[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]




 
                   VA CYBERSECURITY AND IT OVERSIGHT

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 16, 2016

                               __________

                           Serial No. 114-133

                               __________

Printed for the use of the Committee on Oversight and Government Reform










         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      


                             ________

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 25-503 PDF              WASHINGTON : 2017       
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
               Troy Stock, IT Subcommittee Staff Director
                         Michael Flynn, Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                                 ------                                

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California
                                     
                                     
                                     
                            C O N T E N T S

                              ----------                              

Hearing held on March 16, 2016

                               WITNESSES

Ms. LaVerne Council, Assistant Secretary for Information and 
  Technology, Chief Information Officer, U.S. Department of 
  Veterans Affairs, Accompanied by Brian Burns, Deputy Assistant 
  Secretary for Information Security, Office of Information and 
  Technology, U.S. Department of Veterans Affairs
    Oral Statement
    Written Statement
Mr. Brent Arronte, Deputy Assistant Inspector General for Audits 
  and Evaluations, U.S. Department of Veterans Affairs, 
  Accompanied by Michael Bowman, Director of Information 
  Technology and Security Audits Division, Office of Inspector 
  General, U.S. Department of Veterans Affairs
    Oral Statement
    Written Statement

                                APPENDIX

Representative Connolly Statement for the Record
Representative McMorris Rodgers Statement for the Record
2016-03-16 Iraq and Afghanistan Statement for the Record


                   VA CYBERSECURITY AND IT OVERSIGHT

                              ----------                              


                       Wednesday, March 16, 2016

                  House of Representatives,
            Subcommittee on Information Technology,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 2:00 p.m., in 
Room 2247, Rayburn House Office Building, Hon. William Hurd 
[chairman of the subcommittee] presiding.
    Present: Representatives Hurd, Farenthold, Kelly, and 
Connolly.
    Also Present: Representative Moulton.
    Mr. Hurd. The Subcommittee on Information Technology will 
come to order. Without objection, the chair is authorized to 
declare a recess at any time.
    Last June, in the first hearing on the data breach of the 
Office of Personnel Management, I told agencies that we would 
be watching to make sure they are taking their cybersecurity 
obligations seriously. We discussed how CIOs, CISOs, and agency 
heads need to take a hard look at their IG audits and GAO 
reports, and make sure they address the findings to make sure 
their cyber posture is meeting FISMA standards. The same is 
true when addressing the federal IT acquisition reforms. That 
is why this committee, in a bipartisan fashion, developed a 
scorecard to grade agencies on their implementation of FITARA.
    This committee will continue to hold agency heads 
responsible for the state of their agency information 
technology and cybersecurity posture, but much of this work 
starts in the office of the CIO. We are here today to continue 
that work, and nearly no other department is of such importance 
to get right as the second largest Federal agency whose mission 
it is to care for our Nation's veterans. We cannot afford and 
should not allow IT lapses to occur.
    While we are focusing on the technical details today, I 
hope each of us will also take time to recognize that there are 
real-world consequences and impacts of these decisions, and 
that they fall upon those who have already given so much for 
their country. We cannot forget that.
    Ms. Council, I am pleased to have you here today. I know 
this is your sixth hearing, I think, in the last 10 days, so I 
appreciate it. I think it is because you are so charming and 
you know what you are doing, so it is great to have you here.
    Truthfully, I am very encouraged. I am encouraged that you 
have a strategy in place to eliminate material weaknesses, 
material weaknesses that, in some cases, go back 17 years.
    The VA exceeded the OMB's target on the 30-day 
cybersecurity sprint and expanded strong authentication 
practices to 100 percent of its privileged users and 80 percent 
of its unprivileged users. This was demonstrated progress in 
the area of cybersecurity and a positive indicator that the VA 
is making progress in this area. But concerns remain.
    The goal you and your chief information security officer 
have set to eliminate the material weaknesses is by the end of 
2017, 2 years to solve in some cases fairly basic cybersecurity 
best practices. We are talking about predictive scanning for 
vulnerabilities, implementing risk assessment, monitoring 
tools, and security training. Two years is too long, and I 
think we can do better.
    The VA received an overall grade on the committee's FITARA 
scorecard of a C. The agency received Fs in savings relating to 
data center consolidation and IT portfolio review. Again, I 
must highlight this is self-reported data.
    We will talk about that and the VA's plan to implement 
FITARA further.
    The modernization of the VA's legacy technology is a real 
concern that is affecting millions of veterans.
    Ms. Council, a few weeks ago, you testified before the 
House Appropriations Committee that you ``want to take a step 
back from the existing modernization plan of VistA.'' You cited 
changes in circumstances and issues such as women's health, the 
Internet of Things, and Care in the Community as instigating 
factors in taking a pause on the VistA Evolution plan developed 
in 2014.
    While I certainly appreciate big thinking, especially in 
government IT, I have to ask whether or not this is another 
example of the VA taking a U-turn on substantial IT investment. 
We have been down this road before with the effort to make 
electronic health records of the DOD and VA interoperable.
    Is VistA going to end up in a multiyear investment that 
never delivers the functionality that the VA's health care 
providers need? The meaningful exchange of health care data has 
been delayed for far too long.
    While the DOD and VA seem to have made progress recently 
with the Joint Legacy Viewer, I want to reiterate once again 
that the JLV is not true interoperability.
    The missed deadlines, cost overruns, and failures to 
deliver on expectations leave me with serious doubts about 
whether these two departments are able to work together toward 
effective, real-time sharing of veterans' health data.
    Turning to the issue of patient scheduling, what will a 
pause of VistA Evolution mean for the medical appointment 
scheduling system? Here again is a problem that needs an IT 
solution that has suffered repeated setbacks.
    This is not a new problem. The scheduling component of 
VistA dates back to 1984. With veterans coming home from the 
wars in Iraq and Afghanistan, this is a system that needs to be 
upgraded immediately. Fifty-thousand schedulers made 80 million 
appointments in fiscal year 2011 alone--80 million.
    The VA has recently put in place a 5-year contract to 
develop a new medical appointment scheduling system at the cost 
of $624 million. I have to ask the questions: Could this have 
been done cheaper with commercial off-the-shelf technology? 
Will the latest attempt work? Will this contract fix the 
scheduling problems at the VA?
    I have said it time and again, the problems the agencies 
face in IT and cybersecurity are not in the availability or 
accessibility of technology. The tools already exist. The 
challenge the Federal agencies face, and we have seen at OPM 
and the Department of Education, is having the leaders in 
place, leaders who have vision and a commitment to staying at 
their agency to see the vision through.
    And, Ms. Council, I am excited because I think you are the 
right person for the job.
    I thank the panel for attending today's hearing, and I look 
forward to today's discussion.
    Now it is my pleasure and honor to recognize the gentlelady 
from Illinois, my friend and ranking member of the 
subcommittee, Ms. Kelly, for her opening remarks.
    Ms. Kelly. Thank you, Mr. Chairman.
    Information technology is critical to improving the service 
and performance of the Federal Government, especially the 
Department of Veterans Affairs, one of the largest integrated 
health care systems in the United States, serving millions of 
veterans and families.
    Today's hearing provides the VA an opportunity to 
demonstrate their commitment to improving the delivery of 
health care and benefits to our veterans, while safeguarding 
the veteran information and VA data that exists within its 
environment.
    This committee plays an important oversight role that can 
increase transparency and accountability of agency efforts to 
implement important legislation such as the FITARA and FISMA.
    In response to various internal challenges and external 
pressures, VA rolled out a new strategy to transform the Office 
of Information and Technology into a world-class IT 
organization that supports the delivery of excellent health 
care and benefits to veterans. Transforming an IT organization 
of 8,000 employees with a budget of more than $4 billion is no 
simple task.
    The VA chief information officer, Ms. Council, joined VA in 
July 2015, inheriting an IT environment with thousands of 
outstanding security risks and failed or mismanaged IT 
projects. However, Ms. Council's written testimony to this 
subcommittee in October stated, and I quote, ``The opportunity 
is now, because we have the key components for success. We have 
executive-level support from the Secretary and Deputy 
Secretary, and the CIO role at VA is empowered with unique 
flexibility. I've been impressed to find that we have a hard-
working, mission-oriented staff that cares deeply about 
creating a better experience for the veteran. Through 
congressional action, we have a centralized IT and sufficient 
resources. Finally, we have the ability to deliver for our 
business partners when they need us the most.''
    I look forward to hearing more on the progress at VA and 
recognizing the Office of Information and Technology to better 
manage the IT portfolio and enhance CIO authority and 
accountability as required by the FITARA.
    Given the recent breaches in both the public and private 
sector, we are all aware of the evolving nature of threats 
facing information systems. It is important that we ensure that 
the VA responds to these threats with efforts to fully address 
information security weaknesses and enhance its information 
security posture. These efforts to improve VA operations and 
information security are essential to regaining the trust and 
confidence of the American public that the VA is taking care of 
our Nation's vets.
    Thank you, Mr. Chairman.
    Mr. Hurd. Thank you.
    Now I will hold the record open for 5 legislative days for 
any members who would like to submit a written statement.
    Mr. Hurd. We will now recognize our panel of witnesses. I 
am pleased to welcome the Honorable LaVerne Council, Assistant 
Secretary for Information and Technology and chief information 
officer at the Office of Information and Technology of the U.S. 
Department of Veterans Affairs.
    Ms. Council is accompanied by Brian Burns, Deputy Assistant 
Secretary for Information Security at the Office of Information 
and Technology at the U.S. Department of Veterans Affairs, 
whose expertise may be needed during questioning.
    Next, I would like to welcome Brent Arronte, Deputy 
Assistant Inspector General for Audits and Evaluations with the 
Office of Inspector General at the U.S. Department of Veterans 
Affairs. Mr. Arronte is also accompanied by Mr. Michael Bowman, 
director of the Information Technology and Security Audits 
Division at the Office of the Inspector General, whose 
expertise may be needed during questioning as well.
    Welcome to you all. Pursuant to committee rules, all 
witnesses will be sworn in before they testify. We will also 
swear in Mr. Burns and Mr. Bowman.
    So please rise and raise your right hands.
    Do you solemnly swear or affirm the testimony you are about 
to give will be the truth, the whole truth, and nothing but the 
truth?
    Thank you. Please be seated.
    Let the record reflect that the witnesses answered in the 
affirmative.
    In order to allow time for discussion, please limit your 
testimony to 5 minutes. Your entire written statement will be 
made part of the record.
    Ms. Council, we will start with you, and you are recognized 
for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF LAVERNE COUNCIL

