[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


     
               MAPPING THE CHALLENGES AND PROGRESS OF 
               THE OFFICE OF INFORMATION AND TECHNOLOGY

=======================================================================

                                HEARING

                               BEFORE THE

                SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION

                                 OF THE

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                         TUESDAY, APRIL 2, 2019

                               __________

                            Serial No. 116-2

                               __________

       Printed for the use of the Committee on Veterans' Affairs
       
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]       


        Available via the World Wide Web: http://www.govinfo.gov
        
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
38-952 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------          
        
        
                     COMMITTEE ON VETERANS' AFFAIRS

                   MARK TAKANO, California, Chairman

JULIA BROWNLEY, California           DAVID P. ROE, Tenessee, Ranking 
KATHLEEN M. RICE, New York               Member
CONOR LAMB, Pennsylvania, Vice-      GUS M. BILIRAKIS, Florida
    Chairman                         AUMUA AMATA COLEMAN RADEWAGEN, 
MIKE LEVIN, California                   American Samoa
MAX ROSE, New York                   MIKE BOST, Illinois
CHRIS PAPPAS, New Hampshire          NEAL P. DUNN, Florida
ELAINE G. LURIA, Virginia            JACK BERGMAN, Michigan
SUSIE LEE, Nevada                    JIM BANKS, Indiana
JOE CUNNINGHAM, South Carolina       ANDY BARR, Kentucky
GILBERT RAY CISNEROS, JR.,           DANIEL MEUSER, Pennsylvania
    California                       STEVE WATKINS, Kansas
COLLIN C. PETERSON, Minnesota        CHIP ROY, Texas
GREGORIO KILILI CAMACHO SABLAN,      W. GREGORY STEUBE, Florida
    Northern Mariana Islands
COLIN Z. ALLRED, Texas
LAUREN UNDERWOOD, Illinois
ANTHONY BRINDISI, New York
                 Ray Kelley, Democratic Staff Director
                 Jon Towers, Republican Staff Director

                SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION

                     SUSIE LEE, Nevada, Chairwoman

JULIA BROWNLEY, California           JIM BANKS, Indiana, Ranking Member
CONOR LAMB, Pennsylvania             STEVE WATKINS, Kansas
JOE CUNNINGHAM, South Carolina       CHIP ROY, Texas

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.
                            
                            
                            C O N T E N T S

                              ----------                              

                         Tuesday, April 2, 2019

                                                                   Page

Mapping The Challenges And Progress Of The Office Of Information 
  And Technology.................................................     1

                           OPENING STATEMENTS

Honorable Susie Lee, Chairwoman..................................     1
Honorable Jim Banks, Ranking Member..............................     2
Honorable Mark Takano, Prepared statement only...................    19

                               WITNESSES

Ms. Carol Harris, Director for Information, Technology 
  Acquisition Management, U.S. Government Accountability Office..     4
    Prepared Statement...........................................    20

Mr. Brent Arronte, Deputy Assistant, Inspector General, Office of 
  Audits and Evaluations, Office of Inspector General, U.S. 
  Department of Veterans Affairs.................................     6
    Prepared Statement...........................................    33

        Accompanied by:

    Mr. Michael Bowman,Director,Information Technology and 
        Security Audits Division, Office of Audits and 
        Evaluations Office of Inspector General,U.S. Department 
        of Veterans Affairs

 
 MAPPING THE CHALLENGES AND PROGRESS OF THE OFFICE OF INFORMATION AND 
                               TECHNOLOGY

                              ----------                              


                         Tuesday, April 2, 2019

            Committee on Veterans' Affairs,
                    U. S. House of Representatives,
                                                   Washington, D.C.
    The Subcommittee met, pursuant to notice, at 10:20 a.m., in 
Room 1302, Longworth House Office Building, Hon. Susie Lee 
presiding.
    Present: Representatives Lee, Brownley, Lamb, Cunningham, 
Banks, Watkins, and Roy.

           OPENING STATEMENT OF SUSIE LEE, CHAIRWOMAN

    Ms. Lee. Good morning. This hearing will now come to order.
    This is the first hearing of the 116th Congress by the 
Subcommittee on Technology Modernization. This Subcommittee was 
created last year and recognized that all aspects of 
implementing technology at the Department of Veterans Affairs 
needs to be sustained attention and oversight.
    I am pleased that the work that was begun last year will 
continue and I am honored to be part of the effort. I look 
forward to working with my colleague, Ranking Member Banks, and 
the other Members of the Subcommittee on this very important 
mandate.
    VA has many technology modernization projects underway, 
from the Electronic Health Record Modernization, the Financial 
Management Business Transformation, and the efforts to update 
its supply chain system.
    Congress has also given VA several critical programs to 
implement, including the MISSION Act and the Forever GI Bill. 
These programs will need to have strong technology systems that 
support the successful delivery of health care and benefits to 
our veterans. The Subcommittee will engage in oversight of each 
of these programs over the next several months; however, I 
thought it would be helpful to begin the Subcommittee's work 
with an assessment of the office within the VA that bears much 
of the responsibility for implementing that technology that 
will support these critical programs.
    The Office of Information and Technology, I will refer to 
as OIT, is responsible for all aspects of technology 
modernization in the VA, including the acquisition, 
development, and implementation.
    OIT is also responsible for making sure that VA's critical 
systems are secure, and that veterans' personal data is 
protected.
    It is clear that OIT has struggled in its mission. Many 
decades of oversight by the Government Accountability Office 
and the Office of Inspector General have found and documented 
systematic leadership and management challenges at OIT. 
Progress at solving these problems, unfortunately, has been 
halting. Today, I would like to explore the root causes of 
these challenges and to identify the barriers for improvement. 
And if OIT has made progress, I would like to explore that as 
well, so that we can determine how to successfully replicate 
those results.
    One of the major problems at OIT has been high turnover in 
leadership. VA has had five Chief Information Officers in 4 
years. I am glad that the confirmed leader is in place and I 
wish Mr. Gfrerer success in his position, and I hope that he is 
able to implement some of the critical change that is needed at 
OIT. However, you will note that we have an empty chair at the 
table where OIT should be represented. The Subcommittee invited 
Mr. Gfrerer to the hearing today, but the VA declined, because 
he is testifying before the Full Committee later this 
afternoon. That is somewhat understandable, and we told the VA 
we would accept a Deputy for testimony today.
    I want to be clear that we won't stand on ceremony in the 
Subcommittee. We want to engage with knowledgeable management 
and staff, no matter their title, to better understand these 
challenges and figure out the solutions. Unfortunately, VA 
refused this Subcommittee's request.
    I hope we will hear from OIT at a Subcommittee hearing in 
the near future, because if we want VA to be able to 
successfully deliver health care and benefits to our veterans, 
OIT has to be an effective part of that effort.
    There is no doubt that we want OIT to succeed at its 
mission, because its success means that veterans get the 
highest level of care and reliable access to the benefits they 
have earned.
    I am pleased to have Members of our oversight community 
here today to help the Subcommittee further its oversight of 
technology at VA. I look forward to testimony from the GAO and 
OIG, and engaging in discussion with them now and moving 
forward.
    Thank you.
    Ms. Lee. I would now like to recognize my colleague Ranking 
Member Banks for 5 minutes to deliver any opening remarks he 
may have.
    Mr. Banks.

         OPENING STATEMENT OF JIM BANKS, RANKING MEMBER

    Mr. Banks. Thank you, Madam Chair. It is my privilege to be 
working with you on this Subcommittee this Congress.
    We got off to a great start with oversight of the HR 
Modernization Program last year; that continues to be my 
priority, but our jurisdiction extends to all enterprise 
technology projects, and I commend you for considering other 
issues as well.
    The VA Office of Information and Technology is responsible 
for the networks, computers, and software that VBA, VHA, and 
NCA rely on to carry out their missions. I was relieved to see 
the Chief Information Officer, Mr. Gfrerer, confirmed by the 
Senate on the very last day of the 115th Congress. We had a 
candid, encouraging meeting in my office last month and I look 
forward to working with him.
    I understand that Mr. Gfrerer will be testifying before the 
Full Committee this afternoon, but I was surprised and, 
frankly, disappointed that not only was he unable to appear 
this morning, but VA declined to send any witness in his place 
from OIT. I was hoping to start this year with a discussion of 
OIT's activities and priorities. I appreciate the Secretary 
outlining his focuses: EHRM, the MISSION Act, supply chain 
integration with DoD, and financial systems modernization; 
given the circumstances, I am going to take this opportunity to 
outline mine.
    VA's number one IT problem, before we even get into 
specific programs, is that operation and maintenance of legacy 
systems and fixed infrastructure cost consume almost all of the 
OIT budget. When I joined this Committee, that percentage was 
about 80, and now it is approaching 90. We have been devoting 
more attention to IT, but the situation is actually getting 
worse.
    The Administration is proposing a $240 million OIT increase 
on a base of about $4.1 billion. I agree, we have to invest in 
IT, but I need to know this will actually bend that cost curve 
and produce some new capabilities rather than perpetuate the 
current state of affairs.
    As to EHRM, OIT's role is upgrading the networks and 
computer hardware at the medical centers in anticipation of 
Cerner being installed. I am cautiously optimistic that OIT is 
actually ahead of the curve here. Although OIT's role has not 
changed, VA has decided to shift many of these infrastructure 
costs out of the EHRM appropriation into the OIT appropriation. 
I do not object to that in principle, but I am concerned about 
transparency.
    As to the MISSION Act IT systems, chiefly the Decision 
Support Tool, I appreciate the media bringing attention to the 
issue, but we are getting a lot of alarming conjecture without 
the basic information about what the projects are and what they 
are supposed to do. I look forward to discussing that in this 
afternoon's hearing.
    As to the VA adopting DMLSS from DoD and integrating the 
supply chains, I generally agree with the concept, but I have 
been given very little information on which to base an opinion. 
The Subcommittee needs an in-depth briefing on the pilot site, 
and we know to know the long-term plan. I think adding DMLSS to 
the EHRM scope of work in Spokane and Seattle might be one too 
many blocks on the Jenga tower.
    I will say that I am concerned about what impact the cost 
of these new systems for the MISSION Act, supply chain, and 
others will have on bending that operations and maintenance 
cost curve.
    DST is a new system integrating data from a half a dozen 
legacy systems and it is going to layer on top of them, not 
replace any of them. Integrating DST with CPRS is messy and 
difficult, and the whole goal of EHRM is to get rid of CPRS. 
DMLSS has existed in DoD for a long time, but is going to be a 
complicated integration into VA. I see a natural tension here 
between adding new systems that are necessary to VA's mission 
and retiring old systems to bend that cost curve.
    Finally, as to the Financial Management Business 
Transformation Program, I need to see some forward movement. VA 
started FMBT almost 3 years ago and I have watched it relaunch 
three separate times, balloon in cost to above $2 billion, but 
not deliver any new capabilities. We have been told that the 
old financial and accounting software barely holds together, 
and VA's ability to pass an audit is hanging on by a thread; 
that sort of thing absolutely gets my attention, but FMBT 
stalls and the status quo seems to continue without incident. 
That makes me question the urgency that VA used to sell this 
program.
    I appreciate our witnesses from OIG and GAO being here and 
I am eager to hear your perspectives. And with that, Madam 
Chair, I yield back.
    Ms. Lee. Thank you, Mr. Banks.
    I will now introduce the witnesses that have come before 
the Subcommittee today. First, I would like to introduce Carol 
Harris, who is the Director of Information Technology 
Acquisition Management Issues at the U.S. Government 
Accountability Office.
    Brent Arronte is the Deputy Assistant Inspector General in 
the Office of Audits and Evaluations in the VA Office of the 
Inspector General, and he is accompanied by Michael Bowman, who 
is the Director of Information Technology and Security Audits 
Division within the Office of Inspector General. Welcome.
    We will now hear the prepared statements from our panel 
Members. Your written statements in full will be included in 
the hearing record without objection.
    Ms. Harris, you are recognized for 5 minutes.

                   STATEMENT OF CAROL HARRIS

    Ms. Harris. Thank you, Madam Chairlady.
    Chair Lee, Ranking Member Banks, and Members of the 
Subcommittee, thank you for inviting us to testify today on the 
state of IT acquisitions and operations at VA. As requested, I 
will briefly summarize our prior work on the Department's 
systems modernization efforts over the last decade, as well as 
its IT acquisition reform and cyber security efforts.
    As you know, the use of IT is crucial to helping VA 
effectively serve the Nation's veterans. Each year the 
Department spends billions of dollars on its information 
systems and assets. VA's IT budget now exceeds $4 billion 
annually. This morning I would like to highlight three key 
points from our body of IT-related work at VA.
    First, VA's management of IT system modernization efforts 
continues to be high risk. VA's track record of delivering 
failed or troubled IT systems is a large part of why we 
designated VA health care as a high-risk area for the Federal 
Government in 2015.
    For example, VA pursued three efforts over nearly two 
decades to modernize VistA, its health information system. 
These efforts experienced high costs, challenges to ensuring 
interoperability of health data, and ultimately did not result 
in a modernized system. VA recently initiated its fourth 
effort, called the Electronic Health Record Modernization, and 
the program is already facing serious challenges.
    As we have previously reported, the Government's plan for 
this program has not been fully defined, nor has the VA fully 
implemented our recommendation to define a role of the key 
office in its governance plans.
    VA's Veterans Benefits Management System, its system for 
processing disability benefit claims, we pointed out that the 
system was not able to fully support disability and pension 
claims, as well as appeals processing. The development of this 
system was expected to be completed in 2015, but that did not 
occur, and VA had not produced a plan that identified when the 
system would be completed.
    We also noted three areas that were in need of increased 
management attention: cost estimating, system availability, and 
system defects. Accordingly, we made five recommendations to 
improve VA's ability to more effectively complete and deliver 
the system. The Department has only addressed one of the five 
recommendations thus far.
    My second point, VA's progress to better manage its IT 
operations is uneven and its CIO authorities continue to have 
key weaknesses.
    I am pleased to report that the Department has implemented 
a comprehensive software license management program based on 
six recommendations we made in 2014. As a result, VA is able to 
analyze agency-wide software license data such as usage and 
costs, and it subsequently identified about $65 million in cost 
savings over 3 years from analyzing just one of its licenses. 
However, progress is much more limited when it comes to 
accurately assigning risk to VA's IT investment portfolio, as 
well as meeting OMB's targets for data center closures and 
optimization.
    The Department also lacks policies fully addressing the 
role and responsibilities of the CIO in four of six statutory 
areas, including IT workforce and budgeting. Ensuring that 
these CIO authorities are formalized is especially critical for 
the Department, as they have had ten CIOs since 2004 and six 
since 2012, thus making the average CIO tenure at VA less than 
2 years.
    Lastly, in the area of cyber security, VA has more work to 
ensure its high-impact systems are adequately protected. These 
systems hold sensitive information, the loss of which could 
cause a Nation catastrophic harm. In May 2016, we found VA had 
implemented a number of security controls over selected 
systems, but that it had also not always effectively 
implemented access controls, patch managements, and contingency 
planning to protect the confidentiality, integrity, and 
availability of these critical systems. These weaknesses 
existed in part because VA lacked a robust information security 
program.
    Moving forward in these three areas I noted, it will be 
critical for VA to fully and effectively implement our 17 open 
recommendations as soon as possible. Doing so will better 
position the Department to more effectively deliver secure 
systems and IT operations that meet mission needs, and also, 
where available, realize additional cost savings.
    That concludes my statement. I look forward to addressing 
your questions.

