b'<html>\n<title> - REBOOT: EXAMINING THE U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY STRATEGY FOR THE 21ST CENTURY</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                REBOOT: EXAMINING THE U.S. DEPARTMENT OF\n\n\n                VETERANS AFFAIRS INFORMATION TECHNOLOGY\n\n                     STRATEGY FOR THE 21ST CENTURY\n\n=======================================================================\n\n\n\n                                HEARING\n\n                               before the\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                                 of the\n\n                     COMMITTEE ON VETERANS\' AFFAIRS\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 11, 2011\n\n                               __________\n\n                           Serial No. 112-12\n\n                               __________\n\n       Printed for the use of the Committee on Veterans\' Affairs\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n67-187                    WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                     COMMITTEE ON VETERANS\' AFFAIRS\n\n                     JEFF MILLER, Florida, Chairman\n\nCLIFF STEARNS, Florida               BOB FILNER, California, Ranking\nDOUG LAMBORN, Colorado               CORRINE BROWN, Florida\nGUS M. BILIRAKIS, Florida            SILVESTRE REYES, Texas\nDAVID P. ROE, Tennessee              MICHAEL H. MICHAUD, Maine\nMARLIN A. 
STUTZMAN, Indiana          LINDA T. SANCHEZ, California\nBILL FLORES, Texas                   BRUCE L. BRALEY, Iowa\nBILL JOHNSON, Ohio                   JERRY McNERNEY, California\nJEFF DENHAM, California              JOE DONNELLY, Indiana\nJON RUNYAN, New Jersey               TIMOTHY J. WALZ, Minnesota\nDAN BENISHEK, Michigan               JOHN BARROW, Georgia\nANN MARIE BUERKLE, New York          RUSS CARNAHAN, Missouri\nTIM HUELSKAMP, Kansas\nVacancy\nVacancy\n\n            Helen W. Tolar, Staff Director and Chief Counsel\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                      BILL JOHNSON, Ohio, Chairman\n\nCLIFF STEARNS, Florida               JOE DONNELLY, Indiana, Ranking\nDOUG LAMBORN, Colorado               JERRY McNERNEY, California\nDAVID P. ROE, Tennessee              JOHN BARROW, Georgia\nDAN BENISHEK, Michigan               BOB FILNER, California\nBILL FLORES, Texas\n\nPursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public \nhearing records of the Committee on Veterans\' Affairs are also \npublished in electronic form. The printed hearing record remains the \nofficial version. Because electronic submissions are used to prepare \nboth printed and electronic versions of the hearing record, the process \nof converting between various electronic formats may introduce \nunintentional errors or omissions. Such occurrences are inherent in the \ncurrent publication process and should diminish as the process is \nfurther refined.\n\n\n                            C O N T E N T S\n\n                               __________\n\n                              May 11, 2011\n\n                                                                   Page\nReboot: Examining the U.S. Department of Veterans Affairs \n  Information Technology Strategy for the 21st Century...........     1\n\n                           OPENING STATEMENTS\n\nChairman Bill Johnson............................................     
1\n    Prepared statement of Chairman Johnson.......................    23\nHon. Joe Donnelly, Ranking Democratic Member.....................     3\n    Prepared statement of Congressman Donnelly...................    24\n\n                               WITNESSES\n\nU.S. Department of Veterans Affairs:\n  Hon. Roger W. Baker, Assistant Secretary for Information and \n    Technology, and Chief Information Officer, Office of \n    Information and Technology...................................     4\n    Prepared statement of Mr. Baker..............................    24\n  Belinda J. Finn, Assistant Inspector General for Audits and \n    Evaluations, Office of Inspector General, Office of \n    Information and Technology...................................    14\n    Prepared statement of Ms. Finn...............................    31\n  U.S. Government Accountability Office, Joel C. Willemssen, \n    Managing Director, Information Technology....................    16\n    Prepared statement of Mr. Willemssen.........................    36\n\n                   MATERIAL SUBMITTED FOR THE RECORD\n\nPost-Hearing Questions and Responses for the Record:\n\n    Hon. Bill Johnson, Chairman, Subcommittee on Oversight and \n      Investigations, Committee on Veterans\' Affairs, to Hon. \n      Eric K. Shinsek, Secretary, U.S. Department of Veterans \n      Affairs, letter dated May 16, 2011, and VA responses.......    48\n    Hon. Joe Donnelly, Ranking Democratic Member, Subcommittee on \n      Oversight and Investigations, Committee on Veterans\' \n      Affairs to Hon. Roger W. Baker, Assistant Secretary for \n      Information and Technology and Chief Information Officer, \n      U.S. Department of Veterans Affairs, letter dated May 12, \n      2011, and VA responses.....................................    57\n    Hon. Joe Donnelly, Ranking Democratic Member, Subcommittee on \n      Oversight and Investigations, Committee on Veterans\' \n      Affairs to Belinda J. 
Finn, Assistant Inspector General for \n      Audits and Evaluations, Office of Inspector General, U.S. \n      Department of Veterans Affairs, letter dated May 12, 2011, \n      and response from Hon. George J. Opfer, Inspector General, \n      U.S. Department of Veterans Affairs, letter dated June 13, \n      2011.......................................................    59\n    Hon. Joe Donnelly, Ranking Democratic Member, Subcommittee on \n      Oversight and Investigations, Committee on Veterans\' \n      Affairs to Joel Willemssen, Managing Director, Information \n      Technology, U.S. Government Accountability Office, letter \n      dated May 12, 2011, and response letter dated June 22, 2011    61\n\n\n                 REBOOT: EXAMINING THE U.S. DEPARTMENT\n\n\n                    OF VETERANS AFFAIRS INFORMATION\n\n\n                TECHNOLOGY STRATEGY FOR THE 21ST CENTURY\n\n                              ----------                              \n\n\n                        WEDNESDAY, May 11, 2011\n\n             U.S. House of Representatives,\n                    Committee on Veterans\' Affairs,\n              Subcommittee on Oversight and Investigations,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 10:00 a.m., in \nRoom 334, Cannon House Office Building, Hon. Bill Johnson \n[Chairman of the Subcommittee] presiding.\n    Present: Representatives Johnson, Roe, Donnelly, and \nBarrow.\n\n             OPENING STATEMENT OF CHAIRMAN JOHNSON\n\n    Mr. Johnson. Good morning. This hearing will come to order.\n    I want to welcome everyone to today\'s hearing entitled, \n``Reboot: Examining VA\'s IT Strategy for the 21st Century.\'\'\n    With an information and technology (IT) budget exceeding $3 \nbillion annually, it is reasonable for the American taxpayer to \nexpect the Office of Information and Technology (OI&T) at the \nU.S. 
Department of Veterans Affairs (VA) to effectively utilize \navailable technology and provide the highest quality support in \nthe Department\'s delivery of health care and benefits to our \nNation\'s veterans.\n    As we will hear from the witnesses on both panels today, \nbillions of dollars have been spent on IT at the VA. However, \nveterans, the taxpayers, and Members of this Committee are left \nto wonder what has resulted from these expenditures.\n    Have improvements been made? Certainly they have. Are the \nimprovements and advancements in VA IT over the last 10 years \non par with the amount of time and taxpayer dollars put into \nthe effort? Certainly not.\n    The witnesses on today\'s second panel will help illuminate \nthe magnitude of the money spent on IT over time. To name just \na few, $127 million over 9 years on an outpatient scheduling \nsystem with none of the planned improvements in place; \nsuspension of the Strategic Asset Management or SAM Program \nafter failing to meet yet another milestone; and $70 million in \nan overrun on a WiFi installation contract.\n    I also remain concerned that, as with past contracts and \nefforts, VA is not thoroughly vetting cost and risk analysis \nbefore undertaking new large IT projects.\n    While VA continues to push forward on cloud computing, its \nown administration has not fully established the Federal \nguidelines for information security in cloud computing.\n    In a health care environment such as VA\'s, I know that I \nwould not want my personally identifiable information floating \naround in the cloud especially given a track record of data \nbreaches that is less than stellar.\n    We once again notice a history of poor acquisition and \ncontract management at VA, a theme this Subcommittee is \nfamiliar with. 
Given the frequency of problems in IT contracts, \nwe know there must be a significant degree of inexperience \namong the contracting staff, but we are also left to wonder \nwhether supervisors at OI&T either do not know or do not care \nabout these shortcomings.\n    When IT needs are not clearly defined at the beginning of \nthe process, it leads to cost increases and time delays down \nthe road. With an IT staff of over 7,000, I find it difficult \nto believe that knowledgeable IT professionals are not helping \nto create a well-defined request for proposal, a key element of \na viable contract.\n    When these contracts constantly have to be modified, it \nresults in greater cost to the taxpayer and a delay of improved \nservices to our veterans.\n    A crucial area for VA IT to meet expectations is the \nestablishment of the joint electronic health record or EHR with \nthe U.S. Department of Defense (DoD). Yet, another overdue item \nfor our active-duty servicemembers and our veterans, the EHR \nhas been pursued separately by the two departments. The result \nis billions of dollars spent, much of it duplicative, and no \njoint EHR.\n    While I commend the secretaries of both departments for \nfinally committing this spring to cooperatively pursue this \nendeavor, I have lingering concerns that mistakes made in \nprevious IT contracts could be repeated.\n    For example, after releasing a final Request for Proposal \n(RFP) on an open-source custodial agent at the end of last \nmonth, VA is only allowing a 3-week turnaround for proposals to \nbe submitted at the end of this week.\n    It is not rocket science. The capabilities to do what needs \nto be done already exist. 
Hundreds of millions of dollars could \nhave been saved in previous years by simply having a robust IT \narchitecture and strategy in place.\n    When needs are clearly defined, protect veterans\' \ninformation, establish an electronic health record in \nconjunction with DoD, and implement stringent oversight of \nthese and all undertakings in the Office of Information and \nTechnology, everybody benefits, the taxpayer and the veterans.\n    I fully understand the challenges of managing information \ntechnology in a large organization because I have done so. What \nI do not understand is why it has taken so long to get only so \nfar at VA.\n    The American people are watching and expect VA to take care \nof our veterans as promised.\n    Again, I appreciate everyone\'s attendance at today\'s \nhearing and I now yield to the Ranking Member for his opening \nstatement.\n    Mr. Donnelly.\n    [The prepared statement of Chairman Johnson appears on p. \n23]\n\n             OPENING STATEMENT OF HON. JOE DONNELLY\n\n    Mr. Donnelly. Thank you, Mr. Chairman.\n    Secretary Shinseki has often stated the need to transform \nthe VA to meet the changing needs of our warriors. A perfect \nexample of this was when the VA found themselves having to \nprocess education claims manually due to the Legacy System \nbeing unable to process these claims after the passage of the \nrecent historic GI Bill legislation.\n    For this reason, I find it important and critical that the \nVA maintains an updated IT system that proves to be reliable \nand can be manipulated as new software is incorporated through \nthe years ahead.\n    The VA has decided that using an open-source model will \nprovide a better outcome with lower risks and lower cost. Their \ncooperation with the DoD on using open source is encouraging, \nin part because this cooperation is essential. 
There is a \ncritical need to develop an interoperable electronic health \nrecord system and because DoD has relied on open source in the \npast.\n    Although there are multiple concerns on both sides of the \naisle, the VA has reassured us that open source provides \nseveral benefits. But along with those benefits, making sure \nthat veterans\' personal information remains secure is critical.\n    I also understand that contract management and weaknesses \nhave overshadowed VA\'s efforts to keep up with the VA\'s IT \ninfrastructure. Cost overruns, contract weaknesses, and unmet \nproject time frames are just a few examples of the implications \nthat can occur if there are no firm requirements in contracts. \nSuch was the case with the WiFi awarded contract to Catapult \nLimited.\n    We must additionally find a way to reduce our reliance on \ncontracting out tasks that do not allow the Department to \ndevelop internal expertise.\n    What I am concerned about is making sure that, first, the \nVA IT has an interoperable model in place; second, best \npractices should be in place from the private and public \nsector; and, third, that new IT strategies have the best value \nfor our veterans.\n    Additionally, we must ensure we have a clear strategic plan \nthat will be for the entire course. We have too often canceled \na program or contract after many millions of hard-earned \ntaxpayer dollars have been spent.\n    Finally, I encourage the VA to keep us updated on your \nefforts as we work jointly to give our veterans the 21st \nCentury relevant IT system that they deserve.\n    Thank you, Mr. Chairman. I yield back.\n    [The prepared statement of Congressman Donnelly appears on \np. 24.]\n    Mr. Johnson. I thank the gentleman for yielding back.\n    And I welcome the first panel to the witness table. On this \npanel today, we will hear testimony from the Honorable Roger W. 
\nBaker, Assistant Secretary for Information and Technology and \nChief Information Officer (CIO) at the Department of Veterans \nAffairs.\n    Assistant Secretary Baker is accompanied by Peter L. Levin, \nPh.D., Senior Advisor to the Secretary and Chief Technology \nOfficer (CTO) at the Department of Veterans Affairs.\n    Assistant Secretary Baker, your complete written statement \nwill be made a part of this hearing record and you are \nrecognized now for 5 minutes.\n\n   STATEMENT OF HON. ROGER W. BAKER, ASSISTANT SECRETARY FOR \nINFORMATION AND TECHNOLOGY, AND CHIEF INFORMATION OFFICER, U.S. \nDEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY PETER L. LEVIN, \n PH.D., SENIOR ADVISOR TO THE SECRETARY, AND CHIEF TECHNOLOGY \n          OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS\n\n    Mr. Baker. Thank you, Mr. Chairman and Ranking Member \nDonnelly, for inviting me to testify in front of this Committee \nto discuss the Department of Veterans Affairs\' information \ntechnology strategy for the 21st Century.\n    I appreciate the opportunity to testify on our plans, \nactions, and accomplishments on making VA\'s IT organization a \n21st Century leader in the Federal Government.\n    As you said, Mr. Chairman, I am pleased to be accompanied \ntoday by Dr. Peter Levin, the CTO for the Department of \nVeterans Affairs.\n    I will be brief in my oral remarks. My written testimony \nprovides details on the transformation we have been working to \nachieve in VA IT. And I believe the next panel will accurately \ndepict a few of the many challenges that we faced when I was \nconfirmed nearly 2 years ago.\n    Since that time, we have made substantial progress in the \nareas of customer service and customer satisfaction, product \ndevelopment, information security and privacy, financial \ntracking, and operational metrics.\n    Most importantly, we know that we have made progress due to \nthe metrics that we now track and report in each of those \nareas. 
We have begun to operate VA\'s IT organization like a \nprivate-sector IT organization.\n    But we also clearly have a long way to go in achieving our \ngoal of being the best IT organization in government and \ncomparable with large scale private-sector IT shops.\n    While our metrics support our transformation, they also \nexpose areas where much more work is required. So let me just \ntouch on a few.\n    We must implement a technical reference manual or a TRM for \nour architecture and the processes to govern the specifics of \nwhat hardware and software is allowed to run in our expansive \nIT infrastructure.\n    Today we have over 64,000 different software packages that \nrun on our desktop computers. Our visibility of the desktop \ninitiative has allowed us to see exactly what runs on each of \nour desktop computers.\n    And I doubt that products such as Pinball Wizard have a \nmedical use.\n    We must reduce the number of servers we support. From my \nprivate-sector experience, virtualization and elimination of \nphysical server count can produce substantial operational \nsavings.\n    And we must better define and rationalize our architecture \nat all levels, including our network, our data centers, our \nservers, our applications, our desktops, our help desk \narchitecture, our product and use of support architecture, and \nat higher levels our medical business architecture, our \nbenefits business architecture, and our corporate business \narchitectures.\n    And we must ring efficiencies out of our application \nsupport area by pursuing shutdown of redundant or unused \nsystems.\n    Finally, Mr. 
Chairman, we must find better ways to \ncommunicate with and motivate our IT employees because it is \nonly through skilled and motivated employees that VA IT will \nachieve our goal as we seek to build an IT organization that \ncan be compared with the best private-sector companies.\n    In closing, I would like to thank each of you again for \nyour continued support of our Nation\'s veterans, of the \nDepartment of Veterans Affairs, and of VA IT. And thank you for \nthe opportunity to testify before the Subcommittee on the \nimportant work we are undertaking to improve the results of \nVA\'s IT investments.\n    I look forward to your questions.\n    [The prepared statement of Mr. Baker appears on p. 24]\n    Mr. Johnson. Thank you, Assistant Secretary Baker.\n    We will now begin questioning and I will start off.\n    Does VA have an IT architecture that defines the blueprint \nfor each of the 16 initiatives that is linked to business \noutcomes?\n    Mr. Baker. Thank you, Mr. Chairman.\n    I do not believe I would tell you today we have a fully \ndocumented detailed architecture in that relative to any part \nof our organization. We have in the past had what I would call \na shelf-ware architecture in the organization, meeting \nrequirements, but not really guiding where we were going.\n    We have recently put one of our brightest folks in charge \nof the architecture area to renovate that, Dr. Paul Tibbits. I \nwould say fortunately one of the first challenges Dr. Tibbits \nhad was to be a key player in achieving the joint common \nelectronic health record system with the Department of Defense.\n    Mr. Johnson. Let\'s go into that a little bit. Did I \nunderstand you to say correctly, and correct me if I am wrong, \nthat you really do not have a complete architecture of VA\'s IT \nenvironment?\n    Mr. Baker. That is absolutely correct.\n    Mr. Johnson. That is correct. 
Is it your opinion that an \narchitecture that describes the VA business systems environment \nwould be a first and critical component of developing an IT \nstrategy?\n    Mr. Baker. No. Actually, Congressman, I would not. And it \ngoes back kind to the analogy of the alligators in the swamp. \nThere are a lot of alligators in the VA IT infrastructure.\n    As you know, we were consolidated as an IT organization \nabout 3 years ago. And a lot of the issues that we faced have \nbeen along the lines of just getting the basic changing \nanalogies, blocking and tackling right inside the IT \norganization.\n    Mr. Johnson. I can relate to that. I have done that in the \ncommercial world. But I also know that if you do not know where \nyou are going, any road will get you there.\n    How many systems do you have in VA in IT? How many systems \ndo you guys support?\n    Mr. Baker. Speaking from an application system perspective, \nthe best estimate I would give you is in the 400 to 500 range. \nI know that we support approximately 300 of those in our Austin \nInformation Technology Center or the Corporate Data Center \nOffice. Most of our systems are going to be supported there and \nthen other systems throughout the organization. So I think 500 \nis a reasonable estimate.\n    Mr. Johnson. Do you have a lead integrator that is linking \nthe 16 initiatives and the associated projects to ensure \nconsistency, standardization, and that these systems are going \nto talk to one another?\n    Mr. Baker. We do not have a contractor from that \nperspective, no.\n    Mr. Johnson. Who is handling the integration effort?\n    Mr. Baker. We have a member of our architecture team \nembedded with each of the major initiatives and we have the \nmajor initiative lead from an IT perspective working together \nto ensure that we are doing things that work together from the \nmajor initiative perspective.\n    Mr. Johnson. 
Do you have a timeline for developing an IT \narchitecture?\n    Mr. Baker. I could not give you one off the top of my head \ntoday, Congressman. I know Dr. Tibbits is working that right \nnow. And to be clear, there are many facets of the IT \narchitecture.\n    As I mentioned in my oral testimony, the first thing we are \nworking on right now is the technical reference manual, \nsomething that then governs exactly what is allowed to run in \nour infrastructure as, if you will, a baseline from there. We \nare working on architectures in the areas of networks.\n    So, for example, we know where all of our circuits are. We \nknow what our basic architecture at the network level is. But \nlooking forward, we need a forward-looking network architecture \nand not a backward-looking circuitry of an architecture.\n    Mr. Johnson. You and I certainly agree on that regard. I am \nencouraged when you talk about virtualization because I have \nundertaken massive virtualization programs in the commercial \nworld. And I can tell you that it brings tremendous benefits \nand cost savings.\n    How many data centers does the VA have?\n    Mr. Baker. I believe that the report that we have given OMB \nsays, I think it is 62 at this point.\n    Mr. Johnson. What is your life cycle replacement process \nfor replacing the servers? How many servers do you have in \nthose data centers?\n    Mr. Baker. Right now the best number I have to give you and \nwe are trying to define between virtualized instances and \nphysical instances----\n    Mr. Johnson. Physical servers.\n    Mr. Baker. My problem is today I know the number 37,000. \nSome of those are virtual on top, you know, multiple virtual on \ntop of a single physical.\n    Mr. Johnson. Well, we are going to come back to this \nprobably in a second round of questioning. I have some others. \nBut I am going to defer to my colleague, Mr. Donnelly, now to \nask his questions, but we will come back.\n    Mr. Baker. Thank you, Mr. 
Chairman.\n    Mr. Donnelly. Thank you, Mr. Chairman.\n    In looking at the Catapult contract, when you say that the \nacquisition team established a very aggressive timeline for the \nacquisition process and 236 sites, 45 are done, the cost \noverruns are staggering.\n    What was the decision framework used? I mean, how was that \ndone that you wound up in a contract where it was not fully \ndelineated, all the details were not there, all the information \nto get this done? How do you jump off when it appears that not \nevery T was crossed?\n    Mr. Baker. Thank you, Mr. Congressman.\n    That contract was awarded well before my time.\n    Mr. Donnelly. Well, I understand.\n    Mr. Baker. But as I looked at that contract, there are some \nmitigating parts of that. One of the things that is clear is \nthat we, the government, underestimated the amount of concrete \nand metal in our hospitals.\n    Our goal in that WiFi contract was to prepare the way for \nadvanced medical equipment that could be completely untethered \nfrom the wall and so we looked to provide 100 percent coverage \nand strong coverage for a WiFi signal inside of our hospitals.\n    It is fairly, I have to say, well-known physics that thick \nconcrete and metal structures will block the signal and require \nmore points of presence to accomplish that level of coverage.\n    My understanding is that that was the major cause of \nescalation in that contract was the underestimate of the number \nof points of presence that would be required in each facility.\n    From that perspective, that is a reasonable reason for the \ncontractor to increase the costs. We are asking them to do more \nwork. So we have done a better job of understanding from site \nsurveys and other studies that that was factually true. I \nbelieve so. And that would lead to a more accurate contract \naward at the time of award to the vendor.\n    Mr. Donnelly. 
The contract itself had an engineering change \nrequest that permitted pricing modification.\n    I mean, is there a point where you say this is what we are \ngoing to give you and those are the funds you get and we expect \nyou to do the job for those funds?\n    Mr. Baker. Yes. The problem there is that the contractor\'s \nappropriate response then is, yes, and I will deliver exactly \nwhat I contracted for for those dollars.\n    And so if you go into a facility and what we ask them to do \nwill give us 70 percent wireless coverage, it really does not \nmake sense to even wire the facility because then I could not \nuse those WiFi devices.\n    If a nurse is going to do bar code medication \nadministration with a WiFi device, but 30 percent----\n    Mr. Donnelly. Well, let me ask you this. As we sit here \ntoday, we have 45 sites done, I think, out of 236?\n    Mr. Baker. The number I had in my head was about a third of \nour major hospitals were done.\n    Mr. Donnelly. Okay. Are we even capable of giving specs for \na contract on this at this point? Do we know what a hundred \npercent coverage would entail and could you get a fixed price \nfor something like that right now?\n    Mr. Baker. I believe so. We have stopped the previous \ncontract per the report and other advice provided. And we are \nmoving forward with the award of a new contract based on site \nsurveys done independently of the new contractor. We are going \nto take the lessons learned from the previous contract and move \nforward with a new contract. Specifically to your question, we \nought to be able to get a firm fixed price that we do not have \nto issue change orders against from the vendor to accomplish \nwhat we want to accomplish.\n    Mr. Donnelly. What kind of time frame are you looking at?\n    Mr. Baker. 
Congressman, I do not have that off the top of \nmy head, but I believe we could give you the detailed \nacquisition schedule in a response after the hearing.\n    [The VA subsequently provided the following information:]\n\n         Target award date for the new Wi-Fi installation contract is \n        First Quarter FY 2012, and projected timeline to complete award \n        to all remaining VAMC sites is 12-18 months from award.\n\n    Mr. Donnelly. And one other question. Has the VA done an \nanalysis yet on long-term savings by using open source for the \njoint electronic health record?\n    Mr. Baker. Thank you, Congressman.\n    Yes, we have. And it goes down this path. We run one of the \nbest electronic health record systems in the country right now, \nbut we have proven that the normal methods available to the \ngovernment to improve that system are not going to keep it up \nwith the rate of improvement in the private sector.\n    We know from other folks\' experience that in a number of \nyears, and I peg it at 5 to 10 years, if we do not \nsubstantially improve VistA, my successor will be back here \nasking for somewhere around $16 billion to replace VistA in the \nhospitals. We must run a good electronic health record system \nin the hospitals. The benefits from a health care standpoint \nfor veterans are outstanding and well proven.\n    Our move to open source is an attempt to use private-sector \nmethods to bring the private sector much more into how we \nimprove VistA and forestall or completely avoid having to pay a \nmassive bill to replace VistA. If we can improve VistA and the \ncosts for that incrementally are minimal, then we can avoid a \nhuge out-year expense to replace it.\n    Mr. Donnelly. Thank you very much.\n    Thank you, Mr. Chairman.\n    Mr. Johnson. Thank you, Mr. Donnelly.\n    Mr. Roe.\n    Mr. Roe. Thank you, Mr. Chairman. 
Just a couple of \nquestions.\n    One, how big is this system when you look at DoD and how \nmany people are we covering and just how enormous is this \nsystem?\n    Mr. Baker. My understanding of the metrics is that between \nthe two organizations, we have about 15 million annual patients \ncovered by the two electronic health record systems. Probably \nbetween 15 and 20 million electronic health records inside the \ntwo systems.\n    I believe each system individually is among the largest \nhealth care organizations in the country. Both organizations \nwere out in front in adopting electronic health record systems. \nSo singly we are huge. Jointly we are massive.\n    Mr. Roe. Well, the next question is, where are we timeline-\nwise? I have talked about this before, on getting this done \nbecause I think it is absolutely essential that you do not have \ntwo parallel massive systems that cannot talk to each other and \nit is obvious they are not going to be able to talk to each \nother? So where are we in that timeline?\n    Mr. Baker. Congressman, Secretaries Shinseki and Gates \nabsolutely agree with you. They have put us on a path to \nachieve a single common electronic health record system. I \ncannot get out in front of their communication relative to \ntheir May 2nd meeting. I can tell you, though, that our \norganizations have been working together for about 6 months.\n    The most important thing the two secretaries did was to \nagree that no is not an answer. The answer is yes and our \norganizations should figure out how to make that happen. That \nhas come together very nicely.\n    I really have to not go any further than that in order to \nnot get out in front of the secretaries, but we are very----\n    Mr. Roe. Let\'s get down a little bit more. When we had the \nchangeover, when Secretary Panetta will be there, I do not know \nwhether he has been brought up to speed or not. 