    Ms. Council. Thank you, Chairman Hurd, Ranking Member 
Kelly, and distinguished subcommittee members. Thank you for 
the opportunity to discuss the progress we are making towards 
serving our Nation's veterans.
    In October, I shared with you our plan to transform the 
Office of Information and Technology, or OI&T, into a world-
class organization by implementing a new enterprise strategy. 
Our mission is to collaborate with our business partners to 
create the best experience for all veterans.
    We are becoming a principles-based organization, one 
centered on transparency, accountability, innovation, and 
teamwork.
    Our team is transforming. We are infusing new 
perspectives and skills by hiring new talent. We have added 
five senior leaders and will add an additional 11 in the next 
90 days. This team will carry the torch for relentless 
execution.
    When our veterans interact with VA, they are making the 
choice to entrust us with their personal information. The 
delivery of VA's enterprise cybersecurity strategy in September 
2015 was the first reinforcement of our commitment to safeguard 
their information with tools, technology, and the people of the 
highest caliber.
    We have made significant progress in improving our 
cybersecurity posture. For the first time, our security efforts 
are fully funded and resourced at $370 million in fiscal years 
2016 and 2017. This investment will make the implementation of 
our plan a reality.
    OI&T can no longer be considered a material weakness for 
VA. We are addressing all key FISMA findings. By the end of 
2016, we will close 30 percent of the IG's recommendations, and 
we will close 100 percent by the end of 2017.
    We have reduced elevated privileges by 95 percent, and we 
will technically enforce personal identity verification, or 
PIV, to achieve our 80 percent goal by September.
    But the highest level of security does not rest with IT 
alone. We are providing comprehensive education to ensure that 
all VA employees remain vigilant. We have updated our national 
rules of behavior and our annual security training, and we are 
emphasizing continuous engagement with our employees.
    Information security poses constant challenges, and it is 
only through continuous reinforcement that our employees can 
support us in this battle.
    We have achieved several significant goals in 
implementation of our Enterprise Program Management Office, or 
EPMO. The EPMO began operating on February 1 and is now our 
control tower, mapping out an agile path for all IT efforts. We 
replaced the Program Management Accountability System, or PMAS, 
with our new Veteran-focused Integration Progress, or VIP. VIP 
reduced our overhead obligation by 88 percent.
    Our most important projects, including VistA Evolution or 
VistA 4, the Enterprise Health Management Platform, VBMS, and 
our interoperability processes are already transitioned to VIP.
    For the first time, OI&T will have an integrated 18-month 
portfolio, a single change and a single release calendar. We 
will also include a 90-day post-release warranty on all efforts 
to ensure the highest levels of performance.
    Access to accurate veteran information is one of our core 
responsibilities. We will jointly be certifying 
interoperability with DOD, as mandated by the 2014 NDAA, within 
the next month and ahead of the 2016 deadline. We are outpacing 
our projection for our interoperability tool, the Joint Legacy 
Viewer, which has over 44,000 users and grows by over 3,000 
weekly.
    But we must do more. We are evaluating our electronic 
health record modernization plans to ensure we have the right 
strategy in place for the next 25 years, well beyond what will 
be achieved in 2018 by VistA 4.
    This is not about the software. This is about supporting 
the veteran anytime, anywhere. We must strive for continuous 
innovation, not just for NEHR, but for a digital health 
platform. We owe it to our veterans to evaluate their needs and 
meet each veteran where she is.
    I am proud of our recent accomplishments. But 
transformation requires a relentless focus on outcome, outcomes 
that matter, outcomes that support the veterans who have 
supported us.
    Mr. Chairman, members of the subcommittee, thank you again 
for the opportunity to discuss our progress with you. I am 
happy to take your questions at this time.
    [Prepared statement of Ms. Council follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
    
    
    Mr. Hurd. Thank you, Ms. Council.
    Now I would like to recognize Mr. Arronte for 5 minutes.

