VA Information Technology: Management Making Important Progress  
in Addressing Key Challenges (26-SEP-02, GAO-02-1054T). 	 
                                                                 
In March of this year, GAO testified before the House		 
Subcommittee on Oversight and Investigations, Committee on	 
Veterans' Affairs, about the Department of Veterans Affairs' (VA)
information technology (IT) program, and the strides that the	 
Secretary had made in improving departmental leadership and	 
management of this critical area--including the hiring of a chief
information officer. At the Subcommittee's request, GAO evaluated
VA's new IT organizational structure, and provided an update on  
VA's progress in addressing other specific areas of IT concern	 
and our related recommendations pertaining to enterprise	 
architecture, information security, the Veterans Benefits	 
Administration's replacement compensation and pension payment	 
system and maintenance of the Benefits Delivery Network, and the 
government computer-based patient record initiative.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-1054T					        
    ACCNO:   A05191						        
  TITLE:     VA Information Technology: Management Making Important   
Progress in Addressing Key Challenges				 
     DATE:   09/26/2002 
  SUBJECT:   Information resources management			 
	     Information technology				 
	     Medical information systems			 
	     Computer security					 
	     Information systems				 
	     Federal Health Information Exchange		 
	     Program						 
                                                                 
	     VA Information Technology Program			 
	     DOD/IHS/VA Government Computer-Based		 
	     Patient Record Project				 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-1054T

Testimony Before the Subcommittee on Oversight and Investigations,
Committee on Veterans* Affairs, House Representatives

United States General Accounting Office

GAO For Release on Delivery Expected at 10 a. m. EDT Thursday, September
26, 2002

VA INFORMATION TECHNOLOGY

Management Making Important Progress in Addressing Key Challenges

Statement of Joel C. Willemssen Managing Director, Information Technology
Issues

GAO- 02- 1054T

Why GAO Did This Study

In March of this year, GAO testified before the Subcommittee about the
Department of Veterans Affairs* (VA) information technology (IT) program,
and the strides that the Secretary had made in improving departmental
leadership and management of this critical area* including the hiring of a
chief information officer.

At the Subcommittee*s request, GAO evaluated VA*s new IT organizational
structure, and provided an update on VA*s progress in addressing other
specific areas of IT concern and our related recommendations pertaining to

 enterprise architecture,  information security,  the Veterans Benefits

Administration*s replacement compensation and pension payment system and
maintenance of the Benefits Delivery Network, and

 the government computerbased patient record initiative.

September 26, 2002 VA INFORMATION TECHNOLOGY Management Making Important
Progress in Addressing Key Challenges

This is a test for developing highlights for a GAO report. The full
testimony, including GAO's objectives, scope, methodology, and analysis,
is available at www. gao. gov/ cgi- bin/ getrpt? GAO- 02- 1054T. For
additional information about the testimony, contact Joel C. Willemssen
(202- 512- 6253) or at

[email protected] gao. gov. To provide comments on this test highlights,
contact Keith Fultz (202- 512- 3200) or email [email protected] gao. gov.
Highlights of GAO- 02- 1054T, testimony before the Subcommittee on
Oversight and Investigations,

Committee on Veterans' Affairs, House of Representatives United States
General Accounting Office

What GAO Found

Since our March testimony, VA has made important progress in its overall
management of information technology. For example, the Secretary*s
decision to centralize IT functions, programs, and funding under the
department- level CIO holds great promise for improving the accountability
and management of IT spending* currently over $1 billion per year. But in
this as well as the other areas of prior weakness, the strength of VA*s
leadership and continued management commitment to achieving improvements
will ultimately determine the department*s degree of success. As for its
progress in other areas:

 Enterprise architecture. The Secretary recently approved the initial,
*as is* version of this blueprint for evolving its information systems,
focused on defining the department*s current environment for selected
business functions. VA still, however, needs to select a permanent chief
architect and establish a program office to facilitate, manage, and
advance this effort.

 Information security. Steps have been taken that should help provide a
more solid foundation for detecting, reporting, and responding to security
incidents. Nonetheless, the department has not yet fully implemented a
comprehensive computer security management program that includes a process
for routinely monitoring and evaluating the effectiveness of security
policies and controls, and acting to address identified vulnerabilities.

 Compensation and pension payment system. While some actions have been
taken, after more than 6 years, full implementation of this system is not
envisioned before 2005; this means that the 3.5 million payments that VA
makes each month will continue to depend on its present, aging system.

 Government computer- based patient record initiative. VA and the
Department of Defense have reported some progress in achieving the
capability to share patient health care data under this program. Since
March, the agencies have formally renamed the initiative the Federal
Health Information Exchange and have begun implementing a more narrowly
defined strategy involving a one- way information transfer from Defense to
VA; a two- way exchange is planned by 2005. G A O Accountability Integrity
Reliability

Highlights

Page 1 GAO- 02- 1054T

Mr. Chairman and Members of the Subcommittee: Thank you for inviting us to
take part in your discussion of the Department of Veterans Affairs* (VA)
information technology (IT) program. Information technology continues to
play an integral and substantial role in helping VA effectively serve our
nation*s veterans, with the department spending more than a billion
dollars annually in support of its information technology operations. As
you are well aware, however, the department has been challenged in its
efforts to effectively manage its information technology to produce
results and achieve optimal agency performance.

Our testimony last March noted important strides by the Secretary of
Veterans Affairs to improve the department*s IT leadership and management,
including the hiring of a chief information officer (CIO) to lead the
program and a commitment to reform how the department uses information
technology. 1 Since that time, the Secretary has taken additional steps
toward achieving improvements in key areas of IT performance, including
recently announcing a realignment of the way in which the department is
organized to carry out its information technology mission.

At your request, we will discuss today this new organizational structure
and resulting changes in the role of VA*s CIO. In addition we will provide
an update of the department*s progress since March in addressing specific
weaknesses in its overall information technology program, including the
status of its actions to

 develop an enterprise architecture,  improve information security, 
implement the Veterans Benefits Administration*s (VBA) veterans service

network (VETSNET) replacement compensation and pension payment system and
maintain the existing Benefits Delivery Network, and  implement jointly
with the Department of Defense and Indian Health

Service the government computer- based patient record initiative. In
conducting this work we analyzed relevant documentation and interviewed
key agency officials to identify and assess VA*s decisions and

1 U. S. General Accounting Office, VA Information Technology: Progress
Made, but Continued Management Attention Is Key to Achieving Results, GAO-
02- 369T (Washington, D. C.: Mar. 13, 2002).