My concern is, \nhe is going to be drinking from a fire hose when he first gets \nthere. I mean, he really is.\n    And where is this priority? I do not want to sit here 2 \nyears from now and we are having the same conversation because \nwe get lost. I mean, he is going to be looking at three wars, I \nguess, now and all the other things that he is going to be \ndoing in his new shop. And it is the infrastructure just below \nhim to keep this ball rolling down the road.\n    Mr. Baker. I believe I could safely say that that concern \nexactly 6 months ago from Secretary Shinseki\'s perspective is \nwhat kind of lit this discussion off.\n    I believe our objective and what we will accomplish is to \nhave this nailed down before Secretary Gates leaves. We expect \nthat Secretary Panetta will also be interested in it. But I \nknow from the experiences Dr. Levin and I have had with working \nwith the DoD that this has moved well beyond Secretary Gates \ninto their organization at this point.\n    Mr. Roe. Good. I think that is essential because I think \nonce you get the momentum, it will happen.\n    Do you have any time frame that you can think of that this \ncould--I mean, is it a year, 2 years?\n    Mr. Baker. Congressman, I just have to not get out in front \nof the secretaries on that one. I apologize. We are moving as \nquickly as we can and very hard. I expect a communique from \nthem here in the next week or so that we will be able to give \nyou more information.\n    Mr. Roe. Okay. And I guess the other thing I would like to \nknow since we had the sort of loss of data, is this data stored \nin secure servers off site? How is the data backed up, because \nI know when we put our ERM in, that was a huge issue about \nwhere the data is stored and if you have a crash, can you \noperate your system? In other words, if it is down, what do you \ndo?\n    Mr. Baker. Let me start with the metrics. We have a very \ngood track record on availability of VistA systems. 
It is about \n99.95 percent availability nationwide.\n    To the data question, the VistA systems today run in VA \ndata centers. In half of the country, we have achieved \nconsolidation of those systems into regional data centers. We \nwill have 11 or 12 hospitals supported from a single data \ncenter. All the data is stored there and backed up there and \nretained there. The local facility has a read-only version of \nthat data in case there is an outage to back up.\n    In the other half of our systems, the VistA systems \nhospitals, the VistA systems still run in the hospital and they \nback up locally there at their facilities.\n    Mr. Roe. Well, my time is up, but does DoD do the same \nthing?\n    Mr. Baker. I am not familiar enough with DoD\'s setup to \nreally answer that question right now.\n    Mr. Roe. Okay. I yield back.\n    Mr. Johnson. Thank you, Dr. Roe.\n    I want to go back to something that came out of Mr. \nDonnelly\'s questioning and correct me if I am wrong. He asked \nyou if you have a cost analysis, cost-benefit analysis for your \nopen-source decision.\n    And I understood you to say that you do; is that correct?\n    Mr. Baker. At this point, we do, Congressman, yes.\n    Mr. Johnson. Well, I am curious because in previous \nconversations that we have had with you, Mr. Secretary, you \nsaid you did not have that.\n    Mr. Baker. At that point in time, we did not. Based on----\n    Mr. Johnson. But, yet, you have already talked to the \nindustry about your decision to move to open source.\n    Did you have that cost analysis before you made that \ndecision? I mean, what good does a cost analysis, cost-benefit \nanalysis do if you are going to make the decision before you \nget it?\n    Mr. Baker. Well, as I discussed, I cannot remember if you \nand I had this discussion or if it has been with your staff, \nthe cost-benefit analysis on open source is pretty \nstraightforward.\n    Mr. Johnson. Can you provide that to us?\n    Mr. Baker. 
Yes.\n    Mr. Johnson. All right. We can get it this week?\n    Mr. Baker. Yes. We can provide it to you this afternoon.\n    Mr. Johnson. Okay. We would like to see that.\n    [The information provided to the Subcommittee staff was \ninadequate.]\n    Mr. Johnson. Let me go back to the data centers question \nagain. You said you have 62 data centers, approximately 37,000 \nservers, correct?\n    Mr. Baker. Yes.\n    Mr. Johnson. I hate to drill down into some technology \nstuff, but I have a method to my madness here. That equates to \n596 physical servers per data center on the average. Does that \nsound right to you?\n    Mr. Baker. I think to go back to the answer, the issue with \nthe 37,000 number that I just discovered this morning as I was \nasking my staff is we think that some amount of that is \nactually counting virtual instances, multiple virtual instances \nthat run on a single physical server.\n    Mr. Johnson. Yeah. So do you know how many physical servers \nyou have in your network?\n    Mr. Baker. Today I do not have that answer. Yesterday when \nI prepared my testimony, I thought I had that answer for you.\n    [The VA subsequently provided the following information:]\n\n         As noted at the hearing, VA has around 37,000 virtual servers. \n        The number of physical servers is 12,235.\n\n    Mr. Johnson. See, an architecture would tell you that. And \nthe first step in managing an environment as complex as yours \nis, as costly as the VA\'s is, that would be a very, very first \nstep because with virtualization, as you said, some \norganizations are seeing anywhere from 50 to 70 percent \nreductions in physical servers.\n    What is your life-cycle replacement strategy for servers?\n    Mr. Baker. It depends on the server type. In general, we \nwould like to replace them in the 4 to 6 year time frame. We \nhave some, for example, the database servers on the VistA \nsystems, that are well beyond that service period.\n    Mr. Johnson. 
How much on the average does a physical server \ncost, the type that you guys use? And you may use multiple \ntypes of servers, but as a general rule, do you have any idea?\n    Mr. Baker. The best number I have for you there, sir, is \nabout $10,000 each.\n    Mr. Johnson. Okay. All right. Let me go back. Do you have \nany metrics to measure your progress along these 16 \ninitiatives? Do you have any metrics that will tell you whether \nor not you are achieving the goals? I mean----\n    Mr. Baker. Yes.\n    Mr. Johnson. You do?\n    Mr. Baker. Each and every one of the 16 major initiatives \nhas an operating plan agreed to with the Deputy Secretary. The \nDeputy Secretary manages each of those initiatives on a monthly \nbasis to their operating plan. So we look at are they achieving \nthe milestones and results at the initiative level.\n    Underpinning that then are specific IT projects that are \nmanaged to the milestones for those IT projects and whether \nthey are making those inside of the Program Management \nAccountability System (PMAS).\n    Mr. Johnson. How many different functional areas does your \nIT department support within VA? I mean, you have financial \napplications, I am sure. You have various health applications. \nWhat different functional areas?\n    In a manufacturing company, you would have operations, you \nwould have finance, you would have purchasing, you would have \nall of those different things. What are the different \nfunctional areas that your department supports?\n    Mr. Baker. So from an IT perspective, we look at our \ncustomers inside the organization in three areas. 
There is the \nhealth portfolio, there is the benefits portfolio, and there is \nthe corporate portfolio systems.\n    So in corporate would be human resources and finance, the \ncontract management system, those sort of things.\n    In the benefits portfolio would be each of the systems \nnecessary to support the various pieces of the business of the \nVeterans Benefits Administration, so education, compensation \nand pension, loan guarantee, and also national cemeteries with \ntheir electronification.\n    And then in the health portfolio, the main items are the \nautomation systems in the hospitals, but there is also a \nfinancial portfolio inside of health for their business office. \nI think that is probably a fairly reasonable view of the \noverall portfolio.\n    Mr. Johnson. And theoretically all of those systems pass \ninformation back and forth one to another, right?\n    Mr. Baker. We sure wish they did a lot more of it, sir, \nyes.\n    Mr. Johnson. Back to my concern about architecture. Is open \nsource on the multi-year program?\n    Mr. Baker. Yes.\n    Mr. Johnson. Okay.\n    Mr. Baker. As I understand the question.\n    Mr. Johnson. Okay. Well, you know, I am going to sort of \nsummarize with this.\n    Mr. Donnelly, do you have any other questions?\n    Mr. Donnelly. No more questions.\n    Mr. Johnson. You know, I have heard your testimony this \nmorning, no architecture, no timeline for an architecture. When \nasked by Dr. Roe if you have a timeline for EHR integration \nwith DoD, there is no timeline for that.\n    I am just really confused and concerned about how the \ntaxpayers\' resources are being used and the level of support \nthat we are providing to our veterans.\n    You have some 7,000 people in the IT department within the \nVeterans Administration. 
I am trying to equate that to my \nexperience.\n    I know in 1992, the United States Air Force\'s Software \nDevelopment Center had roughly 2,000 people to develop all of \nthe software, maintain that software for the entire portfolio \nfor the air force, everything from food service to dropping \nbombs.\n    I just find it hard to believe that with an architecture \nand an understanding of how these systems should be integrated \ntogether that we could not find cost savings, resource \nefficiencies. And I know you are nodding in agreement and some \nof your testimony indicates that you want to get there.\n    Why is it taking so long? How long have you been there?\n    Mr. Baker. Next week will be 2 years.\n    Mr. Johnson. Why is it taking so long because you are not \nthe first that this committee has had these types of \ndiscussions with? This seems to be an ongoing thing.\n    I told someone the other day I feel a little bit like a \ngreyhound at a dog track. We come out and then we chase these \nrabbits around from one session of Congress to the next. We put \nthe rabbit up and then the next session, we bring the rabbit \nout. We chase him around again and we get many of the same \nanswers over and over and over again.\n    I think the American people, I think America\'s veterans \ndeserve better than that.\n    Why is it taking so long to get our arms around \narchitecture, around common-sense business practices, around \nproject management, concepts like virtualization that has been \naround for years now? Why is it taking so long, Mr. Secretary?\n    Mr. Baker. Congressman, in a much longer discussion, I \nwould love to have that discussion, but----\n    Mr. Johnson. We have plenty of time. I mean, we have the \nhearing room until noon to hear what your comments are.\n    Mr. Baker. Let me answer it this way. I do not believe that \nI have established a reputation for sitting around. 
We \nintroduced PMAS, the Program Management Accountability System, \nwithin 1 month of me----\n    Mr. Johnson. Mr. Secretary, I asked you very specific \nquestions around architecture, around common-sense project \nmanagement, business practices, things like cost-benefit \nanalyses coming out after the fact.\n    Why is it taking so long to get common-sense IT strategic \nplanning processes in place within the Veterans Administration?\n    Mr. Baker. The simple answer, Congressman, is that the \ngovernment clearly does not operate like a private-sector \norganization. None of the disciplines that I think are \nnecessary for an IT organization existed inside of VA IT. The \nway it had been run before I arrived was not in a way a \nprivate-sector organization would be organized or run.\n    We have implemented strong financial disciplines. I pulled \n$700 million out of VA IT and saved that money to spend it in \nbetter places because, frankly, when I arrived, that money was \nbeing wasted.\n    We have a good track record of focusing on it. I understand \nyour focus on architecture. I would like to get there. But the \nproblems we faced when we came in that you are about to hear \nabout from the next panel, failing $127 million programs like \nreplacement scheduling, had to be dealt with, had to be dealt \nwith soon so we did not continue to waste the taxpayers\' \ndollars.\n    Mr. Johnson. Well, you have got----\n    Mr. Baker. I agree with you on architecture, sir. I do not \ndisagree with you. I think our only difference is in the \nperspective on what things are going to bite us hard first.\n    As we both know, a VistA system down in a hospital is \ncritical and I had to make certain that that would not occur. 
I \nhad to make certain that information loss was stemmed, that we \nwould not have issues in those areas.\n    I had to stop our failing IT programs that were wasting \nhundreds of millions of dollars of taxpayers\' money.\n    I agree with you on architecture. I would love to get \nthere. I believe it is a matter of prioritization and just the \nway that I look at an IT organization.\n    Mr. Johnson. I commend the fact that you recognize that \nsome of these problems exist. I mean, that part is encouraging.\n    I will leave you with this. I remain concerned that we do \nnot have an overall 30,000-foot view of the VA\'s IT \nenvironment, how these systems interconnect, which system is \nrequired to talk to another system, and how we are utilizing \nthe millions of dollars that are being spent on IT within VA, \nand what we are doing with those 7,000 people.\n    I think the American taxpayer is asking for answers around \nthat. You well know, you hear it every day America is broke. We \nhave to find a way to do things better, to do things more cost \neffectively.\n    And, you know, from my perspective, and I hear you say that \nyou recognize some of those, IT is one of the most costly \naspects of any organization\'s cost basis today, in today\'s \nenvironment. There is no question about that. It is also the \nplace where the most savings can be recognized with sound, \ncommon-sense best practices, those kinds of things.\n    And so I thank you for your testimony today. I am going to \nencourage you to stay around----\n    Mr. Baker. We will be here.\n    Mr. Johnson [continuing]. And listen to the next panel. And \nwith that, you are excused. Thank you very much.\n    Mr. Baker. Thank you.\n    Mr. Johnson. Well, I invite the second panel to the witness \ntable. On this panel today, we will be hearing testimony from \nBelinda J. Finn, Assistant Inspector General for Audits and \nEvaluations at the VA Office of Inspector General (OIG).\n    Ms. 
Finn is accompanied by Ms. Maureen T. Regan, Counselor \nto the Inspector General at the VA Office of Inspector General.\n    We will also receive testimony in this panel from Joel \nWillemssen.\n    Am I pronouncing that right?\n    Mr. Willemssen. Yes, sir.\n    Mr. Johnson. Okay. Managing Director for Information \nTechnology at the U.S. Government Accountability Office.\n    Ladies and gentlemen, your complete written testimony will \nbe made part of the hearing record. We will begin with Ms. \nFinn.\n    You are now recognized for 5 minutes.\n\n STATEMENT OF BELINDA J. FINN, ASSISTANT INSPECTOR GENERAL FOR \n   AUDITS AND EVALUATIONS, OFFICE OF INSPECTOR GENERAL, U.S. \n   DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MAUREEN T. \nREGAN, COUNSELOR TO THE INSPECTOR GENERAL, OFFICE OF INSPECTOR \n   GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND JOEL C. \n  WILLEMSSEN, MANAGING DIRECTOR, INFORMATION TECHNOLOGY, U.S. \n                GOVERNMENT ACCOUNTABILITY OFFICE\n\n                  STATEMENT OF BELINDA J. FINN\n\n    Ms. Finn. Thank you, sir.\n    Mr. Chairman and Members of the Committee, thank you for \nthe opportunity to discuss the OIG\'s findings regarding VA\'s \nmanagement of its information technology projects.\n    Ms. 
Maureen Regan, Counselor to the OIG, is also here \ntoday.\n    Our testimony summarizes our recent work highlighting \nissues regarding VA\'s IT governance and system developments.\n    During our audit of VA\'s IT capital investment management, \nwe examined VA\'s realignment of its IT program from a \ndecentralized to a centralized management structure.\n    We reported that the ad hoc manner in which the Office of \nInformation and Technology or OI&T managed the realignment had \nresulted in an environment with inconsistent management \ncontrols and inadequate oversight.\n    Further, in September 2009, we reported that VA needed to \nmanage its major IT development projects in a more disciplined \nand consistent manner.\n    In general, VA\'s processes were adequate. However, OI&T had \nnot communicated them, complied with them, or enforced the \nsoftware development requirements.\n    Our audit work on several IT development projects has \nidentified problems with inadequate project and contract \nmanagement, staffing shortages, and lack of guidance. These \nrecurring themes have repeatedly hindered VA\'s IT development \nsuccess.\n    Our reports on the Financial and Logistics Integrated \nTechnology Enterprise Program, better known as FLITE, concluded \nthat program managers were repeating problems from the failed \nCoreFLS Project. Specifically the FLITE Program managers did \nnot have requirements, plans, and controls to ensure the \nachievement of cost, schedule, and performance goals, have \nsufficient staff or clear roles and responsibilities, and \neffectively identify and manage the risk associated with the \nStrategic Asset Management Pilot Project.\n    OI&T has since suspended the Pilot Project for not meeting \nuser acceptance requirements.\n    Our report on the Post-9/11 GI Bill long-term solution \nconcluded that OI&T met schedule deadlines while sacrificing \ncost and performance objectives. 
Lacking the management, \ndiscipline, and processes for effective project development, \nfuture long-term solution releases to meet mandates of the \nrevised GI Bill could meet the schedule, but at the expense of \ncost and performance goals.\n    Our report on the Veterans Services Network Project, \nVETSNET, concluded that, given the competing priorities, VA\'s \nplans and schedule for migrating all programs to the new \nsystem, the VETSNET System, were unclear.\n    Work to meet the original program objectives had been \nextended by 5 years and at a cost of $308 million or more than \ntwo times the projection from 2006.\n    OI&T has historically struggled to manage IT acquisition \ncontracts effectively. In response to a hotline complaint, we \nreviewed a contract to install wireless networking services at \n236 VA sites. We found the time frames to plan, solicit, and \naward the contract were unreasonable.\n    VA had also issued a statement of objectives without enough \ndetail for vendors to submit reasonable proposals resulting in \nescalating contracting costs and delayed network installation \nnationwide.\n    In conclusion, the Department historically has struggled to \nmeet IT development cost, schedule, and performance objectives. \nWe are currently reviewing OI&T\'s new Program Management \nAccountability System to assess the controls that are needed to \nimprove program oversight and ensure success in development \nefforts.\n    Mr. Chairman, thank you again for the opportunity to be \nhere today. Ms. Regan and I would be pleased to answer any \nquestions that you or other Members may have.\n    [The prepared statement of Ms. Finn appears on p. 31.]\n    Mr. Johnson. Thank you, Ms. Finn.\n    Mr. Willemssen, you are now recognized for 5 minutes.\n\n                STATEMENT OF JOEL C. WILLEMSSEN\n\n    Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member \nDonnelly. 
Thank you for inviting us to testify today on VA\'s \nmanagement of information technology.\n    As requested, I will briefly summarize our statement.\n    Our work at VA over the last several years has shown that \nthe Department faces challenges in effectively managing IT. \nToday I will cover three of those.\n    One, developing information systems; two, securing \ninformation and systems; and, finally, working with the \nDepartment of Defense to implement joint solutions.\n    Regarding developing systems, we have recently reported on \ntwo important VA systems development projects. VA began work \nmore than a decade ago on the first project, an effort to \nreplace the Outpatient Appointment Scheduling System that the \nDepartment said had long-standing limitations.\n    However, after spending an estimated $127 million over 9 \nyears, VA had not implemented any of the project\'s planned \ncapabilities. The effort was hindered by weaknesses in several \nkey management disciplines such as acquisition planning, \nrequirements analysis, testing, progress reporting, risk \nmanagement, and oversight.\n    We made recommendations to VA in each of these areas to \nimprove future development of needed capabilities.\n    We also reviewed VA\'s development of a new system for \nprocessing Post-9/11 GI Bill educational assistance benefits. \nIn this case, we found that VA had delivered initial key \nautomated capabilities and was, therefore, able to provide \nregional processing offices with the capability to prepare \nbenefits claims.\n    However, we also identified areas for improvement and made \nseveral recommendations to VA to further guide full development \nand implementation of the entire system.\n    Let me next turn to a second major VA challenge, \ninformation security. Long-standing weaknesses in security \ncontrols have consistently been a material weakness at VA. 
We \nand the VA OIG have issued numerous reports showing that these \nweaknesses are pervasive and place VA\'s program and financial \ndata at risk.\n    Implementation of the many recommendations directed to VA \nand a fully effective information security program are critical \nto the Department reducing its security risks.\n    Finally, let me highlight the barriers that VA faces in \nestablishing shared electronic record capabilities with the \nDepartment of Defense.\n    VA and DoD each have massive health care operations and \neach spend large sums of money to separately develop and \noperate electronic health record systems.\n    Earlier this year, we reported that due to barriers in \nthree key areas, VA and DoD lacked mechanisms for identifying \nand implementing IT solutions to jointly address their common \nhealth care system needs.\n    These barriers were, one, strategic planning that jointly \naddressed requirements; two, enterprise architectures to guide \nhow they would move to an integrated set of systems; and, \nthree, investment management processes that would help ensure \nthat chosen solutions would meet the departments\' common needs \nand provide better value to the government as a whole.\n    We recommended several actions to the secretaries of \nVeterans Affairs and Defense to overcome these barriers. Both \ndepartments concurred with our recommendations and in March of \nthis year, the secretaries committed their respective \ndepartments to pursue joint development of integrated \ncapabilities. Doing so can lead to better solutions at lower \ncost.\n    That concludes a summary of my statement and I look forward \nto your questions. Thank you.\n    [The prepared statement of Mr. Willemssen appears on p. \n36.]\n    Mr. Johnson. Thank you very much.\n    Ms. Finn, you mentioned in your testimony that they have \nadequate oversight processes, right? Did I understand that \nright?\n    Ms. Finn. 
I believe what I referred to was that the \npolicies and procedures for system developments seemed adequate \nin that they reflected the commonly accepted best business \npractices for system developments.\n    Mr. Johnson. Okay. But, yet, you indicated that the problem \nwas with compliance with those processes?\n    Ms. Finn. Yes. The issue was compliance with those \nprocesses and the implementation of them. To be specific, the \nway they had been promulgated throughout the Department \nsometimes gave managers the impression that they were just \nguidance and, therefore, not something that they needed to \nfollow or should follow, but were suggestions.\n    Mr. Johnson. Did you see any evidence of any emphasis on \nthe compliance issue? I mean, did they have processes in place \nto identify lack of compliance and mitigating action once they \ndiscovered it?\n    Ms. Finn. Our audit work was about 2 years ago and at that \ntime, no, the process did not have a lot of structure and \ndiscipline to it.\n    Mr. Johnson. Okay. Mr. Willemssen, you mentioned three \nareas, development of IT systems, security, and joint \nintegration.\n    Is it your opinion, and I thought you said so, I just want \nto clarify, that an architecture that clearly indicated how all \nof these different systems would fit together and a road map \nfor integrating them would be a major step in the right \ndirection to overcome those inadequacies?\n    Mr. Willemssen. Absolutely, Mr. Chairman, absolutely \ncritical to doing so. And I understand the magnitude of what \nthe Chief Information Officer is facing. And given that \nmagnitude, he probably has to take it in doable bites and look \nat the most critical functions and make sure he understands the \narchitecture of that. And most importantly, where does he want \nto go.\n    Mr. Johnson. Okay.\n    Mr. Willemssen. 
And that is why we focused, for example, on \nthe VA and DoD area, that jointly, they need to figure out \nwhere they want to go, figure out where they are, and then have \na transition plan to get from here to there. That is what is \ncurrently missing.\n    We are encouraged, though, by the recent announcement that \nthe secretaries are committed to this, but you are right. \nConstant oversight by your Committee among others will go a \nlong way to making sure that happens. Without that oversight, \nthings can fall by the wayside.\n    Mr. Johnson. Well, Ms. Finn mentioned compliance with \nprocesses and you talked about the lack of an architecture.\n    Is it your sense that, Mr. Willemssen, inside the VA, do \nthey really have an understanding of the software development \nlife cycle and the major steps involved because you mentioned \ndevelopment specifically? Did you find in your analysis that \nthere is understanding of the software development life cycle?\n    Mr. Willemssen. It is a mix. With the size of the \norganization, there are elements that do understand the life \ncycle. There are elements who clearly, for example, understand \nthe Software Engineering Institute\'s capability maturity model \nand are striving to do as best as possible within the \nparameters of the engineering disciplines within the model. But \nthat is not prevalent throughout the organization----\n    Mr. Johnson. Okay.\n    Mr. Willemssen [continuing]. So that when you are going \nwith any particular system development effort, it is somewhat \nhit or miss and, therefore, the software development processes \nmay not be ingrained, but it may be ad hoc and chaotic. You may \nget lucky and you may have a group that knows what they are \ndoing. On the other hand, you may not.\n    Mr. Johnson. Did you see any indication or evidence that \nthere is a formal program management or project management \ncertification program within the VA with how their IT projects \nare run?\n    Mr. 
Willemssen. I do not recall that, but that is something \nthat Mr. Baker, I believe, is pushing very hard and that we \nwould be supportive of. But we have not done work specifically \non project management, but I think you are definitely on the \nright topic there because it continually comes up in the \nsystems that we have reviewed.\n    Mr. Johnson. It goes back to what I said earlier. I mean, \nif you do not know where you are going, any road will get you \nthere and so we end up with what we have.\n    We will probably come around for another second round of \nquestions to you folks. I appreciate it.\n    I will yield at this time to Mr. Donnelly.\n    Mr. Donnelly. Thank you, Mr. Chairman.\n    Mr. Willemssen, have you sat with the DoD and talked to \nthem about this issue and asked what their positions are and \nwhat they plan to do?\n    Mr. Willemssen. We have. We have also done an in-depth \nreview of their AHLTA (Armed Forces Health Longitudinal \nTechnology Application) System which is their own health care \nsystem. Again, I am encouraged by both secretaries committed to \ndo something because without that, you are going to want to \ncontinue to go with your own Department\'s system.\n    Mr. Donnelly. What do you plan your continuing role to be \nin making sure this progress continues to see that it is not \ntwo home teams doing their own thing?\n    Mr. Willemssen. At this point, our plan would be to follow-\nup on our outstanding recommendations that we made in our \nFebruary report in those three barrier areas that I mentioned.\n    And also before the hearing, Dr. Levin and I committed to \nmeeting within the next 2 weeks to get further understanding of \nwhat is going on subsequent to the secretaries\' commitment to \npursue this aggressively.\n    Mr. Donnelly. 
Do you have your own progress schedule for a \ntimeline on this integration and this coming together so we can \nhave a system that works across both departments and that work \nseamlessly with one another?\n    Mr. Willemssen. We do not have a specific schedule other \nthan following up on the recommendations and providing periodic \nprogress reports to bodies such as this that provide oversight. \nSo if I were to come here a year from now and report the same \ninformation, that would definitely say something.\n    Mr. Donnelly. Do you have any idea cost-wise if both groups \nwere on the same plan, following the same software and working \ntogether so the records come over seamlessly from DoD to VA \nthat were able to track individuals, what kind of cost savings \nthat would result in?\n    Mr. Willemssen. We have not done the cost analysis. But \nwhen you look at the billions that are planned to be spent on \neach separately over the next many years, I think you can see \nthe opportunities for savings are significant. You overlay on \nthat plans that not only VA has but DoD and the rest of the \nFederal Government to significantly consolidate the massive \nnumber of data centers that are out there and you will have \nagain tremendous cost savings.\n    Mr. Donnelly. Ms. Finn, you have identified a number of \nprograms that there is a lack of sufficient or qualified IT \npersonnel.\n    What can be done to address this problem in your judgment?\n    Ms. Finn. This is the case I think where OI&T will have to \nhave a concerted strategy and an implementation plan to address \nthat issue.\n    When Mr. Baker first started and he and I first met, he \nasked what do you think my biggest problem will be. And I said \nsystem development without a question and he agreed. And he has \nworked to address that.\n    I will be able to tell you a little more specifically about \nwhat the Department needs to do later this year. 