                   STATEMENT OF BRENT ARRONTE

    Mr. Arronte. Mr. Chairman and members of the subcommittee, 
thank you for the opportunity to discuss the Office of 
Inspector General's work regarding the VA's management of 
information technology and information security.
    As previously indicated, I am accompanied by Mr. Michael 
Bowman, OIG's director of Information Technology and Security 
Audit Division.
    VA continues to face challenges in developing IT systems it 
needs to support its current goals and overall mission. For 16 
consecutive years, information security has been reported as a 
material weakness in VA's consolidated financial statement 
audit. Our audits have shown that IT system development and 
management at VA is a longstanding, high-risk challenge.
    Despite some advances, our reports indicate VA IT programs 
are still often susceptible to cost overruns, schedule 
slippages, and performance problems.
    Over the past 3 years, the OIG has made 69 recommendations 
to improve IT systems management and security. As of February 
2016, 57 of those recommendations remain open. Of those 57, 17 
are repeat recommendations and 13 are modified repeat 
recommendations.
    For fiscal year 2016, the VA estimates a total IT 
investment of about $4.1 billion to fund information system 
security, system development initiatives, and systems operation 
and maintenance. If not properly planned and managed, these 
IT investments can become costly, risky, and counterproductive.
    In March 2012, the VA instituted the Continuous Readiness 
and Information Security Program, also known as CRISP. The 
purpose of CRISP is to ensure continuous, year-round monitoring 
and to establish a team responsible for resolving IT material 
weaknesses. While VA implemented some standardized information 
security controls, these improvements require time to be fully 
implemented and to show if they are effective.
    Our limited review indicates the CRISP initiative has not 
been fully effective in addressing systemic weaknesses or 
eliminating material weaknesses found in VA's information 
security program for fiscal year 2015.
    Examples of some of these weaknesses are financial 
management systems using outdated technology, password 
standards not consistently implemented, and systems not 
securely configured to mitigate known and unknown information 
security vulnerabilities.
    In April 2015, our administrative investigative staff found 
that certain OI&T employees failed to follow VA information 
security policy and contract security requirements. 
Specifically, OI&T staff improperly approved VA contractors to 
work remotely and access VA's network from foreign countries 
such as China and India.
    We identified that one contractor used his personally owned 
laptop to access VA's network from China. This contractor had 
administrative rights as well. Upon completion of his work, he 
left the laptop in China. As of this date, the laptop has not 
been recovered.
    We also found that other VA contractor employees improperly 
connected to the VA's network from other foreign locations. We 
determined VA information security officials and the former 
executive in charge for OI&T failed to quickly and effectively 
respond to determine if there was a compromise as a result of 
VA contractors accessing VA networks internationally.
    VA is also challenged in developing IT systems needed to 
support mission goals. Recent OIG reports disclose that some 
progress has been made in timely deploying system functionality 
because of the agile system development method. Despite these 
advances, VA continues to struggle with cost overruns and 
performance shortfalls.
    VA's mechanism for overseeing IT program management has 
improved but has not been fully effective in controlling these 
IT investments. Our work has demonstrated that VA continues to 
struggle with its IT investments.
    Some improvements in information security have become 
evident with the inception of CRISP. However, more work remains 
to be done, and VA needs to remain focused on addressing OIG 
recommendations in the security and development of IT systems.
    Until a proven process is in place to ensure controls 
across the enterprise, the IT material weakness may stand and 
VA's mission-critical systems and sensitive veterans data may 
remain at risk of attack or compromise.
    Mr. Chairman, this concludes my statement. We would be 
happy to answer any questions you or other members of the 
subcommittee may have.
    [Prepared statement of Mr. Arronte follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
   