    [The prepared statement of Carol Harris appears in the 
Appendix]

    Ms. Lee. Thank you, Ms. Harris.
    Mr. Arronte, you are now recognized for 5 minutes.

                   STATEMENT OF BRENT ARRONTE

    Mr. Arronte. Thank you, Madam Chair, Ranking Member Banks, 
and Members of the Subcommittee, thank you for the opportunity 
to discuss the Office of Inspector General's oversight of VA's 
Office of Information and Technology.
    VA faces challenges in developing IT systems it needs to 
support its current goals and overall mission. For over 20 
consecutive years, information security has been reported as a 
material weakness in VA's consolidated financial statement 
audit. Our audits have shown that IT systems development and 
management at the VA is a long-standing, high-risk challenge. 
Despite some incremental advances, our reports indicate VA IT 
programs are still often susceptible to cost overruns, schedule 
slippages, and performance problems.
    Further, VA struggles to maintain a permanent CIO. Since 
June of 2013, VA has had six permanent or acting CIOs. From 
January 2017 to January 2019, there have been three acting 
CIOs. With such turnover in a key position, it is difficult for 
VA to support and drive IT innovation for the Department.
    In fiscal year 2016, the VA's Chief Information Officer 
formed an Enterprise Cyber Security Strategy Team, also known 
as ECST, that developed an Enterprise Cyber Security Strategic 
Plan. The plan was designed to help VA achieve transparency and 
accountability, while securing veteran information through 
teamwork and innovation. The team scope included management of 
current cyber security efforts, as well as the development and 
review of VA's operational requirements from desktop to 
software to network protection.
    The ECST has launched 31 plans of action to address 
previously identified weaknesses. We continue to see 
information systems security deficiencies similar in type and 
risk level to our findings in prior years, and an overall 
inconsistent implementation of the security program.
    Our annual FISMA audits indicate that the Enterprise Cyber 
Security Plan efforts has not been fully effective in 
addressing or eliminating material weaknesses found in VA's 
information security program for fiscal year 2018.
    Examples of some of those weaknesses identified are legacy 
financial management system, password standards not 
consistently implemented, and users provided inappropriate 
access to some systems, and systems not securely configured to 
mitigate vulnerabilities.
    VA is also challenged in developing IT systems needed to 
support mission goals. Recent OIG reports disclose that some 
progress has been made in timely deploying system functionality 
because of the agile system development methodology. However, 
despite these incremental advances, VA struggles with cost 
overruns and performance shortfalls in its efforts to develop 
several major mission-critical systems.
    VA's mechanism for overseeing IT program management has 
improved, but has not been fully effective in controlling these 
IT investments.
    Our work has demonstrated that VA continues to struggle 
with its IT investments and securing IT systems. Some 
improvements in information security management have become 
evident with the inception of the ECST initiative; however, 
more work remains to be done and VA needs to remain focused on 
addressing OIG recommendations in the security and development 
of IT systems. Until a proven process is in place to ensure 
control across the enterprise, the IT material weaknesses may 
stand, and VA's mission-critical systems and sensitive 
veterans' data may remain at risk of attack or compromise.
    Madam Chair, this concludes my statement. We would be happy 
to answer any of your questions or questions from other Members 
of the Committee.

    [The prepared statement of Brent Arronte appears in the 
Appendix]

