<html>
<title> - HOW SECURE IS VETERANS' PRIVACY INFORMATION?</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


 
              HOW SECURE IS VETERANS' PRIVACY INFORMATION?

=======================================================================

                                HEARING

                               before the

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 of the

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                         TUESDAY, JUNE 4, 2013

                               __________

                           Serial No. 113-21

                               __________

       Printed for the use of the Committee on Veterans' Affairs



                                 ______

                   U.S. GOVERNMENT PRINTING OFFICE 
82-237                     WASHINGTON : 2014
____________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]

                     COMMITTEE ON VETERANS' AFFAIRS

                     JEFF MILLER, Florida, Chairman

DOUG LAMBORN, Colorado               MICHAEL H. MICHAUD, Maine, Ranking 
GUS M. BILIRAKIS, Florida            Minority Member
DAVID P. ROE, Tennessee              CORRINE BROWN, Florida
BILL FLORES, Texas                   MARK TAKANO, California
JEFF DENHAM, California              JULIA BROWNLEY, California
JON RUNYAN, New Jersey               DINA TITUS, Nevada
DAN BENISHEK, Michigan               ANN KIRKPATRICK, Arizona
TIM HUELSKAMP, Kansas                RAUL RUIZ, California
MARK E. AMODEI, Nevada               GLORIA NEGRETE MCLEOD, California
MIKE COFFMAN, Colorado               ANN M. KUSTER, New Hampshire
BRAD R. WENSTRUP, Ohio               BETO O'ROURKE, Texas
PAUL COOK, California                TIMOTHY J. WALZ, Minnesota
JACKIE WALORSKI, Indiana

            Helen W. Tolar, Staff Director and Chief Counsel

                                 ______

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                    MIKE COFFMAN, Colorado, Chairman

DOUG LAMBORN, Colorado               ANN KIRKPATRICK, Arizona, Ranking 
DAVID P. ROE, Tennessee              Minority Member
TIM HUELSKAMP, Kansas                MARK TAKANO, California
DAN BENISHEK, Michigan               ANN M. KUSTER, New Hampshire
JACKIE WALORSKI, Indiana             BETO O'ROURKE, Texas
                                     TIMOTHY J. WALZ, Minnesota

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.


                            C O N T E N T S

                               __________

                              June 4, 2013

How Secure Is Veterans' Privacy Information?

                           OPENING STATEMENTS

Hon. Mike Coffman, Chairman, Subcommittee on Oversight and 
  Investigations
    Prepared Statement of Hon. Coffman
Hon. Ann Kirkpatrick, Ranking Minority Member, Subcommittee on 
  Oversight and Investigations
    Prepared Statement of Hon. Kirkpatrick
Hon. Jackie Walorski, Member, Committee on Veterans' Affairs, 
  U.S. House of Representatives, Prepared Statement only

                               WITNESSES

Linda A. Halliday, Assistant Inspector General for Audits and 
  Evaluations, Office of Inspector General, U.S. Department of 
  Veterans Affairs
    Prepared Statement of Ms. Halliday
    Accompanied by:

      Ms. Sondra McCauley, Deputy Assistant Inspector General for 
          Audits and Evaluations, Office of Inspector General, 
          U.S. Department of Veterans Affairs
      Mr. Michael Bowman, Director, Information Technology and 
          Security Audits Division, Office of Inspector General, 
          U.S. Department of Veterans Affairs
Stephen W. Warren, Acting Assistant Secretary for Information and 
  Technology, U.S. Department of Veterans Affairs
    Prepared Statement of Mr. Warren
    Accompanied by:

      Mr. Stan Lowe, Deputy Assistant Secretary for Information 
          Security, Office of Information and Technology, U.S. 
          Department of Veterans Affairs
Jerry L. Davis, Former Deputy Assistant Secretary for Information 
  Security, Office of Information and Technology, U.S. Department 
  of Veterans Affairs
    Prepared Statement of Mr. Davis
    Executive Summary of Mr. Davis

                        QUESTIONS FOR THE RECORD

Letter From: Hon. Coffman, Chairman, Subcommittee on Oversight & 
  Investigations, To: U.S. Department of Veterans Affairs
Questions From: Hon. Coffman, To: U.S. Department of Veterans 
  Affairs
Questions From: Hon. Huelskamp, To: U.S. Department of Veterans 
  Affairs
Questions and Responses From: U.S. Department of Veterans Affairs


              HOW SECURE IS VETERANS' PRIVACY INFORMATION?

                         Tuesday, June 4, 2013

             U.S. House of Representatives,
                    Committee on Veterans' Affairs,
              Subcommittee on Oversight and Investigations,
                                                   Washington, D.C.
    The Subcommittee met, pursuant to notice, at 2:50 p.m., in 
Room 334, Cannon House Office Building, Hon. Mike Coffman 
[Chairman of the Subcommittee] presiding.
    Present: Representatives Coffman, Lamborn, Roe, Huelskamp, 
Walorski, Kirkpatrick, O'Rourke, and Walz.

             OPENING STATEMENT OF CHAIRMAN COFFMAN

    Mr. Coffman. Good afternoon. I would like to welcome 
everyone to today's hearing titled ``How Secure is Veterans' 
Private Information?'' Reports from VA's Office of Inspector 
General, private inspector consultants brought on by VA, and 
this Subcommittee's own investigation have revealed tremendous 
problems within VA's Office of Information and Technology. Some 
of these issues have been made public in the Inspector General 
reports which outline mismanagement of human measures and the 
lack of much-needed technical expertise.
    Other issues have been less publicized, such as those 
captured in the Deloitte, quote/unquote, ``DeepDive'' that 
identified gaps in OI&T's organizational structure and a poorly 
executed business model. The latter report recognized the 
growth of VA by 33 percent since 2006, growth that is mirrored 
by the expansion of VA's computer network. Unfortunately, there 
has not been a comparable growth in the technical personnel 
needed to manage security of VA's sprawling network.
    These failures have created problems for both the 
Department and for veterans. The Inspector General 
substantiated that VA was transmitting sensitive data, 
including personally identifiable information and internal 
network routing information, over an unencrypted 
telecommunications carrier network, both violations of Federal 
regulation and basic IT security. The IG also noted that VA has 
not implemented technical configuration controls to ensure 
encryption of sensitive data, despite VA and Federal 
information security requirements.
    Similarly, it is evident that software patches are not up-
to-date across the network, too many users have administrative 
access, security software is not up-to-date on older computers, 
and computer ports are not properly secured. There is little to 
no security of file transfer protocol and Web pages are 
vulnerable, allowing unauthorized access to veterans' 
unprotected personal information within the system.
    While these issues alone give cause for grave concern, this 
Subcommittee's investigation has identified even greater 
problems. The entire veteran database in VA, containing 
personally identifiable information on roughly 20 million 
veterans, is not encrypted, and evidence suggests that it has 
repeatedly been compromised since 2010 by foreign actors, 
including China and possibly by Russia.
    Recently, the Subcommittee discussed VA's authorization to 
operate, a formal declaration that authorizes operation of a 
product on VA's network which explicitly accepts the risk to 
agency operators and was told that, quote, ``VA's secrecy 
posture was never at risk,'' unquote. In fact, VA's security 
posture has been an unacceptable risk for at least 3 years as 
sophisticated actors use weaknesses in VA's security posture to 
exploit the system and remove veterans' information and system 
passwords. While VA knew foreign intruders had been in the 
network, the Department was never sure what exactly these 
foreign actors took because the outgoing data was encrypted by 
the trespassers.
    These actors have had constant access to VA systems and 
data, information which included unencrypted databases 
containing hundreds of thousands to millions of instances of 
veterans' information, such as veterans' and dependents' names, 
Social Security numbers, dates of birth, and protected health 
information. Notwithstanding these problems, VA has waived or 
arbitrarily extended accreditation of its security system on 
its network. It is evident that VA's waivers or extensions of 
accreditation only appear to resolve material weaknesses 
without actually resolving those weaknesses.
    VA's IT management knowingly accepted the security risk by 
waiving the security requirements even though such waivers are 
not appropriate. This lapse in computer security and the 
subsequent attempts by VA officials to conceal this problem are 
intolerable, and I look forward to a candid discussion about 
these issues.
    I now yield to Ranking Member Kirkpatrick for her opening 
statement.

    [The prepared statement of Chairman Coffman appears in the 
Appendix]

           OPENING STATEMENT OF HON. ANN KIRKPATRICK

    Mrs. Kirkpatrick. Thank you, Mr. Chairman.
    As the Department of Veterans Affairs works hard to serve 
the needs of today's veterans, they must work equally hard to 
protect their personal information. Today's hearing is an 
attempt to determine whether a veteran's private information is 
secure.
    Mr. Chairman, veterans need to know that when they ask the 
VA for services and benefits that they have earned, the 
information they submit in order to get those benefits will not 
be compromised under any circumstances. I hope that the VA came 
prepared today to provide assurances to Congress and veterans 
that their information technology systems are secure. We expect 
VA to also answer our questions directly and honestly. As we 
get questions from veterans in our district, we want to provide 
complete and honest answers to them.
    Congress received a letter from Mr. Jerry L. Davis, now a 
former employee at the VA, who states that, quote, ``There is a 
clear and present danger and risk of exposure and compromise of 
sensitive data,'' end quote.
    Mrs. Kirkpatrick. I share the Chairman's concern on whether 
VA is following the required government practices and policies 
regarding the monitoring and remediation of system risk.
    Two OIG reports, from 2012 and 2013, raised additional 
concerns. The 2012 report questions whether the agency has the 
proper strategic human capital management program to meet 
mission-critical system capabilities as the VA moves into the 
21st century. The second, 2013, OIG report faults VA for 
failing to secure private information by not encrypting health 
data transmitted to outpatient clinics and external business 
partners. The VA must address the concerns raised and assure 
veterans who come to the VA for assistance that their personal 
information is secure.
    I want to thank everyone for being here today. I would also 
like to thank the witnesses for their testimony and for 
answering questions about the security of veterans' private 
information at the Department of Veterans Affairs.
    Thank you, Mr. Chairman. I yield back.

    [The prepared statement of Hon. Kirkpatrick appears in the 
Appendix]

    Mr. Coffman. Thank you, Ranking Member Kirkpatrick.
    I would now like to welcome our first panel to the witness 
table. On this panel we will hear from Ms. Linda Halliday, 
Assistant Inspector General for Audits and Evaluations from the 
VA's Office of Inspector General. Accompanying Ms. Halliday is 
Ms. Sondra McCauley, Deputy Assistant Inspector General for 
Audits and Evaluations, and Mr. Michael Bowman, Director of the 
Information Technology and Security Audits Division.
    Before I recognize the panel, I ask that you please rise 
and raise your right hand.
    [Witnesses sworn.]
    Mr. Coffman. Ms. Halliday, you are now recognized for 5 
minutes.

TESTIMONY OF LINDA A. HALLIDAY, ASSISTANT INSPECTOR GENERAL FOR 
   AUDITS AND EVALUATIONS, OFFICE OF INSPECTOR GENERAL, U.S. 
DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY SONDRA MCCAULEY, 
DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS AND EVALUATIONS, 
   OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS 
 AFFAIRS, AND MICHAEL BOWMAN, DIRECTOR, INFORMATION TECHNOLOGY 
AND SECURITY AUDITS DIVISION, OFFICE OF INSPECTOR GENERAL, U.S. 
                 DEPARTMENT OF VETERANS AFFAIRS

    Ms. Halliday. Mr. Chairman and Members of the Subcommittee, 
thank you for the opportunity to testify on VA's security of 
veterans' private information. With me today are Ms. Sondra 
McCauley, my deputy, and Mr. Michael Bowman, the Director of 
the OIG's Information Technology Security Division.
    Secure systems and networks are essential to VA's programs 
and operations for delivering benefits and services to our 
Nation's veterans, yet OIG reports continue to disclose a 
pattern of ineffective information security which places VA at 
unnecessary risk. For more than 10 consecutive years, our 
consolidated financial statement audit reports have identified 
IT security as a material weakness.
    We also perform annual reviews of VA's compliance with the 
requirements of the Federal Information Security Management 
Act, known as FISMA. This act serves as a catalyst for 
developing the framework to protect agency IT systems and 
sensitive information.
    As last year's FISMA audit progressed, we did note VA 
focused more efforts to standardize information security 
controls. Mid-year in 2012, VA initiated CRISP, the Continuous 
Readiness and Information Security Program, to ensure year-
round monitoring and to establish a team responsible for 
resolving the IT material weakness. However, CRISP was not in 
place long enough to adequately improve the material weakness 
for last year's FISMA report. The report will be issued this 
month and will include 32 recommendations for improving VA's 
information security program.
    We found repeat weaknesses and vulnerabilities in four key 
areas. In the area of system access, we found password 
standards that were not consistently implemented and user 
accounts that were not enforcing minimal access privileges.
    In the area of configuration management, we found critical 
systems lacked appropriate baseline controls and up-to-date 
vulnerability patches. Also, the policies and procedures for 
authorizing, testing, and approval of system changes were not 
consistently implemented.
    In the area of security management, VA still had to address 
about 4,000 outstanding security vulnerabilities. We found its 
risk assessments and security plans were outdated and in some 
instances were not consistently put in place to reflect VA's 
current IT environment or Federal standards.
    In the fourth area, contingency planning, we found some 
plans were not fully tested or updated, and in addition, backup 
tapes were not always encrypted prior to being sent to offsite 
storage. More importantly, we continue to identify significant 
technical weaknesses in databases, servers, network devices 
supporting sensitive data exchanges among VA facilities. Many 
of these weaknesses are due to inconsistent program enforcement 
and ineffective communication between VA management and field 
offices.
    In addition to FISMA, OIG projects over the past 2 years 
have identified information security deficiencies, placing 
sensitive veterans data at risk of unauthorized access, loss, 
or disclosure. Specifically, we reported on a broad range of 
security concerns, including VA's transmission of sensitive 
data and internal network routing information over an 
unencrypted carrier network, and VA's external data-sharing 
agreements and system interconnections which resulted in 
unsecured electronic and hard copy data at VA medical centers 
and co-located research facilities. We reported that 48 percent 
of VA's 400,000 encryption software licenses, valued at about 
$5.1 million, remained unused, leaving VA computers vulnerable. 
And we reported on a backlog of personnel background checks 
which were inappropriately prohibiting some 3,000 contractors 
from working on awarded contracts.
    In summary, our audit reports and findings and 
recommendations provide a roadmap for VA to improve its 
information security program, and VA needs to focus on 
addressing previously reported security issues related to the 
IT material weakness, they need to remediate high-risk system 
issues in their Plans of Actions and Milestones, and they need 
to establish effective processes for continuous monitoring and 
to perform vulnerability assessments.
    Mr. Chairman, this concludes my statement, and we would be 
happy to answer any questions you or the Subcommittee may have.