    
    Mr. Hurd. Thank you, sir.
    I now would like to recognize the gentleman from Texas, Mr. 
Farenthold, for 5 minutes for questioning.
    Mr. Farenthold. Thank you very much, Mr. Chairman.
    Ms. Council, you talked a little bit about upgrading your 
medical records system. If your electronic medical records 
system was in the private sector, would it be compliant with 
all the laws applicable to the private sector, HIPAA laws and 
all the other new requirements under the Affordable Care Act?
    Ms. Council. Not all the new laws. That is one of the 
reasons that we are developing a new strategy that we need to 
go forward with for the next 25 years. So, no, it would not, 
not all the ACA.
    Mr. Farenthold. And it is also my understanding that a lot 
of both your hardware and software is grossly out of date. I 
was down in the Rio Grande Valley and the Secretary of the VA 
mentioned to the group some of the financial systems are 
actually running computer language called COBOL, which was 
actually around probably before I was born, and I am in my 50s.
    Is it a problem to maintain and update this code and find 
employees to do that?
    Ms. Council. The current state of the financial systems is 
that we are looking for a shared platform with our financial 
organization. They are looking at Treasury as a Federal 
opportunity to engage a partner.
    So you are right, the systems are older. As a person in her 
50s as well, and COBOL being a language that I know quite well, 
it is old, and we do need to upgrade.
    Mr. Farenthold. What sort of effect is this out-of-date 
software having on delivering service to our veterans and 
making sure that the physicians who provide service either 
under the voucher system or Veterans Choice are paid in a 
timely fashion?
    Ms. Council. I think you have touched on the main issue as 
to why we are looking at a digital health platform, sir. The 
reality is when you are on old platforms, old hardware, old 
software, you cannot take advantage of the new opportunities to 
share data, as well as upgrade our information with those 
providers and pay them quicker.
    That is really our focus, to ensure that we are prepared 
for the future.
    Mr. Farenthold. And it is not just the software that is 
out-of-date or your custom software. It is even some of the 
stuff you buy off-the-shelf. It is my understanding you all 
have not yet completely migrated off Windows XP, which is no 
longer supported by Microsoft.
    Ms. Council. There are 834 custom applications within the 
VA. The most customs that I have ever seen in my career. We 
also do have XP in the environment, much of that leveraged by 
medical cyber and medical equipment.
    As part of our enterprise cybersecurity strategy, we have 
put in processes to eliminate and drive out that lifecycle 
problem.
    Mr. Farenthold. Are we also looking in the VA at moving 
away from the extraordinary number of custom systems? There is 
a lot of off-the-shelf stuff that you ought to be able to 
adopt. Is that not a reasonable question?
    Ms. Council. It is a very reasonable question, sir. There 
are five new functions we are adding as part of the strategy. 
One of those new functions is strategic sourcing, which is all 
about putting us in a situation where we buy versus build, so 
that we look for off-the-shelf software that can meet our needs 
first. We validate that there is not something that is already 
built that could meet our needs, and then we make those calls 
based on what best fits the process.
    Mr. Farenthold. I can understand that there is some legacy 
stuff that was designed to run on Windows XP and may not run on 
other stuff. Our research shows that you all are still on 
Exchange Server 2003 that had an end-of-life-support cycle in 
2014.
    Do you think the outdated software that is not getting 
current security patches might be a cybersecurity opening or 
vulnerability?
    Ms. Council. We actually use the same assessing process 
that the IG uses and patch aggressively against each of those 
issues, as well as taking those software out.
    One of the big opportunities that we have and we are 
deploying within the next month a contract to start moving much 
of this to the cloud using Email as a Service, moving much of 
that storage out into the cloud in a secure manner working with 
the IG. It gives us an opportunity to eliminate some of the 
hardware issues that we have, but also put ourselves in a new 
place, as far as transformation.
    Mr. Farenthold. I want to direct this final question to 
anybody on the panel that would like to answer. Is there 
anything that Congress is not doing that it should be doing to 
help you through this IT crisis and get you to where you can 
better deliver services to our veterans? Obviously, the answer 
is to give us more money, but maybe we can do a little better 
than just that.
    Ms. Council. I always say this because it still continues 
to be the issue. When you are hiring for information 
technology, the kinds of architects we need, the kinds of 
security people we need, we are competing against private 
resources. And it takes a while to get into the Federal 
Government, and the requirements are not those that those same 
resources and highly valued resources would face in private 
industry.
    We need those resources, and even as we get access and 
opportunities to meet those people to talk with them, we take a 
long time to get them in the door. So any help that can be 
given there will be the most important help you can give us.
    Mr. Farenthold. And if you can get us some specifics on 
that, we want you to be able to compete with Google for the 
good people.
    Ms. Council. I appreciate it. I have three or four resumes 
I will get to you.
    Mr. Farenthold. Did anyone else want to answer that?
    All right. I will yield back the remainder of my time.
    Mr. Hurd. Thank you, Mr. Farenthold.
    Now I would like to recognize the ranking member for her 5 
minutes of questioning.
    Ms. Kelly. Thank you again.
    Ms. Council, as chief information officer, you oversee the 
activities of VA's $4 billion IT budget and over 8,000 IT 
employees in support of the VA's mission. Information 
technology at the VA includes a wide variety of tools and 
systems that support VA's mission to care for our Nation's 
vets. Your testimony highlights the creation of the Enterprise 
Program Management Office, which will host VA's biggest IT 
programs and help VA meet FITARA requirements.
    When will the EPMO be fully functional? And how will you 
ensure the office achieves its desired results?
    Ms. Council. The EPMO actually came on February 1, which 
means that we stood the team up. We are building the program 
management. We are talking to union about some of the new 
roles. All those things around people should be fully completed 
by April 1, as far as the union.
    But that means we have already started working. We have 
hired in, out of the Department of Commerce, the head for all 
of our pillars. As I mentioned, our top four projects are all 
under VIP. There are 12 core projects in which we are 
validating every step of the process.
    By the end of September, every single project will be 
working under VIP, which will move us to true agile 
development. The PMAS process, which people knew about, really 
was one that focused on waterfall. This will be true agile, and 
it will reduce our overhead by over 88 percent and increase our 
ability to deliver by only requiring seven core necessary 
documents and available to operate at the beginning of the 
process.
    All these things should move us into a situation where we 
deliver every quarter versus every 6 months.
    Ms. Kelly. Okay. Information security weaknesses have 
consistently been found at the VA for several years. FISMA 
compliance helps ensure Congress and the public that the VA is 
committed to safeguarding veterans' information and VA data. 
What are some of the challenges to addressing weaknesses 
and improving VA's information security programs and practices 
to comply with FISMA?
    Ms. Council. One of the things, as was mentioned by Mr. 
Arronte, is the length of some of these repeatable issues. The 
fact is, we had to put a core process in place. We had to talk 
about the accountability. We wanted to make sure we were fully 
sourced, resourced, and that we were also fully funded.
    In addition to not only having a team that is out there 
remediating, we have put a process in place to ensure that 
these issues stay fixed. I think that is really important. You 
can't just have it fixed one time and then when auditors come 
in, they see the same issues.
    So what we have done, one of the other new areas that we 
have added is quality and compliance. Our quality and 
compliance includes our risk management. The risk management 
team will get out in front of all of these issues and actually 
evaluate have we addressed what we said we would address, do 
the remediation, be engaged with the IG, and make sure that we 
are hearing what we need to hear in opening, and that our teams 
are responding properly.
    At the end of an audit, we are now also coming back in 
after we get the audit findings and coming right back into that 