    Ms. Lee. Thank you very much, Mr. Arronte.
    We will now begin the question-and-answer portion of the 
hearing, and I would like to start by asking a few questions of 
Ms. Harris from the GAO.
    The GAO has included the VA on its high-risk list since 
2015, at least partially because of the information technology 
struggles. In your report to congressional committees in March 
of 2019, GAO found that the VA had regressed in the area of 
leadership commitment.
    Will you explain GAO's views on why this rating changed for 
the worse?
    Ms. Harris. Yes, ma'am. So the reason why VA regressed in 
this area is because of the frequent turnover in the CIO 
leadership. Again, the average turnover--or the average tenure 
of the VA CIO is less than 2 years and that is a major problem.
    Our work has shown that the CIO needs to be in office 
roughly 3 to 5 years to be effective, and about 5 to 7 years 
for any major change initiative to take hold in a large public 
sector organization.
    And so that is the primary reason as to why VA regressed in 
that area.
    Ms. Harris. Thank you.
    What is the status of the VA's efforts to address the 
recommendations that the GAO had made in relation to VA's IT 
management issues?
    Ms. Harris. Well, we have made 29 recommendations in total 
related to the IT management challenges, VA has closed roughly 
40 percent of those recommendations thus far, so there are 
about 60 percent that are remaining. And so those are related 
to the disability benefits system and ensuring that they have a 
plan in place for when they intend to complete the remaining 
functionality for that system. That is one of the priority 
recommendations that we have identified.
    Another priority recommendation that we believe VA should 
implement as soon as possible is defining the role of the 
Interagency Program Office on its Electronic Health Records 
Modernization Program, and they should do that as soon as 
possible.
    And then the last priority recommendation of that remaining 
60 percent that are open are related to data center 
optimization, because, as Mr. Banks had noted, you know, 80 
percent of the IT OI&T budget is mired in that legacy system 
money. And so to identify areas where there can be cost 
savings, data center optimization is one of those areas where 
cost savings in that area could be reinvested into developing 
new modernized systems.
    Ms. Lee. How many of--speaking of those top priorities in 
your recommendations, how many of those require the leadership 
of the CIO?
    Ms. Harris. All three areas require the leadership of the 
CIO. I mean, certainly in the area of the Electronic Health 
Records Modernization, the CIO doesn't play the primary role, 
he is more of a supporting role for the Department, but his 
leadership still needs to be there, because he will be 
responsible for the infrastructure that is necessary for when 
that system is deployed.
    Ms. Lee. Thank you.
    Mr. Arronte, in your recent report on the Forever GI Bill 
implementation, you found that no one appeared to be in charge 
of the project. This seems to, unfortunately, be a common theme 
at the VA. What were your findings regarding the lack of 
accountability?
    Mr. Arronte. Yes, ma'am. We found there was no single 
accountable management official. And what happened--and we 
agree with you, this seems to be a common theme, and what 
happens is, when it is time to make final decisions about an 
initiative or an application, there is nobody there to do that. 
So it stalls the initiative, the initiatives tend to be pushed 
out the door when they are not ready, and then what we end up 
seeing is functionality problems with those programs as they 
mature. And then they try to fix it in flight, so to speak, and 
they struggle with that.
    I think they struggle with program management across the 
board when it comes to IT initiatives.
    Ms. Lee. In your opinion, why do you think the VA has found 
it so difficult?
    Mr. Arronte. Without trying to speculate too much, based on 
our experience, I think there is just--maybe this is a poor 
analogy--maybe there are too many chefs in the kitchen, and 
everybody has ownership of a piece of this, and I think there 
is poor communication between the CIO's office and the 
administrations.
    Ms. Lee. Thank you very much.
    I now yield 5 minutes to Mr. Banks for his questions.
    Mr. Banks. Thank you, Madam Chair.
    Ms. Harris, the last time you testified before the 
Subcommittee, we were talking about the IPO, the Interagency 
Program Office, and the management of EHRM and MHS Genesis. 
Everyone agreed the IPO is not living up to Congress' vision 
for a single point of accountability. At the time, I promised 
legislation on the subject. Unfortunately, DoD and VA still 
have not come to any decisions.
    Last week, staff began circulating a summary of the 
legislation, we are working to finalize it. The idea is the IPO 
should be re-purposed to organize all aspects of 
interoperability, not just the electronic health records, 
between DoD, VA, and the Office of the National Coordinator. 
The departments will have to figure out what level of 
centralized control they want, but we need to focus on 
comprehensive interoperability.
    What more can you add today about the IPO's role and what 
is your opinion of the concept of that type of legislation?
    Ms. Harris. I appreciate the question, Mr. Banks. I think 
the IPO, as it is currently operating, is not an effective 
office for leading or for being that central point of 
accountability. I think you have two departments, VA and DoD, 
who are unwilling to relinquish control to a third party to 
make those decisions. And I think that this is actually the 
most important recommendation that we have made for the EHRM 
program. If DoD and VA cannot formalize a process for how they 
are going to adjudicate these really tough issues, they are 
going to fail again in this fourth attempt in integrating their 
systems.
    So, again, having a single point of accountability is 
crucial, because when the wheels start falling off the bus, we 
have to be able to identify who is responsible in order to 
effectively have corrective actions.
    And in terms of the proposed legislation, we are happy to 
take a look at it and weigh in, and certainly, you know, we are 
happy to meet with you to discuss that further.
    Mr. Banks. I appreciate it. I hope we can get there before 
the wheels fall off the bus and correct the problems before it 
gets to that point.
    Ms. Harris. Absolutely.
    Mr. Banks. My next question is for anyone who wants to 
answer it.
    The major recent organizational changes in OIT seem to be 
the creation of the IT Operations and Service Division, which 
centralized the help desk support and the Enterprise Program 
Management Office, which is the, quote, ``air traffic control 
tower,'' if you will, for all of the IT projects.
    Are these offices making a positive impact? And, if not, 
how would you improve it?
    Mr. Bowman. Every year, we evaluate VA's information 
security program under FISMA, and we do interact with the ITOPS 
personnel when we are conducting site visits at 24 VA 
facilities. We are seeing incremental improvement, some 
incremental improvements over accountability. We are starting 
to see roles and responsibilities defined as it relates to IT 
security, but the improvements have just been marginal at best.
    Mr. Banks. Anybody else? Okay.
    Ms. Harris. I will say, just in terms of centralization, 
one of the benefits that we have seen or one of the good things 
to come out of centralizing IT at VA is in their software 
license management area.
    Previous to VA implementing our recommendations, the 
management of these licenses were relatively decentralized, and 
now they actually have a comprehensive inventory of their 
licenses and they are able to systematically identify the costs 
and the usage associated with these individual licenses. And so 
now they are in a better position to identify cost savings as a 
result and so that is one of the benefits of this 
centralization.
    I think one of the things that they should be focusing on 
if they are going to continue this route is, you know, when it 
comes to IT project management and utilizing and sharing IT 
best practices in the area of, for example, agile software 
development, they can harness this type of an approach to 
ensure that their IT project managers are adequately trained in 
this area, so that they can have adequate oversight over their 
contractors who are also utilizing this same software 
methodology.
    Mr. Banks. I appreciate that. I don't have enough time to 
ask another question, but I will save more for the second round 
with that.
    I will yield back.
    Ms. Lee. Thank you, Mr. Banks.
    I would now like to recognize Ms. Brownley from California.
    Ms. Brownley. Thank you, Madam Chair, and thank you for 
holding this hearing that is an important one. And I just want 
to say that I agree with you wholeheartedly about your 
disappointment and our disappointment that VA has failed to 
send a witness here for today's hearing.
    You know, Congress has a huge responsibility in terms of 
oversight and making sure that VA is hitting its benchmarks and 
it is modernizing its IT systems, especially with large-scale 
undertakings like the electronic health record--already said, 
fourth attempt, this was an important one to succeed in--all of 
the IT systems involved in the implementation of the MISSION 
Act, just to name a few, it is critically important that we 
know. So we put a lot of trust in the VA that they are meeting 
their benchmarks and moving forward in the timeframe that they 
set out to do, but if they are not here today it is really very 
hard to have any confidence or trust that VA is doing what they 
should be doing.
    So, I share your concerns and I am disappointed that they 
are not here.
    I wanted to follow up with you, Ms. Harris, on your comment 
around the CIO and the turnover that it has had. If you could 
tell us in your opinion, you know, why is this happening? What 
is causing it? What are the--are there barriers? Is it the job 
description in and of itself?
    Why is it that it is so difficult to have a high-quality 
leader in this very important position and hold on to that 
person?
    Ms. Harris. Well, we have seen a high turnover of CIO 
leadership across the Federal Government. This isn't a problem 
that is specific to the VA necessarily, but the actual tenure 
of less than 2 years makes VA one of the most challenging of 
the bunch for sure.
    I am not quite sure as to why specifically VA can't seem to 
hold on to a CIO; however, I do commend them for recently 
making the change of ensuring that the CIO does report directly 
to the Secretary, because that is an important elevation of the 
position. I think that that recent change by VA will actually 
help them have a CIO stay in the position longer, because when 
that position is elevated then you are going to retain and 
recruit high-quality CIOs.
    And also I think that, you know, when it comes to the CIO 
position, if VA can have the CIO, Mr. Gfrerer, in this position 
for about 3 to 5 years, that is when, you know, based on our 
work, we have seen CIOs become more effective, and especially a 
large change management program like EHRM, the Electronic 
Health Records Modernization Program. You are going to want Mr. 
Gfrerer to be in there at least 3 to 5 years, hopefully longer, 
5 to 7 years, where we have actually seen success in public 
sector organizations.
    Ms. Brownley. Thank you. You also mentioned too that it is 
going to be necessary for the DoD and the VA to iron out its 
differences and be on the same page in order to properly 
implement the EHR Modernization. And to me, when I hear that, 
my sense is that we should stop right now until, you know, we 
have crossed our Ts and dotted our Is before--that this has to 
be ironed out first and foremost. It sounds like this is a 
critical piece, I mean common sense will tell you it is a 
critical piece, it is the reason why we have been unsuccessful 
over many, many, many years.
    So what are your recommendations in terms of, you know, in 
our oversight responsibilities how we should proceed?
    Ms. Harris. Ensuring that VA fully defines the role of the 
Interagency Program Office with DoD is the most important 
action that VA can take to ensure that the EHRM program is a 
success. If they do not fully define that process with DoD, 
they are going to fail.
    Ms. Brownley. Well, that seems abundantly clear.
    I know my time is running out, but I just wanted to touch 
upon the Family Caregiver Program. It is a very important 
program in terms of its expansion and moving forward and I 
know, again, the IT systems have really delayed the 
implementation of that program, and if there were any comments 
in terms of how that is progressing.
    [Pause.]
    Ms. Brownley. I yield back my time.
    Ms. Lee. Thank you, Ms. Brownley.
    I would now like to recognize Mr. Lamb from Pennsylvania.
    Mr. Lamb. Thank you very much, Madam Chairwoman.
    I want to address a couple of big-picture questions first. 
And I apologize if this retreads any ground that you covered 
before I got here, but I just want to open this to all three 
witnesses.
    I see kind of a couple of different ingredients in the 
recurring problem that we keep having with the Electronic 
Health Records, with the GI Bill benefits, with some of the 
issues with disability claims that we have had on the IT side.
    There is clearly a management and leadership piece in terms 
of achieving stable leadership in the CIO position and 
leadership that is willing to show up for relevant hearings, 
but then obviously there is an investment component as well. 
There are many people who feel that the IT infrastructure is 
outdated.
    There is kind of a recurring problem, it seems like, in 
Federal infrastructure generally where money gets doled out 
piecemeal over a lot of years in a way that makes it difficult 
to ever finish the task of a single big investment.
    So I guess if you think about those two factors, leadership 
and money, can you address at all whether one of those is more 
to blame for the recurring problems that we keep having or the 
other, or is it something else entirely?
    Mr. Bowman. I can certainly talk about our ongoing work 
with the VA's implementation of FTAR and that relates to the 
CIO's ability to see IT acquisitions across the enterprise, be 
involved in the planning, programing, budget, and execution 
aspect of that. And, although our draft report is under 
development, we are seeing that the CIO is not actively 
involved in the planning and budgeting of IT within all the 
administrations across the enterprise. I think that has a real 
adverse effect, and then you combine that with the frequent 
turnover, it is a recipe for disaster.
    Mr. Lamb. Ms. Harris, do you have anything to add to that?
    Ms. Harris. I actually would like to add to what Mr. Bowman 
is saying about the CIO's absence in the IT budgeting process. 
Actually within VA, VA does not have any policies associated 
with the CIO's roles and responsibilities associated with IT 
strategic planning whatsoever and only a minimal amount of 
policies in place related to the IT budgeting aspect. And that 
is a major problem, especially with this frequent turnover of 
CIOs that we have.
    Having codified policies that ensures that the CIO 
establishes goals for improving agency operations through IT 
and measuring progress against those goals is absolutely 
critical. So we have made recommendations in this area and VA 
should be--we want VA to implement them as soon as possible.
    Mr. Lamb. Thank you.
    And I think the kind of separate issue that is kind of 
hanging out there, I think that makes a lot of sense for the 
year-over-year regular budgeting for IT investments, 
maintenance, that kind of thing. Obviously, we have the second 
massive project with the electronic health records.
    Given the instability in leadership that we have talked 
about, again, the unwillingness to show up to a relevant 
hearing, do you have any suggestions to us as to how we can 
make sure that this EHR project actually stays on schedule and 
within budget, or at least that we know when there is a red 
flag? You know, we don't want to happen on the VA side what 
happened on the DoD side with this sort of disastrous rollout 
when it was show time. So, any specific suggestions there?
    Ms. Harris. Well, the first is defining the role of the IPO 
and having a single point of accountability, ensuring that DoD 
and VA have a formalized process for adjudicating those tough 
issues. That is the first piece.
    The second piece is ensuring that VA develops a 
comprehensive baseline for its EHRM program with a reliable 
cost estimate and a reliable schedule with performance targets 
that can be tracked, because what we have seen in these large, 
major IT programs with VA is that they lack this baseline plan. 
And so it is really challenging to hold their management 
accountable in the absence of a plan.
    So those are the two key things that VA needs to be set up 
for success.
    Mr. Lamb. Would that differ from the way the DoD did the 
rollout at the limited number of sites? I mean, I guess, what 
are you saying specifically in terms of a performance target, 
can you give an example?
    Ms. Harris. Well, I mean, the rollout of sites, I am not 
saying that that should be necessarily different. I think 
piloting is certainly the way to go, but having performance 
targets associated with the system itself, for example, in 
measuring system defects or measuring customer satisfaction, 
those are key areas that VA will have to make sure that they 
have measurable targets in place for.
    Mr. Lamb. Thank you.
    I yield back.
    Ms. Lee. Thank you, Mr. Lamb.
    I would now like to recognize Mr. Banks for additional 
questions.
    Mr. Banks. Thank you very much, Madam Chair.
    First of all, Ms. Harris, in your testimony you write that 
the VA operates 240 information systems. Could you put that 
into perspective for me a little bit? Is that a lot for an 
agency the size of the VA? And about how many systems would VA 
need under optimal conditions?
    Ms. Harris. Well, VA operates one of the most complex and 
largest IT networks within the civilian agencies. I mean, you 
look at their IT budget, it is the third highest behind DHS and 
HHS. I can't tell you what the right number of systems should 
be, but considering that 80 percent of their budget goes to 
maintaining old legacy systems, that is a major problem both 
from an operational perspective of having to ensure that they 
have the personnel in place to maintain old code, but also from 
a cyber security perspective as well, that is a major challenge 
for them.
    So--
    Mr. Banks. Is 240 a lot or that is--because of the 
complexity of the systems, that is within range of what you 
would expect?
    Ms. Harris. I would say that that number is high. And, 
again, taking a look at where the money is going, since only 20 
percent of their money is going towards developing modernized 
systems, that makes it a problem. So there isn't enough money 
available to invest into, you know, decreasing that, turning 
off old legacy systems and investing into new systems.
    I can't tell you what the right number would be, but--
    Mr. Banks. Okay, thank you for that. I will move on.
    Mr. Bowman, I understand that you manage the VA Cyber 
Security Audit under the Federal Information Security 
Modernization Act. In 2015, you found 35 weaknesses; last year, 
you found 28. That seems like slow progress towards securing 
veterans' data.
    Historically, what has VA done to address the FISMA 
recommendations and how would you characterize their progress?
    Mr. Bowman. So when I first came to VA to become the 
Director back in 2008, there was about 33 outstanding 
recommendations in connection to the FISMA work. So that if you 
compare that today from our most recent report, we are now down 
to 28 recommendations.
    Most of the improvement that I have seen VA do is really it 
is in policy, it is in plans of action and milestones. Incident 
handling and response has also made an improvement. But as far 
as making corrections and remediations to address access 
control issues, configuration management issues, disaster 
recovery issues, the progress has been just marginal at best. 
It is--
    Mr. Banks. So what are the barriers that are preventing the 
VA from--I mean, 35 to 28, that doesn't seem like very good 
progress to me. What is stopping us from substantially 
diminishing that number?
    Mr. Bowman. In my opinion, that VA has to implement a more 
robust vulnerability management program. They need to be able 
to identify the vulnerabilities and correct them before we 
conduct our FISMA audits.
    And there are times where VA is seeing these issues at the 
same time that we are seeing them every year. And so that has 
to be a more proactive program. They need to be able to patch 
their systems in a more timely manner. We are finding systems 
that are outdated with security updates by more than 2 years 
and these are on the mission-critical systems.
    They also need to make IT security a priority and there are 
years where we just don't feel that they are dedicating the 
resources to take these issues seriously.
    Mr. Banks. So, a lack of urgency?
    Mr. Bowman. In my opinion, yes.
    Mr. Banks. Okay. Of the 28 recommendations last year, the 
VA didn't concur with three of them, claiming that they had 
already been resolved. Can you explain these recommendations 
and whether or not you agree with the VA's position?
    Mr. Bowman. Well, part of it was is that we sat with VA 
several times, we asked for them to provide us supporting 
documentation, so that we could conclude whether or not the 
corrective action plans had been remediated. VA did not provide 
them to us, nor were we able to perform any subsequent testing, 
and for that reason those recommendations remain.
    Now, going forward, we are going to put efforts to see 
whether or not those corrective action plans are effectively 
mitigating the vulnerabilities. It just remains to be seen 
right now, but I don't feel VA made a concerted effort to give 
us the information we were asking for.
    Mr. Banks. All right, let me get one more question in 
really quick, continuing on the same subject. What are the VA's 
most significant risks from its many systems that are connected 
with external organizations?
    Mr. Bowman. I think it is very important you have got to 
monitor all system interconnections on the VA networks. They 
have got hundreds of business partners, they have got numerous 
connections in and out of the network. VA doesn't monitor all 
those systems.
    Now, going forward, there is only maybe about five or six 
that aren't monitored, which is better than how they were doing 
4 or 5 years ago, but you really shouldn't have any 
interconnections that weren't monitored, because your partners, 
their security posture may be far worse than VA. They could be 
a vector right into your network and, without monitoring it, VA 
doesn't know whether or not its systems are infiltrated.
    Mr. Banks. Thank you. My time has expired.
    Ms. Lee. Thank you, Mr. Banks.
    I want to talk about, you know, successful IT programs 
require that agencies know exactly what they are building or 
buying, who the users are and what they are actually going to 
need. This is requirements development and it takes a lot of 
legwork by the agency to research and talk to stakeholders, and 
it is also a place where many agencies under time and money 
constraints tend to fall short.
    Mr. Arronte or Ms. Harris, either one of you, what are some 
of the best practices that the GAO and OIG have identified 
regarding requirements development and recommendations?
    Ms. Harris. One of the most critical success factors in 
delivering major IT programs is, as you mentioned, requirements 
development and management, ensuring that the program is 
adequately involving the end users in the development of those 
requirements. And then from there prioritizing requirements, 
because as if, for example, funding becomes unstable or gets 
cut, you are going to want to be able to very quickly, you 
know, de-scope the program as necessary.
    And so those are the two critical success factors that we 
have found regarding requirements in delivering IT systems.
    Mr. Bowman. I definitely agree that agile software 
development practices. The sooner you get the end users 
involved in developing the requirements and testing it and on 
the rollout, you are more likely to hit your targets. But I 
think it is also important that VA stabilize their 
functionality requirements. A lot of times in these projects 
they will go in with a general idea of what they want and, as 
they start developing a road plan, they realize that they need 
a lot more functionality to achieve end user goals and to meet 
the goals of the project. So, without stabilizing that, you are 
not going to hit your schedule, you are not going to hit your 
cost goals, and then the system will not perform as intended.
    Ms. Lee. Thank you. Mr. Arronte, the OIG reviewed the issue 
of unwarranted medical examinations for disability benefits and 
found that the VBA needed to take steps to prioritize the 
design and implementation of system automation reasonably 
designed to minimize unwarranted reexaminations. The VBA then 
concurred with the recommendation, but the OIG Web site says it 
was not implemented because, quote, ``the recommendation was 
unable to be satisfactorily addressed despite significant 
efforts due to the lack of resources or other reasons.''
    Could you elaborate on that?
    Mr. Arronte. Yes, and this was kind of a surprise to us. 
Typically, we meet with the Department and we discuss our 
recommendations. They came back; they felt that the 
recommendation was a good recommendation that they wanted to 
implement. And then, as they started moving along the course to 
implement, OI&T came and told them, well, we might be able to 
do this, but it is going to be 18 to 24 months before we can do 
this. And when we make our recommendations, we try to gear our 
recommendations to be implementable within a year. So, once VBA 
leadership was notified that this was not going to happen in a 
year, they came back to us and said, look, we are not going to 
be able to do this; not that we don't agree with it and not 
that we don't want it, but OI&T is telling us 18 to 24 months.
    Ms. Lee. So there was no way to sort of define what could 
be accomplished within a year?
    Mr. Arronte. No. And OI&T, the way they prioritize what is 
important is--I can speak from VBA, VBA senior leadership has 
conveyed to me that it is unclear to them how OI&T prioritizes 
work across the Department.
    Ms. Lee. Okay, that is surprising.
    Ms. Harris, one more question. I have just a little bit of 
time. One of the issues that the GAO cited with regards to the 
Forever GI Bill implementation was that the VBA Education 
Service and the Office of Information and Technology could not 
agree on what a working solution was.
    You know, we have talked about having a single point of 
accountability can be helpful to prevent this type of 
disagreement, but what other types of mechanisms can an agency 
have in place that would help keep the project's scope on 
track?
    Ms. Harris. Well, certainly having strong leadership in 
place is absolutely vital and ensuring that program staff have 
the necessary knowledge and skills from an IT management and 
contractor oversight perspective. Those are two major areas 
that are common to successfully delivering an IT system.
    Ms. Harris. Thank you.
    I now yield to Mr. Banks.
    Mr. Banks. Thank you, Madam Chair.
    Mr. Arronte or Mr. Bowman, the VA also undergoes a 
financial statement audit every year, which includes IT systems 
and cyber security. I understand there are many material 
weaknesses in that audit as well. What actions should VA take 
to correct the material weaknesses?
    Mr. Arronte. So Mr. Bowman is going to speak specifically 
to some of the IT challenges. We do have one that is directly 
related to information technology and it is ensuring effective 
information security program and system controls. And one of 
the things that we see--and we have talked about budget and 
management and which one is more or less important--with these 
security controls and the CIO not being part of the budget 
process, what we find is medical centers are purchasing IT 
equipment under their own budget, and then what happens is the 
CIO is unaware that this equipment has been purchased, so the 
CIO is not--there is no process to ensure that the security of 
this equipment is in place because the CIO was unaware of it.
    Mr. Bowman. Related to IT, even though that my focus is of 
FISMA, part of that focus is to evaluate the IT controls in 
connection with the consolidated financial statement audit as 
well, and so what we see in FISMA is basically duplicate issues 
that we find for the consolidated financial statement.
    So the real issues, the way for VA to remediate the 
material weakness and get it downgraded to a significant 
deficiency is we have got to see password controls consistently 
implemented across all systems. And we still see passwords with 
the same user name and passwords sometimes 2 and 3 years 
running, we have got default passwords. And, you know, when you 
are briefing the VA Secretary and we start explaining that, it 
is really uncomfortable, because that seems like very low-
hanging fruit and why is that a discussion point every year 
when we brief out on the financial statement. So that is first 
and foremost.
    The other thing--
    Mr. Banks. You brief that over and over again, but little 
to no progress in addressing it?
    Mr. Bowman. It certainly gets a lot of air time at the 
meeting and, you know, there is a lot of focus that says, well, 
we are going to get rid of this next year. Either our testing 
methods are very good or just VA is lax, it is hard to tell. 
Sometimes we just go back and test the same systems and we will 
find those same user accounts with unchanged passwords.
    But the other thing is, is VA has legacy systems that are 
no longer supported by the vendor, so they can't update those 
systems for, you know, hot fixes and security patches to 
address emerging IT security issues.
    And so, unless you resolve those, the material weakness 
will remain.
    Mr. Banks. Unbelievable, but let's move on.
    Mr. Arronte, in your testimony you cite the VA IT budget 
proposal as $4.3 billion. Does that include all IT spending?
    Mr. Arronte. No, sir, it does not. And, as I alluded to 
earlier, what happens is VHA has a specific line item for the 
purchases of IT equipment, which I was in a meeting and we 
asked the CFO at the time, why is there a specific line item 
for the hospitals or the VA MCs or the VISNs to purchase IT 
equipment without going through the CIO? And what we were told 
was it takes the CIO's office too long to approve equipment 
that we need now.
    Mr. Banks. So let me ask you, what are the practical 
consequences of having IT activities that the Chief Information 
Officer isn't aware of?
    Mr. Arronte. So, one, cost overruns; two, duplication of IT 
acquisition equipment; and, third, not being able to--because 
you are unaware of this equipment, you can't place security on 
it and you can't track it, and then it becomes an inventory 
issue as well.
    Mr. Banks. That is startling and troubling, and, with that, 
I will yield back.
    Ms. Lee. I am going to continue on this with respect to the 
electronic health records revamp that we are doing in terms of 
the acquisition process.
    Do you have recommendations? I mean, we have the $10 
billion contract with Cerner and then the $6 billion that the 
VA needs to use for the infrastructure and the equipment. Are 
there recommendations you have to make sure that process is as 
successful as possible?
    Mr. Arronte. So we have not done any formal work with EHR. 
We have staff that attend clinical council meetings to monitor 
the progress. Right now we understand that there are 
discussions between VA and DoD on medical coding. Until some of 
that is resolved, I am not sure what our role is going to be 
with the limited resources we have. But I think a good answer 
is, look at the past practices, look at the past--like Mr. 
Banks indicated, 33 recommendations, 28 recommendations, they 
can't get security on equipment right.
    I think VA risks--this is a behavior for VA, and I think 
what is the potential risk for EHR is these types of behaviors 
will roll over into this initiative, and that is what we are 
looking at right now.
    Ms. Lee. Okay.
    Ms. Harris. Madam Chair, we intend to initiate work on the 
EHR program very soon. We have ongoing work at VistA, as well 
as ongoing work on the DoD side, the MHS Genesis program. So we 
have not made specific recommendations related to the EHR 
acquisition itself, but we do have the one outstanding 
recommendation to define the role of the Interagency Program 
Office.
    And again, as I mentioned earlier, if that process hasn't 
been formalized, whatever VA does on the acquisition, I mean, 
it is ultimately going to fail in terms of the interoperability 
with DoD.
    Ms. Lee. Thank you.
    Ms. Harris. So they have to get that right.
    Ms. Lee. Thank you.
    Well, this has been somewhat depressing, but also a helpful 
discussion. And we certainly look forward to working with the 
VA to ensure that we help overcome these deficiencies, because 
ultimately making sure that we are successful means better care 
for our veterans, which is ultimately the goal for all of us.
    So I look forward to continuing as the Subcommittee moves 
forward with oversight of technology and modernization at the 
VA.
    I would like to thank all of our witnesses for your 
attendance and your testimony, and your patience in answering 
these questions.
    And all Members will have 5 legislative days to revise and 
extend their remarks and include extraneous material.
    And this hearing has now been adjourned. Thank you.