Page 2 GAO- 02- 1054T

actions since March to improve its information technology management. We
reviewed available documentation discussing the department*s plans and
strategies for realigning its information technology structure. We also
examined its enterprise architecture strategy as well as steps being taken
to strengthen computer security management departmentwide. Further, we
conducted site visits at the Veterans Benefits Administration*s regional
office in Salt Lake City to assess the current use of VETSNET in
processing compensation and pension benefits claims; and at the VA medical
center in Washington, D. C., to observe data retrieval capabilities of the
Federal Health Information Exchange (formerly the government computer-
based patient record initiative). We performed our work in accordance with
generally accepted government auditing standards, in August and September
of this year.

Over the past 6 months, VA has shown clear progress in addressing some of
the critical weaknesses that have plagued its management of information
technology. The Secretary of Veterans Affairs and other top agency leaders
have continued to make important strides in improving key areas of IT
performance. Nonetheless, some aspects of the department*s information
technology environment continue to be particularly challenging and to
require substantial management attention. As the department proceeds,
ensuring sound project management and oversight will continue to be
essential to advancing its efforts.

Accountability for its information technology investments should be well
served by VA*s recently announced realignment of its information
technology structure. Although yet to be finalized, the Secretary*s
decision to centralize information technology functions, programs, and
funding under the department- level CIO shows promise for improving IT
accountability and enabling the department to implement its One VA vision.
2 The additional oversight afforded the CIO could have a significant
impact on the department*s ability to more effectively capture and manage
its IT spending.

2 According to the department, the *One VA* vision describes how it will
use information technology in versatile new ways to improve services and
enable VA employees to help customers more quickly and effectively. It
stems from the recognition that veterans think of VA as a single entity,
but often encounter a confusing, bureaucratic maze of uncoordinated
programs that put them through repetitive and frustrating administrative
procedures and delays. Results in Brief

Page 3 GAO- 02- 1054T

Beyond its actions to establish greater accountability in this area, the
department continues to make important progress in developing its
departmentwide enterprise architecture* the blueprint for evolving its
information systems and developing new systems that optimize their mission
value. The Secretary recently approved the initial version of VA*s
enterprise architecture, focused on defining the department*s current, *as
is* and desired, *to be* target environments for selected business
functions. Nonetheless, VA must still accomplish critical actions to
ensure successful completion of its architecture. For example, to achieve
a sound program management structure, it needs to select a permanent chief
architect and establish a program office to facilitate, manage, and
advance this effort.

In another critical area, the department continues to make progress in
strengthening its information security. It has taken actions that should
help provide a more solid foundation for detecting, reporting, and
responding to security incidents. Among these actions, it has contracted
to expand departmentwide incident response and analysis capabilities,
including enhancing security monitoring and detection. Nonetheless, the
department has not yet fully implemented a comprehensive computer security
management program that includes a process for routinely monitoring and
evaluating the effectiveness of security policies and controls and
addressing identified vulnerabilities. Further, VA*s offices self- report
computer security weaknesses, and it lacks an independent component to
ensure the accuracy of reporting and validation of corrective actions
taken.

Conversely, the department is not making as much progress in addressing
the challenges associated with implementing its VETSNET compensation and
pension replacement payment system. Specifically, after more than 6 years,
the department still has significant work to accomplish, and could be
several years from fully implementing the system. Complete implementation
is not anticipated until 2005, thus requiring continued reliance on the
aging Benefits Delivery Network to provide the more than 3.5 million
payments that VA must make to veterans each month.

Finally, VA and DOD have made some progress in achieving the capability to
share patient health care data begun under the government computerbased
patient record (GCPR) initiative. This progress was achieved as part of a
substantially revised, scaled- down strategy. As part of this new strategy
that the two agencies have now implemented, clinicians in VA medical
facilities throughout the country have access to health information on
more than a million separated service personnel.

Page 4 GAO- 02- 1054T

Successful implementation of VA*s information technology program requires
strong leadership and management to help define and guide the department*s
plans and actions. The Paperwork Reduction Act of 1980 and the Clinger-
Cohen Act of 1996 3 articulate the importance of CIOs in promoting
improvements in their agencies* work processes and making sound investment
decisions that effectively align IT projects with the organization*s
business planning and measurement processes. To be successful in this
role, CIOs must build credible organizations and develop and organize
information management capabilities to meet agency mission needs.

With the hiring of a department- level CIO in August 2001, VA took a
significant step toward addressing critical and longstanding weaknesses in
its management of information technology. Our prior work has highlighted
some of the challenges that the CIO faced as a result of the way in which
the department was organized to carry out its information technology
mission. 4 Among these challenges was that information systems and
services were highly decentralized, with the VA administrations and staff
offices controlling a majority of the department*s information technology
budget. As illustrated in figure 1, out of the approximately $1.25 billion
fiscal year 2002 information technology budget, the Veterans Health
Administration (VHA) oversaw approximately $1.02 billion, VBA
approximately $158.3 million, and the National Cemetery Administration
(NCA) approximately $5.87 million. The remaining $60.2 million was
controlled at the department level.

3 44 U. S. C. 3506 and P. L. 104- 106, Section 5125, respectively. 4 U. S.
General Accounting Office, VA Information Technology: Important
Initiatives Begun, Yet Serious Vulnerabilities Persist, GAO- 01- 550T
(Washington, D. C.: Apr. 4, 2001) and GAO- 02- 369T. IT Realignment

Increases Authority and Oversight of VA*s Chief Information Officer

Page 5 GAO- 02- 1054T

Figure 1: Breakdown of VA*s $1.25 Billion Information Technology Budget
(fiscal year 2002)

Source: GAO analysis.

In addition, our testimony in March noted that there was neither direct
nor indirect reporting to VA*s cyber security officer* the department*s
senior security official* thus raising questions about this person*s
ability to enforce compliance with security policies and procedures and
ensure accountability for actions taken throughout the department. The
more than 600 information security officers in VA*s three administrations
and its many medical facilities throughout the country were responsible
for ensuring the department*s information security, although they reported
only to their facility*s director or to the chief information officer of
their administration.