    [The prepared statement of Linda A. Halliday appears in the 
Appendix]
    Mr. Coffman. Thank you, Ms. Halliday.
    How effective are VA facilities with protecting sensitive 
veteran data?
    Ms. Halliday. Well, based on our oversight, we're 
continuing to find information security vulnerabilities at 
almost every VA medical center we visit. We visit 20 to 30 
VAMCs a year as part of our FISMA work and we consistently find 
problems. The types of vulnerabilities include weak passwords, 
missing software patches, lack of software updates, excessive 
permissions, and unnecessary user accounts left on the system.
    Mr. Coffman. What are the foremost reasons why, after all 
this time, information security is still a major concern at the 
VA?
    Ms. Halliday. I would say that ineffective access controls, 
ineffective configuration management controls, I think 
ineffective management of systems interconnection and 
inadequate contractor oversight would be a fourth major reason.
    Mr. Coffman. Ms. Halliday, based on your ongoing oversight 
work, is VA likely to get rid of its IT security material 
weaknesses this year?
    Ms. Halliday. At this point it is too early to conclude. We 
do expect that the CRISP initiative, which is starting to 
provide continuous monitoring, will be in place for the entire 
12 months of this fiscal year 2013 FISMA review. Our concern, 
while we're seeing weaknesses occur with less frequency, they 
are still occurring and they are repeat occurrences and 
vulnerabilities that we have reported on in fiscal year 2012 
and earlier years.
    Mr. Coffman. What are VA's most significant risks related 
to adequately protecting its systems and sensitive data?
    Ms. Halliday. The first would probably be ineffective 
access controls. That's where critical systems had accounts 
with default passwords that were considered weak passwords, 
i.e. easy to guess. User accounts with access rights that were 
not appropriate. In other words, you want to make sure that all 
users have a need for that information and that they have a 
security level appropriate to that need. We also identify 
unsecured electronic and hard copy research data at VA medical 
centers and co-located research facilities.
    So that covers access controls. Then we have inconsistent 
configuration management controls. Systems include key 
databases supporting critical applications, but they are not 
patched timely or secured and configured to mitigate previously 
known information vulnerabilities. We have ineffective 
management of system interconnections. That's VA sensitive data 
such as health records and internal Internet protocol 
addresses. They are transmitted between VA medical centers and 
the community-based outpatient clinics using unencrypted 
protocols. And then access control and configuration 
management. These are all very significant risks that VA faces.
    As far as inadequate contractor oversight, contractors 
without the appropriate security clearances are gaining access 
to some VA mission critical systems, and we did a report on not 
having security clearances in place before gaining access to 
the systems with contractors.
    Mr. Coffman. Moving forward, what steps can VA take to 
prevent the loss of sensitive data?
    Ms. Halliday. I think VA really needs to improve its 
continuous monitoring process to ensure all the controls are 
operating as intended, and it needs to address the external 
organizations that it works with to make sure that they are 
adequately protecting sensitive veteran data in accordance with 
the VA policy and FISMA requirements. VA needs to ensure all 
service provider contracts include provisions to implement 
information security protections in accordance with their 
policies and procedures.
    Mr. Coffman. Thank you.
    Ranking Member Kirkpatrick.
    Mrs. Kirkpatrick. You testified that there's a 10-year 
period of weakness and vulnerability. So there was a report 
given to the VA year after year after year. In that 10-year 
span, did you see an increase in vulnerability and weakness? A 
decrease? Can you quantify that for me over that 10-year 
period?
    Ms. Halliday. We do an audit of VA's consolidated financial 
statements annually and our contractors look at all of the 
controls associated with information security. They have felt 
that it has been a material weakness in VA for 10 full years.
    Mrs. Kirkpatrick. Has it been the same level of weakness 
and vulnerability? What I mean is, has it been getting worse 
for a while or has it gotten better?
    Ms. Halliday. I don't think you ever get the exact same 
level of vulnerability. I think our concern, we report out on 
these various problems based on the testing. A couple years 
ago, VA's Plan of Actions and Milestones addressing security 
vulnerabilities was almost at 15,000 items that were 
outstanding and unaddressed. This past year VA has gotten it 
down to about 4,000, but that's still 4,000 security weaknesses 
and vulnerabilities that haven't been addressed. It is too 
many.
    Mrs. Kirkpatrick. Do you think that the CRISP program is 
helping them address those vulnerabilities more quickly?
    Ms. Halliday. Based on the preliminary and early testing, 
yes. We are still seeing and identifying security weaknesses 
and vulnerabilities, but to a lesser extent than we've seen 
in the past. I would also have to say that VA is actively 
working with us to try and make sure that they understand what 
we are finding as part of our FISMA testing, understand the 
full scope so that they can put the right fixes in place.
    Mrs. Kirkpatrick. That was going to be one of my questions. 
When you issue a report, do you actually have a conversation 
with leadership at the VA about what needs to be implemented?
    Ms. Halliday. Absolutely.
    Mrs. Kirkpatrick. And is that on an ongoing basis?
    Ms. Halliday. Yes, it is. With this information security 
material weakness rising to the last material weakness in the 
Department's financial statements, the Secretary on down 
through his chain of command has had it on their radar. They 
are working very hard. And we have made sure that we have been 
communicating with the Department. For example, that if we 
employ certain tools in our oversight to scan their systems, 
they are also acquiring those same state-of-the-art tools. So I 
think that there is an effort there, and at least this year and 
part of last year the communications have been better between 
what OIG is doing in the field, finding, and getting it 
remediated.
    Mrs. Kirkpatrick. I have one last question. I have a 
concern in your audit report. You say that you are concerned 
with a lack of human resources, and your statement says OIT 
experienced vacancies and excessive turnover in key leadership 
positions responsible for OIT's strategic human capital 
management program. Could you tell the Committee a little bit 
more about that? What do you mean by excessive turnover?
    Ms. Halliday. I'm going to ask Sondra McCauley to take 
that.
    Mrs. Kirkpatrick. If you could just quantify that and give 
some reasons why you think that's happening.
    Ms. McCauley. Excessive turnover in terms of the leadership 
within OIT in terms of managing the program. Turnover in terms 
of the program managers and project managers needed to manage 
each specific project, if you will, as well as a reliance on 
contractors to do a lot of the jobs that we really need 
government personnel to do.
    Mrs. Kirkpatrick. And why do you think that there is that 
excessive turnover?
    Ms. McCauley. Some of it was attributed to a lack of 
planning, that is the need for a human capital plan to really 
focus in on the succession planning at the leadership level. 
But also to better identify the skills that were needed to help 
manage these IT programs, and what would be a better 
contractor-to-FTE ratio to manage the programs.
    Mrs. Kirkpatrick. Okay. Thank you. I yield back, Mr. 
Chairman.
    Mr. Coffman. Thank you, Ranking Member Kirkpatrick.
    Mr. Lamborn, you are recognized for 5 minutes.
    Mr. Lamborn. Thank you, Mr. Chairman. And before I ask my 
questions, I want to thank you, Mr. Chairman, for having this 
hearing. This is such an important topic. And there is so much 
going on here that I was frankly not really aware of and should 
have been, and we need to be aware what's going on. So thank 
you for your leadership. This is so critical.
    Ms. Halliday, I am stunned about what's going on here. And 
you said in your written testimony, ``Lacking proper 
safeguards, IT systems are vulnerable to intrusions by groups 
seeking to obtain sensitive information, commit fraud, disrupt 
operations, or launch attacks against other systems. VA has at 
times been the victim of such malicious intent.''
    Can you tell us what you know about these malicious attacks 
on the VA's sensitive information? Who committed these?
    Ms. Halliday. I will let Mr. Bowman speak to this one. It 
is in his area.
    Mr. Bowman. Thank you.
    We were informed of an intrusion by foreign countries 
through the Network Security Operations Center. The specifics 
of that, the foreign countries have actually compromised the 
domain controller and gained access to email accounts and were 
taking email information of the senior leadership at VA. The 
difficult part was, VA was unsure how the foreign countries 
gained access to the networks and what was actually being 
transmitted out of the VA networks back to the original source. 
That's the one that's most current that I'm aware of. We also 
reference 2006 with the stolen laptop and the loss of the 26 
million records. But those are the two main things that come to 
mind.
    As far as our ongoing FISMA work, we do continue to 
identify weaknesses with the critical databases that do host 
sensitive data, and the Web applications that are facing the 
Internet do have well-known vulnerabilities that could be 
exploited from the Internet. And these are ongoing from year-
to-year. So there are significant risks out there that are 
related to this.
    Mr. Lamborn. And why don't we know how much was taken?
    Mr. Bowman. A lot of it is having the right tools in place, 
such as intrusion-detection systems, and audit logs turned on. 
In some cases, VA doesn't have audit logs enabled, so it is 
unaware of how these systems have been infiltrated and what 
data has been captured and what has been transmitted. Good 
Intrusion Detection Systems on all the network segments are 
important to identify the attack signatures.
    Mr. Lamborn. Okay. What is the kind of sensitive 
information concerning a veteran like in my district back in 
Colorado Springs that could have been compromised?
    Mr. Bowman. It is more personal identifiable information 
that could be used to commit fraud. Let's say a malicious 
intruder gains access to a database and has the Social Security 
number, name, and the date of birth, they could use that to 
commit credit card fraud. And that's the main risk to veterans.
    Mr. Lamborn. And with the 20 or so million veterans who are 
on the system, the VA doesn't know how few or how many of their 
sensitive information like Social Security numbers have been 
compromised?
    Mr. Bowman. That's a potential risk.
    Mr. Lamborn. It could be all of them?
    Mr. Bowman. Yes, without having audit logging enabled, you 
don't know what has been compromised or how often those systems 
have been accessed in an unauthorized manner.
    Mr. Lamborn. Would either of you ladies like to add to what 
I've been asking?
    Ms. Halliday. No, I think Mike answered it perfectly.
    Mr. Lamborn. I'm just amazed at this. I mean, this is 
serious. And the VA has known about this for up to 10 years 
now?
    Mr. Bowman. We've reported significant vulnerabilities for 
well over 10 years, as indicated by the IT material weakness. 
In the last 5 years, we have increased our assessment of the 
security controls through our user vulnerability assessment 
tools, database tools, Web app tools, so we think our 
evaluation is more comprehensive. In the last 5 years, we've 
shown consistent vulnerabilities from year to year that put the 
VA systems at risk.
    Mr. Lamborn. And you mentioned potential state actors with 
malicious intent. Was that fairly recent that those attempts or 
those actions were detected?
    Mr. Bowman. I heard about that within the last year and a 
half.
    Mr. Lamborn. So there's a pattern of knowing about this for 
10 years leading up to a malicious capture of who knows how 
many Social Security numbers or other sensitive pieces of 
information of up to 20 million veterans within the last year 
and a half. Is that a proper understanding?
    Mr. Bowman. It is possible. We don't know.
    Mr. Lamborn. Thank you, Mr. Chairman. I yield back.
    Mr. Coffman. Thank you, Mr. Lamborn.
    Mr. O'Rourke for 5 minutes.
    Mr. O'Rourke. Thank you, Mr. Chair.
    For Ms. Halliday, I actually wanted to follow up on some 
questions Mr. Lamborn was asking. For a veteran back home in 
the districts we represent, specifically, have we seen any 
consequences that we've been able to document in terms of their 
information being stolen and used by someone who has broken 
into this system? And not necessarily in my district, but can 
you point to some examples of how this has affected people that 
we represent?
    Ms. Halliday. VA has an NSOC program where you report 
security incidents to them. They will prioritize it and start 
to work on the severity of those incidents. There is normally a 
good record then given of the facts of what happened and they 
will look at the controls and try to put the remediation in 
place. There are hundreds of incidents reported on an annual 
basis.
    Mr. O'Rourke. And can you take us through one to illustrate 
the consequences? For example, Social Security information was 
taken. They used that to impersonate that veteran to try to 
take benefits or to obtain credit cards or--
    Ms. Halliday. I do not have an example.
    Mr. O'Rourke. Okay. Let me just ask you or Mr. Bowman, do 
you know of examples that have been documented, specific 
consequences? I mean, I agree with what everyone has said so 
far, the overall problem and the threat represented by these 
security vulnerabilities is unacceptable and needs to be 
addressed and needs to be fixed, but I also want to understand 
the human dimension of this, what problems it has already 
caused for veterans, if any, if you've been able to document 
them. I am assuming there have been. So anyhow, that's 
something we would like to follow up on.
    Then I guess for Mr. Bowman, what's the expectation in 
terms of being able to address these? When should this 
Committee expect to hear back from Ms. Halliday at a future 
hearing that these findings and problems that have been 
uncovered have been addressed to our satisfaction and that we 
feel that we have a reasonable level of security, these threats 
have been closed, and we are now happy with that system? What's 
a date that you could point us towards?
    Mr. Bowman. VA plans to implement a fully developed 
continuous monitoring program within the next 6 to 8 months. 
Using that, they should have a better visibility of the 
security posture of their IT systems. We have 32 outstanding 
recommendations from our FISMA work that need to be addressed 
to improve the security posture. It will probably take VA well 
over a year, year and a half to get a good handle on that and 
address those issues.
    So if we could possibly convene maybe a year from now, VA 
may be able to communicate some significant progress in their 
IT security program; we will be able to communicate that as 
well.
    Mr. O'Rourke. And just to make sure that I understand what 
you just said, within 12 to 18 months those 32 recommendations 
would be implemented?
    Mr. Bowman. 
I don\'t know for sure, but I think that\'s a \nreasonable timeline if VA takes an aggressive approach for \nimproving its security program.\n    Mr. O\'Rourke. Okay.\n    Ms. Halliday. Sir, we just received the official comments \nfrom Mr. Warren on the 32 recommendations and the \nimplementation plans that they will deploy regarding those 32 \nrecommendations. There are various timeframes associated with \nthat. But our first conclusion will come at the end of this \nyear\'s audit of the consolidated financial statements as to \nwhether they would drop that material weakness or not, and all \nof the testing will be happening over the summer. So that \nreport is issued on November 15th, and it will assess whether \nthe material weakness remains or it drops to a significant \ndeficiency. At this point, since VA has not fully implemented \nits continuous monitoring, Mike is exactly correct that it is \nprobably going to take longer than a few months to take care of \nthis.\n    Mr. O\'Rourke. Okay. Thank you.\n    Mr. Chairman, I yield back.\n    Mr. Coffman. Thank you, Mr. O\'Rourke.\n    Dr. Roe for 5 minutes.\n    Mr. Roe. I thank the Chairman.\n    Ms. Halliday, thank you and your team for the excellent \nwork you\'ve done and certainly informing our Committee of the \nproblems. I guess my concern is, is that this mirrors and \npatterns many of the other hearings I\'ve been to where we can\'t \nseem to get the electronic health record fixed year after year, \nand it looks like that security is a problem year after year. \nWe just passed a bill in the House, CISPA.\n    Most of us in this room have been to classified briefings \non the security risks that this country has from outside bad \nactors. And I\'ve got to go home this weekend, as every member \nup here does, and when this information gets out, veterans are \ngoing to come to me, there are many veterans sitting right up \nhere at this dais, and they are going to say, are my records \nsecure? 
And I\'m going to have to look them in the eye and say, \nno, they are not, from what I\'ve heard. And that\'s not a very \nacceptable answer, especially after 10 years, and especially \nafter we know the risks in the government.\n    You haven\'t looked at every other phase, but do other \ndepartments in the U.S. Government share these same problems? \nIn other words, is this a systemic-wide problem across \ngovernment or is this just VA specific? And you may not be able \nto answer that question.\n    Ms. Halliday. I can\'t give you a definitive answer, but it \nis a problem for those agencies that are dealing with privacy-\ntype information.\n    Mr. Roe. You know, we\'ve been asked as a Congress, we\'ve \nbeen instructed in private that it is a severe problem for \nbusiness. We\'ve been asked to look at some privacy issues about \nhow you--and we have a department of government that\'s not even \ndoing what we\'re asking business to do right now.\n    I think there are a couple of things that I would like to \nask just briefly, and government-wide we don\'t know. How will \nwe know that when we do go home, when can we say that this \ninformation will be secure? And we certainly know how when you \nsteal private information, whether it is through somebody \ngetting your debit card number or whatever, what it is used \nfor, it is basically just to steal from you. So is that it, \njust mainly you think, or is it access to other government \nagencies through the VA? Is this the back door to some other \nagencies?\n    Ms. Halliday. When we can say that the security of veterans \ninformation has been taken care of, I think will be at the \npoint when VA addresses all the recommendations in the reports \nthat we have made with regards to FISMA. We\'ve given them a \nroadmap to fix things. 
It is such a decentralized organization \nthat they have to bring a culture of accountability, personal \naccountability for every action, and they need to make sure \nthey have a consistent implementation of the policies and \nprocedures. We don\'t quite see that yet with the FISMA testing \nor the testing done as part of the consolidated financial \nstatements.\n    Mr. Roe. Let\'s say you go to a VA medical center somewhere, \nand you mentioned that some of the software wasn\'t up to date, \npasswords, you can figure it out, 111, whatever, four 1s in a \nrow, whatever. Who is responsible for that and what penalty is \nit if you don\'t do anything?\n    Ms. Halliday. The responsibility lies with the CIO in the \nDepartment of Veterans Affairs and it tiers down through that \norganization.\n    Mr. Roe. Okay. When a breach occurs, what does VA do then? \nWhen you know you\'ve been hacked or there is an attempt. Let\'s \nsee you haven\'t been breached, but you know that your firewall \nhas been pinged, what do you do?\n    Ms. Halliday. You assess the severity of it based on the \nfacts you can determine. You get a team together to look at how \nto fix whatever controls are needed to be fixed related to what \nhappened. And VA has been trying to do that, but they have a \nsignificant number of security incidents.\n    Mr. Roe. And I\'m thinking, I am a veteran, I\'m sitting here \nthinking okay, we\'ve lost a laptop computer with 20 million \nbits of information on it and the system is not secure now. \nThat doesn\'t give me a lot of confidence if I go to the VA to \nhand over my Social Security number and all that.\n    Ms. Halliday. Right. 
VA did mandate cybersecurity and \nprivacy awareness training nationwide to bring down a level of \npersonal accountability to every individual that\'s doing work \nand touching veteran-sensitive information to make sure it \nbrought accountability to this process and requires individuals \nto sign a statement that they will protect the veteran\'s \ninformation. So that is a step in the right direction.\n    Mr. Roe. Ms. Halliday, thank you. And I think we have our \nmarching orders, and we will hear from the other two panels. \nBut I think in 12 months we should be able to sit here, or \nless, and be able to look our veterans in the eye and say to \nthem that your information is as secure as we can do it. I \nunderstand there is nothing that\'s 100 percent, I got that. But \nit is relatively secure. Am I correct in that?\n    Ms. Halliday. Absolutely. Both the prior VA Secretary and \nthe current have asked for the gold standard in protecting VA\'s \nveterans information, and I think the expectation should be \nnothing less.\n    Mr. Roe. Thank you, Mr. Chairman. I yield back.\n    Mr. Coffman. Mr. Walz for 5 minutes.\n    Mr. Walz. Thank you, Mr. Chairman.\n    Ms. Halliday and your team, thank you once again for \ncoming.\n    Again, we have been through these hearings and we listen to \nthem. I guess the part I\'m getting at is, and many of us, \nmyself included, I\'ve been advocating for more sharing of data, \nespecially between DoD and VA, been advocating for being able \nto get some of that information to some of our partners, like \nthe county veteran service officers, to help with claim \nprocessing, been advocating for bringing private medical data \ninto the system to help speed the claims process.\n    With that being said, with the VA and its research \npartners, how do they do the formal agreements between them? 
\nAnd I guess the point I\'m getting at here is, is this issue \nwe\'re addressing--and I would assume you have lots of contact \nwith your private sector counterparts and best practices--this \nvery same thing happens in the private sector, correct, but \nthere\'s no requirement for them to report when there is a \nbreach. Is that correct?\n    Ms. Halliday. Pretty much, yes.\n    Mr. Walz. How are these agreements done and if there\'s a \nbreach at a research institution on the private sector side, \nhow do we know they are reporting that breach back and who is \nultimately responsible in those agreements?\n    Ms. Halliday. Basically, you need a formal agreement that \noutlines the roles and responsibilities of both the external \npartner and VA. In that particular instance, we see some real \ninconsistencies and some of these agreements are not being put \nin place.\n    The second you would like to do is make sure that, whatever \narrangement VA is entering into, that organization has \ncommensurate controls with VA so that they can adhere to VA\'s \npolicies and procedures.\n    Mr. Walz. But they are not required to adhere to FISMA, is \nthat correct, private entity?\n    Ms. Halliday. Right. But you can establish those terms in \nthese agreements.\n    Mr. Walz. Okay.\n    Ms. Halliday. And that\'s where you should do that. Because \nif you have one side, securing veterans\' information very \ntightly and another handling it very loosely, you have a \nproblem.\n    Mr. Walz. Is it safe to say we then do not know the scope \nof the problem yet if those are lacking, because there are \nmany, many of these agreements.\n    Ms. Halliday. Absolutely.\n    Mr. Walz. Okay. So we have no idea on the scope of that.\n    Ms. Halliday. Right.\n    Mr. Walz. When you look at this, where is the model? Is \nthere an entity, an institution that\'s out there that is the \ngold standard of best practices, how should this be done? 
I \nmean, there are standards and protocols that should be \nimplemented. Who is doing it on the scale of VA? Is Citibank \ndoing it? Is Credit Suisse doing it? Who is doing it that it \nlooks correct? Because the targets here aren\'t necessarily \ntargets because they are veterans. They are targets because \nthey are easy, is that correct, or they are trying to make it \neasy in many cases. Can you give me an example of who is the \ngold standard?\n    Ms. Halliday. We can\'t give you an example.\n    Mr. Walz. Is that for lack of your knowledge on what others \nare doing or is that because there might not be one?\n    Ms. Halliday. I would say more lack of our having direct \nknowledge of who is actually performing specific practices. \nSome people might attest that they do have a gold standard, but \nwhen you look behind it and you see breaches and problems with \nthat. We haven\'t looked at that so I can\'t really answer.\n    Mr. Walz. If we had some of them here to talk to us about \nthe problems they are having, that might help us get an \nunderstanding of this and let the VA bring some of those things \nin.\n    Ms. Halliday. I think there\'s always an opportunity to \nbring in best practices from the outside and from other Federal \nagencies.\n    Mr. Walz. Okay. So if we implement all the protocols that \nyou\'ve put out there, and I think you gave me the number of \n4,000 potential weaknesses or vulnerabilities, if we \nimplemented all of those and were able to do it, what\'s the \ncost associated with that? I understand what the cost of not \ndoing it is great. It is a breach of trust and security of our \nveterans. What\'s the implication? Is that not something you \nfactor in when you do your assessment?\n    Ms. Halliday. Sir, I would not have that answer, but you \nshould ask VA.\n    Mr. Walz. Okay. Very good.\n    All right. Well, again, I thank you for your service. It is \ninvaluable. 
As I always say, the more that we can do to support \nthe IG, the better government we get out of it. So thank you.\n    Ms. Halliday. Thank you.\n    Mr. Coffman. Mr. Huelskamp for 5 minutes.\n    Mr. Huelskamp. Thank you, Mr. Chairman. I appreciate you \nproviding the opportunity for this hearing. And I must say I \nhave a lot of words to describe my feelings, and embarrassed by \nthe actions or lack thereof by the VA might be one of those. \nShocked. Surprised. I guess I will probably be even more \nsurprised by later testimony.\n    But if I understand correctly, one of the things that you \ndid mention, that there was a violation or personal emails of \nthe Secretary and high-level staff were compromised. And can \nyou describe that a little bit further?\n    Mr. Bowman. My understanding is that when the domain \ncontrollers got compromised, they got access to the senior \nleadership email accounts, and there is information that \nindicates that those emails were exported outside the VA \nnetwork.\n    The value of them is unknown. What they did with those \nemails is unknown. But whenever you compromise a domain \ncontroller, essentially you own the enterprise. That\'s the \nseriousness of it.\n    Mr. Huelskamp. I appreciate that. You own access to 20 \nmillion records, plus that of their dependents. What was the VA \nresponse when you brought that to their attention?\n    Mr. Bowman. It wasn\'t formally communicated to me. I heard \nit in a meeting that was discussed between the NSOC. And they \nprobably were unaware I was listening in, but that is just what \nI heard, just by observing some of these meetings and VA \ndescribing these events.\n    Mr. Huelskamp. And this is very shocking, Mr. Chairman. I \nknow we have a letter in front of us from a very high-ranking \nofficial at the VA that says, quote, ``VA\'s security posture \nwas never at risk.\'\' Was never at risk. And that\'s a quote from \na high-ranking official. 
And I would guess that perhaps they \nused email to put this together. Can you imagine the thought \nthat the folks that were hacking the system were actually \nreading this email as they were exporting 20 million private \nrecords. And you indicated we do have evidence potentially of \nexternal state-sponsored espionage that might be occurring to \nthe VA. One of you had indicated that was a possibility?\n    Mr. Bowman. That\'s my understanding.\n    Mr. Huelskamp. Okay. And did you bring this to the VA\'s \nattention and what was their response?\n    Mr. Bowman. We haven\'t. With the FISMA work, we haven\'t \nspecifically addressed that issue. We do get into incident \nhandling and monitoring. And we identify every year there are \nnetwork connections that aren\'t being monitored by VA. So the \nrisk is that you could have systems compromised, data being \ntransmitted externally, and VA could be unaware of it.\n    Mr. Huelskamp. They could be unaware that the information \nis actually leaving. And if asked, they could potentially, even \nunder oath say we know of no such transmission, which if I \nunderstand correctly might absolutely be true and would suggest \nobviously when you\'ve given up control of the system like you \nindicated you would have actually no idea of the threat then?\n    Mr. Bowman. That\'s correct.\n    Ms. Halliday. Sir, one of the things that we do as part of \nour oversight is gain an understanding of what is happening in \nthe VA environment, and then we send information to our \ncontractor who is doing the actual FISMA assessment to put the \nright work steps in place to do full evaluations, to understand \nand properly assess the risks. That\'s all happening as part of \nthe FISMA process.\n    Mr. Huelskamp. And I appreciate your work. 
You have a very \ndifficult task of identifying the problems and hopefully \nproviding some solutions, but it is up to the VA, maybe after \n10 years, to finally implement some of those.\n    The latest thing I see in your report is an incident from \nMarch 2013 in which sensitive, private, perhaps medical and \npersonal data was transmitted over an unencrypted \ntelecommunications carrier network. Can you tell me what \nhappened when that personal data was transmitted unencrypted? \nApparently VA did not know they were doing that. What\'s their \nresponse? You indicate that the management acknowledged this \npractice and formally accepted the security risk. Did they \nidentify who was at risk, how they were at risk, and did they \nclose this security gap?\n    Mr. Bowman. Yes, we received a hotline complaint discussing \nthe transmission of unencrypted data between the medical \ncenters and the community-based outpatient clinics using \nunencrypted protocols over a telecommunication carrier network. \nWe went and discussed with the network engineers and various \nlevels with VA, and they admitted that this is a common \npractice.\n    Mr. Huelskamp. They admitted this is a common practice.\n    Mr. Bowman. It is a common practice. But a mitigating \nfactor is, is they logically segment that traffic from other \ncustomer traffic. The downside of that is it still needs to be \nencrypted, and there are technological solutions that can \nencrypt that traffic when it is outside of VA\'s span of \ncontrol. Now, VA responded to that report by saying they plan \nto implement encryption controls, so that will improve that \nrisk of losing that data as it leaves VA\'s span of control.\n    Mr. Huelskamp. I\'m sorry, Mr. Chairman, one last question.\n    So they planned. Do you know if they actually have \nimplemented the encryption to protect sensitive data?\n    Mr. Bowman. My understanding is that edge router encryption \ncontrols have not been implemented yet.\n    Mr. 
Huelskamp. I yield back, Mr. Chairman.\n    Mr. Coffman. Ms. Walorski for 5 minutes.\n    Mrs. Walorski. Thank you, Mr. Chairman.\n    I appreciate the report, I appreciate the information. I \nwill tell you, when I was in the Indiana House, we did hold \ncompanies responsible for these massive breaches of identify \ntheft, especially when a Social Security number was in the \nbreach. And so we did have legislation and we still do, and I \nthink 17 or 18 other States now have it as well, holding \nprivate companies responsible, and if there\'s a breach that the \nbuck does stop with them for immediate information sharing, in \nsome cases freezing credit reports.\n    So my first question is on this information as it is leaked \nto a veteran in my district, say their Social Security number \nwas accessed, are any of those Social Security numbers redacted \nor is this just free-flowing raw data that\'s going out the \ndoor?\n    Mr. Bowman. Well, we don\'t have knowledge of any specific \ncases of data loss, other than the 2006 example, and in those \ncases VA is responsible for providing credit reporting services \nto the veterans who may have been harmed by this. But what we \ntry to indicate, is that using unencrypted protocols, the risks \nremain, that the potential is there, and that VA needs to \nimplement these proactive controls so these type of events do \nnot occur going forward.\n    Mrs. Walorski. But in light of the answers to the various \nquestions up here, there obviously has been more than just one \nincident in 2006 when that information has been available. And \nso, you know, I think about this in my district. 