    [Whereupon, at 11:18 a.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              

       Prepared Statement of Mark Takano, Chairman Full Committee
    Good Morning. This hearing will come to order.
    This is the first hearing of the 116th Congress by the Subcommittee 
on Technology Modernization. This Subcommittee was created last year 
because this Committee recognized that all aspects of implementing 
technology at the Department of Veterans Affairs needs sustained 
attention and oversight.
    I am pleased that the work that was begun last year will continue 
and I am honored to be a part of the effort. I look forward to working 
with my colleague, Ranking Member Banks, and the other members of the 
Subcommittee on this important mandate.
    VA has many technology modernization projects underway, from the 
Electronic Health Record Modernization, the Financial Management 
Business Transformation, and efforts to update its supply chain system. 
Congress has also given VA several critical programs to implement, 
including the MISSION Act and the Forever GI Bill. These programs will 
need to have strong technology systems that support the successful 
delivery of healthcare and benefits to our veterans.
    The Subcommittee will engage in oversight of each of these programs 
over the next several months. However, I thought it would be helpful to 
begin the Subcommittee's work with an assessment of the office within 
VA that bears much of the responsibility for implementing the 
technology that will support these critical programs.
    The Office of Information and Technology (OI&T) is responsible for 
all aspects of technology modernization at VA, including acquisition, 
development, and implementation. OI&T is also responsible for making 
sure that VA's critical systems are secure, and that veterans' personal 
data is protected.
    It is clear that OI&T has struggled in its mission.
    Many decades of oversight work by the Government Accountability 
Office and the Office of Inspector General have found and documented 
systemic leadership and management challenges at OI&T. Progress at 
solving these problems has been halting.
    Today, I would like to explore the root causes of these challenges 
and to identify the barriers to improvement. And if OI&T has made 
progress I would like to explore that as well, so that we can determine 
how successful results can be replicated.
    One of the major problems at OI&T has been high turnover in 
leadership. VA has had five chief information officers in four years. I 
am glad that a confirmed leader is now in place and I wish Mr. Gfrerer 
success in his position and I hope that he is able to implement some of 
the critical change that is needed at OI&T.
    However, you will note that we have an empty chair at the table 
where the Office of Information and Technology should be represented. 
The Subcommittee invited Mr. Gfrerer to the hearing today, but the VA 
declined because he is testifying before the Full Committee this 
afternoon. That is somewhat understandable, and we told VA that we 
would accept a deputy for testimony today. We won't stand on ceremony 
in this Subcommittee. We want to engage with knowledgeable management 
and staff - no matter their title - to better understand these 
challenges and to figure out solutions. Unfortunately, VA refused the 
Subcommittee's request.
    I hope we will hear from OI&T at a Subcommittee hearing in the near 
future, because if we want VA to be able to successfully deliver 
healthcare and benefits to our Veterans, OI&T has to be an effective 
part of that effort. There is no doubt that we want OI&T to succeed at 
its mission, because its success means that veterans get the highest 
level of care and reliable access to the benefits they have earned.
    I am pleased to have members of our oversight community here today 
to help the Subcommittee further its own oversight of technology at VA. 
I look forward to testimony from GAO and the OIG and engaging in 
discussion with them now and going forward.
    Thank you.

                                 
                 Prepared Statement of Carol C. Harris
Addressing IT Management Challenges Is Essential to Effectively 
    Supporting the Department's Mission

    Chair Lee, Ranking Member Banks, and Members of the Subcommittee:

    Thank you for the opportunity to participate in today's hearing 
regarding the Department of Veterans Affairs' (VA) Office of 
Information and Technology (OI&T). As you know, the use of information 
technology (IT) is crucial to helping VA effectively serve the nation's 
veterans. The department annually spends billions of dollars on its 
information systems and assets-VA's budget for IT now exceeds $4 
billion annually.
    However, over many years, VA has experienced challenges in managing 
its IT projects and programs, raising questions about the efficiency 
and effectiveness of OI&T and its ability to deliver intended outcomes 
needed to help advance the department's mission. These challenges have 
spanned a number of critical initiatives related to modernizing the 
department's (1) health information system, the Veterans Health 
Information Systems and Technology Architecture (VistA); (2) program to 
support family caregivers; and (3) benefits management system. The 
department has also experienced challenges in implementing provisions 
of the Federal Information Technology Acquisition Reform Act (commonly 
referred to as FITARA), \1\ and in appropriately addressing 
cybersecurity risks.
---------------------------------------------------------------------------
    \1\ Carl Levin and Howard P. `Buck' McKeon National Defense 
Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division 
A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
---------------------------------------------------------------------------
    We have previously reported on these IT management challenges at VA 
and have made recommendations aimed at improving the department's 
system acquisitions and operations. \2\ At your request, my testimony 
today summarizes results and recommendations from our work at the 
department that examined its system modernization efforts, as well as 
its efforts toward implementing FITARA and addressing cybersecurity 
issues.
---------------------------------------------------------------------------
    \2\ GAO, Electronic Health Records: VA and DOD Need to Support Cost 
and Schedule Claims, Develop Interoperability Plans, and Improve 
Collaboration, GAO 14 302 (Washington, D.C.: Feb. 27, 2014); VA Health 
Care: Actions Needed to Address Higher-Than-Expected Demand for the 
Family Caregiver Program, GAO 14 675 (Washington, D.C.: Sept. 18, 
2014); Veterans Benefits Management System: Ongoing Development and 
Implementation Can Be Improved; Goals Are Needed to Promote Increased 
User Satisfaction, GAO 15 582 (Washington, D.C.: Sept. 1, 2015); IT 
Dashboard: Agencies Need to Fully Consider Risks When Rating Their 
Major Investments, GAO 16 494 (Washington, D.C.: June 2, 2016); 
Information Technology Reform: Agencies Need to Improve Certification 
of Incremental Development, GAO 18 148 (Washington, D.C.: Nov. 7, 
2017); Data Center Optimization: Continued Agency Actions Needed to 
Meet Goals and Address Prior Recommendations, GAO 18 264 (Washington, 
D.C.: May 23, 2018); Federal Chief Information Officers: Critical 
Actions Needed to Address Shortcomings and Challenges in Implementing 
Responsibilities, GAO 18 93 (Washington, D.C.: Aug. 2, 2018); 
Information Security, Agencies Need to Improve Controls over Selected 
High-Impact Systems, GAO 16 501 (Washington, D.C.: May 18, 2016); 
Information Security: Agencies Need to Improve Implementation of 
Federal Approach to Securing Systems and Protecting against Intrusions, 
GAO 19 105 (Washington, D.C.: Dec. 18, 2018); and Cybersecurity 
Workforce: Agencies Need to Accurately Categorize Positions to 
Effectively Identify Critical Staffing Needs, GAO 19 144 (Washington, 
D.C.: Mar. 12, 2019).
---------------------------------------------------------------------------
    In developing this testimony, we relied on our recently issued 
reports that addressed IT management issues at VA and our bi-annual 
high-risk series. \3\ We also incorporated information on the 
department's actions in response to recommendations we made in our 
previous reports. The reports cited throughout this statement include 
detailed information on the scope and methodology of our prior reviews.
---------------------------------------------------------------------------
    \3\ GAO maintains a high-risk program to focus attention on 
government operations that it identifies as high risk due to their 
greater vulnerabilities to fraud, waste, abuse, and mismanagement or 
the need for transformation to address economy, efficiency, or 
effectiveness challenges. VA's issues were highlighted in our 2015 
High-Risk Report, GAO, High-Risk Series: An Update, GAO 15 290 
(Washington, D.C.: Feb. 11, 2015), 2017 update, GAO, High-Risk Series: 
Progress on Many High-Risk Areas, While Substantial Efforts Needed on 
Others, GAO 17 317 (Washington, D.C.: Feb. 15, 2017), and 2019 update, 
GAO, High-Risk Series, Substantial Efforts Needed to Achieve Greater 
Progress on High-Risk Areas, GAO 19 157SP (Washington, D.C.: Mar. 6, 
2019).
---------------------------------------------------------------------------
    We conducted the work on which this statement is based in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.

Background

    VA's mission is to promote the health, welfare, and dignity of all 
veterans in recognition of their service to the nation by ensuring that 
they receive medical care, benefits, social support, and lasting 
memorials. In carrying out this mission, the department operates one of 
the largest health care delivery systems in America, providing health 
care to millions of veterans and their families at more than 1,500 
facilities.
    The department's three major components-the Veterans Health 
Administration (VHA), the Veterans Benefits Administration (VBA), and 
the National Cemetery Administration (NCA)-are primarily responsible 
for carrying out its mission. More specifically, VHA provides health 
care services, including primary care and specialized care, and it 
performs research and development to address veterans' needs. VBA 
provides a variety of benefits to veterans and their families, 
including disability compensation, educational opportunities, 
assistance with home ownership, and life insurance. Further, NCA 
provides burial and memorial benefits to veterans and their families.

VA Relies Extensively on IT

    The use of IT is critically important to VA's efforts to provide 
benefits and services to veterans. As such, the department operates and 
maintains an IT infrastructure that is intended to provide the backbone 
necessary to meet the day-to-day operational needs of its medical 
centers, veteran-facing systems, benefits delivery systems, memorial 
services, and all other systems supporting the department's mission. 
The infrastructure is to provide for data storage, transmission, and 
communications requirements necessary to ensure the delivery of 
reliable, available, and responsive support to all VA staff offices and 
administration customers, as well as veterans.
    Toward this end, the department operates approximately 240 
information systems, manages approximately 314,000 desktop computers 
and 30,000 laptops, and administers nearly 460,000 network user 
accounts for employees and contractors to facilitate providing benefits 
and health care to veterans. These systems are used for the 
determination of benefits, benefits claims processing, patient 
admission to hospitals and clinics, and access to health records, among 
other services.
    VHA's systems provide capabilities to establish and maintain 
electronic health records that health care providers and other clinical 
staff use to view patient information in inpatient, outpatient, and 
long-term care settings. The department's health information system-
VistA-serves an essential role in helping the department to fulfill its 
health care delivery mission.
    Specifically, VistA is an integrated medical information system 
that was developed in-house by the department's clinicians and IT 
personnel, and has been in operation since the early 1980s. \4\ The 
system consists of 104 separate computer applications, including 56 
health provider applications; 19 management and financial applications; 
eight registration, enrollment, and eligibility applications; five 
health data applications; and three information and education 
applications. Within VistA, an application called the Computerized 
Patient Record System enables the department to create and manage an 
individual electronic health record for each VA patient.
---------------------------------------------------------------------------
    \4\ VistA began operation in 1983 as the Decentralized Hospital 
Computer Program. In 1996, the name of the system was changed to VistA.
---------------------------------------------------------------------------
    In June 2017, the former VA Secretary announced that the department 
planned to acquire the same Cerner electronic health record system that 
the Department of Defense (DOD) has acquired. \5\ VA's effort-the 
Electronic Health Record Modernization (EHRM) program-calls for the 
deployment of a new electronic health record system at three initial 
sites in 2020, with a phased implementation of the remaining sites over 
the next decade.
---------------------------------------------------------------------------
    \5\ In July 2015, DOD awarded a $4.3 billion contract for a 
commercial electronic health record system developed by Cerner, to be 
known as MHS GENESIS. The transition to the new system began in 
February 2017 in the Pacific Northwest region of the United States and 
is expected to be completed in 2022.
---------------------------------------------------------------------------
    In addition, VBA relies on the Veterans Benefits Management System 
(VBMS) to collect and store information such as military service 
records, medical examinations, and treatment records from VA, DOD, and 
private medical service providers. In 2014, VA issued its 6-year 
strategic plan, which emphasizes the department's goal of increasing 
veterans' access to benefits and services, eliminating the disability 
claims backlog, and ending veteran homelessness. According to the plan, 
the department intends to improve access to benefits and services 
through the use of enhanced technology to provide veterans with access 
to more effective care management.
    The plan also calls for VA to eliminate the disability claims 
backlog by fully implementing an electronic claims process that is 
intended to reduce processing time and increase accuracy. Further, the 
department has an initiative under way that provides services, such as 
health care, housing assistance, and job training, to end veteran 
homelessness. Toward this end, VA is working with other agencies, such 
as the Department of Health and Human Services, to implement more 
coordinated data entry systems to streamline and facilitate access to 
appropriate housing and services.

VA Manages IT Resources Centrally

    Since 2007, VA has been operating a centralized organization, OI&T, 
in which most key functions intended for effective management of IT are 
performed. This office is led by the Assistant Secretary for 
Information and Technology-VA's Chief Information Officer (CIO). The 
office is responsible for providing strategy and technical direction, 
guidance, and policy related to how IT resources are to be acquired and 
managed for the department, and for working closely with its business 
partners-such as VHA-to identify and prioritize business needs and 
requirements for IT systems. Among other things, OI&T has 
responsibility for managing the majority of VA's IT-related functions, 
including the maintenance and modernization of VistA. \6\ As of January 
2019, OI&T was comprised of about 15,800 staff, with more than half of 
these positions filled by contractors.
---------------------------------------------------------------------------
    \6\ VistA is a joint program with OI&T and VHA.