Given the large annual funding base and decentralized management
structure, it is crucial that the CIO ensure that well- established and
integrated processes for leading, managing, and controlling investments

Page 6 GAO- 02- 1054T

are commonplace and followed throughout the department. The Secretary has
recognized weaknesses in accountability for the department*s information
technology resources and the consequent need to reorganize how information
technology is managed and financed. Accordingly, in a memorandum dated
August 6, 2002, he announced a realignment of the department*s information
technology operations. According to the memorandum, the realignment will
centralize information technology functions, programs, workforce
personnel, and funding into the office of the department- level CIO. In
particular, several significant changes are being made:

 The CIOs in each of the three administrations* VHA, VBA, and NCA* have
been designated deputy CIOs and will report directly to the department-
level CIO. Previously, these officials served as componentlevel CIOs who
reported only to their respective administrations* undersecretaries.  All
administration- level cyber security functions have been consolidated

under the department*s cyber security office, and all monies earmarked for
these functions have been placed under the authority of the cyber security
officer. Information security officers previously assigned to VHA*s
21veterans integrated service networks will now report directly to the
cyber security officer, thus extending the responsibilities of the cyber
security office to the field.  Beginning in fiscal year 2003, the
department- level CIO will assume

executive authority over VA*s IT appropriations. The realignment had not
been finalized at the conclusion of our review, thus its full impact on
VA*s mission and the CIO*s success in managing information technology at
the department level could not yet be measured. Nonetheless, in pursuing
these reforms, the Secretary has demonstrated the significance of
establishing an effective management structure for building credibility in
the way information technology is used, and has taken a significant step
toward achieving a *One VA* vision.

The Secretary*s initiative also represents a bold and innovative step by
the department, and is one that has been undertaken by few other federal
agencies. For example, as part of our review, we sent surveys to the 23
other major federal agencies, seeking information on the organization and
reporting relationships of their department- and component- level CIOs. Of
the 17 agencies that responded, 8 reported having component- level CIOs,
none of which reported to the department- level CIO. Only one agency with
component- level CIOs reported that its department- level CIO had
authority over all IT funding.

Page 7 GAO- 02- 1054T

As the realignment proceeds, the CIO*s success in managing information
technology operations will hinge on effective collaboration with business
counterparts to guide IT solutions that meet mission needs. Guidance that
we issued in February 2001 on the effective use of CIOs in several leading
private and public organizations provides insight into three key factors
contributing to CIO successes:

 First, senior executives embrace the central role of technology in
accomplishing mission objectives and include the CIO as a full participant
in senior executive decision- making.  Second, effective CIOs have
legitimate and influential roles in leading top

managers to apply IT to business problems and needs. While placement of
the CIO position at an executive management level in the organization is
important, effective CIOs earn credibility and produce results by
establishing effective working relationships with business unit heads. 
Third, successful CIOs structure their organizations in ways that reflect
a

clear understanding of business and mission needs. Along with business
processes, market trends, internal legacy structures, and available IT
skills, this understanding is necessary to ensure that the CIO*s office is
aligned to best serve the needs of the enterprise. 5

VA*s new organizational structure holds promise for building a more solid
foundation for investing in and improving the department*s accountability
over information technology resources. Specifically, under the realignment
the CIO assumes budget authority over all IT appropriations, including
authority to veto proposals submitted from sub- department levels. This
could have a significant effect on VA*s accountability for how components
are spending money, as we have previously noted the department*s inability
to adequately capture all of its IT costs. 6

As the first step toward gaining accountability for information technology
investments, the CIO is attempting to determine what expenditures have
been incurred in fiscal year 2002. Since VA*s annual budget submissions to
OMB have not included a specific line item for information technology
operations, the CIO has asked each administration to provide accurate
information identifying the costs incurred by each of them for this fiscal

5 U. S. General Accounting Office, Maximizing the Success of Chief
Information Officers: Learning From Leading Organizations, GAO- 01- 376G
(Washington, D. C.: February 2001). 6 U. S. General Accounting Office, VA
Information Technology: Progress Continues Although Vulnerabilities
Remain, GAO/ T- AIMD- 00- 321 (Washington, D. C.: Sept. 21, 2000).

Page 8 GAO- 02- 1054T

year. According to the CIO, preliminary results showed that certain non-
IT costs, such as for users* personnel, had been included in the total
expenditures, while some IT costs, such as for IT personnel and
telecommunications, had been excluded. The CIO*s goal is to compile cost
data that accurately reflect the department*s information technology
expenditures.

In the absence of a budget line item, the CIO is requiring each facility
to develop *spend plans* for fiscal year 2003 IT funding. These plans are
expected to serve as a control mechanism for information technology
expenditures during the year and will be administered by each facility,
with the CIO retaining veto power over them. The plans have been designed
to provide the CIO with investment cost details at a departmentwide level,
allowing for a portfolio- based project selection process and lessening
duplication of effort. Once the plans are implemented, the CIO anticipates
being able to compare planned and actual expenditures and to uncover the
details of specific projects.

Developing and implementing an enterprise architecture 7 to guide VA*s
information technology activities continues to be an essential and
challenging undertaking. VA and other federal agencies are required to
develop and implement enterprise architectures to provide a framework for
evolving or maintaining existing and planned IT, in accordance with OMB
guidelines. 8 In addition, guidance issued last year by the Federal CIO
Council, 9 in collaboration with us, further emphasizes the importance of
enterprise architectures in evolving information systems, developing new
systems, and inserting new technologies that optimize an organization*s
mission value. Overall, effective implementation of an enterprise
architecture can facilitate VA*s management by serving to inform, guide,
and constrain the information technology investment decisions being made
for the department, and subsequently decreasing the risk of buying

7 An enterprise architecture is a blueprint for systematically and
completely defining an organization*s current (baseline) operational and
technology environment, and a roadmap toward the desired (target) state.
It is an essential tool for effectively and efficiently engineering
business processes and for implementing their supporting systems and
helping them evolve.

8 OMB, Management of Federal Information Resources, Circular A- 130
(Washington, D. C.: Nov. 30, 2000). 9 Chief Information Officer Council, A
Practical Guide to Federal Enterprise Architecture,

Version 1.0 (Washington, D. C.: February 2001). Progress Toward

Developing an Enterprise Architecture Continues, but Additional Work
Needed

Page 9 GAO- 02- 1054T

and building systems that are duplicative, incompatible, and unnecessarily
costly to maintain and interface.

As depicted in figure 2, the enterprise architecture is both dynamic and
iterative, changing the enterprise over time by incorporating new business
processes, new technology, and new capabilities. Depending on the size of
the agency*s operations and the complexity of its environment, enterprise
architecture development and implementation require sustained attention to
process management and agency action over an extended period of time. Once
implemented, the enterprise architecture must be kept current through
regular maintenance.