same organization.
    Leaders are being held accountable for any repeatable 
processes. And in addition, I meet weekly on all security 
issues with the security top-level pillars to ensure that we 
continue to make progress.
    Since my arrival, we have had five reports open. We had 21 
total recommendations. We have closed 95 percent of those 
already for the OIG. For GAO, we had six reports with 12 total 
recommendations. Fifty-eight percent of those recommendations 
are closed or requesting closure. Twenty-five percent of them 
are on target for closure.
    It is a different level of ownership. It is a different 
level of accountability. We have stressed that every employee 
is responsible for security. Since that was the key first thing 
that I committed to do when we arrived, we have set upon a new 
way of looking at how we do what we do and how we own it.
    So our field operations, our information security team, as 
well as our quality and compliance team, all engage in ensuring 
that we do not see these material processes continue.
    Ms. Kelly. Thank you. My colleague asked about building the 
work force and what you needed. Once you get them in, how hard 
is it to keep people because of the competition?
    Ms. Council. I've only been there for 8 months, but I 
haven't lost anybody. That's a good thing.
    I will tell you that there were a number of people that 
were leaving the organization and they stayed, and I 
appreciated that, because they really want to make this change.
    This is a mission-driven organization. It is all about the 
veteran. They know that I am here as an appointee because I 
want to get this right for the veteran. Fifty-six percent of 
our employees are vets. They get it. They know the value.
    So everyone wants to sort of roll their sleeves up and get 
it right. We just have to make sure we have all the key skills 
that we need to hold all of our contractors accountable as to 
what they are delivering.
    Ms. Kelly. Okay, thank you so much. My time is up.
    Mr. Hurd. I will recognize myself for a couple minutes.
    Ms. Council, questions to you. In 2009, again, I know this 
preceded you, the VA abandoned the scheduling improvements it 
had been working on since 2000 and started over. August 2015, 
the VA announced it contracted with two companies for a medical 
appointment scheduling system, the MASS system. And it appears 
this is like the third try in 15 years at addressing scheduling 
issues in the VA. Again, I recognize that of that 15 years, you 
have only been there for 8 months.
    What is the current status of the MASS project?
    Ms. Council. There were two parallel processes going on for 
scheduling. MASS was one, and then there was also a mobile 
product being developed called VAR, and also updates to VistA 
called VSE.
    VSE and VAR will start rolling out next month in April 
nationally. They have been piloted. They basically allow the 
ability to change our scheduling processes.
    The current scheduling system is something from--you 
mentioned COBOL. This is probably from the 1960s. If you could 
look at it, you will see that it shows the green screen and 
then also you'll see that it's an old dot-matrix screen that 
also doesn't allow people to really know what they are leading 
to. The VAR and the VSE addresses this.
    So far, 95 percent of the users like the new product. And 
the idea was that if these could not deliver, that we would 
have through MASS, which was an IDIQ contract, an ability to 
move forward.
    MASS has been put on hold until the Deputy Secretary looks 
at these new products. Right now, if these new products roll 
out fine, we will stay with those new products.
    The $624 million aligned with MASS. It was never to spend 
up to that level. Since it is an IDIQ, it is a task order kind 
of contract. So it was there to support, if these did not work. 
But we will be rolling out in April with both of those 
products, one mobile and one into the system.
    Mr. Hurd. So if VSE and VAR work, we are not going to MASS?
    Ms. Council. They are working today, and if they fully meet 
our needs--and I think there is also the misnomer on MASS. MASS 
also includes a workflow and a scheduling capability of room, 
so it was a much broader look. We wanted something for 
scheduling right away. And right now, VSE and VAR seem to meet 
the needs.
    Mr. Hurd. So are Epic and Systems Made Simple? Are they 
involved in the VAR and VSE? Or were they to be involved in 
MASS?
    Ms. Council. They actually are part of the MASS contract.
    Mr. Hurd. So the folks that are implementing VSE and VAR, 
are any of them involved in the previous attempts by the VA to 
do scheduling?
    Ms. Council. Based on the information that we have, no, 
that would not be the case.
    Mr. Hurd. I find that a very good thing.
    If VSE and VAR are ultimately working, we are going to keep 
that and it is not potentially going to be grounded by any 
commercial off-the-shelf systems, correct?
    Ms. Council. Not at this time. That is part of the reason 
why we are looking for a digital health platform.
    The fact is, as you mentioned in your opening remarks, our 
need to really understand where we need to go for the next 25 
years means we really need to make a hard decision and start to 
think about what we have to do for Care in the Community, what 
we have to do for ACA, what we have to do for the number of 
women veterans and make it much more fluid.
    Dr. Shulkin, who heads up the VHA, and myself are really 
just not affecting what we're doing with VistA because VistA 4 
is scheduled and it is working, and it is going to roll out as 
planned into 2018. But to really say, what's the next level of 
platform? Who should we partner with? How do we make this 
happen?
    We are looking at the work with the DOD to see what they've 
learned and taking that information and also leveraging it. And 
we're meeting with industry experts to ensure that what we have 
in place, what we leave behind when we move on, the next set of 
leaders can take and move forward with.
    Mr. Hurd. My last question before we get to Mr. Connolly, 
how many clinics are currently in this test program using VSE 
and VAR, rough estimate?
    Ms. Council. This is my account manager at VHA, a new 
function.
    This is rolling out to 10 core as the pilot, and then based 
on those pilot feedback, it will be going out to the Nation.
    Mr. Hurd. I would love to know the 10 places it is going, 
because I would be interested in hearing how it is going from 
them.
    With that, I would like to recognize the distinguished 
gentleman from the great State of Virginia, Mr. Connolly, for 
his 5 minutes of questions.
    Mr. Connolly. I thank the chairman from the great State of 
Texas.
    Welcome to the panel.
    Ms. Council, the VA earned a C rating in the initial 
scorecard for compliance for FITARA, which actually was one of 
the higher grades. I would be interested in hearing from you 
why you think you got, relatively speaking, such a good grade 
as the baseline. But within that grade were other categories. 
In data center consolidation, for example, you got an F.
    So I wonder if you would, A, just talk a little bit about 
what your view being relatively new on compliance with FITARA 
and how FITARA is hopefully a benefit from your point of view, 
and then secondly, what are you doing about that F in data 
center consolidation?
    Ms. Council. The FITARA process, at this point, we have put 
in key processes with the EPMO that I mentioned to you as well 
as we are doing quality compliance, how we are going about many 
of the new abilities in data management, which will move us by 
the end of the year to close to 100 percent on the FITARA. We 
are excited about it.
    I use it as a guidepost. It allows us to really take 
ownership and hold ourselves accountable for the capabilities 
that have been put in our hands by having this legislation.
    The data center consolidation that you mentioned, we 
actually reviewed our plan yesterday that, by 2019, we will 
have eliminated 70 data centers. The other data centers will be 
eliminated through the use of the cloud, through consolidation 
of various data processes, and elimination of certain legacy 
systems. So that is in process.
    We are excited because if we can hit everything that we 
plan on in 2016, we will be the premier governmental agency in 
FITARA.
    Mr. Connolly. Wonderful.
    Your aide held up a chart a little while ago on scheduling 
appointments. Did I understand your answer to the chairman's 
question was that we are actually still using systems that go 
back to the 1960s to make scheduling appointments in the VA?
    Ms. Council. I think it is more the late 1970s.
    Mr. Connolly. Late 1970s. The Mary Tyler Moore era.
    Ms. Council. Yes.
    Mr. Connolly. All right. As opposed to the earlier Dick Van 
Dyke era.
    Ms. Council. Exactly.
    Mr. Connolly. Got it. How vulnerable are those systems to 
cyberattacks?
    Ms. Council. Last year, I think we blocked something like 
160 million malware attacks in our department.
    Mr. Connolly. Wow, 160 million.
    Ms. Council. Yes, sir. We continue to have a defense in-