VA Is Requesting about $5.9 Billion for IT and a New Electronic Health 
---------------------------------------------------------------------------
    Record System for Fiscal Year 2020

    VA's fiscal year 2020 budget request includes about $5.9 billion 
for OI&T and its new electronic health record system. Of this amount, 
about $4.3 billion was requested for OI&T, which represents a $240 
million increase over the $4.1 billion enacted for 2019. The request 
seeks the following levels of funding:

      $401 million for new systems development efforts to 
support current health care systems platforms, and to replace legacy 
systems, such as the Financial Management System;
      approximately $2.7 billion for the operations and 
maintenance of existing systems, which includes $327.3 million for 
infrastructure readiness that is to support the transition to the new 
electronic health record system; and
      approximately $1.2 billion for administration.

    Additionally, the department requested about $1.6 billion for the 
EHRM program. This amount is an increase of $496 million over the $1.1 
billion that was enacted for the program for fiscal year 2019. The 
request includes the following:

      $1.1 billion for the contract with the Cerner Corporation 
to acquire the new system,
      $161,800 for program management, and
      $334,700 for infrastructure support.

VA's Management of IT Has Contributed to High-Risk Designations

    In 2015, we designated VA Health Care as a high-risk area for the 
federal government and noted that IT challenges were among the five 
areas of concern. \7\ In part, we identified limitations in the 
capacity of VA's existing systems, including the outdated, inefficient 
nature of certain systems and a lack of system interoperability-that 
is, the ability to exchange and use electronic health information-as 
contributors to the department's IT challenges related to health care.
---------------------------------------------------------------------------
    \7\ GAO maintains a high-risk program to focus attention on 
government operations that it identifies as high risk due to their 
greater vulnerabilities to fraud, waste, abuse, and mismanagement or 
the need for transformation to address economy, efficiency, or 
effectiveness challenges. VA's issues were highlighted in our 2015 
High-Risk Report, GAO, High-Risk Series: An Update, GAO 15 290 
(Washington, D.C.: Feb. 11, 2015) and 2017 update, GAO, High-Risk 
Series: Progress on Many High-Risk Areas, While Substantial Efforts 
Needed on Others, GAO 17 317 (Washington, D.C.: Feb. 15, 2017).
---------------------------------------------------------------------------
    Also, in February 2015, we added Improving the Management of IT 
Acquisitions and Operations to our list of high-risk areas. \8\ 
Specifically, federal IT investments were too frequently failing or 
incurring cost overruns and schedule slippages while contributing 
little to mission-related outcomes. We have previously reported that 
the federal government has spent billions of dollars on failed IT 
investments, including at VA. \9\
---------------------------------------------------------------------------
    \8\ GAO 15 290.
    \9\ GAO, Information Technology: Management Improvements Are 
Essential to VA's Second Effort to Replace Its Outpatient Scheduling 
System, GAO 10 579 (Washington, D.C.: May 27, 2010); Information 
Technology: Actions Needed to Fully Establish Program Management 
Capability for VA's Financial and Logistics Initiative, GAO 10 40 
(Washington, D.C.: Oct. 26, 2009).
---------------------------------------------------------------------------
    Our 2017 update to the high-risk report noted that VA had partially 
met our leadership commitment criterion by involving top leadership in 
addressing the IT challenges portion of the VA Health Care high-risk 
area; however, it had not met the action plan, monitoring, demonstrated 
progress, or capacity criteria.
    We have also identified VA as being among a handful of departments 
with one or more archaic legacy systems. Specifically, in our May 2016 
report on legacy systems used by federal agencies, we identified two of 
VA's systems as being over 50 years old-the Personnel and Accounting 
Integrated Data system and the Benefits Delivery Network system. \10\ 
These systems were among the 10 oldest investments and/or systems that 
were reported by 12 selected agencies.
---------------------------------------------------------------------------
    \10\ GAO, Information Technology: Federal Agencies Need to Address 
Aging Legacy Systems, GAO 16 468 (Washington, D.C.: May 25, 2016).
---------------------------------------------------------------------------
    Accordingly, we recommended that the department identify and plan 
to modernize or replace its legacy systems. VA addressed the 
recommendation in May 2018, when it provided a Comprehensive 
Information Technology Plan that showed a detailed roadmap for the key 
programs and systems required for modernization. The plan included time 
frames, activities to be performed, and functions to be replaced or 
enhanced. The plan also indicated that the Personnel and Accounting 
Integrated Data system and the Benefits Delivery Network system are to 
be decommissioned in quarters 3 and 4 of fiscal year 2019, 
respectively.
    Our March 2019 update to our high-risk series noted that the 
ratings for leadership commitment criterion regressed, while the action 
plan criterion improved for the IT Challenges portion of the VA Health 
Care area. \11\ The capacity, monitoring, and demonstrated progress 
criteria remained unchanged. Our work continued to indicate that VA was 
not yet able to demonstrate progress in this area.
---------------------------------------------------------------------------
    \11\ GAO 19 157SP.
---------------------------------------------------------------------------
    Since its 2015 high-risk designation, we have made 14 new 
recommendations in the VA Health Care area, 12 of which were made since 
our 2017 high-risk report was issued. For example, in June 2017, to 
address deficiencies we recommended that the department take six 
actions to provide clinicians and pharmacists with improved tools to 
support pharmacy services to veterans and reduce risks to patient 
safety. VA generally concurred with these recommendations; however, all 
of them remain open.

FITARA Is Intended to Help VA and Other Agencies Improve Their IT 
    Acquisitions

    Congress enacted FITARA in December 2014 to improve agencies' 
acquisitions of IT and enable Congress to better monitor agencies' 
progress and hold them accountable for reducing duplication and 
achieving cost savings. The law applies to VA and other covered 
agencies. \12\ It includes specific requirements related to seven 
areas, including agency CIO authority, data center consolidation and 
optimization, risk management of IT investments, and government-wide 
software purchasing. \13\
---------------------------------------------------------------------------
    \12\ The provisions apply to the agencies covered by the Chief 
Financial Officers Act of 1990, 31 U.S.C. Sec.  901(b). These agencies 
are the Departments of Agriculture, Commerce, Defense, Education, 
Energy, Health and Human Services, Homeland Security, Housing and Urban 
Development, Justice, Labor, State, the Interior, the Treasury, 
Transportation, and Veterans Affairs; the Environmental Protection 
Agency, General Services Administration, National Aeronautics and Space 
Administration, National Science Foundation, Nuclear Regulatory 
Commission, Office of Personnel Management, Small Business 
Administration, Social Security Administration, and U.S. Agency for 
International Development. However, FITARA has generally limited 
application to the Department of Defense.
    \13\ FITARA also includes requirements for covered agencies to 
enhance the transparency and improve risk management of IT investments, 
annually review IT investment portfolios, expand training and use of IT 
acquisition cadres, and compare their purchases of services and 
supplies to what is offered under the federal strategic sourcing 
initiative that the General Services Administration is to develop. The 
Federal Strategic Sourcing Initiative is a program established by the 
General Services Administration and the Department of the Treasury to 
address government-wide opportunities to strategically source commonly 
purchased goods and services and eliminate duplication of efforts 
across agencies.

      Agency CIO authority enhancements. CIOs at covered 
agencies are required to (1) approve the IT budget requests of their 
respective agencies, (2) certify that IT investments are adequately 
implementing incremental development, as defined in capital planning 
guidance issued by the Office of Management and Budget (OMB), (3) 
review and approve contracts for IT, and (4) approve the appointment of 
other agency employees with the title of CIO.
      Federal data center consolidation initiative. Agencies 
are required to provide OMB with a data center inventory, a strategy 
for consolidating and optimizing their data centers (to include planned 
cost savings), and quarterly updates on progress made. The law also 
requires OMB to develop a goal for how much is to be saved through this 
initiative, and provide annual reports on cost savings achieved. \14\
---------------------------------------------------------------------------
    \14\ In November 2017, the FITARA Enhancement Act of 2017 was 
enacted into law to extend the sunset date for the data center 
provisions of FITARA. The law's data center consolidation and 
optimization provisions currently expire on October 1, 2020. Pub. L. 
No. 115-88 (Nov. 21, 2017).
---------------------------------------------------------------------------
      Enhanced transparency and improved risk management in IT 
investments. OMB and covered agencies are to make detailed information 
on federal IT investments publicly available, and department-level CIOs 
are to categorize their major IT investments by risk. \15\ 
Additionally, in the case of major investments rated as high risk for 4 
consecutive quarters, \16\ the act required that the department-level 
CIO and the investment's program manager conduct a review aimed at 
identifying and addressing the causes of the risk.
---------------------------------------------------------------------------
    \15\ ``Major IT investment'' means a system or an acquisition 
requiring special management attention because it has significant 
importance to the mission or function of the government; significant 
program or policy implications; high executive visibility; high 
development, operating, or maintenance costs; an unusual funding 
mechanism; or is defined as major by the agency's capital planning and 
investment control process.
    \16\ The IT Dashboard lists the CIO-reported risk level of all 
major IT investments at federal agencies on a quarterly basis.
---------------------------------------------------------------------------
      Government-wide software purchasing program. The General 
Services Administration is to enhance government-wide acquisition and 
management of software and allow for the purchase of a software license 
agreement that is available for use by all executive branch agencies as 
a single user. Additionally, the Making Electronic Government 
Accountable by Yielding Tangible Efficiencies Act of 2016, or the 
``MEGABYTE Act,'' further enhanced CIOs' management of software 
licenses by requiring agency CIOs to establish an agency software 
licensing policy and a comprehensive software license inventory to 
track and maintain licenses, among other requirements. \17\
---------------------------------------------------------------------------
    \17\ Pub. L. No. 114-210 130 Stat. 824 (July 29, 2016).

    In June 2015, OMB released guidance describing how agencies are to 
implement FITARA. \18\ This guidance is intended to, among other 
things:
---------------------------------------------------------------------------
    \18\ OMB, Management and Oversight of Federal Information 
Technology, Memorandum M-15-14 (Washington, D.C.: June 10, 2015).

      assist agencies in aligning their IT resources with 
statutory requirements;
      establish government-wide IT management controls that 
will meet the law's requirements, while providing agencies with 
flexibility to adapt to unique agency processes and requirements;
      clarify the CIO's role and strengthen the relationship 
between agency CIOs and bureau CIOs; and
      strengthen CIO accountability for IT costs, schedules, 
performance, and security.

VA and Other Agencies Face Cybersecurity Risks

    The federal approach and strategy for securing information systems 
is prescribed by federal law and policy. The Federal Information 
Security Modernization Act (FISMA) provides a comprehensive framework 
for ensuring the effectiveness of information security controls over 
information resources that support federal operations and assets. \19\ 
In addition, the Federal Cybersecurity Enhancement Act of 2015 requires 
protecting federal networks through the use of federal intrusion 
prevention and detection capabilities. Further, Executive Order 13800, 
Strengthening the Cybersecurity of Federal Networks and Critical 
Infrastructure \20\, directs agencies to manage cybersecurity risks to 
the federal enterprise by, among other things, using the National 
Institute of Standards and Technology Framework for Improving Critical 
Infrastructure Cybersecurity \21\ (cybersecurity framework).
---------------------------------------------------------------------------
    \19\ The Federal Information Security Modernization Act of 2014 
(FISMA 2014) (Pub. L. No. 113-283, Dec. 20, 2014) largely superseded 
the Federal Information Security Management Act of 2002 (FISMA 2002), 
enacted as Title III, E-Government Act of 2002, Pub. L. No. 107-347, 
116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this report, FISMA 
refers both to FISMA 2014 and to those provisions of FISMA 2002 that 
were either incorporated into FISMA 2014 or were unchanged and continue 
in full force and effect.
    \20\ The White House, Strengthening the Cybersecurity of Federal 
Networks and Critical Infrastructure, Executive Order 13800 
(Washington, D.C.: May 11, 2017), 82 Fed. Reg. 22391 (May 16, 2017).
    \21\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.1 
(Gaithersburg, MD: Apr. 16, 2018).
---------------------------------------------------------------------------
    Federal agencies, including VA, and our nation's critical 
infrastructures-such as energy, transportation systems, communications, 
and financial services-are dependent on IT systems and electronic data 
to carry out operations and to process, maintain, and report essential 
information. The security of these systems and data is vital to public 
confidence and national security, prosperity, and well-being.
    Because many of these systems contain vast amounts of personally 
identifiable information, agencies must protect the confidentiality, 
integrity, and availability of this information. In addition, they must 
effectively respond to data breaches and security incidents when they 
occur.
    The risks to IT systems supporting the federal government and the 
nation's critical infrastructure are increasing, including insider 
threats from witting or unwitting employees, escalating and emerging 
threats from around the globe, and the emergence of new and more 
destructive attacks. Cybersecurity incidents continue to impact federal 
entities and the information they maintain. According to OMB's 2018 
annual FISMA report to Congress, agencies reported 35,277 information 
security incidents to DHS's U.S. Computer Emergency Readiness Team \22\ 
in fiscal year 2017.
---------------------------------------------------------------------------
    \22\ Within DHS, the U.S. Computer Emergency Readiness Team is a 
component of the National Cybersecurity and Communications Integration 
Center. It serves as the central federal information security incident 
center specified by FISMA.

VA Has Made Limited Progress toward Addressing IT System Modernization 
---------------------------------------------------------------------------
    Challenges

    VA has made limited progress toward addressing the IT management 
challenges for three critical initiatives: VistA, the Family Caregiver 
Program, and VBMS. Specifically, the department has recently initiated 
its fourth effort to modernize VistA, but uncertainty remains regarding 
the program's governance. In addition, although VA has taken steps to 
address our recommendations for the Family Caregiver Program and VBMS, 
the department has not fully implemented most of them.

VA Recently Initiated Its Fourth Effort to Modernize VistA

    VA has pursued four efforts over nearly 2 decades to modernize 
VistA. \23\ These efforts-HealtheVet, the integrated Electronic Health 
Record (iEHR), VistA Evolution, and EHRM-reflect varying approaches 
that the department has considered to achieve a modernized health care 
system. Figure 1 shows a timeline of the four efforts that VA has 
pursued to modernize VistA since 2001.
---------------------------------------------------------------------------
    \23\ GAO, VA Health IT Modernization: Historical Perspective on 
Prior Contracts and Update on Plans for New Initiative, GAO 18 208 
(Washington, D.C.: Jan. 18, 2018).
[GRAPHIC] [TIFF OMITTED] T8952.001


---------------------------------------------------------------------------
HealtheVet

    In 2001, VA undertook its first VistA modernization project, the 
HealtheVet initiative, with the goals of standardizing the department's 
health care system and eliminating the approximately 130 different 
systems used by its field locations at that time. HealtheVet was 
scheduled to be fully implemented by 2018 at a total estimated 
development and deployment cost of about $11 billion. As part of the 
effort, the department had planned to develop or enhance specific areas 
of system functionality through six projects, which were to be 
completed between 2006 and 2012.
    In June 2008, we reported that the department had made progress on 
the HealtheVet initiative, but noted concerns with its project planning 
and governance. \24\ In June 2009, the Secretary of Veterans Affairs 
announced that VA would stop financing failed projects and improve the 
management of its IT development projects. Subsequently in August 2010, 
the department reported that it had terminated the HealtheVet 
initiative.
---------------------------------------------------------------------------
    \24\ GAO 08 805.