Periodic reassessments are required to ensure that it remains aligned with
the department*s strategic mission and priorities, changing business
practices, funding profiles, and technology innovation.

Page 10 GAO- 02- 1054T

Figure 2: The Enterprise Architecture Process

Source: A Practical Guide to Federal Enterprise Architecture, Version 1.0,
2001

When we testified last March, VA had taken a number of promising steps
toward establishing some of the core elements of an enterprise
architecture. Among other actions, it had obtained executive commitment
from the Secretary, department- level CIO, and other senior executives and
business teams that is crucial to raising awareness of and leveraging
participation in developing the architecture. VA had also chosen a highly
recognized framework to organize the structure of its enterprise

Page 11 GAO- 02- 1054T

architecture. 10 Further, it had begun defining its current architecture,
an important step for ensuring that future progress can be measured
against such a baseline, and it was developing its future (target)
telecommunications architecture.

Nonetheless, at that time we noted that VA still faced many more critical
tasks to successfully develop, implement, and manage its enterprise
architecture. One of the key activities that required attention was the
establishment of a program management office headed by a permanent chief
architect to manage the development and maintenance of the enterprise
architecture. In addition, the department needed to complete a program
management plan delineating how it would develop, use, and maintain the
architecture. Further, although VA had developed a baseline application
inventory to describe its *as is* state, it had not completed validating
the inventory or developing detailed application profiles for the
inventory, including essential information such as business functions,
information flows, and external interface descriptions.

Over the past 6 months, VA has made substantial strides toward instituting
its enterprise architecture program. For example, in April it issued its
fiscal year 2002 One VA enterprise architecture implementation plan, which
will be used to align integrated technology solutions with the
department*s business needs. And in July, the CIO issued a mandatory
directive prescribing departmentwide policy for the establishment and
implementation of an integrated One VA enterprise architecture and to
guide the development and management of all of VA*s IT assets. 11 VA also
finalized its enterprise architecture communications plan that will be
used to help business and IT management and staff develop a corporate
model of customer service.

More recently, on September 5, the Secretary approved the initial version
of the department*s One VA enterprise architecture. VA officials describe
the architecture as a top- down, business- focused document that provides

10 Among the experts that VA consulted was John Zachman, author of *A
Framework for Information Systems Architecture,* referred to as the
Zachman framework (IBM Systems Journal, vol. 26( 3), 1987). This framework
provides a common context for understanding a complex structure and
enables communication among those involved in developing or changing the
structure.

11 Department of Veterans Affairs, Department of Veterans Affairs (VA)
Enterprise Architecture (EA), VA Directive 6051 (Washington, D. C.: July
12, 2002). VA Has Expanded Its

Initial Enterprise Architecture Development Work

Page 12 GAO- 02- 1054T

a blueprint for systematically defining and documenting the department*s
desired (target) environment. The document provides a high- level,
overarching view of the department*s *as is* enterprise business functions
and key enabling functions. 12 VA*s work to develop the *as is* view
revealed the complexities of its baseline information systems, work
processes, and supporting infrastructure. For example, it identified over
30 independently designed and operated data networks, over 200 independent
external network connections, over 1,000 remote access system modem
connections, and a total of 7,224 office automation servers that are
currently part of the baseline environment.

The enterprise architecture document also incorporates high- level
versions of a sequencing plan, technical reference model, and standards
profile* all of which are critical to ensuring the complete development
and implementation of the architecture. A sequencing plan serves as a
systems migration roadmap to provide the agency with a step- by- step
process for moving from the baseline to the target architecture. The
technical reference model provides a knowledge base for a common
conceptual framework, defines a common vocabulary and set of services and
interfaces, and serves as a tool for the dissemination of technical
information across the department. The standards profile, used in
conjunction with the technical reference model, assists departmental
components in coordinating the acquisition, development, and
interoperability of systems to accomplish the department*s enterprise
architecture program goals.

Further, VA has integrated security practices into the initial version of
its enterprise architecture. These security practices provide a high-
level description of the baseline and target distributed systems
architectures for major elements of the department*s cyber security
infrastructure.

Even with notable progress, VA must nonetheless complete a number of
additional actions to fully implement and effectively manage its
enterprise architecture. With the Federal CIO Council*s guide as a basis
for analysis, table 1 illustrates the progress that the department has
made since March

12 Enterprise business functions are externally focused functions
involving direct interactions with veterans across the enterprise, such as
providing medical care benefits, vocational rehabilitation, and employment
benefits. Key enabling functions are those necessary to support the
enterprise business functions, such as eligibility and registration, and
enable smooth operation of the overall enterprise both internally and
externally. Continued Commitment to

Developing VA*s Enterprise Architecture Is Essential

Page 13 GAO- 02- 1054T

in accomplishing key enterprise architecture process steps, along with
examples of the various critical actions still required to successfully
implement and sustain its enterprise architecture program.

Table 1: VA*s Progress in Developing, Implementing, and Using an
Enterprise Architecture as of September 2002 Steps in the enterprise
architecture (EA) process a

Steps VA has completed as of September 2002 Examples of actions VA has
taken or

planned since March 2002 Examples of key actions yet to be performed
Obtain executive buy- in and support

Ensure agency head buy- in and support v

Issue executive enterprise architecture policy v

Obtain support from senior executive and business units v

Establish management structure and control

Establish technical review committee v

Establish capital investment council Drafted the Information Technology
Integrated Management Guide, which lays out the integration of VA*s EA,
capital planning, investment, and project management functions Completed
integration of its capital planning, investment, and project management
functions, and uses it to evaluate IT projects

Finalize and issue the Information Technology Integrated Management Guide

Establish EA executive steering committee v

Appoint chief architect Acting chief architect continues to fill position
Recruitment effort for permanent chief architect continues; position
expected to be filled in early 2003

Hire a chief architect with requisite core competencies

Establish EA program management office Filled five positions in EA program

management office Additional position advertisements being prepared, full
staffing of office anticipated by the end of calendar year 2002

Fully staff the EA program management office with experienced architects
to manage, control, and monitor development of the EA Appoint key
personnel for risk management, configuration management and quality
assurance (QA)

Risk manager and configuration manager positions have not been filled, and
VA does not plan to fill them The Enterprise Architecture Council will
perform risk and configuration management and the Information Technology
Board will perform QA functions