We are \nplanning to do an audit of OI&T\'s human capital management and \nwe will probably be looking at their strategy and \nimplementation for increasing their expertise in program \nmanagement.\n    Mr. Donnelly. And one final question is, from your \nperspective, what exactly has the VA done now to improve its \nability to manage IT projects and what do you think is the most \nimportant thing they can do to improve that?\n    Ms. Finn. They have taken two actions. One is the use of \nthe Agile system development methodology which calls for \nincremental functionality little bits at a time and that allows \na project to hopefully make better progress than the \ntraditional waterfall method that, you know, assumes you have \neverything planned out before you start.\n    And the second is the Program Management Accountability \nSystem, which is the oversight structure that OI&T uses to \nmonitor the progress of all their system development efforts in \nthe various projects.\n    PMAS was somewhat of a departure for VA in that it provides \nan overarching look at system development. We have been doing \nsome work to actually look at the implementation of the PMAS \nsystem and the discipline because, as you know, often the devil \nis in the details as to how well the oversight is implemented. \nAnd we will be issuing a report on that later this summer.\n    Mr. Donnelly. Thank you very much.\n    I yield back, Mr. Chairman.\n    Mr. Johnson. Thank you.\n    Ms. Finn, you mentioned the Agile implementation \nmethodology. And I have used that myself and so I agree with \nyou that it is a good way especially on big projects.\n    However, you know, I am going to keep beating this horse \nuntil we get someone\'s attention. 
Architecture, Agile works \nwell when you have a well-defined set of requirements, a well-\ndefined road map on where you are going to.\n    Is it your opinion that Agile works well in environments \nwhere you really do not have that, where you do not know which \nway you are going?\n    Ms. Finn. I do not think any software methodology can work \nif you do not really have an end game in mind to know what you \nare trying to develop. And I would think Agile has no more \nadvantage in that situation than the waterfall method.\n    Mr. Johnson. Sure. Okay.\n    Mr. Willemssen, the Ranking Member just started talking \nabout some staffing deficiencies.\n    Do you feel that the VA OI&T staffing of over 7,100 people \nis appropriate and effective?\n    Mr. Willemssen. Appropriate? We have not done a detailed \nanalysis of all the staff, what their capabilities are, how \nthey are deployed, what they are working on, so I would not \nventure a guess on that.\n    I would say that based on my almost 20 years off and on of \nevaluating VA IT there are pockets of excellence and there are \npockets where much additional work is needed. So it is hard to \ngeneralize.\n    I think what the Inspector General\'s representative said \nhere about taking a look at the human capital function within \nIT and seeing what kind of capabilities, what kind of \ncertifications, what kind of project management discipline, \nthat makes a lot of sense.\n    And I think Mr. Baker would probably welcome such a review.\n    Mr. Johnson. Okay. Shifting back just a little bit and \neither of you can respond to this question, what would prevent \nVA OI&T from fully implementing the information security \nprogram required under the Federal Information Security \nManagement Act of 2002 (FISMA)?\n    Ms. Finn. Big question there. No single thing comes to \nmind. Of course, we do review the information security posture \nannually under the requirements of FISMA. 
In fact, our report \non 2010 should be available fairly soon.\n    The biggest obstacle that I see is, and Mr. Baker may have \na different thought on this, is VA\'s decentralized nature in \nthat even with a centralized OI&T, a centralized information \ntechnology organization, you still need to have consistent \nimplementation and disciplines out at many facilities.\n    Your security is only as good as, you know, as each \nindividual location. And it is a very cumbersome process to \nidentify all of the issues and have the command and control \nstructure needed from Washington to make sure all of the fixes \nare made and updated because information security is a daily \nrequirement. You have to keep your patches. You have to keep \nyour passwords.\n    So it is the decentralized nature I believe is the big \nchallenge and just the fact that you have to keep up with it \nevery day in that environment.\n    Mr. Johnson. Okay. Do you think developing technologies \nsuch as cloud computing and open source, even though the U.S. \nChief Information Officer has cited security concerns, do you \nhave concerns about pursuing that given the security issues \nthat we have already talked about?\n    Ms. Finn. Of course I have concerns. I was reading the \nOffice of Management and Budget\'s strategies yesterday about \ncloud computing and I noted that they talked about establishing \nFederal clouds hopefully to provide better security. That gives \nme a little more comfort than just going out to the commercial \narea. But I think even that environment will require a lot of \nmonitoring and controls to ensure that it is secure.\n    At VA, of course, we deal with a lot of personal \ninformation and so we want to make absolutely certain that it \nis secure.\n    Mr. Willemssen. If I may, Mr. Chairman----\n    Mr. Johnson. Absolutely.\n    Mr. Willemssen [continuing]. I would echo that issue. 
We \nissued a report last year on the Federal Government\'s plans to \nmove forward with cloud computing. We were especially concerned \nat that time at the lack of guidance addressing the security \nramifications of going to the cloud.\n    Since that time, there has been some guidance disseminated, \nbut for an organization that has much sensitive data, you have \nto make that move very carefully and with a lot of controls in \nplace with the provider of the service.\n    Mr. Johnson. Mr. Willemssen, we talked a little bit about, \nand I agree with you, it is encouraging to see that the \nsecretaries of the departments have committed to moving forward \nwith this joint development integration.\n    Can you explain to us why you think it took VA and DoD \nuntil March of this year to finally come to that commitment to \njoint development of that electronic health system?\n    Mr. Willemssen. Growing pressure to do so. I think the \nfrustration was getting too high. And I think that frustration \nwas starting to boil over and I think both departments began to \nrecognize that they had to do something, especially given again \nwhat you said earlier.\n    We are a country that does not have a lot of excess funds \nto spend and you see the amount of money going into the health \nsystems for DoD and VA and it looks like an easy opportunity to \nsave some money and, oh, by the way, have better service to our \nservicemen and women and veterans. So this looks like an easy \nthing to do.\n    It is the institutional and cultural resistance \nhistorically to doing it. That is why I think unless you have \nsomebody at the secretary level driving this, it is going to be \nvery difficult to accomplish because of those institutional and \ncultural barriers.\n    Mr. Johnson. Yeah. Well, tough question here. 
What is your \nconfidence level that, I mean, if they did not do this on their \nown out of their own capacity to see the need for it and they \nhad to wait until there was so much pressure to do so, what is \nyour confidence level that the departments are going to work \nwell together and specifically how do you view the influence of \neach department over the Integrated Program Office in terms of \nmoving the ball up the field and making progress because I \nstill remain concerned about no timelines?\n    I have yet to see, maybe it exists, but I have yet to see a \nproject management or a program management plan that says who \nis committed to do what tactically.\n    Mr. Willemssen. Absolutely. I agree with you. That is what \nwe are looking for too. And I think if the secretaries\' \ncommunique, as was mentioned earlier, is going to come out a \nweek from now, those are the kind of details that we want to \nsee and then hold the departments accountable to the details in \nthat communique.\n    Mr. Johnson. Yeah. We will be watching for that very \nclosely as well. It should reveal some specificity around how \nwe are going to pursue this. It is the right thing to do for \nAmerica\'s veterans. It is the right thing to do for the \ntaxpayers.\n    With that, do either of you have any closing comments \nbefore we wrap up?\n    Mr. Willemssen. No, sir. Thanks, Mr. Chairman.\n    Mr. Johnson. All right. Well, my thanks to you then for \njoining us today. I appreciate your testimony.\n    Ms. Regan, you did not get a chance to say anything. \nAnything on your mind?\n    Ms. Regan. No. I am fine. Thank you.\n    Mr. Johnson. Okay. Well, you are now excused.\n    I ask unanimous consent that all Members have 5 legislative \ndays to revise and extend their remarks and include extraneous \nmaterial. 
And seeing as I am not going to object to my own \nmotion, that is so ordered.\n    I want to thank all Members and witnesses for their \nparticipation in today\'s hearing and business meeting.\n    This hearing is now adjourned. Thank you all.\n    [Whereupon, at 11:14 a.m., the Subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n           Prepared Statement of Hon. Bill Johnson, Chairman,\n              Subcommittee on Oversight and Investigations\n    Good morning. This hearing will come to order.\n    I want to welcome everyone to today\'s hearing ``Reboot: Examining \nVA\'s IT Strategy for the 21st Century.\'\'\n    With an information technology budget exceeding three billion \ndollars annually, it is reasonable for the American taxpayer to expect \nthe Office of Information and Technology at VA to effectively utilize \navailable technology and provide the highest quality support in the \nDepartment\'s delivery of health care and benefits to veterans.\n    As we will hear from the witnesses on both panels today, billions \nof dollars have been spent on IT at VA. However, veterans, the \ntaxpayers, and Members of this Committee are left to wonder what has \nresulted from these expenditures. Have improvements been made? \nCertainly. Are the improvements and advancements in VA IT over the last \n10 years on par with the amount of time and taxpayer dollars put into \nthe effort? Certainly not.\n    The witnesses on today\'s second panel will help illuminate the \nmagnitude of the money spent on IT over time. 
To name a few: $127 \nmillion over 9 years on an outpatient scheduling system, with none of \nthe planned improvements in place; suspension of the Strategic Asset \nManagement, or ``SAM\'\' program, after failing to meet yet another \nmilestone; and a $70 million overrun on a Wi-Fi installation contract.\n    I also remain concerned that, as with past contracts and efforts, \nVA is not thoroughly vetting cost and risk analysis before undertaking \nnew, large IT projects.\n    While VA continues to push forward on cloud computing, its own \nAdministration has not fully established the Federal guidelines for \ninformation security in cloud computing. In a health care environment \nsuch as VA\'s, I know that I would not want my personally identifiable \ninformation floating around in the ``cloud\'\', especially given a track \nrecord of data breaches that is less than stellar.\n    We once again notice a history of poor acquisition and contract \nmanagement at VA, a theme this Subcommittee is familiar with. Given the \nfrequency of problems in IT contracts, we know there must be a \nsignificant degree of inexperience among the contracting staff, but we \nare also left to wonder whether supervisors in OI&T either don\'t know \nor don\'t care about these shortcomings. When IT needs are not clearly \ndefined at the beginning of the process, it leads to cost increases and \ntime delays down the road.\n    With an IT staff of over seven thousand, I find it difficult to \nbelieve that knowledgeable IT professionals are not helping to create \nwell-defined Requests for Proposal, a key element of a viable contract. \nWhen these contracts constantly have to be modified, it results in \ngreater cost to the taxpayers and a delay of improved services to \nveterans.\n    A crucial area for VA IT to meet expectations is the establishment \nof the joint Electronic Health Record, or ``EHR\'\', with DoD. 
Yet \nanother overdue item for our active duty servicemembers and our \nveterans, the EHR has been pursued separately by the two departments. \nThe result is billions of dollars spent, much of it duplicative, and no \njoint EHR. While I commend the Secretaries of both departments for \nfinally committing this spring to cooperatively pursue this endeavor, I \nhave lingering concerns that mistakes made in previous IT contracts \ncould be repeated.\n    For example, after releasing a final RFP on an Open Source \ncustodial agent at the end of last month, VA is only allowing a 3-week \nturnaround for proposals to be submitted at the end of this week.\n    It\'s not rocket science. The capabilities to do what needs to be \ndone already exist. Hundreds of millions of dollars could have been \nsaved in previous years by simply having a robust IT architecture and \nstrategy in place. The needs are clearly defined: protect veterans\' \ninformation, establish an electronic health record in conjunction with \nDoD, and implement stringent oversight of these and all undertakings in \nthe Office of Information and Technology. I fully understand the \nchallenges of managing information technology in a large organization. \nWhat I do not understand is why it has taken so long to get only so far \nat VA. The American people are watching, and expect VA to take care of \nour veterans as promised.\n    I appreciate everyone\'s attendance at this hearing and I now yield \nthe Ranking Member for an opening statement.\n\n                              ----------\n            Prepared Statement of Hon. Joe Donnelly, Ranking\n    Democratic Member, Subcommittee on Oversight and Investigations\n    We often criticize the VA for their inefficient and outdated IT \nsystems. A perfect example of this was when the VA found themselves \nhaving to process education claims manually due to the legacy system \nbeing unable to process education claims after the passage of a modern \neducation program. 
For this reason, I find it important and critical \nthat the VA maintains an updated IT system that proves to be reliable \nand can be manipulated as new software is incorporated through the \nyears ahead.\n    The VA has decided that using an Open Source model will provide a \nbetter outcome, with lower risks and lower cost. Their cooperation with \nthe DoD on using Open Source is encouraging, in part because this \ncooperation is essential, there is a critical need to develop an \nelectronic health record system, and because DoD has relied on Open \nSource in the past. Although there are multiple concerns that both the \nmajority and the minority might share, the VA has reassured us that \nOpen Source provides several benefits. But along with those benefits, \nmaking sure that veterans\' personal information remains secure is \ncritical.\n    I also understand that contract management and weaknesses have \novershadowed VA\'s efforts to keep up with the VA\'s IT infrastructure. \nCost overruns, contract weaknesses, and unmet project time frames are \njust a few examples of the implications that can occur if there are no \nfirm requirements in contracts, such was the case with the Wi-Fi \nawarded contract to Catapult, Ltd.\n    What I am concerned about is making sure that first, the VA IT has \nan interoperable model in place; second, best practices should be in \nplace from the private and public sector; and third, that new IT \nstrategies have the best value for our veterans.\n    Finally, I encourage the VA to keep staff updated on your efforts.\n\n                              ----------\n     Prepared Statement of Hon. Roger W. Baker, Assistant Secretary\n      for Information and Technology and Chief Executive Officer,\n   Office of Information and Technology, U.S. 
Department of Veterans \n                                Affairs\nIntroduction\n\n    Chairman Johnson, Ranking Member Donnelly, Members of the \nSubcommittee: thank you for inviting me to testify regarding the \nDepartment of Veterans Affairs\' (VA) Information Technology (IT) \nstrategy for the 21st Century. I appreciate the opportunity to discuss \nVA\'s plans, actions, and accomplishments that will position VA\'s IT \norganization as a 21st Century leader in the Federal Government.\n    I am pleased to be accompanied today by Peter Levin, Ph.D., VA\'s \nChief Technology Officer.\n    Through Secretary Shinseki\'s leadership, the VA continues to focus \non the strategic goals VA established 2 years ago to transform VA into \nan innovative, 21st Century organization that is people-centric, \nresults-driven, and forward-looking. These strategic goals seek to \nreverse ineffective decision-making, systematic inefficiency, and poor \nbusiness practices in order to improve quality and accessibility to VA \nhealth care, benefits, and services; increase veteran satisfaction; \nraise readiness to serve and protect in a time of crisis; and improve \nVA internal management systems to successfully perform our mission. The \nOffice of Information and Technology (OI&T), which I am honored to \nlead, proudly supports our strategic goals as we rapidly deliver \ntechnology to transform VA.\n    The VA IT enterprise is a massive single, consolidated network with \n152 hospitals, 791 community-based outpatient clinics (CBOC), 57 \nbenefits processing offices, and 131 cemeteries and 33 soldier\'s lots \nand monument sites. Our OI&T workforce numbers over 7,100, serving over \n300,000 VA employees and more than 10 million veterans. Within our $3.1 \nbillion FY 2011 budget, OI&T manages a technology profile of over \n314,000 desktop computers, 30,000 laptops, 18,000 blackberries and \nmobile devices, and 448,000 email accounts. 
These figures describe an \nIT enterprise that is certainly one of the largest consolidated IT \norganizations in the world.\n\nDisciplines for 21st Century Information Technology\n\n    Managing an organization of this size and scope requires \ndisciplined management and processes. To instill those disciplines, VA \nimplemented five major focus areas immediately after my confirmation. \nThese five areas--customer service, product delivery, information \nsecurity, operational metrics, and financial reporting--continue to \nguide our efforts in a disciplined and measurable way.\n\n 1. Customer Service\n\n    OI&T continues to build upon our excellent relationships with VA\'s \nAdministrations (Veterans Health, Veterans Benefits, and National \nCemeteries). We have worked hard to set a tone of cooperation that has \nmade it possible for us to effectively address many complex problems at \nthe second largest agency in the Federal Government. Thanks to my \npartners, Dr. Robert Petzel, Under Secretary for Health, Mr. Michael \nWalcoff, Acting Under Secretary for Benefits, and Mr. Steve Muro, \nActing Under Secretary for Memorial Affairs, that same cooperative \napproach continues to spread throughout VA.\n\n 2. Product Delivery\n    IT is an enabler to the implementation of the Secretary\'s 16 \nTransformational Initiatives, which cannot be executed without newly \ndeveloped IT products. These initiatives are key to improving VA\'s \nservices to Veterans, and IT investments have allowed us to deliver \nproducts or plan for on-time delivery of the following programs:\n\n        *  Successful, on-time delivery of the critical GI Bill \n        project. VA successfully converted all processing of new Post-\n        9/11 GI Bill claims to the Long Term Solution (LTS) prior to \n        the commencement of the Fall 2010 enrollment process. 
Since \n        installation, processing with the new system has been \n        excellent, with no significant ``bugs\'\' encountered. The \n        Veterans Benefits Administration claims processors like the new \n        system and find it easier and more efficient to use. By \n        dramatically changing its development processes, adopting the \n        Agile methodology for this project, VA also dramatically \n        changed its system development results;\n        *  Veterans Benefits Management System (VBMS), in which \n        IT provides Veterans Benefits Administration the enabling \n        technology to break the claims backlog;\n        *  The Blue Button program, in which IT provides the \n        systems and information security to allow Veterans to download \n        their currently available personal health information from \n        their MyHealtheVet account, allowing them to share their \n        personal health information with doctors outside the VA;\n        *  The eBenefits portal (a joint DoD and VA service), \n        which is evolving to a ``one-stop shop\'\' for benefit \n        applications, benefits information and access to personal \n        information such as official military personnel documents;\n        *  Veterans Relationship Management (VRM), in which IT \n        will provide the capability to improve Veterans access to VA \n        services and benefits through phone, web and email systems \n        enabling easier and more effective communications; and\n        *  The Pharmacy Reengineering program that replaces \n        existing pharmacy software modules with new technology that \n        will enhance Pharmacy services, improve customer service and \n        enhance patient safety.\n\n    As these examples illustrate, IT plays a pivotal role in the \ntransformation of VA into a 21st Century organization as envisioned by \nthe President and Secretary Shinseki.\n\n  3. 
Information Security\n\n    Ensuring the security of the large VA network and devices is vital. \nWe have made substantial progress in information security since the \nchallenges experienced in 2006 by instituting controls that now provide \nfor remote access to VA resources for employees and selected business \npartners, and implementing a sound security strategy to facilitate \nsecure data exchange with Department of Defense and private-sector \nhealth care organizations, and facilitating access to electronic health \nrecords for our veterans over the Internet. These efforts are \ninstrumental in making the administration\'s vision towards a virtual \nlifetime health record possible.\n    We have already made great strides with some efforts that will be \ndiscussed in greater detail below, including: visibility to the desktop \nto ensure compliance with security policies; visibility to every \nnetwork device; strong user authentication; and medical device \nisolation architecture. It is vital to us that veterans feel confident \nthat we are doing everything we can to secure their private \ninformation.\n\n  4. Operational Metrics\n\n    Our operations organization provides excellent service to our \nhospitals, benefits offices, and cemeteries. We now measure and publish \nkey metrics that tell us how we are doing. Beginning in June of 2009, \nwe started at the core, measuring network availability (which averages \n99.99 percent), Veterans Health Information Systems and Technology \nArchitecture (VistA) system availability (99.95 percent), and help desk \nwait times. We have expanded these measurements to include a list of \nnearly 167 metrics covering aspects of our network, our service \nprovision and our system/application provisioning that help us \nunderstand what works well and what does not. 
The ability to measure \nthese key processes and adjust accordingly is central to continuous \noperational improvement--a hallmark of a mature operation and essential \nto any 21st Century IT organization.\n    As an example, we recently completed our second enterprise-wide \ncustomer satisfaction survey, using the American Customer Satisfaction \nIndex methodology, which allows us to compare our results to those of \nlike organizations throughout government and industry. Our primary \npurpose in conducting this survey is to understand and address the \nissues that affect user satisfaction with IT services at each of our \nfacilities. We showed substantial progress between the two surveys, \nincreasing our satisfaction score from 67 to 71. For comparison \npurposes, our near-term target is to achieve a rating of 75, which \nwould indicate we are in the top half of the ratings for similar \norganizations globally. VA also uses the ACSI Survey tool to monitor \nsatisfaction with the award winning My HealtheVet Personal Health \nRecord portal and our scores in this area (75) benchmark well with the \nE-Government Index (75).\n\n  5. Financial\n\n    Finally, we created a detailed financial plan for OI&T in both 2010 \nand 2011, known as the Prioritized Operating Plan. This plan has two \nmain purposes. First, it creates a vehicle for us to agree, with our \ncustomers, on what the high priority IT services and projects are, and \nallocate our resources to ensure success on the most important items. \nIt also allows us to communicate, clearly and objectively, which \nprojects and services will and will not be accomplished. Second, it \nallows us to track our expenditures, from plan to budget to spend to \nresults, and know the business purpose for spending each dollar and \nthen track the results we expect to obtain from the expenditure. 
For \n2011, that plan is over 1400 lines long.\n\nVA IT is a Leader in Federal IT\n\n    Our efforts in the five focus areas have produced results across \nthe board--results that are seen every day by each of our customers, \nfrom a VA employee at a hospital, benefits office, or cemetery, to the \nSecretary of Veterans Affairs, and to our most important customer, the \nAmerican Veteran. VA IT is a leader in the Federal Government, and is \ntransforming itself into a 21st Century IT leader by implementing \ninnovative approaches to improve our results.\n    Our goal is to be the best IT organization in the Federal \nGovernment, and comparable to large private-sector organizations. \nAchieving that goal means being a leader, and being a leader requires \nmore than being good. It requires defining a path in advance of others, \nand boldly moving forward on that path. To that end, I will highlight a \nfew areas where VA IT is, today, clearly leading the way for the \nFederal Government.\n\nOMB\'s 25 point plan\n\n    VA has been an early and rapid adopter of the elements of Office of \nManagement and Budget\'s (OMB) 25 point plan for improving Federal IT. \nIn fact, VA began pursuing many of the initiatives outlined in the 25 \npoint plan while the plan was being formulated. Consequently, VA was \nuniquely positioned to support the creation of many of the initiatives \nand become an ``early adopter.\'\' For example, VA had already begun work \non Data Center Consolidation, and was able to provide insight and \nlessons learned on the process for many other Federal agency \nparticipants.\n    Another initiative in which VA is ahead of the curve is in cloud \ncomputing, which we expect to increase efficiency through secure remote \naccess to files and programs. 
For example, we have a large-scale, \nsuccessful cloud program in the Post-9/11 GI Bill, with another \nstarting development for VBMS.\n    Finally, the VA adapted a key component of our Program Management \nAccountability System (PMAS), the ``strike\'\' meeting to become an early \nadopter of the program\'s intervention meetings OMB calls ``Techstats.\'\' \nDue to VA\'s forward thinking, implementation of many of the initiatives \noutlined in the 25 Point plan was seamless and fit within the plan\'s \nstructures.\n\nTransparency\n\n    VA IT has been a leader in meeting the transparency goals of this \nadministration. One key component of our transparency efforts are the \nmonthly meetings I hold with the staff of the House and Senate \nVeterans\' Affairs Committees. As you know, these meetings serve as an \nopportunity for VA to inform Congress about IT progress and issues at \nVA. Through these meetings we have developed a constant dialog that \nhelps keep Congress informed and opens lines of communication.\n    VA IT is also providing transparency into our development progress. \nEvery increment of every development project is reported in the PMAS \nDashboard, which I will discuss in more detail below, which is tied to \nthe OMB dashboard. This gives OMB, Congress, and the public a clear \nview into VA\'s IT program management progress.\n    VA\'s privacy breach report, discussed below, is another great \nexample of VA\'s leadership in transparency. Our efforts to present to \nCongress and the public our data breaches each month has had the effect \nof limiting the number of breaches that have occurred, and helped our \ninformation security staff to better identify potential risks. 
In \naddition, the breach report is discussed on a teleconference with the \nmedia to ensure an even greater level of transparency.\n    Shortly after the President\'s January 21, 2009 Freedom of \nInformation Act (FOIA) Memorandum, VA publicized and implemented the \nAttorney General\'s FOIA Guidelines throughout the agency by prominently \npublishing access links on the VA\'s FOIA Web site at http://\nwww.foia.va.gov/. VA\'s Chief Information Officer and VA\'s Under \nSecretary for Health appeared in a video directed to all VA FOIA \nOfficers to discuss the importance of FOIA and the implementation of \nthe President\'s FOIA guidelines by ensuring any releasable items are \nrapidly made available to the public without requiring a FOIA request. \nVA has actively improved transparency by routinely posting information \nabout VA Data Breaches. Other offices have also followed the lead and \nensured transparency, i.e., VA Office of Finance (OF) posts information \nregarding VA purchase card holders (credit card) transaction data, \nFirst Class and Business Class Travel Reports, VA Civil Service \nEmployee holiday pay data, Unclaimed Moneys Accounts data, VA\'s FY 2012 \nPresident\'s Budget Submission, and VA\'s FY 2010 Highlights for the \nCitizen (Summary of Performance and Financial Information). High level \ncontract award data is also posted without a formal request. VA\'s \nASPIRE for Quality Initiative, a VA-wide program designed to document \nkey measures of health care quality posts outcome information for acute \ncare services, intensive care units, outpatient services, safety and \nprocess measures, and indicators of how successful each VA Medical \nCenter has been in meeting its quality goals.\n\nPMAS\n\n    In June of 2009, VA introduced the Program Management \nAccountability System (PMAS). The PMAS process has transformed product \ndelivery at the VA. 