depth capability that we now have reinforced. We are partnered 
with DHS in a number of key areas and have been very aggressive 
with moving into some new capabilities.
    One of the things that we are always concerned about are 
any kind of breaches or any concerns with that. What we find is 
that even in those cases, most of our situations are mailings, 
information that goes out that shouldn't have gone out to 
someone in the wrong way.
    We also report all of those into the IG. We are aggressive 
about that, and we will continue to be vigilant. You must be in 
this kind of space.
    Mr. Connolly. I was looking at my own opening statement for 
today's hearing. In just the last 3 years, the cost to operate 
and maintain your top four mission-critical legacy IT systems 
jumped by more than 100 percent for one system and 50 percent 
for the other three. Is that correct?
    Ms. Council. We will come back to you on that number. I 
don't know it exactly.
    Mr. Connolly. Anyone on the panel that can corroborate 
those? I'm obviously not Donald Trump. I didn't make that up.
    [Laughter.]
    Mr. Connolly. Oops. Sorry, Mr. Chairman.
    Okay, well, please corroborate. But the reason I cite it is 
it is indicative of the plight you all have. It is not just 
trying to maintain legacy systems. It is spending about 80 
percent of what we have doing that. It is that the costs get 
higher every year.
    And some of these systems cannot be encrypted and are 
extremely vulnerable. Now, some of them apparently are in the 
beyond-encryption period, and the Chinese don't know how to 
hack into them.
    I am told COBOL is one of those categories, Mr. Chairman. 
So it may have a redeeming unintended consequence.
    But the costs are very high. I assume that in your IT 
budget, most of it is probably spent not on new investments to 
upgrade services and move to the cloud while at the same time 
protecting yourself from cyberattacks, 160 million a year, but 
it is to maintain these legacy systems.
    Ms. Council. To your point, that is one of the reasons that 
we are looking to move much of the older legacy processes 
outside of the data center into a cloud process, as well as 
eliminate them. So the way you eliminate them is by having a 
real software development lifecycle and really going 
aggressively after getting those legacies out.
    We have in our budget about $18 million this year on 
getting some of these out. We are also putting in a CMDB. A 
CMDB is a configuration management database. When you can't see 
it, and you don't know who owns it, and you don't know how much 
of it you have, the conversations are very hard to have.
    This is going to allow the team to be able to have the 
conversations and say all of this redline can get out, we don't 
need it anymore, or we have another strategy on how we can 
aggressively address it.
    It is a great opportunity for the team. We are going after 
that, and we hope we will have the CMDB in place by the end of 
this year.
    Mr. Connolly. Mr. Chairman, my time is up, but something 
you and I talked about, which is we want to find, on a 
bipartisan basis, ways to incentivize agencies to be able to 
reinvest in themselves when they identify these savings, and I 
look forward to as a follow-up to this hearing and others to 
try to be able to do that. And, of course, Ranking Member Kelly 
as well. Thank you.
    Mr. Hurd. Thank you.
    The chair notes the presence today of Congressman Seth 
Moulton of Massachusetts. We appreciate your interest in this 
topic and welcome your participation.
    I ask unanimous consent that Congressman Moulton be 
permitted to fully participate in today's hearing.
    Without objection, so ordered.
    And now I recognize the gentleman from Massachusetts for 5 
minutes.
    Mr. Moulton. Thank you, Chairman Hurd, for inviting me to 
this important hearing. This is important because I think our 
veterans have earned the best health care in the world, and 
that should be the standard that we are trying to meet.
    I get my health care from the VA as a Member of Congress, 
and I can tell you that I have seen the good and the bad. I 
have gotten some fantastic doctors.
    I had to have surgery back in January and the 
anesthesiologist and the surgeon who took care of me were 
incredibly talented. They didn't have to be at the VA. They 
were there because they wanted to take care of veterans. I felt 
very comfortable in their care. And then the pharmacy sent me 
home without the right medications.
    There is a veteran in my office named Dennis who gets his 
care at the VA as well. And he was trying to make an 
appointment a few weeks ago and couldn't get through on the 
phone system. Someone else in my office said, you know, you 
should take a video of this, and the video went viral on 
Facebook.
    Here are some of the comments that we have received on my 
Facebook page about this video from veterans across the 
country.
    This one from Walcott, Arkansas: ``I can tell you this is 
for real. It happens every time I call. I usually give up and 
drive to the clinic 18 or 20 miles away so I can talk to a 
person face-to-face.''
    From El Paso, Texas: ``This is exactly what happens every 
time you try to call for an appointment or even general 
information about an existing appointment. This is exactly why 
lots of us vets end up giving up on the system.''
    From Colorado Springs: ``Finally, a video that shows the 
frustrations of this process.''
    And from Philadelphia, Pennsylvania: ``The longest I have 
been on hold with the VA was an hour and 45 minutes before I 
gave up.''
    Finally, from Faribault, Minnesota: ``I can't count the 
times this has happened to me. It's enough to make you want to 
throw the phone through the wall.''
    So while many have said that they get excellent care once 
they get into the system, as has been my experience as well, 
sometimes simply getting access to the system is a real 
problem.
    I know the VA is making progress. I met with the Secretary 
earlier this week, and I am inspired by his leadership, by the 
private sector innovation that he is bringing to the 
organization. But I don't think we have gone far enough.
    And it doesn't make sense to me that when people in the 
private health care system can have access to better scheduling 
applications, they are not available to veterans. If our 
standard is that veterans deserve the best health care in the 
world, because that is what they've earned, then they should 
have access to these systems as well.
    So that is why, Mr. Chairman, I have introduced the Faster 
Care for Veterans Act with my colleague and friend, 
Representative Cathy McMorris Rodgers of Washington.
    This bill would create a pilot program for the VA to try 
some of these private sector scheduling programs, currently 
available technology, and give access to that technology to 
veterans.
    That is the kind of care that I think all of us who use the 
VA system deserve. And while it seems that the VA is focused on 
developing their own solutions at great costs and taking 
enormous amounts of time, it is frustrating to us that we see 
our friends and colleagues in the private sector using these 
applications and systems available today.
    So with that, I would like to ask Chairman Hurd if I can 
submit a few questions for the record, and I thank you for 
inviting me here today.
    Mr. Hurd. I would like to now recognize Mr. Farenthold from 
Texas, again for 5 more minutes.
    Mr. Farenthold. Thank you very much.
    Mr. Moulton hits on an issue.
    Mr. Hurd. I'm sorry, Mr. Farenthold. Will you yield for one 
second? I would like to submit for the record two statements, 
one from the Iraq and Afghanistan Veterans of America, the 
other one from the American Legion, to illustrate some of the 
points that Mr. Moulton made.
    Without objection, I ask unanimous consent to introduce 
them into the record.
    Without objection, so ordered.
    Mr. Hurd. Thank you, sir.
    Mr. Farenthold. Thank you, Mr. Chairman.
    Ms. Council, as CIO, the difference between a computer and 
telephone is basically vanishing today. Does the telephone 
system fall under your jurisdiction or your leadership as well?
    Ms. Council. Currently, we provide the network capability, 
but we do not manage the phone contact centers or the contracts 
of those contact centers.
    The issues that are mentioned there, however, we are 
aggressively working with the new leadership. We have a new 
leader who put the 311 process in Philadelphia together, who is 
now coming in. We are making sure that we have the best 
capability.
    I also know that in that particular circumstance that was 
raised, that vendor who had voicemail now has had the contract 
updated and there is no voicemail in that process any longer.
    So we support it. We are working with them directly. I 
actually meet with that contact center so that we can ensure 
that we have the best infrastructure to move us forward more 
aggressively.
    Mr. Farenthold. I understand. This is a call center issue. 
This is not rocket science. This is technology every company of 
any size has complete with the ability for overflow calls to 