Ensure that adequate staffing occurs and functions are performed Establish
an independent, objective entity to perform QA

Page 14 GAO- 02- 1054T

Steps in the enterprise architecture (EA) process a

Steps VA has completed as of September 2002 Examples of actions VA has
taken or

planned since March 2002 Examples of key actions yet to be performed

Establish enterprise architecture core team

v

Develop EA marketing strategy and communications plan

v

Develop EA program management plan Develop and finalize a

plan that will delineate actions to develop, use, and maintain the EA,
including management control and oversight Initiate development of
enterprise architecture v

Define architecture process and approach

Define intended use of architecture v

Define scope of architecture v

Determine depth of architecture v

Select appropriate EA products v

Select products that represent business of enterprise v

Select products that represent agency technical assets v

Evaluate and select framework v

Select EA tool set v

Develop baseline enterprise

architecture Collect information that describes

enterprise Version 1.0 of VA*s EA includes highexisting level descriptions
of its baseline enterprise architecture business functions and key
enabling functions from the planners* business owners* designers* and
builders* viewpoints.

Continue development of the enterprise architecture to fully describe and
document all current business functions and the technology infrastructure
Generate products and populate EA repository b Repository established on
VA*s intranet

Web site is populated with data on the planners* and owners* views of VA*s
architecture In FY 2003 VA plans to assess the need to develop a new
repository and the contents of that repository

Complete population of the EA repository with products that describe the
relationships among information elements and work products

Review, validate, and refine models Enterprise Architecture Council
subject matter experts reviewed, validated, and refined models contained
in version 1.0 of the enterprise architecture Council membership included
representatives from VA*s technical and business lines

Have subject matter experts continue to assess the enterprise architecture
products for accuracy and completeness

Page 15 GAO- 02- 1054T

Steps in the enterprise architecture (EA) process a

Steps VA has completed as of September 2002 Examples of actions VA has
taken or

planned since March 2002 Examples of key actions yet to be performed
Develop target enterprise architecture

Collect information that defines future business operations and supporting
technology: strategic business objectives information needed to support
business applications to provide information technology to support
applications

Version 1.0 of VA*s enterprise architecture contains high- level
descriptions of VA*s enterprise business functions and key enabling
functions from the planners* and business owners* views of the Zachman
framework

Continue to decompose and further define key elements of the target
architecture

Generate products and populate EA repository Repository established on
VA*s intranet

Web site is populated with data on the planners* and owners* views of the
VA architecture In FY 2003 VA plans to assess the need for another
repository and the contents of that repository

Complete population of the EA repository with products that describe the
relationships among information elements and work products

Review, validate, and refine models Subject matter expert review of
version

1.0 of the enterprise architecture carried out by members of the
Enterprise Architecture Council from VA*s technical and business lines

Have subject matter experts continue to assess the enterprise architecture
products for accuracy and completeness

Develop sequencing plan

Identify gaps July 8, 2002 sequencing plan contained in version 1.0 of EA
provides a high- level overview of how VA will migrate from the current to
the target architecture

Future version of the sequencing plan should identify gaps to assess the
state of legacy systems, technology maturity, acquisition opportunities,
and fiscal reality of the transition Define and differentiate among
legacy, migration, and new systems Address all activities in this

step Plan migration Address all activities in this

step Approve, publish, and disseminate EA products Address all activities
in this

step Use enterprise architecture Integrate EA with capital planning and
investment control and systems life cycle processes

Drafted the Information Technology Integrated Management Guide, which lays
out the integration of VA*s EA, capital planning, investment, and project
management functions Implemented the integrated capital planning,
investment, and project management functions, and uses then to evaluate IT
projects

Finalize and issue the Information Technology Integrated Management Guide

Page 16 GAO- 02- 1054T

Steps in the enterprise architecture (EA) process a

Steps VA has completed as of September 2002 Examples of actions VA has
taken or

planned since March 2002 Examples of key actions yet to be performed

Train personnel Developing a project manager training curriculum Used the
annual department CIO conference to conduct an overview of the
department*s EA effort

Ensure that members of all EA decision- making bodies are trained in the
EA process, the relationship of the EA to the capital planning and
investment control process, and the system life cycle; EA training should
also be provided to current and future IT project managers Establish
enforcement processes and procedures Published the following documents,

which relate to enforcement of EA processes and procedures:

 VA Directive 6051

 VA EA Strategy, Governance, & Implementation

 One- VA EA Implementation Plan: FY 2002

 One- VA Enterprise Architecture (version 1.0)

Develop precise definitions and criteria for compliance as well as
different levels of compliance

Define compliance criteria and consequences Address all activities in this

step Set up integrated reviews Address all activities in this

step Execute integrated process Address all activities in this

step Initiate new and follow- up projects Address all activities in this

step Prepare proposal Align project to EA Make investment decision Execute
projects Address all activities in this

step Manage and perform project development Evolve EA with program/
project Assess progress Complete project Address all activities in this

step Deliver product Assess architecture Evaluate results Consider other
uses of EA Maintain enterprise architecture Address all detailed

activities in this step Maintain EA as enterprise evolves

Page 17 GAO- 02- 1054T

Steps in the enterprise architecture (EA) process a

Steps VA has completed as of September 2002 Examples of actions VA has
taken or

planned since March 2002 Examples of key actions yet to be performed

Reassess EA periodically Manage projects to reflect reality Ensure
business direction and processes reflect operations Ensure current
architecture reflects system evolution Evaluate legacy system maintenance
requirements against sequencing plan Maintain sequencing plan as
integrated program plan Continue to consider proposals for EA
modifications

a Chief Information Officer Council. b A repository is an information
system used to store and access architectural information, relationships
among the information elements, and work products. Source: GAO analysis.

As the table indicates, immediate attention still needs to be focused on
acquiring a permanent chief architect to manage the development and
maintenance of the enterprise architecture. Currently, the chief
technology officer serves as the acting chief architect while the
department recruits someone to fill the position on a permanent basis.
According to the acting chief architect, VA anticipates filling the
position in early 2003. The enterprise architecture program management
office likewise needs to be fully staffed. As of September 6, 5 of the
office*s 16 positions had been filled. Officials expect this office to be
fully staffed by the end of this year. Instituting a permanent chief
architect with the requisite core competencies to lead the enterprise
architecture development and fully staffing the enterprise architecture
program office to support the effort, will provide vital components of
management and oversight necessary for a successful enterprise
architecture program.