Before the implementation of PMAS, approximately \n283 development projects at VA met their milestone dates an estimated \n30 percent of the time. This is an estimate, as IT development projects \nsimply were not tracked to their committed dates prior to PMAS. Today, \nVA has 107 active development projects, tracked in real-time through a \nproject database and dashboard, that are meeting their milestone dates \napproximately 75 percent of the time. I know of no other Chief \nInformation Officer (CIO), government or private sector, who has this \nlevel of insight into such a large portfolio of development projects. \nVA is a true trailblazer in product delivery, as I can assure you that \nmost IT development organizations, public or private sector, would be \necstatic with meeting 75 percent of their committed milestones.\n    PMAS is important for two reasons. Most importantly, we are able to \ndeliver on the transformational capabilities VA requires. PMAS also \nensures we meet this administration\'s goal of ensuring that every \ntaxpayer dollar is well spent. In 2010, VA had a cost avoidance of \nnearly $200 million by eliminating poorly performing projects and \nrestructuring many others to lower risk, reduce spend rates, and \nimplement incremental development project plans.\n    PMAS helps VA manage our contracts better by ensuring that proper \nplanning is done prior to beginning development on an increment. That \nincludes having the contracting officer and counsel as part of the \nIntegrated Project Team during the planning phase. During the planning \nphase of a project, the work is broken into increments that deliver \ncapability to the customer in 6 months or less. As soon as the first \nincrement is planned in sufficient detail, the project can begin \ndevelopment on that increment while continuing to plan future \nincrements. 
By using PMAS criteria, we ensure that we have good plans \nand necessary resources in place before a project increment goes \nactive. Once the project is active, it will receive a strike whenever \nan increment milestone is missed. A project can receive no more than \nthree strikes before it is stopped and forced to re-evaluate the \nrequirement and the plan. While project failures can still occur, we \nmanage the timeline and work so closely that projects cannot fail for \nyears on end before being stopped.\n\nAgile development\n\n    A primary driver of our success under PMAS has been the adoption of \nincremental development. Every project at VA, without exception, must \ndeliver functionality to its users at least every 6 months. Several of \nour most important projects, including the GI Bill and VBMS, have \nadopted Agile development methodologies. Whereas PMAS addresses the \nplanning and management aspects of short, incremental delivery, the \nAgile development methodology provides the technical management \nguidance of how to turn project requirements into working software \nquickly and in collaboration with the customer.\n    Agile development is important to the VA because it encourages \ncontinuous input from our customers. In agile projects, all the \ndevelopment priorities are set by the customer, which ensures that the \nwork is performed in the order of importance. To increase the \nlikelihood of success, large projects are broken down into small but \nvaluable increments, each of which could potentially be a candidate for \nrelease. This is consistent with our PMAS delivery requirements. \nLastly, agile development requires continuous quality assurance \nthroughout the entire development effort, further ensuring high quality \ndeliverables.\n    Agile software development methodologies are an effective means of \nimproving the predictability, quality, and transparency of software \nproducts and their development. 
At the core of Agile is the iterative \nwork process. Business problems are broken down into small increments \nof delivery that are tangible products that can be reviewed and \nverified regularly by business stakeholders. By constantly \nincorporating feedback, the software that is essential to solving the \nbusiness problem is created in partnership with stakeholders and any \nmiscommunications, revisions, or changes in business needs can be \naccommodated quickly and with little rework. The quality of software is \nkept high throughout the development process as the product in \ndevelopment is kept as close to a production-ready state as possible \nwith each release increment. In addition, prior to the start of each \nincrement, business stakeholders and the development team agree upon \nwhich features or requirements are to be satisfied during that \nincrement thus ensuring that the most important work is completed \nfirst.\n    Contrary to popular belief, the successful Agile program requires \ngreat rigor as it is essentially a process based on statistical \nanalysis. Every work product (software or otherwise) is defined, broken \ndown and estimated. As work progresses, these work products are \ncarefully tracked on a daily basis and results of progress are \npublished to the team and stakeholders (and any other authorized, \ninterested party) to provide complete transparency. The result of this \nhyper-transparency is that problems in the development process are \nidentified early and changes, regardless of their origin, can be \naccommodated quickly and efficiently.\n\nInformation Security\n\n    To vastly improve our information security posture, we have \nachieved the goal of providing visibility to every desktop on the \nnetwork. 
Visibility to the desktop allows the CIO and our Information \nSecurity Team the ability to see, for every machine on the network, \nwhat software is installed, whether security policies are met and what \nvulnerabilities exist--that\'s more than 314,000 desktops and more than \n30,000 laptops reviewed for issues each day. We are easily able to \nidentify outliers and enforce compliance on computers that do not meet \nour network security requirements.\n    In our continued effort to further enhance our security posture, we \nwill gain visibility to all servers in the VA environment and implement \na strong authentication solution for system administrators by September \n2011. In addition to gaining visibility to the server computing domain, \nVA will take the additional step of gaining increased visibility of \nnetwork infrastructure devices. Strong authentication coupled with \nvisibility all the way down to the end user desktop is first-rate for \nan organization the size of VA and stands to be one of the largest \ndeployments ever made of security and network management software in a \ncentralized and consolidated network environment. When completed, the \nVA will have unmatched near real time security situational awareness of \nits computing resources, consisting of more than three quarters of a \nmillion devices.\n    We have also achieved full implementation of our medical device \nisolation architecture, which is essential to mitigating security \nvulnerabilities in our medical devices. The isolation architecture \nallows us to localize virus outbreaks in populations where providing \nprotection proves more difficult for equipment such as medical devices, \nby using virtual local area networks and access control lists. 
These \ntechnologies allow us to easily identify threats and vulnerabilities \nand quarantine them to prevent viruses from spreading across the VA \nnetwork.\n    Our achievements on visibility to the desktop and our medical \ndevice isolation architecture put us well ahead of most Federal \norganizations, and on par with well managed private-sector \norganizations. Our ability to provide immediate response to \nvulnerabilities and threats within our enterprise, as well as enacting \na proactive approach to centralized monitoring, reporting, compliance \nvalidation and providing maximum service availability, is quickly \nestablishing VA as a model of excellence for the rest of the Federal \nGovernment.\n\nProtecting Personal Private Information\n\n    While we have made important strides in reducing the number of data \nbreaches that occur, VA has led the way in both responding to \nincidents, and providing transparency when reporting data breaches. Our \nIncident Resolution Team compiles a comprehensive report detailing \nevery reported data breach on a daily and weekly basis. The reports are \nthen discussed with the Data Breach Core Team which is made up of \nrepresentatives from the Office of General Counsel, Veterans Health \nAdministration, Veterans Benefit Administration, National Cemetery \nAdministration and VA Central Office staff offices. At the end of each \nmonth, our Incident Resolution Team compiles a comprehensive report \ndetailing every reported data breach, the circumstances of the breach, \nthe number of Veterans affected, the steps taken to remedy the \nsituation, and any pertinent follow-up information. This information is \nsubmitted to Congress, and is also posted publicly on the VA Web site. \nAfter its publication, I hold a press conference to discuss the \nbreaches in an open, transparent manner. The number of facilities and \nthe complex IT environments at VA present unique security and privacy \nchallenges. 
VA\'s Incident Resolution Team consistently monitors and \nresponds to every privacy or security event, no matter if it deals with \none Veteran or thousands. The team members are considered experts in \ntheir field, and have assisted other government agencies individually \nand spoken at Federal IT and privacy events.\n\nVLER\n\n    In April 2009, President Obama charged the Secretary of Defense and \nSecretary of Veterans Affairs to create a Virtual Lifetime Electronic \nRecord (VLER) to bring together the plethora of systems. This was done \nin order to create a seamless way for servicemembers, Veterans and \nthose who support and care for them to access and manage benefits and \ncare from the day they enter military service and throughout their \nlives. VLER itself is not a ``system\'\', but rather a business and \ntechnical redesign initiative that establishes the interoperability and \ncommunication environment necessary for DoD, VA and other public and \nprivate partners to securely exchange information. The result will \nimprove health, benefits delivery and personnel activities by enabling \nproviders to easily access the information they need. In this way, VLER \nis enabling health care and benefit providers to proactively deliver \nthe full continuum of services and benefits Veterans have earned \nthrough several capability areas that are brought on-line in a measured \napproach.\n    The VLER initiative ensures doctrine, policies, organizational \nstructures, personnel training and IT solutions converge to create an \nenvironment of information transparency that improves the quality of \nlife for Veterans and servicemembers. 
The benefits of VLER are already \nbeing felt by Veterans and servicemembers around the country in many \ndifferent ways.\n    VLER is now being used to support the exchange of health care \ninformation between DoD, VA and private health care providers in the \nSan Diego, CA; Hampton Roads and Richmond, VA; Spokane, WA; and \nAsheville, NC areas. The capability delivered at these pilot sites will \nbecome more robust over time and expand to include six additional \nregions throughout the country by the end of this fiscal year. In 2012, \nwe will leverage the tools and lessons learned in these 11 areas to \nprovide this clinical encounter support to health care providers who \ncare for Veterans throughout the entire United States.\n    VLER and the further expansion of the eBenefits portal will empower \nVeterans and servicemembers by enabling them to access their \ninformation, including health care records, benefit applications, \nbenefits information, and other personal information through an \ninteractive web portal. The eBenefits portal is a rapidly growing joint \nVA/Department of Defense (DoD) service with more than 278,000 \nregistered users as of March 31, 2011. As VLER continues to mature, it \nwill enable the eBenefits portal to provide servicemembers and Veterans \nmore capabilities, including accessing their official military \npersonnel documents, viewing the status of their disability \ncompensation claim, updating direct deposit information for certain \nbenefits, and obtaining a VA guaranteed home loan Certificate of \nEligibility. The eBenefits portal effectively bridges the conversion \nfrom active duty to Veteran status by allowing servicemembers to retain \nthe same login information they had as an active duty participant. 
This \nsimple change is critical as it realizes the goal for the VA to be \nVeteran-centric.\n    VLER will provide on-line access to all eligibility information, \n``Notice of Death\'\' reporting, and enhanced support of final honors and \nmemorial benefits under the National Cemetery Administration. Redesign \nand modernization of cemetery IT systems will include great \ncollaboration with the Department of Defense.\n    VLER should reduce the cost of the delivery of services, increases \nefficiency of operations, reduces cycle times for benefits delivery, \ncontributes to the elimination of homelessness, reduces claims backlogs \nby delivering information sharing capabilities, increases access to \nbenefits by connecting data owners and data users; and, increases the \nquality and effectiveness of services provided to Veterans and \nservicemembers. There are certainly obstacles to achieving these lofty \ngoals, but we are optimistic that VLER is making progress to meet the \nPresident\'s vision for the future.\n\nOpen Source\n\n    The VistA Electronic Health Record (EHR) system is a proven and \nessential element of VA\'s ability to provide Veterans with high quality \nhealth care and control health care costs. In part because of VistA, \nVHA has excelled in the last 15 years in both areas. Independent \nstudies have pegged the rate of return on VA\'s investments in VistA at \nabout $2 returned for every dollar invested.\n    While the current VistA EHR system meets or exceeds the \ncapabilities currently available from commercial EHR vendors, low \ninvestment in VistA over the last decade has eroded its standing from \nthe once-clear market leader to being merely competitive. 
While \nVA clinicians express strong support and preference for VistA as a \nclinical tool, they are also vocal and unanimous in calling for us to \nre-invigorate the innovation that made VistA the best EHR system \navailable.\n    Clearly, the private sector must play a role in that innovation. \nThe size of private-sector investment and the rate of innovation in the \ncommercial EHR sector far exceed the government\'s ability to produce \ntimely, cost-effective EHR products.\n    VA estimates the cost of replacing VistA with an existing \ncommercial package at $16 billion, based both on a VA-commissioned \nindependent validation exercise and on the real-world experiences of \nKaiser Permanente. Published reports say that Kaiser spent $4 billion \nimplementing a commercial off-the-shelf EHR system in their 36 \nhospitals and supporting facilities. Based on the size of VA relative to \nKaiser (VA has 153 hospitals), $16 billion is a reasonable estimate.\n    To avoid those costs, and to find a way to involve the private \nsector in modernizing VistA, the VA is turning to Open Source. Open \nsource software (OSS) began as the ``free software\'\' initiative in the \nearly 1980\'s, though the word free in this context is ambiguous. In \nthis case, it should be thought of as free speech. EHR users from \nacross the community are free to comment and contribute to the \nevolution of the code base, and VA is free to accept or reject any of \nthose contributions.\n    In practice, Open Source has proven to be a powerful method of \nproducing production quality software. Market leading products such as \nUnix, Linux, Netscape, Mozilla, Apache, and many others are the result \nof Open Source software approaches. And while key product elements such \nas licensing, cost, security, etc. are different with an Open Source \nproduct, they are neither better nor worse. 
Open source methodologies \nhave been proven many times in high-reliability production environments \nin the private sector to deliver products that meet or exceed the \nquality and robustness of proprietary and Government off the Shelf \n(GOTS) products.\n    VA has spent more than a year conducting a very deliberative \nprocess to examine the implications of Open Source for VistA. We have \nseen two substantial studies on the topic contributed by the private \nsector and academia. We have consulted with hundreds of organizations, \nand thousands of individuals. We have conducted three Requests for \nInformation (RFIs), and received numerous papers, emails, and comments. \nOur path forward with Open Source has been broadly advised and highly \ntransparent, and is certainly much the better for it.\n    VA expects that the rate of innovation and improvement in VistA can \nbe increased without increasing our current budget by better involving \nthe private sector (and true private-sector practices) in both the \ngovernance and development of the VistA system through Open Source. To \nthat end, we have released a Request for Proposal to establish an Open \nSource ``Custodial Agent,\'\' to run the Open Source community. Our \nestimate of the costs of establishing the Custodial Agent is less than \n$10 million per year.\n\nConclusion\n\n    Mr. Chairman, over the last 2 years, VA\'s IT organization has made \nmany significant improvements and had many successes, but there are \nnumerous challenges ahead. We are solidly on the path that we must \nfollow to achieve our ultimate goal of being a leader in Federal IT. \nBut I believe it prudent to reiterate the words from my confirmation \ntestimony that are still true today: ``There is no easy path, no simple \nanswer, and no short-cut solution to creating a strong IT capability at \nVA. Achieving this will require hard work, disciplined management, and \nhonest communications.\'\' Mr. 
Chairman, Ranking Member Donnelly, and \nMembers of this Subcommittee, I am committed to continuing that work. \nThank you for your continued support of Veterans, their families and \nsurvivors, of VA, and of our efforts to transform VA IT. My colleague \nand I are prepared to answer any questions you and other Members of the \nSubcommittee may have.\n\n                               __________\n\n       Prepared Statement of Belinda J. Finn, Assistant Inspector\n    General for Audits and Evaluations, Office of Inspector General,\n                  U.S. Department of Veterans Affairs\n    Mr. Chairman and Members of the Committee, thank you for the \nopportunity to discuss the Office of Inspector General\'s (OIG) findings \nregarding the Department of Veterans Affairs\' (VA) management of its \ninformation technology (IT) projects. I am accompanied today by Maureen \nT. Regan, Counselor to the Inspector General.\n\nBACKGROUND\n\n    The use of IT is critical to VA providing a range of benefits and \nservices to veterans, from medical care to compensation and pensions. \nIf managed effectively, IT capital investments can significantly \nenhance operations to support the delivery of VA benefits and services.\n    However, when VA does not properly plan and manage its IT \ninvestments, they can become costly, risky, and counterproductive. As \nwe have reported, IT management at VA is a longstanding high-risk area. \nHistorically, VA has experienced significant challenges in managing its \nIT investments, including cost overruns, schedule slippages, \nperformance problems, and in some cases, complete project failures. 
\nSome of VA\'s most costly failures have involved management of major IT \nsystem development projects awarded to contractor organizations.\n\nIT GOVERNANCE CHALLENGES\n\n    In 2009, we provided an overarching view of VA\'s structure and \nprocess for IT investment management (Audit of VA\'s Management of \nInformation Technology Capital Investments, May 29, 2009). As part of \nthe audit, we examined VA\'s realignment of its IT program from a \ndecentralized to a centralized management structure. The realignment \nwas to provide greater accountability and control over VA resources by \ncentralizing IT operations under the management of the Chief \nInformation Officer (CIO) and standardizing operations using new \nprocesses based on industry best practices--goals that have only \npartially been fulfilled.\n    We reported that the ad hoc manner in which the Office of \nInformation and Technology (OI&T) managed the realignment inadvertently \nresulted in an environment with inconsistent management controls and \ninadequate oversight. Although we conducted this audit more than 2 \nyears after VA centralized its IT program, senior OI&T officials were \nstill working to develop policies and procedures needed to effectively \nmanage IT investments in a centralized environment. For example, OI&T \nhad not clearly defined the roles of IT governance boards responsible \nfor facilitating budget oversight and IT project management.\n    Further, in September 2009, we reported that VA needed to better \nmanage its major IT development projects, valued at that time at over \n$3.4 billion, in a more disciplined and consistent manner (Audit of \nVA\'s System Development Life Cycle Process, September 30, 2009). In \ngeneral, we found that VA\'s System Development Life Cycle (SDLC) \nprocesses were adequate and comparable to Federal standards. However, \nOI&T did not communicate, comply with, or enforce its mandatory \nsoftware development requirements. 
OI&T did not ensure that required \nindependent milestone reviews of VA\'s IT projects were conducted to \nidentify and address system development and implementation issues. Once \nagain, we attributed these management lapses to OI&T centralizing IT \noperations in an ad hoc manner, leaving little assurance that VA was \nmaking appropriate investment decisions and best use of available \nresources. Moreover, VA increased the risk that its IT projects would \nnot meet cost, schedule, and performance goals, adversely affecting \nVA\'s ability to timely and adequately provide veterans health services \nand benefits.\n    These audits demonstrated that OI&T needed to implement effective \ncentralized management controls over VA\'s IT investments. Specifically, \nwe recommended that OI&T develop and issue a directive that \ncommunicated the mandatory requirements of VA\'s SDLC process across the \nDepartment. We also recommended that OI&T implement controls to conduct \ncontinuous monitoring and enforce disciplined performance and quality \nreviews of the major programs and projects in VA\'s IT investment \nportfolio. Although OI&T concurred with recommendations and provided \nacceptable plans of actions, OI&T\'s implementation of the corrective \nactions is still ongoing. For example, OI&T is reviewing for approval \nthe draft governance board charters and plans to issue a VA directive \nmandating Program Management Accountability System (PMAS) compliance \nonce version 3.0 of the guide is developed. PMAS is VA\'s new IT \nmanagement approach that focuses on achieving schedule objectives while \nthe scope of functionality provided remains flexible.\n\nPROJECT MANAGEMENT SHORTFALLS\n\n    Over the past 2 years, our audit work on several IT system \ndevelopment projects has identified themes as to why VA has continued \nto fall short in its IT project management. 
These issues include \ninadequate project and contract management, staffing shortages, lack of \nguidance, and poor risk management--issues that have repeatedly \nhindered the success of IT major development projects undertaken by \nOI&T.\n\nVA\'s Replacement Scheduling Application\n\n    In August 2009, we reported that the Replacement Scheduling \nApplication (RSA) project failed because of ineffective planning and \noversight (Review of the Award and Administration of Task Orders Issued \nby the Department of Veterans Affairs for the Replacement Scheduling \nApplication Development Program, August 26, 2009). RSA was a multi-year \nproject to replace the system the Veterans Health Administration used \nto schedule medical appointments for VA patients. Lacking defined \nrequirements, an IT architecture, and a properly executed acquisition \nplan, RSA was at significant risk of failure from the start. We \nsuggested that VA needed experienced personnel to plan and manage the \ndevelopment and implementation of complex IT projects effectively. A \nsimilar suggestion was made in an earlier report in June 2009, where we \nnoted that VA needed to place greater emphasis on training VA personnel \nto manage IT enterprise development projects rather than continuing to \nrely primarily on external organizations and contractors to manage \nthese projects. We believe this condition still exists today and until \ncorrected, VA will struggle to overcome challenges managing its IT \ninvestments. (Review of Interagency Agreement between the Department of \nVeterans Affairs and Department of Navy, Space and Naval Warfare \nSystems Center (SPAWAR), June 4, 2009.) We also suggested that a system \nto monitor and identify problems affecting the progress of projects \ncould support VA\'s leadership in making effective and timely decisions \nto either redirect or terminate troubled projects. 
PMAS is currently \nthe Department\'s approach to implementing this suggestion.\n\nFinancial and Logistics Integrated Technology Enterprise\n\n    In September 2005, VA began developing the Financial and Logistics \nIntegrated Technology Enterprise (FLITE) program to address the \nlongstanding need for an integrated financial management system. As a \nsuccessor to the failed Core Financial and Logistics System (CoreFLS), \nFLITE was a multi-year development effort comprised of three \ncomponents: an Integrated Financial Accounting System (IFAS), Strategic \nAsset Management (SAM), and a Data Warehouse. However, as we reported \nin September 2009, program managers did not fully incorporate lessons \nlearned from the failed CoreFLS program to increase the probability of \nsuccess in FLITE development (Audit of FLITE Program Management\'s \nImplementation of Lessons Learned, September 16, 2009). For example, \ncritical FLITE program functions were not fully staffed, non-FLITE \nexpenditures were improperly funded through the FLITE program, and \ncontract awards did not comply with competition requirements. We \nrecommended that FLITE program managers develop written procedures to \nmanage and monitor lessons learned and expedite actions to ensure full \nstaffing of the FLITE program.\n\nAudit of the FLITE Strategic Asset Management Pilot Project\n\n    Our report on the SAM pilot project disclosed that FLITE program \nmanagers did not take well-timed actions to ensure VA achieved cost, \nschedule, and performance goals. Further, the contractor did not \nprovide acceptable deliverables in a timely manner (Audit of the FLITE \nStrategic Asset Management Pilot Project, September 14, 2010). 
Once \nagain, we identified instances where FLITE program managers could have \navoided mistakes by paying closer attention to lessons learned from the \nCoreFLS effort.\n    Specifically, FLITE program managers:\n\n        *  Awarded a task order on April 21, 2009, to General \n        Dynamics for implementation of the SAM pilot project, even \n        though the FLITE program suffered from a known shortage of \n        legacy system programmers critical to integration efforts \n        required to make FLITE a success.\n        *  Did not clearly define FLITE program and SAM pilot \n        project roles and responsibilities, resulting in confusion and \n        unclear communications between VA and General Dynamics. \n        Contractor personnel indicated that they received directions \n        and guidance from multiple sources. One of their biggest \n        obstacles was trying to overcome the lack of one clear voice \n        for VA\'s FLITE program.\n        *  Did not ensure that the solicitation for the SAM \n        pilot project clearly described VA\'s requirements for SAM \n        end-user training. As such, VA contractually agreed to a training \n        solution that did not meet its expectations. General Dynamics \n        subsequently revised its training approach to meet VA\'s needs, \n        but at a total cost of $1,090,175, which was more than a 300 \n        percent increase from the original $244,451 training cost.\n        *  Did not always effectively identify and manage risks \n        associated with the SAM pilot project even though inadequate \n        risk management had also been a problem with the failed \n        CoreFLS. 
Specifically, FLITE program managers did not take \n        steps early on to ensure that the contractor participated in \n        the risk management process and that the Risk Control Review \n        Board adequately mitigated risks before closing them.\n\n    Because of such issues, in early 2010 VA was considering extending \nthe SAM pilot project by 17 months (from 12 to 29 months), potentially \nmore than doubling the original contract cost of $8 million. We \nrecommended that VA establish stronger program management controls to \nfacilitate achieving cost, schedule, and performance goals, as well as \nmitigating risks related to the successful accomplishment of the SAM \npilot project. (SAM was suspended in March 2011 for not meeting user \nrequirements. Further details are discussed below.)\n\nReview of Alleged Improper Program Management within the FLITE \n        Strategic Asset Management Pilot Project\n\n    This report, in response to a hotline allegation, disclosed that \nFLITE program managers needed to improve their overall management of \nthe SAM pilot project (Review of Alleged Improper Program Management \nwithin the FLITE Strategic Asset Management Pilot Project, September 7, \n2010). FLITE program managers did not develop written procedures that \nclearly defined roles and responsibilities, provide timely guidance to \nprogram and contract staff, or foster an effective working environment \nwithin the FLITE program. FLITE program managers also did not ensure \ncertain elements considered necessary for a successful software \ndevelopment effort, such as ``to be\'\' and architectural models were \nincluded as project deliverables in the FLITE program. 
In general, we \nrecommended that VA strengthen project management controls to improve \nthe SAM pilot, beta, and national deployment projects.\n    New Office of Management and Budget (OMB) guidance on financial \nsystems IT projects, issued on June 28, 2010, also had a major impact \non the FLITE program. OMB issued the guidance because large-scale \nfinancial system modernization efforts undertaken by Federal agencies \nhave historically led to complex project management requirements that \nare difficult to manage. Moreover, by the time the lengthy projects are \nfinished, they are technologically obsolete. Consequently, OMB directed \nall Chief Financial Officer Act agencies immediately to halt the \nissuance of new procurements for financial system projects until it \napproves new project plans developed by the agencies. In July 2010, \nVA\'s Assistant Secretary for Information and Technology announced \ntermination of the IFAS and Data Warehouse portions of FLITE. In March \n2011, the SAM pilot project, the final component of the FLITE program, \nwas suspended just weeks before it was scheduled for deployment. SAM \nhad received its ``third strike\'\' in the PMAS review process for \nfailing user acceptance testing, which indicated that SAM was not ready \nfor live operation. As of March 2011, program managers estimated \nobligations of about $126 million for the FLITE program; of that \namount, the SAM project represented approximately $40 million.\n\nGI Bill Long Term Solution\n\n    In September 2010, we reported that OI&T\'s plan for deployment of \nthe GI Bill Long Term Solution (LTS) was effective in part (Audit of \nVA\'s Implementation of the Post-9/11 GI Bill Long Term Solution, \nSeptember 30, 2010). LTS is a fully automated claims processing system \nthat utilizes a rules-based engine to process Post-9/11 GI Bill Chapter \n33 veterans\' education benefits.\n    OI&T developed and deployed both LTS Releases 1 and 2 on time. 
\nLacking the management discipline and processes necessary to control \nperformance and cost in project development, OI&T has relied upon PMAS \nto achieve project scheduling goals. With this schedule-driven \nstrategy, OI&T has been able to satisfy users and incrementally move VA \nforward in providing automated support for education benefits \nprocessing under the Post-9/11 GI Bill.\n    However, OI&T\'s achievement of the time frames for LTS Releases 1 \nand 2 required that VA sacrifice much of the system functionality \npromised. Specifically, due to unanticipated complexities in developing \nthe system, OI&T deployed Release 1 as a ``pilot\'\' to approximately 16 \nclaims examiners, with the functionality to handle only 15 percent of \nthe Chapter 33 education claims that the Veterans Benefits \nAdministration anticipated processing. Release 2 caught up on the \nfunctionality postponed from Release 1, while providing the capability \nto process 95 percent of all Chapter 33 education claims. However, due \nto data structure and quality issues that still had to be overcome, \nusers could not make use of all of the functionality provided through \nRelease 2 and were able to process only 30 percent of all Chapter 33 \neducation claims. In addition to these performance issues, OI&T did not \nhave processes in place to track actual LTS project costs.\n    Following Release 3 that allowed VA to automate input of college \nenrollment information, OI&T deployed LTS Release 4 in accordance with \nthe original delivery schedule of December 2010. OI&T recently deployed \nLTS Release 4.2 and has plans for two additional releases, tentatively \nscheduled for June and November 2011, to accommodate recent revisions \nto the Post-9/11 GI Bill. These LTS releases should provide \nenhancements such as automated scheduling for future housing \nallocations, and claims processing for licensing and certification and \nnational tests. 