---------------------------------------------------------------------------
iEHR

    In February 2011, VA began its second VistA modernization 
initiative, the iEHR program, in conjunction with DOD. The program was 
intended to replace the two separate electronic health record systems 
used by the two departments with a single, shared system. In addition, 
because both departments would be using the same system, this approach 
was expected to largely sidestep the challenges that had been 
encountered in trying to achieve interoperability between their two 
separate systems.
    Initial plans called for the development of a single, joint iEHR 
system consisting of 54 clinical capabilities to be delivered in six 
increments between 2014 and 2017. Among the agreed-upon capabilities to 
be delivered were those supporting laboratory, anatomic pathology, 
pharmacy, and immunizations. According to VA and DOD, the single system 
had an estimated life cycle cost of $29 billion through the end of 
fiscal year 2029.
    However, in February 2013, the Secretaries of VA and DOD announced 
that they would not continue with their joint development of a single 
electronic health record system. This decision resulted from an 
assessment of the iEHR program that the secretaries had requested in 
December 2012 because of their concerns about the program facing 
challenges in meeting deadlines, costing too much, and taking too long 
to deliver capabilities. In 2013, the departments abandoned their plan 
to develop the integrated system and stated that they would again 
pursue separate modernization efforts.

VistA Evolution

    In December 2013, VA initiated its VistA Evolution program as a 
joint effort of VHA and OI&T. The program was to be comprised of a 
collection of projects and efforts focused on improving the efficiency 
and quality of veterans' health care, modernizing the department's 
health information systems, increasing the department's data exchange 
and interoperability with DOD and private sector health care partners, 
and reducing the time it takes to deploy new health information 
management capabilities. Further, the program was intended to result in 
lower costs for system upgrades, maintenance, and sustainment. However, 
VA ended the VistA Evolution program in December 2018 to focus on its 
new electronic health record system acquisition.

EHRM

    In June 2017, VA's Secretary announced a significant shift in the 
department's approach to modernizing VistA. Specifically, rather than 
continue to use VistA, the Secretary stated that the department would 
acquire the same electronic health record system that DOD is 
implementing. In this regard, DOD awarded a contract to acquire a new 
integrated electronic health record system developed by the Cerner 
Corporation. According to the Secretary, VA decided to acquire this 
same product because it would allow all of VA's and DOD's patient data 
to reside in one system, thus enabling seamless care between the 
department and DOD without the manual and electronic exchange and 
reconciliation of data between two separate systems.
    According to the Secretary, this fourth VistA modernization 
initiative is intended to minimize customization and system differences 
that currently exist within the department's medical facilities, and 
ensure the consistency of processes and practices within VA and DOD. 
When fully operational, the system is intended to be a single source 
for patients to access their medical history and for clinicians to use 
that history in real time at any VA or DOD medical facility, which may 
result in improved health care outcomes. According to VA's Chief 
Technology Officer, Cerner is expected to provide integration, 
configuration, testing, deployment, hosting, organizational change 
management, training, sustainment, and licenses necessary to deploy the 
system in a manner that meets the department's needs.
    To expedite the acquisition, in June 2017, the Secretary signed a 
``Determination and Findings,'' for a public interest exception \25\ to 
the requirement for full and open competition, and authorized VA to 
issue a solicitation directly to Cerner. Accordingly, the department 
awarded a contract to Cerner in May 2018 for a maximum of $10 billion 
over 10 years. Cerner is to replace VistA with a commercial electronic 
health record system. This new system is to support a broad range of 
health care functions that include, for example, acute care, clinical 
decision support, dental care, and emergency medicine. When 
implemented, the new system will be expected to provide access to 
authoritative clinical data sources and become the authoritative source 
of clinical data to support improved health, patient safety, and 
quality of care provided by VA.
---------------------------------------------------------------------------
    \25\ FAR, 48 C.F.R. Sec.  6.302-7.
---------------------------------------------------------------------------
    Further, the department has estimated that, as of November 2018, an 
additional $6.1 billion in funding, above the Cerner contract amount, 
will be needed to fund additional project management support supplied 
by outside contractors, government labor costs, and infrastructure 
improvements over a 10-year implementation period.
    Deployment of the new electronic health record system at three 
initial sites is planned for March 2020, \26\ with a phased 
implementation of the remaining sites over the next decade. Each VA 
medical facility is expected to continue using VistA until the new 
system has been deployed at that location.
---------------------------------------------------------------------------
    \26\ The three initial deployment sites are the Mann-Grandstaff, 
American Lake, and Seattle VA Medical Centers.
---------------------------------------------------------------------------
    After VA announced in June 2017 that it planned to acquire the 
Cerner electronic health record system, we testified in June 2018 that 
a governance structure had been proposed that would be expected to 
leverage existing joint governance facilitated by the Interagency 
Program Office. \27\ At that time, VA's program officials had stated 
that the department's governance plans for the new program were 
expected to be finalized in October 2018. However, the officials had 
not indicated what role, if any, the Interagency Program Office was to 
have in the governance process. This office has been involved in 
various approaches to increase health information interoperability 
since it was established by the National Defense Authorization Act for 
Fiscal Year 2008 to function as the single point of accountability for 
DOD's and VA's electronic health record system interoperability 
efforts.
---------------------------------------------------------------------------
    \27\ GAO, VA IT Modernization: Preparations for Transitioning to a 
New Electronic Health Record System Are Ongoing, GAO 18 636T 
(Washington, D.C.: June 26, 2018).
---------------------------------------------------------------------------
    In September 2018, we recommended that VA clearly define the role 
and responsibilities of the Interagency Program Office in the 
governance plans for acquisition of the department's new electronic 
health record system. \28\ The department concurred with our 
recommendation and stated that the Joint Executive Committee, a joint 
governance body comprised of leadership from DOD and VA, had approved a 
role for the Interagency Program Office that included providing 
expertise, guidance, and support for DOD, VA, and joint governance 
bodies as the departments continue to acquire and implement 
interoperable electronic health record systems.
---------------------------------------------------------------------------
    \28\ GAO, Electronic Health Records: Clear Definition of the 
Interagency Program Office's Role in VA's New Modernization Effort 
Would Strengthen Accountability, GAO 18 696T (Washington, D.C.: Sept. 
13, 2018).
---------------------------------------------------------------------------
    However, the department has not yet provided documentation 
supporting these actions and how they relate to VA's governance 
structure for the new acquisition. In addition, the role described does 
not appear to position the office to be the single point of 
accountability originally identified in the National Defense 
Authorization Act for Fiscal Year 2008. We continue to monitor the 
department's governance plans for the acquisition of the new electronic 
health record system and its relationship with the Interagency Program 
Office.

The Family Caregiver Program Has Not Been Supported by an Effective IT 
    System

    In May 2010, VA was required by statute to establish a program to 
support family caregivers of seriously injured post-9/11 veterans. In 
May 2011, VHA implemented its Family Caregiver Program at all VA 
medical centers across the country, offering caregivers an array of 
services, including a monthly stipend, training, counseling, referral 
services, and expanded access to mental health and respite care. In 
fiscal year 2014, VHA obligated over $263 million for the program.
    In September 2014, we reported that the Caregiver Support Program 
office, which manages the program, did not have ready access to the 
types of workload data that would allow it to routinely monitor the 
effects of the Family Caregiver Program on VA medical centers' 
resources due to limitations with the program's IT system-the Caregiver 
Application Tracker. \29\ Program officials explained that this system 
was designed to manage a much smaller program and, as a result, the 
system has limited capabilities. Outside of obtaining basic aggregate 
program statistics, the program office was not able to readily retrieve 
data from the system that would allow it to better assess the scope and 
extent of workload problems at VA medical centers.
---------------------------------------------------------------------------
    \29\ GAO 14 675.
---------------------------------------------------------------------------
    Program officials also expressed concern about the reliability of 
the system's data. The lack of ready access to comprehensive workload 
data impeded the program office's ability to monitor the program and 
identify workload problems or make modifications as needed. This runs 
counter to federal standards for internal control which state that 
agencies should monitor their performance over time and use the results 
to correct identified deficiencies and make improvements.
    We also noted in our report that program officials told us that 
they had taken initial steps to obtain another IT system to support the 
Family Caregiver Program, but they were not sure how long it would take 
to implement. Accordingly, we recommended that VA expedite the process 
for identifying and implementing a system that would fully support the 
Family Caregiver Program. VA concurred with our recommendation and 
subsequently began taking steps to implement a replacement system. 
However, the department has encountered challenges related to the 
system implementation efforts. We have ongoing work to evaluate VA's 
effort to acquire a new IT system to support the Family Caregiver 
Program.

Additional Actions Can Improve Efforts to Develop and Use the Veterans 
    Benefits Management System

    In September 2015, we reported that VBA had made progress in 
developing and implementing VBMS-its system for processing disability 
benefit claims-but also noted that additional actions could improve 
efforts to develop and use the system. \30\ Specifically, VBA had 
deployed the initial version of the system to all of its regional 
offices as of June 2013. Further, after initial deployment, it 
continued developing and implementing additional system functionality 
and enhancements to support the electronic processing of disability 
compensation claims.
---------------------------------------------------------------------------
    \30\ GAO 15 582.
---------------------------------------------------------------------------
    Nevertheless, we pointed out that VBMS was not able to fully 
support disability and pension claims, as well as appeals processing. 
While the Under Secretary for Benefits stated in March 2013 that the 
development of the system was expected to be completed in 2015, 
implementation of functionality to fully support electronic claims 
processing was delayed beyond 2015. In addition, VBA had not produced a 
plan that identified when the system would be completed. Accordingly, 
holding VBA management accountable for meeting a time frame and 
demonstrating progress was difficult.
    Our report further noted that, even as VBA continued its efforts to 
complete the development and implementation of VBMS, three areas were 
in need of increased management attention: cost estimating, system 
availability, and system defects. We also noted in our report that VBA 
had not conducted a customer satisfaction survey that would allow the 
department to compile data on how users viewed the system's performance 
and, ultimately, to develop goals for improving the system.
    We made five recommendations to improve VA's efforts to effectively 
complete the development and implementation of VBMS. VA agreed with 
four of the recommendations. In addition, the department has addressed 
one of the recommendations-that it establish goals for system response 
time and use the goals as the basis for reporting system performance.
    However, the department has not yet fully addressed our remaining 
recommendations to (1) develop a plan with a time frame and a reliable 
cost estimate for completing VBMS, (2) reduce the incidence of system 
defects present in new releases, (3) assess user satisfaction, and (4) 
establish satisfaction goals to promote improvement. Continued 
attention to these important areas can improve VA's efforts to 
effectively complete the development and implementation of VBMS and, in 
turn, more effectively support the department's processing of 
disability benefit claims.

VA Has Demonstrated Uneven Progress toward Implementing Key FITARA 
    Provisions

    FITARA included provisions for federal agencies to, among other 
things, enhance government-wide acquisition and management of software, 
improve the risk management of IT investments, consolidate data 
centers, and enhance CIOs' authorities. Since its enactment, we have 
reported numerous times on VA's efforts toward implementing FITARA. 
\31\
---------------------------------------------------------------------------
    \31\ GAO 16 494, GAO 16 469, GAO 18 148, GAO 18 264, GAO 18 93.
---------------------------------------------------------------------------
    VA's progress toward implementing key FITARA provisions has been 
uneven. Specifically, VA issued a software licensing policy and has 
generated an inventory of its software licenses to inform future 
investment decisions. However, the department did not fully address 
requirements related to IT investment risk, data center consolidation, 
or CIO authority enhancement.

Software Licensing

    VA has made progress in addressing federal software licensing 
requirements. In May 2014, we reported on federal agencies' management 
of software licenses and stressed that better management was needed to 
achieve significant savings government-wide. \32\ Specifically 
regarding VA, we noted that the department did not have comprehensive 
policies that included the establishment of clear roles and central 
oversight authority for managing enterprise software license 
agreements, among other things. We also noted that it had not 
established a comprehensive software license inventory, a leading 
practice that would help the department to adequately manage its 
software licenses.
---------------------------------------------------------------------------
    \32\ GAO, Federal Software Licenses: Better Management Needed to 
Achieve Significant Savings Government-Wide, GAO 14 413 (Washington, 
D.C.: May 22, 2014).
---------------------------------------------------------------------------
    The inadequate implementation of these and other leading practices 
in software license management was partially due to weaknesses in the 
department's policies related to licensing management. Thus, we made 
six recommendations to VA to improve its policies and practices for 
managing licenses. For example, we recommended that the department 
regularly track and maintain a comprehensive inventory of software 
licenses and analyze the inventory to identify opportunities to reduce 
costs and better inform investment decision making.
    Since our 2014 report, VA has taken actions to implement all six 
recommendations. For example, the department implemented a solution to 
generate and maintain a comprehensive inventory of software licenses 
using automated tools for the majority of agency software license 
spending and/or enterprise-wide licenses. Additionally, the department 
implemented a solution to analyze agency-wide software license data, 
including usage and costs; and it subsequently identified approximately 
$65 million in cost savings over 3 years due to analyzing one of its 
software licenses.

Risk Management

    VA has made limited progress in addressing the FITARA requirements 
related to managing the risks associated with IT investments. In June 
2016, we reported on risk ratings assigned to investments by CIOs. \33\ 
We noted that the department had reviewed compliance with risk 
management practices, but had not assessed active risks when developing 
its risk ratings.
---------------------------------------------------------------------------
    \33\ GAO 16 494.
---------------------------------------------------------------------------
    VA determined its ratings by quantifying and combining inputs such 
as cost and schedule variances, risk exposure values, and compliance 
with agency processes. Metrics for compliance with agency processes 
included those related to program and project management, project 
execution, the quality of investment documentation, and whether the 
investment was regularly updating risk management plans and logs.
    When developing CIO ratings, VA chose to focus on investments' risk 
management processes, such as whether a process was in place or whether 
a risk log was current. Such approaches did not consider individual 
risks, such as funding cuts or staffing changes, which detail the 
probability and impact of pending threats to success. Instead, VA's CIO 
rating process considered several specific risk management criteria: 
whether an investment (1) had a risk management strategy, (2) kept the 
risk register current and complete, (3) clearly prioritized risks, and 
(4) put mitigation plans in place to address risks. As a result, we 
recommended that VA factor active risks into its CIO ratings. We also 
recommended that the department ensure that these ratings reflect the 
level of risk facing an investment relative to that investment's 
ability to accomplish its goals. VA concurred with the recommendations 
and cited actions it planned to take to address them.