I have 52,000 \nveterans in my district and then their extended families, and \nI\'m thinking, you know, if this happened in the private sector, \nautomatically this would have triggered--just the suspicion and \nthe not knowing would have triggered an automatic credit freeze \nto the people that would be living in my district.\n    So I\'m looking at this from the standpoint of saying, you \nknow, sending out an APB when I get out of here that says to \nthe 52,000 vets in my district, better check your credit report \nbecause we have no idea that your information has not been \nbreached, and to continually check that. And as we continue to \ntell people to go access their VSOs and go access their \nfacilities because there\'s a long wait and the things we deal \nwith on the veteran side, is how at risk they are with sharing \nthat information in today\'s day with these violations.\n    In the private sector, this type of an entity would never \nsurvive. The lawsuits that would come would shut them down \nbecause of private information being at risk and being taken \nand nobody responsible. So it is absolutely baffling to me that \nin addition to some of the other things that we have heard in \nthis report, that the buck stops with the CIO, and we have had \nnothing but turnover, as you\'ve reported, in this entity of \nthis area of the VA to begin with. Has anybody ever been \ndisciplined based upon the findings of your reports?\n    Ms. Halliday. We can only make a recommendation. It is up \nto the Department to take the administrative action. That\'s the \nextent of our authority.\n    Mrs. Walorski. Have any of your recommendations involved \nissues of employees or incompetence or training or things \nactually for the people who are actually working there taking \nthis information?\n    Ms. Halliday. Yes, I would say several, especially with our \nadministrative investigations. It\'s looking at very specific \npersonal accountability for actions.\n    Mrs. 
Walorski. And are you asking specifically that \nsupervisors and managers and CIOs and these kind of people that \nhave been in charge, where the buck stops with this \ninformation, that they be disciplined, if not terminated?\n    Ms. Halliday. We make a recommendation for appropriate \nadministrative action and then generally give a discussion with \nthat--\n    Mrs. Walorski. And is the appropriate action usually \ntermination? I\'m not familiar with the protocol. What is the \nappropriate action on something like this large of a risk to \nthis many people?\n    Ms. Halliday. You would have to look at the severity of the \nincident, determine the exposure, determine what the \naccountability was. Was there intent? Was this a mistake that \nthey may not have been able to prevent? And then when you do \nthat, you apply the Douglas factors for discipline actions in \nthe Federal Government?\n    Mrs. Walorski. But my understanding would be, in the last \n10 years, based upon the previous questioning, that the 40 or \nso outstanding compliance issues that you have advocated that \nthey follow, had those been followed in the last couple of \nyears, we would have remedied this situation. So there has to \nbe some kind of accountability still, and disciplinary actions, \nand the buck stops someplace with this staff, correct?\n    Ms. Halliday. We absolutely think the Department should \nhave implemented many of the FISMA recommendations and \ntightened controls early, and they would have less security \nincidents.\n    Mrs. Walorski. Thank you.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Coffman. Thank you, panel. I appreciate your testimony. \nYou are now excused.\n    I now invite the second panel to the witness table.\n    On this panel, we will hear from Mr. Stephen Warren, Acting \nAssistant Secretary for Information and Technology at the \nDepartment of Veterans Affairs. Accompanying Mr. Warren is Mr. 
\nStan Lowe, Deputy Assistant Secretary for Information Security \nfrom the Office of Information and Technology at the Department \nof Veterans Affairs.\n    Before I recognize the panel, I ask that you please rise \nand raise your right hand.\n    [Witness sworn.]\n    Mr. Coffman. You may be seated.\n    Mr. Warren, you are now recognized for 5 minutes.\n\nTESTIMONY OF STEPHEN W. WARREN, ACTING ASSISTANT SECRETARY FOR \n    INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS \n AFFAIRS, ACCOMPANIED BY STAN LOWE, DEPUTY ASSISTANT SECRETARY \nFOR INFORMATION SECURITY, OFFICE OF INFORMATION AND TECHNOLOGY, \n              U.S. DEPARTMENT OF VETERANS AFFAIRS\n\n    Mr. Warren. Chairman Coffman, Ranking Member Kirkpatrick, \nMembers of the Subcommittee, thank you for inviting me to \ntestify regarding the Department of Veterans Affairs \nInformation Technology Security Program. Accompanying me today \nis Mr. Stanley Lowe, Deputy Assistant Secretary for Information \nSecurity.\n    There is no higher priority than protecting the data that \nVA holds on our Nation\'s veterans. I, as well as the many IT \nemployees at VA--over 56 percent are veterans themselves--take \nthis responsibility very seriously.\n    As the Committee knows, the Department received a wake-up \ncall from the stolen laptop incident in 2006. As a result, the \nVA consolidated its disparate IT functions into a single, \nunified IT organization. VA\'s consolidated IT organization is \nresponsible for providing the tools, services, and systems that \nare necessary to protect veterans\' information at 153 \nhospitals, 853 community-based outpatient clinics, 57 benefit \nprocessing offices, and over 160 cemeteries or memorial cites. \nOur network supports over 400,000 users and over 750,000 \nindividual devices. 
We are committed to protecting the \ninformation we hold on millions of veterans, their \nbeneficiaries, and more than 300,000 VA employees.\n    As we all know, IT security threats continue to evolve. To \nthat end, we have implemented our continuous monitoring \nprogram, which continuously checks all IT systems and monitors \nevery device attached to the VA network. VA launched the \nContinuous Readiness in Information Security Program, or CRISP, \nin 2012 to proactively address process and policy deficiencies, \nas well as architecture and configuration issues.\n    As part of the CRISP effort, the VA conducts rigorous \nvulnerability scanning, continuous monitoring of patching and \nsoftware inventory, implementing port security, anti-virus \nservices, and encryption of nonmedical IT desktops and laptops.\n    Through Web Application Security Assessments, VA is able to \nidentify critical vulnerabilities and potential exploits in VA \nsystems. We protect the network infrastructure by identifying \nall network assets, critical database stores, all external \nconnections, and provide the Trusted Internet Connection \nGateways services.\n    In the past year, VA has measurably improved its security. \nThe Department has ensured that over 98 percent of VA staff \nhave received the mandatory security training they need to \nprotect the information of veterans and their families. Only \nstaff turnover prevents us from reaching 100 percent.\n    After the 2006 incident, VA worked to ensure its laptop \ncomputers were encrypted to provide another layer of \nprotection. Currently, over 98 percent of VA\'s nonmedical IT \nlaptops are encrypted. The Department aims to complete the \nencryption of the final 2 percent by June 30.\n    VA has a robust data breach notification process using a \nData Breach Core Team. When the team determines that a \npotential breach may have occurred, they notify affected \nindividuals and offer credit monitoring. 
VA also posts a \nmonthly report of data breach notification on its Web site, and \nthis report is provided to Congress, in addition to the \nrequired quarterly data breach report.\n    VA has become one of the very best large organizations of \nproviding notification if a potential breach occurred. This law \nrequires notification within 60 days. A review of VA\'s incident \ntracking system over the current fiscal year indicates that VA \ntakes, on average, 25 days to provide notice. VA\'s standards \nand practices exceed even the strictest Federal, State laws and \npolicies.\n    I would like to update you on our progress to extend VA\'s \nauthority to operate, or ATOs. Before giving you this update, I \nwould like to assure the Committee in the strongest terms that \nat no time was veterans\' data placed at risk by this process. \nThe signing of an ATO represents the final step in what is \notherwise a continual process of security and management \nreviews.\n    As the Committee is aware, VA has been working to extend \nnearly 600 ATOs over the last several months. We have worked to \nassure that requirements for each ATO are properly conducted \nand documented. VA trusts the ATO validation process and the \nwork of the information security officers, facility CIOs, and \nsystem owners to ensure system security. This paper-based \nprocess validates that critical steps are being taken to \nprotect our veterans\' data.\n    Mr. Chairman, VA places the highest priority on \nsafeguarding veterans\' and employees\' personnel information. We \nare committed to information security. And although work \nremains, VA has made significant improvements in the last few \nyears and strives to meet those highest standards in protecting \nour Nation\'s veterans\' sensitive information.\n    Thank you for your continued support of veterans, their \nfamilies, and our efforts to protect veterans and their \ninformation. 
I am prepared to answer any questions by the \nRanking Member, the Chairman, or the Members.\n\n    [The prepared statement of Stephen W. Warren appears in the \nAppendix]\n\n    Mr. Coffman. Mr. Warren, given your knowledge of visitors \nin the network since 2010, and understanding that there were \nsignificant security weaknesses, why would you insist on \nconveying the message that veteran data is not at risk?\n    Mr. Warren. Thank you, Chairman. I think that that actually \nis a great question to ask within the construct of information \nprotection.\n    I think it\'s very important to note that my partners in the \nInspector General\'s Office used words such as could, might, \npotential, possible, is possible. When an audit takes place, \nwhen a review takes place, the focus is on what could happen. \nBut remember, the existence of a risk is not the same as the \nremoval of information out of the network.\n    Several things need to exist. What needs to exist is the \npotential, and we try to drive those down as quick as we can. \nThere needs to be an actor who has access and the ability to \nget to where that risk is. They need to be able to do that in \nsuch a way that they are not seen, and then they need to be \nable to move the information out of the network through all the \nsensors and past the gateway, as well as past our partners in \nDHS who are watching outside our gateway, and then remove it. \nSo the piece we need to be very careful of is, we\'re talking \nabout potentials, we\'re not talking about actuals. And so the--\n    Mr. Coffman. I\'m sorry. How do you define the difference \nbetween an actual and a potential? And I\'m looking at an \ninternal report on August 15, 2012, and it talks about an \nactual--at least it talks about that the network was \npenetrated. So how do you define actual versus potential?\n    Mr. Warren. Sir, I don\'t have that report in front of me.\n    Mr. Coffman. Well, I\'ll make it available to you.\n    Mr. Warren. 
And I will gladly respond to the record, sir, \nin terms of that specific incident.\n    Mr. Coffman. Sure. Okay.\n    Mr. Coffman. Please define the difference between actual \nand potential.\n    Mr. Warren. Potential is--and we\'ll do as an example your \nhome computer. So if you do not update your--\n    Mr. Coffman. How about we just stick with the VA system. \nLet\'s talk about that.\n    Mr. Warren. Sure. We can talk about a desktop computer. \nOnce a month Microsoft puts out a set of patches on Tuesdays. \nSo every Tuesday, once a month, the first Tuesday Microsoft \nsends out a full set of patches. If we do not incorporate those \npatches into the system, the potential for somebody going to a \nWeb site and the potential being exploited goes up. But the VA \nhas a very aggressive program to make sure those desktop \npatches happen once a month as Microsoft puts it out. So if you \ndon\'t do them and you don\'t do it over multiple months, the \npotential for the desktop to be compromised and the system \nitself to be compromised goes up.\n    Mr. Coffman. It\'s my understanding you have not instituted \nall the patches in the VA system. Is that correct?\n    Mr. Warren. I\'m sorry, I missed the first part.\n    Mr. Coffman. That you have not instituted all of the \npatches prescribed for the VA system.\n    Mr. Warren. I would tell you, Mr. Chairman, that we have a \nvery aggressive program to make sure the desktop computers are \npatched.\n    Mr. Coffman. You\'re not answering my question.\n    Mr. Warren. The intent is not--\n    Mr. Coffman. To the VA system. Is it true that not all the \npatches have been applied as prescribed in the VA system? In \nthe information network.\n    Mr. Warren. Sir, there are about 750,000 devices in the \nnetwork. 
So if you\'re asking does every single one of those \ndevices have every single one of the patches that their \nmanufacturers put out, the answer would be no because there are \nmultiple times when that patch will actually break the \napplication that you need to use, and therefore there is a \nwaiver in place that says you don\'t patch that system because \nnot working is actually worse than a potential risk within an \nenvironment which is--\n    Mr. Coffman. Mr. Warren, why did you not previously \ndisclose to the Committee that VA has had serious and \ncontinuous compromises of systems and data by nation-state \nsponsored actors?\n    Mr. Warren. With all due respect, I do not believe it is a \ntrue statement, as you laid it out, that the VA has been \ncontinually compromised by foreign nation states. We have a \nstrong partnership with Homeland Security, which watches the \nboundary for the Department.\n    Mr. Coffman. Mr. Warren, has a foreign entity targeted and \npenetrated our network?\n    Mr. Warren. I am aware of a single incident that our \nnetwork operation center identified.\n    Mr. Coffman. And when was that?\n    Mr. Warren. It was last year. I will need to get back for \nthe record in terms of the specific date.\n    Mr. Coffman. Very well. And I will make this internal \ndocument available to you. And I think you can be informed that \nthere actually have been quite a few breaches.\n    Ranking Member Kirkpatrick.\n    Mrs. Kirkpatrick. Thank you, Mr. Chairman. I\'d like to \nfollow that line of questioning.\n    Mr. Warren, if a system is compromised, would you know? Or \nis it possible for it to be compromised and you to not know?\n    Mr. Warren. I would tell you, with the controls that we \nemplace, with continuous monitoring, as well as the work that \nwe do at our boundaries with Homeland Security and our NSOC, \nthe probability of somebody being in the network and \ncompromising a system without us knowing it is very, very low. 
\nBut I can\'t argue the absolute.\n    Mrs. Kirkpatrick. Can you provide for the Committee how \nmany times the system has been hacked since the beginning of \nthis year?\n    Mr. Warren. I will gladly provide that for the record.\n    Mrs. Kirkpatrick. Thank you. Was it your testimony that it \ntakes you 25 days to notify the veteran that their personal \ninformation may have been compromised?\n    Mr. Warren. Yes, ma\'am. If I could expand on that.\n    Mrs. Kirkpatrick. Would you expand on that, because that \nreally concerns me. In 25 days everything could be wiped out \nfor that person.\n    Mr. Warren. Certainly, ma\'am. What happens is as soon as--\nand VA has a 1-hour reporting requirement--as soon as an \nemployee believes the potential of something happening, they\'re \nsupposed to notify our NSOC, and it is part of the reporting we \ndo. At that point, we pull the team together and we ask the \nquestion: What and why? Is it real? And if it turns out we have \nan issue, the Data Breach Team--which meets once a week, which \nis made up of career staff who are outside the chain of \ncommand--they do the analysis of that potential breach and they \ndetermine if the potential was high enough that data had left. \nAnd normally, if there is just a little potential, the \nDepartment goes ahead and reaches out to all of those veterans \nwith credit monitoring for a year. And the 25-day period is the \ntime for the notification to the NSOC, the establishment of the \nteam, the analysis of the data to make sure what was reported \nwas actual. And in many cases--in fact, in most cases--it\'s the \npotential that is reported, and we reach out to veterans anyway \nand we offer that credit reporting.\n    Mrs. Kirkpatrick. How many times have you had to notify \nveterans within the last year?\n    Mr. Warren. 
Ma\'am, I will get you that for the record in \nterms of the number of times that we notified veterans and \noffered credit reporting as a result of a potential data \nbreach.\n    Mrs. Kirkpatrick. Thank you. And was it also your testimony \nthat by June 30 of this year your system will be encrypted?\n    Mr. Warren. Actually, my testimony, ma\'am, was that for all \nnonmedical IT laptops. So the ones that are under my \nresponsibility, we will have the last of those encrypted.\n    Mrs. Kirkpatrick. But the medical laptops will not be \nencrypted?\n    Mr. Warren. No, ma\'am. And, Ranking Member, the difficulty \nwe have with medical devices is they\'re constrained by their \ncertification from the FDA. And the concern is by putting \nencryption on that laptop, a medical device that has a laptop \nin it, you will actually impede the ability of that medical \ndevice to do its job.\n    And so we\'ve had lots of conversations with the FDA to \nfigure out how you can do that. But when a device is certified \nthat has a medical device in it, the condition of the device at \nthe time of certification constrains what you can do \nafterwards. And so to handle that, we actually have a separate \narea, an isolated area in the VA network where we put those \nmedical devices that are based on IT equipment. And we also go \nfurther by working with our partners in VHA where we start \ntesting those devices to see if there is an impact to its job \nin terms of delivering care, or if we impact their \ncertification boundary. And in cases where it isn\'t--and there \nis a tool called bar-code medication, which is what the nurses \nmove through the wards--we are able to show that there was no \nimpact, those medical device laptops are now encrypted. And so \nwe work our way through that with our partners in the health \nadministration and the biomed folks.\n    Mrs. Kirkpatrick. I have one last question. 
Are you \nfamiliar with or have you heard the Inspector General talk \nabout the fact there has been excessive turnover in key \nleadership positions and there\'s a lack of human resources in \nthe IT departments? Do you agree with that statement?\n    Mr. Warren. I would tell you that an organization going \nthrough transformation is a difficult place to work because \neverything is moving around you. And so we have had transition \nof staff. We\'ve had transition of staff going out and coming \nin. This year, I believe I am 100 folks below my ceiling of \nabout 8,500 individuals.\n    Mrs. Kirkpatrick. Do you have a strategy to address that so \nyou have adequate human resources?\n    Mr. Warren. We do active recruiting. We work with the HR \norganization to figure out how do I do pools so I can make sure \nI\'ve got project managers lined up, to make sure I have \nindividuals lined up to bring them in.\n    We also have a very strong focus on veterans. As an \nexample, last year, 75 percent of my new hires were veterans, \nbecause that\'s very important to me, as a veteran, to make sure \nwe\'re bringing our clients, if you will, into the organization \nto help us do a better job.\n    Mrs. Kirkpatrick. Thank you, Mr. Warren. I yield back.\n    Mr. Coffman. Mr. Warren, please be reminded that during the \ncourse of this oversight hearing and Committee investigation, \nit is a Federal crime, pursuant to 18 United States Code \nsection 1001, in pertinent part, knowingly and willfully to \nfalsify, conceal, or cover up a material fact, or to make any \nmaterially false, fictitious or fraudulent statement.\n    Mr. Lamborn, you have 5 minutes.\n    Mr. Lamborn. Thank you, Mr. Chairman.\n    Mr. Warren, members of the previous panel testified under \noath that foreign state actors have accessed sensitive \ninformation of veterans within the last 2 years and that the VA \ndoes not know how much information was stolen. Would you agree \nwith that statement?\n    Mr. 
Warren. I would say, Congressman Lamborn, there is that \npotential. I would tell you that, working with our partners at \nHomeland Security in terms of where they watch our gateway--so \nit\'s not just the VA connected to the world and everything \nhappens, we have Homeland Security, if you will, at the gate. \nSo I have our team on our side and Homeland Security on the \nother side. And between the two of us, we watch all the traffic \ngoing back and forth.\n    So the ability of material to move, yes, there is always a \npotential. We referred to a particular incident that the \nInspector General talked about. I was aware of that incident. \nSo I would tell you that one, we know happened. With the other \nones, it\'s still the potential and the probable, in terms of--\n    Mr. Lamborn. And of the one that you will admit has \nhappened, we don\'t know how much information was taken because \nit was encrypted before being exported. Isn\'t that correct? So \nwe don\'t know how little or how much the data was that was \nstolen?\n    Mr. Warren. Sir, my recollection of that report--and what \nI\'d like to do is go back and review that report to give you \nthe answer in terms of what came out and what the report was \nable to tell us given the conditions that existed.\n    Mr. Lamborn. What kind of dependent information is put into \nsome veterans\' files?\n    Mr. Warren. I would tell you, Congressman Lamborn, the \nveteran files are held in many locations in the VA, in many \nsystems, whether in the electronic health record or whether in \nthe new--used as part of the new VBMS system, as well as all \nthe other systems. So the information necessary to provide \nbenefits or services is what we--\n    Mr. Lamborn. So it can include the names and Social \nSecurity numbers of dependents.\n    Mr. Warren. If that\'s required as part of the claim or \nservice process, sir.\n    Mr. Lamborn. Another problem I have is--and this happened \nto me recently. 
I got a credit card in the mail. It turns out \nthat my credit card issuer had been compromised, so everyone \nhad to get a new credit card. And we had to go back and change \nthe numbers on all our accounts. It was a big hassle. \nFortunately, nothing was stolen that I know of. But what \nhappens when a Social Security number is stolen? You can\'t \nreplace that. I mean, we\'re talking about something really \nserious here. Are you aware of how serious this is?\n    Mr. Warren. Congressman Lamborn, we take any potential \nincident and any incident very seriously. I take it personally. \nIt\'s one of the reasons why the VA offers credit monitoring. So \neven when there is a potential, we reach out to the veteran and \nwe offer them that credit monitoring for a year. We also have a \n1-800 number that we\'ve made available to veterans if they have \nany questions so that they can reach out to us if by chance \nsomething does happen, so we can help them, walk them through \nthat process.\n    Mr. Lamborn. You said earlier that we place the highest \npriority on protecting this information, and yet members of the \nOIG indicated that for more than 10 consecutive years, \nindependent public accounting firms under contract with OIG \nhave identified information technology security controls in the \nVA as a material weakness. How can that condition have \npersisted for 10 years if that\'s your highest priority?\n    Mr. Warren. Congressman Lamborn, thank you for that \nquestion. I would tell you that material weakness is actually a \nfinancial term. It\'s the same type of term used as part of \nSarbanes-Oxley in terms of laying those financial controls on \nthe organization. So the material weakness says there is a \nquestion about whether the financial data in the system is \nsecure or not.\n    So material weakness, yes. I will tell you that, as an \norganization, the Department wasn\'t going, we\'ve got a material \nweakness, move on. 
Every year we took the inputs--and I\'ve only \nbeen with the VA for 7 of those 10 years--every year I\'ve been \nthere we took those inputs and we laid out what we needed to \ndo. We laid the resources on it. We put focus on training. And \nI will tell you it wasn\'t enough. And so 2 years ago, this \nmajor effort of doing CRISP, of taking the whole organization--\nnot just the IT organization, but taking the whole \norganization, because information protection is not just an IT \nthing.\n    Mr. Lamborn. Well, I\'ll agree with one thing you\'ve just \nsaid when you said it wasn\'t enough. I certainly agree with \nthat.\n    And how do we know that there isn\'t going to be some kind \nof document dump by a foreign actor, you know, WikiLeaks or \nsomething like that? I mean, there are so many things--health \ncare records. There is such sensitive information in health \ncare records. So we\'re not just talking about Social Security \nnumbers, there\'s health care records. We shouldn\'t be here \ntoday, and I am sad that we are at this juncture right now.\n    Mr. Chairman, I yield back.\n    Mr. Coffman. Thank you, Mr. Lamborn.\n    Mr. O\'Rourke.\n    Mr. O\'Rourke. Thank you, Mr. Chairman.\n    For Mr. Warren, I\'m not as conversant in the details of \nthese issues and the different systems and protocols involved \nas I would like to be, but I think it\'s fair to say that the \npicture you paint of the VA\'s IT system and the vulnerabilities \nis very different than the one that we just heard from, from \nMs. Halliday. 
And I think you heard many of us say that what we \nheard presented was unacceptable in terms of the \nvulnerabilities, unacceptable in terms of the amount of time \nthat the VA has known about those vulnerabilities without \nsuccessfully addressing them, some concerns about when \ninformation was reported to this Committee and others in terms \nof breaches to the system and retrieval of information by \nforeign actors.\n    Can you just, so in general terms that I can understand, \naddress that discrepancy from what we just heard to what you\'re \npresenting? You seem to be saying that things are generally \nunder control.\n    Mr. Warren. I would tell you the state of security and the \nwork we need to do is something that I wrestle with all the \ntime. Am I satisfied with where we are? No, I\'m not. Can we do \nbetter in terms of fixing the things that our partners in the \nIG and the audit community have identified? Yes. And we are \ndedicated to doing that.\n    But the difference that you are hearing from myself versus \nthe audit community is, they have to deal with potential: Is \nthere a chance? Is there any opportunity for something like \nthat to happen? And the answer will always be yes. It will \nalways be yes, that there is a potential. So if you ever ask \nme, or even if you ask me today, can I guarantee that \neverything is perfect and wonderful? I could not give you that \nguarantee because it\'s constantly changing, the technology \nconstantly changes.\n    So my focus is more of a very pragmatic operational person \nwhose job is to try and make sure we continue to deliver those \nbenefits and services in a way that has the least risk, the one \nthat does not put our veterans\' information at risk while we do \nthat. And again, is it where I want it to be? No. Do we \ncontinue to drive on getting it to where we need to be? Yes.\n    Mr. O\'Rourke. 
In terms of the 32 recommended steps that \nneed to be implemented--and I asked the IG\'s Office about what \nthe timeframe would be to implement those--do you agree that \nit\'s a 12-to-18-month implementation timeframe?\n    Mr. Warren. Yes, sir. And in fact, when the report gets \npublished, you will find there is a departmental response. And \nit actually lays out what it is that we have in place and what \nwe are going to do. And I believe the latest date I have when I \nsigned out that document with all the different organizations \nwas September 2014 for some of the longer items. And I believe \nthat fits within that 12-to-18-month period.\n    But there are many things that are happening now. We have \nsome significant things coming online at the end of August. \nThere are things taking place between now and August. But the \nlonger, harder ones take that extra time to get there.\n    Mr. O\'Rourke. And so there are no fundamental differences \nbetween your office and the IG\'s report in terms of what they \njust described to us in their findings, their vulnerabilities, \nand the seriousness of those vulnerabilities and threats?\n    Mr. Warren. I will tell you, there were many reports \nreferred to in the prior panel. You will find that if you look \nat the report and you look in the appendix, the place where the \nDepartment did not agree with the findings, you will find a \nstatement in there that says--again, we always thank our \npartners to come in. We see them as part of the team. They give \nus that outside view. But where we disagreed with what their \nobservations were, we normally state that in the document.\n    So, given the Chairman\'s reminder, I need to make sure that \nwhere the Department did not agree, we stated in the report. \nAnd we also state what it is we\'re doing as a result of what \nthey find and what our plan of actions are. And then we give a \nquarterly update to all of the things that we said we are going \nto do. 
And as the Acting Assistant Secretary, I sign off on \nevery one of those quarterly reports in terms of what we said \nwe were going to do, what did we do to ensure that we are \nresponsive not only to what the Inspector General identified, \nbut ensuring that we\'re doing everything we need to do to \nprotect our veterans data.\n    Mr. O\'Rourke. Let me ask one more question. You\'ve used the \nterms ``possible,\'\' ``probable\'\' and ``actual\'\' several times \nin response to our questions. A question I asked of the \nprevious panel, can you tell us of an actual incident where, \nbecause of a security vulnerability, private information from a \nveteran was retrieved by someone to negatively impact that \nveteran, whether they stole their Social Security number or \nother personal data that was then used to harm that veteran?\n    Mr. Warren. I am aware of several incidents, and I will \ndescribe one for you. It\'s an individual who accessed--he was a \nsystem administrator--again, not foreign, but domestic--\naccessed the database and used the information to do identity \ntheft. When identified, we refer those to the IG and they bring \nin criminal investigations. So, in that regard, there was an \nindividual who breached the system. It is always referred to \nlaw enforcement. It is always referred to law enforcement. And \nthen we provide credit monitoring, and we also work with the \nlaw enforcement folks to make sure that they have full access \nto do what they need to do.\n    So I will tell you, large organization, lots of people, \nthere are going to be folks who do bad things. As we find them, \nwe refer them to law enforcement for them to take action. And \nthen we just keep, as a result of what we saw--what then do we \ndo, right; how did that person get in there. So you will see \nthere is a very strong personal accountability program the \nDepartment is bringing onboard to go ask the question, are we \nhiring the right people? 
Do they have the right credentials? \nAre there flags here on their personnel records such that we \nreally shouldn\'t be putting them into a position of trust--not \nan IT thing, but the broader aspect of how you hire folks and \nhow you make sure you\'re bringing in the right folks.\n    Mr. O\'Rourke. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Coffman. Just real quick. When the OIG, in their \nreport, said that your system got hacked by foreign actors, do \nyou refute that as part of your response?\n    Mr. Warren. So, again, I believe you\'re referring to that \nAugust report. Let me just make sure what you\'re referring to, \nMr. Chairman, if I can. I don\'t have enough information to \nanswer your question, sir.\n    Mr. Coffman. So you\'re not aware--in the OIG report, in \ntheir testimony, when they were up here, they referenced that \nyour system got hacked by foreign actors. First of all, do you \nacknowledge that?\n    Mr. Warren. I believe I already have in my testimony, Mr. \nChairman.\n    Mr. Coffman. Yes or no?\n    Mr. Warren. Yes.\n    Mr. Coffman. Very well.\n    Dr. Poe for 5 minutes.\n    Mr. Roe. Thank you, Mr. Chairman.\n    And a couple of questions that Congressman Lamborn talked \nabout.\n    One of the reasons that, the way I understand this from \nlistening this afternoon, that you might not know what \ninformation is going out is that the information that people \nwere after was not encrypted. But on the way out the door it \nwas encrypted, so you couldn\'t read what was gone. So you could \ntruthfully sit there and say we don\'t know what\'s been stolen \nbecause you really don\'t know. And it should just have been the \nother way around; we should have had the data encrypted so that \nnobody could have gotten a hold of it or done anything with it. \nAm I right or wrong with that? Did I misunderstand?\n    Mr. Warren. No, Congressman Roe, you are actually laying it \nout appropriately. 
And again, with the report that we\'re \nreferring to, glad to do a private briefing to the Committee \nwith the details because of some of the issues around it.\n    I will tell you that the area where the individuals were, \nwere in the email area, in terms of pulling emails out. The one \ncompensating controller, the thing we do as well, is many of \nour emails are encrypted. So the reference to unencrypted is \ninformation in databases. This particular information--which I \nbelieve has been referred to--deals with folks who went after \nemail packages. In many cases, those are encrypted such that it \nwould be difficult to read them. But again, because, as you \nrightfully pointed out, the data left the network encrypted, \nit\'s hard to say yes or no what it was.\n    Mr. Roe. I understand that now. And let me ask, would any \nof this other information, since you-- do you cover the part of \nthe VA involved in contracting? Is that data--not just personal \ninformation, but is contract data? In other words, if I\'m \nbidding on a project out here, would a foreign competitor know \nwhat that contract was? Because we certainly have seen that in \nother areas. Is that possible?\n    Mr. Warren. Sir, I can\'t refute the possible of any \nscenario in terms, again, there are no absolutes in information \nsecurity. We strive to make sure there aren\'t any--\n    Mr. Roe. Let me stop you. I\'ve heard that before. This \nAugust 15th, there is an Office of Information Security, and \nyou stated you heard--at least were known of one time that--I \nthink that I understood this--that you had been hacked or \npinged. March 10th and onward the DeepDive Analysis has been \ntracking activities of well-funded cyber-espionage teams that \nregularly target VA. Over the past 31 months, the DDA--that\'s \nthe Direct Dive Analysis--has identified eight of these teams \nas part of our threat program. Each team is assigned a name--I \nwon\'t go through that. 