Any delays in providing the promised functionality \ncould require continued manual processing, which could in turn delay \npayment of GI Bill benefits to veterans.\n    In the absence of effective performance and cost controls, OI&T \nruns the risk that future LTS releases may continue to meet schedule, \nbut at the expense of performance and cost project goals. We \nrecommended that OI&T improve LTS management by conducting periodic \nindependent reviews to help identify and address system development and \nimplementation issues as they arise. We also recommended that OI&T \nadopt cost control processes and tools to ensure accountability for LTS \ncosts in accordance with Federal IT investment management requirements. \nOI&T concurred with our recommendations and provided acceptable plans \nof action, but implementation of corrective actions such as putting \nindependent oversight reviews into place is still ongoing.\n\nVeterans Services Network\n\n    In February 2011, we reported that the Veterans Services Network \n(VETSNET) program faces the continuing challenge of managing competing \nrequirements and new systems initiatives that have repeatedly changed \nthe scope and direction of the program (Audit of the Veterans Service \nNetwork, February 11, 2001). Since 1996, VA has been working on this \neffort to consolidate compensation and pension benefits processing into \na single replacement system. However, the repeated changes have \nadversely impacted schedule, cost, and performance goals over the life \nof VETSNET development. Given a loss of focus concerning the end goals \nof the program, VA\'s plans and time frames for retiring the aging \nBenefits Delivery Network and migrating all entitlement programs to the \nVETSNET Corporate Database have become unclear. Work to meet original \nprogram objectives has been extended by nearly 5 years. 
In 2009, VA \nreported a revised cost estimate of $308 million through 2012, more \nthan two times an amount previously projected in 2006.\n    Further, frequently changing business requirements have \nnecessitated additional VETSNET software releases. Because software \nchange controls and testing have not been adequate to ensure proper \nsystem functionality, software rework and rollback of installation \npackages have been required to correct defects, and planned \nfunctionality enhancements have been delayed. We recommended that VA \nalign resources and establish a schedule for accomplishing the original \ngoals of VETSNET in the near term. We also recommended that VA \nimplement improved processes to address software development \ndeficiencies.\n\nIT ACQUISITION AND CONTRACT MANAGEMENT WEAKNESSES\n\n    In response to a hotline complaint, we reviewed the contract \nawarded to Catapult Technology, Ltd., for the installation of wireless \nfidelity (Wi-Fi) services at 236 VA sites (Review of Allegations of \nAcquisition Planning Weaknesses and Cost Overruns on the Contract \nAwarded to Catapult Technology, Ltd., March 31, 2011). The complainant \nmade several allegations regarding the award and administration of the \ncontract. Our review substantiated all of the allegations except one, \nand partially substantiated the remaining allegation.\n    We determined that the time frames established to plan, solicit, \nand award the contract were unreasonable. VA did not establish firm \nrequirements and issued a Statement of Objectives that lacked the \ndetail needed for vendors to submit reasonable, firm fixed-price \nproposals. 
Because of inadequate planning and incomplete information \nregarding requirements, VA processed modifications that caused contract \ncosts to increase significantly; the current contract costs are \nprojected at $161.5 million, which is a $70.5 million (77 percent) \nincrease in contract costs.\n    VA processed modifications adding additional sites; however, the \ncontract had no provision that permitted VA to increase the number of \nsites. We also determined that VA was improperly paying Catapult on a \nmilestone basis rather than on a completed site basis according to the \ncontract terms. This was not only inconsistent with the contract, it \nwas also inconsistent with the information provided to vendors during \nsolicitation. The Office of Acquisitions and Logistics concurred with \nall our findings and recommendations and terminated the contract.\n\nCONCLUSION\n\n    VA continues to rely on IT advancements to provide better services \nto our Nation\'s veterans. Historically, VA has struggled to manage IT \ndevelopments that successfully deliver desired results within cost, \nschedule, and performance objectives. OI&T recently implemented PMAS to \nstrengthen IT project management and improve the rate of success of \nVA\'s IT projects. We are currently conducting an audit to determine \nwhether OI&T has planned and implemented PMAS with the management \ncontrols needed for effective oversight of the Department\'s IT \ninitiatives. Specifically, we are examining PMAS data reliability, \nproject cost tracking, and guidance and processes for ensuring project \ncompliance with the oversight approach. Our audit results should \nprovide valuable information to VA and Congress as VA moves forward in \nmanaging its technology investments. We expect to issue a final report \nthis summer.\n    Mr. Chairman, this concludes my statement. 
We would be pleased to \nanswer any questions that you or other Members of the Subcommittee may \nhave.\n\n      Prepared Statement of Joel C. Willemssen, Managing Director,\n     Information Technology, U.S. Government Accountability Office\n         INFORMATION TECHNOLOGY: Department of Veterans Affairs\n                  Faces Ongoing Management Challenges\n                             GAO HIGHLIGHTS\nWhy GAO Did This Study\n\n    The use of information technology (IT) is crucial to helping the \nDepartment of Veterans Affairs (VA) effectively serve the Nation\'s \nveterans, and the department has expended billions of dollars annually \nover the last several years to manage and secure its information \nsystems and assets. VA has, however, experienced challenges in managing \nits IT. GAO has previously highlighted VA\'s weaknesses in managing and \nsecuring its information systems and assets.\n    GAO was asked to testify on its past work on VA\'s weaknesses in \nmanaging its IT resources, specifically in the areas of systems \ndevelopment, information security, and collaboration with the \nDepartment of Defense (DoD) on efforts to meet common health system \nneeds.\n\nWhat GAO Recommends\n\n    In previous reports in recent years, GAO has made numerous \nrecommendations to VA aimed at improving the department\'s IT management \ncapabilities. These recommendations were focused on: improving two \nprojects to develop and implement new systems, strengthening \ninformation security practices and ensuring that security issues are \nadequately addressed, and overcoming barriers VA faces in collaborating \nwith DoD to jointly address the departments\' common health care \nbusiness needs.\n\nWhat GAO Found\n\n    Recently, GAO reported on two VA systems development projects that \nhave yielded mixed results. 
For its outpatient appointment scheduling \nproject, VA spent an estimated $127 million over 9 years and was unable \nto implement any of the planned capabilities. The application software \nproject was hindered by weaknesses in several key management \ndisciplines, including acquisition planning, requirements analysis, \ntesting, progress reporting, risk management, and oversight. For its \nPost-9/11 GI Bill educational benefits system, VA used a new \nincremental software development approach and deployed the first two of \nfour releases of its long-term system solution by its planned dates, \nthereby providing regional processing offices with key automated \ncapabilities to prepare original and amended benefits claims. However, \nVA had areas for improvement, including establishing business \npriorities, testing the new systems, and providing oversight.\n    Effective information security controls are essential to securing \nthe information systems and information on which VA depends to carry \nout its mission. For over a decade, VA has faced long-standing \ninformation security weaknesses as identified by GAO, VA\'s Office of \nthe Inspector General, VA\'s independent auditor, and the department \nitself. The department continues to face challenges in maintaining its \ninformation security controls over its systems and in fully \nimplementing the information security program required under the \nFederal Information Security Management Act of 2002. These weaknesses \nhave left VA vulnerable to disruptions in critical operations, theft, \nfraud, and inappropriate disclosure of sensitive information.\n    VA and DoD operate two of the Nation\'s largest health care systems, \nproviding health care to 6 million veterans and 9.6 million active duty \nservicemembers at estimated annual costs of about $48 billion and $49 \nbillion, respectively. 
To provide this care, both departments rely on \nelectronic health record systems to create, maintain, and manage \npatient health information. GAO reported earlier this year that VA \nfaced barriers in establishing shared electronic health record \ncapabilities with DoD in three key IT management areas--strategic \nplanning, enterprise architecture (i.e., a description of business \nprocesses and supporting technologies), and IT investment management. \nSpecifically, the departments were unable to articulate explicit plans, \ngoals, and time frames for jointly addressing the health IT \nrequirements common to both departments\' electronic health record \nsystems. Additionally, although VA and DoD took steps toward developing \nand maintaining artifacts related to a joint health architecture, the \narchitecture was not sufficiently mature to guide the departments\' \njoint health IT modernization efforts. Lastly, VA and DoD did not have \na joint process for selecting IT investments based on criteria that \nconsider cost, benefit, schedule, and risk elements, which would help \nto ensure that the chosen solution both meets the departments\' common \nhealth IT needs and provides better value and benefits to the \ngovernment as a whole. Subsequent to our report, the Secretaries of \nVeterans Affairs and Defense agreed to pursue integrated electronic \nhealth record capabilities.\n\n                               __________\n\n    Mr. Chairman and Members of the Subcommittee:\n    I am pleased to be a part of today\'s dialogue with the Subcommittee \non the Department of Veterans Affairs\' (VA) actions to better manage \nits information technology (IT) resources. 
The use of IT is crucial to \nhelping VA effectively serve the Nation\'s veterans and the department \nhas expended billions of dollars over the last several years to manage \nand secure its information systems and assets--the department\'s budget \nfor IT now exceeds $3 billion annually.\n    VA has, however, experienced challenges in managing its IT \nresources, as we have previously reported.\\1\\ As you requested, in my \ntestimony today, I will describe those challenges, specifically in the \nareas of systems development, information security, and collaborating \nwith the Department of Defense (DoD) to jointly develop electronic \nhealth record system capabilities.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Electronic Health Records: DoD and VA Should Remove \nBarriers and Improve Efforts to Meet Their Common System Needs, GAO-11-\n265 (Washington, D.C.: February 2011); Information Technology: Veterans \nAffairs Can Further Improve Its Development Process for Its New \nEducation Benefits System, GAO-11-115 (Washington, D.C.: December \n2010); Information Security: Federal Guidance Needed to Address Control \nIssues with Implementing Cloud Computing, GAO-10-513 (Washington, D.C.: \nMay 2010); Information Technology: Management Improvements Are \nEssential to VA\'s Second Effort to Replace Its Outpatient Scheduling \nSystem, GAO-10-579 (Washington, D.C.: May 2010); and Information \nSecurity: Veterans Affairs Needs to Resolve Long-Standing Weaknesses, \nGAO-10-727T (Washington, D.C.: May 19, 2010).\n---------------------------------------------------------------------------\n    The information in my testimony is based primarily on our previous \nwork at VA. We also obtained and analyzed pertinent documentation to \ndetermine the current status of selected department management efforts. \nWe conducted our work in support of this testimony during May 2011 in \nthe Washington, D.C., area. 
All work on which this testimony is based \nwas conducted in accordance with generally accepted government auditing \nstandards.\n\nBackground\n\n    VA\'s mission is to promote the health, welfare, and dignity of all \nveterans in recognition of their service to the Nation by ensuring that \nthey receive medical care, benefits, social support, and lasting \nmemorials. According to information from the department, its employees \nmaintain the largest integrated health care system in the Nation for \nmore than 5 million patients at more than 1,500 sites of care, provide \ncompensation and pension benefits for nearly 4 million veterans and \nbeneficiaries, and maintain nearly 3 million gravesites at 163 \nproperties. Over time, the use of IT has become increasingly important \nto the department\'s efforts to provide these benefits and services to \nveterans; VA relies on its IT systems for medical information and \nrecords and for processing benefits claims, including compensation and \npension and education benefits. Further, VA is increasingly expected to \nimprove its service to veterans by sharing information with other \ndepartments, especially DoD.\n    VA\'s fiscal year 2012 request for almost $3.2 billion in IT budget \nauthority indicates the range of the department\'s IT activities. 
For \nexample, the request includes:\n\n        <bullet>  about $1.4 billion to operate and maintain existing \n        infrastructure and systems;\n        <bullet>  approximately $650 million to develop new system \n        capabilities to support, for example, faster compensation and \n        pension claims processing, elimination of veteran homelessness, \n        and improvement of veteran mental health;\n        <bullet>  $68 million for information security activities; and\n        <bullet>  $915 million to fund about 7,000 IT personnel.\n\n    Our prior work has shown that success in managing IT depends, among \nother things, on having and using effective system development \ncapabilities and having effective controls over information and \nsystems. We have issued several products on VA in important management \nareas where the department faces challenges. My testimony today will \nbriefly summarize these products.\n\nRecent System Development Projects Have Achieved Varied Degrees of \n        Success\n\n    Historically, VA has experienced significant IT development and \ndelivery difficulties. We recently reported on two important VA systems \ndevelopment projects.\\2\\ The first project expended an estimated $127 \nmillion without delivering any of the planned capabilities. VA has \nbegun implementing capabilities from the second project, although we \nidentified opportunities for improvement.\n---------------------------------------------------------------------------\n    \\2\\ GAO-10-579 and GAO-11-115.\n---------------------------------------------------------------------------\n\nVA\'s Scheduling Replacement Project Was Hindered by Systems Development \n        and Acquisition Weaknesses\n\n    To carry out VA\'s daily operations in providing care to veterans \nand their families, the department relies on an outpatient appointment \nscheduling system. 
However, according to the department, this current \nscheduling system has had long-standing limitations that have impeded \nits effectiveness. Consequently, VA began work on a replacement system \nin 2000. However, after spending an estimated $127 million over 9 \nyears, VA had not implemented any of the planned capabilities.\n    VA\'s efforts to successfully complete the Scheduling Replacement \nProject were hindered by weaknesses in several key project management \ndisciplines and a lack of effective oversight. Specifically,\n\n        <bullet>  VA did not adequately plan its acquisition of the \n        scheduling application and did not obtain the benefits of \n        competition. The Federal Acquisition Regulation (FAR) required \n        preparation of acquisition plans \\3\\ that must address how \n        competition will be sought, promoted, and sustained.\\4\\ VA did \n        not develop an acquisition plan until May 2005, about 4 years \n        after the department first contracted for a new scheduling \n        system. Further, VA did not promote competition in contracting \n        for its scheduling system. Instead, VA issued task orders \n        against an existing contract that the department had in place \n        for acquiring services such as printing, computer maintenance, \n        and data entry. These weaknesses in VA\'s acquisition management \n        reflected the inexperience of the department\'s personnel in \n        administering major IT contracts. To address identified \n        shortcomings, we recommended that VA ensure that future \n        acquisition plans document how competition will be sought, \n        promoted, and sustained.\n---------------------------------------------------------------------------\n    \\3\\ See FAR, subpart 7.1. 
See also FAR 34.004.\n    \\4\\ See FAR 7.105 b(2).\n---------------------------------------------------------------------------\n        <bullet>  VA did not ensure that requirements were complete and \n        sufficiently detailed. Effective, disciplined practices for \n        defining requirements include analyzing requirements to ensure \n        that they are complete, verifiable, and sufficiently \n        detailed.\\5\\ For example, maintaining bidirectional \n        traceability from high-level operational requirements through \n        detailed low-level requirements to test cases is a disciplined \n        requirements management practice. However, VA did not \n        adequately define requirements. For example, in November 2007, \n        VA determined that performance requirements were missing and \n        that some requirements were not testable. Further, according to \n        project officials, some requirements were vague and open to \n        interpretation. Also, requirements for processing information \n        from other systems were missing. The incomplete and \n        insufficiently detailed requirements resulted in a system that \n        did not function as intended. In addition, VA did not ensure \n        that requirements were fully traceable. As early as October \n        2006, an internal review noted that the requirements did not \n        trace to business rules or to test cases. By not ensuring \n        requirements traceability, the department increased the risk \n        that the system could not be adequately tested and would not \n        function as intended. 
We therefore recommended that VA ensure \n        implementation of a requirements management plan that reflected \n        leading practices.\n---------------------------------------------------------------------------\n    \\5\\ See Carnegie Mellon Software Engineering Institute, Capability \nMaturity Model Integration for Development, version 1.2 \n(Pittsburgh, Pa., August 2006), and Software Acquisition Capability \nMaturity Model (SA-CMM) version 1.03, CMU/SEI-2002-TR-010 (Pittsburgh, \nPa., March 2002).\n---------------------------------------------------------------------------\n        <bullet>  VA\'s concurrent approach to performing system tests \n        increased risk. Best practices in system testing indicate that \n        testing activities should be performed incrementally, so that \n        problems and defects \\6\\ with software versions can be \n        discovered and corrected early. VA\'s guidance on conducting \n        tests is consistent with these practices and specifies four \n        test stages and associated criteria for progressing through the \n        stages.\\7\\ For example, defects categorized as critical, major, \n        and average severity identified in testing stage one are to be \n        resolved before testing in stage two is begun. Nonetheless, VA \n        took a high-risk approach to testing by performing tests \n        concurrently rather than incrementally. Scheduling project \n        officials told us that they ignored their own testing guidance \n        and performed concurrent testing at the direction of Office of \n        Enterprise Development senior management in an effort to \n        prevent project timelines from slipping. The first version to \n        undergo stage two testing had 370 defects that should have been \n        resolved before stage two testing was begun. 
Almost 2 years \n        after beginning stage two testing, 87 defects that should have \n        been resolved before stage two testing began had not been \n        fixed. As a result of a large number of defects that VA and the \n        contractor could not resolve, the contract was terminated. To \n        prevent these types of problems with future system development \n        efforts, we recommended that VA adhere to its own guidance for \n        system testing.\n---------------------------------------------------------------------------\n    \\6\\ Defects are system problems that require a resolution and can \nbe due to a failure to meet the system specifications.\n    \\7\\ According to VA testing documentation, these stages are (1) \ntesting within the VA development team, (2) testing services, (3) field \ntesting, and (4) final review and acceptance testing.\n---------------------------------------------------------------------------\n        <bullet>  VA\'s reporting based on earned value management data \n        was unreliable. The Office of Management and Budget (OMB) and \n        VA policies require major projects to use earned value \n        management \\8\\ to measure and report progress. Earned value \n        management is a tool for measuring a project\'s progress by \n        comparing the value of work accomplished with the amount of \n        work expected to be accomplished. Such a comparison permits \n        actual performance to be evaluated and is based on variances \n        \\9\\ from the cost and schedule baselines. In January 2006, the \n        scheduling project began providing monthly reports to the \n        department\'s Chief Information Officer based on earned value \n        management data. However, the progress reports included \n        contradictory information about project performance. 
\n        Specifically, the reports featured stoplight indicators (green, \n        yellow, or red) that frequently were inconsistent with the \n        reports\' narrative. For example, the June 2007 report \n        identified project cost and schedule performance as green, \n        despite the report noting that the project budget was being \n        increased by $3 million to accommodate schedule delays. This \n        inconsistent reporting continued until October 2008, when the \n        report began to show cost and schedule performance as red, the \n        actual state of the project. Further, the former program \n        manager noted that the department performed earned value \n        management for the scheduling project only to fulfill the OMB \n        requirement, and that the data were not used as the basis for \n        decision-making because doing so was not a part of the \n        department\'s culture. To address these weaknesses, we \n        recommended that VA ensure effective implementation of earned \n        value management.\n---------------------------------------------------------------------------\n    \\8\\ OMB issued policy guidance (M-05-23) to agency CIOs on \nimproving technology projects that includes requirements for reporting \nperformance to OMB using earned value management (August 2005).\n    \\9\\ Cost variances compare the value of the completed work (i.e., \nthe earned value) with the actual cost of the work performed. Schedule \nvariances are also measured in dollars, but they compare the earned \nvalue of the completed work with the value of the work that was \nexpected to be completed. Positive variances indicate that activities \ncost less or are completed ahead of schedule. 
Negative variances \nindicate activities cost more or are falling behind schedule.\n---------------------------------------------------------------------------\n        <bullet>  VA did not effectively identify, mitigate, and \n        communicate project risks. Federal guidance and best practices \n        advocate risk management.\\10\\ To be effective, risk management \n        activities should include identifying and prioritizing risks as \n        to their probability of occurrence and impact, documenting them \n        in an inventory, and developing and implementing appropriate \n        risk mitigation strategies. VA established a process for \n        managing the scheduling system project\'s risks that was \n        consistent with relevant best practices. Specifically, project \n        officials developed a risk management plan that defined five \n        phases--risk identification, risk analysis, risk response \n        planning, risk monitoring and control, and risk review. \n        However, the department did not take key project risks into \n        account. Senior project officials indicated that staff members \n        were often reluctant to raise risks or issues to leadership due \n        to the emphasis on keeping the project on schedule. \n        Accordingly, VA did not identify as risks (1) using a \n        noncompetitive acquisition approach, (2) conducting concurrent \n        testing and initiation of stage two testing with significant \n        defects, and (3) reporting unreliable project cost and schedule \n        performance information. Any one of these risks alone had the \n        potential to adversely impact the outcome of the project. The \n        three of them together dramatically increased the likelihood \n        that the project would not succeed. 
To improve management of \n        the project moving forward, we recommended that VA identify \n        risks related to the scheduling project and prepare plans and \n        strategies to mitigate them.\n---------------------------------------------------------------------------\n    \\10\\ OMB Circular A-130 (Nov. 30, 2000) and Carnegie Mellon \nSoftware Engineering Institute, Capability Maturity Model Integration \nfor Development, version 1.2 (Pittsburgh, Pa., August 2006).\n---------------------------------------------------------------------------\n        <bullet>  VA\'s oversight boards did not take corrective actions \n        despite the department becoming aware of significant issues. \n        GAO and OMB guidance call for the use of institutional \n        management processes to control and oversee IT investments.\\11\\ \n        Critical to these processes are milestone reviews that include \n        mechanisms to identify underperforming projects, so that timely \n        steps can be taken to address deficiencies. These reviews \n        should be conducted by a department-level investment review \n        board composed of senior executives. In this regard, VA\'s \n        Enterprise Information Board was established to provide \n        oversight of IT projects through in-process reviews when \n        projects experience problems. Similarly, the Programming and \n        Long-Term Issues Board is responsible for performing milestone \n        reviews and program management reviews of projects. However, \n        between June 2006 and May 2008, the department did not provide \n        oversight of the Scheduling Replacement Project, even though \n        the department had become aware that the project was having \n        difficulty meeting its schedule and performance goals. 
\n        According to the chairman of the Programming and Long-Term \n        Issues Board, it did not conduct reviews of the scheduling \n        project prior to June 2008 because it was focused on developing \n        the department\'s IT budget strategy. To address these \n        deficiencies, in June 2009, VA began establishing the Program \n        Management Accountability System to promote visibility into \n        troubled programs and allow the department to take corrective \n        actions. We recommended that VA ensure the policies and \n        procedures it was establishing were executed effectively.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Information Technology Investment Management: A Framework \nfor Assessing and Improving Process Maturity, GAO-04-394G (Washington, \nD.C.: March 2004) and OMB, Capital Programming Guide: Supplement to \nCircular A-11, Part 7, Planning, Budgeting, and Acquisition of Capital \nAssets (Washington, D.C., June 2006).\n\n    In response to our report, VA concurred with our recommendations \nand described its actions to address them. For example, the department \nstated that it would work closely with contracting officers to ensure \nfuture acquisition plans clearly identify an acquisition strategy that \npromotes full and open competition. In addition, the department stated \nthat the Program Management Accountability System will provide near-\nterm visibility into troubled programs, allowing the Principal Deputy \nAssistant Secretary for Information and Technology to provide help \nearlier and avoid long-term project failures.\n    In May 2011, VA\'s program manager stated that the department\'s \neffort to develop a new outpatient scheduling system--now referred to \nas 21st Century Medical Scheduling--consists largely of planning \nactivities, including the identification of requirements. 
However, \naccording to the manager, the project is not included in the \ndepartment\'s fiscal year 2012 budget request. As a result, the \ndepartment\'s plans for addressing the limitations that it had \nidentified in its current scheduling system are uncertain.\n\nVA Has Partially Delivered New Education Benefits System Capabilities, \n        but Can Improve Its Development Process\n\n    In contrast to the scheduling system project failure, VA has begun \nimplementing a new system for processing a recently established \neducation benefit for veterans. The Post-9/11 GI Bill provides \neducational assistance for veterans and members of the armed forces who \nserved on or after September 11, 2001. VA concluded that its existing \nsystem and manual processes were insufficient to support the new \nbenefits. For instance, the system was not fully integrated with other \ninformation systems such as VA\'s payments system, requiring claims \nexaminers to access as many as six different systems and manually input \nclaims data. Consequently, claims examiners reportedly took up to six \ntimes longer to pay Post-9/11 GI Bill program claims than other VA \neducation benefit claims. The challenges associated with its processing \nsystem contributed to a backlog of 51,000 claims in December 2009. In \nresponse to this situation, the department began an initiative to \nmodernize its benefits processing capabilities. 
VA chose an incremental \ndevelopment approach, referred to as Agile software development,\\12\\ \nwhich is intended to deliver functionality in short increments before \nthe system is fully deployed.\n---------------------------------------------------------------------------\n    \\12\\ Agile software development is not a set of tools or a single \nmethodology, but a philosophy based on selected values, such as, the \nhighest priority is to satisfy customers through early and continuous \ndelivery of valuable software; delivering working software frequently, \nfrom a couple of weeks to a couple of months; and that working software \nis the primary measure of progress. For more information on Agile \ndevelopment, see http://www.agilealliance.org.\n---------------------------------------------------------------------------\n    In December 2010, we reported that VA had delivered key automated \ncapabilities used to process the new education benefits. Specifically, \nit deployed the first two of four releases of its long-term system \nsolution by its planned dates, thereby providing regional processing \noffices with key automated capabilities to prepare original and amended \nbenefits claims. Further, VA established Agile practices including a \ncross-functional team that involves senior management, governance \nboards, key stakeholders, and distinct Agile roles and began using \nthree other Agile practices--focusing on business priorities, \ndelivering functionality in short increments, and inspecting and \nadapting the project.\n    However, to help guide the full development and implementation of \nthe new system, we reported that VA could make further improvements to \nthese practices in five areas.\n\n        1.  Business priorities. To ensure business priorities are a \n        focus, a project starts with a vision that contains, among \n        other things, a purpose, goals, metrics, and constraints. 