Data Center Consolidation

    VA has reported progress on consolidating and optimizing its data 
centers, although this progress has fallen short of targets set by OMB. 
\34\ Specifically, VA reported a total inventory of 415 data centers, 
of which 39 had been closed as of August 2017. \35\ While the 
department anticipated another 10 data centers would be closed by the 
end of fiscal year 2018, these closures fell short of the targets set 
by OMB. Further, while VA reported $23.61 million in data center-
related cost savings and avoidances from 2012 through August 2017, the 
department did not realize further savings from the additional 10 data 
center closures. \36\
---------------------------------------------------------------------------
    \34\ GAO 18 264.
    \35\ VA reported this data in its August 2017 inventory update to 
OMB.
    \36\ For additional information, see Department of Veterans 
Affairs, Office of Inspector General, Lost Opportunities for 
Efficiencies and Savings During Data Center Consolidation, 16-04396-44 
(Washington, D.C.: Jan. 30, 2019). In January 2019, the VA Office of 
the Inspector General released a report that concluded VA had not 
reported a projected 860 facilities as data centers, due to incorrect 
internal agency guidance on what should be classified as a data center. 
The department agreed with the report's associated recommendations to 
develop additional guidance on determining what facilities were subject 
to OMB's data center optimization initiative and to establish a process 
for conducting a VA-wide inventory of data centers. The VA Office of 
Inspector General reports the status of these recommendations as 
closed, based on actions taken by the department.
---------------------------------------------------------------------------
    In addition, as of February 2017, VA reported meeting one of OMB's 
five data center optimization metrics related to power usage 
effectiveness. Also, the department's data center optimization 
strategic plan indicated that VA planned to meet three of the five 
metrics by the end of fiscal year 2018. Further, while OMB directed 
agencies to replace manual collection and reporting of metrics with 
automated tools no later than fiscal year 2018, the department had only 
implemented automated tools at 6 percent of its data centers.
    We have recommended that VA take actions to address data center 
savings goals and optimization performance targets identified by OMB. 
\37\ The department has taken actions to address these recommendations, 
including reporting data center consolidation savings and avoidance 
costs to OMB and updating its data center optimization strategic plan. 
However, the department has yet to address recommendations related to 
areas that we reported as not meeting OMB's established targets, 
including implementing automated monitoring tools at its data centers.
---------------------------------------------------------------------------
    \37\ For other reports on data center consolidation, see GAO, Data 
Center Consolidation: Reporting Can Be Improved to Reflect Substantial 
Planned Savings, GAO 14 713 (Washington, D.C.: Sept. 25, 2014); Data 
Center Consolidation: Agencies Making Progress, but Planned Savings 
Goals Need to Be Established [Reissued on March 4, 2016], GAO 16 323 
(Washington, D.C.: Mar. 3, 2016); Data Center Optimization: Agencies 
Need to Complete Plans to Address Inconsistencies in Reported Savings, 
GAO 17 388 (Washington, D.C.: May 18, 2017); and Data Center 
Optimization: Agencies Need to Address Challenges and Improve Progress 
to Achieve Cost Savings Goal, GAO 17 448 (Washington, D.C.: Aug. 15, 
2017).

---------------------------------------------------------------------------
CIO Authorities

    VA has made limited progress in addressing the CIO authority 
requirements of FITARA. Specifically, in November 2017, we reported on 
agencies' efforts to utilize incremental development practices for 
selected major investments. \38\ We noted that VA's CIO had certified 
the use of adequate incremental development for all 10 of the 
department's major IT investments. However, VA had not updated the 
department's policy and process for the CIO's certification of major IT 
investments' adequate use of incremental development, in accordance 
with OMB's guidance on the implementation of FITARA, as we had 
recommended. As of October 2018, a VA official stated that the 
department was working to draft a policy to address our recommendation, 
but did not identify time frames for when all activities would be 
completed.
---------------------------------------------------------------------------
    \38\ GAO 18 148.
---------------------------------------------------------------------------
    In January 2018, we reported on the need for agencies to involve 
CIOs in reviewing IT acquisition plans and strategies. \39\ We noted 
that VA's CIO did not review IT acquisition plans or strategies and 
that the Chief Acquisition Officer was not involved in the process of 
identifying IT acquisitions.
---------------------------------------------------------------------------
    \39\ GAO 18 42.
---------------------------------------------------------------------------
    Accordingly, we recommended that the VA Secretary ensure that the 
office of the Chief Acquisition Officer is involved in the process to 
identify IT acquisitions. We also recommended that the Secretary ensure 
that the acquisition plans or strategies are reviewed and approved in 
accordance with OMB guidance. The department concurred with the 
recommendations and, in a May 2018 update, provided a draft process map 
that depicted its forthcoming acquisition process. However, as of March 
2019, this process had not yet been finalized and implemented.
    In August 2018, we reported that the department had only fully 
addressed two of the six key areas that we identified-IT Leadership and 
Accountability and Information Security. \40\ The department had 
partially addressed IT Budgeting, minimally addressed IT Investment 
Management, and had not at all addressed IT Strategic Planning or IT 
Workforce. Thus, we recommended that the VA Secretary ensure that the 
department's IT management policies address the role of the CIO for key 
responsibilities in the four areas we identified. The department 
concurred with the recommendation and acknowledged that many of the 
responsibilities provided to the CIO were not explicitly formalized by 
VA policy.
---------------------------------------------------------------------------
    \40\ Based on our reviews of FITARA and other relevant laws and 
guidance, we identified 35 key CIO IT management responsibilities and 
categorized them in six management areas for this report. GAO 18 93.

---------------------------------------------------------------------------
VA's Cybersecurity Management Lacks Key Elements

    In December 2018, we reported on the effectiveness of the 
government's approach and strategy for securing its systems. \41\ The 
federal approach and strategy for securing information systems is 
prescribed by federal law and policy, including FISMA and the 
presidential executive order on Strengthening the Cybersecurity of 
Federal Networks and Critical Infrastructure. \42\
---------------------------------------------------------------------------
    \41\ GAO 19 105.
    \42\ The White House, Strengthening the Cybersecurity of Federal 
Networks and Critical Infrastructure, Executive Order 13800 
(Washington, D.C.: May 11, 2017), 82 Fed. Reg. 22391 (May 16, 2017).
---------------------------------------------------------------------------
    Accordingly, federal reports describing agency implementation of 
this law and policy, and reports of related agency information security 
activities, indicated VA's lack of effectiveness in its efforts to 
implement the federal approach and strategy. Our December 2018 report 
identified that the department was deficient or had material weaknesses 
in all four indicators of departments' effectiveness in implementing 
the federal approach and strategy for securing information systems. 
Specifically, VA was not effective in the Inspector General Information 
Security Program Ratings, was found to have material weaknesses in the 
Inspector General Internal Control Deficiencies over Financial 
Reporting, did not meet CIO Cybersecurity Cross-Agency Priority Goal 
Targets, and had enterprises that were at risk according to OMB 
Management Assessment Ratings.

High-Impact Systems

    We reported on federal high-impact systems-those that hold 
sensitive information, the loss of which could cause individuals, the 
government, or the nation catastrophic harm-in May 2016. \43\ We noted 
that VA had implemented numerous controls, such as completion of risk 
assessments, over selected systems. However, the department had not 
always effectively implemented access controls, patch management, and 
contingency planning to protect the confidentiality, integrity and 
availability of these high-impact systems. These weaknesses existed in 
part because the department had not effectively implemented elements of 
its information security program.
---------------------------------------------------------------------------
    \43\ GAO 16 501.
---------------------------------------------------------------------------
    We made five recommendations to VA to improve its information 
security program. The department concurred with the recommendations 
and, as of March 2019, had implemented three of the five 
recommendations.

Cybersecurity Workforce

    Our March 2019 report on the federal cybersecurity workforce 
indicated that VA was not accurately categorizing positions to 
effectively identify critical staffing needs. \44\ The Federal 
Cybersecurity Workforce Assessment Act of 2015 required agencies to 
assign the appropriate work role codes to each position with 
cybersecurity, cyber-related, and IT functions. Agencies were to assign 
a code of ``000'' only to positions that did not perform IT, 
cybersecurity, or cyber-related functions.
---------------------------------------------------------------------------
    \44\ GAO 19 144.
---------------------------------------------------------------------------
    As we reported, VA had assigned a ``000'' code to 3,008 (45 
percent) of its 6,636 IT positions. Human resources and IT officials 
from the department stated that they may have assigned the ``000'' code 
in error and that they had not completed the process to validate the 
accuracy of their codes.
    We recommended that VA take steps to review the assignment of the 
``000'' code to any of the department's positions in the IT management 
occupational series and assign the appropriate work role codes. VA 
concurred with the recommendation and indicated that it was in the 
process of conducting a cyber coding review.
    In conclusion, VA has long struggled to overcome IT management 
challenges, which have resulted in a lack of system capabilities needed 
to successfully implement critical initiatives. In this regard, VA is 
set to begin deploying its new electronic health record system in less 
than 1 year and questions remain regarding the governance structure for 
the program. Thus, it is more important than ever for the department to 
ensure that it is managing its IT budget in a way that addresses the 
challenges we have identified in our previous reports and high-risk 
updates. If the department continues to experience the challenges that 
we have previously identified, it may jeopardize its fourth attempt to 
modernize its electronic health record system.
    Additionally, the department has been challenged in fully 
implementing provisions of FITARA, which has limited its ability to 
improve its management of IT acquisitions. Until the department 
implements the act's provisions, Congress will be unable to effectively 
monitor VA's progress and hold it accountable for reducing duplication 
and achieving cost savings. Further, the lack of key cybersecurity 
management elements at VA is concerning given that agencies' systems 
are increasingly susceptible to the multitude of cyber-related threats 
that exist. As VA continues to pursue modernization efforts, it is 
critical that the department take steps to adequately secure its 
systems.
    Chair Lee, Ranking Member Banks, and Members of the Subcommittee, 
this completes my prepared statement. I would be pleased to respond to 
any questions that you may have.

GAO Contact and Staff Acknowledgments

    If you or your staffs have any questions about this testimony, 
please contact Carol C. Harris, Director, Information Technology 
Management Issues, at (202) 512-4456 or [email protected]. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this testimony statement. GAO staff who made 
key contributions to this testimony are Mark Bird (Assistant Director), 
Eric Trout (Analyst in Charge), Justin Booth, Rebecca Eyler, Katherine 
Noble, Scott Pettis, Christy Tyson, and Kevin Walsh.
                             GAO HIGHLIGHTS
Why GAO Did This Study

    The use of IT is crucial to helping VA effectively serve the 
nation's veterans. Each year the department spends billions of dollars 
on its information systems and assets. However, VA has experienced 
challenges in managing its IT programs, raising questions about its 
ability to deliver intended outcomes needed to help advance the 
department's mission. To improve federal agencies' IT acquisitions, in 
December 2014 Congress enacted FITARA. GAO has previously reported on 
IT management challenges at VA, as well as its progress in implementing 
FITARA and cybersecurity requirements.
    GAO was asked to summarize key results and recommendations from its 
work at VA that examined systems modernization efforts, FITARA 
implementation, and cybersecurity efforts.
    To do so, GAO reviewed its recently issued reports and incorporated 
information on the department's actions in response to GAO's 
recommendations.

What GAO Recommends

    GAO has made numerous recent recommendations to VA aimed at 
improving the department's IT management. VA has generally agreed with 
the recommendations and has taken steps to address them; however, the 
department has fully implemented less than half of them. Fully 
implementing all of GAO's recommendations would help VA ensure that its 
IT effectively supports the department's mission.
    View GAO-19-476T. For more information, contact Carol C. Harris at 
(202) 512-4456 or [email protected].

What GAO Found
    The Department of Veterans Affairs (VA) has made limited progress 
toward addressing information technology (IT) system modernization 
challenges.

      From 2001 through 2018, VA pursued three efforts to 
modernize its health information system-the Veterans Health Information 
Systems and Technology Architecture (VistA). However, these efforts 
experienced high costs, challenges to ensuring interoperability of 
health data, and ultimately did not result in a modernized VistA. 
Regarding the department's fourth and most recent effort, the 
Electronic Health Record Modernization, GAO recently reported that the 
governance plan for this program was not yet defined. VA has not fully 
implemented GAO's recommendation calling for the department to define 
the role of a key office in the governance plans.
      The Family Caregiver Program, which was established to 
support family caregivers of seriously injured post-9/11 veterans, has 
not been supported by an effective IT system. Specifically, GAO 
reported that, due to limitations with the system, the program office 
did not have ready access to the types of workload data that would 
allow it to routinely monitor workload problems created by the program. 
GAO recommended that VA expedite the process for identifying and 
implementing an IT system. Although the department concurred with the 
recommendation, VA has not yet fully addressed it.
      VA had developed the Veterans Benefits Management System-
its system that is used for processing disability benefit claims; 
however, the system did not fully support disability and pension 
claims, as well as appeals processing. GAO made five recommendations 
for VA to improve its efforts to effectively complete the development 
and implementation of the system. The department concurred with the 
recommendations but has implemented only one thus far.

    VA has demonstrated uneven progress toward fully implementing GAO's 
recommendations related to key Federal Information Technology 
Acquisition Reform Act (FITARA) provisions. Specifically, VA has 
implemented all six recommendations in response to GAO's 2014 report on 
managing software licenses, leading to, among other things, savings of 
about $65 million over 3 years. However, the department has not fully 
addressed two recommendations from GAO's 2016 report on managing the 
risks of major IT investments. Further, the department has not 
implemented (1) two of four recommendations related to its effort to 
consolidate data centers and (2) GAO's four recommendations to increase 
the authority of its Chief Information Officer.
    VA's management of cybersecurity has also lacked key elements. For 
example, GAO reported in May 2016 that VA had established numerous 
security controls, but had not effectively implemented key elements of 
its information security program. In addition, as GAO reported in March 
2019, the department had not accurately categorized positions to 
effectively identify critical staffing needs for its cybersecurity 
workforce. VA has implemented three of six cybersecurity-related 
recommendations from these two reports.

                                 
                             Brent Arronte
    Madam Chair, Ranking Member Banks, and members of the Subcommittee, 
thank you for the opportunity to discuss the Office of Inspector 
General's (OIG's) oversight of VA's Office of Information and 
Technology (OIT). Our statement will focus on the effectiveness of VA's 
information security program, the progress made, and challenges VA 
continues to face in developing the information technology (IT) systems 
needed to effectively carry out their mission. We base our conclusions 
on OIG reports on VA's information security program and our ongoing 
oversight of IT systems development and management. I am accompanied by 
Mr. Michael Bowman, Director of the OIG's Information Technology and 
Security Audits Division.

BACKGROUND

    Since 2000, the OIG has identified information management as a 
major management challenge because VA has a history of not properly 
planning and managing its critical IT investments. \1\
---------------------------------------------------------------------------
    \1\ Office of Inspector General 2018 Major Management Challenges, 
November 2018.
---------------------------------------------------------------------------
    For fiscal year (FY) 2020, VA requested a total IT investment of 
$4.3 billion to fund information system security, system development 
initiatives, and system operations and maintenance.
    IT systems and networks are critical to VA in carrying out its 
mission of providing medical care and a range of benefits and services 
to veterans and their families. Ensuring the secure operation of these 
systems and networks is essential given the wide availability and 
effectiveness of internet-based hacking tools. Lack of proper 
safeguards renders these systems and networks vulnerable to intrusions 
by groups seeking to obtain sensitive information, commit fraud, 
disrupt operations, or launch attacks against other VA systems. VA has 
previously reported security incidents in which sensitive information, 
including personally identifiable information, has been lost or stolen, 
potentially exposing millions of veterans and their families to the 
loss of privacy, identity theft, and other financial crimes. \2\
---------------------------------------------------------------------------
    \2\ Review of Issues Related to the Loss of VA Information 
Involving the Identity of Millions of Veterans, July 11, 2006.

