supporting systems at most VA 
facilities tested. The presence of weak passwords is a well-known 
security vulnerability that allows malicious users to easily gain 
unauthorized access to mission critical systems.
    We noted that password settings were not configured to enforce 
strong passwords on some financial management systems and domain 
controllers. As identification and authentication controls are primary 
defense mechanisms against password attacks, enforcement of a strong 
password policy is essential for preventing unauthorized access to 
these systems. We also identified numerous user accounts with 
unnecessary system privileges and unauthorized user accounts that were 
not supported with formal access authorizations. To enforce 
comprehensive access controls, VA needs to periodically review system 
user accounts to ensure that system permissions do not exceed the 
users' functional responsibilities.
    Network access controls are important for providing logical 
security over interconnected systems and data. We noted that most VA 
medical facilities were not appropriately using network segmentation to 
restrict access to their sensitive medical devices and network 
segments. Consequently, we were able to gain unauthorized access to 
sensitive sub-networks while at VA medical facilities and from remote 
locations throughout the enterprise. The proper use of network 
segmentation for restricting access to sensitive medical devices is 
critical for the security and operational stability at VA's medical 
centers.

System Interconnections
    During testing of system interconnections, we noted that VA had not 
identified, managed, or monitored a significant number of VA system 
connections. In many cases, VA had not maintained appropriate 
interconnection agreements to establish and govern the security 
requirements for those external network connections. VA is in the 
process of cataloging all system interconnections, but unknown system 
interconnections may exist. The lack of comprehensive monitoring of the 
external network interconnections prevents VA from effectively 
detecting and responding to network intrusion attempts in accordance 
with FISMA. Consequently, an attacker could penetrate VA's internal 
network and systems over an extended period of time without being 
detected. To improve its ability to monitor and respond to malicious 
network activity, VA plans to reduce and consolidate all external 
network connections into four major gateways over the next several 
years.

Configuration Management
    Configuration management controls ensure that only authorized, 
tested, and protected systems are placed into operation. We identified 
significant weaknesses with configuration management controls designed 
to protect VA's mission critical systems and data from unauthorized 
access, alteration, or destruction. More specifically, our testing 
revealed unsecure web application servers, critical application servers 
hosting vulnerable third-party applications and system software, and 
user permissions that exceed the user's functional responsibilities on 
critical database platforms.
    For example, we identified several instances of VA hosting unsecure 
web services that could allow a malicious user to exploit certain 
vulnerabilities and gain unauthorized access to VA systems. Our testing 
identified several VA Web sites using outdated encryption modules and 
one Web site accepting sensitive information over unencrypted internet 
sessions. We also noted several database platforms providing system 
functions or hosting outdated system software that could allow any 
system user to gain unauthorized access to mission critical data and 
potentially alter the operation of the database. To improve performance 
in this area, VA needs to implement a comprehensive enterprise-wide 
patch and vulnerability management program that will continuously 
identify and remediate security vulnerabilities impacting mission 
critical systems.

Contingency Plans and Testing
    Our review of system contingency plans and testing revealed many 
instances where VA facilities did not validate whether system owners 
could restore mission critical systems at a remote processing site to 
ensure continuity of operations. In its annual FISMA report to OMB, VA 
reported it had successfully tested the viability of 93 percent of its 
system contingency plans. Based on our sample, VA provided evidence 
that only 56 percent of its system contingency plans were successfully 
tested. Our information was derived from evaluating evidence of actual 
system contingency plan test results while VA compiled information 
reported from local managers.
    During testing, some VA facilities performed ``table-top'' testing 
which involved high level discussions of recovery procedures. However, 
``table-top'' testing does not involve deploying equipment and 
personnel, and should not be considered a substitute for full 
contingency plan testing. Without in-depth and realistic contingency 
plan testing, VA cannot provide assurance that mission critical systems 
can be readily restored in the event of a disaster or a service 
disruption.

Recommendations and Corrective Actions
    Our FY 2009 report provided 27 current recommendations to the 
Assistant Secretary for Information and Technology for improving VA's 
information security program. The report also highlighted 13 unresolved 
recommendations from prior years' assessments for a total of 40 
outstanding recommendations. During FY 2009, VA successfully addressed 
eight outstanding recommendations from our prior FISMA assessments.
    Overall, we recommended that VA focus its efforts in the following 
areas:

      Remediating information security weaknesses that 
contribute to the material weakness reported in the annual audit of 
VA's consolidated financial statements.
      Taking an agency-wide approach for addressing action 
plans as opposed to developing corrective actions based on specific 
sites and systems.
      Establishing effective processes for identifying and 
responding to malicious network activity.
      Implementing automated mechanisms for the continuous 
monitoring and remediation of security weaknesses impacting VA's 
mission critical systems.

    In response to our report, VA concurred with all findings and 
recommendations. The Assistant Secretary stated that action plans are 
currently being developed for each recommendation and detailed plans 
will be provided to the OIG in a separate response. The Assistant 
Secretary's response also stated that VA continues to make progress 
improving the effectiveness of its information security program. More 
specifically, VA's efforts have contributed to significant reductions 
in the number of outstanding plans of actions and milestones, a more 
effective risk assessment methodology, and improvements in privacy 
impact assessments for minor applications that hold sensitive data. The 
OIG will continue to evaluate VA's progress during the FY 2010 
assessment.

Conclusion
    Well publicized information security breaches at VA demonstrate 
that weaknesses in information security policies and practices can 
expose mission critical systems and data to unauthorized access and 
disclosure. While VA has made progress defining policies and procedures 
supporting its agency-wide information security program, its highly 
decentralized and complex system infrastructure poses significant 
challenges for implementing effective access controls, system 
interconnection controls, configuration management controls, and 
contingency planning practices that will adequately protect mission 
critical systems from unauthorized access, alteration, or destruction. 
Until VA fully implements key elements of its information security 
program and addresses our outstanding audit recommendations, VA's 
mission critical systems remain at an increased and unnecessary risk of 
attack or compromise.
    Mr. Chairman, this concludes my statement. We would be happy to 
answer any questions you or other Members of the Subcommittee may have.
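
    The access-control findings above (password settings not enforcing strong passwords on domain controllers and financial systems; accounts with privileges beyond their formal authorizations) describe two checks that can be scripted. The following is an added illustration, not OIG audit tooling or VA code: it compares each host's effective password settings against an assumed baseline and reconciles enumerated accounts against an access-authorization register. The baseline values, host names and account data are constructed samples.

```python
"""Audit password-policy settings and account authorizations.

Added illustration with constructed data; the baseline below is an
assumption, not an agency standard, and no host or user here is real.
"""

# Assumed baseline (editor's assumption; substitute the policy in force).
BASELINE = {
    "min_length": 12,        # larger is stronger
    "complexity": True,      # must be enabled
    "max_age_days": 90,      # 0 means 'never expires', weaker than any limit
    "lockout_threshold": 5,  # 0 means 'never locks', weaker than any limit
    "history": 24,           # larger is stronger
}

# Constructed sample: effective settings exported from each host.
HOST_POLICIES = {
    "dc01.example.test": {"min_length": 8, "complexity": False,
                          "max_age_days": 0, "lockout_threshold": 0, "history": 0},
    "fms-app01.example.test": {"min_length": 14, "complexity": True,
                               "max_age_days": 60, "lockout_threshold": 5, "history": 24},
    "db02.example.test": {"min_length": 12, "complexity": True,
                          "max_age_days": 180, "lockout_threshold": 10, "history": 24},
}


def audit_password_policy(policies, baseline=BASELINE):
    """Return {host: [description, ...]} for every setting weaker than baseline."""
    findings = {}
    for host, cfg in policies.items():
        weak = []
        for key, required in baseline.items():
            actual = cfg.get(key)
            if actual is None:
                weak.append(f"{key}: not set")
            elif key == "complexity":
                if required and not actual:
                    weak.append("complexity: disabled")
            elif key in ("max_age_days", "lockout_threshold"):
                # 0 disables the control entirely, so it is always a finding.
                if actual == 0 or actual > required:
                    weak.append(f"{key}: {actual} exceeds {required}")
            else:
                if actual < required:
                    weak.append(f"{key}: {actual} below {required}")
        if weak:
            findings[host] = weak
    return findings


# Constructed sample: accounts enumerated on each host with group membership.
ACCOUNTS = [
    {"host": "db02.example.test", "user": "jsmith", "groups": {"db_reader"}},
    {"host": "db02.example.test", "user": "rjones", "groups": {"db_reader", "sysadmin"}},
    {"host": "db02.example.test", "user": "svc_backup", "groups": {"sysadmin"}},
    {"host": "dc01.example.test", "user": "tmp_contractor", "groups": {"Domain Admins"}},
]

# Constructed sample: the formal access-authorization register
# (which groups each user was approved for on each host).
AUTHORIZATIONS = {
    ("db02.example.test", "jsmith"): {"db_reader"},
    ("db02.example.test", "rjones"): {"db_reader"},
    ("db02.example.test", "svc_backup"): {"sysadmin"},
}


def review_accounts(accounts, authorizations):
    """Return (unauthorized, excess): accounts with no authorization record,
    and accounts holding groups beyond what the record approves."""
    unauthorized, excess = [], []
    for acct in accounts:
        key = (acct["host"], acct["user"])
        approved = authorizations.get(key)
        if approved is None:
            unauthorized.append(key)
            continue
        extra = acct["groups"] - approved
        if extra:
            excess.append((key, sorted(extra)))
    return unauthorized, excess


if __name__ == "__main__":
    for host, items in audit_password_policy(HOST_POLICIES).items():
        print(host, "->", "; ".join(items))
    unauth, over = review_accounts(ACCOUNTS, AUTHORIZATIONS)
    print("no authorization:", unauth)
    print("privileges beyond authorization:", over)
```

    The two checks are deliberately separate: a host can pass the policy check while still carrying accounts that exceed their approved role, and the register comparison is what catches the "unauthorized user accounts not supported with formal access authorizations" class of finding.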

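    The configuration-management findings above (web sites using outdated encryption modules, a site accepting sensitive information over unencrypted sessions) and the earlier observation that action plans were closed without sufficient testing or documentation can be tied together in one workflow: scan results become plans of action and milestones, and a plan cannot be closed without a matching retest record. The following is an added illustration, not OIG tooling or VA's SMART database: the deny-lists reflect current guidance and are an assumption, and the scan records are constructed.

```python
"""Turn web-configuration scan findings into POA&M items whose closure
requires retest evidence.

Added illustration with constructed scan records; deny-lists are the
editor's assumption, not an agency standard.
"""

# Assumed deny-lists (editor's assumption; align with the policy in force).
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
SENSITIVE_FIELDS = {"ssn", "password", "dob", "account_number"}

# Constructed scan output: one record per service endpoint.
SCAN = [
    {"host": "portal.example.test", "port": 443, "scheme": "https",
     "protocols": ["TLSv1.0", "TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
     "form_fields": ["username", "password"]},
    {"host": "legacy.example.test", "port": 80, "scheme": "http",
     "protocols": [], "ciphers": [], "form_fields": ["ssn", "dob"]},
    {"host": "intranet.example.test", "port": 443, "scheme": "https",
     "protocols": ["TLSv1.2", "TLSv1.3"], "ciphers": ["TLS_AES_256_GCM_SHA384"],
     "form_fields": ["search"]},
]


def assess_endpoint(rec):
    """Return [(check, detail), ...] for one scan record."""
    findings = []
    old = sorted(set(rec["protocols"]) & OUTDATED_PROTOCOLS)
    if old:
        findings.append(("outdated-protocol", ",".join(old)))
    weak = [c for c in rec["ciphers"] if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append(("weak-cipher", ",".join(weak)))
    sensitive = sorted({f.lower() for f in rec["form_fields"]} & SENSITIVE_FIELDS)
    if rec["scheme"] == "http" and sensitive:
        # Sensitive fields submitted over cleartext HTTP.
        findings.append(("cleartext-sensitive-form", ",".join(sensitive)))
    return findings


def build_poams(scan):
    """One open POA&M entry per finding, with no closure evidence yet."""
    poams = []
    for rec in scan:
        for check, detail in assess_endpoint(rec):
            poams.append({"id": f"POAM-{len(poams) + 1:04d}",
                          "system": f"{rec['host']}:{rec['port']}",
                          "weakness": check, "detail": detail,
                          "status": "open", "evidence": None})
    return poams


class ClosureError(ValueError):
    """Raised when a POA&M closure lacks adequate supporting evidence."""


def close_poam(poam, retest):
    """Close only when a documented retest of the same check on the same
    system passed; otherwise refuse, leaving the item open."""
    required = {"system", "check", "retested_on", "result", "artifact"}
    missing = required - set(retest)
    if missing:
        raise ClosureError(f"closure evidence missing {sorted(missing)}")
    if retest["system"] != poam["system"] or retest["check"] != poam["weakness"]:
        raise ClosureError("retest does not match the weakness being closed")
    if retest["result"] != "pass":
        raise ClosureError("retest did not pass; weakness remains open")
    poam["status"] = "closed"
    poam["evidence"] = retest
    return poam


if __name__ == "__main__":
    for item in build_poams(SCAN):
        print(item["id"], item["system"], item["weakness"], item["detail"])
```

    The closure rule is the point: an item moves to closed only when the retest names the same system and the same check, passed, and references an artifact (a scan report, a configuration export) that a reviewer can inspect. A status change without those fields is exactly the premature closure the audit described.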
                                 
     Prepared Statement of Hon. Roger W. Baker, Assistant Secretary
     for Information and Technology and Chief Information Officer,
   Office of Information and Technology, U.S. Department of Veterans 
                                Affairs

    Good morning Chairman Mitchell, Ranking Member Roe, and Members of 
the Subcommittee. Thank you for your invitation to discuss the current 
status of information security at the Department of Veterans Affairs 
(VA) as well as VA's compliance with the Federal Information Security 
Management Act (FISMA) of 2002. With me today are Mr. Jaren Doherty, 
Acting Deputy Assistant Secretary for Information Protection and Risk 
Management, Mr. Jan Frye, Deputy Assistant Secretary for Acquisition & 
Logistics, and Mr. Fred Downs, Chief Procurement and Clinical Logistics 
Officer for the Veterans Health Administration representing VA. We are 
focused on moving the Department to a much more secure posture than 
that which currently exists.
    Information Security remains a critical challenge for both federal 
and private sector enterprises. While our ability to defend our 
networks and systems has increased, so too, has the sophistication of 
our attackers and the desire of those who use our systems for faster 
and broader access to the information and systems we protect.
    Four years after the 2006 theft of a Veterans Affairs laptop 
containing information on millions of veterans, that incident still 
reverberates throughout the IT organization and the entire VA. Over the 
last 4 years, thanks to the support of this Committee, we have made 
significant changes, including the implementation of an Information 
Protection organization of over 500 people, and of course, the 
consolidation of all IT assets under the Assistant Secretary. Those 
changes have been accompanied by a vast improvement in the information 
protection processes across the entire VA. Our overall improvement on 
the Department's security posture is accompanied by actual improvements 
in the security of our information assets. FISMA is focused on making 
sure we have done the correct thinking about the risks our systems face 
and the levels of protection each requires, as well as implemented 
solutions that actually improve security. VA has put in place a plan to 
employ many of the successful approaches and technologies used by 
effective, large-scale private sector organizations to ensure that we 
have visibility into and control over every aspect of our electronic 
enterprise. This approach is described later in my testimony.
    Our own challenges in information protection remain the scope and 
scale of the missions VA must accomplish. As we protect Veterans' 
health information from unwanted access, we must balance that with the 
fact that the same information must be available immediately to the 
professionals who need it to serve the Veteran. As we seek to control 
and protect our Veterans' information anywhere it exists within our 
extended supply chain (including private sector and federal sector 
partners), we must recognize the fact that the VA cannot perform its 
critical mission of caring for our Veterans without outside help and 
services. And while it is our desire to have already implemented a 
fully robust, comprehensive, audited, foolproof information security 
posture, our practical reality is that changing the infrastructure, 
policies, culture, and practices of the 850,000 people who show up 
every day across this Nation to serve our Veterans is a massive 
undertaking. Over the last 4 years, we have made quantifiable progress. 
Over the next year, we will make greater strides. Am I satisfied with 
where we are? No. Our goal must be to be the best in Federal 
Government, and comparable with good private sector enterprises, on our 
information security practices. With your support, we will continue to 
work very hard at achieving that goal during my tenure as CIO at VA.
    Even with all we have accomplished, we still experience security 
and privacy incidents--the large majority of them from paper-based 
incidents. Except for a few, these incidents usually involve the 
sensitive personal information on a small number of individuals. 
Nonetheless, we consider any data breach to be serious if Veterans' or 
employees' sensitive personal information is at risk--no matter the 
number. Many of these incidents are the result of human error and 
carelessness, which is why it is so important to establish a culture 
and a strong environment of awareness and individual responsibility. 
The training and education of our workforce is probably the single most 
important action. While it is impossible to predict or prevent every 
security or privacy incident, it is the primary goal of VA's 
information protection program.
    On September 18, 2007, VA completed the publication of VA Handbook 
6500. This handbook outlines the standard for the VA Information 
Security program; and successfully sets the tone for cyber security 
procedural and operational requirements Department-wide to ensure 
compliance with FISMA and the Information Security provisions of title 
38 of the U.S. Code. It also provides for the security of VA 
information and information systems.
    Today, with the strong support of this committee, a centralized and 
strengthened information protection program has been established to 
ensure safeguarding of all VA sensitive data and to fulfill our mission 
to:

        ``Serve our Veterans, their beneficiaries, employees and all VA 
        stakeholders by ensuring the confidentiality, integrity, and 
        availability of VA sensitive information and information 
        systems.''

    Our vision at OIT and within our Office of Information Protection 
and Risk Management is to provide world class information security and 
privacy for VA, Veteran information and all information systems 
operated by VA. We are making great strides towards this vision and 
achieving our information protection program goals which are to:

      Protect the overall VA information security and privacy 
posture to ensure confidentiality, integrity, and availability of 
information
      Integrate risk and performance management into 
information security and privacy governance processes
      Ensure alignment of VA security and privacy policy and 
standards with federal guidelines and best practices
      Enable the VA mission through integration of standardized 
information security and privacy processes
      Promote an environment where every employee's and 
contractor's actions reflect the importance of information security
Office of Information Technology Oversight Compliance (ITOC)
    The Office of Information Technology Oversight and Compliance 
(ITOC) was established in 2007 and made an immediate impact VA-wide. 
ITOC used innovative assessment tools and created comprehensive 
checklists to establish review standards in nearly every aspect of IT 
operations. ITOC is a highly effective organization that provides 
critical information to the VA Chief Information Officer.
    Today, ITOC has 128 full-time employees, who have successfully 
completed 1332 assessments at VA facilities to include Medical Centers, 
Community Based Outreach Centers (CBOCs), Vet Centers, and Regional 
Offices; ITOC is also helping to effect real change to improve VA's 
FISMA compliance efforts, and continues to work with each VA 
Administration and staff office to mentor, train, and coach personnel 
to ensure a proactive organizational environment to protect sensitive 
information entrusted to us.
    ITOC efforts have had a measurable effect on improving VA's FISMA 
compliance efforts. ITOC performs the continuous monitoring phase of 
the Certification and Accreditation (NIST 800-37) of VA systems for IT 
security controls in an ever evolving environment with continual 
emerging threats against network security controls. In addition, ITOC 
assessments document known shortcomings or risks to VA's network and IT 
infrastructure through creation of Plan of Action and Milestones 
(POA&Ms). These POA&Ms are created in VA's Security Management and 
Reporting Tool (SMART) database which directly tracks and ensures there 
is proper resourcing for correction.
    Currently, ITOC works in collaboration with the Office of 
Information Protection Risk Management (IPRM) to conduct VA's Security 
Control Assessments (SCA). This combined endeavor maximizes our 
experience as well as technical knowledge to better ensure compliance.
Information Security and Risk Management Office
    After the 2006 laptop theft, VA promised to make protecting 
Veterans' data a priority. In response, VA quickly established IPRM to 
provide frontline defense of Veteran's sensitive data on a 365 day-a-
year, 24/7 basis for one of the Nation's largest Federal Government 
agencies and the largest health care provider in the country. IPRM's 
information security staff includes over 700 dedicated staff supporting 
over 300 VA facilities, almost 300,000 employees, and 333,000 
computers. IPRM's vanguard staff includes the Information Security 
Officers (ISOs), a facility-based staff whose primary role is to ensure 
end users are protecting sensitive data. Like ISOs, Privacy Officers 
are facility-based to ensure the use of personally identifiable 
information (PII) related to Veterans that is collected by VA is 
limited to the information that is legally authorized and necessary.
    IPRM's Network Security Operations Center (VA-NSOC) provides 
continuous round-the-clock monitoring of VA's network protecting, 
responding to, and reporting threats. These personnel are responsible 
for deterring, detecting, and defeating anything that might adversely 
affect VA networks and systems. On an average day, VA-NSOC monitors 
over 1.29 billion web requests per week and prevents over 1.7 million 
viruses a year from infecting the VA network. VA-NSOC monitors 23 million 
emails received by VA a week. From this total over 16.4 million emails 
are blocked due to their potential for cyber crime from bad reputation 
servers or because they are SPAM.
Investments Have Transformed An Agency's Performance
    To provide some historical context, in 2006 VA identified several 
weaknesses which included:

      Limited ability to scan our systems; very limited Network 
Security Operations Center capabilities
      No investigative procedures for malicious software and 
forensics
      No visibility of routing architecture beyond the core VA 
Wide Area Network
      Limited Deployment of Network Intrusion Protection 
Systems (40 nationwide)
      No centralized patch reporting and validation process
      No visibility of the desktops within VA
      No disaster back-up site for the Security Operations 
Center
      No Change Management or Configuration Control mechanisms

    VA's security program has been almost completely re-invented since 
2006. Significant investments in centralization and infrastructure, 
staff, training, and VA-wide end user education have transformed VA's 
information security and privacy outcomes and FISMA performance. A 
metrics-based, customer-centric, performance-based approach, has 
enabled our security program to turn around its performance in 3 
years--a remarkable achievement by any standard.
    I will highlight some of the outcomes to show what VA has 
accomplished in the past 3 years:

      VA established a 24x7 monitoring and defense of VA 
enterprise network core
      There is 100 percent visibility and 24x7 monitoring of 
anti-virus consoles
      There is 100 percent visibility and 24x7 monitoring of 
host based intrusion prevention system consoles
      VA established 24x7 monitoring of 160 network intrusion 
prevention systems deployed Nationwide
      There are two geographically dispersed operations centers 
with full redundancy and fail over capabilities
      There is monitoring and management of 84 Terabytes of 
data a week routed over core Infrastructure
      There is monitoring and management of 41 Terabytes of 
data a week routed through internet gateways
      VA has established a fully mature change control process
Major Initiatives Will Position VA's Information Protection Program

    Two key investment programs for OI&T and IPRM in 2010 are achieving 
visibility to the desktop and complete medical device isolation 
architecture for VA medical devices. Both OI&T and IPRM have committed 
all available resources to accomplishing these top two priorities. 
These priorities are absolutely essential to creating a 21st century, 
world class security program.
VA Visibility to the Desktop Initiative
    Ongoing attacks against VA systems, coupled with pressure to use 
Web 2.0 technology, compelled VA to augment desktop visibility in order 
to provide adequate enterprise protection, and ultimately, safeguard 
the personal information of our Nation's Veterans.
    Our most important initiative to date is to mandate that the VA-
NSOC has visibility into all devices connected to the VA network by 
September 30, 2010. ``Visibility to the Desktop'' is defined as the 
ability to, at any given time, look at the status of all machines in 
the network from a central location at the enterprise level. This 
includes the hardware, software, patch level, level of security 
compliance, and membership of the administrative group. This is a huge 
security tool for us, and it means that VA can review and run reports 
on any of the 333,000 machines on our network. This also gives VA the 
ability to apply patches which will greatly improve the security of the 
network.
    Challenges to achieving this goal over the next 4 months will be 
trying to get consistent implementation and configuration of VA-
approved scanning and management tools across such a large field 
organization, as well as standardizing facility participation in VA-
wide reporting requirements. Again, I want to emphasize the entire OI&T 
operation is committed to this effort. Without full visibility, we 
cannot have an effective information security program--we must be able 
to see what is out there on our networks, identify the problems and 
risks, and provide the field with resources needed to tackle emerging 
issues.
    We have put together 30, 60 and 90 day plans to fix these 
inconsistencies while simultaneously leveraging all available resources 
in order to accomplish this vital task. VA leadership and field 
personnel met at an offsite retreat in Washington, DC, in March 2010, 
to determine the vision, priorities, and next steps to achieve this 
goal. VA has launched Phase 1 of the initiative which involves 
inventory, antivirus, host-based intrusion prevention system, patch 
management, and scanning and vulnerability management with the primary 
goal of protecting the VA network.
    Visibility to the Desktop Initiative will be achieved by providing 
agent-based, multi-dimensional automation with the following critical 
operational components:

      Installation and implementation of an enterprise tool 
that provides data scanning in real time for asset discovery, missing 
patches, remediation, identification of local administrators, 
operating, hardware and security system status, custom reports and 
identification of installed applications.
      Installation of an enterprise-wide forensic tool deployed 
to examine live systems on the network, provide E-Discovery, instantly 
capture volatile data in memory, remediate compromised systems and be 
able to search multiple machines for malware.

Protecting VA Medical Devices through Isolation Architecture
    VA faces a critical challenge in securing our medical devices from 
cyber threats--and securing them is among the highest priorities for 
VA. VA is the largest medical care provider in the Federal Government 
with over 50,000 networked medical devices. VA defines a medical device 
as any device that is used in patient health care for diagnoses, 
treatment, monitoring, or has gone through the Food and Drug 
Administration's (FDA) premarket review process. (Note: This usage is 
not necessarily the same as the use of the term 'device' in the Federal 
Food, Drug, and Cosmetic Act.)
    The major challenge with securing medical devices is that, because 
their operation must be certified, the application of operating system 
patches and malware protection updates is tightly restricted. This 
inherent vulnerability can increase the potential for cyber attacks on 
the VA trusted network by creating risk to patient safety. When medical 
devices are not adequately protected, they can and have been 
compromised at VA. Over 122 medical devices have been compromised by 
malware over the last 14 months. These infections have the potential to 
greatly affect the world-class patient care that is expected by our 
customers. In addition to compromising data and the system, these 
incidents are also extremely costly to the VA in terms of time and 
money spent cleansing infected medical devices.
    In 2009, VA mandated that all medical devices at VHA facilities 
connected to the VA network implement a medical device isolation 
architecture (MDIA) using a virtual local area network (VLAN) 
structure. To accomplish this, IPRM has initiated a medical device 
protection program (MDPP). This program ensures there are pre-
procurement assessments for medical devices and outlines a 
comprehensive protection strategy that encompasses communications, 
training, validation, scanning, remediation, and patching for the 
medical devices.
    OIT and IPRM have committed to securing all VA medical devices 
through isolation architecture by December 31, 2010. Major baselines 
for the project have been established, and the VA's more than 50,000 
medical devices will all have isolation architecture established by the 
end of this year.
    In addition to the visibility to the desktop initiative and medical 
device isolation architecture, other VA IPRM security and FISMA 
priorities for 2010 are:

      Remediating unresolved Plan of Action and Milestones 
(POA&M) while focusing efforts on addressing high risk system security 
deficiencies and vulnerabilities
      Implementing control mechanisms to ensure sufficient 
supporting documentation is captured in the SMART database to justify 
POA&M closure
      Employing mechanisms to ensure VA password complexity 
standards are enforced on all systems across the enterprise
      Initiating periodic reviews of user accounts to identify 
and eliminate incompatible system functions, system permissions in 
excess of required functional responsibilities, and unauthorized system 
user accounts
      Implementing VLAN controls to appropriately restrict 
access to sensitive network subnets at VA medical centers (VAMCs)
      Identifying external network connections and ensuring 
appropriate Interconnection Security Agreements and Memorandums of 
Understanding are in place
      Applying automated mechanisms to periodically identify 
and remediate system security weaknesses on VA's network 
infrastructure, database platforms, and web application servers across 
the enterprise
      Executing procedures to ensure VA contracts contain 
information security compliance clauses consistent with the FISMA
      Implementing remediation plans to address system security 
weaknesses found during vulnerability assessments of VA systems
      Initiating periodic reviews of security violations and 
enabling system audit logs on VA financial management systems
      Establishing a system development and change control 
framework that will integrate information security throughout the 
lifecycle of each system
      Applying technological solutions to monitor security for 
all systems and network segments supporting VA programs and operations
      Developing and testing an integrated continuity of 
operations plan in accordance with VA Directive and Handbook 0320, 
Comprehensive Emergency Management Program
      Implementing an effective continuous monitoring process that 
will incorporate consistent test methods, test procedures, and other 
testing elements to more accurately measure security control 
effectiveness
      Creating mechanisms for updating key elements in system 
security plans to include inventory of systems such as hardware, 
software, database platforms, and system interconnections
      Developing a comprehensive system inventory listing and 
expanding data calls for identifying minor applications to include all 
VA lines of business

Conclusion
    In closing, protecting Veteran information is crucial to VA's 
mission. A breach in security can hinder our ability to perform 
critical operations, put Veterans at risk, and ultimately result in a 
loss of public trust. VA is making significant progress in creating a 
solid environment of vigilance and awareness regarding individual 
responsibility in the area of information protection--the centerpiece 
of our overall program.
    Moving forward, VA will continue to combat security threats through 
critical initiatives including Security Improvement Program, visibility 
to the desktop, medical device protection program, and our ongoing 
efforts to educate our VA end users. We will continue to take proactive 
steps to meet the daunting challenges of new technology, such as 
evolving social media, cloud computing, mobile media, and advanced 
interconnectivity. We will meet our milestones as outlined in this 
testimony, to build one of the top security programs in the Federal 
Government.
    I remain personally committed to continually working toward 
establishing a world class security environment wherein we can fully 
safeguard the sensitive and private information of our Veterans and 
employees--and all sensitive information entrusted to us.


                   MATERIAL SUBMITTED FOR THE RECORD

                                     Committee on Veterans' Affairs
                       Subcommittee on Oversight and Investigations
                                                    Washington, DC.
                                                       May 20, 2010

Honorable Gene L. Dodaro
Comptroller General
U.S. Government Accountability Office
441 G Street, NW
Washington, DC 20548

Dear Comptroller General Dodaro:

    Thank you for the testimony of Gregory C. Wilshusen, Director of 
Information Security Issues, accompanied by Valerie C. Melvin, Director 
of Information Management and Human Capital Issues at the U.S. House of 
Representatives Committee on Veterans' Affairs Subcommittee on 
Oversight and Investigations hearing that took place on May 19, 2010, 
entitled ``Assessing Information Security at the U.S. Department of 
Veterans Affairs.''
    Please provide answers to the following questions by Friday, July 
2, 2010, to Todd Chambers, Legislative Assistant to the Subcommittee on 
Oversight and Investigations.

    1.  In May 2006, VA suffered a debilitating security breach in 
which the personally identifiable information of over 26 million 
veterans and active duty personnel stored on a hard drive was stolen 
from the home of a VA employee. Is veterans' information more secure 
now than it was then?
    2.  You mentioned in your statement that VA is reporting an 
increasing number of security incidents. Why is that?

                a.  Does that mean VA's security controls are 
                ineffective?

    3.  How does VA's information security program compare to other 
Federal agencies?
    4.  What are the top three things that VA should focus on now to 
strengthen security over its systems and information?
    5.  VA is implementing its new IT project management guidance--the 
Project Management Accountability System (PMAS). What is the status of 
VA's PMAS implementation?

                a.  Does this guidance include any provisions for 
                information security?

    Thank you again for taking the time to answer these questions. The 
Committee looks forward to receiving your answers. If you have any 
questions concerning these questions, please contact Martin Herbert, 
Majority Staff Director for the Subcommittee on Oversight and 
Investigations at (202) 225-3569.

            Sincerely,

                                                  Harry E. Mitchell
                                                           Chairman

MH:tc
                               __________

                              U.S. Government Accountability Office
                                                    Washington, DC.
                                                       July 2, 2010

The Honorable Harry E. Mitchell
Chairman
Subcommittee on Oversight and Investigations
Committee on Veterans' Affairs
U.S. House of Representatives

Dear Chairman Mitchell:

    This letter responds to your request dated May 20, 2010, to provide 
answers to five questions related to the May 19, 2010, hearing on 
assessing information security at the Department of Veterans Affairs 
(VA). Your questions and our responses follow.

    Question 1: In May 2006, VA suffered a debilitating security breach 
in which the personally identifiable information of over 26 million 
veterans and active duty personnel stored on a hard drive was stolen 
from the home of a VA employee. Is veterans' information more secure 
now than it was then?
    In some respects veterans' information is more secure now than it 
was in May 2006, but it is still vulnerable to unauthorized disclosure 
and modification. In the 4 years since the 2006 security breach, VA has 
taken several steps to strengthen information security. In October 
2006, the department moved to a centralized management model as part of 
organizational changes implemented to improve service to veterans. In 
September 2007, we reported that VA was addressing the problem of 
unencrypted laptops, and that 244 of 248 laptops we examined at eight 
locations had been encrypted.\1\ VA also finalized guidance for 
developing, documenting, and implementing the elements of the 
information security program, and filled the position of chief 
information security officer. Additionally, VA has taken steps to 
clearly define responsibilities of key information security officials 
and to improve coordination among them. Another action that VA is 
currently undertaking is implementing the Federal Desktop Core 
Configuration initiative, which should help the department to better 
safeguard its workstations that use the Windows XP and Vista operating 
systems and protect sensitive information.
---------------------------------------------------------------------------
    \1\ GAO, Information Security: Sustained Management Commitment and 
Oversight Are Vital to Resolving Long-standing Weaknesses at the 
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sep. 7, 
2007).
---------------------------------------------------------------------------
    However, much work remains to appropriately secure veterans' 
information. As recently reported by the VA Inspector General and VA's 
independent auditor, significant control weaknesses continue to exist 
in each of five major categories of security controls: (1) access 
controls, which are intended to ensure that only authorized individuals 
can read, alter, or delete data; (2) configuration management controls, 
which provide assurance that only authorized software programs are 
implemented; (3) segregation of duties, which reduces the risk that one 
individual can independently perform inappropriate actions without 
detection; (4) continuity of operations, which is intended to prevent 
significant disruptions of computer-dependent operations; and (5) an 
agencywide information security program, which is to provide the 
framework for ensuring that risks are understood and that effective 
controls are selected and properly implemented. For example, VA had 
deficiencies in the controls intended to prevent, limit, and detect 
unauthorized access to its computer systems and information. As a 
result, veterans' personal information remains at unnecessary risk of 
unauthorized disclosure and inadvertent or deliberate misuse.

    Question 2: You mentioned in your statement that VA is reporting an 
increasing number of security incidents. Why is that?

        a. Does that mean VA's security controls are ineffective?
    There are likely two reasons why VA has been reporting an 
increasing number of security incidents over the past 3 years. The 
first reason relates to improvements in VA's incident management 
capability. Since the May 2006 data theft, VA has realigned and 
consolidated two centers with responsibilities for incident management, 
as well as developed and documented key policies and procedures. For 
example, it has developed an incident report template to assist VA 
personnel in reporting incidents to the consolidated center within 1 
hour of discovering an incident. In addition, VA employees were 
required to take security and privacy training, which may have 
heightened their awareness of their responsibility to report incidents 
involving loss of personal information. These actions are, perhaps, 
contributing factors to VA having reported the highest number of 
incidents in comparison to 23 other major Federal agencies during 
fiscal years 2007 through 2009.
    The second reason is the likelihood that the number of attacks or 
incidents is increasing, although we cannot be certain of this because 
the number of undetected attacks or incidents is not known. We have 
previously reported that the threats to Federal systems and critical 
infrastructure are evolving and growing. The fact that VA has been 
reporting an increasing number of security incidents over each of the 
past 3 years is consistent with the experience of other Federal 
agencies. To illustrate, the government-wide number of security 
incidents reported by Federal agencies to U.S. CERT has increased 
dramatically from about 5,500 in fiscal year 2006 to about 30,000 in 
fiscal year 2009, an increase of over 400 percent. Across the 
government, agencies including VA have experienced a wide range of 
incidents involving data loss or theft, computer intrusions, and 
privacy breaches, underscoring the need for improved security 
practices.
    The fact that VA is reporting an increasing number of security 
incidents does not necessarily mean, in and of itself, that VA's 
security controls are ineffective because even strong controls may not 
block all intrusions and misuse. However, it does indicate that 
vulnerabilities remain in security controls designed to adequately 
safeguard information. Moreover, despite the steps VA has taken to 
strengthen its information security, both the Office of Inspector 
General and an independent auditor reported that VA's security controls 
were ineffective. In VA's fiscal year 2009 performance report, the 
independent auditor cited failures to remediate known security control 
deficiencies, enforce policies for passwords, approve changes to 
systems, and test contingency plans, among other weaknesses.\2\ The 
auditor concluded that IT security and control weaknesses remain 
pervasive at VA.
---------------------------------------------------------------------------
    \2\ Department of Veterans Affairs, FY 2009 Performance and 
Accountability Report, (Washington, D.C.: Nov. 16, 2009).
---------------------------------------------------------------------------

    Question 3: How does VA's information security program compare to 
other Federal agencies?
    Similar to VA, most major Federal agencies have deficient 
information security programs. As depicted in table 1, our analysis of 
inspector general, agency, and GAO reports shows that most major 
agencies had weaknesses in most of the key security control categories 
for fiscal year 2009.

 Table 1: 24 Major Federal Agencies' Control Weaknesses for  Fiscal Year
                                  2009
------------------------------------------------------------------------
                             Number of major        Was VA one of the
    Security control       agencies reporting       agencies reporting
        category               weaknesses              weaknesses?
------------------------------------------------------------------------
Access controls          22                      yes
------------------------------------------------------------------------
Configuration            23                      yes
 management
------------------------------------------------------------------------
Segregation of duties    17                      yes
------------------------------------------------------------------------
Contingency planning     22                      yes
------------------------------------------------------------------------
Security management      23                      yes
------------------------------------------------------------------------
Source: GAO analysis of IG, agency, and GAO reports.

    VA was one of six major agencies to report a material weakness in 
information security over its financial systems and information--the 
most severe kind of weakness for financial reporting purposes.\3\ As 
illustrated in figure 1, 21 of the 24 major agencies either had a 
material weakness or significant deficiency in information security 
over their financial systems.
---------------------------------------------------------------------------
    \3\ A material weakness is a deficiency, or a combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented or detected and corrected on a timely 
basis. A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged with 
governance. A deficiency in internal control exists when the design or 
operation of a control does not allow management or employees, in the 
normal course of performing their assigned functions, to prevent, or 
detect and correct misstatements on a timely basis.
---------------------------------------------------------------------------
Figure 1: Significant Deficiencies in Information Security Included in 
                 24 Major Agencies' Financial Reporting

[GRAPHIC] [TIFF OMITTED] T7022A.003

    VA was also one of the 20 major agencies for which information 
security was cited as a major management challenge in fiscal year 2009. 
In part for these reasons, GAO has continued to designate information 
security as a governmentwide high-risk area since 1997.

    Question 4: What are the top three things that VA should focus on 
now to strengthen security over its systems and information?
    To address long-standing weaknesses and strengthen VA's information 
security program, the following three actions are key:

      Mitigate known vulnerabilities, focusing on high-risk 
deficiencies and weaknesses. Over the past several years, GAO, VA's 
Office of Inspector General, and VA's internal assessments have 
identified thousands of security deficiencies and vulnerabilities in 
the department's information systems and practices. Following the May 
2006 security incident, VA officials began working on an action plan to 
strengthen information security controls at the department. In fiscal 
year 2009, VA's independent auditor reported that while the department 
continued to make steady progress, many information technology security 
control deficiencies were not analyzed and remediated across the 
agency, deficiencies were sometimes closed as corrected in the absence 
of sufficient and documented support for the closures, and a large 
backlog of deficiencies remained in the VA plan of action and milestone 
system. Effective mitigation of these deficiencies could help VA to 
prevent, limit, and detect unauthorized access to computerized networks 
and systems and help ensure that only authorized individuals can read, 
alter, or delete data. If these deficiencies are not successfully 
corrected in a timely manner, VA will continue to lack effective 
security controls to safeguard its assets and sensitive information.
      Implement automated mechanisms to monitor systems and 
networks, and identify and remediate system security weaknesses. 
Another action that VA can take to improve securing and monitoring of 
its systems and networks is to expand its use of automated tools for 
performing certain security-related functions. Because VA is large and 
geographically dispersed, increasing automation of key security 
processes can assist in the efficient and effective implementation of 
key controls across the entire enterprise. For example, VA can use 
centrally administered automated diagnostic and analytical tools to 
continuously monitor network traffic, scan devices across the 
enterprise to identify vulnerabilities or anomalies from typical usage, 
and monitor compliance with departmental configuration requirements. In 
addition, improving the use of automated tools for patch management can 
increase efficiency in mitigating known vulnerabilities on many systems 
within the department. In its fiscal year 2009 performance report, VA 
acknowledged the need to implement monitoring mechanisms and address 
system security weaknesses. The department plans to have 100 percent of 
its operational systems in continuous monitoring by the end of fiscal 
year 2010.
      Establish and implement oversight and accountability 
mechanisms to ensure that management remains committed and effective in 
its efforts to implement a comprehensive information security program. 
Security programs should have owners at the management level who are 
held accountable through performance appraisals that can be affected by 
the results of these measures. In September 2006, VA issued a 
memorandum that required all senior executive performance plans to 
include information security as an evaluation element by November 30, 
2006. In a September 2007 report, we stated that VA was unable to 
provide documentation on the performance plan reviews or a documented 
process for regular review of these plans.\4\ Without a process for 
reviewing senior executives' performance plans on a regular basis to 
ensure that information security is included as an evaluation element, 
VA may not have effective management accountability for information 
security. Accordingly, we recommended that VA develop, document, and 
implement a process for reviewing on a regular basis the performance 
plans of senior executives to ensure that information security is 
included as an evaluation element. The department has stated that it 
now has in place a process for reviewing these senior executives' 
performance plans. We plan to verify VA's actions later this year.
---------------------------------------------------------------------------
    \4\ GAO-07-1019.
---------------------------------------------------------------------------

    Question 5: VA is implementing its new IT project management 
guidance--the Project Management Accountability System (PMAS). What is 
the status of VA's PMAS implementation?

        a. Does this guidance include any provisions for information 
        security?

    As of March 2010, VA had begun applying the PMAS management 
approach to all of the department's IT projects that were planned to 
deliver new system functionality or enhance existing systems. Initiated 
in June 2009 by VA's Assistant Secretary for Information and Technology 
(who serves as the department's Chief Information Officer), PMAS is 
intended to improve the department's management and oversight of IT 
projects by requiring that new system functionality be delivered to 
customers in 6-month increments and that projects be stopped and re-
evaluated after missing three consecutive customer delivery milestones. 
When PMAS was initiated, the Assistant Secretary called a stop to 45 of 
the department's IT projects that were identified as behind schedule or 
over budget.
    VA has included high-level discussion of information security in 
its PMAS guidance. Specifically, the department's original (June 2009) 
PMAS instructions described actions necessary for projects to restart, 
including development of a system security plan and requirements for 
how system security will be managed. Subsequent guidance, issued in 
March 2010, required the development of a project management plan that, 
according to the department, is to include system security plans and 
requirements.
    Our responses to these questions are based on work that we 
performed in accordance with generally accepted government auditing 
standards.

                                               Gregory C. Wilshusen
                              Director, Information Security Issues

                                                  Valerie C. Melvin
          Director, Information Management and Human Capital Issues

                                 

                                     Committee on Veterans' Affairs
                       Subcommittee on Oversight and Investigations
                                                    Washington, DC.
                                                       May 20, 2010

Honorable George J. Opfer
Inspector General
U.S. Department of Veterans Affairs
810 Vermont Avenue, NW
Washington, DC 20420

Dear Inspector General Opfer:

    Thank you for the testimony of Belinda J. Finn, Assistant Inspector 
General for Audits and Evaluations, Office of Inspector General, U.S. 
Department of Veterans Affairs, accompanied by Michael Bowman, Director 
of Information Technology and Security Audits, Office of Inspector 
General at the U.S. House of Representatives Committee on Veterans' 
Affairs Subcommittee on Oversight and Investigations hearing that took 
place on May 19, 2010, entitled ``Assessing Information Security at the 
U.S. Department of Veterans Affairs.''
    Please provide answers to the following questions by Friday, July 
2, 2010, to Todd Chambers, Legislative Assistant to the Subcommittee on 
Oversight and Investigations.

    1.  What are the VA's most significant risks related to adequately 
protecting its systems and sensitive data?
    2.  What are VA's most significant risks regarding its many system 
interconnections with external organizations?
    3.  How is the OIG leveraging the work of the independent financial 
statement auditors to expand the depth of its FISMA assessments?
    4.  Moving forward, what steps can VA take to prevent the loss of 
sensitive data?
    5.  How has VA's realignment of its Information Technology program 
in 2006 impacted the implementation of the Department's security 
program?
    6.  What are some of the criticisms regarding FISMA law and how has 
it impacted OIG's evaluation of VA's information security program?
    7.  What is the role of FISMA's Certification and Accreditation 
process for securing Federal information systems?
    8.  What are VA's most significant risks related to adequately 
protecting its systems and sensitive data?

    Thank you again for taking the time to answer these questions. The 
Committee looks forward to receiving your answers. If you have any 
questions concerning these questions, please contact Martin Herbert, 
Majority Staff Director for the Subcommittee on Oversight and 
Investigations at (202) 225-3569.

            Sincerely,

                                                  Harry E. Mitchell
                                                           Chairman

MH:tc

                               __________

                                U.S. Department of Veterans Affairs
                                        Office of Inspector General
                                                    Washington, DC.
                                                      June 21, 2010

The Honorable Harry E. Mitchell
Chairman
Subcommittee on Oversight and Investigations
Committee on Veterans' Affairs
United States House of Representatives
Washington, DC 20515

Dear Mr. Chairman:

    This is in response to your May 20, 2010, letter following the May 
19, 2010, hearing on Assessing Information Security at the U.S. 
Department of Veterans Affairs. Enclosed are our responses to the 
additional hearing questions.
    Thank you for your interest in the Department of Veterans Affairs.

            Sincerely,

                                         /s/ Richard J. Griffin for
                                                    GEORGE J. OPFER

Enclosure

                               __________
Questions from the Honorable Harry Mitchell For Belinda Finn, Assistant 
   Inspector General for Audits and Evaluations Office of Inspector 
                                General,
    U.S. Department of Veterans Affairs, Before the Subcommittee on 
     Oversight and Investigations, Committee on Veterans' Affairs,
     United States House of Representatives, Hearing on Assessing 
    Information Security at the U.S. Department of Veterans Affairs

    Question 1: What are VA's most significant risks related to 
adequately protecting its systems and sensitive data?

    Response: Assessments conducted under the Federal Information 
Security Management Act (FISMA) identified three areas of concern:

      Unauthorized Access--Default passwords, weak passwords, 
and vulnerable third party applications provide well-known attack 
points for malicious users to gain unauthorized access to mission 
critical systems.
      Contractor Security--VA faces significant challenges 
providing effective oversight to ensure contractors are meeting VA's 
information security requirements. Our review of a specific service 
provider managing multiple active contracts also revealed that VA has 
not implemented effective procedures to mitigate the risks of 
unauthorized access and disclosure of sensitive veteran information. VA 
will remain at risk unless it can ensure that all staff and contractors 
comply with relevant information security policies and procedures.
      External Organizations--VA's system interconnections with 
external organizations, such as affiliates, also pose significant risks 
to VA systems and data.

    Question 2: What are VA's most significant risks regarding its many 
system interconnections with external organizations?

    Response: The most significant risks regarding its many system 
interconnections with external organizations are:

      Unencrypted Protocols--Many of these system 
interconnections utilize unencrypted protocols to transfer sensitive 
veteran data. Consequently, interconnection data is vulnerable to 
interception by attackers outside the network.
      Monitoring--VA does not monitor most of its system 
interconnections with external organizations, providing ample 
opportunities for attackers to penetrate VA's network without being 
detected.
      Controls--While VA has established interconnection 
agreements with most external organizations hosting VA sensitive data, 
it has not implemented controls to ensure that external organizations 
are adequately protecting sensitive veteran data in accordance with VA 
policies and procedures (End Point Security).

    Question 3: How is the OIG leveraging the work of the independent 
financial statement auditors to expand the depth of its FISMA 
assessments?

    Response: We expanded the scope of the consolidated financial 
statement audit to include testing of security controls, which directly 
relates to our FISMA assessment as well as the independent audit of 
VA's financial statements.
    In connection with the evaluation of VA's Consolidated Financial 
Statements, our independent auditors perform information security 
testing at VA's three major data centers and include assessments of 
mission critical financial management systems, databases, web 
applications, network devices, and general support systems. The results 
of this work directly support the OIG's evaluation of VA's information 
security program in accordance with FISMA.
    The expanded scope has enabled us to increase the number of FISMA 
site visits from 12 facilities in FY 2009 to 20 facilities in FY 2010. 
This expanded coverage enables us to identify trends and systemic 
issues, draw better conclusions, and make recommendations regarding the 
effectiveness of VA's information security program.

    Question 4: Moving forward, what steps can VA take to prevent the 
loss of sensitive data?

    Response: VA needs to implement safeguards to ensure that external 
organizations are adequately protecting sensitive veteran data in 
accordance with VA policy and FISMA. VA should ensure that all service 
provider contracts include provisions to implement information security 
protections in accordance with VA policy and procedures. VA also needs 
to establish a complete inventory of all hardware that hosts VA 
sensitive data and ensure that storage devices are authorized and fully 
encrypted.
    Further, VA must implement procedures to sanitize all storage 
devices that are no longer used to host sensitive data. VA also needs 
to fully deploy software that will prevent personnel from transferring 
VA sensitive data to unencrypted and unauthorized personal storage 
devices.

    Question 5: How has VA's realignment of its Information Technology 
(IT) program in 2006 impacted the implementation of the Department's 
information security program?

    Response: The centralization of IT functions has allowed VA to 
develop agency-wide policies and procedures supporting VA's information 
security program. However, our annual FISMA evaluations continue to 
show that VA has not implemented effective controls to enforce VA's 
information security policies and procedures.
    The centralization has facilitated the development and 
implementation of the Certification and Accreditation program and the 
Privacy Impact Assessments program across the agency. However, our 
FISMA assessments have concluded that VA's Certification and 
Accreditation and Privacy Impact Assessment programs do not adequately 
identify and mitigate significant information system security risks. 
For example, the Certification and Accreditation program did not 
identify significant access control weaknesses that were discovered 
during the OIG's annual FISMA assessment. Privacy Impact Assessments 
did not consider whether VA sensitive information was stored on minor 
applications hosted at VA medical facilities and other program offices.
    Moreover, VA still has a high number of decentralized legacy 
information systems and networks and continues to struggle with 
implementing consistent and effective information security controls 
across all systems and networks.

    Question 6: What are some of the criticisms regarding the FISMA 
law, and how has it impacted OIG's evaluation of VA's information 
security program?

    Response: Since its passage, some believe that FISMA is a paperwork 
intensive exercise that has identified vulnerabilities but has not 
significantly improved information system security controls at Federal 
agencies.
    The OMB Chief Information Officer has also stated that elements of 
FISMA reporting are based on metrics that focus on compliance reporting 
rather than information security outcomes. To improve the quality of 
FISMA reporting in 2010, OMB will require agencies to provide broader 
information related to their system inventories, critical applications, 
external connections, identity management, and access controls. The 
expanded FISMA reporting will assist OMB in determining whether 
agencies are effectively monitoring information supporting their 
agency-wide information security programs. For example, collecting data 
on the number of systems tested for security vulnerabilities will allow 
OMB to assess the effectiveness of the agency-wide information security 
program.
    Our audit work addresses OMB's compliance reporting requirements 
under FISMA. More importantly, our work involves substantial testing of 
general and technical information security controls designed to protect 
VA's mission critical systems from unauthorized access, alteration, and 
destruction. Testing of general and technical information security 
controls helps us offer recommendations that can improve the security 
posture of VA in areas where significant security risks persist. Our 
audit findings and recommendations provide a solid foundation for 
improving the effectiveness of VA's information security program and 
for assisting VA in meeting the fundamental security objectives of 
FISMA.

    Question 7: What is the role of FISMA's Certification and 
Accreditation process for securing Federal information systems?

    Response: Under FISMA, Certification and Accreditation is a formal 
process of identifying agency systems and their boundaries, conducting 
risk assessments of potential security threats and vulnerabilities, 
establishing minimum sets of security controls to protect agency 
systems, and performing tests of controls to provide assurance that 
relative system security risks are addressed or fully mitigated by 
compensating controls.
    Documentation provided in Certification and Accreditation packages 
includes system risk assessments; system security, remediation and 
contingency plans; and the results of independent security controls 
analyses.
    The Certification and Accreditation process is designed to provide 
authorizing officials with essential information so they can make 
credible risk-based decisions on whether to authorize the operation of 
an information system.

                                 

                                     Committee on Veterans' Affairs
                       Subcommittee on Oversight and Investigations
                                                    Washington, DC.
                                                       May 20, 2010

Honorable Eric K. Shinseki
Secretary
U.S. Department of Veterans Affairs
810 Vermont Avenue, NW
Washington, DC 20420

Dear Secretary Shinseki:

    Thank you for the testimony of the Honorable Roger W. Baker, 
Assistant Secretary for Information and Technology, U.S. Department of 
Veterans Affairs, accompanied by Jaren Doherty, Acting Deputy Assistant 
Secretary for Information Protection and Risk Management, Office of 
Information and Technology; Jan R. Frye, Deputy Assistant Secretary for 
Acquisition and Logistics, Office of Acquisition, Logistics, and 
Construction; and Frederick Downs, Jr., Chief Procurement and Clinical 
Logistics Officer, Veterans Health Administration at the U.S. House of 
Representatives Committee on Veterans' Affairs Subcommittee on 
Oversight and Investigations hearing that took place on May 19, 2010, 
entitled ``Assessing Information Security at the U.S. Department of 
Veterans Affairs.''
    Please provide answers to the following questions by Friday, July 
2, 2010, to Todd Chambers, Legislative Assistant to the Subcommittee on 
Oversight and Investigations.

    1.  In a December 30, 2009 letter to Peter Orszag, Director of the 
Office of Management and Budget, Secretary Shinseki stated that though 
VA's CIO section report states that contingency plans for 94 percent of 
VA's systems have been tested in accordance with department policy, the 
IG indicates that only 50 percent of the contingency plans have been 
tested. Furthermore, the IG reports that VA's SMART database does not 
maintain evidence that contingency plan testing was performed for all 
581 systems reported to OMB. To what do you attribute the differences 
between your numbers and the IG's?

                a.  Also, are there financial and operational 
                considerations that contribute to these differences? If 
                so, please explain in detail the financial and 
                operational aspects.

    2.  Please explain the FISMA implications in the VA's two recent 
data breaches.
    3.  In FY 2009, the VA closed just over 9,000 plans of actions and 
milestones. There are still approximately 8,615 unresolved plans of 
actions and milestones, almost half (4,218) of which were overdue. 
Please explain the reasons for these deficiencies.
    4.  How does VA enforce the FISMA requirements on contractors and 
how often?
    5.  What material weaknesses in the system did the two breaches 
reported in April uncover?
    6.  Prior to the April breaches, particularly with the logbook 
loss, who at the Department of Veterans Affairs was in charge of 
securing veteran information not maintained in an IT environment? How 
has this changed since the loss of the logbook?
    7.  Who is currently responsible for contracts procured by the 
Medical Centers if they contain programs that may provide the 
contractor access to veterans' personal information?
    8.  How will the Department ensure that the information security 
clause is in every contract whereby veteran information is exchanged 
between VA and a contractor?
    9.  How has the General Counsel's office addressed the 500 plus 
contractors who have refused to sign the contract modifications adding 
the information security clause?
    10.  Given the concern that there should not be a reduction in 
services to our veterans, please respond to the following questions:

                a.  Please provide the Committee with a list of the 579 
                contractors who refused to sign the information 
                security clause.
                b.  How many of these contracts are currently providing 
                critical veterans' services?
                c.  What will happen to the contracts if the vendor 
                continues to refuse to sign the information security 
                clause?
                d.  Will services to our veterans be undermined if VA 
                actively pursues these contractors or discontinues 
                business with them?

    11.  Both the VA OIG and the GAO had identified areas of weakness 
at the VA relating to information security, particularly in the areas 
of access controls, configuration management, segregation of duties, 
contingency planning, and security management. What steps are being 
taken by the Department to address these deficiencies? Please provide 
the Committee with a timeline for full implementation of these 
measures.
    Thank you again for taking the time to answer these questions. The 
Committee looks forward to receiving your answers. If you have any 
questions concerning these questions, please contact Martin Herbert, 
Majority Staff Director for the Subcommittee on Oversight and 
Investigations at (202) 225-3569 or Arthur Wu, Minority Staff Director 
for the Subcommittee on Oversight and Investigations at (202) 225-3527.

            Sincerely,

                                                  Harry E. Mitchell
                                                           Chairman

                                                       David P. Roe
                                          Ranking Republican Member

MH/:tc

                               __________
                        Questions for the Record
               The Honorable Harry E. Mitchell, Chairman
         The Honorable David P. Roe, Ranking Republican Member
              Subcommittee on Oversight and Investigations
                  House Committee on Veterans' Affairs
   Assessing Information Security at the U.S. Department of Veterans 
                                 Affairs
                              May 19, 2010

    Question 1: In a December 30, 2009 letter to Peter Orszag, director 
of the Office of Management and Budget, Secretary Shinseki stated that 
though VA's CIO section report states that contingency plans for 94 
percent of VA's systems have been tested in accordance with department 
policy, the IG indicates that only 50 percent of the contingency plans 
have been tested. Furthermore, the IG reports that VA's SMART database 
does not maintain evidence that contingency plan testing was performed 
for all 581 systems reported to OMB. To what do you attribute the 
differences between your numbers and the IG's?

    Question 1(a): Also, are there financial and operational 
considerations that contribute to these differences? If so, please 
explain in detail the financial and operational aspects.

    Response: The Department believes that the differences noted are 
primarily due to the inability of the sites to upload contingency 
testing documents to the SMART database for review by the OIG. Also, 
some sites cannot test contingency plans at alternate sites in 
accordance with existing Department policy due to financial and 
operational considerations, such as the inability to take mission-
critical systems out of production for even a brief period of time. To 
address these differences, the Department will ensure that all evidence 
of contingency plan testing is uploaded into the SMART database and 
will look into revising existing policy requiring alternative site 
testing of contingency plans.

    Question 2: Please explain the FISMA implications in the VA's two 
recent data breaches.

    Response: Federal Information Security Management Act (FISMA) 
guidance for the protection of Personally Identifiable Information 
(PII) is defined in the NIST Special Publication (SP) 800-122, Guide to 
Protecting the Confidentiality of Personally Identifiable Information 
(PII). VA already has adequate policies and procedures in place to 
identify these two incidents as major deficiencies.
    In the case of the lost laptop by the contractor, specific 
processes by OI&T personnel and those within the Office of 
Acquisitions, Logistics and Construction are currently being put into 
place to remediate any commercial contracts being awarded without the 
specific requirements for safekeeping of sensitive and PII 
information. VA is also analyzing auditing vendors in their security 
practices to ensure they are complying with these requirements.
    Security language in contracts has been a requirement since the 
first security policy was created in July 1988 (VA Circular 10-88-78). 
Additionally, VA CIO Memorandum, Contract Security/Privacy 
Requirements, dated August 27, 2008, and VA Secretary Memorandum, 
Protecting Information Security and Privacy, dated February 27, 2009, 
further established the requirement. VA Handbook 6500.6, Contract 
Security, published March 12, 2010, incorporates content from both 
memorandums and makes security language in contracts VA policy.
    In the case of the lost hard copy binder, although there are 
policies in place to ensure this type of incident should never have 
occurred, these policies were not sufficient. VA is in the process of 
crafting an acceptable security practice that provides more security 
without hindering medical care.

    Question 3: In FY 2009, VA closed just over 9,000 plans of actions 
and milestones. There are still approximately 8,615 unresolved plans of 
actions and milestones, almost half (4,218) of which were overdue. 
Please explain the reasons for these deficiencies.

    Response: VA conducts security reviews on information systems which 
result in Plans of Action and Milestones (POA&M), or deficiencies. A 
regular review schedule and a continuous monitoring effort produce new 
deficiencies as new exploits and vulnerabilities are found. This 
increases the number of deficiencies that VA carried from FY 2009.
    However, VA has taken an aggressive approach to removing these 
deficiencies. Our efforts with projects such as implementation of 
Federal Desktop Core Configuration (FDCC), visibility to the desktop 
initiative and increased focus on vulnerability scanning, will 
systematically remove deficiencies and prevent slippage in remediation 
schedules to reduce actions becoming overdue.
    VA is also implementing a continuous monitoring program with 
increased oversight capabilities to monitor POA&Ms at each facility and 
on each information system. This effort prevents occurrences where 
tasks are not being completed timely and effectively.
    To clean up the backlog of overdue POA&Ms, VA created POA&M work 
groups on November 12, 2008, consisting of representatives from various 
organizations, including IT Field Operations and Development (FOD), 
CIOs, Field Security Service (FSS) Information Security Officers 
(ISOs), Engineering, Development, and the Office of Cyber Security 
(OCS). This group, co-chaired by the FSS Regional Information Security 
Directors (RISDs) and IT FOD Certification and Accreditation (C&A) 
Coordinators, identified and divided POA&Ms into four work groups based 
on major groupings of systems in the Department FISMA inventory. Each 
workgroup made recommendations to address POA&Ms based on the 
following: national waiver requests, identified invalid POA&Ms, and 
recommended remediation at the National-, Regional-, or Local-level. 
Currently, the following actions have been taken:

      National waiver requests have been completed
      National-level POA&M points of contact have been 
appointed by OED, EIE, and the Region 5 IT Director to assist local 
sites with remediation
      Local sites have been informed of what POA&Ms they are 
required to complete

    IT FOD is chartering a new POA&M initiative in FY10-FY 2011 called 
the ``FISMA Challenge'' to further define roles and responsibilities, 
and take a risk based decision approach to address POA&Ms.

    Question 4: How does VA enforce the FISMA requirement on 
contractors and how often?

    Response: VA released a new policy in March 2010, VA Handbook 
6500.6, Contract Security, which provides a process to ensure that the 
security clause and appropriate security language are included in VA 
contracts in which VA sensitive information is stored, generated, 
transmitted or exchanged, regardless of format and whether it resides 
on VA or non-VA systems. This process involves a team that includes the 
Information Security Officer (ISO), the Privacy Officer (PO), the 
Contracting Officer's Technical Representative (COTR) and the 
Contracting Officer (CO) in the review of contracts to ensure that the 
appropriate language for that particular contract is included in the 
contract. This process applies to the creation of new contracts. The 
Handbook includes a checklist that helps the team determine the areas 
within the proposed contract that would have security implications. The 
Handbook also provides an Appendix that contains 12 pages of reviewed/
approved security/privacy language that will be added to contracts, as 
appropriate. The Handbook also includes the requirement for oversight 
of contracts. To help provide oversight, Certification and 
Accreditation (C&A) of applicable contractor systems as well as a new 
Contractor Security Control Assessment (CSCA) is introduced that can be 
utilized for monitoring service contracts such as transcription 
contracts and tele-radiology contracts. A ``Contractor Rules of 
Behavior'' is also introduced that outlines a contractor's individual 
security responsibilities.
    Contractors and contractor-provided services are reviewed at least 
annually for compliance with FISMA requirements. All contractors are 
required to take security awareness training and sign the ``rules of 
behavior'' annually, and VA information security officers validate 
service provider conformance with FISMA requirements at least annually 
through reviews of system documentation to ensure security controls are 
documented and tested, site visits to ensure security controls are in 
place and operating as stated in the documentation, and interviews with 
contractors operating these systems.

    Question 5: What material weaknesses in the system did the two 
breaches reported in April uncover?

    Response: With the Heritage Health Solutions laptop loss, 
contractor data security has become a focused issue. Some contracts 
were found to not have the proper security language in them. The other 
concern is that some vendors have contracts with the correct security 
language in place, but are not following the security measures 
required. VA did not have a way of monitoring the security 
effectiveness of the many contracts in place.
    With the Dallas VAMC's missing binder and clipboard, paper loss has 
become a more focused issue. All logbooks used in clinical settings 
containing either PII or PHI are major vulnerabilities.

    Question 6: Prior to the April breaches, particularly with the 
logbook loss, who at the Department of Veterans Affairs was in charge 
of securing Veterans information not maintained in an IT environment? 
How has this changed since the loss of the logbook?

    Response: Each service or department seeing patients has procedures 
in place as dictated by the Health Insurance Portability and 
Accountability Act (HIPAA) and the Privacy Office to secure all paper 
copies of information generated, produced or otherwise prepared in the 
course of business. In response to this breach, the facility has taken 
steps to identify all log books being used at the Medical Center and 
begun identifying other means to track patients. The Privacy Office and 
OI&T have the ultimate responsibility of securing information 
regardless of the storage environment.

    Question 7: Who is currently responsible for contracts procured by 
the Medical Centers if they contain programs that may provide the 
contractor access to Veterans' personal information?

    Response: VHA revised response: The local Contracting Officer (CO) 
is responsible for contracts procured by the medical centers if they 
contain programs that may provide the contractor access to Veterans' 
information. The CO, Information Security Officer (ISO), and the 
Privacy Officer (PO) meet during the acquisition planning stage to 
review the contract requirements and plan how to best protect personal 
information. Also, the Contracting Officer's Technical Representative 
(COTR) maintains oversight of the contract during the administration of 
the contract to ensure compliance with the contract terms and 
conditions as related to the security of IT information. It is a 
concerted effort of several VA offices, critical personnel and subject 
matter experts who must address the security of Veterans' personal 
data.

    Question 8: How will the Department ensure that the information 
security clause is in every contract whereby Veteran information is 
exchanged between VA and a contractor?

    Response: With the implementation of VA Handbook 6500.6, Contract 
Security, a process has been created to ensure that the security clause 
and appropriate security/privacy language is included in contracts in 
which VA sensitive information is stored, generated, transmitted or 
exchanged, regardless of format and whether it resides on VA or non-VA 
systems.
    Effective immediately, the Office of Information and Technology 
Oversight and Compliance (ITOC), an organization of 128 highly skilled 
security analysts, will, during each of their upcoming facility 
assessments, review the 10 largest dollar amount contracts, 20 randomly 
selected contracts, and 3 vendors for all contracts that receive or 
store information on VA clients at that facility to ensure their 
compliance with VA policy. Any facility with contracts that do not 
comply with the required security language will be reported to the 
appropriate VA senior leadership for remediation. Also, the Risk 
Management Team recently incorporated inclusion of the information 
security clause into its A-123 Audit Reviews.

    Question 9: How has the General Counsel's office addressed the 500 
plus contractors who have refused to sign the contract modifications 
adding the information security clause?

    Response: The Office of the General Counsel (OGC) has been 
providing ongoing, ad hoc, informal advice to contracting officers and 
other procurement staff across the country since Secretary Shinseki's 
February 27, 2009 Memorandum ordered all VA contracts and other 
agreements to be examined and analyzed to determine whether the VAAR 
Security Clauses should be incorporated and modified into existing 
contracts and agreements and written into future procurement documents. 
OGC has also participated in various teams working on VHA Memoranda and 
VA Handbook 6500 groups. OGC's Professional Group V has also provided 
written guidance to VA procurement attorneys across the country. OGC 
has further given advice to strategic response teams to help them 
understand the analyses necessary to resolve the situations involving 
contractors who refuse to sign modifications adding the VAAR Security 
Clauses into their contracts.
Analysis
    A VHA review had identified 580 contracts in which contractors had 
not agreed to incorporate the VAAR clauses into existing, open 
contracts. Further review and analyses with the combined efforts of 
Information Security Officers (ISOs), Privacy Officers (POs), and 
Contracting Officers (COs) with OGC guidance produced the following 
result: only 3 contracts (as of June 25, 2010) still required a 
resolution of their VAAR security clause status as not all VA or VHA 
contracts required such modifications or amendments.
    For all VA Veterans Integrated Service Networks (VISNs) combined, 
the data reveals how the 580 contracts/agreements identified were 
reduced to 60 as of June 11, 2010:

----------------------------------------------------------------------------------------------------------------
                                                                                      Contracts/
Clause Added     Contract         Contract      ISO/PO Exemption    Nursing Home     Agreements At   Grand Total
                  Expired        Terminated            \1\            Exemption          Issue
----------------------------------------------------------------------------------------------------------------
92            176             6                36                  215             60                580
----------------------------------------------------------------------------------------------------------------
\1\ ISO/PO Exemption(s): When ISO/PO analysis suggested the security clauses were not necessary, the requirement
  was waived and the contract exempted from including the clauses.

    Where the contracts were allowed to expire or were terminated, 
those dropped from the total of scrutinized contracts. ISOs, POs, and 
COs examined the agreements and found 36 that either did not need or 
warrant the clauses or were worthy of an exemption from the clause 
requirements, still maintaining data security and integrity. Finally, 
non-VA nursing homes/facilities were generating their own Sensitive 
Personal Information (SPI), Personally Identifiable Information (PII) 
and/or Personal Health Information (PHI) so that the VAAR clauses, 
intended to deter the unauthorized use, exposure, or disclosure of VA 
SPI would not likely be applicable. OGC provided guidance, as 
requested, to help this analysis. As of June 25, 2010, OGC helped VHA 
staff reduce the ``orphan'' cases where the VAAR Security Clause issue 
had not been resolved to 3 through reaching out to VHA staff, COs, and 
ISOs in the field.

----------------------------------------------------------------------------------------------------------------
                                                                           ISO Denied
   Contract    Currently With      VAAR                       ISO/PO       Exemption,     Grand      Contracts
   Expired     ISO for Review    Clauses     Duplicate K     Exemption    Elevated to     Total       awaiting
                                  Added                                       OGC                    resolution
----------------------------------------------------------------------------------------------------------------
5              45              2            1              2             2              57         3 of 22,000
----------------------------------------------------------------------------------------------------------------

    One ``duplicate'' contract file was found and deleted from the 
data. Five more contracts had expired, 2 more had the VAAR Security 
Clauses incorporated by amendment, 45 were undergoing ISO review, 2 
more received ISO/PO exemptions, and 2 have been referred to OGC for 
guidance where an ISO exemption was not appropriate. OGC anticipates 
that continued OGC support and analysis will help the field resolve or 
put the remaining 3 contracts into resolvable status regarding the 
necessary security measures; the remaining contracts constitute .00013 
percent of the overall 22,000 contracts and agreements VHA analyzed to 
incorporate the VAAR Security Clauses. With continuing OGC support, 
that number may be reduced to zero. OGC staff had anticipated that the 
number of affected contracts and agreements would be reduced as further 
examinations showed the clauses would not be universally applicable to 
all agreements. Some contractors had needed VA staff to explain that 
they were entitled, pursuant to the Changes Clause of the contract, to 
be compensated for costs incurred but not anticipated for additional 
capital outlays for security measures, or that the contracts/agreements 
could incorporate the clauses as no-cost modifications.
    OGC guidance and analyses have focused on helping VA procurement 
and ISO staffs to determine whether or not the third party involved 
needed to use, store, modify, generate, or transmit VA SPI or whether 
the third party (a) generated its own data or SPI, placing such 
agreements outside the scope of the VAAR Security Clause coverage, or 
(b) did not use, store, modify, generate, or transmit VA SPI in order 
to provide the services and supplies required or to perform contractual 
obligations for VA.
    The ISOs, POs, and COs in the field are aware OGC will help them 
determine whether the clauses belong in a given agreement or situation, 
or, how they may work with contractors to understand and to use the 
clauses.

    Question 10: Given the concern that there should not be a reduction 
in services to our Veterans, please respond to the following questions:

    Question 10(a): Please provide the Committee a list of 579 
contractors who refused to sign the information security clause.

    Response: Attachment A contains the list of 45 contractors who 
refused to sign the information security clause as of June 9, 2010. The 
list was compiled after reviewing the 579 contracts which did not 
include the signed information security clause.

    Question 10(b): How many of these contracts are currently providing 
critical Veterans' services?

    Response: Of the vendors refusing to sign, almost all provide 
critical Veterans' services. Those vendor contracts not related to 
critical service are being reviewed regarding the applicability of the 
clause to the contract. COs working with the ISOs and POs are 
reevaluating the contracts in light of the new guidance. This guidance 
consists of VA Handbook 6500.6 Contract Security, dated March 12, 2010, 
and the May 18, 2010, VAAR Security Clause in Contracts Memorandum from 
the Deputy Under Secretary for Health for Operations and Management.

    Question 10(c): What will happen to the contracts if the vendor 
continues to refuse to sign the information security clause?

    Response: The Veterans Health Administration (VHA) has been working 
diligently with several elements of VA, including OGC and the Privacy 
Office, to determine what steps should be taken when a vendor refuses 
to sign the VAAR Security Clause. VA has, as of May 19, 2010, received 
further guidance as to the applicability of the VAAR clause to nursing 
homes and other situations in which the vendors were refusing to sign. 
Guidance was provided by OI&T on March 12, 2010, as to the process in 
regards to obtaining clarity on when the clause is required in a 
contract. Our COs are currently working through those issues and have 
contacted their local ISOs and Privacy experts to identify if the 
clause is needed for these particular contracts. If it is, the CO will 
work with OGC to develop instructions on how to proceed.

    Question 10(d): Will services to our Veterans be undermined if VA 
actively pursues these contractors or discontinues business with them?

    Response: Yes. Many of these contracts are affiliate agreements 
that provide critical care necessary to serve our Veterans. Other 
contracts are service agreements to work on essential equipment that is 
needed to diagnose and treat patients. Attempting to cancel these 
contracts will be detrimental to our ability to care for our patients.

    Question 11: Both the VA OIG and the GAO had identified areas of 
weakness at the VA relating to information security, particularly in 
the areas of access controls, configuration management, segregation of 
duties, contingency planning, and security management. What steps are 
being taken by the Department to address these deficiencies? Please 
provide the Committee with a timeline for full implementation of these 
measures.

    Response: VA has made progress in addressing its material weakness 
related to information security. This approach is both reactive and 
proactive whereby it is focused on the remediation of existing 
vulnerabilities as well as significantly reducing the risk of future 
vulnerabilities across VA's information system infrastructure. VA's 
material weakness in information security is broken down into five 
primary components. These components, the progress made in each, and 
the estimated timelines for their remediation are shown below:
1. Security Management (Estimated Remediation Timeline: June 2011)
    VA has made significant improvement in the development and 
management of its information security program. However, actual 
progress in eliminating the material weakness will not be known until 
November 2010 when the annual report comes from the IG. At this time, 
notable improvements include the following:

      Centralized Management. Increased accountability and 
standardization throughout the VA enterprise, the management of VA's 
information technology program and corresponding information security 
program were consolidated under the Chief Information Officer and Chief 
Information Security Officer, respectively.
      Remediation of IT Security Weaknesses. In FY 2009 alone, 
the VA closed more than 9,000 POA&Ms information security weaknesses, 
significantly reducing the risks to VA. To more strategically and 
centrally manage the Department's POA&M process, VA established several 
dashboards to visually represent the status of POA&Ms. VA strategically 
tracks and manages POA&Ms through its Security Management and Reporting 
Tool (SMART) database.
      Risk Assessment. VA improved the risk management of its 
information security program by establishing a new manual risk 
assessment process that is aligned with the steps contained in NIST SP 
800-30, Risk Management Guide for Information Technology Systems. The 
descriptions of security controls that exist within major applications 
and general support systems have been enhanced and control enhancements 
are identified for controls viewed to be deficient.
      Incident Response. Through the use of new tools and 
technologies, VA has increased the timeliness and effectiveness of its 
responses to security incidents. Most notable is the use of the Formal 
Event Review and Evaluation Tool (FERET) which is an enterprise-wide 
tool that is used for accurate identification of data breach-related 
events and incidents which provides a quantifiable classification of 
data breach incidents by type and risk. VA uses FERET to prioritize 
data breach incidents (1) so that they can be addressed and corrected 
in a timely fashion and (2) to run trending reports to stay aware of 
and prevent recurring problems.
      Certification and Accreditation. VA has successfully 
certified (tested) and accredited (authorized for operation) more than 
600 information technology (IT) systems. Certification and 
accreditation provides VA executives with a clear picture of the full 
extent of risk across all systems and a clear baseline upon which to 
build its information security program.
      Continuous Monitoring. VA performs continuous monitoring 
of its systems to help ensure that security controls are properly 
implemented. Continuous monitoring, which is part of Certification and 
Accreditation, encompasses a review of a subset of the system's overall 
security controls in order to ensure that POA&M items are appropriately 
addressed. VA also established an Emergency Response Testing (ERT) team 
as part of its continuous monitoring program. The ERT team scans the VA 
network for vulnerabilities to allow VA to proactively test for 
security weaknesses and correct deficiencies where necessary. This 
helps VA to reduce system security risk.
2. Access Controls (Estimated Remediation Timeline: October 2012)
    While much work remains to be done, VA has made progress in 
strengthening the controls over access to its information and IT 
systems. Some of the progress which has been made to date is shown 
below:

      Deployed antivirus and host-based intrusion detection 
capabilities on over 200,000 endpoints with centralized management 
capability
      Implemented solutions for (1) the time-out of remote 
access and (2) the RESCUE initiative which provides a secure remote 
access capability to the VA enterprise
      Achieved over 85 percent compliance with all Trusted 
Internet Connection (TIC) requirements which are designed to reduce the 
number of external connections, including Internet points of presence
      Implemented Rights Management Service for Document and 
Email Security
      Employing mechanisms to ensure VA password complexity 
standards are enforced on all systems across the enterprise
      Continuing to provide laptop encryption for the mobile 
workforce with 30,000 devices encrypted and evolved encryption to 
include research and other non-laptop high-risk devices
      Completing implementation of virtual local area network 
(VLAN) controls to appropriately restrict access to sensitive network 
subnets at VA Medical Centers
3. Segregation of Duties (Estimated Remediation Timeline: March 2011)
    VA is conducting periodic reviews of user accounts to determine 
whether access to VA information systems is not only commensurate with 
each user's job responsibilities but is also properly segregated to not 
allow individuals to compromise the system or its transactions. Since 
segregation of duties is both a security and a business risk, OI&T is 
teaming up with VA business lines to do these reviews. Adjustments to 
system access are being made, as appropriate, after these reviews have 
been completed.
4. Configuration Management (Estimated Remediation Timeline: July 2011)
    VA drafted VA Directive 6004, Change, Configuration, and Release 
Management Programs, to establish Department-wide configuration, 
change, and release management programs in compliance with the Federal 
Information Security Management Act (FISMA) and has developed three 
Standard Operating Procedures/Guidelines that outline the procedures 
for each program. These documents apply to all VA-related components 
and IT resources, including contracted IT systems and services.
    VA also established the Enterprise Security Change Control Board in 
January 2004 in order to ensure that all proposed changes to VA IT 
systems are reviewed, are viable, and will not adversely affect the 
operation of the existing system or subsystem. The Board is composed of 
operations, security, and privacy representatives who review proposed 
system changes for compliance to existing laws, regulations, and VA 
policies.
    To better secure its information systems, VA developed the VA 
Federal Desktop Core Configuration (FDCC) settings for Windows XP and 
Windows Vista. These standards drew from the original Windows XP and 
Vista FDCC settings issued by NIST on July 31, 2007; those settings 
were then adjusted to fit the VA environment.
    In compliance with the FISMA requirement to provide ``policies and 
procedures that ensure compliance with minimally acceptable system 
configuration requirements, as determined by the agency,'' VA also 
developed a set of minimum security configuration standards for Windows 
Server 2003, Apple/OSX, AIX, and Open VMS in order to ensure the other 
common operating systems and applications are securely configured. VA 
uses these standards in conjunction with the VA FDCC settings.
5. Contingency Planning (Estimated Remediation Timeline: September 2011)
    VA developed a continuity of operations plan for the Office of 
Information and Technology to ensure continued IT support in the event 
of a crisis. In addition, VA has begun a concerted effort to not only 
test but document the results of contingency planning testing for its 
over 600 IT systems.