In \n        addition, it should be traceable to requirements. VA \n        established a vision that captured the project purpose and \n        goals; however, it had not established metrics for the \n        project\'s goals or prioritized project constraints. Department \n        officials stated that project documentation was evolving and \n        they intended to improve their processes based on lessons \n        learned; however, until it identified metrics and constraints, \n        the department did not have the means to compare the projected \n        performance with the actual results. We recommended that VA \n        establish performance measures for goals and identify \n        constraints to provide better clarity in the vision and \n        expectations of the project.\n        2.  Traceability. VA had also established a plan that \n        identified how to maintain requirements traceability within an \n        Agile environment; however, the traceability was not always \n        maintained between legislation, policy, business rules, and \n        test cases. We recommended that VA establish bidirectional \n        traceability between requirements and legislation, policies, \n        and business rules.\n        3.  Definition of ``done.\'\' To aid in delivering functionality \n        in short increments, defining what constitutes completed work \n        and testing functionality is critical.\\13\\ However, VA had not \n        established criteria for work that was considered ``done\'\' at \n        all levels of the project. Program officials stated that each \n        development team had its own definition of ``done\'\' and agreed \n        that they needed to provide a standard definition across all \n        teams. Without a mutual agreement for what constitutes ``done\'\' \n        at each level, the resulting confusion can lead to inconsistent \n        quality. 
We therefore recommended that VA define the conditions \n        that must be present to consider work ``done\'\' in adherence \n        with agency policy and guidance.\n---------------------------------------------------------------------------\n    \\13\\ One of the key Agile principles is that the delivery of \ncompleted software be defined, commonly referred to as the definition \nof ``done.\'\' This is critical to the development process to help ensure \nthat, among other things, testing has been adequately performed and the \nrequired documentation has been developed.\n---------------------------------------------------------------------------\n        4.  Testing. While the department had established an \n        incremental testing approach, the quality of unit and \n        functional testing performed during Release 2 was inadequate in \n        10 of the 20 segments of system functionality we reviewed. \n        Program officials stated that they placed higher priority on \n        user acceptance testing at the end of a release and relied on \n        users to identify defects that were not detected during unit \n        and functional testing. Without improved testing quality, the \n        department risks deploying future releases that contain defects \n        that may require rework. To reduce defects and rework to fix \n        them, we recommended that VA improve the adequacy of the unit \n        and functional testing processes.\n        5.  Oversight. In order for projects to be effectively \n        inspected and adapted, management must have tools to provide \n        effective oversight. For Agile development, progress and the \n        amount of work remaining can be reflected in a burn-down chart, \n        which depicts how factors such as the rate at which work is \n        completed (velocity) and changes in overall product scope \n        affect the project over time. 
While VA had an oversight tool \n        that showed the percentage of work completed to reflect project \n        status at the end of each iteration, it did not depict the \n        velocity of the work completed and the changes to scope over \n        time. We therefore recommended that VA implement an oversight \n        tool to clearly communicate velocity and the changes to project \n        scope over time.\n\n    VA concurred with three of our five recommendations. It did not \nconcur with our recommendation that it implement an oversight tool to \nclearly communicate velocity. However, without this level of visibility \nin its reporting, management and the development teams may not have all \nthe information they need to fully understand project status. VA also \ndid not concur with our recommendation to improve the adequacy of the \nunit and functional testing processes to reduce the amount of system \nrework. However, without increased focus on the quality of testing \nearly in the development process, VA risks delaying functionality and/\nor deploying functionality with unknown defects that could require \nfuture rework that may be costly and ultimately impede the claims \nexaminers\' ability to process claims efficiently.\n    In early May 2011, we reported that the implementation of remaining \ncapabilities is behind schedule and additional modifications are \nneeded.\\14\\ According to VA officials, system enhancements such as \nautomatic verification of the length of service were delayed because of \ncomplexities with systems integration and converting data from the \ninterim system. Additionally, recent legislative changes to the program \nrequired VA to modify the system and its deployment schedule. For \ninstance, VA will need to modify its system to reflect changes to the \nway tuition and fees are calculated--an enhancement that officials \ndescribed as difficult to implement. 
Because of these delays, final \ndeployment of the system is now scheduled for the end of 2011--a year \nlater than planned.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Veterans\' Education Benefits: Enhanced Guidance and \nCollaboration Could Improve Administration of the Post-9/11 GI Bill \nProgram, GAO-11-356R (Washington, D.C.: May 2011).\n\n---------------------------------------------------------------------------\nVA Continues To Face Information Security Challenges\n\n    Effective information security controls \\15\\ are essential to \nsecuring the information systems and information on which VA depends to \ncarry out its mission. Without proper safeguards, the department\'s \nsystems are vulnerable to individuals and groups with malicious intent \nwho can intrude and use their access to obtain sensitive information, \ncommit fraud, disrupt operations, or launch attacks against other \ncomputer systems and networks. The consequence of weak information \nsecurity controls was illustrated by VA\'s May 2006 announcement that \ncomputer equipment containing personal information on veterans and \nactive duty military personnel had been stolen. Further, over the last \nfew years, VA has reported an increasing number of security incidents \nand events. Specifically, each year during fiscal years 2007 through \n2009, the department reported a higher number of incidents and the \nhighest number of incidents in comparison to 23 other major Federal \nagencies.\n---------------------------------------------------------------------------\n    \\15\\ Information system general controls affect the overall \neffectiveness and security of computer operations and are not unique to \nspecific computer applications. 
These controls include security \nmanagement, configuration management, operating procedures, software \nsecurity features, and physical protections designed to ensure that \naccess to data is appropriately restricted, that only authorized \nchanges to computer programs are made, that incompatible computer-\nrelated duties are segregated, and that backup and recovery plans are \nadequate to ensure the continuity of operations.\n---------------------------------------------------------------------------\n    To help protect against threats to Federal systems, the Federal \nInformation Security Management Act of 2002 (FISMA) sets forth a \ncomprehensive framework for ensuring the effectiveness of information \nsecurity controls over information resources that support Federal \noperations and assets. The framework creates a cycle of risk management \nactivities necessary for an effective security program. In order to \nensure the implementation of this framework, FISMA assigns specific \nresponsibilities to OMB, agency heads, chief information officers, \ninspectors general, and the National Institute of Standards and \nTechnology (NIST), in particular requiring chief information officers \nand inspectors general to submit annual reports to OMB.\n    In addition, Congress enacted the Veterans Benefits, Health Care, \nand Information Technology Act of 2006.\\16\\ Under the act, VA\'s Chief \nInformation Officer is responsible for establishing, maintaining, and \nmonitoring departmentwide information security policies, procedures, \ncontrol techniques, training, and inspection requirements as elements \nof the department\'s information security program. 
It also reinforced \nthe need for VA to establish and carry out the responsibilities \noutlined in FISMA, and included provisions to further protect veterans \nand servicemembers from the misuse of their sensitive personal \ninformation and to inform Congress regarding security incidents \ninvolving the loss of that information.\n---------------------------------------------------------------------------\n    \\16\\ Veterans Benefits, Health Care, and Information Technology Act \nof 2006, Pub. L. No. 109-461, 120 Stat. 3403, 3450 (Dec. 22, 2006).\n\n---------------------------------------------------------------------------\nWeaknesses in Security Controls Have Placed VA\'s Systems at Risk\n\n    Information security has been a long-standing challenge for the \ndepartment, as we have previously reported. In 2010, for the 14th year \nin a row, VA\'s independent auditor reported that inadequate information \nsystem controls over financial systems constituted a material \nweakness.\\17\\ Among 24 major Federal agencies, VA was one of eight \nagencies in fiscal year 2010 to report such a material weakness.\n---------------------------------------------------------------------------\n    \\17\\ A material weakness is a significant deficiency, or \ncombination of significant deficiencies, that results in more than a \nremote likelihood that a material misstatement of the financial \nstatements will not be prevented or detected by the entity\'s internal \ncontrol.\n---------------------------------------------------------------------------\n    VA\'s independent auditor stated that, while the department \ncontinued to make steady progress, IT security and control weaknesses \nremained pervasive and placed VA\'s program and financial data at risk. 
\nThe auditor noted the following weaknesses:\n\n        <bullet>  Passwords for key VA network domains and financial \n        applications were not consistently configured to comply with \n        agency policy.\n        <bullet>  Testing of contingency plans for financial management \n        systems at selected facilities was not routinely performed and \n        documented to meet the requirements of VA policy.\n        <bullet>  Many IT security control deficiencies were not \n        analyzed and remediated across the agency and a large backlog \n        of deficiencies remained in the VA plan of action and \n        milestones system. In addition, previous plans of action and \n        milestones were closed without sufficient and documented \n        support for the closure.\n\n    In addition, VA has consistently had weaknesses in major \ninformation security control areas. As shown in table 1, for fiscal \nyears 2007 through 2010, deficiencies were reported in each of the five \nmajor categories of information security access controls \\18\\ as \ndefined in our Federal Information System Controls Audit Manual.\\19\\\n---------------------------------------------------------------------------\n    \\18\\ Access controls ensure that only authorized individuals can \nread, alter, or delete data; configuration management controls provide \nassurance that only authorized software programs are implemented; \nsegregation of duties reduces the risk that one individual can \nindependently perform inappropriate actions without detection; \ncontinuity of operations planning provides for the prevention of \nsignificant disruptions of computer-dependent operations; and an \nagencywide information security program provides the framework for \nensuring that risks are understood and that effective controls are \nselected and properly implemented.\n    \\19\\ GAO, Federal Information System Controls Audit Manual \n(FISCAM), GAO-09-232G (Washington, D.C.: Feb. 
2009).\n\n\n         Table 1: Control Weaknesses for Fiscal Years 2007-2010\n------------------------------------------------------------------------\n     Security control category        2007      2008      2009      2010\n------------------------------------------------------------------------\nAccess control                      <bullet>  <bullet>  <bullet>  <bullet>\n------------------------------------------------------------------------\nConfiguration management            <bullet>  <bullet>  <bullet>  <bullet>\n------------------------------------------------------------------------\nSegregation of duties               <bullet>  <bullet>  <bullet>  <bullet>\n------------------------------------------------------------------------\nContingency planning                <bullet>  <bullet>  <bullet>  <bullet>\n------------------------------------------------------------------------\nSecurity management                 <bullet>  <bullet>  <bullet>  <bullet>\n------------------------------------------------------------------------\n\n\n    Source: GAO analysis based on VA and Inspector General reports.\n\n    In fiscal year 2010, for the 11th year in a row, the VA\'s Office of \nInspector General designated VA\'s information security program and \nsystem security controls as a major management challenge for the \ndepartment. Of 24 major Federal agencies, the department was 1 of 23 to \nhave information security designated as a major management challenge. 
\nThe Office of Inspector General noted that the department had made \nprogress in implementing components of an agencywide information \nsecurity program, but nevertheless continued to identify major IT \nsecurity deficiencies in the annual information security program \naudits. To assist the department in improving its information security, \nthe Office of Inspector General made recommendations for strengthening \naccess controls, configuration management, change management, and \nservice continuity. Effective implementation of these recommendations \ncould help VA to prevent, limit, and detect unauthorized access to \ncomputerized networks and systems and help ensure that only authorized \nindividuals can read, alter, or delete data.\n    In March 2010, we reported \\20\\ that Federal agencies, including \nVA, had made limited progress in implementing the Federal Desktop Core \nConfiguration (FDCC) initiative to standardize settings on \nworkstations.\\21\\ We determined that VA had implemented certain \nrequirements of the initiative, such as documenting deviations from the \nstandardized set of configuration settings for Windows workstations and \nputting a policy in place to officially approve these deviations. \nHowever, VA had not fully implemented several key requirements. For \nexample, the department had not included language in contracts to \nensure that new acquisitions address the settings and that products of \nIT providers operate effectively using them. Additionally, VA had not \nobtained a NIST-validated tool to monitor implementation of \nstandardized workstation configuration settings. 
To improve the \ndepartment\'s implementation of the initiative, we made four \nrecommendations: (1) complete implementation of VA\'s baseline set of \nconfiguration settings, (2) acquire and deploy a tool to monitor \ncompliance with FDCC, (3) develop, document, and implement a policy to \nmonitor compliance, and (4) ensure that FDCC settings are included in \nnew acquisitions and that products operate effectively using these \nsettings. VA concurred and has addressed the recommendation to ensure \nsettings are included in new acquisitions. The department intends to \nimplement the remaining recommendations in the future.\n---------------------------------------------------------------------------\n    \\20\\ GAO, Information Security: Agencies Need to Implement Federal \nDesktop Core Configuration Requirements, GAO-10-202 (Washington, D.C.: \nMarch 12, 2010).\n    \\21\\ In March 2007, OMB launched the FDCC initiative to standardize \nand strengthen information security at Federal agencies. Under the \ninitiative, agencies were to implement a standardized set of \nconfiguration settings on workstations with Microsoft Windows XP or \nVista operating systems. OMB intended that by implementing the \ninitiative, agencies would establish a baseline level of information \nsecurity, reduce threats and vulnerabilities, and improve protection of \ninformation and related assets.\n\n---------------------------------------------------------------------------\nVA\'s Uneven Implementation of FISMA Has Limited the Effectiveness of \n        Security Efforts\n\n    FISMA requires each agency, including agencies with national \nsecurity systems, to develop, document, and implement an agencywide \ninformation security program to provide security for the information \nand information systems that support the operations and assets of the \nagency, including those provided or managed by another agency, \ncontractor, or other source. 
As part of its oversight responsibilities, \nOMB requires agencies to report on specific performance measures, \nincluding the percentage of:\n\n        <bullet>  employees and contractors receiving IT security \n        awareness training and those who have significant security \n        responsibilities and have received specialized security \n        training,\n        <bullet>  systems whose controls were tested and evaluated, \n        have tested contingency plans, and are certified and \n        accredited.\\22\\\n---------------------------------------------------------------------------\n    \\22\\ Certification is a comprehensive assessment of management, \noperational, and technical security controls in an information system, \nmade in support of security accreditation, to determine the extent to \nwhich the controls are implemented correctly, operating as intended, \nand producing the desired outcome with respect to meeting the security \nrequirements for the system. Accreditation is the official management \ndecision to authorize operation of an information system and to \nexplicitly accept the risk to agency operations based on implementation \nof controls.\n\n    Since fiscal year 2006, VA\'s progress in fully implementing the \ninformation security program required under FISMA and following the \npolicies issued by OMB has been mixed. For example, from 2006 to 2009, \nthe department reported a dramatic increase in the percentage of \nsystems for which a contingency plan was tested in accordance with OMB \npolicy. However, during the same period, it reported decreases in both \nthe percentage of employees who had received security awareness \ntraining and the percentage of employees with significant security \nresponsibilities who had received specialized security training. 
These \ndecreases in the percentage of individuals who had received information \nsecurity training could limit the ability of VA to effectively \nimplement security measures.\n    For fiscal year 2009, in comparison to 23 other major Federal \nagencies, VA\'s efforts to implement these information security control \nactivities were equal to or higher in some areas and lower in others. \nFor example, VA reported equal or higher percentages than other Federal \nagencies in the number of systems for which security controls had been \ntested and reviewed in the past year, the number of systems for which \ncontingency plans had been tested in accordance with OMB policy, and \nthe number of systems that had been certified and accredited. However, \nVA reported lower percentages of individuals who received security \nawareness training and lower percentages of individuals with \nsignificant security responsibilities who received specialized security \ntraining.\n\nCloud Computing Presents Opportunities but Poses IT Security Challenges\n\n    Cloud computing is an emerging form of computing that relies on \nInternet-based services and resources to provide computing services to \ncustomers, while freeing them from the burden and costs of maintaining \nthe underlying infrastructure. Examples of cloud computing include Web-\nbased e-mail applications and common business applications that are \naccessed online through a browser, instead of through a local computer. \nThe President\'s budget has identified the adoption of cloud computing \nin the Federal Government as a way to more efficiently use the billions \nof dollars spent annually on IT. 
However, as we reported in May \n2010,\\23\\ Federal guidance and processes that specifically address \ninformation security for cloud computing had not yet been developed, \nand those cloud computing programs that have been implemented may not \nhave effective information security controls in place.\n---------------------------------------------------------------------------\n    \\23\\ GAO-10-513.\n---------------------------------------------------------------------------\n    As we reported, cloud computing can both increase and decrease the \nsecurity of information systems in Federal agencies. Potential \ninformation security benefits include those related to the use of \nvirtualization, such as faster deployment of patches, and from \neconomies of scale, such as potentially reduced costs for disaster \nrecovery. Risks include dependence on the security practices and \nassurances of the provider, dependence on the provider, and concerns \nrelated to sharing computing resources. However, these risks may vary \nbased on the cloud deployment model. Private clouds may have a lower \nthreat exposure than public clouds, but evaluating this risk requires \nan examination of the specific security controls in place for the \ncloud\'s implementation. We made recommendations to OMB, the General \nServices Administration, and NIST to assist agencies in identifying \nuses of cloud computing and necessary security measures, selecting and \nacquiring cloud computing products and services, and implementing \nappropriate information security controls when using cloud computing.\n\nVA Faces Barriers To Establishing Shared Electronic Health Record \n        Capabilities With DoD\n\n    VA and DoD have two of the Nation\'s largest health care operations, \nproviding health care to 6 million veterans and 9.6 million active duty \nservicemembers and their beneficiaries at estimated annual costs of \nabout $48 billion and $49 billion, respectively. 
Although the results \nof a 2008 study found that more than 97 percent of functional \nrequirements for an inpatient electronic health record system are \ncommon to both departments, the departments have spent large sums of \nmoney to separately develop and operate electronic health record \nsystems. Furthermore, the departments have each begun multimillion \ndollar modernizations of their electronic health record systems. \nSpecifically, VA reported spending almost $600 million from 2001 to \n2007 on eight projects as part of its Veterans Health Information \nSystems and Technology Architecture (VistA) modernization. In April \n2008, VA estimated an $11 billion total cost to complete the \nmodernization by 2018. For its part, DoD has obligated approximately $2 \nbillion over the 13-year life of its Armed Forces Health Longitudinal \nTechnology Application (AHLTA) and requested $302 million in fiscal \nyear 2011 funds for a new system.\n    Additionally, VA and DoD are working to establish the Virtual \nLifetime Electronic Record (VLER), which is intended to facilitate the \nsharing of electronic medical, benefits, and administrative information \nbetween the departments. VLER is further intended to expand the \ndepartments\' health information sharing capabilities by enabling access \nto private-sector health data. The departments are also developing \njoint IT capabilities for the James A. Lovell Federal Health Care \nCenter (FHCC) in North Chicago, Illinois. 
The FHCC is to be the first \nVA/DoD medical facility operated under a single line of authority to \nmanage and deliver medical and dental care for veterans, new Naval \nrecruits, active duty military personnel, retirees, and dependents.\n    In February 2011, we reported that VA and DoD lacked mechanisms for \nidentifying and implementing efficient and effective IT solutions to \njointly address their common health care system needs as a result of \nbarriers in three key IT management areas--strategic planning, \nenterprise architecture, and investment management.\n\n        <bullet>  Strategic planning: The departments were unable to \n        articulate explicit plans, goals, and time frames for jointly \n        addressing the health IT requirements common to both \n        departments\' electronic health record systems. For example, \n        VA\'s and DoD\'s joint strategic plan did not discuss how or when \n        the departments propose to identify and develop joint health IT \n        solutions, and department officials did not determine whether \n        the IT capabilities developed for the FHCC could or would be \n        implemented at other VA and DoD medical facilities.\n        <bullet>  Enterprise architecture: Although VA and DoD had \n        taken steps toward developing and maintaining artifacts related \n        to a joint health architecture (i.e., a description of business \n        processes and supporting technologies), the architecture was \n        not sufficiently mature to guide the departments\' joint health \n        IT modernization efforts. 
For example, the departments did not \n        define how they intended to transition from their current \n        architecture to a planned future state.\n        <bullet>  Investment management: VA and DoD did not establish a \n        joint process for selecting IT investments based on criteria \n        that consider cost, benefit, schedule, and risk elements, which \n        would help to ensure that a chosen solution both meets the \n        departments\' common health IT needs and provides better value \n        and benefits to the government as a whole.\n\n    These barriers resulted in part from VA\'s and DoD\'s decision to \nfocus on developing VLER, modernizing their separate electronic health \nrecord systems, and developing IT capabilities for FHCC, rather than \ndetermining the most efficient and effective approach to jointly \naddressing their common requirements. Because VA and DoD continued to \npursue their existing health information sharing efforts without fully \nestablishing the key IT management capabilities described, they may \nhave missed opportunities to successfully deploy joint solutions to \naddress their common health care business needs.\n    VA\'s and DoD\'s experiences in developing VLER and IT capabilities \nfor FHCC offered important lessons to improve the departments\' \nmanagement of these ongoing efforts. Specifically, the departments can \nimprove the likelihood of successfully meeting their goal to implement \nVLER nationwide by the end of 2012 by developing an approved plan that \nis consistent with effective IT project management principles. Also, VA \nand DoD can improve their continuing effort to develop and implement \nnew IT system capabilities for FHCC by developing a plan that defines \nthe project\'s scope, estimated cost, and schedule in accordance with \nestablished best practices. 
Unless VA and DoD address these lessons, \nthe departments will jeopardize their ability to deliver expected \ncapabilities to support their joint health IT needs.\n    We recommended several actions that the Secretaries of Veterans \nAffairs and Defense could take to overcome barriers that the \ndepartments face in modernizing their electronic health record systems \nto jointly address their common health care business needs, including \nthe following:\n\n        <bullet>  Revise the departments\' joint strategic plan to \n        include information discussing their electronic health record \n        system modernization efforts and how those efforts will address \n        the departments\' common health care business needs.\n        <bullet>  Further develop the departments\' joint health \n        architecture to include their planned future state and \n        transition plan from their current state to the next generation \n        of electronic health record capabilities.\n        <bullet>  Define and implement a process, including criteria \n        that considers costs, benefits, schedule, and risks, for \n        identifying and selecting joint IT investments to meet the \n        departments\' common health care business needs.\n\n    We also recommended that the Secretaries of Veterans Affairs and \nDefense strengthen their ongoing efforts to establish VLER and the \njoint IT system capabilities for FHCC by developing plans that include \nscope definition, cost and schedule estimation, and project plan \ndocumentation and approval.\n    Both departments concurred with our recommendations and on March \n17, 2011, the Secretaries of Veterans Affairs and Defense committed \ntheir respective departments to pursue joint development and \nacquisition of integrated electronic health record capabilities.\n    In summary, effective IT management is critical to the performance \nof VA\'s mission. 
However, the department faces challenges in key areas, \nincluding systems development, information security, and collaboration \nwith DoD. Until VA fully addresses these and implements key \nrecommendations, the department will likely continue to (1) deliver \nsystem capabilities later than expected; (2) expose its computer \nsystems and sensitive information (including personal information of \nveterans and their beneficiaries) to an unnecessary and increased risk \nof unauthorized use, disclosure, tampering, theft, and destruction; and \n(3) not provide efficient and effective joint DoD/VA solutions to meet \nthe needs of our Nation\'s veterans.\n    Mr. Chairman, this concludes my statement today. I would be pleased \nto answer any questions you or other Members of the Subcommittee may \nhave.\n\nContacts and Acknowledgments\n\n    If you have questions concerning this statement, please contact \nJoel C. Willemssen, Managing Director, Information Technology Team, at \n(202) 512-6253 or [email protected]; or Valerie C. Melvin, Director, \nInformation Management and Human Capital Issues, at (202) 512-6304 or \n[email protected]. Other individuals who made key contributions include \nMark Bird, Assistant Director; Mike Alexander; Nancy Glover; Paul \nMiddleton; and Glenn Spiegel.\n                   MATERIAL SUBMITTED FOR THE RECORD\n\n                                     Committee on Veterans\' Affairs\n                       Subcommittee on Oversight and Investigations\n                                                    Washington, DC.\n                                                       May 16, 2011\nThe Honorable Eric K. Shinseki\nSecretary\nU.S. 
Department of Veterans Affairs\n810 Vermont Avenue, NW\nWashington, DC 20420\n\nDear Mr. Secretary:\n\n    In reference to the Oversight and Investigations Subcommittee \nhearing entitled ``Reboot: Examining VA\'s IT Strategy for the 21st \nCentury\'\' that took place on May 11, 2011, I would appreciate it if you \ncould answer the enclosed hearing questions by the close of business on \nJune 20, 2011.\n    In an effort to reduce printing costs, the Committee on Veterans\' \nAffairs, in cooperation with the Joint Committee on Printing, is \nimplementing some formatting changes for materials for all full \nCommittee and Subcommittee hearings. Therefore, it would be appreciated \nif you could provide your answers consecutively and single-spaced. In \naddition, please restate the question in its entirety before the \nanswer.\n    Due to the delay in receiving mail, please provide your response to \nDiane Kirkland at [email protected]. If you have any \nquestions, please call 202-225-3527.\n            Sincerely,\n\n                                                       Bill Johnson\n                                                           Chairman\n    EG/dk\n\n                               __________\n\n                        Questions for the Record\n                  House Committee on Veterans Affairs\n              Subcommittee on Oversight and Investigations\n                         Chairman Bill Johnson\n      ``Reboot: Examining VA\'s IT Strategy for the 21st Century\'\'\n                              May 11, 2011\nQuestion 1: Does the VA OI&T have an Enterprise Architecture partner to \n        help realize the benefits of each of the 16 Major Initiatives \n        linked to business outcomes.\n\n    Response: Yes, the Office of Information and Technology (OI&T) \nOffice of Architecture and Strategy uses several 
partner companies in \nits work on the Major Initiatives to ensure they are well planned and \ncoordinated. The business sponsor of each major initiative identifies \nthe business goals and objectives they intend to achieve. These \noutcomes are reviewed and approved by the Deputy Secretary, then \nmonitored on a monthly basis by Office of Policy and Planning (OPP) \nthrough Operational Management Reviews. OI&T is building an effective \nworking relationship with the Business Architects in Veterans Health \nAdministration (VHA), Veterans Benefits Administration (VBA), and \nNational Cemetery Administration (NCA) to create more explicit \nEnterprise Architecture (EA) artifacts that link in more detail to the \nDepartment of Veterans Affairs (VA) Strategic Plan. In turn the Plan \nlinks to the Major Initiatives and to OI&T initiatives and the OI&T \nspend plan. VA is strengthening our approach to using EA to promote \nmission effectiveness and stewardship of funds.\n\n    Question 2: Is Cloud Computing on the multi-year program? What is \nthe desired time frame for its implementation and what are the deciding \nfactors for that time frame?\n\n    Response: Cloud computing is not a specific program line item; \nrather, VA has adopted the direction of the Federal Chief Information \nOfficer (CIO) and has begun implementing a ``Cloud First\'\' strategy \nwith any new OI&T initiatives. Agencies are now required to deploy \ntechnology projects to cloud-based solutions whenever a secure, \nreliable, cost-effective cloud option exists. 