Two quality assurance roles* those of risk manager and configuration
manager* also still need to be filled. At the conclusion of our review,
VA*s Enterprise Architecture Council was performing risk and configuration
management and its Information Technology Board was performing quality
assurance functions. However, Federal CIO Council guidance recommends that
the CIO make risk and configuration management the explicit
responsibilities of individuals designated for those roles. The guide
further recommends that the CIO establish an independent quality assurance
function to evaluate the enterprise architecture.

Page 18 GAO- 02- 1054T

VA must also still develop a program management plan to delineate how it
will develop, use, and maintain the enterprise architecture. Such a plan
is integral to providing definitive guidance for effectively managing the
enterprise architecture program.

Beyond these actions, VA must continue to enhance the enterprise
architecture that it has begun instituting. For example, additional work
is needed to fully develop the baseline and target architectures to
encompass all of the department*s business functions, identify common
areas of business, and eliminate duplication of processes across the
organization through business process reengineering. As the initial
version of the enterprise architecture notes, significant process
duplication exists across the department. For example, VA identified eight
different ways in which registration and eligibility are determined in the
*as- is* (baseline) architecture. Nonetheless, although VA recognized
opportunities for integrating and consolidating the department*s duplicate
processes and functions, its initial enterprise architecture document
lacked any specific guidance on how and when consolidation and integration
will take place.

Also, important to the success of an enterprise architecture effort is a
fully- developed enterprise architecture repository. 13 Such a system
serves to highlight information interdependencies and improves the
understandability of information across an organization. It also helps to
significantly streamline change control by establishing linkages among the
information, facilitating impact analyses, and providing for ready
evaluations of change proposals. Although VA*s enterprise architecture
repository contains information reflecting the views of its business
planners and owners, the department still needs to completely populate the
repository with data that describe the interrelationships among all
information elements and work products. The acting chief architect stated
that, in fiscal year 2003, the department will assess its need for a
different system to serve as the EA repository.

As establishment of the enterprise architecture proceeds, VA also will
need to further refine its sequencing plan to identify differences between
baseline and target architectures and gaps in the process, and to assess
the state of legacy, migration, and new systems, and budget priorities and
constraints. In addition, the acting chief architect noted that the
current

13 A repository is an information system used to store and access
architecture information, relationships among the information elements,
and work products.

Page 19 GAO- 02- 1054T

version of the technical reference model is generic and will require
further development. Such customization is important in order to provide
VA with consistent sets of service areas and interface categories and
relationships used to address interoperability and open systems issues and
serve as a basis for identifying, comparing, and selecting existing and
emerging standards and their relationships. Such a document can also be
used to organize infrastructure documentation.

According to VA officials, actions to refine and build upon the enterprise
architecture are ongoing, and the department plans to issue an interim
revision to the initial document within 4 to 6 months, and a completely
new version by July 2003. The Enterprise Architecture Council will be
responsible for developing these products. As the enterprise architecture
management program moves forward, the department must ensure that it
continues to sufficiently address and complete all critical process steps
outlined in the federal CIO guidance within reasonable time frames. With
enhanced management capabilities provided by an enterprise architecture
framework, VA should be able to (1) better focus on the strategic use of
emerging technologies to manage its information, (2) achieve economies of
scale by providing mechanisms for sharing services across the department,
and (3) expedite the integration of legacy, migration and new systems.

VA*s information security continues to be an area of significant concern.
The department relies extensively on computer systems and
telecommunications networks to meet its mission of providing health care
and benefits to veterans. VA*s systems support many users, its networks
are highly interconnected, and it is moving increasingly to more
interactive, Web- based services to better meet the needs of its
customers. Effectively securing these systems and networks is critical to
the department*s ability to safeguard its assets, maintain the
confidentiality of sensitive medical information, and ensure the
reliability of its financial data.

As this subcommittee is well aware, VA has faced long- standing challenges
in achieving effective computer security across the department. Since 1998
we have reported on wide- ranging deficiencies in the department*s
Information Security

Continues to Require Top Management Attention

Page 20 GAO- 02- 1054T

computer security controls. 14 Among the weaknesses highlighted was that
VA had not established effective controls to prevent individuals from
gaining unauthorized access to its systems and sensitive data. In
addition, the department had not provided adequate physical security for
its computer facilities, assigned duties in a manner that segregated
incompatible functions, controlled changes to its operating systems, or
updated and tested its disaster recovery plans. Similar weaknesses have
been confirmed by VA*s inspector general, as well as through the
department*s own assessments of its computer security controls in response
to government information reform legislation. 15 As evidence, since
September 2001, VA has self- reported approximately 27, 000 control
weaknesses related to physical and logical access, segregation of duties,
system and application controls, and continuity of operations. As of
August 31, 2002, according to VA, about half (14,000) of these weaknesses
remained unresolved.

Contributing significantly to VA*s computer security problems has been its
lack of a fully implemented, comprehensive computer security management
program* essential to managing risks to business operations that rely on
its automated and highly interconnected systems. Our 1998 report on
effective security management practices used by several leading public and
private organizations 16 and a companion report on risk- based security
approaches in 1999 17 identified key principles that can be used to
establish a management framework for more effective information security
programs. This framework, depicted in figure 3, points to five key areas
of effective computer security program management* central security
management, security policies and procedures, risk- based assessments,
security awareness, and monitoring and evaluation. Leading organizations
we examined applied these key principles to ensure that

14 U. S. General Accounting Office, Information Systems: VA Computer
Control Weaknesses Increase Risk of Fraud, Misuse, and Improper
Disclosure, GAO/ AIMD- 98- 175 (Washington, D. C.: Sept. 23, 1998) and
GAO- 02- 369T.

15 The government information security reform provisions of the fiscal
year 2001 Defense Authorization Act (P. L. 106- 398) require annual agency
program reviews and annual independent evaluations for both non- national
security and national security information systems.

16 U. S. General Accounting Office, Information Security Management:
Learning From Leading Organizations, GAO/ AIMD- 98- 68 (Washington, D. C.:
May 1998). 17 U. S. General Accounting Office, Information Security Risk
Assessment: Practices of Leading Organizations, GAO/ AIMD- 00- 33
(Washington, D. C.: November 1999).

Page 21 GAO- 02- 1054T

information security addressed risks on an ongoing basis. Further, these
principles have been cited as useful guidelines for agencies by the
Federal CIO Council and incorporated into the council*s information
security assessment framework, 18 intended for agency self- assessments.