Assigning a common nomenclature has \nallowed them to contribute each of their campaigns and see \nwhich one of them is the most effective. And it goes through \nhow they were doing it. I\'m sure you\'re aware of that.\n    Mr. Warren. Yes, sir. The key reporting and the fusion \ntechnology team--so the individual whose report you\'re reading \nfrom--is an initiative that I started in terms of asking folks \nto go out and start pulling data and understand what was going \non. What I think what you will see--\n    Mr. Roe. Help clear me up because you said you only heard \nof one--you only knew of one incident, and yet you started \nthis, which there are eight different teams that are looking. \nAnd it appears from this information we have--which it makes \nsense that they most like to hack us during holiday times, \nwhich makes sense, your defenses are down, Thanksgiving, \nChristmas, those times when we would be less--our defenses are \nup less.\n    Mr. Warren. I think what you\'ll find, sir, if you read into \nthat report, it\'s targeting. So the report, again, it\'s a very \naggressive defensive policy in terms of through our network \nsecurity folks is trying to identify where the threats are. \nNow, again, the August report we talked about, the specific \ninstance where we saw the material leaving and some of the \nthings that we did as a result of that, you will find there are \nreports like that that are published probably a couple times a \nmonth from the fusion team saying this is what we\'re tracking, \nthis is what we\'re monitoring, this is what we\'re doing about \nit.\n    Mr. Roe. But you wouldn\'t be tracking those if they weren\'t \nactive.\n    Mr. Warren. Sir, there are things known as honey pots, \nblack holes, where the individual may try to come in. And what \nyou do is you set up your perimeter so it looks like they\'re \nactually getting into data, but they\'re not. 
You\'re actually \ntracking and capturing them.\n    The other piece, if I could, is there are actors you see \ninside, but you also set it up on the outside, where if they \nare trying to send data out, you basically put a trash can \nwhere the data goes versus leaving the Department.\n    Mr. Roe. I have some more questions on that to see how many \ntimes that has happened. There is a note here I have that says \nover 400,000 systems in VA\'s network do not even have a basic \nsecurity baseline installed. Is that correct or incorrect?\n    Mr. Warren. Sir, I would need to basically validate where \nthat report is coming from, and I will take that for the \nrecord.\n    Mr. Roe. And lastly, just one quick question: Who are the \nstate-sponsored actors that we\'re dealing with? You haven\'t \ncalled any names, but who are they?\n    Mr. Warren. I would tell you, sir, that my preference is to \ndo that in a closed session; otherwise I would put my clearance \nat risk, as well as the fines and penalties.\n    Mr. Roe. That\'s fine. That\'s fine. I yield back.\n    Mr. Coffman. Mr. Walz for 5 minutes, please.\n    Mr. Walz. Thank you, Chairman.\n    Thank you, Mr. Warren.\n    Your data is on those computers too, correct, as a veteran?\n    Mr. Warren. Yes, it is, sir.\n    Mr. Walz. Okay. And you were over at FTC and DOE?\n    Mr. Warren. Yes, sir. I was at the Federal Trade \nCommission, where I did the national Do Not Call Registry, \nsomething I\'m very proud of, as well as annual credit \nmonitoring that you can get, and then at the Department of \nEnergy with the Weapons Clean Up Program.\n    Mr. Walz. How does your knowledge over there--does the \ncurrent job you\'re in correspond with you having a knowledge of \nthose organizations and their ability to provide security over \ndata? Because I\'m assuming both of those have very sensitive \ndata, especially DOE, in terms of state secrets and things like \nthat. So is there a comparison there? 
Can you tell us how they \nfunction or how VA\'s system is in terms of robustness compared \nto those?\n    Mr. Warren. I would tell you, sir, we are all facing the \nsame threats. And we all put the protections in place and we \nwork with each other. In fact, we have a very aggressive \noutreach program with the folks in the other organization. And \nthere is also a larger effort through the Federal CIO Council \nto learn from each other and use our best practices because we \nare all facing that threat today.\n    Mr. Walz. I agree. And this is what I\'m trying to get at. \nAnd I think the gentlewoman from Indiana brought up a good \npoint. States are trying to tackle this as they go. And I\'m \nlooking through, there\'s a Privacy Rights Organization \nClearinghouse that, as we speak, in realtime is listing this: \nHealth Information Trust of Frisco, Texas, 111 record \ncompromised. A dentist in Rochester, New York, on June 3, theft \nof a laptop, 13,806 records.\n    One, though, that comes in here--and I think it brings to \nthe point of what we\'re trying to get at--is Hampton Roads \nHealth System, Newport News, Virginia, talked about employees \naccessing information incorrectly. And it even notes in this \nthat they were fired for that. And then of course there\'s \nmalicious content and all that.\n    The point I\'m trying to figure out here is, when you do \nthis, is data security an all-or-nothing, zero-sum proposition? \nIs it an impenetrable firewall, or it\'s open access, or are \ndecisions made in the business community as well as you that \nrisk assessment and what is acceptable risk is in that?\n    I\'m assuming in the private sector now--and listening to \nMs. Walorski brought up a very good point--is there is a huge \nmarket in identity theft insurance, data breach insurance on \nthat. Those insurance underwriters must be drawing some \nguidelines on what is acceptable risk and what is not. Does \nthat pertain to what you\'re doing? 
Is the VA doing that very \nsame risk analysis based on best practices of those \nunderwriters?\n    Mr. Warren. Yes, sir. We apply those same rules. It is \nbaked into the standards that we follow. The National Institute \nof Standards and Trust applies those to us.\n    And to your question about, is there an all or nothing? I \nthink our partners at DoD found out with WikiLeaks, in a secure \nsystem, you still could not guarantee the material would not--\n    Mr. Walz. Well, what I guess I\'m asking for is, is it \nworth--and I\'m going to come to this question is: What\'s the \ncost, have you figured, to implement OIG\'s recommendations? Is \nthere a cost factor that takes into this? Say, for example, \ndepending on where I\'m at, versus a high crime versus a low \ncrime neighborhood, I might not invest in the most robust \nsecurity system, taking and thinking into--there hasn\'t been a \ncrime in my neighborhood in 75 years. Those are things that we \nwork in. Now, if I always want to be absolutely sure, I could \ngo to the top of the line every time and implement that \nsecurity. How do you view that at VA when you make those \ndecisions?\n    Mr. Warren. Sir, great question. Thank you for that \nquestion. We look at what the risk is. Is it something at the \nperimeter or is it something inside? Is the data inside \nsomething that has the highest level of need or something that \nis just transactional data? And the amount of resources we \napply and the controls we put in place are actually tailored to \nthe information that\'s in the system and the potential risk.\n    Mr. Walz. Does OIG take that into consideration when they \nput out their recommendations, that you are doing--what you\'re \ntelling me is, you are doing a risk analysis, a cost-benefit \nanalysis. Is OIG asking or saying this is the ultimate perfect \nworld, what it looks like in security? Are they factoring that \nin?\n    Mr. Warren. 
I believe my partners in the Inspector General \nOffice are taking that into consideration. But I will tell you \nthey\'ve done a fair appraisal, in terms of the FISMA audit, of \nareas where we need to continue our attention and focus. And I \nwill tell you the one thing that tells me that we\'re on the \nright path is we did this massive program last year called \nCRISP, which was more than just IT, it was the leadership of \nthe organization--the VHAs, the VBAs, the NCAs. So they got \nengaged from the senior levels of what do we need to secure the \nenterprise. And we are seeing the critical things dealing with \npersonal attitude by non-IT folks as well as IT folks is \nchanging to where it needs to be.\n    Mr. Walz. Well, if I heard that right, OIG did say they \ndidn\'t give an assessment based on it hasn\'t run its whole \ncourse yet. So what your assessment is, is at the end of this, \nwhen you go back and look at what CRISP did, we\'re going to see \na change across the spectrum, culturally and robustness of \nsecurity.\n    Mr. Warren. Yes, sir. We are seeing that change. And I will \ntell you the change will need to continue from here on out \nbecause we know that threat evolves with our change.\n    Mr. Walz. I\'m going to use my last 25 seconds here. You\'re \nnot going to get the opportunity to do this, but following you, \nMr. Davis is going to speak and there\'s going to be some \nquestions of how things came out or why they came out. Is there \nanything you\'d like to address? I\'m out of time here. You know \nthe situation, the memorandum and how things are going to play \nout, and I think it\'s only fair that you be able to respond.\n    Mr. Warren. I would tell you, sir, I was perplexed by what \nhappened and how it went down. 
I was troubled by the fact that \nthere are two memos in circulation, a memo dated 29 January \nthat I and leadership received, and the one that we received \nfrom the Committee that was signed on the 28th of January that \nwe were not aware of the existence of it until Friday, when the \nCommittee staff gave it to us. And the memos are almost \nidentical except for one paragraph, and that paragraph says: \n``Clear and present danger.\'\'\n    I will tell you, if anyone tells me there\'s a clear and \npresent danger, I pick them up and I walk them over to the IG \nand say, tell them what it is that I am missing here. I \nactually did that on the 29th with the memo received. That memo \nI took to the IG.\n    On Friday, when I learned of the existence of a second memo \ndifferent than the one the Department received, I took both of \nthose memos and I reached to the IG and said, I need you to \nhelp me figure this out because I cannot figure out why the \nDepartment would get one memo with four paragraphs and the \nCommittee would get a different memo with five paragraphs and \nthe difference is ``clear and present danger.\'\' That was not \ncommunicated in the memo we received. And I\'ll tell you, I am \nstill perplexed on why that would exist.\n    Mr. Walz. Mr. Chairman, I thank you for indulging the extra \ntime.\n    Mr. Coffman. Ms. Walorski for 5 minutes.\n    Mrs. Walorski. Thank you, Mr. Chairman.\n    Mr. Warren, can you guarantee that the veterans in my \ndistrict, in Indiana\'s Second District, have not suffered a \nsecurity breach?\n    Mr. Warren. Ma\'am, I\'d be lying to you if I made that \nguarantee. Again, it is all about what the risks are. And we \ntry our darnedest--in fact, we do more than try our darnedest.\n    Mrs. Walorski. But you can\'t guarantee that.\n    Mr. Warren. I can\'t--and in fact, nobody--if someone sat \nhere and guaranteed, you should haul them out of here--\n    Mrs. Walorski. All right. 
Do you personally, sir, do you \npersonally feel responsible for the fact that we have a Nation \nof veterans that are vulnerable?\n    Mr. Warren. I care deeply that we are not further--\n    Mrs. Walorski. Do you feel personally responsible, when you \nleave and check out at night and go home, do you feel \nresponsible for the fact that there are various security \nbreaches and our whole Nation\'s veterans are at risk?\n    Mr. Warren. Ma\'am, I go home tired every night for all the \nthings that I do.\n    Mrs. Walorski. Do you feel responsible for all the things \nthat we talked about here today?\n    Mr. Warren. Ma\'am, I\'m personally responsible for the \norganization as the Acting CIO.\n    Mrs. Walorski. Thank you.\n    I yield back my time to Dr. Roe.\n    Mr. Roe. Just a couple of questions, and maybe I got to \nthis before. But are the state actors, is that classified \ninformation? Because I\'ve seen published reports. I mean, we\'ve \njust had the Chinese in every headline in the world here \nsaying, oh, it\'s not a big deal, it\'s not a big. We know it\'s a \nbig deal. So who are the state actors?\n    Mr. Warren. Sir, as a young lieutenant, one of the first \nbriefings I got when I came onboard was that just because \nsomething is published in the press, if you receive a briefing \nthat says it\'s classified, until the classifying authority says \nit\'s clear, it\'s classified no matter what you read.\n    Mr. Roe. The briefings you\'ve had, I mean, what you\'ve got \ndone right here, when you determine with what you\'re doing that \nsomebody is trying to breach your firewalls and get into data \nthat\'s in the VA system, that\'s classified information, you \ncan\'t come here to this Committee and say, this is what \nhappened?\n    Mr. Warren. Sir, actually, you had asked me a different \nquestion, which was the naming of the actors. We work with \nHomeland Security on our boundary, so they are in constant \ncommunication with us. 
They are telling us when they see stuff. \nWe are telling them when we see stuff.\n    Mr. Roe. We want you to tell us when you see stuff. What\'s \nthe problem with that? I thought that we all work for the \nAmerican people.\n    Mr. Warren. As do I, sir.\n    Mr. Roe. Well, I include you. I said we all. You, me, \neverybody in this room who\'s here who\'s a public servant works \nfor the American people. They have a right to know who\'s trying \nto get into their personal information. I would like to know \nwho\'s trying to get into the veterans that I serve, the 70-\nsomething thousand of them that live in northeast Tennessee.\n    Mr. Warren. Congressman Roe, we would be glad to come up \nand give you that private briefing with all of the material you \nwould like.\n    Mr. Roe. I guess my question is--second question is--why is \nthat classified? Why wouldn\'t that be public? When people are \ntrying to steal from you, we ought to let the people in our \ncountry know who\'s trying to steal our own veterans\' \ninformation, I think. I think that\'s very important to be \npublic. Why are we hiding that? And that\'s above where you are, \nI understand that. But that\'s a philosophical question.\n    The next question is, is that, when we come back a year \nfrom now--I\'ve been here now 4-1/2 years, and I see problems \nthat linger on and on and on. Are we going to come back 1 year \nfrom now and have the same conversation? And I totally agree \nwith you, Mr. Warren, when you were saying you couldn\'t \nabsolutely guarantee. I\'ve had people come to me when I\'m \ntaking them to the operating room and say, will you guarantee \nthat I\'m going to live through the surgery? Well, I can\'t \nguarantee that. I got that. I understand that. But with as good \na system, can we say a year from now that the IG, in fact, who \ngave a very good report, you will have met those metrics that \nyou agree with, and then you all work out if you don\'t agree \nwith them?\n    Mr. 
Warren. Sir, I would like to take the 12 to 18 months \nthe IG identified. But the intent is to clear as many of those \nas we can in the 12 months with the schedule we\'ve given them, \nand to keep moving through those until we\'ve cleared them all.\n    Mr. Roe. I yield back.\n    Mr. Coffman. Thank you, Mr. Chairman.\n    Mr. Huelskamp.\n    Mr. Huelskamp. Thank you, Mr. Chairman.\n    Mr. Warren, the IG\'s testimony outlined some pretty serious \ndeficiencies in the Office of Information and Technology. And \naccording to the evidence, VA\'s network has been accessed by \nforeign state actors since March 2010. And in that fiscal year, \nand since then, you\'ve received a grand total of more than \n$87,000 in bonuses. Can you explain how you merit such a large \namount in bonuses?\n    Mr. Warren. Sir, as you\'re aware, the way the compensation \nsystem works in the Federal Government is a performance plan is \nlaid on an employee, as in myself. A supervisor sits down and \nlays out what I expect from you in the year. And based upon how \nyou do, there is an appraisal given.\n    Mr. Huelskamp. So how you did was worthy of $87,000 in \nbonuses? Is that your understanding?\n    Mr. Warren. I believe, as a result of me exceeding the \nperformance expectations that my leadership have laid on me, I \nwas recognized with performance awards of that amount.\n    Ms. Halliday. Okay. I\'d like to ask a question as well, \nthat you did state there were no absolutes in your mind in \nsecurity. But we do have a letter here, a very absolute \nstatement from your boss, the Secretary, that says, quote, ``To \nbe clear, VA\'s security posture was never at risk.\'\'\n    Is that a true or false statement?\n    Mr. Warren. I would tell you, sir, as the person who ghost \nwrote that memo, in terms of doing the staff work for the \nSecretary, I was not clear in my language and I take ownership \nof that.\n    Mr. Huelskamp. Is it true or false?\n    Mr. Warren. 
It is true with respect to the ATO process, \nwhich this memo was trying to answer. With respect to the \nbroader question, as we\'ve already talked about today, there \nalways is some risk. And so again--\n    Mr. Huelskamp. Is this a false statement then?\n    Mr. Warren. I would not say it was a false statement, sir.\n    Mr. Huelskamp. It\'s an inadequate statement? A mistake?\n    Mr. Lowe, let me ask you a question: Have you ever brought \nto Mr. Warren\'s attention that there are significant security \nissues that need to be addressed?\n    Mr. Lowe. Congressman, thank you.\n    Have I ever brought attention to Mr. Warren that there are \nsignificant security issues that need to be addressed? No, sir, \nI have not.\n    Mr. Huelskamp. You have not?\n    Mr. Lowe. I have not.\n    Mr. Huelskamp. Usually, I try to anticipate an answer. And \nto anticipate an answer that in your job you have never \nidentified a single security risk really strains credibility. \nYour own testimony.\n    So you\'ve never sent an email, never made a statement to \nMr. Warren or his superiors that there are any security risks \nin the IT system at the VA?\n    Mr. Lowe. I brief Mr. Warren and the Secretary frequently \non security risks for the organization.\n    Mr. Huelskamp. Do you know how many foreign state actors \nhave been identified as perhaps intruding upon the system?\n    Mr. Lowe. I know that there are foreign state actors that \nare--\n    Mr. Huelskamp. Do you know how many have you identified? Is \nthere one or more?\n    Mr. Lowe. Individual state actors?\n    Mr. Huelskamp. The Individual states. It\'s a pretty clear \nquestion.\n    Mr. Lowe. Yes, sir.\n    Mr. Huelskamp. Have you identified more than one?\n    Mr. Lowe. Yes, sir.\n    Mr. Huelskamp. How many more? Mr. Warren said there was \nonly one, in his earlier testimony. How many more were \nidentified?\n    Mr. Lowe. 
How many more state actors that are actively \ntrying to penetrate the network or actors that have \npenetrated--\n    Mr. Huelskamp. I\'m guessing there will be a second round of \nquestions, so it probably doesn\'t help to try to stall. Would \nyou answer the question? How many more?\n    Mr. Lowe. Sir, I have been in this position for \napproximately 90 days. I\'m still trying to ascertain the state \nof the organization.\n    Mr. Huelskamp. Have you seen any memos that would identify \nmore than one?\n    Mr. Lowe. More than one--\n    Mr. Huelskamp. State actor. You believe there\'s more than \none. Mr. Warren stated there was only one. You believe there\'s \nmore than one. I am asking how many more?\n    Mr. Lowe. I don\'t know the answer off the top of my head, \nsir. If I could get back to you on the record, I would \nappreciate it.\n    Mr. Huelskamp. Well, I will note for the Committee I\'ve had \na grand total of, I believe 23 questions. I\'ve been waiting for \n264 days for your agency to respond. As Dr. Roe mentioned, \nwe\'re supposed to be working for the American people. And when \nyour agency, your bosses refuse to answer questions, it looks \nlike you\'re covering things up. When you say there\'s one state \nactor, he says there\'s more, he\'s only been here for 90 days, \nwe\'ve got a report from the people that work for you, Mr. \nWarren--you know this report. You know there\'s eight actors \nidentified on here. And you claimed there\'s only one in your \nearlier testimony. I think that\'s embarrassing. It\'s not only \nembarrassing, you\'re sworn under oath. So I\'m going to ask you \none more time, how many state actors have you identified or \nbelieve are out there that have accessed the system for 20 \nmillion veterans and their dependents?\n    Mr. Warren. Congressman Huelskamp, I believe that question \nis directed to myself?\n    Mr. Huelskamp. Is your name Mr. Warren? Answer the \nquestion, please. Let\'s get on with it. 
We\'re doing the \nbusiness of answering questions. Please answer them. I come \nfrom Kansas. We don\'t go through all this trying to act like we \ndon\'t know what the question is. I asked your name. Answer the \nquestion.\n    Mr. Warren. I would tell you that the Department, through \nthe NSOC, is aware of multiple state actors who are trying to \ntake action against the Department.\n    And I will tell you it is more than just state actors. It \nis very known in the community that it is more than countries. \nThere are syndicates who have this as a money-making activity. \nAnd I believe that\'s also in the open press in terms of it\'s \nnot just countries, it\'s individuals, it\'s groups of \nindividuals. And it is not just veteran data they\'re going \nafter, they go after your home, your home computer, Web sites \nyou go to. And there is a very aggressive effort, and I know \nthat Congress is engaged in terms of what\'s notification, what \nyou should notify, how we share, and how do we do all those \nthings.\n    Mr. Huelskamp. But you\'re comfortable with the current \nsecurity risk?\n    Mr. Warren. I am not comfortable with the current security \nrisk, sir. And again, I will tell you the safest computer is \nthe one you don\'t hook up to the Internet.\n    Mr. Coffman. Mr. Huelskamp, we\'ll do a second round.\n    Mr. Huelskamp. Thank you, Mr. Chairman.\n    Mr. Coffman. Mr. Warren, so we know that we\'ve been hacked \nby a foreign actor, we know that, the VA system. We know that \nthey encrypted their way out, exiting. So we don\'t know what \nthey took. We know that the system contains the personal \nidentification information for about 20 million veterans. So \nisn\'t it possible that they could have taken all of that--that \nthere is an entity, having hacked our system, that has all the \npersonal identifying information for all our 20 million \nveterans? Isn\'t that correct?\n    Mr. Warren. 
Sir, I am very concerned about stringing all \nthose facts together and stating a causality. In other words, \nthis, this, this, this means.\n    Mr. Coffman. Well, okay, let\'s walk through it then.\n    Number one, our system has been hacked, correct?\n    Mr. Warren. We are aware of incidents--\n    Mr. Coffman. That\'s right. Number two, that they \nencrypted--that they penetrated the system, and they encrypted \non their way out, so we don\'t know what files they took. Is \nthat correct?\n    Mr. Warren. In the incident referred to, there was data \nremoved that was encrypted, yes, sir.\n    Mr. Coffman. So we don\'t know what files they took, \ncorrect?\n    Mr. Warren. We do not know what files they took out of the \nVA.\n    Mr. Coffman. Had access to information pertaining to our 20 \nmillion veterans, did they not?\n    Mr. Warren. I would tell you, sir, that is the point where \nI diverge, because it\'s not clear where they had access, right. \nSo you\'re assuming the VA is a small place with one computer.\n    Mr. Coffman. You\'re right, we don\'t know. That\'s the \nproblem. We don\'t know. That\'s right. And so the fact is that \nthey had access to the 20 million veterans. Aren\'t you \nconcerned about that?\n    Mr. Warren. Sir, I am concerned any time veterans\' data is \nput at risk.\n    Mr. Coffman. Don\'t you feel that the veterans of this \ncountry--I being one of them, and there are some other veterans \non this Committee--ought to be warned of that fact?\n    Mr. Warren. I believe you are accomplishing that through \nthis hearing, sir.\n    Mr. Coffman. Should you have accomplished that?\n    Mr. Warren. To what end, sir? To drive veterans away from \nthe health care they need, the mental health care they need?\n    Mr. Coffman. To inform them that they need to watch out, \nthe fact their--that the system had been compromised, just as \nany private entity that had been compromised would notify the \nconsumers that they serve. 
You, in fact, had an obligation to \nnotify the consumers that you serve. That\'s the men and women \nthat served this Nation in uniform.\n    Mr. Warren. Yes, sir, as I did. And any time there is the \npotential where we believe there is the potential of a breach, \nwe offer credit monitoring--\n    Mr. Coffman. There was a breach.\n    Mr. Warren. We offer credit monitoring for a year. We have \na hotline to provide those services to individuals. In the \npast, we have received emails from Homeland Security--\n    Mr. Coffman. Ranking Member Kirkpatrick.\n    Mrs. Kirkpatrick. I yield back.\n    Mr. Coffman. Mr. Lamborn.\n    Mr. Lamborn. Thank you, Mr. Chairman, and once again, thank \nyou for your leadership on this issue.\n    Mr. Warren, it was testified under oath by the previous \npanel that when you own the domain controls you own the network \nand that that is what happened at the VA. Would you agree with \nthat statement?\n    Mr. Warren. I would tell you, sir, that when you have the \ndomain controllers you can go where you would like. That is not \nnecessarily the same as owning the network. Owning the network \nmeans you control what anybody does or anybody can do and where \nall the traffic goes. That is not the case.\n    Mr. Lamborn. But if you are looking for information and you \ncan go wherever you want to go, that is a pretty bad situation.\n    Mr. Warren. As I believe I have--yes, sir.\n    Mr. Lamborn. Can you tell me about the APO process, the \ncertification process? I hope I am using the right terminology.\n    Mr. Warren. Yes, sir. The authority to operate process is \nsomething that was established I think approximately in 2002 by \nthe E-Gov Act. 
It was a paper process that was used, very \nroutine eyes, very checklist focused, very document oriented, \nto if you are bringing a system online, are you putting it in a \nbox and controlling all of the boundaries on the box in such a \nway that it was worth the risk to the organization for the \nsystem to run.\n    Mr. Lamborn. Okay, thank you. So if you go to a vendor or \nif you go to someone in the VA and say I want you to certify \nthat everything is working properly and is secure, how long \nwould it normally take them to do that?\n    Mr. Warren. So that the ATO process is actually an ongoing \nprocess. Multiple documents are on different schedules on when \nthey are generated and when they are updated. As an example, \nCOOP/COG, which deals with what do you do if a system breaks, \nthat gets checked and exercised on an annual basis, and in fact \nevery year the IG comes in and looks at have you done that? \nThat is a part of that. There is a system security plan which \nis the description of it. There is the security controls in \nterms of what you are doing. There are the management controls \nin terms of what you put in place because technology can\'t do \nit. And there is a whole list of documents that you run \nthrough. Each of those are on a different schedule. So when you \ntalk certifying, there are multiple steps in the process.\n    Mr. Lamborn. Okay. What would be a normal range of high-end \nand low end of how long that certification would take?\n    Mr. Warren. Sir, if you are referring to the last two \nsteps, which I take it you are, which is the individual looking \nat all of the material that exists and asking is it relevant \nand correct and then recommending authorization, I believe you \ncan do that in 2 weeks to 30 days if you have a well-run \norganization.\n    Mr. Lamborn. Two weeks to 30 days.\n    Mr. Warren. For the last two steps of the process. As I \nsaid, all of the other ones are ongoing. 
Those last two steps \nare validating that the individuals below, the information \nsecurity officer, the system owner, the facility, have actually \ndone all the things and certified, attested that all of the \ninformation is correct, that it is current. So that \ncertification process is not a go do a lot of work. It is make \nsure all the folks below you, all the processes you are \nresponsible for, have happened.\n    Mr. Lamborn. So if you accepted certifications like that in \nthat 2 weeks to 30 days or 2 months process, then you would \nalso be trusting that everything before those last two steps \nhad been accomplished on an ongoing and regular basis?\n    Mr. Warren. Yes, sir. You count on the signature of the \nindividual and the attestation they have done their job. And I \nwill tell you, when we did that first cycle, of the 268 \ndocuments that were signed, I rejected over 40 percent because \nwhen I looked at the underlying documentation, which is how I \ndo things, it did not meet the standard and I sent them back to \nbe redone. So the certifier said yep, it is ready, but when I \ndid that first set, 44 percent did not meet it.\n    Mr. Lamborn. So you would not accept an ATO without all of \nthe previous steps having been done on an ongoing basis up to \nthe last two steps and then reviewing it once again for those \nlast two steps?\n    Mr. Warren. Yes, sir.\n    Mr. Lamborn. And you would not rush something through just \nto look good or something like that?\n    Mr. Warren. Sir, my signature means a heck of a lot to me, \nso when I sign something saying that I am accepting the risk, I \nam accepting that risk. So I believe I laid out a responsible \ntime period for something to be done and I had an expectation \nthat the individual would have done all the things necessary \nsuch that when it got to me that it needed to be done. 
And in \nfact the action was given in November in a meeting where the \nindividual accepted the responsibility to do the job by \nFebruary. It had been talked about prior to that in multiple \nmeetings about the need to fix that process. I was expecting at \nthe end of the process that all of the things they were \nresponsible for had happened. And even though they were, I \nstill checked and rejected the ones that did not meet the \nstandard.\n    Mr. Lamborn. All right. Thank you.\n    Mr. Coffman. Mr. Warren, a quick question. Did you mislead \nthe Secretary of Veterans Affairs when you had inserted the \nlanguage in the letter that was sent to me on May 14th, ``To be \nclear, VA security posture was never at risk.\'\' Did you mislead \nthe Secretary?\n    Mr. Warren. Mr. Chairman, I did not intend to mislead the \nSecretary.\n    Mr. Coffman. But you did?\n    Mr. Warren. I don\'t believe I did.\n    Mr. Coffman. You did?\n    Mr. Warren. I believe my answer was within the context of \nthe question which was dealing with the ATO process.\n    Mr. Coffman. Dr. Roe.\n    Mr. Roe. Just very briefly. Mr. Warren, one of the things \nthat is most important I think at the VA or with anyone in \nhealth care is trust. You have to trust not only the person \nthat is seeing you, providing the care, but you have to trust \nthat that information will be protected. Because many times it \ncould be very embarrassing if something had occurred to you \nyears ago that maybe current family members, other people don\'t \nknow about, right now the relationships you have had, issues \nthat come along, mental health care issues. That is why it is \nso--not just money, but that is why that is important.\n    And I guess a question that I have, and the VA has not done \nan exemplary job, in 2006 with the laptop it took forever to \nnotify people. Secondly, when the issue came along with the \ncolonoscopies, that wasn\'t handled very well by the VA. 
And I \ndon\'t think that veterans right now understand, as a matter of \nfact I guarantee you they won\'t until they see this hearing \ntoday and the word gets out among the veteran community that \nall of their personal information potentially is at risk.\n    I guess the question I have for you is, are you concerned \nat all about your data in the VA, if you go to the VA, about \nyour own personal information, you?\n    Mr. Warren. Sir, I have no reservation about using VA \nbenefits or services, placing the data, my data in the \nveterans\' hands, into my staff\'s hands, into the rest of the \nVA. I believe we would be doing a disservice to our veterans by \ntelling them, hey, there is a disproportionate risk and \ntherefore you should not be coming to the VA for those services \nor benefits.\n    We know health care, and as you have already talked about \nin other settings about mental health care and making sure our \nveterans get that, I would hate that this, the potential to \ndrive folks away from the services and the benefits not only \nthat they have earned but they need.\n    Mr. Roe. But equally just as bad is to have that \ninformation once she have shared it with somebody, shared with \nthe world, I think Mr. Lamborn said in a WikiLeak drop. I think \nthe most compelling thing you said, and I have to agree with \nyou the more I hear in these hearings I go to, is don\'t hook up \na computer to the Internet if you don\'t want somebody to know \nabout it. Apparently if you can\'t protect it, I mean that is \nwhat you said just a minute ago, whether you said that just out \nof exasperation or fact, but I think when you hook it up, you \nmay be now, you may be an open book.\n    Mr. Warren. 