---------------------------------------------------------------------------
MAJOR CHALLENGES FACING OIT

    OIG audits have consistently shown that IT systems development is a 
challenge for VA. Projects are susceptible to cost overruns, schedule 
slippages, performance problems, and in some cases, complete failure. 
The OIG has identified significant control deficiencies in the IT areas 
of security, project management, and system development that are 
discussed in more detail below. By continuing to identify deficiencies, 
make recommendations, and oversee implementation plans, the OIG's goal 
is to help VA:

      Strengthen areas of IT security weakness to effectively 
safeguard veterans' personal information and benefits.
      Properly plan and manage IT projects to deliver a timely 
and cost-effective product that adequately satisfies the needs of VA 
staff.

IT Security

    VA's fundamental mission of providing benefits and services to 
veterans is dependent on deploying secure IT systems and networks. VA's 
information security program and its practices must be designed to 
protect the confidentiality, integrity, and availability of VA systems 
and data.
    Federal Information Security Management Act of 2002 Audit. The 
Federal Information Security Management Act of 2002 (FISMA) requires 
that agencies and their affiliates, such as government contractors, 
develop, document, and implement an organization-wide security program 
for their systems and data. In FY 2018, the OIG's contractors completed 
audits to review the extent to which VA had appropriate IT safeguards 
in place. \3\ The audit concluded that VA has made progress producing, 
documenting, and distributing policies and procedures as part of its 
program. However, VA continues to face hurdles implementing components 
of its agencywide information security risk management program to meet 
FISMA requirements.
---------------------------------------------------------------------------
    \3\ Federal Information Security Modernization Act Audit for Fiscal 
Year 2018, March 12, 2019.
---------------------------------------------------------------------------
    Significant deficiencies persist related to system access controls, 
system configuration management controls, system hardware and software 
change management controls, as well as system disaster recovery 
practices designed to protect mission-critical systems from 
unauthorized access, alteration, or destruction. To address these 
deficiencies, VA must prioritize remediation of these security 
weaknesses, as ongoing delays in implementing effective corrective 
actions may contribute to the continued reporting of an information 
technology material weakness in VA's financial statements. The FY 2018 
FISMA report contained 28 recommendations to the Assistant Secretary 
for Information and Technology for improving VA's information security 
program. These recommendations focused on improving the following 
security domains:

      System access controls to include password standards and 
user account reviews
      System configuration management controls to include 
timely system security updates
      Information security management controls such as 
consistently updating Plans of Action and Milestones and System 
Security Plans
      System disaster recovery practices for critical systems

    The Principal Deputy Assistant Secretary for Information and 
Technology concurred with 25 of 28 recommendations and provided 
acceptable action plans. While the Principal Deputy Assistant Secretary 
did not concur with three recommendations, the OIG believes these 
recommendations warrant further attention from VA and will follow up on 
these issues during the FY 2019 FISMA audit.
    Use of Unauthorized Databases. The OIG conducted a review in 
response to anonymously reported allegations that the VA Long Beach 
Healthcare System (the system) in California was maintaining an 
unauthorized Microsoft Access database, the unauthorized database 
hosted Sensitive Personal Information (SPI), and all of the Veterans 
Health Administration's 24 Spinal Cord Injury Centers had access to the 
database through a Microsoft SharePoint intranet portal. \4\ The 
complaint also stated that unsecured veteran SPI was stored on a server 
outside of VA's protected network environment. The OIG substantiated 
the allegation related to the unauthorized database at the system. 
Consistent with the allegation, the OIG found multiple instances of 
databases that hosted SPI in violation of VA policy. The OIG also 
substantiated that veteran SPI was hosted on an external server, 
located at the University of Southern California, without a formal Data 
Use Agreement authorizing such activity. In addition, the review team 
noted this server could be accessed from the internet using default 
logon credentials. The OIG recommended the Under Secretary for Health 
ensure that the Spinal Cord Injury and Disorders program staff comply 
with VA's Privacy Program and information security requirements for all 
sensitive veteran data collected, the Executive Director for the 
National Spinal Cord Injury Program Office discontinue storing SPI in 
unauthorized Microsoft Access databases, and the Acting Assistant 
Secretary for Information and Technology ensure that Field Security 
Services and VA's Privacy Service implement improved procedures to 
identify unauthorized uses of SPI and take appropriate corrective 
actions. The three responsible offices concurred with the 
recommendations. VA provided corrective action plans that were 
responsive to the recommendations. Based upon our review of VA's 
corrective actions, the OIG has closed all report recommendations.
---------------------------------------------------------------------------
    \4\ Review of Alleged Unsecured Patient Database at the VA Long 
Beach Healthcare System, March 28, 2018.

---------------------------------------------------------------------------
IT Project Management and System Development

    VA must continue to invest in and improve IT project management and 
system development so that future initiatives and major projects can 
experience more efficient and seamless rollouts. To the extent that VA 
does not properly plan and manage these IT investments, they risk 
overrunning projected costs and delivering products that do not 
consistently align with user requirements.
    Real Time Location System Review. The OIG conducted a review based 
on concerns of contract mismanagement involving the development and 
implementation of the Real Time Location System (RTLS), a product that 
uses multiple technologies for locating and tracking medical equipment. 
\5\ At the time of the review, VA was in the process of deploying RTLS 
at all medical facilities nationwide. The team determined that 
management failed to comply with VA policy and guidance when it 
deployed RTLS assets without appropriate project oversight. 
Specifically, the OIG concluded the RTLS Project Management Office 
(PMO) did not follow guidance to use an incremental project management 
approach during the acquisition and deployment of RTLS assets to 
compensate for numerous known project management risks. Consequently, 
the RTLS PMO did not ensure the vendor could meet contracted 
functionality requirements on the initial $7.5 million task order, such 
as accurate asset tracking, before ultimately committing a total of 
$431 million to the same vendor for further RTLS deployments. The OIG 
reported that management failed to provide effective oversight of the 
RTLS project from acquisition through development and implementation to 
ensure the product was successfully deployed.
---------------------------------------------------------------------------
    \5\ Review of Alleged Mismanagement of VA's Real Time Location 
System Project, December 19, 2017.
---------------------------------------------------------------------------
    The OIG also reported that VA deployed RTLS assets without meeting 
VA's information security requirements. Specifically, RTLS assets were 
deployed without the appropriate system authorizations needed to 
connect such devices to VA's network. This inadequate oversight of RTLS 
risk management activities left VA mission-critical systems and data 
susceptible to unauthorized access, loss, or disclosure. Consequently, 
VA's internal network faced unnecessary risks resulting from untested 
RTLS system security controls. In response to the OIG's findings, the 
Acting Assistant Secretary reported that OIT will conduct risk 
assessments prior to future deployments and will enforce the use of 
incremental project management to ensure an adequate return on 
investment. VA provided corrective action plans that were responsive to 
the OIG's recommendations. Based upon its review of VA's corrective 
actions, the OIG has closed all report recommendations.
    Data Center Consolidation. The OIG conducted an audit to determine 
whether VA met the data center requirements of the Federal Information 
Technology Acquisition Reform Act (FITARA). \6\ Specifically, the OIG 
assessed whether VA accurately identified and reported data center 
inventories, achieved cost savings, and met the Office of Management 
and Budget's Data Center Optimization Initiative (DCOI) targets for 
data centers at existing VA facilities. The OIG found that VA faced 
several challenges in identifying data centers VA-wide, establishing a 
sufficient plan to achieve cost savings and avoidance targets, and 
meeting optimization metrics and closures. The OIG determined that all 
VA data centers were not accurately reported to OMB and VA's strategic 
plan was inconsistent with DCOI requirements due to missing and 
incomplete information. Without an accurate inventory of data centers 
or a credible plan to increase operational efficiency and achieve cost 
savings, VA will continue to operate in an IT environment that is at 
greater risk for duplication and waste. The OIG made five 
recommendations, and the Principal Deputy Assistant Secretary for IT 
concurred and has provided an acceptable action plan for four of the 
five recommendations.
---------------------------------------------------------------------------
    \6\ Lost Opportunities for Efficiencies and Savings During Data 
Center Consolidation, January 30, 2019.
---------------------------------------------------------------------------
    Veterans Benefits Management System. A key part of the Veterans 
Benefits Administration's (VBA's) modernization efforts involved 
replacing its paper-based claims process with an automated solution 
that integrates commercial and government off-the-shelf web-based 
technology and improved business practices. VBA and OIT jointly 
developed the Veterans Benefits Management System (VBMS).

      In 2015, the OIG reviewed how effectively VA was managing 
the cost, performance, and schedule of VBMS development. \7\ While the 
OIG found that VA stayed on schedule in deploying planned VBMS 
functionality to all VA regional offices, VBMS costs increased 
significantly, more than doubling from about $579.2 million to 
approximately $1.3 billion from 2009 to 2015. The increases were due to 
inadequate cost control, unplanned changes in system and business 
requirements, and inefficient contracting practices. As a result, VA 
could not ensure an effective return on its investment and total actual 
system development costs remained unknown. The OIG recommended the 
Executive in Charge for OIT, in conjunction with the Under Secretary 
for Benefits, define and stabilize system and business requirements, 
address system performance problems, deploy required functionality to 
process claims end-to-end, and institute metrics needed to identify and 
ensure progress toward meeting stated goals. While this report is from 
2015, it highlights issues with IT project management that VBA 
continues to face.
---------------------------------------------------------------------------
    \7\ Follow-up Review of VA's Veterans Benefits Management System, 
September 14, 2015.

    In recent OIG reports on the processing of disability claims, the 
OIG found that VBMS functionality issues have contributed to concerns 
---------------------------------------------------------------------------
related to the processing of benefits.

      In a review of whether VBA staff assigned correct 
effective dates on claims for compensation benefits with an intent to 
file, the OIG determined that inaccurate dates for these claims 
partially occurred because VBMS lacked the needed functionality to 
assist rating personnel when assigning effective dates for benefits 
based on intent to file claims. \8\ The intent to file allows claimants 
the opportunity to provide minimal information related to the benefit 
sought and gives them up to one year to submit a complete claim. The 
OIG found that VBA assigned incorrect effective dates for approximately 
17 percent of compensation benefits with receipt of the intent to file 
from claimants. VBA concurred with the OIG's recommendation related to 
functionality and indicated a correction is due in late 2019.
---------------------------------------------------------------------------
    \8\ Processing Inaccuracies Involving Veterans' Intent to File 
Submissions for Benefits, August 21, 2018.
---------------------------------------------------------------------------
      In a review to determine whether VBA employees required 
disabled veterans to submit to unwarranted medical reexaminations, the 
OIG also found VBMS functionality issues. \9\ The OIG determined that 
many unwarranted medical reexaminations occurred because VBMS did not 
have the functionality to prevent the scheduling of reexaminations in 
cases that met the exemption criteria. While reexaminations are 
important in certain situations to ensure taxpayer dollars are 
appropriately spent, unwarranted reexaminations cause undue hardship 
for veterans. They also generate excessive work, resulting in 
significant costs and the diversion of VA personnel from veteran care 
and services. VBA concurred with the OIG's recommendation and stated 
that VBA and OIT are in the process of developing automated examination 
request requirements and anticipate full functionality in FY 2019, 
pending prioritization and approval of new development efforts.
---------------------------------------------------------------------------
    \9\ Unwarranted Medical Reexaminations for Disability Benefits, 
July 17, 2018.

    Forever GI Bill. In March 2019, the OIG released an issue statement 
in response to allegations that VA planned to withhold retroactive 
payments for missed or underpaid monthly housing stipends that it 
failed to pay students under the Harry W. Colmery Veterans Education 
Assistance Act, also known as the Forever GI Bill. \10\ Given the 
impact of delayed or incorrect payments on veterans and congressional 
concerns, the OIG examined VA's timeline of early implementation 
actions and the impediments to meeting Forever GI Bill mandates. The 
OIG found that VBA failed to modify their electronic systems, such as 
the Long-Term Solution application, by the required implementation date 
to make accurate housing allowance payments under sections 107 and 501 
of the law. VA also lacked an accountable official to oversee the 
project during most of the effort. Ineffective program management 
resulted in unclear communication of implementation progress and 
inadequately defined expectations, roles, and responsibilities of the 
various VA business lines and contractors involved. \11\ The OIG also 
found that approximately 10 months passed from the time Congress 
enacted the Forever GI Bill until VA received the initial software 
development release and began testing the system modifications to VA's 
Long-Term Solution application in order to address sections 107 and 501 
of the law.
---------------------------------------------------------------------------
    \10\ Forever GI Bill: Early Implementation Challenges, March 20, 
2019.
    \11\ The VA business lines and contractors involved include OIT, 
VBA Education Service, VBA Office of Business Process Integration, Booz 
Allen Hamilton, and VA leaders.

---------------------------------------------------------------------------
ONGOING OVERSIGHT INITIATIVES

    OIG engagements that are planned or underway will provide 
additional oversight of VA's IT management and IT security programs.
    The FY 2019 FISMA audit will determine the extent to which VA's 
information security program and practices comply with FISMA 
requirements. This annual audit will evaluate selected management, 
technical, and operational controls supporting 49 selected major 
applications and general support systems hosted at 25 VA facilities, 
including VA's four major data centers. As previously discussed, in 
2018 the OIG reported that VA has made progress developing, 
documenting, and distributing policies and procedures as part of its 
program. However, VA still faces challenges implementing components of 
its agency-wide information security risk management program to meet 
FISMA requirements. The OIG's 2019 audit will determine whether VA's 
improvement efforts are adequate to remove the IT material weakness 
from the OIG's report on VA's financial statements.
    The OIG is also conducting an audit to determine whether VA has 
implemented key elements of FITARA Section 831, Chief Information 
Officer Authority Enhancements. Specifically, this audit will evaluate 
the extent to which the Chief Information Officer met requirements to: 
(1) review and approve all IT asset and service acquisitions across the 
VA enterprise; and (2) participate in VA's IT planning, programming, 
budgeting, and execution, including governance, oversight, and 
reporting.
    The OIG is monitoring many facets of VA's Electronic Health Record 
Modernization project, implementation of the MISSION Act, and other IT 
initiatives. As VA moves forward with these projects, the OIG will 
track the progress made and determine the most efficient and useful 
ways to provide oversight of VA's ongoing work.

CONCLUSION

    Advances in IT enable VA to more effectively deliver benefits and 
services to our nation's veterans and their families. It is imperative 
that VA maintain secure systems and properly develop new systems. Until 
a proven process is in place to ensure control across the enterprise, 
the IT material weakness will remain and VA's mission-critical systems 
and sensitive veterans' data will be at risk of attack or compromise. 
While VA has made recent improvements in information management, more 
work remains to be done and VA must continue to address OIG 
recommendations related to the security and development of IT systems. 
The OIG will continue to conduct oversight of OIT initiatives and major 
projects to ensure they are secured, developed, and managed 
appropriately.
    Madam Chair, this concludes my statement. We would be happy to 
answer any questions you or other members of the Subcommittee may have.

                                 [all]