potentially go to people's homes or cell phones. We talked 
about the case of scheduling appointments. There are also 
tragedies associated with calls being dropped or being sent to 
a voicemail system that some people didn't even know existed on 
a suicide prevention hotline.
    I would encourage you to work closely with those vendors 
because, again, I think the line between the IT system and the 
telephone system really isn't a line anymore, and we ought to 
be able to use the technology to make sure that no veteran 
calling for help with suicide has to wait on hold or have their 
call lost in voicemail.
    I'm going to shift gears a little bit. I spend a lot of 
time in casework. About 70 percent of the casework I do in the 
district offices that I have in Texas is VA related. Of all the 
entire government, 70 percent of our complaints and problems 
are with the VA.
    Some folks in the VA need to be kind of hanging their head 
in shame on that one, I think.
    We are spending a lot of time in our office trying to get 
doctors to work with the VA, see veteran patients under the 
voucher system or Veterans Choice, and we talked in the first 
round of questions questioning that you all are working at 
modernizing that payment system.
    But what can we do now? I mean, is there anything that can 
be done now to get the doctors paid quicker so they will see 
our veterans again?
    The local VA can say, here is help in filling out the 
forms. Here is how you fill them out right. If it takes too 
long, call us and we will try to push it through.
    But you shouldn't have to call a senior person in the VA or 
call my office to have my red tape cutter call the VA.
    First off, when will it be fixed? And until then, is there 
anything we can do to improve the situation?
    Ms. Council. I actually will be happy to get some 
information to you. One of the things about IT, if we really 
want to be good, we have to know what our business partners are 
doing. So I know that Dr. Shulkin and Dr. Bally are working 
very strongly to figure out ways that we can pre-pay for 
certain things, that we can expedite this process. It is all 
part of our access process that we need.
    We are also looking at proof of concepts around doing some 
things in the cloud with urgent care and telehealth with urgent 
care so we can see people the same day, in many cases.
    So I will be happy to get some information back to you 
exactly what they're doing. But I know we are aggressively 
making some decisions and prepaying in some cases, so that this 
is not the problem.
    Mr. Farenthold. We worked really hard in Congress to get 
the Veterans Choice program implemented and provide quick care 
for veterans. But if you guys can't deliver on paying the 
doctors, then they don't want to see them. Obviously, a lot of 
that is contracted out. You have different contractors, but we 
have to find a way to get this done because there is no point 
fixing these laws, if you guys can't execute them and do that. 
So I definitely encourage you to do that.
    Finally, we talked a little bit about some of the older 
systems, your email system, some Windows XP. Do you have a 
dollar figure on how much it is costing to contract for beyond-
lifecycle support on that?
    Ms. Council. I do not, but I can get you that information.
    Mr. Farenthold. All right. It would be interesting to look 
at comparing how much we are paying for that extended support 
versus how much it would cost to have somebody come in and 
upgrade an off-the-shelf product that pretty much any decent 
system integrator in the country ought to be able to put in.
    So I see my time is up. I appreciate your commitment. I 
wish I saw the successes that I hear in your voice reflected at 
the local level. I am waiting expectantly for that to trickle 
down, so our veterans don't have to wait for the care that they 
need. Thank you.
    Mr. Hurd. Mr. Arronte, do you have any insight on that last 
question Mr. Farenthold asked about the percentage of how much 
it costs?
    Mr. Arronte. No, sir. We don't.
    Mr. Hurd. Okay, thank you.
    I would like to recognize Ms. Kelly for an additional 5 
minutes.
    Ms. Kelly. How do the projects and programs developed by 
18F USDS integrate with other VA systems?
    Ms. Council. The GSA 18F group is I think what you're 
referring to. We have a digital team that works with us. We 
actually have one that is doing vets.gov as well as our case 
appeals modernization.
    We are actually meeting with Assistant Secretary Duncan at 
the EPA and their digital service person to find out how they 
are using 18F to see if we also have some opportunities where 
we can leverage them as well.
    Ms. Kelly. What steps are taken to ensure that conflict of 
interest protocols are in place before work by 18F and USDS 
employees begin at the VA?
    Ms. Council. At this point, I will come back to you on 
that. Most of those people are hired as Schedule A on the 
digital services team. We do not have any 18F people at this 
point, but we do have digital service folks who come in on 
Schedule A, which is about a 2-year, maybe 3, but mostly 2-year 
expectation. I will come back to you and let you know if there 
are any conflict of interest forms.
    Ms. Kelly. And how are the activities of 18F and USDS 
audited by the VA?
    Ms. Council. The digital service teams are part of the IT 
team. We manage their work just like any other employee. Their 
processes, their systems, they have to adhere to every single 
process that any other employee has to adhere to. They are not 
set separate.
    Ms. Kelly. Do you have any comments about that?
    Mr. Arronte. No, ma'am.
    Ms. Kelly. Okay.
    I yield back the balance of my time. Thank you.
    Mr. Hurd. Thank you. I am going to recognize myself for 5 
minutes.
    Mr. Arronte, what are your thoughts on the decision to 
pursue VAR and VSE and put MASS on hold?
    Mr. Arronte. I'm going to turn it over to the subject 
matter expert to discuss.
    Mr. Hurd. Mr. Bowman?
    Mr. Bowman. Obviously, VA has had some history of trouble 
with their scheduling systems, so changes need to be made.
    I think the question is whether or not they're worthwhile 
investments and whether or not they're going to have an 
immediate impact to help with the scheduling. So pursuing these 
makes a lot of sense, but whether or not you're going to see an 
immediate impact, that is really the question.
    Mr. Hurd. Ms. Council, what immediate impact do you think 
you are going to see with the deployment of VSE and VAR?
    Ms. Council. The usability of the systems is just so much 
better than what is currently available. We will make sure we 
send you the depiction. When you see what is currently 
available, you will get it right away. I think once I saw that, 
I understood the difficulty in having to move from screen to 
screen to check on things to schedule an appointment.
    Mr. Hurd. So I am still trying to wrap my head around all 
this. Why pursue this versus trying to get something off-the-
shelf that you could possibly deploy a little sooner, 
especially if we had $624 million available for that? Am I not 
understanding this correctly?
    Ms. Council. I won't speak on behalf of the Deputy 
Secretary, but the way it was explained to me was they wanted 
to make sure that we were going to do something with 
scheduling, and we didn't want to necessarily believe that if 
we created it here, we couldn't leverage a piece of software--
which by the way, MASS is Epic software.
    So the real question is, we were going to do one or the 
other, and I think what we found is that if we just needed pure 
scheduling and we needed a mobile capability, we were able to 
create that and integrate it into VistA very simply. But the 
team had to try it, make it work, and I think they had an heir 
and a spare and really wanted to make sure we did the right 
thing on behalf of the veteran in getting this access dealt 
with.
    But I do not want to put words in the mouth of the Deputy 
Secretary, but that is how it was explained.
    Mr. Hurd. So this was the decision by the Deputy Secretary 
to pursue VSE and VAR over MASS or some other commercial, off-
the-shelf technology?
    Ms. Council. It was actually with, and then to run a pilot, 
and then based on the experiential relationship between that 
software and this one, which one was really best. But when Dr. 
Shulkin came in, when I came in, we really wanted to move fast. 
We wanted to get this access going, and we wanted to go with 
the fastest solution possible.
    As I mentioned, one of the key things that we have to 
really take a hard look at is the overall digital health 
platform, not just DHR, not just continuing to put more money 
into VistA, but really say we have VistA 4, it is delivering on 
the things it needs to, it is keeping us in the regulatory 
responsibility that we have, but what is the new new? What is 
the thing that we must do to enable the veteran anywhere at any 
time?
    That is probably a platform that is newer, a platform that 
is based on a COTS type of opportunity. But at this point, by 
June, Dr. Shulkin and his team would have assessed what we have 