I would tell you, sir, and it is a great area \nwhere we focus and it is the training of our workforce, our \ngreatest asset and our greatest risk is our employee base, \nbecause if you do something without thinking, if you do not \nthink about where you go--in other words, if you go out to the \nInternet and you say ``free car,\'\' and you go to that Web site \nto get that free car, you are actually downloading probably \nmalicious software.\n    Within the VA, we protect against that. But when you are at \nhome, if you go to the wrong place or your child goes to the \nwrong place or a visiting sibling or niece, you are putting \nthat computer at risk, right? And one of the programs that we \nhave at the VA is, we don\'t allow you to hook your personal \ncommuter up to the VA. We actually allow you to come into the \nVA through a virtual environment so you don\'t bring any of the \nthings you have on your home computer.\n    In fact, at the Federal Trade Commission before the virtual \ntechnology had really matured, we paid for anti-virus \nprotection for individuals\' personal computer because we knew \nif they had to use it to get into the VA through remote or into \nthe Federal Trade Commission.\n    At the VA we don\'t have to do that because we protect by \ndoing virtual. But the behaviors that we build at the VA we \nwant them to take home, because if you are at home dealing with \nidentity theft because you did a bad thing unintentionally, you \nreally can\'t do your job at the VA as a result of it.\n    Active aggressive education. Posters. Some of the things \nthat we have been exploring with, and we did it at the Federal \nTrade Commission, is you do spooks, right? You send individuals \nemail at work intentionally, bad stuff, right, and you want \nthem to basically do it. And you pop up and say don\'t do this \nfor real, because this, if this had been a real one, you would \nhave just compromised your system.\n    Mr. Coffman. Mr. Walz.\n    Mr. Walz. 
I yield back my time, Mr. Chairman.\n    Mr. Coffman. Mr. Huelskamp.\n    Mr. Huelskamp. Thank you, Mr. Chairman. I apologize for my \nemotion earlier. I have a 95-year-old veteran uncle, a Purple \nHeart recipient who is facing some medical problems and the \nthought that his records might be at risk is particularly \nworrisome to me. But I have a few more follow-up questions for \nMr. Warren and his assistant on some budget issues.\n    If I understand correctly, the VA intends to transfer \nalmost $69 million to various IT efforts. Is any of that money \ndestined for IT security?\n    Mr. Warren. Sir, so I can make sure I am answering the \nquestion appropriately, is that referring to a reprogramming \naction that was sent up to the Hill, or is this something else?\n    Mr. Huelskamp. That would be a reprogramming.\n    Mr. Warren. This would be the reprogramming. I need to go \nback and confirm which accounts were being moved. I do not \nbelieve--in fact, I am pretty sure that that transfer would not \nbe degrading any of the efforts we are doing in information \nsecurity; that the work that we need to do to continue CRISP \nand to support the work on the material weakness that the IG \nhas identified--\n    Mr. Huelskamp. Is it enhancing your IT security efforts?\n    Mr. Warren. I would tell you every day we are working on \nenhancing our--\n    Mr. Huelskamp. With this transfer, are you moving money to \nenhance the IT security?\n    Mr. Warren. The primary purpose of those dollars, sir, that \ntransfer, is to move accounts, move dollars out of different \naccounts--\n    Mr. Huelskamp. Are you using it for enhancing IT security? \nYes or no.\n    Mr. Warren. I will need to go back and confirm if we are \nmoving funds into the information security accounts. I can\'t \ntell you that directly here, but I will get back to you, sir.\n    Mr. Huelskamp. 
The second budget question would be, it is \nmy understanding under your direction, the VA spent $14 million \nfor a conference room, approximately $14 million for a \nconference room in Martinsburg, Virginia. Is that accurate?\n    Mr. Warren. Sir, I would need to take that one for the \nrecord. The number I believe is high, but I need to go back and \npull the records up to confirm.\n    Mr. Huelskamp. When you say high, is that in the ballpark? \nRoughly? I appreciate getting the actual figures, but your best \nguess is how much was spent on this conference room?\n    Mr. Warren. Sir, the reason I would like to take the \nquestion for the record is Martinsburg is a facility that has \nmultiple conference facilities in it. It is a place where we \nhave the NSOC in terms of our security group. So I don\'t know \nif it is facilities we built for them. There is a location for \nthe Secretary and the leadership team. I don\'t know if it \nrefers to that. We also have a command post for the IT \norganization in case we deploy there. So I don\'t know which one \nyou are speaking to, so that is why I would like to take it for \nthe record.\n    Mr. Huelskamp. There is one here. It would be the one room \nthat has a plaque on the wall with your name on it. And I don\'t \nknow if we have a copy of that. That would be the plaque that \nis on the wall. So if you are going to look for the room--is it \ncustomary in the VA to put your name on a plaque on a wall?\n    Mr. Warren. Sir, that is actually the plaque to the \nbuilding, and I was the responsible official that worked with \nthe Congress to get the funding for that location. And I \nbelieve if you look in any new building that has been built, \nthe names of the individuals responsible normally appear on the \nplaque.\n    Mr. Huelskamp. 
I would actually say put about 300 \nmillion taxpayers on there as the ones responsible for the \nbuilding.\n    The last thing I want to ask you about, you mentioned \ncredit monitoring services.\n    Mr. Warren. Yes, sir.\n    Mr. Huelskamp. Who do you provide those to?\n    Mr. Warren. We provide those in any case where we believe \nthere is the potential for the release of veterans data.\n    Mr. Huelskamp. So you do that on an individual--\n    Mr. Warren. On an individual basis. A letter is sent out to \neach of the veterans where--\n    Mr. Huelskamp. Do you know how many you have provided this \nfor?\n    Mr. Warren. I will take that for the record and get it back \nto you, sir.\n    Mr. Huelskamp. Okay. So you actually have identified \nindividuals you believe their data is at risk and provided them \ncredit monitoring services if they so choose?\n    Mr. Warren. Any time we believe there is the potential of \nthe information being released, we offer the credit monitoring \nprotection to those veterans.\n    Mr. Huelskamp. Okay. And I understand you don\'t believe \nanything is actual, you don\'t have actually any loss of data. \nIt is all potential.\n    Mr. Warren. I will tell you, sir, we go the extra distance \nby offering that. We actually have a lower threshold for \noffering than anybody else because we want to be sure--\n    Mr. Huelskamp. You know that how?\n    Mr. Warren. Based upon our communication with the industry \nand conversations with folks who offer credit monitoring. I am \nnot sure you will find other government agencies who offer \ncredit monitoring if there is the potential of a risk. I think \nthe VA is unique in that regard.\n    Mr. Huelskamp. I look forward to that information, the \nexact numbers of folks you have identified potentially at risk.\n    Mr. Warren. Yes, sir.\n    Mr. Huelskamp. Thank you, Mr. Chairman. I yield back.\n    Mr. Coffman. Potentially, I think that number is about 20 \nmillion. Mr. 
Warren, thank you so much for your testimony \ntoday. Mr. Lowe, you are excused, both of you. Thank you. Stay \naround. I think if we have time we will do that classified \nsetting after Mr. Davis gives testimony.\n    On the last panel today is Mr. Jerry Davis, former Deputy \nAssistant Secretary for Information Security for the Office of \nInformation and Technology at the Department of Veterans \nAffairs.\n    Before I recognize you, Mr. Davis, I ask that you please \nrise and raise your right hand.\n    [Witness sworn.]\n    Mr. Coffman. Please take your seat and you will be \nrecognized for 5 minutes, Mr. Davis.\n\nSTATEMENT OF JERRY L. DAVIS, FORMER DEPUTY ASSISTANT SECRETARY \nFOR INFORMATION SECURITY, OFFICE OF INFORMATION AND TECHNOLOGY, \n              U.S. DEPARTMENT OF VETERANS AFFAIRS\n\n    Mr. Davis. Chairman Coffman, Ranking Member Kirkpatrick, \nand Members of the Subcommittee, thank you for the opportunity \nto convey my concerns to you regarding the protection of \ninformation systems and information, which includes sensitive \nveteran data at the Department of Veterans Affairs.\n    From August 2010 until February 2013 I have served as the \nDeputy Assistant Secretary Information Security and Chief \nInformation Security Officer at the VA. As the DAS IS, I served \nas the most senior civil servant staff member within VA with \nresponsibility for oversight and accountability and the \nprotection of VA information, VA privacy, records management, \nand the Freedom of Information, FOIA, Act process.\n    At that time, the time of my departure from VA in early \nFebruary 2013, I was one, if not the longest serving chief \ninformation security officer in the Federal Government, with \nnearly a decade of service in that role spread across multiple \nFederal agencies. I am also a Marine veteran, having served in \ncombat with distinction during the first Gulf War, so the \nappointment to the position as the VA CISO had special meaning. 
\nIt was a position that I did not take lightly and I was and I \nstill am extremely proud to have had an opportunity to serve \nour country, and equally proud to have had an opportunity to \nserve the veteran community.\n    My time at VA was largely filled with a great sense of \npride because of the purpose and mission of VA and because of \nmy role, which had a direct and positive impact on the veteran \ncommunity. However, there came a time at the end of my tenure \nwhere my pride turned to serious consternation, and that \nconsternation remains to this day.\n    In nearly 20 years of building and managing security \nprograms across government and private industry, I have never \nseen an organization with as many unintended security \nvulnerabilities. Upon my arrival in late August 2010, I \ninherited results of more than 15 continuous years of an \nunintended and documented material weakness in IT security \ncontrols. This material weakness included more than 13,000 \nuncompleted IT security corrective actions. These 13,000 \ncorrective actions will require more than 100,000 sub-actions \nto fully remediate and manage IT security vulnerabilities and \nimprove the VA security posture. In early September 2010, I was \nalso advised that nearly 600 VA systems\' Authority to Operate \nhad expired and there was no plan in place to bring these \nsystems into compliance.\n    Despite the voluminous number of uncompleted corrective \nactions and expired ATOs, the most concerning issue was a \nconversation I had with the VA Principal Deputy Assistant \nSecretary Steph Warren, who told me shortly after my arrival \nthat we have uninvited visitors in the network. 
Further \ndiscussion with the VA network security operations team \nindicated that VA became aware of a serious network compromise \nin March 2010 and these uninvited visitors were nation-state \nsponsored attackers.\n    Over the course of time while working with the VA NSOC and \nexternal agencies I learned that these attackers were a nation-\nstate sponsored cyber espionage unit and that no less than \neight different nation-state sponsored organizations had \nsuccessfully compromised VA networks and data or were actively \nattacking VA networks, attacks that continue at VA to this very \nday.\n    This group of attackers was taking advantage of weak \ntechnical controls within the VA network. Lack of controls such \nas encryption on VA databases holding millions of sensitive \nrecords, web applications containing common exploitable \nvulnerabilities, and weak authentication to sensitive systems \ncontributed to successful unchallenged and unfettered access \nand exploitation of VA systems and information by this specific \ngroup of attackers.\n    During my tenure, I consistently ensured that each instance \nof attack or compromise by this group of attackers was \ndocumented and communicated to the VA OIT leadership through \nspecialized reporting called Key Investigative Reporting \nperformed by the NSOC Deep Dive analysis team and biweekly \nsecurity meetings with the VA Principal Deputy Assistant \nSecretary, Mr. Steph Warren.\n    From late August 2010 until my departure in early February \n2013, I planned for and executed with support from various sub \noffices within OIT a series of initiatives and activities \nneeded to improve network and system security with the \nparticular focus on defending the network against sophisticated \nand targeted attacks levied by nation-state sponsored \norganizations. 
Some of these initiatives included a web \napplication security program, the VA software assurance \nprogram, continuous monitoring and diagnostics of VA \ninformation systems, mandating encryption of all VA databases, \nand supported the reduction of the total number of VA databases \nhosting sensitive veteran information.\n    During my tenure as CISO, with the support of VA as a \nwhole, we were able to close more than 10,000 of the 13,000 \nsecurity corrective actions. In all, VA personnel executed more \nthan 100,000 sub actions. While these actions did improve \nsecurity from a compliance perspective, there still existed a \nproblem of fully implementing adequate technical security \ncontrols needed to defend network systems and system \ninformation from nation-state sponsored attackers.\n    The heart of selecting the proper technical controls meant \nfully understanding the threat actors, their tactics, \ntechniques and procedures, and along with systems and network \nvulnerabilities in implementing a program that could \ncontinuously report on and remediate identified vulnerabilities \nin a near realtime fashion.\n    Over time, the Office of Information Security worked to \nenhance a comprehensive program called Continuous Monitoring \nand Diagnostics that would provide adequate security of VA \nsystems and networks by continually evaluating certain \ntechnical controls in a near realtime fashion. There is proof \nthat a good CMD program monitoring the correct controls can \nsignificantly improve information security and is consistent \nwith the direction that the Federal Government is taking in \nsecuring Federal systems. 
It is also significantly superior to \neven a good paper-based ATO process.\n    It is my testimony that at the time of my departure from VA \nthat the process required for the DAS IS to make an attestation \nthat VA systems were adequately secure was completely faulty \nand improper and implementation of the process exposed veteran \nsystems and VA information to further risk of compromise. It was \nconfirmed to me by the VA information security staff charged \nwith executing the process that it was flawed, provided no \nvalue, and that providing a positive attestation to the \nadequacy of security controls would seriously compromise the \nintegrity of the VA security program. I subsequently conveyed \nthis message to the Assistant Secretary and the PDAS by formal \nmemorandum and in conversation to the PDAS between January 15, \n2013, and January 23, 2013.\n    VA Handbook 6500.3 states that the DAS is responsible for \nreviewing all C&A packages and making a decision recommendation \nto the authorizing official to issue an IATO, ATO or Denial of \nAuthorization to operate; and providing an IATO extension in \nthe event local management can demonstrate continuous \nmonitoring and security due diligence are being provided.\n    In accordance with VA information security policy and \nfollowing VA information security procedures as a DAS IS, I \nelected to recommend a denial of Authority to Operate and also \nelected to recommend movement of VA systems over the course of \neight months into an enhanced continuous monitoring program \nwhere systems technical controls can be centrally managed and \nevaluated in a near realtime fashion. 
I based my decision on \nthe guidance provided by the information security team on the \nfact that the paper-based process would not keep highly \nsophisticated nation-state sponsored attackers from further \ncompromising VA data.\n    Furthermore, as each VA system was transitioned into the \ncontinuous monitoring program, additional specific critical \ncontrols would be evaluated for adequacy before being fully \ngranted a full ATO. These additional critical controls are \nproven to slow and repel sophisticated nation-state sponsored \nattackers from compromising information systems and data. This \nwas an agreed upon process with the VA information security \nteam and a process that had been briefed by me to the Director \nof IT Audits and Security within the VA Office of the Inspector \nGeneral several weeks before the process implementation.\n    Despite the authority granted to the DAS IS, to make the \nrecommendation to deny authorization, the VA OIT PDAS made a \nconcerted effort to circumvent my authority and influence my \ndecision to make a recommendation to the accrediting official \nthat 545 VA systems be given an interim authority to operate. \nFurthermore, VA handbook and policy 6500.3 and VA policy 6500 \nprovide no role or authority for the PDAS, OIT with regard to \nthe program or processes governing authority to operate.\n    To this end, I would recommend to this Subcommittee some \nrecommendations. 
Review all key investigation reports and Deep \nDive analysis reports and Web Application Security Program \nreports to assess the damage and depth of exposure, extent of \ncompromise to VA systems and compromise to Veteran information, \nand regularly report to the House Committee on Veterans Affairs \non progress made with respect to mitigating access to VA \nsystems and veteran information by nation-state sponsored \norganizations.\n    Assess previously identified web application exposures and \nassess for potential compromise of veteran data, both PII and \nPHI.\n    Include web application exposures as part of the Data \nBreach Core Team evaluation process.\n    Assess the potential compromise to non-VA networks sharing \nan interconnection with VA\'s networks.\n    Designate the VA network as a compromised environment and \nestablish controls that are effective and support the \nreclamation of control back to VA from nation-state sponsored \norganizations.\n    Move the VA systems into a full continuous monitoring and \ndiagnostics program with near realtime situation awareness of a \nsecurity posture with a focus on the 20 critical controls.\n    Increase VA funding for VA security programs and number of \ninformation security officers supporting VA field offices and \nfacilities.\n    Move reporting lines for the DAS Information Security \ndirectly to the Assistant Secretary OIT or to the Office of the \nSecretary, VA.\n    Assess the past and present practices of the OIT leadership \nwith regard to decisions made in the protection of VA systems \nand information.\n    I would like to thank the Members of the Subcommittee for \nyour time today and I look forward to any questions you may \nhave.\n\n    [The prepared statement of Jerry L. Davis appears in the \nAppendix]\n\n    Mr. Coffman. Thank you, Mr. Davis. Mr. Davis, in your \nexperience, what would be the intended use for their access \nonce these actors gained access into the network?\n    Mr. Davis. 
The actors, once they get inside a network, \ndepending on what their goals and objectives are, could be a \nnumber of things. So initially, once they get inside a network \nthey establish a foothold and that foothold is actually meant \nand designed to allow them access into the network at another \ngiven time. So basically what they do is, they install \nbackdoors into the network. Once they are inside the network \nand they have established those backdoors, they then attempt to \nmove laterally throughout the network by compromising \npasswords, user names and things of that nature, and elevating \ntheir privileges so they can further move throughout the \nnetwork and start looking at systems to potentially compromise.\n    Their long-term objective is to maintain a presence inside \nthe network for whatever they need to do. So by maintaining the \npresence means that they will attack multiple systems, they \nwill continue to steal passwords, user names, things of that \nnature, so they can maintain their presence, and then \nessentially take whatever data that they deem may be important \nfor them.\n    Mr. Coffman. Mr. Davis, can you elaborate on these nation-\nstate attackers?\n    Mr. Davis. So within VA I saw--we dealt with approximately \neight different types of attackers or groups or organizations. \nIn looking at reporting that was put out by industry experts, \nparticularly a report in February of 2013, Mandiant, they \nidentified attackers coming from the People\'s Republic of \nChina, the People\'s Liberation Army, and in information that I \nhad at the time and looking back when we did the analysis on \nthose individuals, we identified that it was also the same \ngroups. One of the groups we called was the Comment Crew, and \nthey are known to be sponsored by the People\'s Liberation Army.\n    Mr. Coffman. Mr. Davis, how does an organization defend \nagainst these sophisticated attackers once they are in the \nnetwork?\n    Mr. Davis. 
Once they are in the network, once you \nunderstand that they are in the network, you have to do \nsomething which I call is, you are in a compromised \nenvironment. So there is a number of things that you need to do \nto understand how do you reclaim that environment.\n    The first thing you need to do is identify which systems \nwere compromised, do a forensics evaluation if you can on what \nwas actually taken, remove users from resources around the \nnetwork and then do things such as look at what we call \nindications of compromise.\n    So this is basically digital fingerprints that we would \nhave of different groups who have compromised other \nenvironments and we now have their fingerprints. You will look \nfor these indications of compromise and then basically go back \nand remediate all of those areas where you believe the \ncompromise took place or where you know the compromise took \nplace.\n    So if you know that the compromise was a missing patch, you \nhave to start patching past the systems. The problem is, is \nthat once you realize that the individuals are in the network, \non average, they have already compromised the environment for \ngenerally up to a year by the time you figured out they have \nbeen in the network. So you may go back and patch a particular \nsystem, but they have already established backdoors elsewhere \nin the network. So it becomes sometimes chasing your tail \naround and around in circles in trying to identify where they \nare. So you may patch, but they will pop up again somewhere \nelse. 
So it takes over time a number of years, months to years, \nto go through the organization systematically and plug these \nholes.\n    DoD puts out a very good document, it is not classified, it \nis sensitive but it is not classified, that is called \nOperating in a Compromised Environment, and it teaches \norganizations, it is instructions on how you actually operate \nin a compromised environment and reclaim that environment.\n    Mr. Coffman. Mr. Walz.\n    Mr. Walz. Thank you, Chairman. Mr. Davis, thank you. Thank \nyou for your service both in uniform and after.\n    I am going to try and go back at this issue because I think \nthe issue of security and veterans security is paramount. The \naccusations that have been laid out, I am going to get at this \nand try and figure it out. Can you tell me, was this issue over \nyou pointing out that there were problems, did that lead to \nyour departure from VA?\n    Mr. Davis. The problems at VA didn\'t lead to my departure. \nLike I said earlier, we had worked through a tremendous number \nof corrective actions. You know, as I said earlier, I worked \nthrough about--of the 13,000, we had gotten through about \n10,000 of them. At that time I felt that the work that I was \ndoing at VA, some other opportunities came up. I had an \nopportunity to move back to the West Coast where I am from \noriginally and be closer to my family out there, was part of \nthe reason why I elected to move back.\n    Mr. Walz. Because you signed off, if I am right here, in \nAugust 31 of 2011 you did the extensions on the ATOs.\n    Mr. Davis. That is correct.\n    Mr. Walz. And then again you met with Mr. Warren on \nNovember 29th about the expiring ATOs, and then on December \n21st you informed him of your resignation. It is just personal \ntiming on all this, is why this hit like this?\n    Mr. Davis. Yes, it was the timing. I had actually notified \nthe previous Assistant Secretary Mr. 
Baker before November that \nI would be departing. I had just had a one-on-one with him and \nsaid that I have an opportunity to go back to the West Coast. I \ndon\'t have anything in writing but there has been a formal \noffer. When I get a formal offer--\n    Mr. Walz. This was all prior to December 31st on the \nexpiring ATOs.\n    Mr. Davis. That is correct.\n    Mr. Walz. Why would they have asked you when they knew you \nwere leaving, you had already signed on to these, do you think \nit was appropriate at that time? Now, you say, the thing that I \nam going at is under duress. What did they do or ask you to do \nthat violated your conscience on this to sign these things?\n    Mr. Davis. The process to do the Authority to Operate, it \nis a sign-off that says--that gives my attestation that the \nsystems are adequately secure. The process is pretty involved \nand very extensive. So the problem that I had was that the \nprocess was asked to be short-circuited. In other words, an \nemail had come out from the OIT front office indicating that \nMr. Warren wanted all the authorities to operate to be signed \nby the time I left, and that was 2 weeks. This is January 11th. \nSo my team forwarded that to me--\n    Mr. Walz. Why didn\'t you just say no and walk away? Because \nwhat you are asking here is signing off on a system that is \ngoing to possibly lead to the breach of this. You knew it \nwasn\'t working. You knew that there were violations made. But \nby putting your name on it, it gave the authorization to move \nit forward. You were already leaving your job and had notified \nthem, and then a month later a memo is sent, and I am going to \nget to that in a minute, two different ones, and I find out \nabout it here for this hearing. I am still trying to get at \nthis.\n    Mr. Davis. Yes, sir. At that point, I did say no in \nwriting, in memorandum form to Mr. 
Baker, and that would have \nbeen on or about January 15th, immediately after I became aware \nthat I was needed to sign these before I had departed. In the \nmemorandum that I sent to Mr. Baker, I said that this is \nimproper because all of the activities that are needed to make \na decision on authorities to operate can\'t be done in 2 weeks. \nI said there is going to be errors and omissions and that it \nwas improper, we would jeopardize the integrity of security.\n    Mr. Walz. Did someone threaten you?\n    Mr. Davis. I wouldn\'t say--no one threatened me, but \nbasically I was told that I would not be getting--be given a \ntransfer date, a transfer date would not be given to the agency \nthat picked me up until I signed off on the documentation.\n    Mr. Walz. Who told you that about the transfer?\n    Mr. Davis. Mr. Warren.\n    Mr. Walz. Mr. Warren said you would not be given a transfer \ndate if you wouldn\'t sign on a document that your conscience \ntold you was wrong?\n    Mr. Davis. That is correct. And that was--I contacted the \nsenior executive HR because the new organization was contacting \nme and asking me when was I going to be coming on board, \nbecause I had told them back in December that I would give VA \n30 days to work through whatever I had left to do and I would \nbe coming on board. At this point they are contacting VA. They \nare asking when am I going to get a release date. I contacted \nHRHCS and I was told that Mr. Warren said that you would not be \ngiven a release date because you still had a project to finish.\n    Mr. Walz. Did he miss this last paragraph in the memo you \ngave him? The one I have here says I attest that there is a \nclear and present danger and risk of exposure and compromise of \nthe sensitive data.\n    He testified under oath that he never got that, that this \nwas added to the letter that was sent to Congress on January \n28th, and on January 29th he got the letter without that there.\n    Mr. Davis. 
He did indeed, sir, get a different copy.\n    Mr. Walz. Why a different copy?\n    Mr. Davis. Let me explain what happened. I originally--that \nwas the original letter that I had written, and that letter was \non an internal--a letter that was going to VA internally and it \nhad concurrently copied all the Members of Congress. My \nbusiness office came back to me, because we were putting it \nthrough the official VA system, my business office came back to \nme and said we don\'t concurrent copy Members of Congress on \nletters of this type. They get an individual memorandum. So I \nsaid okay.\n    So they went ahead and drafted the individual memorandum in \nthe background. Meanwhile, what I did was, I had someone look \nat the letter and they said they didn\'t like the language. They \nsaid I don\'t like the language. They said you probably should \nchange this language at the bottom. It sounds a little bit \ndramatic and that sort of thing.\n    Mr. Walz. Well, when I read this letter, the most important \nparagraph is the last one.\n    Mr. Davis. Yes. It was--someone told me that I asked to--\nthe person I asked to look at it thought it was overly \ndramatic. I said, you know, this is a dramatic thing, but maybe \nit is. So I did change the letter. But what had happened was I \nsent that inside, but then later on before I left, I had gotten \ncopies of the original letters that came up here to the Members \nof Congress and those had gone out.\n    Mr. Walz. Okay, I will yield back. We will wait if there is \na second round of questions.\n    Mr. Coffman. Mr. Lamborn.\n    Mr. Lamborn. Thank you, Mr. Chairman.\n    Continuing on these ATOs, Mr. Warren testified that in a \nwell run organization you can finish up the last two steps \nprior to signing off on an ATO in as little as 2 weeks. Now, \nyou did not feel that that was appropriate though, and why not?\n    Mr. Davis. 
Because the team that was putting together, \nwhich was the security team that worked under me that runs the \nwhat we call assessment and authorization process, they looked \nat the process--they put together the process, looked at it, \nbrought it to me and said, sir, do not sign these, the process \nis not good. But I already knew that just by looking at what \nwas coming up to me for me to sign that it wasn\'t a good \nprocess.\n    Mr. Lamborn. So in an ideal situation, if it was a well run \norganization you could do that. So you are saying it wasn\'t a \nwell run organization?\n    Mr. Davis. The ATO process that was taking place at the \nvery end was not the general ATO process that we had done in \nthe 2-1/2 years that I had been there. It was cut short, very \nabbreviated, to make this 2-week timeframe. And I said there is \nno way you can certify and accredit 600 systems in a 2-week \ntimeframe by going through all the controls.\n    The bigger problem that I had was there is a checklist, and \nsome individuals have already testified to this. That on that \nchecklist we were asking people out in the field to validate \nthat the controls had not changed. My team that came back to me \nin reaching out to the field, one of the reasons they told me \nnot to sign the document is because the individuals who were \nsupposed to sign off on the checklist delegated the authority \ndown, down, down into the organization to hurry up and meet the \ntimeframe.\n    So you had individuals that had no concept about the \nsecurity posture of the system checking off on this checklist \nand then sending them up to me for signature, and I just \nrefused to sign them.\n    Mr. Lamborn. Thank you. That is very illuminating, and I am \nsorry that we are even in this posture today. I am sorry that \nwe have to have this hearing.\n    You mentioned encryption and others have talked about that. 
\nWas it a negligent practice or a deficient practice not to have \nveterans\' personal information encrypted so that one of these, \nup to eight state actors or state sponsored or outside actors, \nhad they accessed it, it would have been not usable to them?\n    Mr. Davis. That is correct. Encryption of any sensitive \ndata is a general policy. When I got to VA and we started \nlooking, the VA policy, which is Directive 6500, encryption on \ndatabases was basically optional. So in 2012, I said absolutely \nnot. I am mandating that all databases be encrypted because of \nthe issues of individuals being in the network who could \nquite--pretty simply, once you got into the database you had \neverything that you needed.\n    Mr. Lamborn. Now, those of us, some of us anyway on this \npanel have been concerned about what would have been able to be \naccessed. Am I correct in assuming that this would include, of \nthe 20 million veterans on the system, Social Security numbers \nand names, ages and possibly Social Security numbers of \ndependents and sometimes personal health information?\n    Mr. Davis. Sure. Some of the systems that were compromised, \nif they had that information in them obviously they would take \nthat. In some of the studies that my organization did when we \nwere looking at web applications, and web applications that \nhave a database connected to the back end it has veterans\' \ninformation, my team will run security software tools and it \nwill tell them if that application is vulnerable to attack and \nhow easily it is vulnerable and exploitable.\n    My team at that time found a number of applications that \nhad veteran information, 30 million instances of veteran \ninformation that was exploitable, and they exploited the system \nto show that it was exploitable inside those systems; Social \nSecurity numbers, date of birth, so on and so forth.\n    Mr. Lamborn. 