Figure 3: Information Security Risk Management Framework

Source: GAO/ AIMD- 98- 68.

When we testified before the subcommittee in March, VA had begun a number
of actions to strengthen its overall computer security management posture.
For example, the Secretary had instituted information security

18 Chief Information Officers Council, Federal Information Technology
Security Assessment Framework (Washington, D. C.: Nov. 28, 2000).

Page 22 GAO- 02- 1054T

standards for members of the department*s senior executive service to
provide greater management accountability for information security. In
addition, VA*s cyber security officer had organized his office to focus
more directly on the critical elements of information security control
that are defined in our information systems controls audit methodology. 19
The cyber security officer also had updated the department*s security
management plan, outlining actions for developing risk- based security
assessments, improving the monitoring and testing of systems controls, and
implementing departmentwide virus- detection software and
intrusiondetection systems. The plan placed increased emphasis on
centralizing key security functions that were previously decentralized or
nonexistent, including virus detection, systems certification and
accreditation, network management, configuration management, and incident
and audit analysis.

Nonetheless, while VA had completed a number of important steps, its
security management program continued to lack essential elements required
for protecting the department*s computer systems and networks from
unnecessary exposure to vulnerabilities and risks. For example, while the
department had begun to develop an inventory of known security weaknesses,
it had not instituted a comprehensive, centrally managed process that
would enable it to identify, track, and analyze all computer security
weaknesses. Further, the updated security management plan did not
articulate critical actions that VA would need to take to correct specific
control weaknesses or time frames for completing key actions.

Since March, the department has taken important steps to further
strengthen its computer security management program. For example, the
cyber security officer has updated and expanded the department*s
information security policies and procedures, placing increased emphasis
on better securing and overseeing the department*s computer environment.
More recently, as discussed earlier, VA*s realignment of its information
technology resources placed administration and field office security
functions more directly under the oversight of the department*s CIO.

19 U. S. General Accounting Office, Federal Information System Controls
Audit Manual,

GAO/ AIMD- 12. 19. 6 (Washington, D. C.: January 1999). Progress
Continues, but

Actions Still Needed to Achieve a Comprehensive Security Management
Program

Page 23 GAO- 02- 1054T

VA has also acted to help provide a more solid foundation for detecting,
reporting, and responding to security incidents. For example, it has
contracted to acquire an expanded departmentwide incident response and
analysis capability, to include enhanced security monitoring and
detection. Further, it has enhanced its computer virus detection program
by providing technical training to operational staff and distributing
antivirus patches for known viruses to affected systems. In addition, VA
has initiated a multiyear project intended to consolidate, protect, and
centrally manage external connections to its critical financial, medical,
and benefits systems. This project, with full implementation planned for
September 2004, is expected to reduce the approximately 200 external
computer network connections that the department now relies on to about
10. By reducing these connections, VA should be better positioned to
effectively reduce its risk of unauthorized access to its critical
systems.

As was the case last March, however, VA*s actions have not yet been
sufficient to fully implement all of the key elements of a comprehensive
computer security management program. In assessing the department*s recent
corrective actions relative to our information security risk management
framework, VA still needs to accomplish a number of critical tasks that
are essential to successfully achieving a comprehensive and effective
computer security management program. Table 2 summarizes the steps that VA
still needs to accomplish in order to fully implement a comprehensive
program.

Table 2: Actions Needed to Ensure a Comprehensive Computer Security
Management Program Important elements of a computer security management
program a

Actions needed as of March 2002 Actions VA has taken

since March 2002 Actions still needed

Central security management function to guide and oversee compliance with
established policies and procedures and review effectiveness of the
security environment

Ensure that full- time security officers or staff with primary duty for
security are assigned to information security officer (ISO) positions and
clearly define their roles and responsibilities Develop guidance to ensure
authority and independence of security officers Develop policies and
procedures to ensure departmentwide coordination of security functions

Established a tracking mechanism to identify security officers and the
systems under their respective purview at each location VA Secretary
centralized the department*s IT program, including authority, personnel,
and funding, in the Office of the Chief Information Officer

Ensure that full- time security officers or staff with primary duty for
security are assigned to all ISO positions and clearly define their roles
and responsibilities In conjunction with VA*s centralization of the IT
program, develop policy and guidance to ensure (1) authority and
independence for security officers and (2) departmentwide coordination of
security functions Security policies and procedures that govern a complete
computer security program and integrate all security aspects of an

Refocus department policy to address security from an interconnected VA
systems environment perspective in addition to that of individual

Developed policies to address external connections and standards for
public key infrastructure authentication

Develop specific policy to address security interconnectivity of all
internal and external VA systems Develop and implement technical

Page 24 GAO- 02- 1054T

Important elements of a computer security management program a

Actions needed as of March 2002 Actions VA has taken

since March 2002 Actions still needed

organization*s environment, including local area networks, wide area
networks, and mainframe security

systems Develop and implement technical security standards for mainframe
and other systems and security software

security standards for mainframe and other systems and security software

Periodic risk assessments to assist management in making decisions on
necessary controls to help ensure that security resources are effectively
distributed to minimize potential loss

Include best minimum standards or guidance for performing risk assessments
in methodology Develop guidance for determining when an event is a
significant change and explaining the level of risk assessment required
for these system changes

Include best minimum standards or guidance for performing risk assessments
in methodology Develop guidance for determining when an event is a
significant change and explaining the level of risk assessment required
for these system changes Security awareness to educate users about current
information security risks, policies, and procedures

Establish a process to ensure program compliance Establish a process to
ensure

program compliance Monitoring and evaluating computer controls to ensure
their effectiveness, improve them, and oversee compliance

Develop specific requirements for conducting a compliance review program
Develop an ongoing program for testing controls to include assessments of
both internal and external access to VA systems; expand current tests to
identify unauthorized or vulnerable external connections to VA*s network
Establish a process for tracking the status of security weaknesses,
corrective actions taken, and independent validation of the corrective
actions Develop a process for routinely analyzing the results of computer
security reviews to identify trends and vulnerabilities and apply
appropriate countermeasures to improve security Develop a proactive
security incident response program to monitor user access for unusual or
suspicious activity

Initiated a multiyear project to consolidate, protect, and centrally
manage external connections to VA systems Developed a process for tracking
the status of computer security weaknesses and corrective actions taken
Developed an ad hoc approach for identifying computer control weaknesses
for review Awarded contract for an expanded security incident response and
analysis program to include security monitoring and detection capability
for external user access activities Enhanced computer virus detection
program by providing technical training to operational staff and
distributing antivirus patches

Develop specific requirements for conducting a compliance review program
Develop an ongoing program for testing controls to include assessments of
both internal and external access to VA systems; expand current tests to
identify unauthorized or vulnerable external connections to VA*s network
Develop a process to independently validate corrective actions taken
Develop a process that emphasizes routinely analyzing the results of
computer security reviews to identify trends and vulnerabilities and apply
appropriate countermeasures to improve security Develop a proactive
security incident response program to provide for both internal and
external monitoring of user access to identify unusual or suspicious
activities

a GAO/ AIMD- 98- 68. Source: GAO.