laid out as a technical opportunity and come back when we have 
a solution.
    Mr. Hurd. So is Dr. Shulkin the one responsible for the 
policies and procedures and workflow and how they handle a call 
and handle an appointment?
    Ms. Council. Yes, sir.
    Mr. Hurd. Because ultimately, you are not responsible for 
scheduling. You are responsible for providing a platform in 
which other elements of the VA handle this, correct?
    Ms. Council. Yes, sir.
    Mr. Hurd. Because, again, I think part of the problem is 
the processes that are in place and you are delivering a 
system. And if it's not being used properly, we are going to 
have problems.
    Mr. Arronte, do you have any opinions on the implementation 
of this software and how the other elements of the VA would be 
able to put the processes in place to ensure they are using 
this new tool properly?
    Mr. Arronte. Sir, I think our concern right now is this is 
new, and so as some of this is still being piloted, we have not 
conducted any reviews. We plan to, and I'm going to have Mr. 
Bowman speak about some past experiences.
    But what is kind of long standing that we have seen with 
VA, with IT, they are trying to centralize at the headquarters 
level. I think the field is not always acceptable of that 
centralization. So sometimes what we see in some of our 
previous work is, there is a good plan and it looks good on 
paper, but getting out of the gate and getting it implemented 
seems to be some of the issues historically.
    Mr. Bowman. Anytime VA is involved with software 
development, it seems to be a high-risk venture. Some of the 
projects that we have looked at, VA tends to go over budget on 
cost. They seem to not deliver the intended functionality.
    So I think oversight of this project is essential, 
especially as it impacts veteran scheduling. VA just does not 
have a good history of delivering systems on time and within 
budget.
    Mr. Hurd. How long, Mr. Bowman, have you been part of the 
IG apparatus looking at the VA?
    Mr. Bowman. I have been with the IG for over 8 years.
    Mr. Hurd. So looking back at some of those failures, what 
would you say were some of the key reasons that those projects 
failed, with hindsight as a benefit?
    Mr. Bowman. A theme that comes through is ever-changing 
requirements. You have the business owners that can't quite 
decide on what the functionality should be. So there are a lot 
of changing system requirements, functionality requirements, 
and that impacts the development time. It encourages rework, 
systems under development.
    But until you stabilize those requirements, you are really 
unable to meet any milestones or stay within project cost 
constraints.
    Mr. Hurd. Mr. Arronte, do you have any opinion?
    Ms. Council, do you have an opinion on what was just 
stated?
    Ms. Council. Yes, sir. I think Mr. Bowman is correct when 
you talk about waterfall. As we moved to agile processing and 
using ITIL as our processes, you will see a marked difference 
in how we manage and work with our projects.
    So for instance, we have implemented what has been called a 
best practice within the VA around projects and visibility and 
transparency. All projects on the breakthrough 12, which you 
might've heard Secretary McDonald speak about, we actually have 
a governance committee that tracks against those, against 
resources, schedule, budget, as well as ATO or security.
    We see them every week. I see them every week. And we also, 
if an issue was open, be it a business issue or a resource that 
we have and it goes longer than 10 days, we call a tech stat, 
which means they come and I'm there, as well as the head of the 
application area, as well as our CFO, and we make a decision.
    We are no longer waiting until we get the right 
requirements and keeping these things going. If it is the kind 
of work that needs to get done, we have asked the businesses to 
be prepared to do it.
    With agile, it is a side-by-side, working real-time 
relationship in the development of the solution.
    We are looking for a new transformation, and I would not 
attest to anything that the gentleman mentioned in the past. 
What I will be excited about is what they see in the future.
    Mr. Hurd. Amen to that.
    Mr. Arronte, some of the FISMA violations dating back to 
2006: unsecured wireless networks in VA, lack of encryption on 
sensitive data. Are those two issues that you found that are 
still problematic?
    Mr. Arronte. Yes, sir. We have repeat findings and 
recommendations. Password protection or credentialing, for the 
last 3 years, they have clearly been repeat findings.
    VA's enterprise infrastructure is huge, but some of these 
recommendations, and I think Ms. Council has addressed that, 
some of them I think are fairly simple to fix.
    Mr. Hurd. Yes. For example, Ms. Council, unsecured wireless 
networks in VA sites, how do you go about fixing that and 
getting compliant with that in the next few months? Talk me 
through the process on why something like that takes a while to 
do.
    Ms. Council. I think at times it probably took longer than 
it should have. We now have the same assessing software that 
the IG has, so that we are looking at things in the same way. 
We make sure that we remediate early and often. We are tracking 
to those metrics, and we are actually going to grab all those 
metrics and make sure that we can also depict them out into the 
organization.
    One thing that was just mentioned was the field. In this 
transformation, we are also reorganizing for the first time 
what we do in the field. We are putting in a new help desk. We 
are reassessing and putting in service-level agreements with 
all of our customers. We also will have customer relationship 
managers out in the field that will actually go across all the 
businesses to understand, is IT doing what it needs to do, and 
do we have situations where our business partners might need 
some opportunity in helping them understand how to have a more 
secure environment?
    We are, in addition, laying out a very different way on how 
we look at how we do services and what people are held 
accountable for.
    In addition, every goal that relates to our strategy is 
being cascaded into the leader's goals and expectations for the 
year.
    So for us, we recognize exactly what we are hearing is not 
acceptable. We know now that 95 percent of the things that we 
used to be in what we call our tick are now covered. Those 5 
percent are more linkages between the VA and maybe university 
and third partners, but even that we need to provide some 
solutions to. And Brian and his team are doing that.
    Mr. Hurd. So I think this is my final question.
    Moving the Email as a Service, why hasn't that been done 
before?
    I ask that question really to leverage your experience and 
vision as a tool to work with some of your peers in other 
departments. It seems so simple. It seems so basic. Why hasn't 
it been done before?
    Ms. Council. I appreciate the question, because my new 
Principal Deputy, Ron Thompson, who came from HHS is actually 
spearheading that new contract. Email as a Service will be our 
first move, and that should happen in the next 60 days or so, 
the finalization of that.
    We are working with GSA and really trying to get in the 
FedRAMP kind of environment. We feel that if VBA can 
participate, we can actually make it good for everyone because 
of our size, but also leveraging the solutions that are already 
out there.
    So we are looking at those vehicles and moving into them, 
and the first one is Email as a Service.
    Mr. Hurd. Great. You mentioned earlier enterprise 
cybersecurity strategy. We would love to have a copy of 
that, if possible.
    Ms. Council. No problem.
    Mr. Hurd. The committee would love to have that.
    As Congressman Farenthold mentioned, all of us in Congress 
are dealing with veterans' issues and the lack of service and 
their frustrations. I think you recognize the importance of 
your role, because you and your team and OI&T can really be the 
units that transform how the VA delivers a service.
    I appreciate your vision. I hope we have you around long 
enough in order to see that vision come through.
    And know, on the employees and making sure you can hire and 
retain good employees, we are trying to work on ways to make 
that more flexible. We are trying to work on ways on how IT 
procurement can be streamlined so you can move quicker.
    My friend Colonel McSally, Congresswoman McSally, always 
says the bad guys are moving at the speed of light, and we are 
moving at the speed of bureaucracy. If we can fix that, it will 
go a long way in order to serve those folks that have been 
willing to put themselves in harm's way in order to keep us 
safe at night.
    So I want to thank you all for being here today. I would 
also like to thank the ranking member for always indulging my 
going over time and for her willingness to work together on 
such an important issue.
    And thank you for taking the time to appear before us 
today.
    If there is no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 3:14 p.m., the subcommittee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]