And what about, and I don\'t know if there is \ngoing to be a second round or not, I may have to pursue this \nlater, but what about access to other networks? Like, I know \nDoD and VA interact a lot, at least in the health care issue. \nWhat possible access could this allow if someone was \ncontrolling VA or at least had domain control to get into other \nnetworks?\n    Mr. Davis. As we talked about earlier, the team did these \nkey investigative reports, so specifically looking at the \nnation-state sponsored attackers. And one of the compromises \nthat they picked up on, this report was right as I was leaving, \nthis came out on January 9th, 2013, there was an incident that \ntook place where the team, and I will just kind of read it, it \nsays the teams in turn simply gains initial access to an \nenterprise via spear phishing by moving laterally previously \nthrough compromised trusted networks.\n    I will jump forward in this report, and what they have said \nis that--has targeted and compromised one or more systems \nwithin the Silver Spring office site code, many of which are \nvirtual private network users. Based on information collected \nfrom open source intelligence and interviews of targeted users, \nthe Deep Dive analysis team considers the Bidirectional Health \nInformation Exchange Program to be a high value target for this \nteam. The BHIE program is a joint information technology data \nexchange initiative between the Department of Defense, DoD, and \nVA. The team may be interested in the data residing in the \nsystem and the network interconnections between the VA and DoD \nallowing this program to function or both.\n    Mr. Lamborn. Thank you.\n    Mr. Coffman. Dr. Roe.\n    Mr. Roe. Thank you. A couple of things I want to just go \nover very quickly and then yield my time. In March 2010, these \nuninvited visitors were nation-state sponsored attackers. 
Over \nthe course of time, while working with the VA, the NSOC team \nand external agents learned that these attackers were a nation-\nstate sponsored cyber espionage unit and that no less than \neight different nation-state sponsored organizations had \nsuccessfully compromised VA networks or data or were actively \nattacking, not necessarily compromised but attacking VA \nnetworks, and attacks continue to VA to this day. Is that a \ncorrect statement?\n    Mr. Davis. That is correct.\n    Mr. Roe. So to this date, to date perhaps these attacks are \ntaking place. The other question I have is, that I think you \njust stated, and you said the PLA without any hesitation. I \nguess I would have to ask Mr. Warren, why couldn\'t he say the \nPLA? He didn\'t mention that. It is not any big secret to \nanybody.\n    Mr. Davis. It is in the public domain.\n    Mr. Roe. Yes, it is.\n    Mr. Davis. And that is what I am going off. I am going off \nthe report that came out in the public domain that listed these \ngroups of individuals, organizations, and based on that \ninformation that is in this public domain report, we could \naccurately say that those are the same individuals. Even the \nnomenclature is the same.\n    Mr. Roe. And I am not a technical person so stop me if I am \noff base, but you mentioned that once that system has been \ncompromised, that piece of malware is in the system, there are \nways you can operate around it.\n    Mr. Davis. Yes.\n    Mr. Roe. But would encryption work once you have been \ncompromised? Once that malware--do you follow me?\n    Mr. Davis. Right. So it depends on what exactly the malware \nis that they put on the system. Your encryption would be of \nlittle value to you if--once the malware is on the system, the \nmalware can then go out and call down other tools into the \nenvironment. And some of the tools that they do remotely is \nthey pulled down keystroke logging. 
So if they have those types \nof tools, a keystroke logger on that system, when you go to log \nin to decrypt, they have the decryption password for that \nsystem.\n    Mr. Roe. So they get your password that way.\n    Mr. Davis. That is correct.\n    Mr. Roe. And do you know that that has happened? When you \nhave got the system up now, let\'s say you are back there, would \nyou know that has happened to you, that they swiped the \npassword?\n    Mr. Davis. We know that the way these individuals work that \nit is a typical tactic for them to, if they compromise \nsomething such as a domain controller as was said earlier, or \nparticularly the domain controllers, the domain controller has \na file on it called the SAM file and that file is the \nSecurity Accounts Manager. In that file are all the password \naccounts for the users in the network. So if they have got the \ndomain controller, they will grab the SAM file. When they \nencrypt the information, generally, if it is going out and it \nis encrypted, I know they hit a domain controller. I guarantee \nthey probably took the SAM file. They are going to go back, \ncrack it later and are going to take every password that was on \nthat system.\n    Mr. Roe. So you better change your password pretty often?\n    Mr. Davis. Yes, you would have to change all the--but the \nproblem is, if you have compromised the domain controller, you \nhave to change the password to the domain controller as well \nbecause they are on a controller. If you are just changing \npasswords without changing the domain controller, they are just \ngrabbing that as it goes along.\n    Mr. Roe. Well, I want to thank all of the people here \ntoday, Ms. Halliday, certainly your team and every one of you. \nI have learned a lot today, and I think we will continue.\n    Mr. Chairman, thanks for holding this hearing.\n    Mr. Coffman. Mr. Huelskamp.\n    Mr. Huelskamp. Thank you, Mr. Chairman. I just want to \nfollow up on a statement that Dr. 
Roe mentioned in which he \nstated that you learned about these attackers were a nation-\nstate sponsored cyber espionage unit with no less than eight \ndifferent nation-state sponsored organizations. Who told you \nthis, how did you determine that, and was that common knowledge \nin the IT network?\n    Mr. Davis. It was put together through information that the \nVA Information Security Team, they are called the Enterprise \nNetwork Defense Team, they put that information together \nbecause they track, as Mr. Warren stated earlier, they track \nall these issues across the network. They produce these \nreports. They would send them to me and Mr. Warren and a couple \nother folks and I would read through them and work out a plan \nof action or strategy to work through this.\n    Mr. Huelskamp. So the report you mentioned, which I believe \nwe have a copy of, both reports, did Mr. Warren receive these \nreports as well?\n    Mr. Davis. Yes, he was on that email distribution list. I \nthink it was only Mr. Warren, myself and maybe one other \nperson. There are like three people.\n    Mr. Huelskamp. Did you discuss this issue of nation-state \nsponsored organizations with Mr. Warren?\n    Mr. Davis. We did from time to time initially when I first \ncame on board at VA. He told me that we have uninvited visitors \nin the network. I pretty much knew what that meant. I had dealt \nwith it before. And then going on in subsequent talks, from \ntime to time I had a biweekly security meeting with Mr. Warren. \nIt would come up about these attackers in the network. If we \nhad an incident it might be the topic of the day that we had an \nincident and we are trying to work through it. So, yes, we \ndefinitely talked about it.\n    Mr. Huelskamp. And above Mr. Warren, did you discuss with \nany of his superiors about that or did you just leave it in his \nhands?\n    Mr. Davis. I generally--my reporting line was to Mr. 
\nWarren, so generally, I didn\'t have a great opportunity to talk \nto folks above Mr. Warren.\n    Mr. Huelskamp. Did you ever email them with the information \nor include them on an email distribution about this issue?\n    Mr. Davis. No. I just worked directly with Mr. Warren on \nthose things.\n    Mr. Huelskamp. Okay. I think you were here earlier, but a \nstatement from Mr. Shinseki indicates that, again to be clear, \nVA security posture was never at risk. Your opinion on that, \nMr. Davis. Is that an accurate statement?\n    Mr. Davis. I would say that is not an accurate statement.\n    Mr. Huelskamp. Okay. Did Mr. Warren ever tell you that was \nan inaccurate statement? Did you ever discuss something along \nthose lines?\n    Mr. Davis. At the time when we were doing the ATOs in the \nmemorandum and at the time when he visited my office, I believe \nit was January 22nd, I said that, you know, that the process \nwas just bad and basically, as I wrote in the memo, I repeated \nthe words that it jeopardized the integrity of the security \nprogram.\n    Mr. Huelskamp. Lastly, I didn\'t get a chance to ask \nquestions on this issue, but recently it has come up that \nnumerous other Secretary and high level individuals in \nWashington have at times used private apparently non-secure \nemail systems to communicate and to conduct business. Do you \nknow if that was occurring at the VA?\n    Mr. Davis. I couldn\'t say definitely. I would suspect that \npeople do do that, but I have no direct knowledge that anybody \nwas doing it. I was not asked to investigate or anything like \nthat.\n    Mr. Huelskamp. Okay. Were there any VA policies about doing \nthat?\n    Mr. Davis. I believe there is a VA policy. I believe it \nwould be more on the--possibly on the HR side of the house, but \nit may also be in the security policy, that official business \nyou have to conduct using VA provided email systems and things \nof that nature. 
But I don\'t know the exact policy that that \nwould be. But I am pretty sure that it is in policy.\n    Mr. Huelskamp. And then lastly and I will yield back, Mr. \nChairman, I wasn\'t trying to figure out what you were doing on \npersonal time, but the testimony you have given sometimes has \nnot matched up with earlier testimony as I understood that. Do \nyou have any printed out emails or anything in your possession \nthat would help establish the veracity of some of the \ndiscussions today, or is that all retained entirely by the \nDepartment?\n    Mr. Davis. Anything that I have with me, it is free to go \nto the Committee. It is a lot--some of this is off the public \nInternet and some of them are internal VA documentation and \nemail systems information, things like that, that--some of them \nI would be concerned that where there are system compromise--or \nsystem issues, exposures of data, that it identifies the \nparticular vulnerability in the system. So I would ask that the \nsystem piece of it be stripped out.\n    Mr. Huelskamp. I understand. Last, Mr. Chairman, Mr. Davis, \nas I understand it, you have 20 years of experience in the \nprivate and public sector dealing with system security and it \nstill is your recommendation that the VA network should be \ndesignated as a compromised environment. Is that still your--\n    Mr. Davis. That is correct.\n    Mr. Huelskamp. Thank you, Mr. Chairman. I yield back.\n    Mr. Coffman. Thank you, Mr. Huelskamp. Does anybody have \nany questions they would like to ask?\n    Very well. Our thanks. Mr. Davis, thank you very much for \nyour testimony today. You are now excused.\n    It is obvious from what we have heard here today that VA \nneeds to take action to improve its IT security. The \nSubcommittee looks forward to working with VA to address these \nserious deficiencies and ensure that all steps are being taken \nto safeguard the information of our veterans. 
In that vein, I \nask that in 30 days VA provide this Subcommittee a specific \nplan to address all of its IT vulnerabilities.\n    I ask unanimous consent that all Members have 5 legislative \ndays to revise and extend their remarks and include extraneous \nmaterial. Without objection, so ordered.\n    Mr. Weaver, the Committee will be in touch with you to \nestablish a date and time for a separate meeting for a \nclassified brief--\n    Mr. Warren. Warren.\n    Mr. Coffman. Mr. Warren, I am sorry. I was looking at you. \nMr. Warren, okay.\n    I would like to once again thank all of our witnesses and \naudience members for joining us today in conversation. This \nhearing is now adjourned.\n\n    [Whereupon, at 5:40 p.m., the Subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n           Prepared Statement of Hon. Mike Coffman, Chairman\n\n    Good afternoon. I would like to welcome everyone to today\'s hearing \ntitled ``How Secure is Veterans\' Private Information?\'\'\n    Reports from VA\'s Office of Inspector General, private sector \nconsultants brought on by VA, and this Subcommittee\'s own investigation \nhave revealed tremendous problems within VA\'s Office of Information and \nTechnology.\n    Some of these issues have been made public in Inspector General \nreports which outlined mismanagement of human resources and the lack of \nmuch needed technical expertise. Other issues have been less \npublicized, such as those captured in the Deloitte ``deep dive\'\' that \nidentified gaps in OI&T\'s organizational structure and a poorly \nexecuted business model.\n    The latter report recognized the growth of VA by thirty-three \npercent since 2006; growth that is mirrored by the expansion of VA\'s \ncomputer network. 
Unfortunately, there has not been a comparable growth \nin the technical personnel needed to manage security of VA\'s sprawling \nnetwork.\n    These failures have created problems for both the Department and \nfor veterans.\n    The Inspector General substantiated that VA was transmitting \nsensitive data, including personally identifiable information and \ninternal network routing information, over an unencrypted \ntelecommunications carrier network--both violations of Federal \nregulation and basic IT security. The IG also noted that VA has not \nimplemented technical configuration controls to ensure encryption of \nsensitive data despite VA and Federal information security \nrequirements.\n    Similarly, it is evident that software patches are not up to date \nacross the network, too many users have Administrator access, security \nsoftware is not up to date on older computers, and computer ports are \nnot properly secured. There is little to no security of file transfer \nprotocol, and web pages are vulnerable allowing unauthorized access to \nveterans\' unprotected personal information within the system.\n    While these issues alone give cause for grave concern, this \nSubcommittee\'s investigation has identified even greater problems. 
The \nentire veteran database in VA, containing personally identifiable \ninformation on roughly 20 million veterans, is not encrypted, and \nevidence suggests that it has repeatedly been compromised since 2010 by \nforeign actors, including in China and possibly in Russia.\n    Recently, the Subcommittee discussed VA\'s Authorization to Operate, \na formal declaration that authorizes operation of a product on VA\'s \nnetwork which explicitly accepts the risk to agency operations, and was \ntold that ``VA\'s security posture was never at risk.\'\'\n    In fact, VA\'s security posture has been an unacceptable risk for at \nleast three years as sophisticated actors use weaknesses in VA\'s \nsecurity posture to exploit the system and remove veterans\' information \nand system passwords. While VA knew foreign intruders had been in the \nnetwork, the Department was never sure what exactly these foreign \nactors took, because the outgoing data was encrypted by the \ntrespassers.\n    These actors have had constant access to VA systems and data, \ninformation which included unencrypted databases containing hundreds of \nthousands to millions of instances of Veteran information such as \nveterans\' and dependents\' names, social security numbers, dates of \nbirth, and protected health information.\n    Notwithstanding these problems, VA has waived or arbitrarily \nextended accreditation of its security systems on its network. It is \nevident that VA\'s waivers or extensions of accreditation only \n``appear\'\' to resolve material weaknesses without actually resolving \nthose weaknesses.\n    VA\'s IT management knowingly accepted the security risks by waiving \nthe security requirements even though such waivers are not appropriate. 
\nThis lapse in computer security and the subsequent attempts by VA \nofficials to conceal this problem are intolerable and I look forward to \na candid discussion about these issues.\n    I now yield to Ranking Member Kirkpatrick for her opening \nstatement.\n\n                                 <F-dash>\n               Prepared Statement of Hon. Ann Kirkpatrick\n\n    Thank you, Mr. Chairman.\n    As the Department of Veterans Affairs works hard to serve the needs \nof today\'s veterans they must work equally hard to protect their \npersonal information.\n    Today\'s hearing is an attempt to determine whether veterans\' \nprivate information is secure. Mr. Chairman, veterans need to know that \nwhen they ask VA for the services and benefits they have earned, the \ninformation they submit in order to get those benefits will not be \ncompromised under any circumstances.\n    I hope that the VA came prepared today to provide assurances to \nCongress and veterans that all their information technology \nsystems are secure. We expect VA to also answer our questions directly \nand honestly. As we get questions from veterans in our districts we \nwant to provide complete and honest answers to them.\n    Congress received a letter from Mr. Jerry L. Davis, now a former \nemployee at VA, who states that ``there is a clear and present danger \nand risk of exposure and compromise of the sensitive data.\'\' I share \nthe Chairman\'s concern on whether VA is following the required \ngovernment practices and policies regarding the monitoring and \nremediation of system risk.\n    In addition, two OIG reports from 2012 and 2013 raise additional \nconcerns. The 2012 report questions whether the agency has the proper \nStrategic Human Capital Management program to meet mission-critical \nsystem capabilities as VA moves in the 21st century. 
The second report, from 2013, \nfaults VA for failing to protect private information by not \nencrypting health data transmitted to outpatient clinics and external \nbusiness partners. The VA must address the concerns raised and assure \nveterans who come to VA for assistance that their personal information \nis secure.\n    I want to thank everyone for being here today. I would also like to \nthank the witnesses for their testimony and for answering our questions \nabout the security of veterans\' private information at the Department \nof Veterans\' Affairs.\n    Thank you Mr. Chairman. I yield back.\n\n                                 <F-dash>\n               Prepared Statement of Hon. Jackie Walorski\n\n    Mr. Chairman and Ranking Member, it\'s an honor to serve on this \nCommittee.\n    I thank you for holding this hearing on such an important issue \naffecting our veterans and their sensitive personal information.\n    There are over 22 million veterans who have proudly served this \ncountry and who we are indebted to for their selfless call to protect \nthe freedoms which we cherish. \\1\\ The fact that the personal \ninformation of many of these veterans may have been compromised is \ncompletely unacceptable.\n---------------------------------------------------------------------------\n    \\1\\ Veteran population estimates, as of September 30, 2012, are \nproduced by the VA Office of the Actuary (VetPop 2011). 
http://\nwww.va.gov/vetdata/Veteran--Population.asp.\n---------------------------------------------------------------------------\n    The VA\'s Office of Information and Technology has proven inept at \nsecuring the Department\'s information systems and has consequentially \nexposed veteran information.\n    Our veterans are comprised of an exceptional group of men and \nwomen, including their families, who should not live in fear of their \nprivate information getting into the wrong hands.\n    I look forward to working with my colleagues and our panelists to \nestablish an immediate plan of action that will address this serious \nproblem.\n    Thank you.\n\n                                 <F-dash>\n                Prepared Statement of Linda A. Halliday\n\n    Mr. Chairman and Members of the Subcommittee, thank you for the \nopportunity to discuss the Office of Inspector General\'s (OIG) work \nregarding the securing of veterans\' private information by VA. I am \naccompanied by Ms. Sondra McCauley, Deputy Assistant Inspector General \nfor Audits and Evaluations, and Mr. Michael Bowman, Director, OIG\'s \nInformation Technology and Security Audits Division.\nBACKGROUND\n    Secure systems and networks are integral to supporting the range of \nVA mission-critical programs and operations. Information technology \n(IT) safeguards are essential due to the wide availability of hacking \ntools on the internet and the advances in the effectiveness of attack \ntechnology. Lacking proper safeguards, IT systems are vulnerable to \nintrusions by groups seeking to obtain sensitive information, commit \nfraud, disrupt operations, or launch attacks against other systems. VA \nhas at times been the victim of such malicious intent. 
In the past, VA \nhas reported security incidents in which sensitive information has been \nlost or stolen, including personally identifiable information (PII), \npotentially exposing millions of Americans to the loss of privacy, \nidentity theft, and other financial crimes. The need for an improved \napproach to information security is apparent, and one that senior VA \nleaders well recognize.\n    In response to the need to improve security controls, VA has made \nprogress defining policies and procedures supporting its Department-\nwide information security program. However, VA continues to face \nsignificant challenges implementing effective access controls, \nconfiguration management controls, and contingency planning to protect \nmission-critical systems from unauthorized access, alteration, or \ndestruction. VA has taken positive steps to safeguard personal and \nproprietary information used by VA employees and contractors. Key \nactions have included:\n\n    <bullet>  Mandating cyber security and privacy awareness training \nto ensure that VA and contract employees are familiar with applicable \nlaws, regulations, and policies.\n    <bullet>  Reviewing the accuracy of position sensitivity level \ndesignations for VA and contract employees.\n    <bullet>  Strengthening its policies and procedures for identifying \nand reporting incidents involving information management and security \nviolations to ensure that the incidents are promptly and thoroughly \ninvestigated.\n    <bullet>  Establishing a clear chain of command and accountability \nstructure for information security.\n\n    These were good first steps toward improving information security; \nhowever, more needs to be done. Over recent years, the OIG has \nconducted a series of reviews to help VA overcome its information \nsecurity challenges by identifying the underlying causes for VA\'s \nsecurity vulnerabilities and deficiencies. 
These include our statutory \nwork, reviews of complaints to the OIG Hotline, and proactive reviews \nof internal controls. Our report findings have disclosed a pattern of \nineffective information security controls that expose VA\'s mission-\ncritical systems and sensitive data to unnecessary risk. We believe our \ncorresponding audit recommendations provide a roadmap for VA to improve \nthe effectiveness of its information security program and safeguard the \nsensitive data needed to support delivery of benefits and services to \nour Nation\'s veterans.\n\nSTATUTORILY-REQUIRED REVIEWS\n    For more than 10 consecutive years, independent public accounting \nfirms under contracts with the OIG identified information technology \nsecurity controls as a material weakness as a result of their annual \naudits of VA\'s Consolidated Financial Statements. Work on these audits \nsupports our annual Federal Information Security Management Act (FISMA) \nassessments. FISMA requires agencies to develop, document, and \nimplement agency-wide information security risk management programs and \nprepare annual reports. FISMA also requires that each year, the OIG \nassess the extent to which VA complies with FISMA\'s information \nsecurity requirements, information security standards developed by the \nNational Institute of Standards and Technology, and the annual \nreporting requirements from the Office of Management and Budget.\n    In the middle of FY 2012, while our annual FISMA assessment was \nongoing, VA instituted the Continuous Readiness in Information Security \nProgram (CRISP) to ensure continuous monitoring year-round and \nestablish a team responsible for resolving the IT material weakness. As \nour FISMA work progressed, we noted more focused VA efforts to \nimplement standardized information security controls across the \nenterprise. 
We also saw improvements in role-based and security \nawareness training, contingency plan testing, reducing the number of \noutstanding Plans of Action and Milestones (POA&Ms), developing initial \nbaseline configurations, reducing the number of IT individuals with \noutdated background investigations, and improving data center web \napplication security. However, the CRISP initiative was not launched \nuntil March 2012 and the improved processes had not been implemented \nfor an entire fiscal year with the opportunity to demonstrate sustained \nimprovements in information security.\n    For FY 2012, we provided a draft report to VA for review and \ncomments and we expect to issue our report in June 2013. The report \nwill discuss control deficiencies in four key areas:\n    Configuration Management Controls are designed to ensure critical \nsystems have appropriate security baseline controls and up-to-date \nvulnerability patches implemented. However, we found:\n\n    <bullet>  Systems including key databases supporting various \napplications were not timely patched or securely configured to mitigate \nknown and unknown information security vulnerabilities.\n    <bullet>  Baseline configurations, including implementation of the \nFederal Desktop Core Configuration, were not consistently implemented \nto mitigate significant system security risks and vulnerabilities \nacross the facilities.\n    <bullet>  Change control policy and procedures for authorizing, \ntesting, and approval of system changes were not consistently \nimplemented for the networks and mission critical system hardware and \nsoftware changes.\n\n    Access Controls are designed to ensure that password standards are \nconsistently implemented across the enterprise and that user accounts \nare monitored to enforce minimal access privileges necessary for \nlegitimate purposes and to eliminate conflicting roles. 
Our FISMA \nassessment revealed that:\n\n    <bullet>  Password standards were not consistently implemented and \nenforced across multiple VA systems, including the network domain, \ndatabases, and mission critical applications. In addition, multi-factor \nauthentication for remote access had not been implemented across the \nagency.\n    <bullet>  Inconsistent reviews of networks and application user \naccess resulted in numerous generic, system, and inactive user accounts \nthat were not removed and/or deactivated from the system, and users \nwith access rights that were not appropriate.\n    <bullet>  Proper completion of user access requests was not \nconsistently performed to eliminate conflicting roles and enforce \nprinciples of least system privilege.\n    <bullet>  Lack of monitoring of access in the production \nenvironment for individuals with elevated application privileges for a \nmajor application.\n\n    Security Management is designed to ensure that system security \ncontrols are effectively monitored on an ongoing basis and system \nsecurity risks are effectively remediated through corrective action \nplans or compensating controls. We will report that:\n\n    <bullet>  Security management documentation, including the risk \nassessments and System Security Plans, were outdated and did not \naccurately reflect the current system environment or Federal standards.\n    <bullet>  Background reinvestigations were not performed timely or \ntracked effectively. In addition, personnel were not receiving the \nproper level of investigation for the sensitivity levels of their \npositions.\n    <bullet>  Scheduled completion dates for POA&Ms were updated \nwithout written justification and supporting documentation was not \nadequate to justify POA&M closures.\n\n    Contingency Planning Controls ensure that mission-critical systems \nand business processes can be restored in the event of a disaster or \nemergency. 
However, we determined that:\n\n    <bullet>  Contingency plan documentation had not been updated to \nreflect lessons learned from the contingency and disaster recovery \ntests, and detailed recovery procedures for all system priority \ncomponents had not been documented and/or did not reflect current \noperating conditions.\n    <bullet>  Backup tapes were not encrypted prior to being sent to \noffsite storage at selected facilities and data centers.\n\n    More importantly, we continue to identify significant technical \nweaknesses in databases, servers, and network devices that support \ntransmitting sensitive information among VA\'s Medical Centers, Data \nCenters, and VA Central Office. Many of these weaknesses are due to \ninconsistent enforcement of an agency-wide information security program \nacross the enterprise and ineffective communication between VA \nmanagement and the individual field offices. Therefore, VA needs to \nimprove its monitoring process to ensure controls are operating as \nintended at all facilities and communicate security deficiencies to the \nappropriate personnel to implement corrective actions.\n    We have identified and reported deficiencies where control \nactivities were not appropriately designed or operating effectively. \nThe dispersed locations, the continued reorganization of VA business \nunits, and the diversity in applications adversely affected facilities \nand management\'s ability to consistently remediate IT security \ndeficiencies agency-wide. For example, VA\'s complex and dispersed \nfinancial system architecture had resulted in a lack of common system \nsecurity controls and inconsistent maintenance of IT mission-critical \nsystems. Consequently, VA continues to be challenged by a lack of \nconsistent and proactive enforcement of established policies and \nprocedures throughout its geographically dispersed portfolio of legacy \napplications and newly implemented systems. 
In addition, VA lacks an \neffective and consistent corrective action process for identifying, \ncoordinating, correcting, and monitoring known internal security \nvulnerabilities on databases, web applications, and networks \ninfrastructures.\n    Our FY 2012 FISMA report will include 27 current recommendations to \nthe Acting Assistant Secretary for Information and Technology for \nimproving VA\'s information security program. The report also highlights \nfive unresolved recommendations from prior years\' assessments for a \ntotal of 32 outstanding recommendations. Overall, we are recommending \nthat VA focus its efforts in the following areas:\n\n    <bullet>  Addressing security-related issues that contributed to \nthe IT material weakness reported in the FY 2012 audit of the \nDepartment\'s consolidated financial statements.\n    <bullet>  Remediating high-risk system security issues in its Plans \nof Action and Milestones.\n    <bullet>  Establishing effective processes for evaluating \ninformation security controls via continuous monitoring and \nvulnerability assessments.\n\n    We continue to evaluate VA\'s progress during our ongoing FY 2013 \nFISMA audit and acknowledge increased VA efforts to improve information \nsecurity, but we are still identifying repeat deficiencies, albeit to a \nlesser extent. This fall, upon completion of our FY 2013 FISMA testing \nand related work, we will make a determination as to whether VA\'s \nimprovement efforts are successful in overcoming the IT material \nweakness.\n\nOTHER REPORTS RELATED TO INFORMATION SECURITY\n    Over the past 2 years, we have issued a series of audits and \nreviews that have identified VA\'s information security controls \ndeficiencies. 
Our reports disclosed a number of issues, including \nineffective management of systems interconnections and sensitive data \nexchanges, delayed contractor background investigations, and inadequate \naccess controls that placed sensitive veterans\' data at unnecessary \nrisk.\n\nReview of Alleged Transmission of Sensitive VA Data Over Internet \n        Connections\n    In March 2013, we substantiated an allegation made through the OIG \nHotline that VA was transmitting sensitive data, including PII and \ninternal network routing information, over an unencrypted \ntelecommunications carrier network. VA Office of Information Technology \n(OIT) personnel disclosed that VA typically transferred unencrypted \nsensitive data, such as electronic health records and internal internet \nprotocol addresses, among certain VA Medical Centers and Community \nBased Outpatient Clinics using an unencrypted telecommunications \ncarrier network. OIT management acknowledged this practice and formally \naccepted the security risk of potentially losing or misusing the \nsensitive information exchanged.\n    VA has not implemented technical configuration controls to ensure \nencryption of sensitive data despite VA and Federal information \nsecurity requirements. Without controls to encrypt the sensitive VA \ndata transmitted, veterans\' information may be vulnerable to \ninterception and misuse by malicious users as it traverses unencrypted \ntelecommunications carrier networks. Further, malicious users could \nobtain VA router information to identify and disrupt mission-critical \nsystems essential to providing health care services to veterans.\n    VA acknowledged transmitting PII over privately segmented networks \nto support service to veterans. VA concurred with our recommendations \nto improve the protection of sensitive data transmitted over the \nunencrypted carrier networks and implement configuration controls to \nensure encryption of such data. 