Cloud is increasingly \ntightly woven into all new VA initiatives.\n    VA has established criteria for Cloud projects within our \nenterprise data centers based on storage, processor load and \napplication design.\n    At this time, we are implementing a private Cloud based in our data \ncenters that provides secure OI&T operations for VA internal systems as \nwell as pursuing commercial Cloud hosting opportunities for VA systems \nthat do not require the same level of security.\n    The deciding factors in our time frame for deployment include:\n\n        <bullet>  Security. Data that contains patient or Veteran \n        financial data obviously requires greater security than, for \n        example, Web sites listing information on obtaining VA \n        services.\n        <bullet>  Applicability for Cloud deployment. Some \n        applications, because of heavy system requirements, do not lend \n        themselves to virtualization;\n        <bullet>  Application design. Older applications may be \n        candidates for Cloud, but this requires programming and testing \n        to ensure compatibility;\n        <bullet>  Budget. Moving to the Cloud involves funding to \n        deploy virtualized systems and storage, as well as for \n        regression testing and standardization of software;\n        <bullet>  Staffing. VA has a finite number of programmers and \n        operations staff available to provide testing of Cloud \n        services; and\n        <bullet>  Availability of secure, reliable, cost-effective \n        commercial services.\n\n    There are several VA applications which are in production in a \ncloud-based architecture or have significant resources invested in \ntheir completion. VA currently employs a hybrid private cloud (both off \nand on premise) to deliver the Post-9/11 GI Bill application suite. 
The \nDepartment continues to work through the technology required to support \nthe movement of 100,000 (approximately 20 percent) customer mailboxes \ninto a Federal cloud architecture, targeted to begin early in fiscal \nyear 2012. VA has begun beta testing of a private cloud solution for \nthe technology to interface lab equipment with the Department\'s \nelectronic health care record. These are a few of the varied types of \napplications which VA has determined were suited for a cloud-based \ndeployment.\n\n    Question 3: How has VA\'s return on investment (ROI) in IT \ndevelopment over the last 5 years compared with private-sector \ncompanies of comparable size?\n\n    Response: VA\'s IT ROI compares favorably with the private sector in \na number of areas. A recent independent study covering the 10-year \nperiod between 1997 and 2007 found that VA\'s health IT investment was \n$4 billion, while savings were more than $7 billion. This represents a \nROI of 75 percent. In comparison, a 2010 study of General Motors IT \ninvestments anticipates an internal ROI of 70 percent.\\1\\ An earlier \nstudy of Ford Motor Company\'s IT investment, on the ford.com Web site, \ncites a ROI of 115 percent.\\2\\ While the studies\' methodologies may \ndiffer, the results indicate VA\'s IT ROI for VistA is similar to \ncomparably-sized private-sector companies.\n---------------------------------------------------------------------------\n    \\1\\ 2010. General Motors Prepares for Future with Next Generation \nInformation Networks for Global Manufacturing Operations: On Track to \nAchieve 166 percent ROI Over Five Years. Cisco Business Transformation \nSeries--Connected Manufacturing, page 9. Retrieved from http://\nwww.cisco.com/web/strategy/docs/manufacturing/Cisco-AutoCaseStudy-\nGM.pdf.\n    \\2\\ 2002. ROI Profile: Microsoft Content Management Server \nFord.com. Nucleus Research Note 17, page 1. 
Retrieved from http://\nnucleusresearch.com/library/microsoft-roi/c17.pdf.\n---------------------------------------------------------------------------\n    However, recognizing systemic issues in other areas of development, \nVA introduced the Project Management Accountability System (PMAS) in \n2009 to dramatically increase VA\'s success rate in meeting customer \nsoftware milestones. This success rate is now approximately 75 percent, \nup from 30 percent (estimated, as no metrics were tracked at that time) \nprior to PMAS implementation.\n\n    Question 4: Please describe in further detail how VA\'s IT \ninvestment over the last 5 years has been in line with industry best \npractices and where improvements can be made.\n\n    Response: Prior to the implementation of PMAS in 2009, VA IT \ninvestments were not adequately tracked to provide a viable answer to \nthis question. Since full implementation of PMAS in March of 2010, VA \nIT projects have delivered approximately 75 percent of the \ncustomer-facing milestones it set. This success rate is in line with \nindustry best practices.\n\n    Industry standards for managing IT investments focus largely on the \nprinciples and criteria established by the Project Management \nInstitute, widely recognized as the credentialing authority for Project \nManagement Professionals (PMP). These industry standards are constantly \nevolving. A common thread is the focus on measurable, performance-based \noversight techniques that ensure product delivery is completed within \nbudget, on schedule, and meets performance and functionality \nexpectations.\n    VA\'s PMAS is a performance-based project management discipline \nmandated by VA\'s Assistant Secretary for Information and Technology for \nall IT development projects. 
PMAS conforms to the core principles and \nstandards recognized and utilized by private industry, but PMAS is \nspecifically tailored to manage the unique investment, management, and \noversight challenges faced by public sector IT development projects.\n    PMAS establishes more rigorous controls than the industry standard \nfor ensuring that investments in IT projects meet project development \ntimelines and expectations for functionality. Specifically, PMAS uses \nincremental product build techniques for IT projects, with delivery of \nnew functionality (tested and accepted by the customer) in cycles of 6 \nmonths or less. Projects managed under PMAS are tightly monitored and \nsubject to being halted when significant deviations to plans occur and \ninsufficient remediation plans are presented. PMAS requires that a \nproject be paused and re-evaluated at the point where it has \ndemonstrated trouble.\n    The use of metrics to monitor and assess performance for IT \ndevelopment is another best practice and key strategy VA employs to \nensure resources are used effectively and project managers are held \naccountable. When PMAS was implemented, we identified a requirement to \ntrack, monitor, and report on the status of projects that fell under \nthe PMAS management discipline. As a result, the PMAS Dashboard was \ndeveloped and fielded. The purpose of the PMAS Dashboard is to track, \nmonitor, and report the status of PMAS managed IT projects--thereby \nproviding visibility into planned versus actual costs and schedules, \nand to provide a disciplined management approach with the goal to \nimprove the rate of success of VA\'s IT projects. The status of every \nactive PMAS-managed project is reported to and reviewed by VA senior \nmanagement on a monthly basis. 
The implementation of PMAS and related \ntools has resulted in the on-time delivery of customer-facing products \napproximately 75 percent of the time, an increase from 30 percent on-\ntime prior to the implementation of PMAS.\n    PMAS also necessitates the use of VA\'s standardized development \nprocesses. These processes are captured in ProPath, VA\'s IT process \nasset library. Process standardization is widely accepted by industry \nand advisory bodies as a means for improving delivery rate, resource \nusage, and organizational success. While ProPath initially captured \nonly development practices, later versions of ProPath will capture all \naspects of the development lifecycle.\n    In addition to PMAS, VA adopted a new acquisition strategy to more \neffectively use our IT resources. This new strategy for acquiring IT \nservices, Transformation Twenty-One Total Technology (T4), will assist \nto consolidate our IT service requirements into 15 prime contracts \n(seven of which have been reserved for Veteran-owned small businesses) \nleveraging economies of scale to save both time and money and enable \ngreater oversight and accountability.\n\n    Question 5: Going forward, how will VA OI&T ensure IT contracts are \nproperly defined and written from RFI to RFP to Contract to \nImplementation--in order to ensure more responsible use of taxpayers\' \ndollars?\n\n    Response: VA is using and now strengthening our Integrated Project \nTeam (IPT) process with the right personnel from the beginning of a \nprocurement/acquisition submission to implementation. VA has already \npublished the first IPT guide, and requires as part of PMAS policy, \nthat all projects must be managed under a cognizant IPT. IPT membership \nis specified in policy, and must include a warranted contracting \nofficer and general counsel. 
OI&T, OPP, Office of Acquisition, \nLogistics and Construction (OALC), and Office of General Counsel (OGC) \nare collaborating in devising several mechanisms to strengthen IPTs. \nThe options under consideration include more training on IPT operation, \nuse of acquisition-trained facilitators for IPT for larger, high-\npriority programs, and greater management visibility into assignment of \nstaff to IPTs. Customer engagement is required already in policy, but \ncould be strengthened as well to assure timely development of \nrequirements and real-time awareness of project issues that could \naffect schedule of functionality. This is a teaming relationship with \nthe customer to properly define the requirement so that we are able to \ndesign, develop, implement, and deploy the materiel solution needed by \nthe customer. (This is all part of the IPT and PMAS processes, and \nrecorded in ProPATH, the VA OI&T process asset library, which serves as \nthe basis for development of all courseware for OI&T staff training.)\n    To allow time for IPTs to operate properly and develop practical \nacquisition strategies, VA is now accelerating the due date for \nbusiness requirements. For functional requirements for FY 12 projects, \nthe due date will be July 2011.\n    The following are the practices being utilized at the Technology \nAcquisitions Center (TAC):\n\n\n    Customer Training--Training provided acquisition-related material \nto OI&T personnel, covering essential topics such as market research, \nperformance work statements, cost estimates, and technical evaluations. 
\nEach of these training units, along with `hands-on\' workshops, were \nintended to provide the customer with fundamental information that \nwould help them to better understand the acquisition process and \nassociated documentation, thereby resulting in better defined \nrequirements, streamlined processes, and reduced cycle time.\n    Document Templates--Templates were developed to guide the customer \nin preparing acquisition plans, sole source justifications, and cost \nbenefit analysis, along with instructional procurement guidelines, \nwhich helped customers understand what acquisition documents were \nrequired based on the type of procurement and the dollar threshold. One \ntemplate found most useful was the Performance Work Statement (PWS) \ntemplate for services, which provided the preparer with detailed \nguidance through the template. The PWS template has aided in the \npreparation of requirements which were consistent, accurate, and \ncomplete. The introduction of uniformity in the process provides \nadditional assurances that requirements would be more easily \nunderstood, and thereby lessen ambiguities which could lead to \nmisinterpretation and undesirable performance.\n    IPTs and Lockdowns--Two highly effective practices that result in \nbetter defined requirements--and ultimately better contracts--is \nthrough the use of ``IPTs\'\' and ``Lockdowns.\'\' With roles and \nresponsibilities clearly defined in charters, acquisition and customers \nwork together as integral IPT members in the identification, refinement \nand establishment of IT requirements and acquisition strategies. While \nIPTs characterized the components of the partnership, the practice of \n``lockdowns\'\' provide a real-time, collaborative working framework from \nwhich the IPT could excel. 
With each lockdown session, the objective of \ncritical ``buy-in\'\' is achieved as hands-on IPT participants \ncollaboratively formulated business strategies, and established \nacquisition planning goals, while also jointly developing high-quality \ntechnical documentation.\n    Partnering with Industry--Receiving useful feedback from industry \nis critical to establishing requirements that are both accurate and \nfeasible. Reaching out to industry is a valuable investment of \nresources, which in the end pays dividends to several beneficiaries. \nThrough ``Advanced Planning Briefings for Industry\'\' (APBI) and \n``Industry Days,\'\' cross-communication between industry and the \ngovernment results in a mutual understanding of the needs and \ncapabilities of the two parties. More specifically, an Industry Day \nconference allows industry to raise questions and present ideas for \nGovernment consideration on a specific, pending requirement. Through \nthese give-and-take forums, the government is provided an opportunity \nto best define, and refine, its requirements before a solicitation is \nreleased.\n\n    Question 6: In the Catapult contract, VA OIG found that VA paid \nCatapult on a milestone basis. This payment basis was inconsistent with \nboth the contract as well as the information provided to vendors during \nsolicitation. What mechanisms are or were in place to prevent blatant \ndisregard of contracting conditions established twice in writing? How \ndid those mechanisms fail twice in the case of this contract?\n\n    Response: OI&T is currently conducting an internal review of the \nCatapult contract. We expect this review to be complete by mid-July, \nand will plan to brief the Subcommittee when the review is complete.\n\n    Question 7: How does an individual or company access GSA\'s Schedule \n70 in order to participate in VA\'s IT contracting process?\n\n    Response: There are over 4,000 companies currently on GSA\'s \nSchedule 70. 
In order to participate in VA\'s IT contracting process \nunder GSA\'s Schedule 70, the individual or company must first obtain a \nGSA Schedule 70 contract. The first step in the process is submitting \nan offer in response to the IT Schedule 70 solicitation, which is made \navailable on the Federal Business Opportunities (FedBizOpps) Web site. \nThe individual or company would then submit an electronic offer via \nGSA\'s eOffer electronic system. GSA would review the offer to ensure \ncompliance with the solicitation, and upon determination that the \nofferor\'s prices were fair and reasonable, a GSA IT Schedule 70 \ncontract would be awarded if it was in the best interest of the \ngovernment. To assist an individual or company, GSA has made available \nthe free online training courses, ``How to Become a Contractor--GSA \nSchedules Program\'\' and ``How to Get on Schedule.\'\' These courses \nprovide prospective offerors with helpful information about how to \nprepare an offer and the GSA Schedule 70 contract award process.\n\n    Question 8: In the absence of a final T4 award, is VA moving \nforward with its IT projects? Is the contracting organization denying \nthe program managers alternative contracting vehicles in anticipation \nof using T4?\n\n    Response: VA is, and will continue to move forward on all of its IT \nprojects. The VA\'s contracting organizations will continue to take into \nconsideration all available contractual vehicles in the development of \nan acquisition strategy. This procedure will continue irrespective of \nthe T4 awards.\n\n    Question 9: What assurance can VA provide the Committee that VA \nwill use other contracting vehicles that are currently available in \norder to move IT projects forward?\n\n    Response: Since January 1, 2011, OI&T has awarded 218 contracts \n(through June 1, 2011) using various contracting vehicles. 
We will \ncontinue to perform work while we await T4 award.\n\n    Question 10: What steps has VA taken to ensure success for the \nInteragency Program Office (IPO) as ``the single point of \naccountability\'\' as established in the FY 2008 National Defense \nAuthorization Act? How has VA defined ``single point of \naccountability\'\' in writing to those involved with the IPO?\n\n    Response: VA will be utilizing the IPO as established by the FY \n2008 National Defense Authorization Act. VA and DoD are currently \nrevising IPO\'s charter to empower the IPO to effectively manage the \nimplementation of the integrated Electronic Health Record (iEHR).\n\n    Question 11: Please describe in further detail the cooperative \nactions, below the Secretary level, between VA and DoD in implementing \niEHR.\n\n    Response: The Secretaries have designated the Deputy Chief \nManagement Officer (DoD) and the Assistant Secretary, Information and \nTechnology (VA) to lead the coordinated efforts of the two Departments \nto establish the iEHR through a Senior Coordinating Group (SCG). The \nSecretaries have charged the SCG with accomplishing the initial \nobjectives of the iEHR, including establishing governance, naming key \nstaff, and planning the implementation of the iEHR, including costing. \nThere are hundreds of VA and DoD staff working on accomplishing the \nvarious taskings as assigned by the SCG.\n\n    Question 12: Please describe in further detail DoD\'s role in the \nmove toward Open Source and how that role has compared to VA\'s actions.\n\n    Response: Clearly, establishing an Open Source consortium, and \nembracing private-sector participation in VistA, was initially driven \nby VA. After considering the role that Open Source could play in \nensuring the long-term success of the iEHR, particularly in helping the \ngovernment better engage the private sector, DoD agrees with VA that \nOpen Source is a vital part of the path forward for the iEHR. 
To that \nend, DoD is participating in both the selection of the Custodial Agent \n(CA) and in the Board of Directors of the CA.\n\n    Question 13: The National Institute of Standards and Technology \n(NIST), in its Internal Report 7622 (NISTIR 7622) published last year, \nsets out supply chain risk management practices for Federal information \nsystems. Has VA applied these practices to its own IT projects? What \nsteps has VA taken to minimize supply chain risk for IT projects?\n\n    Response: VA OI&T minimizes supply chain risk management by \nmanaging the security component of all software development and service \ndelivery work. OI&T does not outsource the security component when \npurchasing products and services. OI&T has developed tight security \ncontrols in line with the NIST recommendations, as well as FISMA \nrequirements, which allows us to provide the necessary standards to \nmanage supply chain risk.\n\n    Question 14: Has the IPO been utilized in any of these steps? If \nso, which ones?\n\n    Response: As VA and DoD move forward with plans to strengthen the \nIPO\'s charter, supply chain risk management best practices will be one \nof the many factors considered.\n\n    Question 15: Please further explain VA\'s certainty in the Open \nSource approach when, by VA\'s own admission, no cost analysis had been \ndone ahead of time. Other than a three-page document provided to the \nSubcommittee after the May 11 hearing, what documentation explains in \ndetail the review of all alternatives before making a decision?\n\n    Response: The cost analysis for Open Source is short because the \nanalysis is simple. VA has proven that the EHR is a vital part of \neffective health care for Veterans. Our current EHR, VistA, while still \nviable is no longer the market leader. VA assesses the cost of replacing \nVistA at its 153 hospitals and over 800 CBOCs at approximately $16 \nbillion. 
If VA cannot find a way to move VistA forward at a rate that \nkeeps pace with the private sector, we must eventually ask the \ntaxpayers for the funding necessary to replace VistA. Our assessment is \nthat Open Source is a viable path, and perhaps the only viable path, to \nallow VA to improve VistA at a much more rapid pace by involving the \nprivate sector in both planning and implementing its path forward. As \nDoD and VA move forward to establish the iEHR, the involvement of the \nprivate sector is even more critical, which is one of the primary \nreasons DoD has agreed with VA that Open Source should be part of our \noverall iEHR plans.\n    VA has spent more than a year conducting a very deliberative \nprocess to examine the implications of Open Source for VistA. We have \nseen two substantial studies on the topic contributed by the private \nsector and academia. We have consulted with hundreds of organizations, \nand thousands of individuals about the pros and cons of the Open Source \napproach. We have conducted three Requests for Information (RFIs), and \nreceived numerous papers, emails, and comments. Our path forward with \nOpen Source has been broadly advised and is highly transparent.\n\n    Question 16: Please identify and explain the elements of VA\'s life-\ncycle analysis of IT projects.\n\n    Response: IT projects are selected based on their relationship to \nthe VA Strategic Plan. The single IT authority at VA allows \ncomprehensive view of all VA IT investments and their prioritization \nusing a shared governance approach in concert with their respective \nbusiness sponsors. 
To create a lifecycle view of total cost of \nownership, VA is in the process of implementing IPTs for all projects, \nwhich includes members with the knowledge of life cycle management, to \naddress all infrastructure components from data center to desktop, from \nproject initiation to close out and disposal.\n\n    Question 17: Please explain how VA applied the above life-cycle \nanalysis to Open-Source VistA prior to making the decision to move \nforward on that project.\n\n    Response: VA senior leadership has determined that as a software \nsourcing strategy, Open Source (OS) represents an approach that is very \nlikely to reduce development risk and strengthen development rigor, \npromote innovation, promote cyber security, and make OS applications \nmore broadly available to the Nation through the entire life cycle of \neach OS project. Open Source is a development strategy, and is not \nitself a project with a life cycle--and, it is not a substitute for \nlife cycle management of total cost of ownership. The OS approach will \nallow VA to address total cost of ownership for Open Source software, \nincluding implementation, hosting, telecommunications, end-user \nsupport, and project closeout.\n\n    Question 18: Is VA appropriately staffed with the knowledge and \nexperience level to build rigorous business cases based on \ncomprehensive cost benefit analyses and returns on investment in \ninformation technology?\n\n    Response: While no organization is at a point where it has all of \nthe expertise and knowledge it needs, VA OI&T has made great strides \ntowards building an IT staff with the knowledge and skills required to \naccomplish our mission. 
Through our Program/Project Manager training \ncourses, peer review process, techstat meetings, competency model, and \nother training and guidance practices, OI&T has worked to develop tools \nto improve the performance of our staff.\n\n    Question 19: Please describe OI&T\'s incorporation of Supply Chain \nRisk Management by the National Institute of Standards and Technology \n(NIST) in moving forward with Open Source software implementation.\n\n    Response: As discussed above, OI&T\'s Information Security \norganization effectively and directly manages the security component of \nsoftware development, procurement, and implementation. We will continue \nto employ these best practices in moving forward with the Open Source \nsoftware implementation.\n\n    Question 20: DoD is currently running pilot programs on \ncybersecurity. Please explain VA\'s decision to move forward on large-\nscale IT programs before these programs have concluded and the results \nhave been published.\n\n    Response: VA has determined that delay in pursuing its operational \nrequirements for critical programs such as Veterans Benefits Management \nSystem (VBMS), Post-9/11 GI Bill, and VistA Open Source, should not be \ndelayed due to DoD\'s pilot programs. This assessment considered the \npressing needs to improve performance and service delivery to Veterans \nas well as the status of each program. VA will ensure its cybersecurity \nrequirements are fully integrated into all projects and will maintain \nclose contact with DoD in order to consider the emerging outcomes of \ntheir pilot programs.\n\n    Question 21: According to a number of industry white papers, Wi-Fi \nhas deficiencies as a real-Time Asset and Patient Tracking Solution and \nultimately will cost more to use this method than radio frequency \nidentification technology (RFID) for the same purpose. 
On June 17, \n2010, VA (10N) placed a moratorium on Real Time Location systems \nacquisition because a national contract was to be implemented during \nthat fiscal year. Is the moratorium still in place? If so, please \nexplain VA\'s recent submissions of two RFP\'s with language that \nindicates Infra-red and Radio Frequency work-arounds while the \nmoratorium is in place?\n\n    Response: Real-Time Location Systems (RTLS) and radio frequency \nidentification (RFID) are closely related, and are overlapping \ntechnologies used for identifying and locating items or people. RTLS is \nthe term used to describe those technologies that provide ``real-time\'\' \nlocation, regardless of whether radio frequencies are used or some \nother technology, such as ultrasound or infra-red. RFID is the term \nused to indicate that radio frequencies are being utilized, regardless \nof whether the item is being located in real-time or not. Therefore, \nsome RTLS systems are also RFID systems, and some RFID systems are also \nRTLS systems. They are not necessarily separate systems that compete \nwith one another. Rather, the terms offer differing ways of describing \nthese systems, either by describing the technologies employed or the \nuses for the technologies. RFID is generally broken down into two \ntypes: passive and active. Active RFID systems utilize a tag with a \nbattery, that beacons information at pre-set intervals. Passive RFID \nsystems utilize a ``tag\'\' (normally a sticker or label) that has no \nbattery, so relies on an external power source to ``excite\'\' it, \ncausing it to send out an identification message. Because passive RFID \ntags only announce themselves when in the proximity of an exciter, \npassive systems generally do not offer real-time location capabilities.\n    VA has a large number of business processes (use cases) that can \nbenefit from RTLS and/or RFID technologies. 
Some use cases lend \nthemselves to passive RFID, while others lend themselves to active \nRFID/RTLS. An example of the former is folder accountability and \ninventorying in VBA, while an example of the latter is real-time \nlocation of mobile medical assets, such as EKG carts, infusion pumps, \nor wheelchairs. Because VA has such a wide variety of use cases, it was \nunderstood from the beginning that no single RFID/RTLS technology would \nsatisfy all of VA\'s needs. It is therefore VA\'s plan to procure an \nappropriate technology to address each use case.\n    Even within active RFID, there are numerous technologies, each with \ntheir own unique set of plusses and minuses. Wi-Fi is a radio frequency \n(RF) based system utilizing the 2.4 GHz band. There are also RF based \nsystems utilizing the 900 MHz and 433 MHz bands. Additionally, there \nare systems that utilize ultrasound (either alone or in combination \nwith an RF-based system) or an infra-red system in combination with an \nRF-based system.\n    Prior to making the decision to utilize Wi-Fi for RTLS, when \npossible, VA consulted with industry leaders such as Gartner. Gartner \nindicated that Wi-Fi has the single largest market share, by far, in \nthe health care RTLS market space, (likely exceeding 60 percent) and \nthat when a properly configured WiFi network is already in place, it \nmakes sense to leverage the existing investment for location-based \nservices such as RTLS, rather than wiring and installing redundant \nnetworks of transceivers, at great cost, for little or no benefit. \nCost, however, is not the only consideration. One of VA\'s major \nconcerns is interoperability and not being locked into a proprietary, \nsingle-vendor solution. WiFi-based RTLS systems are the only standards-\nbased RTLS solution, being based on the international IEEE 802.11 \nstandard. 
Other systems (notably, those based on 900 MHz, 433 MHz, and \nultrasound) are highly proprietary, meaning that one vendor\'s tags will \nnot work with any other vendor\'s transceivers, even if the same \nfrequency band is utilized. This creates two potentially dangerous \nconditions for VA: the possibility of the single vendor going out of \nbusiness, and the possibility of the single vendor raising the cost of \nthe proprietary tags by an exorbitant amount. VA finds it more prudent \nto employ technologies based on internationally-recognized standards, \nwhere consumables (in this case, RTLS tags) are commodities, available \nfrom multiple vendors.\n    Wi-Fi based RTLS systems currently have a spatial resolution of \napproximately 7 meters at best, although as technology advances, this \nis improving. For some purposes, it is sufficient to know where an item \nis to within 7 meters accuracy. It is for those use cases only that VA \nintends to utilize Wi-Fi alone. It is well understood that some use \ncases in VA require pinpointing an item\'s location with greater \naccuracy than 7 meters, and it is our intention to procure \ncomplementary technologies (infra-red or ultrasound) in those cases. \nThis is not a work-around for a flawed system. Use of hybrid systems is \na common strategy employed by RTLS vendors and customers to leverage \nthe benefits of Wi-Fi, yet augment it (where necessary) to provide \nfiner spatial resolution than could be achieved by Wi-Fi alone. It \nshould be noted that other RF-based systems (e.g. 433 and 900 MHz) also \nrequire these same complementary technologies to enhance spatial \nresolution for certain use cases.\n    Given the promise that RFID and RTLS systems have for VA \noperations, multiple VA entities have identified the need for these \nsystems and had begun to procure them. Unfortunately, this was being \ndone in an uncoordinated fashion, with no technical standards and no \nthought to interoperability. 
If these systems are to be maximally \nuseful, they must be able to exchange data and be able to aggregate \ndata at a national level. Commonality is also required in order to \nsupport higher quality, more efficiency, and less costly. This was the \nimpetus behind the moratorium. It was designed to afford VA the \nopportunity to devise a technical strategy for RFID/RTLS so that \ntaxpayer dollars would be used wisely.\n    The RTLS/RFID moratorium is still in place, while VA crafts a \nnational RFP and awards an intended indefinite delivery/indefinite \nquantity (IDIQ) contract to satisfy all RTLS/RFID needs. Although \nsignificant market research has been done, and is continuing, the \nextremely large scope of the RTLS initiative made it prudent to perform \nseveral technology demonstrations. The two RFPs cited are part of VA\'s \ncarefully controlled technology demonstrations. Veterans Integrated \nService Networks (VISNs) 10 and 11 have been given permission to \nprocure RTLS/RFID systems, in very specific configurations, prior to \naward of the national IDIQ contract. It is hoped that the lessons \nlearned from these technology demonstrations will aid us in the \nimplementation and use of RTLS/RFID systems nationally, and help shape \nfuture technology choices.\n\n    Question 22: The National Project Management Office (PMO) for Real \nTime Location Systems (RTLS) is touted as the Center of Excellence for \nthose systems, yet, contrary to industry standard, it is pursuing \n802.11 technology for location services despite known limitations of \n802.11 for that purpose. 