VA clarified that it employs an \nindustry telecommunications carrier network to provide a segmented \nnetwork for transmitting PII, but noted that these network links are \nnot currently employing encryption controls to protect sensitive data.\n    VA did not agree with the assertion that PII and internal network \nrouting information were being transmitted over unsecured internet \nconnections. However, based on interviews with OIT personnel at VA \nMedical Centers as well as information provided by the OIG Hotline \ncomplainant, we maintain that PII and router information were being \ntransmitted unencrypted through a telecommunications carrier that also \nprovided internet services to customers outside of VA. Nonetheless, we \ncommend OIT for performing a review of the locations associated with \nthe Hotline complaint and inspecting communication networks to ensure \nproper segmentation of VA networks from internet connections. We \nrecognize that industry telecommunications carriers can segment data \ntraffic from unsecured Web connections. However, we believe the risk \nremains that sensitive VA data and router information can be \ncompromised when it is transmitted across unencrypted \ntelecommunications carrier networks outside of VA\'s span of technical \ncontrol. More specifically, the network alone does not provide \nencryption, integrity, or authentication protections for the \ntransmission of sensitive data and such services may be vulnerable to \ndenial of service or sniffing attacks by malicious users. 
The Assistant \nSecretary for Information and Technology acknowledged these information \nsecurity risks by stating OIT will review technical network \ncommunications practices across the enterprise and take corrective \nactions without hesitation.\n\nAudit of VA System Interconnections With Research and University \n        Affiliates\n    In October 2012, we reported on the effectiveness of VA\'s \nmanagement of network interconnections and sensitive data exchanges \nwith its research and university affiliates. Our audit disclosed that \nVA has not consistently managed its systems interconnections and data \nexchanges with its external research and university affiliates. Despite \nFederal requirements, VA could not readily account for the various \nsystems linkages and sharing arrangements. VA also could not provide an \naccurate inventory of the research data exchanged, where data was \nhosted, or the sensitivity levels. In numerous instances, we identified \nunsecured electronic and hardcopy research data at VA Medical Centers \nand co-located research facilities.\n    We determined that VA\'s data governance approach has been \nineffective to ensure that research data exchanged is adequately \ncontrolled and protected throughout the data life cycle. VA and its \nresearch partners have not consistently instituted formal agreements \nrequiring that hosting facilities implement controls commensurate with \nVA standards for protecting the sensitive data. The responsible \nVeterans Health Administration program office\'s decentralized approach \nto research data collection and oversight at a local level has not been \neffective to safeguard sensitive VA information. 
Because of these \nissues, VA data exchanged with its research partners was considered to \nbe at risk of unauthorized access, loss, or disclosure.\n    VA has the opportunity to further serve veterans by supplying the \npatient and medical data needed to achieve advancements in medical \nresearch and health care services. However, providing such sensitive \ndata through electronic or hard copy means without effective \ninformation security controls and oversight has left the data \nsusceptible to unauthorized access, loss, or disclosure. Leaving \nhosting facilities responsible for data governance at the local level \nwithout coordinated involvement of all stakeholders has proven \nineffective and improvements are needed.\n    Establishing formal information security agreements is one method \nof documenting data sharing agreements and ensuring that hosting \nfacilities institute information security controls commensurate with VA \nstandards. Further, a centralized data governance and storage approach \nwould ensure researchers effectively control and securely manage \nsensitive VA research information over the data life cycle. Such \nmeasures are key to protect veterans\' PII and personal health \ninformation and promote continued advancements in medical research now \nand for the future. VA generally concurred with our report \nrecommendations. VA is taking corrective actions; however, all \nrecommendations remain open as full implementation has not occurred.\n\nReview of Alleged Incomplete Installation of Encryption Software \n        Licenses\n    In October 2012, we substantiated a Hotline allegation that OIT had \nnot installed and activated an additional 100,000 licenses purchased in \n2011. As of July 2012, OIT officials stated they had installed and \nactivated only a small portion, about 65,000 (16 percent), of the total \n400,000 licenses procured. 
OIT did not install and activate all of the \nlicenses due to inadequate planning and management of the project. \nSpecifically, OIT did not allow time to test the software to ensure \ncompatibility with VA computers, ensure sufficient human resources were \navailable to install the encryption software on VA computers, and \nadequately monitor the project to ensure encryption of all VA laptop \nand desktop computers.\n    As such, 335,000 (84 percent) of the total 400,000 licenses \nprocured, totaling about $5.1 million in questioned costs, remained \nunused as of 2012. Given changes in VA technology since 2006, VA lacked \nassurance the remaining software licenses were compatible to meet \nencryption needs in the current computer environment. Further, because \nOIT did not install all 400,000 encryption software licenses on VA \nlaptop and desktop computers, veterans\' PII remained at risk of \ninadvertent or fraudulent access or use.\n    We recommended the Assistant Secretary for Information and \nTechnology complete an assessment of the encryption software project to \ndetermine whether the software was compatible with VA\'s operating \nsystems and still met VA needs. Based on the assessment, we recommended \nthat VA terminate the project or develop a plan, including adequate \nhuman resources and project monitoring, to ensure installation and \nactivation of the remaining encryption software licenses. The Assistant \nSecretary for Information and Technology concurred with our finding and \nrecommendations and is taking steps to move forward with the software \nimplementation.\n\nReview of Alleged Delays in VA Contractor Background Investigations\n    In September 2012, we reported on the merits of a complaint \nregarding ineffective VA management of its contractor background \ninvestigations. We substantiated that VA could improve management of \nits contractor background investigations. 
Specifically, VA had a \nbacklog of 3,000 contractor background investigations as of April 2012, \ndespite process improvements and a reduction in pending cases in recent \nmonths. VA also inappropriately prohibited contractors from working on \nawarded contracts although VA policy only requires initiating, not \nfully completing, investigations before contractors could start work.\n    According to VA officials, delays occurred due to ineffective \nmanagement within VA\'s program office which is responsible for \ninitiating and adjudicating background investigations; staff \nmisunderstanding VA\'s personnel security requirements and investigative \nprocesses; and no effective centralized system to monitor progress in \naddressing the backlog. In the absence of a system linking contractors \nneeding background investigations with underlying contracts, we could \nnot determine whether VA unnecessarily paid for contractors not yet \nauthorized to work on awarded contracts. Nonetheless, VA officials said \nthe backlog adversely affected their ability to fully staff major IT \ninitiatives.\n    Our report provided several recommendations for improving \nprocedures to reduce the backlog of contractor background \ninvestigations and implementing a central case management system to \nmonitor contractor status and associated costs during the background \ninvestigation process. VA generally concurred with our findings and \nrecommendations and has reported corrective actions to address them.\n\nReview of Alleged Mismanagement of the Systems To Drive Performance \n        Project\n    In February 2012, we reported that VA\'s Office of Management did \nnot effectively manage the Systems to Drive Performance (STDP) project. \nWe substantiated that VA did not adequately protect sensitive VA \ninformation from unauthorized access and disclosure. Specifically, we \ndetermined that more than 20 system users had inappropriate access to \nsensitive STDP information. 
On a specific note, VA\'s National Data \nSystems Group did not consistently approve requests for user access. \nFurthermore, project managers did not report unauthorized access as a \nsecurity event, as required by VA policy. Security deficiencies \noccurred because STDP project managers were not fully aware of VA\'s \nsecurity requirements for system development and had not formalized \nuser account management procedures. Inadequate Information Security \nOfficer oversight also contributed to weaknesses in user account \nmanagement and the failure to report the granting of excessive user \nrights as security violations. As a result, VA lacked assurance of \nadequate control and protection of sensitive STDP data.\n    VA concurred with our findings and recommendation to ensure that \nemployees assigned to the STDP project receive the role-based security \ntraining needed to address the issues highlighted in the report. \nAdditionally, VA agreed to assign an Information Security Officer to \nthe project to ensure VA\'s information security requirements are met. \nCorrective actions have been taken and these recommendations are now \nclosed.\n\nReview of Alleged Unauthorized Access to VA Systems\n    In July 2011, we reported on the merits of an OIG Hotline \nallegation that certain contractors without proper security clearances \ngained unauthorized access to VA networks and Veterans Health \nInformation System and Technology Architecture (VistA) systems at \nmultiple VA medical facilities. Our review substantiated the allegation \nand found that contractors improperly used other employees\' Virtual \nPrivate Network user accounts to gain unauthorized access to VA systems \nand networks. The review also substantiated that contractor personnel \ndid not obtain appropriate background security clearances before \ngaining access to VA systems and networks. 
Contractors admitted to \nsharing two of their employees\' user accounts to access VA networks on \na number of occasions for maintenance and monitoring of contractor \nsystems. Further, contractors could not provide evidence that they \nreadily initiated actions to terminate user accounts after the \nemployee\'s separation date.\n    VA policy specifically prohibits the sharing of user accounts and \nrequires the closing of user accounts as part of proper user account \nmanagement. Further, VA policy requires VA personnel to regularly \nreview user account access for inappropriate or unusual activity and \ntake necessary actions. Contractors stated they did not fully \nunderstand VA\'s information security requirements regarding user \naccount access and did not believe additional user accounts were \nneeded. Additionally, VA did not actively monitor user account activity \nor readily communicate with contractors the need to periodically \nidentify and terminate unnecessary user accounts. Without effective \ncontrols to prevent unauthorized access by contractors, VA information \nsystems and sensitive veterans\' data are vulnerable to increased risks \nof compromised availability, integrity, and confidentiality. The lack \nof individual accountability over user accounts provides ample \nopportunities to conceal malicious activity such as theft or misuse of \nveterans\' data. VA concurred with our findings and recommendations. \nHowever, the report remains open because a key recommendation regarding \ncontractor security controls and practices has not been implemented \nalmost 2 years after we issued the report.\n\nCONCLUSION\n    Well-publicized information security incidents at VA demonstrate \nthat weaknesses in information security policies and practices expose \nmission-critical systems and data to unauthorized access and \ndisclosure. 
Through its CRISP initiative, VA has strengthened its \nefforts to define policies and procedures supporting its agency-wide \ninformation security program. However, its highly decentralized and \ncomplex system infrastructure poses significant challenges to \nimplementing effective access controls, system interconnection \ncontrols, configuration management controls, and contingency planning \npractices that adequately protect mission-critical systems from \nunauthorized access, alteration, or destruction. Until VA fully \nimplements key elements of its information security program and \naddresses our outstanding audit recommendations, VA\'s mission-critical \nsystems and sensitive veterans\' data remain at increased and \nunnecessary risk of attack or compromise.\n    Mr. Chairman, this concludes my statement. We would be happy to \nanswer any questions you or other Members of the Subcommittee may have.\n\n                                 <F-dash>\n\n                Prepared Statement of Stephen W. Warren\n\nIntroduction\n    Chairman Coffman, Ranking Member Kirkpatrick, Members of the \nSubcommittee: thank you for inviting me to testify regarding the \nDepartment of Veterans Affairs\' (VA) Information Technology (IT) \nsecurity strategy. I appreciate the opportunity to discuss VA\'s plans, \nactions, and accomplishments in IT security.\n    Protecting the data that VA holds on Veterans is as important as \nthe Veterans themselves. As the committee knows, the Department \nreceived a wakeup call from the incident in 2006 involving a stolen \nlaptop which contained unencrypted information on over 19 million \nVeterans. As a result of this incident, VA consolidated its disparate \nIT functions into a single, unified IT organization. This consolidation \nhas benefited VA in many ways, especially in terms of strengthening its \ninformation security posture. 
VA\'s consolidated IT organization is \nresponsible for protecting Veteran information at 153 hospitals, 853 \ncommunity-based outpatient clinics, 57 benefits processing offices, and \n131 cemeteries and 33 soldiers\' lots and monument sites. Our network \nsupports over 400,000 users, and over 750,000 devices.\n    We remain committed to protecting the information we hold on \nmillions of Veterans and their beneficiaries and more than 300,000 VA \nemployees by providing round-the-clock security of VA\'s enterprise and \ninfrastructure. The Department fully supports the White House\'s \ninformation security initiatives such as two-factor authentication \nusing HSPD-12 compliant PIV cards, which the VA is in the process of \nimplementing. The Department continues to improve the security posture \nof the VA network through our Visibility into Everything initiative, \nwhich allows VA to see and manage all of its devices and network \ncomponents in real time. The continuous monitoring program is \nresponsible for checking IT systems and monitoring every desktop and \nlaptop computer attached to the VA network.\n    To reinforce our commitment to information security, we are \nfostering a culture change to ensure that all users on our system \nfollow all necessary and required IT and privacy protection rules. VA \nlaunched the Continuous Readiness in Information Security Program \n(CRISP) in 2012 to proactively address process and policy deficiencies \nand architecture and configuration issues. As part of the CRISP effort, \nVA conducts rigorous vulnerability scanning and continuous monitoring of \npatching and software inventory, implements port security and anti-virus \nservices, and encrypts non-medical IT laptops.\n    Through Web Application Security Assessments, VA is able to \nidentify critical vulnerabilities and potential exploits in VA \napplications that store millions of records of sensitive data. 
The \nnetwork infrastructure is protected through identification of all \nnetwork assets and critical database stores, identification of all \nconnections, and provision of Trusted Internet Connection Gateway \nservices for mail, content filtering, name resolution and firewall \nprotection.\n    In the past year, VA improved its security posture. The Department \nhas ensured that over 98 percent of VA staff have received the \nmandatory information security training they need to protect the \ninformation of Veterans and their families. We have also completed a \nnumber of business impact assessments for contingency planning.\n    After the 2006 laptop incident, VA worked to ensure its laptop \ncomputers were encrypted to provide another layer of protection. \nCurrently, over 98 percent of VA\'s non-medical IT laptops are \nencrypted. VA has around 2,500 unencrypted laptops remaining and, with \nthe exception of laptops with specific waivers (specific medical uses, \nresearch laptops using software where encryption would disable the \ndevice, service/maintenance laptops that do not connect to VA\'s network \nor store sensitive information, and laptops purchased by VA and given \nto Veterans as part of a rehabilitation program), the Department \nexpects to complete encryption of all laptops by June 30, 2013.\n\nData Breaches\n    The Department has worked hard to regain the trust of Veterans \nafter the stolen laptop incident in 2006. VA now has a robust data \nbreach notification process, using a Data Breach Core Team (DBCT), \nwhich provides advance planning, guidance, analysis, and direction \nregarding the potential loss of Protected Health Information (PHI), \nPersonally Identifiable Information (PII), or both. The DBCT serves as \nthe decision making body between the functional area(s) affected, VA \norganizations, and external stakeholders.\n    The DBCT is made up of representatives from across nearly every \npart of the VA enterprise. 
When the DBCT determines that a breach is \nreportable, notification is made to the affected individuals and credit \nmonitoring is extended. VA also posts a monthly report of data breach \nnotifications on its Web site and holds a press call with reporters to \ndiscuss the contents of the report. The report is also provided to \nCongress, in addition to a quarterly data breach report.\n    VA has become one of the very best large organizations at providing \nnotification when a breach occurs. For example, while the HITECH Breach \nNotification Rule requires covered entities to provide notification \nwithin 60 calendar days after discovery of the breach, and the \nstrictest state laws require notice within 45 days after discovery of a \nbreach, VA policy requires notification within 30 days. A review of \nVA\'s incident tracking system over the current fiscal year indicates \nthat VA takes, on average, 25 days to provide notice. VA\'s standards \nand practices exceed even the strictest Federal and state laws and \npolicies.\n\nConclusion\n    Mr. Chairman, VA places the highest priority on safeguarding \nVeterans\' and employees\' personal information. We are committed to \ninformation security, and although work remains, VA has made \nsignificant improvements in the last few years and strives to meet \nthe highest standards in protecting sensitive information. Thank you \nfor your continued support of Veterans, their families, and of our \nefforts to protect Veterans and their private information. I am \nprepared to answer any questions you and other Members of the \nSubcommittee may have.\n\n                                 <F-dash>\n\n                  Prepared Statement of Jerry L. 
Davis\n\nINTRODUCTION\n    Chairman Coffman, Ranking Member Kirkpatrick and members of the \nSubcommittee, thank you for the opportunity to convey my concerns to \nyou regarding the protection of information systems and information, \nwhich includes sensitive Veteran data at the Department of Veterans \nAffairs (VA).\n    From August 2010 until February 2013, I served as the Deputy \nAssistant Secretary, Information Security (DAS IS) and Chief \nInformation Security Officer (CISO) at the VA. As the DAS IS, I served \nas the most senior civil service staff member within VA with \nresponsibility for oversight and accountability in the protection of VA \ninformation, VA privacy, records management and the Freedom of \nInformation Act (FOIA) process. At the time of my departure from VA in \nearly February 2013, I was one of the longest-serving, if not the \nlongest-serving, Chief Information Security Officers (CISO) in the \nfederal government, with nearly a decade of service in that role spread \nacross multiple federal agencies. I am also a Marine Veteran having \nserved in combat with distinction during the First Gulf War, so the \nappointment to the position as the VA CISO had special meaning. It was \na position that I did not take lightly and I was and I still am \nextremely proud to have had an opportunity to serve our country and \nequally proud to have had a great opportunity to serve the Veteran \ncommunity.\n    My time at VA was largely filled with a great sense of pride \nbecause of the purpose and mission of VA and because of my role, which \nhad a direct and positive impact on the Veteran community. 
However, there came \na time at the end of my tenure where my pride turned to serious \nconsternation and that consternation remains this very day.\n\nSECURITY POSTURE IN 2010: VA\'s COMPROMISED ENVIRONMENT\n    In nearly 20 years of building and managing security programs \nacross government and private industry, I had never seen an \norganization with as many unattended IT security vulnerabilities. Upon \nmy arrival in late August 2010 I inherited the results of more than 15 \ncontinuous years of an unattended and documented material weakness in \nIT security controls. This material weakness included more than 13,000 \nuncompleted IT security corrective actions. These 13,000 security \ncorrective actions would require more than 100,000 sub actions to fully \nremediate and manage IT security vulnerabilities and improve the VA \nsecurity posture. In early September 2010, I also was advised that \nnearly 600 VA systems\' Authority to Operate (ATO) had expired and there \nwas no plan in place to bring these systems into compliance.\n    Despite the voluminous number of uncompleted corrective actions and \nexpired ATOs, the most concerning issue was the conversation I had with \nthe VA Principal Deputy Assistant Secretary (PDAS), Stephen Warren, who \ntold me shortly after my arrival that ``We have uninvited visitors in \nthe network\'\'. Further discussion with the VA Network Security \nOperations (NSOC) team indicated that VA became aware of a serious \nnetwork compromise in March 2010 and these ``uninvited visitors\'\' were \nnation-state sponsored attackers. Over the course of time while working \nwith the VA NSOC team and external agencies, I learned that these \nattackers were a nation-state sponsored cyber espionage unit and that \nno less than eight (8) different nation-state sponsored organizations \nhad successfully compromised VA networks and data or were actively \nattacking VA networks; attacks that continue at VA to this very day. 
\nThese groups of attackers were taking advantage of weak technical \ncontrols within the VA network. Lack of controls such as encryption on \nVA databases holding millions of sensitive records, web applications \ncontaining common exploitable vulnerabilities and weak authentication \nto sensitive systems contributed to the successful unchallenged and \nunfettered access and exploitation of VA systems and information by \nthis specific group of attackers.\n    During my tenure, I consistently ensured that each instance of \nattack or compromise by this group of attackers was documented and \ncommunicated to the VA OIT leadership through specialized reporting \ncalled Key Investigative Reporting (KIR) performed by the NSOC Deep \nDive Analysis (DDA) team and biweekly security meetings with the VA \nPrincipal Deputy Assistant Secretary (PDAS), Mr. Stephen Warren.\n\nMITIGATION ACTIVITIES 2010-2013\n    From late August 2010 until my departure in early February 2013, I \nplanned for and executed with support from various sub offices within \nOIT a series of initiatives and activities needed to improve network \nand systems security with a particular focus on defending the network \nagainst sophisticated and targeted attacks levied by nation-state \nsponsored organizations. Some of these initiatives included the Web \nApplications Security Program (WASP), the VA Software Assurance \nProgram, Continuous Monitoring and Diagnostics (CMD) of VA information \nsystems, and mandating encryption of VA databases; these initiatives \nalso supported the reduction of the total number of VA databases hosting \nsensitive Veteran information.\n    During my tenure as CISO, with the support of VA as a whole, we \nwere able to close more than 10,000 of the 13,000 security corrective \nactions. In all, VA personnel executed more than 100,000 sub actions. 
\nWhile these actions did improve security from a compliance perspective, \nthere still existed a problem of fully implementing adequate technical \nsecurity controls needed to defend networks, systems and sensitive \ninformation from nation-state sponsored attackers. The heart of \nselecting the proper technical controls meant fully understanding the \nthreat actors, their tactics, techniques and procedures (TTPs) along \nwith system and network vulnerabilities, and implementing a program \nthat could continuously report on and remediate identified \nvulnerabilities in a near real time fashion.\n    Over time, the Office of Information Security (OIS) worked to \nenhance a comprehensive program called Continuous Monitoring and \nDiagnostics (CMD) that would provide adequate security of VA systems \nand networks by continually evaluating certain technical controls in a \nnear real time fashion. There is proof that a good CMD program \nmonitoring the correct controls can significantly improve information \nsecurity and is consistent with the direction that the federal \ngovernment has taken in securing federal systems. It is also \nsignificantly superior to even a good paper based ATO process.\n\nOIT LEADERSHIP DEVIATES FROM ATO PROCESS\n    It is my testimony that at the time of my departure from VA the \nprocesses required for the DAS, IS to make an attestation that VA \nsystems were adequately secure were completely faulty and improper and \nthe implementation of the process exposed Veteran systems and VA \ninformation to further risk of compromise. It was confirmed to me by \nthe VA information security staff charged with executing the process \nthat it was flawed, provided no value and that providing a positive \nattestation to the adequacy of security controls would seriously \ncompromise the integrity of the VA security program. 
I subsequently \nconveyed this message to the Assistant Secretary and the PDAS by formal \nmemorandum and in conversation with the PDAS between January 15, 2013 and \nJanuary 23, 2013.\n    VA Handbook 6500.3 states that the DAS, IPRM (now called DAS, IS) is \nresponsible for:\n\n    (3) Reviewing all C&A packages and making a decision recommendation \nto the AO to issue an IATO, ATO or Denial of Authorization [emphasis \nadded] to operate; and\n\n    (4) Providing an IATO extension in the event local management can \ndemonstrate continuous monitoring and security due diligence are being \nprovided . . . .\n\n    In accordance with VA information security policy and following VA \ninformation security procedures, as the DAS, IS, I elected to recommend \na denial of an authority to operate and also elected to recommend \nmovement of VA systems over the course of eight (8) months into an \nenhanced continuous monitoring program, where systems technical \ncontrols could be centrally managed and evaluated in a near real time \nfashion. I based my decision on the guidance provided by the \ninformation security team and on the fact that the paper based process \nwould not keep highly sophisticated nation-state sponsored attackers \nfrom further compromising VA data. Furthermore, as each VA system was \ntransitioned into the continuous monitoring program, additional \nspecific critical controls would be evaluated for adequacy before being \ngranted a full ATO. These additional critical controls are proven to \nslow and repel sophisticated, nation-state sponsored attackers from \ncompromising information systems and data. 
This was an agreed upon \nprocess with the VA information security team and a process that had \nbeen briefed by me to the Director of IT Audits and Security within the \nVA Office of the Inspector General (OIG) several weeks before the \nprocess implementation.\n    Despite the authority granted to the DAS, IS to make a \nrecommendation to deny authorization, the VA OIT PDAS made a concerted \neffort to circumvent my authority and influence my decision to make a \nrecommendation to the Accrediting Official (AO) that 545 VA systems be \ngiven an IATO. Furthermore, VA Handbook 6500.3 and VA Policy 6500 \nprovide no role or authority for the PDAS, OIT with regard to the \nprogram or processes governing Authority to Operate.\n\nRECOMMENDATIONS\n    To this end, I would recommend that this subcommittee:\n\n    1. Review all VA Key Investigative Reports (KIRs) and Deep Dive \nAnalysis (DDA) reports and Web Application Security Program reports \n(WASP) to assess the damage and depth of exposure, extent of compromise \nto VA systems and compromise of Veteran information;\n\n    2. Regularly report to the House Committee on Veterans\' Affairs on \nprogress made with respect to mitigating access to VA systems and \nVeteran information by nation-state sponsored organizations;\n\n    3. Assess previously identified web application exposures and \nassess for potential compromise of Veteran data, both PII and PHI;\n\n    4. Include web application exposures as part of the Data Breach \nCore Team (DBCT) evaluation process;\n\n    5. Assess the potential compromise to non VA networks sharing an \ninterconnection with VA\'s network;\n\n    6. Designate the VA network as a ``compromised environment\'\' and \nestablish controls that are effective and support the reclamation of \ncontrol back to VA from nation-state sponsored organizations;\n\n    7. 
Move the VA systems into a full continuous monitoring and \ndiagnostics program with near real time situational awareness of its \nsecurity posture with a focus on the 20 critical controls;\n\n    8. Increase VA funding for information security programs and the \nnumber of Information Security Officers (ISOs) supporting VA field \noffices and facilities;\n\n    9. Move reporting lines for the DAS, IS directly to the AS, OIT or \nto the Office of the Secretary, VA; and\n\n    10. Assess the past and present practices of the OIT leadership \nwith regard to decisions made in the protection of VA systems and \ninformation.\n\n    I would like to thank the members of the subcommittee for your time \ntoday and I look forward to any questions you may have.\n\nExecutive Summary\n    At the Department of Veterans Affairs (VA), the Deputy Assistant \nSecretary for Information Security (DAS, IS) is responsible for \ninformation security and privacy strategy, management, policy, \nprocedures, oversight and reporting. VA Handbook 6500.3, Certification \nand Accreditation (C&A) of VA Information Systems, holds the DAS, IS \nresponsible for:\n\n    ``Reviewing all final C&A packages and making a decision \nrecommendation to the AO to issue an IATO [Interim Authority to \nOperate], ATO [Authority to Operate], or Denial of Authorization to \noperate . . .\'\' and ``Providing an IATO extension in the event local \nmanagement can demonstrate continuous monitoring and security due \ndiligence are being provided . . .\'\'\n\n    Beginning in early 2010 and continuing through late 2012, VA \nsystems had been under repeated attacks and had data compromised by no \nless than eight (8) groups of well organized and sophisticated \nnation-state sponsored actors who appear to have had unfettered and, at \ntimes, unchallenged access to VA networks, systems and information. 
Internal \nreporting by the Office of Information Security (OIS) to the Principal \nDeputy Assistant Secretary (PDAS), Office of Information and Technology \n(OIT) kept the PDAS informed of the condition regarding exposures of \nVeteran data in information systems. This reporting was further \nconfirmed by the PDAS\'s own admission in late 2010 that ``uninvited \nvisitors were in the [VA] network\'\' and thus continued to be a \npersistent threat and risk to VA systems and sensitive information and \nother interconnected non-VA networks.\n    Security enhancements and programs put into place by the DAS, IS \nbeginning in late 2010 through early 2013 revealed over time that \nsignificant amounts of Veteran data were exposed to potential compromise \nby any attacker from both the Internet and from within the VA network \ninfrastructure.\n    Because of unfettered access to VA systems and information by \nsophisticated attackers and lack of adequate controls to ensure \nprotection of Veteran information, in January 2013 the DAS, IS, \noperating under the authority of VA policy and FISMA, determined that \nthe newly derived C&A process was improper and inadequate for \nsecuring VA systems holding sensitive information. Despite the \nrecommendation from the DAS, IS to the Assistant Secretary, OIT to \nreconsider an IATO using the inadequate process, the PDAS used his \nofficial position to influence the DAS, IS to sign an attestation that \nsystems were adequately secure for more than 250 ATOs, essentially \nexposing VA systems and sensitive data to further risk of compromise \nand exposure.\n\n                                 <F-dash>\n                        Questions For The Record\n Letter From: Hon. Mike Coffman, Chairman, Subcommittee on Oversight & \n                         Investigations, To: VA\n    October 22, 2013\n\n    The Honorable Eric K. Shinseki\n    Secretary\n    U.S. 