Please explain in detail the reason for using \n802.11 and the reasons for not using Infra-red and Radio Frequency \nmethodologies, two technologies generally regarded as better suited for \nlocation services and other uses.\n\n    Response: VA performed extensive market research on the various \ntechnologies, including consulting with the firm generally considered \nto be the leader in information technology (IT) consulting, Gartner. It \nis VA\'s understanding that Wi-Fi based RTLS systems command the lion\'s \nshare of the market for health care RTLS--over 50 percent. That would \nmake it very much the ``industry standard.\'\' Additionally, it is not \nVA\'s intention to use Wi-Fi systems alone, except where it meets the \nbusiness need. Whenever a greater spatial resolution is needed than Wi-\nFi alone can provide, VA intends to use Wi-Fi along with a \ncomplementary technology, such as infra-red or ultrasound. Part of VA\'s \nmotivation for performing the technology demonstrations in VISNs 10 and \n11 is to generate first-hand knowledge of the benefits and \ndisadvantages of each of the major RTLS technologies in a VA \nenvironment, so that we need not rely on information from external \nsources that may or may not be relevant to VA.\n    VA is not aware of any compelling data to suggest that a hybrid \nsystem utilizing Wi-Fi and a complementary technology (when necessary) \nis inferior to other RTLS technologies on the market.\n\n    Question 23: How does VA OI&T address Wi-Fi\'s incompatibility with \nexisting structures that result in a need for more access points to \ntriangulate tags and higher long-run costs compared to other \ntechnologies?\n\n    Response: The need for additional access points is primarily \nrelated to the desire to support voice over Wi-Fi (VoWiFi). The number \nof additional Wi-Fi access points needed to support RTLS (as compared \nto VoWiFi) is small--estimated to be an additional 10 percent or less. 
\nIt is hard to understand how a non-WiFi RTLS system could demonstrate \nlower long-term costs than a WiFi-based RTLS system, when an \norganization already has a WiFi infrastructure in place capable of \nproviding location-based services. Implementing a non-WiFi RTLS system \nwould require pulling cable for hundreds of additional transceivers per \nfacility, purchasing and installing those transceivers, potentially \nrunning electrical connections for those transceivers, and then \nproviding ongoing support and maintenance for the non-WiFi RTLS \ntransceivers (in addition to the WiFi access points that would still be \nneeded for other business purposes). WiFi-based tags can be moderately \nmore costly than non-WiFi tags, (perhaps $50 per tag instead of $40) \nbut the number of RTLS tags per facility would need to be huge in order \nto make up the excess cost (up front and ongoing) associated with the \nnon-WiFi infrastructure. It should also be noted that with a WiFi-based \nRTLS system, any device that already has WiFi built in does not need a \ntag, since its existing WiFi radio acts as an RTLS tag. In addition to \ndevices like laptops, tablets, and smart phones, more and more medical \ndevices now come equipped with WiFi radios, further saving on RTLS tag \ncosts.\n\n    Question 24: Are additional technologies necessary to achieve \nbetter accuracy in location and tracking services, at a minimum, and if \nso, are additional infrastructures needed?\n\n    Response: As discussed more fully in question 21, WiFi suffices for \nsome of VA\'s many RTLS use cases, while for others, it does not. 
Where \na use case demands greater spatial resolution than WiFi alone can \nprovide, VA intends to utilize complementary technologies, such as \nultrasound or infra-red, on an as-needed basis.\n\n    Question 25: Does VA utilize RFID/RTLS technology that provides \nmultiple uses on the same infrastructure?\n\n    Response: VA currently has only very limited deployment of RTLS. \nHowever, the plan, as currently envisioned, allows us to leverage the \nsame infrastructure (WiFi) for multiple business purposes, including \nwireless data (Bar Code Medication Administration [BCMA], bedside \nnursing admissions, bedside progress notes, etc) and voice (wireless \nWiFi-based phones).\n\n    Question 26: How do these Wi-Fi solutions track objects outside the \nbuilding using the same infrastructure versus other technologies that \nhave both indoor and outdoor solutions built-in?\n\n    Response: None of the initial use cases for VHA involve tracking \nitems outdoors. WiFi can be utilized for outdoor use cases, when the \nitem will remain on campus. If inter-facility location-finding is \nneeded, some other technology, such as GPS, would likely be utilized.\n\n    Question 27: How does VA OI&T deal with the latency in Wi-Fi \nbetween when a message is sent and received, potentially triggering \nalarms and, for example, locking a door before a patient is able to \nexit?\n\n    Response: There is no industry consensus on whether WiFi is slower \nor has greater latency than competing systems, but OI&T does not \nbelieve this to be an issue. 
However, if latency issues were a concern, \nquality of service controls could be instituted to ensure that RTLS \ntraffic would get priority.\n\n    Question 28: Do VA\'s Wi-Fi solutions send encrypted data vulnerable \nto a security breach?\n\n    Response: The VA Wi-Fi utilizes equipment that is FIPS 140-2 \nCertified (mandated by FISMA and VA Handbook 6500) and is configured to \nfollow the associated FIPS 140-2 Security Policy as well as following \nNIST Special Publication 800-97: Establishing Wireless Robust Security \nNetworks. The system is based on 802.11i WPA2/AES security protocols \nwhich utilize FIPS 140-2 certified cryptographic modules.\n\n    Question 29: How do these solutions keep running if there is an \nissue with the Wi-Fi infrastructure or access points at any given time?\n\n    Response: The Wi-Fi Infrastructure is setup and configured to \nsurvive single component failure at the controller in the N+1 design \nmodel. The access points (AP) are deployed and configured in a way in \nwhich the system self heals. That is, the infrastructure will see an AP \n``drop off\'\' and will increase signal strength in surrounding APs to \ncover the deficiency automatically.\n\n    Question 30: How will the cost of batteries in Wi-Fi tags affect \nlong-term usage and cost versus other low-power consumption \ntechnologies?\n\n    Response: Our market research indicates that battery life with \nWiFi-based tags will be comparable to that seen in other active RTLS \ntags. By adjusting the beacon rate, a battery life of 2 years or more \nshould be attainable. 
Necessary beacon rate will vary by use case.\n\n    Question 31: How will interface from Wi-Fi in everyday devices \ncarried by people in facilities affect the tracking of tags in any VA \nfacility?\n\n    Response: Although this has been raised as a concern, at least 60 \npercent of the health care RTLS market utilizes WiFi-based systems, and \ninterference from other WiFi devices has not been shown to be a \nsignificant problem.\n\n    Question 32: VA OI&T currently has a workforce of over 7,100 \npeople. Please outline the growth of that staff over the last 2 years \nas well as anticipated future growth.\n\n    Response: At the beginning of FY 2009, OI&T staff count was 6,645. \nThe current (as of April) staff count is 7,101. OI&T\'s planned end-of-\nFY 2011 staff count is 7,271. We are not requesting a staffing increase \nas part of our FY 2012 budget.\n\n                                 __________\n\n                                     Committee on Veterans\' Affairs\n                       Subcommittee on Oversight and Investigations\n                                                    Washington, DC.\n                                                       May 12, 2011\nThe Honorable Roger W. Baker\nAssistant Secretary for Information\nTechnology and Chief Information Officer\nU.S. Department of Veterans Affairs\n810 Vermont Avenue, NW\nWashington, DC 20420\n\nDear Secretary Baker:\n\n    I would like to request your response to the enclosed questions for \nthe record and deliverable I am submitting in reference to our House \nCommittee on Veterans\' Affairs Subcommittee on Oversight and \nInvestigations hearing on Reboot: Examining VA\'s IT Strategy for the \n21st Century on May 11, 2011. 
Please answer the enclosed hearing \nquestions and deliverables by no later than Wednesday, June 22, 2011.\n    In an effort to reduce printing costs, the Committee on Veterans\' \nAffairs, in cooperation with the Joint Committee on Printing, is \nimplementing some formatting changes for material for all full \nCommittee and Subcommittee hearings. Therefore, it would be appreciated \nif you could provide your answers consecutively on letter size paper, \nsingle-spaced. In addition, please restate the question in its entirety \nbefore the answer.\n    Due to the delay in receiving mail, please provide your response to \nMs. Orfa Torres by fax at (202) 225-2034. If you have any questions, \nplease call (202) 225-9756.\n            Sincerely,\n\n                                                       Joe Donnelly\n                                                     Ranking Member\n    MH/ot\n\n                               __________\n\n                        Questions for the Record\n                  House Committee on Veterans\' Affairs\n              Subcommittee on Oversight and Investigations\n                      Ranking Member Joe Donnelly\n      ``Reboot: Examining VA\'s IT Strategy for the 21st Century\'\'\n                              May 11, 2011\n    Question 1: What are we doing to convert the many contracted IT \nstaff positions to Full Time Employee (FTE) positions within the VA?\n\n    Response: The Office of Information and Technology (OI&T) is \nalready positioning itself to recruit, retain, and train staff to have \nneeded specialized skills through the use of our staff competency \nmodels, which are currently under development. These models will also \nbe deployed to help ensure that VA has the continuously strong, capable \nleadership corps that it needs, and that leaders have the skills and \nproficiency to lead people and progress. 
However, in instances where \nspecialized knowledge is needed for short duration, OI&T will continue \nto use contracted services, which provides a more cost-effective \nalternative to hiring full-time career Federal employees.\n\n    Question 2: According to the VA OIG\'s recent report on the contract \nawarded to Catapult, their findings concluded that information provided \nto the vendor was unreliable. The documents proved to be incomplete or \nreliable, and the VA was aware of this. Why did VA continue with the \nprocurement process knowing documents were incomplete or unreliable?\n\n    Response: OI&T is currently conducting an internal review of the \nCatapult contract. We expect this review to be complete by mid-July, \nand would appreciate the opportunity to provide a brief on our findings \nwhen the review is complete.\n\n    Question 3: The VA OIG was unable to determine if Catapult was in \ncompliance with the Federal Acquisitions Regulation (FAR), because the \nVA did not request documentation on the subcontractors to ensure \ncompliance with the FAR provision. Why would the VA not request or have \nthis documentation available?\n\n    Response: VA wants to clarify that we believe this question refers \nto the Office of Inspector General (OIG) Report discussion of possible \nnon-compliance with FAR 52.219-27, which requires that specific minimum \npercentages of the labor cost be paid to the employees of the vendor or \nof another Service-Disabled Veteran-Owned Small Business (SDVOSB)*. The \nOIG Report refers only to the 50 percent minimum level; the \ninstallation of WiFi networks may well fall into the category of \n``Construction by special trades contractors\'\' which specifies a 25 \npercent minimum level. 
We are aware that Catapult has stated in writing \nthat they are in compliance with the FAR; we are not aware of what \nspecific data they may have provided to the OIG to verify compliance.\n    *The following minimum percentages are specified by FAR 52.219-27:\n\n        1.  Services (except construction), at least 50 percent of the \n        cost of personnel for contract performance will be spent for \n        employees of the concern or employees of other service-disabled \n        Veteran-owned small business concerns;\n        2.  Supplies (other than acquisition from a nonmanufacturer of \n        the supplies), at least 50 percent of the cost of \n        manufacturing, excluding the cost of materials, will be \n        performed by the concern or other service-disabled Veteran-\n        owned small business concerns;\n        3.  General construction, at least 15 percent of the cost of \n        the contract performance incurred for personnel will be spent \n        on the concern\'s employees or the employees of other service-\n        disabled Veteran-owned small business concerns; or\n        4.  Construction by special trade contractors, at least 25 \n        percent of the cost of the contract performance incurred for \n        personnel will be spent on the concern\'s employees or the \n        employees of other service-disabled Veteran-owned small \n        business concerns.\n\n    As stated above, OI&T is currently conducting an internal review of \nthe Catapult contract. We expect this review to be complete by mid-\nJuly, and would appreciate the opportunity to provide a brief on our \nfindings when the review is complete.\n\n    Question 4: In your response to the Committee on the letter we sent \non March 25th inquiring about Open Source, you said that DoD\'s \nparticipation in Open Source VistA is not essential. 
Can you elaborate \non this?\n\n    Response: This question is now moot, as DoD has joined VA in \nsupport of the Open Source approach. Had DoD not joined in the Open \nSource approach, VA would have used the Open Source approach to \ndevelop and accomplish the changes necessary to VistA to move it \ntowards compliance with the integrated EHR (iEHR) architecture as \ndefined by VA and DoD. While this is still the plan, both DoD and VA \nexpect that the Open Source will be a viable way of identifying, \nselecting, and implementing modules of the iEHR that we jointly \nidentify.\n\n    Question 5: What is being done to balance the needs of IT security, \nwhile still having a common sense approach to meet needs of employees \nand veterans? (example: still do not have wireless Internet in VA \nfacilities because of security fears, even though the public hospitals \nall have them)\n\n    Response: Because of past events, VA clearly holds itself to a \nhigher standard than previous years for information security and \ninformation protection. OI&T is working hard to strike a balance \nbetween our information security needs and convenient network use, \nwhile providing the tools and access needed by employees and Veterans. \nOI&T\'s information security team has developed strong information \nsecurity controls on the wireless networks currently online in the \nhospitals with this capability. 
For medical centers without wireless \naccess, the current concern is resolving conflicts with wireless \nmedical devices, as well as the physical impediments to wireless access \nin large medical centers.\n    OI&T and VHA are currently piloting a program by a third party \nvendor to provide wireless Internet access in the lobby and waiting \nareas of medical centers for Veterans to use.\n\n                                 __________\n\n                                     Committee on Veterans\' Affairs\n                       Subcommittee on Oversight and Investigations\n                                                    Washington, DC.\n                                                       May 12, 2011\nMs. Belinda J. Finn\nAssistant Inspector General for Audits and Evaluations\nOffice of Inspector General\nU.S. Department of Veterans Affairs\n801 I Street, NW\nWashington, DC 20001\n\nDear Ms. Finn:\n\n    I would like to request your response to the enclosed questions for \nthe record I am submitting in reference to our House Committee on \nVeterans\' Affairs Subcommittee on Oversight and Investigations hearing \non Reboot: Examining VA\'s IT Strategy for the 21st Century on May 11, \n2011. Please answer the enclosed hearing questions and deliverables by \nno later than Wednesday, June 22, 2011.\n    In an effort to reduce printing costs, the Committee on Veterans\' \nAffairs, in cooperation with the Joint Committee on Printing, is \nimplementing some formatting changes for material for all full \nCommittee and Subcommittee hearings. Therefore, it would be appreciated \nif you could provide your answers consecutively on letter size paper, \nsingle-spaced. In addition, please restate the question in its entirety \nbefore the answer.\n    Due to the delay in receiving mail, please provide your response to \nMs. Orfa Torres by fax at (202) 225-2034. 
If you have any questions, \nplease call (202) 225-9756.\n            Sincerely,\n\n                                                       Joe Donnelly\n                                                     Ranking Member\n    MH/ot\n\n                                 __________\n\n                                U.S. Department of Veterans Affairs\n                                                    Washington, DC.\n                                                      June 13, 2011\nThe Honorable Joe Donnelly\nRanking Member\nSubcommittee on Oversight and Investigations\nCommittee on Veterans\' Affairs\nUnited States House of Representatives\nWashington, DC 20515\n\nDear Congressman Donnelly:\n\n    This is in response to your May 12, 2011, letter following the May \n11, 2011, hearing on Reboot: Examining VA\'s IT Strategy for the 21st \nCentury. Enclosed are our responses to the additional hearing \nquestions.\n    Thank you for your interest in the Department of Veterans Affairs.\n            Sincerely,\n\n                                                    GEORGE J. OPFER\n                                                  Inspector General\n    Enclosure\n\n                               __________\n\n                   Questions for the Record from the\n              Subcommittee on Oversight and Investigations\n                     Committee on Veterans\' Affairs\n                 United States House of Representatives\n                               Hearing on\n        Reboot: Examining VA\'s IT Strategy for the 21st Century\n    Question 1: From a VA OIG perspective, what steps has VA taken to \nimprove its ability to manage information technology (IT) projects?\n\n    Response: VA\'s Office of Information and Technology (OI&T) \nrecognized that it has issues with its program management abilities to \nensure that IT development efforts are successful. 
To manage this \nshortfall, OI&T established the Project Management Accountability \nSystem (PMAS), a performance based management discipline that requires \nfrequent delivery (at least every 6 months) of IT functionality. PMAS \nis currently schedule-driven, allowing for flexibility in project scope \nand functionality to ensure the schedule can be met. Under PMAS, three \nconsecutive failures (``3 strikes\'\') to meet a scheduled project \ndeliverable will result in a project being ``paused.\'\' At the \n``paused\'\' stage, the project is assessed to determine if it should be \ncontinued or terminated. PMAS also includes a red flag process which \nallows anyone associated with a project to elevate project-related \nissues to senior level officials so that they can take corrective \nactions quickly.\n    Further, OI&T is emphasizing Agile versus a traditional software \ndevelopment methodology, in which a project moves sequentially through \nconcept, design, testing, and implementation phases. Agile is an \niterative and incremental software development methodology that allows \nfor requirements and solutions to evolve through team collaboration and \ninteraction. Agile is intended to accomplish the following:\n\n        *  Emphasize teamwork.\n        *  Promote a disciplined project management process that \n        encourages frequent inspection and adaptation by breaking tasks \n        into small increments with minimal planning.\n        *  Complement PMAS\' requirement for frequent delivery of \n        deployable IT system functionality.\n\n    Question 2: Can you explain the purpose of your current PMAS audit?\n\n    Response: We are assessing whether OI&T has taken appropriate steps \nin implementing PMAS. 
Our audit will determine whether:\n\n        *  An adequate plan was in place for PMAS \n        implementation.\n        *  Resources are available and assigned to carry out \n        PMAS.\n        *  PMAS staff roles and responsibilities have been \n        defined.\n        *  PMAS Dashboard data for monitoring project status and \n        progress are reliable.\n        *  Controls such as oversight reviews, cost tracking \n        mechanisms, and step-by-step guidance are in place to ensure \n        projects are not only meeting schedule, but also cost and \n        performance goals.\n\n    These areas reflect issues we have historically identified in other \naudits of OI&T system development initiatives.\n\n    Question 3: Do you see problems with PMAS\' incremental delivery and \nmanaging development projects to schedule?\n    Yes. Stakeholders have expressed concerns about disrupted \noperations when they do not receive planned functionality on time and \nthe time it may take to produce all the required functionality under \nthe incremental delivery approach. Further, the potential exists that \nonce functionality is fully delivered it may be obsolete.\n    For example, we reported, in our audit of the Post-9/11 GI Bill \nLong Term Solution (LTS), that managing a project primarily to schedule \nmay be at the risk of performance and cost (Audit of VA\'s \nImplementation of the Post-9/11 GI Bill Long Term Solution, September \n30, 2010). During certain phases of LTS development, the project met \nschedule, but did not provide the originally intended functionality. 
\nThe project did not receive a strike even though the functionality \ndelivered was significantly less than planned.\n\n                                 __________\n\n                                     Committee on Veterans\' Affairs\n                       Subcommittee on Oversight and Investigations\n                                                    Washington, DC.\n                                                       May 12, 2011\nMr. Joel Willemssen\nManaging Director, Information Technology\nU.S. Government Accountability Office\nGovernment Accountability Office\n441 G St., NW\nWashington, DC 20548\n\nDear Mr. Willemssen:\n\n    I would like to request your response to the enclosed question for \nthe record I am submitting in reference to our House Committee on \nVeterans\' Affairs Subcommittee on Oversight and Investigations hearing \non Reboot: Examining VA\'s IT Strategy for the 21st Century on May 11, \n2011. Please answer the enclosed hearing questions and deliverables by \nno later than Wednesday, June 22, 2011.\n    In an effort to reduce printing costs, the Committee on Veterans\' \nAffairs, in cooperation with the Joint Committee on Printing, is \nimplementing some formatting changes for material for all full \nCommittee and Subcommittee hearings. Therefore, it would be appreciated \nif you could provide your answers consecutively on letter size paper, \nsingle-spaced. In addition, please restate the question in its entirety \nbefore the answer.\n    Due to the delay in receiving mail, please provide your response to \nMs. Orfa Torres by fax at (202) 225-2034. If you have any questions, \nplease call (202) 225-9756.\n            Sincerely,\n\n                                                       Joe Donnelly\n                                                     Ranking Member\n    MH/ot\n\n                               __________\n\n                              U.S. 
Government Accountability Office\n                                                    Washington, DC.\n                                                      June 22, 2011\nThe Honorable Joe Donnelly\nRanking Member\nSubcommittee on Oversight and Investigations\nCommittee on Veterans\' Affairs\nHouse of Representatives\n\n    Subject: Reboot: Examining the Department of Veterans Affairs \nInformation Technology Strategy for the 21st Century\n\n    This letter responds to your recent question related to our May 11, \n2011, testimony on the Department of Veterans Affairs\' (VA) ongoing \ninformation technology (IT) management challenges.\\1\\ At that hearing, \nwe discussed VA\'s weaknesses in managing its IT resources, particularly \nin the areas of systems development, information security, and \ncollaboration with the Department of Defense (DoD) on efforts to meet \ncommon health system needs. Your question, along with our response, \nfollows.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Information Technology: Department of Veterans Affairs \nFaces Ongoing Management Challenges, GAO-11-663T (Washington, D.C.: May \n11, 2011).\n---------------------------------------------------------------------------\n    In your opinion, what specific actions does the VA IT office need \nto focus on to capitalize on current technologies available?\n    VA can take a number of specific actions to capitalize on available \nIT. 
As discussed in our prior reports and summarized in our recent \ntestimony,\\2\\ the following actions could help VA address challenges in \nimproving system development, strengthening information security, and \nincreasing collaboration with DoD.\n---------------------------------------------------------------------------\n    \\2\\ GAO-11-663T.\n---------------------------------------------------------------------------\n    Improve system development: VA has historically experienced \nsignificant IT system development difficulties and can improve two \nprojects that have yielded mixed results. For its outpatient \nappointment scheduling project, which spent an estimated $127 million \nover 9 years without implementing any of the planned capabilities, the \ndepartment can improve its acquisition plans, identify complete system \nrequirements, adhere to system testing guidance, increase earned value \nmanagement data reliability, manage project risks, and provide \neffective oversight.\\3\\ Additionally, although VA has partially \ndelivered new system capabilities to process education benefits \nprovided under the Post-9/11 GI Bill, the department can improve its \neffort to complete the system. 
In particular, to guide the full \ndevelopment and implementation of the new system, VA can create project \nperformance measures, establish traceability between system \nrequirements and legislation, define criteria for what constitutes the \nsystem being ``done,\'\' improve system testing, and implement a project \noversight tool.\n---------------------------------------------------------------------------\n    \\3\\ GAO, Information Technology: Management Improvements Are \nEssential to VA\'s Second Effort to Replace Its Outpatient Scheduling \nSystem, GAO-10-579 (Washington, D.C.: May 27, 2010).\n---------------------------------------------------------------------------\n    Strengthen information security: Effective information security is \nessential to securing the systems and information on which VA depends \nto carry out its mission. Without proper safeguards, the department\'s \nsystems are vulnerable to individuals and groups with malicious intent \nwho can intrude and use their access to obtain sensitive information, \ncommit fraud, disrupt operations, or launch attacks against other \ncomputer systems and networks. In recent years, VA has reported an \nincreasing number of security incidents and events. The department can \nimprove its security posture by implementing the recommendations of its \nOffice of Inspector General for strengthening access controls, \nconfiguration management, change management, and service continuity. 
\nAlso, the department can fully implement the requirements of the \nFederal Desktop Core Configuration (FDCC) initiative, including \nimplementing a baseline set of configuration settings, acquiring and \ndeploying an FDCC compliance tool, and implementing a policy to monitor \ncompliance.\\4\\ Additionally, VA should ensure that any use of cloud \ncomputing that the department undertakes includes implementation of \nappropriate information security controls.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Information Security: Agencies Need to Implement Federal \nDesktop Core Configuration Requirements, GAO-10-202 (Washington, D.C.: \nMarch 12, 2010).\n---------------------------------------------------------------------------\n    Increase collaboration with DoD: VA and DoD have two of the \nNation\'s largest health care operations, providing health care to 6 \nmillion veterans and 9.6 million active duty servicemembers and their \nbeneficiaries at estimated annual costs of about $48 billion and $49 \nbillion, respectively. Although the results of a 2008 study found that \nmore than 97 percent of functional requirements for an inpatient \nelectronic health record system are common to both departments, VA and \nDoD face barriers to identifying and implementing efficient and \neffective IT solutions to jointly address their common health care \nsystem needs. Thus, we have recommended several actions that VA can \ntake, in conjunction with DoD, to overcome the barriers they face as \nthey modernize their electronic health record systems. 
We specifically \nrecommended that the departments improve their strategic planning, \nfurther develop their joint health architecture, and define and \nimplement a process for identifying and selecting joint IT \ninvestments.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ GAO, Electronic Health Records: DoD and VA Should Remove \nBarriers and Improve Efforts to Meet Their Common System Needs, \nGAO-11-265 (Washington, D.C.: February 2, 2011).\n---------------------------------------------------------------------------\n    In summary, these actions are intended to address the challenges VA \nfaces in improving system development, strengthening information \nsecurity, and increasing collaboration with DoD and could help the \ndepartment better capitalize on IT.\n    To respond to this question, we relied on previously reported \ninformation, as well as information collected through follow-up with \nthe department. The work supporting these reports was conducted in \naccordance with generally accepted government auditing standards. These \nstandards require that we plan and perform the audit to obtain \nsufficient, appropriate evidence to provide a reasonable basis for our \nfindings and conclusions based on our audit objectives. We believe that \nthe evidence obtained provides a reasonable basis for our findings and \nconclusions based on our audit objectives.\n    Should you or your office have any questions on matters discussed \nin this letter, please contact me at (202) 512-6253 or \nwillemssenj@gao.gov.\n            Sincerely yours,\n\n                                                 Joel C. 
Willemssen\n                          Managing Director, Information Technology\n\n                                 <all>\n</pre></body></html>\n'