Department of Veterans Affairs\n    810 Vermont Avenue, NW\n    Washington, DC 20420\n\n    Dear Mr. Secretary:\n\n    Please provide written responses to the attached questions for the \nrecord for the Oversight and Investigations Subcommittee hearing \nentitled ``How Secure is Veterans\' Private Information\'\' that took \nplace on June 4, 2013.\n    In responding to these questions for the record, please answer each \nquestion in order using single space formatting. Please also restate \neach question in its entirety before each answer. Your submission is \nexpected by the close of business on July 25, 2013, and should be sent \nto Ms. Bernadine Dotson at <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f7b592859996939e9992d9939883849899b79a969e9bd99f98828492d9909881d9">[email&#160;protected]</a>\n    If you have any questions, please call Mr. Eric Hannel, Majority \nStaff Director of the Oversight & Investigations Subcommittee, at 202-\n225-3527.\n\n    Sincerely,\n\n    Mike Coffman\n    Chairman\n    Subcommittee on Oversight & Investigations\n\n    MC/hr\n\n                                 <F-dash>\n    Questions for the Record from Subcommittee Chairman Mike Coffman\n\n    1. The OIG indicates that IT security has been a material weakness \nat VA for more than 10 years. Why did VA OI&T wait until 2012 to \ninstitute a proactive initiative like the Continuous Readiness in \nInformation Security Program (CRISP) to try to address this issue?\n\n    2. The OIG\'s more recent Semiannual Report states that OI&T has 11 \nreports open containing 60 recommendations with 14 open for more than a \nyear. 
Can you explain why you concur with OIG recommendations but can\'t \nseem to complete the actions necessary to close the recommendations?\n\n    <bullet>  For example, one report will be open for 2 years come \nJuly and yet the most significant recommendation remains open - which \ndeals with reviewing contractor security controls and practices to \nensure compliance with VA\'s information security requirements.\n\n    3. What steps is VA taking to eliminate the IT Material weakness in \nFY 13?\n\n    4. Why does VA have so many repeat findings and recommendations \nfrom the OIG\'s FISMA work? Why has VA not made any significant progress \ntowards eliminating these long-standing recommendations?\n\n    5. What actions is VA taking to eliminate the use of clear text \nprotocols used to transmit medical information between the VAMCs and \nthe CBOCs over external service provider networks?\n\n    6. Based on the information provided in Deloitte\'s deep dive \nreport detailing inefficiencies in OI&T operations, what steps will the \nCIO take to improve delivery of IT services?\n\n    7. How will the issuance of the PIV badge affect the ability of the \nDepartment to respond to Congressional requests, litigation demands, \nand other similar requests to search, decrypt, and release bulk volumes \nof VA emails? Does the planned roll-out of the PIV badge tied to \nautomatic encryption hinder timely responses to such requests in any \nway?\n\n    8. Why is it that the PMAS process only focuses on meeting \nmilestones and schedule but there are no metrics around quality, \nfunctionality and customer satisfaction?\n\n    9. The VA regulations on Information Security Matters at 38 CFR \nPart 75 appear to authorize an accelerated response with notice to the \nsubjects of a data breach and/or an offer of credit protection \nservices. 
How many times has credit protection service been offered to \nveterans for FY 2008-2012 and for each such instance, to how many \nveterans were such services offered? Please provide the annual cost for \ncredit services for each year between FY 2008-2012.\n\n    10. Under the regulations at 38 CFR Part 75, if the Secretary \ndetermines that individual notice is not warranted for a data breach, \nthen an independent risk analysis is required to be performed. How many \nrisk analyses have been performed in accordance with these provisions \nfor FY 2008 to present? Please describe each occurrence of such \nanalysis including the findings and conclusions. Please also indicate \neach date and instance in which a data breach was reported to OMB and/\nor to Congress within FY 2008 to present.\n\n    11. By letter to the committee dated May 14, 2013, you stated: ``To \nbe clear, VA\'s security posture was never at risk.\'\' Please explain how \nthis statement is true given the admissions uncovered in the hearing \nthat systems and networks had been breached by foreign state actors and \nthe testimony of OIG that, at one point, there were 4000 open \nvulnerabilities. If the statement was untrue when made (as it certainly \nappears), please describe what disciplinary action is being taken for \nthe subordinates responsible.\n\n    12. Reports indicate that VA became aware in January, 2013, of an \nincident where attackers used a spearphishing attack to gain access to \na joint VA-DoD network dealing with health data. How many instances \nhave hackers tried to use VA networks to gain access to Defense \nDepartment computer systems? Please describe each instance and what \ncorrective actions were taken in response.\n\n                                 <F-dash>\n        Questions for the Record from Congressman Tim Huelskamp\n\n    1. 
As I reiterated in my questioning during your testimony, could you \nplease communicate with the appropriate individual my request for \nanswers to the letters I sent to the Department of Veterans Affairs on \nSeptember 23, 2012 and October 3, 2012? If you need a copy of those \nquestions, my office would be happy to provide those to you.\n\n    2. Your explanation for receiving $87,000 in bonuses was that you \nmet the performance expectations laid out for you by your leadership--\ncould you please provide further explanation of those expectations to \nmy office?\n\n    3. Can you please provide information on how data security at the \nDepartment of Veterans Affairs compares with industry standards outside \nthe federal government? Specifically, please describe the current data \nencryption process used by the Department of Veterans Affairs.\n\n    4. It was stated during the hearing that outside foreign agents \nhave had access to information in the Veterans Affairs database. Could \nyou please provide to me detailed information on who has accessed the \ndata, the date(s) it was accessed, and what the Department of Veterans \nAffairs has done to prevent future compromises to the system?\n\n                                 <F-dash>\n   Questions and Responses From: U.S. Department of Veterans Affairs\nQuestions for the Record from Subcommittee Chairman Mike Coffman\n\n    1. The OIG indicates that IT security has been a material weakness \nat VA for more than 10 years. Why did VA OI&T wait until 2012 to \ninstitute a proactive initiative like the Continuous Readiness in \nInformation Security Program (CRISP) to try to address this issue?\n\n    VA Response: VA has been taking proactive steps to strengthen IT \nsecurity for many years. Prior to 2006, information technology (IT) at \nthe Department of Veterans Affairs (VA) was decentralized. 
Among other \nimplications, this decentralization made securing the vast VA \nenterprise information systems, and thus ending the material weakness, \nvirtually impossible. The lack of an ability to address the material \nweakness in IT was one of the primary reasons the Department, with the \nhelp of Congress, began to consolidate IT functions into the Office of \nInformation and Technology (OIT) in 2006. As a result of IT \nconsolidation, all governance, funding, and implementation of IT \nprograms and security controls are managed out of VA Central Office \n(VACO). VA\'s consolidation of OIT was not completed until 2009.\n    After consolidation, VA managed its information security posture as \nan IT concern. Prior to 2012, information security was seen by some as \nonly an IT issue. Today, VA recognizes information security is a \nDepartment-wide concern and responsibility of every single VA employee. \nIn order to bring leadership and field-level focus on the goal of \nending the material weakness, the Continuous Readiness in Information \nSecurity Program (CRISP) was formed in 2012 under a new innovative \nmanagement methodology. The CRISP effort consolidates all of the \ndisparate material-weakness related initiatives under the leadership of \none focused team across VA. Moreover, CRISP is more than just a \nprogram, but rather is a culture change to be embedded throughout the \nagency. CRISP is steered by VA executive leadership and executed by two \nOIT co-managers. This collaborative approach with senior leader \noversight allowed for more consistent communication, implementation, \nand consolidation of tasks downstream, more accurate reporting and \noversight upstream, and meant a more agile governance of the program.\n\n    2. 
The OIG\'s more recent Semiannual Report states that OI&T has 11 \nreports open containing 60 recommendations with 14 open for more than a \nyear. Can you explain why you concur with OIG recommendations but can\'t \nseem to complete the actions necessary to close the recommendations?\n\n    <bullet>  For example, one report will be open for 2 years come \nJuly and yet the most significant recommendation remains open - which \ndeals with reviewing contractor security controls and practices to \nensure compliance with VA\'s information security requirements.\n\n    VA Response: VA appreciates the work conducted by the Office of \nInspector General (OIG) to ensure that the Department is following the \ncorrect path in working to serve Veterans. VA takes OIG\'s \nrecommendations seriously, and where we concur with the \nrecommendations, we work to implement the recommendations to OIG\'s \nsatisfaction as quickly as possible.\n    VA\'s OIT acknowledges that it has several outstanding \nrecommendations over a year old. Many of these recommendations have \neither been submitted to OIG for closure, or are in the process of \nbeing implemented. VA will continue to work with its OIG partners to \nimplement and close all outstanding recommendations.\n    VA has furnished OIG with what it believes to be responses \nsufficient to close the open recommendations for its oldest reports.\n\n    3. What steps is VA taking to eliminate the IT Material weakness in \nFY 13?\n\n    VA Response: VA\'s OIT has made strides to improve its information \nsecurity program. While many of the changes in fiscal year (FY) 2012 \nwere recognized by OIG during the FY 2012 audits, those changes were \nnot in place long enough to assure auditors a permanent process had \nbeen firmly established. In FY 2013, VA focused on the four major areas \nof repeat material weakness findings which are: Configuration \nManagement, Access Controls, Security Documentation, and Contingency \nPlanning. 
The CRISP team and VA leadership are optimistic that the \nprogress made in FY 2012 has been sustained, and when coupled with \nthe early audit results this year, will show positive improvements \nduring the remainder of FY 2013 audit results. FY 2013 also includes \nthe introduction of a new office which focuses on patch management and \nbaseline configuration management. While this program is new to FY \n2013, it is demonstrating promise in its effectiveness.\n    FY 2014 continues to bring other significant changes in working \ntowards security improvement. Some examples of major initiatives \ninclude the Department-wide implementation of a Governance, Risk, and \nCompliance (GRC) tool (begun in FY 2013) which will aid in the \nassessments of the overall security posture within VA as well as the \nfunding approval for a Security Information and Event Management (SIEM) \ntool to provide an audit log and event management oversight capability.\n    All of these efforts are in conjunction with VA\'s 18-month plan in \nresponse to OIG\'s Federal Information Security Management Act (FISMA) \nAudit. The plan, provided to OIG and part of their FISMA report, \naddresses each and every OIG recommendation with a plan to remediate \nthe recommendation at various intervals, but no later than 18 months. \nThis plan includes work to complete implementation of a risk governance \nstructure, completion of a process for better documenting Plans of \nAction and Milestones, update system security plans, finish \nimplementing strong password requirements on all computers, continue \nreviewing user accounts for correct level of user access, implement a \nmechanism for ensuring antivirus definitions are installed and up to \ndate, and others.\n\n    4. Why does VA have so many repeat findings and recommendations \nfrom the OIG\'s FISMA work? 
Why has VA not made any significant progress \ntowards eliminating these long-standing recommendations?\n\n    VA Response: As stated above, VA takes OIG\'s recommendations \nseriously and is working to implement the recommendations with which VA \nconcurs as quickly as possible, including several targeted efforts as \noutlined in the 18-month plan to address recommendations in OIG\'s FISMA \nreport. Many of the recommendations are technical in nature and require \nextensive research and detailed implementation plans spanning more \nthan a year in order to request closure of the recommendation by OIG. \nAll findings have remediation plans either currently in development or \nexecution which will position VA to address OIG\'s FISMA \nrecommendations.\n\n    5. What actions is VA taking to eliminate the use of clear text \nprotocols used to transmit medical information between the VAMCs and \nthe CBOCs over external service provider networks?\n\n    VA Response: OIT does not agree with the conclusion reached by OIG \nin its recent report regarding data transmission. In its final report, \nOIG acknowledges that VA does not send unencrypted sensitive \ninformation over the public Internet. However, VA does not agree with \nOIG\'s assertion in its final report that the manner in which VA \ntransmits data over its network necessarily exposes sensitive data to \nnon-VA personnel.\n    Although OIT does not agree with OIG\'s findings in the OIG final \nreport, we concurred with the recommendation to immediately conduct a \ncomprehensive review. The information contained in the OIG report is \nincorrect for the specific network links cited in Veterans Integrated \nService Network 23, and is inaccurate for the network as a whole.\n    VA takes a defense-in-depth approach to the protection of data in \nflight. Encryption is being deployed at the network layer as well as \nmeans to encrypt data in flight at the application layer. 
The \nDepartment is already approximately two-thirds done with deployment of \na Transmission Control Protocol/Internet Protocol (TCP/IP) Layer 3 bulk \nencryption solution for wide area network (WAN) links to its major \nfacilities including medical centers, regional offices, and data \ncenters. This would eliminate the passing of ``clear text\'\' across \nthose VA WAN links regardless of the use of private external service \nprovider networks as an underlying transport. Encryption for the links \nto major facilities is scheduled to be completed by the end of the \ncalendar year and the same solution is being extended to the \nDepartment\'s Community-Based Outpatient Clinics.\n    In addition to the bulk WAN encryption, there is encryption at the \napplication layer in some instances related to the transmission of \nmedical and other sensitive data. For terminal emulation sessions to \nits hospital information systems (VistA), for instance, VA uses Secure \nShell (SSH), which encrypts all traffic transmitted between the end \nuser client and the VistA system. For the bulk transmission of VistA \ndata, the VistA systems, end user clients and other VA servers have the \ncapability to use secure file transfer protocol (SFTP), which encrypts \nthe data in flight. For other types of sensitive transmissions, VA staff \nand systems have standard public key infrastructure (PKI) capabilities \nto digitally sign and encrypt any transmissions and, for document \nencryption and user-based controls, VA has Rights Management Services \n(RMS). RMS encrypts documents regardless of where and how they are \ntransmitted and controls how the recipient is permitted to handle the \ndocument (e.g., whether they are permitted to forward it, print it, \nstore it, etc.). VA also uses Secure Sockets Layer (SSL) and Transport \nLayer Security (TLS), which encrypt sensitive HTTP transmissions. 
All of these \nmethods are in place and encrypt data transmissions independent of \nwhether or not the underlying network is, itself, encrypted.\n\n    6. Based on the information provided in Deloitte\'s deep dive \nreport detailing inefficiencies in OI&T operations, what steps will the \nCIO take to improve delivery of IT services?\n\n    VA Response: VA is working hard to position its IT organization as \na product and service delivery organization focused on providing \nquality customer service. VA asked for the Deloitte survey to be \nconducted specifically to help address any existing issues in order to \nmeet the goal of improving customer service. As part of our culture of \nconstant measurement and evaluation against goals and objectives, \nleadership asked for a tough and thorough analysis to evaluate the \neffectiveness of the Service Delivery organization.\n    Since the delivery of the Deloitte deep dive report, we have worked \non expediting initiatives already in place designed to improve service \ndelivery and have begun two related efforts to address customer service \nand communications issues. We are currently exploring ways of \naccelerating the implementation of the National Service Desk, which we \nbelieve will streamline and improve our efficiency in capturing issues \nfacing our customers so they can be addressed and resolved more quickly \nand analyzed more comprehensively so as to enable proactive IT \npreventive maintenance interventions, where necessary.\n    In terms of new efforts, we established a Customer Advisory Tiger \nTeam in April 2013, comprising field-based employees from the Veterans \nHealth Administration (VHA) and OIT as recommended by the Assistant \nDeputy Undersecretary for Health and the Acting Assistant Secretary for \nInformation and Technology. This tiger team is tasked to explore the \nimpact of OIT organizational initiatives, such as the establishment of \nregional service lines. 
Recommendations resulting from \nthe work of this committee were presented to the Acting Assistant \nSecretary for OIT in August 2013. In addition, we have begun an effort \ntoward enhancing field communications and dialogue between VACO and the \nfield through direct meetings, mostly via teleconferencing, with field \nleadership in the Veterans Benefits Administration (VBA) regional \noffices, VA medical centers, and National Cemetery Administration \noffices, working to identify and solve issues identified through focus \ngroup dialogues and intervention by our customer service improvement \ncouncil. Using the October 2013 VA-wide customer satisfaction survey as \na launching point, this program of structured interviews will identify \nsix issues to address nationwide on a quarterly basis. The first of \nseveral quarterly reports is due at the end of this month, and the six \ninitial issues we seek to address were identified in August 2013. The \ninvestigation process will continue with additional interviews in the \nnext two quarters.\n    OIT leadership is actively working with field staff to keep \ncommunication lines open as changes to the organization are developed \nand implemented. The Acting Assistant Secretary for OIT conducts weekly \ncalls with IT field leadership to keep them informed and involved in \nthis significant initiative to transform service delivery at VA. VA \nwill keep the committee informed after recommendations are selected for \nadoption and the initial set of six customer concern issues are \nselected for resolution.\n\n    7. How will the issuance of the PIV badge affect the ability of the \nDepartment to respond to Congressional requests, litigation demands, \nand other similar requests to search, decrypt and release bulk volumes \nof VA emails? 
Does the planned roll-out of the PIV badge tied to \nautomatic encryption hinder timely responses to such requests in any \nway?\n\n    VA Response: The issuance and use of Personal Identity Verification \n(PIV) cards will improve the security posture of VA by ensuring only \nauthorized employees have access to general information systems by \nrequiring a higher level of assurance through using multi-factor \nauthentication. Multi-factor authentication and hard PKI certificates \nassociated with the PIV card will improve network access and help \nsecure VA and Veterans\' information. The use of PIV cards with hard PKI \ncertificates to encrypt/decrypt email complicates the response to e-\nDiscovery requests. We have several efforts underway to improve our \nresponse times when dealing with emails encrypted with a hard PKI \ncertificate, as VA understands the importance of complying with such \nrequests.\n\n    8. Why is it that the PMAS process only focuses on meeting \nmilestones and schedule but there are no metrics around quality, \nfunctionality and customer satisfaction?\n\n    VA Response: The Project Management Accountability System (PMAS) is \nan evolving IT project development methodology and management oversight \nsystem. From the very inception of PMAS, VA leadership planned to \nsystematically expand the scope and function of PMAS over time. PMAS \nwas initially implemented to ensure on-time delivery of IT \ncapabilities. PMAS\' initial focus on schedule was the most impactful to \nreviving the IT delivery rate at VA. However, PMAS continues to evolve \nand now also includes quality, functionality and customer satisfaction \nelements.\n    PMAS Guide 4.0, dated November 7, 2012, establishes current PMAS \npolicy. PMAS mandates that IT customers be engaged in the process of \nidentifying the functionalities and capabilities that new IT projects \nare to deliver. 
Before development of a new IT project begins, as well \nas during the development process, the customer is intricately involved \nand their satisfaction is a critical element in the ability of that \nproject to continue development. In addition, PMAS requires direct and \ncontinual participation by the customer across the entire life cycle of \nproject development via the Integrated Project Team. Specifically, PMAS \npolicy mandates that the Project Manager and the customer agree not \nonly on the IT capability to be delivered, but also on the schedule by \nwhich the new IT capability is to be developed.\n    At the conclusion of each development period, called increments, \nthe customer must approve of the capabilities which were delivered. \nWithout this measure of customer satisfaction being achieved, the \nproject cannot continue development. To deliver on time, the capability \nmust be delivered to a production environment by the scheduled \nincrement delivery date, and the customer must agree that the \ncapability meets desired functionality and schedule goals.\n    Recently, measuring functionality (scope) has also been added to \nPMAS by capturing function points delivered in an IT project\'s \nincrement. Function points measure an amount of business functionality \ndelivered by the IT system to its users. 
By capturing these metrics, \nanalysis can be conducted to also measure the effectiveness and \nefficiency of functionality delivered to the VA enterprise.\n    In addition to measuring functionality, PMAS is now able to capture \ncosts per increment by integrating data from the Budget Tracking Tool \nand PMAS data to achieve a cost per increment.\n    The PMAS program will continue to mature; the near-future will \nfocus on: (1) increasing customer satisfaction by assisting the \ncustomer in determining and measuring the business value the increment \ndelivers; (2) recognizing and verifying the progress toward achieving \nthe customers\' strategic goals and objectives; and (3) determining the \nquality of the code delivered to production.\n\n    9. The VA regulations on Information Security Matters at 38 CFR \nPart 75 appear to authorize an accelerated response with notice to the \nsubjects of a data breach and/or an offer of credit protection \nservices. How many times has credit protection service been offered to \nveterans for FY 2008-2012 and for each such instance, to how many \nveterans were such services offered? Please provide the annual cost for \ncredit services for each year between FY 2008-2012.\n\n    VA Response: The following table demonstrates the number of credit \nmonitoring offers extended by VA, and the cost to the agency.\n\n\n----------------------------------------------------------------------------------------------------------------\n                        FY                                      Issued                          Cost\n----------------------------------------------------------------------------------------------------------------\nFY 2009...........................................                        20,287                         97,519\n----------------------------------------------------------------------------------------------------------------\nFY 2010...........................................                   
     28,369                        148,367\n----------------------------------------------------------------------------------------------------------------\nFY 2011...........................................                        26,980                         74,908\n----------------------------------------------------------------------------------------------------------------\nFY 2012...........................................                        16,160                         39,498\n----------------------------------------------------------------------------------------------------------------\nFY 2013*..........................................                        11,485                         25,156\n----------------------------------------------------------------------------------------------------------------\n*so far through July\n\n\n    VA has reached out to Veterans Service Organizations to help \nencourage Veterans who are offered credit monitoring to accept the \nservice.\n\n    10. Under the regulations at 38 CFR Part 75, if the Secretary \ndetermines that individual notice is not warranted for a data breach, \nthen an independent risk analysis is required to be performed. How many \nrisk analyses have been performed in accordance with these provisions \nfor FY 2008 to present? Please describe each occurrence of such \nanalysis including the findings and conclusions. Please also indicate \neach date and instance in which a data breach was reported to OMB and/\nor to Congress within FY 2008 to present.\n\n    VA Response: The results of several contracted Independent Risk \nAnalyses (IRAs) VA has conducted are below. The costs for each IRA are \nat least $29,000 and as much as $67,000. In 2012 alone, there were \n4,724 incidents. Conducting an IRA for each incident would have cost \nthe Government over $136 million. The costs are not justified by the \nresults from the IRAs. 
Of note, VA\'s OIG has declined to conduct IRAs \nas authorized by 38 U.S.C. Sec. 5724(a).\n    In order to protect our Nation\'s Veterans, VA uses a very low \nthreshold for offering credit protection services when a Veteran\'s \nsensitive personal information is the subject of a data breach. All \nreported incidents are triaged by VA\'s Incident Response Team and \nforwarded to the Department-wide Data Breach Core Team (DBCT) to \ndetermine when credit monitoring or notification letters are required. \nThe DBCT performs the same function as the IRA at a much lower \ncost.\n    Additionally, the Department routinely performs other monitoring \nactivities to ensure information is protected and has not been \ncompromised, including conducting quarterly generalized data breach \nanalysis on the 20 million Veterans\' names in the Beneficiary \nIdentification Record Locator Subsystem to determine if any anomalies \nindicating identity theft warrant intervention on behalf of the \nVeteran. If such anomalies are detected, individual Veterans are \nnotified by mail. This proactive data breach analysis identifies both \npotential identity theft that may be the result of undetected VA data \nbreaches and identity theft unrelated to VA experienced by the Veteran \npopulation.\n\n    1. April 2008 - An Independent Risk Analysis (IRA) was completed on \nan incident that involved unaccounted-for IT Equipment Inventory losses \nacross VA. A reasonable risk of harm was not found. Approximately \n$53,000.\n\n    2. June 2008 - An IRA was completed on an incident that involved \nlost CDs at VBA regional offices. A reasonable risk of harm was not \nfound. Approximately $29,000.\n\n    3. October 2009 - An IRA was completed on an incident that involved \ncontracted transcription services done for various facilities within \nVHA. A reasonable risk of harm was not found. Approximately $67,000.\n\n    4. 
April 2011 - An IRA was contracted regarding an OIT employee in \nFayetteville, North Carolina, who was stealing identities. The contract \nwas cancelled in September 2011, after the employee was convicted and \nthe OIG determined the investigation was complete. Credit protection \nservices were provided due to reasonable risk of harm.\n\n    11. By letter to the committee dated May 14, 2013, you stated: ``To \nbe clear, VA\'s security posture was never at risk.\'\' Please explain how \nthis statement is true given the admissions uncovered in the hearing \nthat systems and networks had been breached by foreign state actors and \nthe testimony of OIG that, at one point, there were 4000 open \nvulnerabilities. If the statement was untrue when made (as it certainly \nappears), please describe what disciplinary action is being taken for \nthe subordinates responsible.\n\n    VA Response: As has been previously explained to the committee on \nJuly 12, 2013, this statement came in the context of a response to an \ninquiry on a particular topic. On April 25, 2013, VA received a letter \nfrom Congressman Coffman asking how VA will renew its ``Authorizations \nto Operate\'\' (ATO) various IT systems ``without compromising system \nsecurity.\'\' The Secretary responded to this question in a letter on May \n14, 2013, outlining the ATO process and stating that through this \nprocess, ``VA\'s security posture was never at risk.\'\' As the Acting \nAssistant Secretary for OIT, Mr. Stephen Warren, indicated in \ntestimony at the June 4, 2013, Subcommittee hearing, that specific \nphrase in the letter was and is clearly referring to the context of the \nletter: The process to approve ``Authorizations to Operate\'\' did not \n``compromise system security.\'\' The line did not - and was not meant \nto--imply that normal operation of VA systems was never at risk based \non other factors. Further, as you know, Mr. 
Warren indicated in the \nhearing that his office drafted that letter for the Secretary\'s \nsignature and that in retrospect Mr. Warren believes he could have been \nmore clear. Regardless, the sentence is within the context of the ATO \nsituation and responds to Congressman Coffman\'s request for assurance \nthat the process of renewing ATOs would not put VA systems at risk.\n\n    12. Reports indicate that VA became aware in January, 2013, of an \nincident where attackers used a spearphishing attack to gain access to \na joint VA-DoD network dealing with health data. How many instances \nhave hackers tried to use VA networks to gain access to Defense \nDepartment computer systems? Please describe each instance and what \ncorrective actions were taken in response.\n\n    VA Response: A response to this question was provided in a briefing \nto Committee staff on July 12, 2013. VA is bound by agreements with \noutside agencies to not reveal information they report to the \ndepartment in public documents or settings. This has been explained to \ncommittee staff several times.\nQuestions for the Record from Congressman Tim Huelskamp\n\n    1. I reiterated in my questioning during your testimony, if you \ncould please communicate with the appropriate individual my request for \nanswers to the letters I sent to the Department of Veteran Affairs on \nSeptember 23, 2012 and October 3, 2012? If you need a copy of those \nquestions, my office would be happy to provide those to you.\n\n    VA Response: VA provided a response to Congressman Huelskamp\'s \nOctober 3, 2012, letter on January 24, 2013. A response to Congressman \nHuelskamp\'s September 23, 2012, letter will be provided as soon as it \nis available.\n\n    2. Your explanation for receiving $87,000 in bonuses was that you \nmet the performance expectations laid out for you by you leadership--\ncould you please provide further explanation of those expectations to \nmy office?\n\n    VA Response: Mr. 
Warren met and exceeded the performance \nexpectations set by his supervisors. As a Senior Executive, Mr. Warren \nwas responsible for meeting the executive core requirements of leading \nchange, leading people, being results-driven, exercising business \nacumen, and building coalitions. Mr. Warren has excelled in these areas \nas reflected in the performance appraisals.\n\n    3. Can you please provide information on how data security at the \nDepartment of Veteran Affairs compares with industry standards outside \nthe federal government? Specifically, please describe the current data \nencryption process used by the Department of Veteran Affairs.\n\n    VA Response: Effectively comparing data security at VA to industry \nstandards largely depends on what sector of industry is being used for \ncomparison. VA is on par with health care providers in terms of data \nsecurity based on publicly available data regarding Health Insurance \nPortability and Accountability Act reports to the Department of Health \nand Human Services. VA has made great strides in encrypting laptops and \ndesktops, having completed approximately 99.6 percent encryption of \nlaptops and 70 percent encryption of desktops, with the remainder of \ndesktop encryption to be completed by the end of the calendar year.\n\n    4. It was stated during the hearing that outside foreign agents \nhave had access to information in the Veterans Affairs database. Could \nyou please provide to me detailed information on who has accessed the \ndata, the date(s) it was accessed, and what the Department of Veteran \nAffairs has done to prevent future compromises to the system?\n\n    VA Response: A response to this question was provided in a briefing \nto Committee staff on July 12, 2013. VA is bound by agreements with \noutside agencies to not reveal information they report to the \ndepartment in public documents or settings. 
This has been explained to \ncommittee staff several times.\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'