Page 25 GAO- 02- 1054T

The department*s critical remaining actions include routinely monitoring
and evaluating the effectiveness of security policies and controls and
acting to address identified weaknesses. These tasks aid organizations in
cost effectively managing their information security risks rather than
reacting to individual problems after a violation has been detected. We
have previously recommended that VA establish a program involving ongoing
monitoring and evaluation to ensure the effectiveness of its computer
control environment. An effective program framework would include a
description of the scope and level of testing to be performed, specific
control areas to be tested, the frequency of testing, and the identity of
responsible VA units. In addition, testing and evaluation would include
penetration tests and reviews of the computer network, as well as
compliance reviews of all computer control areas, including logical and
physical access controls; service continuity tests; and system and
application integrity and change controls performed on a scheduled basis.

VA has begun placing greater emphasis on controlling its security risks;
however, its current framework does not yet include some of the essential
elements required to achieve a formal program for monitoring and
evaluating computer controls. For example, while the department has
conducted some tests of its control environment, including penetration
tests and reviews of its computer network, this effort has largely been
performed in an ad hoc manner, rather than as part of a formal, ongoing
program. Further, while VA has established a departmental process for
assessing computer controls, the process relies on VA*s offices to
selfreport computer control weaknesses, with no independent validation
component to ensure the accuracy of reporting.

Similarly, an effective computer security management program should
include a process for ensuring that remedial action is taken to address
significant deficiencies and that it provides steps to analyze weaknesses
reported for identifiable trends and vulnerabilities, and to apply
appropriate countermeasures as needed. Although VA has established a
system for tracking corrective actions, it has not developed a process for
independently validating or reviewing the appropriateness of the
corrective actions taken. Further, the department currently lacks a
process to routinely analyze the weaknesses reported, limiting its
effectiveness at identifying systemic problems that could adversely affect
critical veterans information systems departmentwide.

Finally, although VA has developed a framework for addressing
departmentwide computer security, it has not yet established a mechanism
for collecting and tracking performance data, ensuring management

Page 26 GAO- 02- 1054T

review when appropriate, or providing for independent validation of
program deliverables. Until it addresses all key elements of a
comprehensive computer security management program and develops a process
for managing the department*s security plan, VA will not have full
assurance that its financial information and sensitive medical records are
adequately protected from unauthorized disclosure, misuse, or destruction.

Mr. Chairman, we continue to be concerned about the slow progress that VBA
is making in implementing the VETSNET compensation and pension replacement
system. As you know, VBA currently relies on its aging Benefits Delivery
Network to deliver over 3.5 million benefits payments to veterans and
their dependents each month. 20 The compensation and pension replacement
effort grew out of an initiative that VBA undertook in 1986 to replace its
outdated BDN and modernize its compensation and pension, education, and
vocational rehabilitation benefits payment systems. After several false
starts and approximately $300 million spent on the overall modernization,
the administration revised its strategy in 1996 and began focusing on
modernizing the compensation and pension (C& P) payment system.

VBA has now been working on the C& P replacement initiative for more than
6 years, but continues to be far from full implementation of the new
payment system. As we reported last March, long- standing, fundamental
deficiencies in VBA*s management of the project hindered successful
development and implementation of the system. For example, the initiative
was proceeding without a project manager, and VBA had not obtained
essential field office support for the new software being developed. In
addition, users* requirements for the new system had not yet been assessed
or validated to ensure that VETSNET would meet business needs; and testing
of the system*s functional business capability, as well as end- to- end
testing to ensure that accurate payments would be delivered, still needed
to be completed. Finally, VBA had not developed an integrated project plan
to guide its transition from BDN to the new system.

This past June, we recommended that, before approving any new funding for
the replacement system, the Secretary should ensure that actions are taken
to address our long- standing concerns about VBA*s development

20 Parts of the Benefits Delivery Network were developed in the 1960s. VBA
Remains Far

from Full Implementation of the VETSNET Compensation and Pension
Replacement System

Page 27 GAO- 02- 1054T

and implementation of the system. These recommended actions included (1)
appointing a project manager to direct the development of an action plan
for, and oversee the complete analysis of, the current system replacement
effort; (2) finalizing and approving a revised C& P replacement strategy
based on results of the analysis and implementing an integrated project
plan; (3) developing an action plan to move VBA from the current to the
replacement system; and (4) developing an action plan to ensure that BDN
will be available to continue accurately processing benefits payments
until the new system is deployed. 21 The department concurred with our
recommendations, and stated that actions were either under way or planned
to implement them.

Since our March testimony and subsequent recommendations, VBA has acted to
further its development and implementation of the C& P replacement system.
Among these actions VBA began recruiting a full- time project manager in
June, and, according to the deputy CIO for VBA, expects to fill this
position by the end of this month. In addition, to obtain field office and
program support, in late March VBA formalized an implementation charter
that established a VETSNET executive board and a project control board. 22
These entities are expected to provide decision support and oversee
progress on the implementation. VBA has also begun revalidating functional
business requirements for the new system. Its July 10, 2002 status report
called for validating the majority of its requirements by the end of this
month, and to complete all requirements validation by January 2003. The
report also identified actions needed to transition VBA from the current
to the replacement system. Further, in July VBA hired a contractor to
obtain support for testing the VETSNET system applications. The contractor
has been tasked with conducting functional, integration, and linkage
testing, as well as software quality assurance for each release of the
system applications.

21 U .S. General Accounting Office, Veterans Affairs: Sustained Management
Attention Is Key to Achieving Information Technology Results, GAO- 02- 703
(Washington, D. C.: June 12, 2002).

22 The executive board meets monthly and consists of VBA*s chief financial
officer, deputy chief information officer, director of compensation and
pension service, and director of field operations. The project control
board meets weekly and comprises representatives from the Office of
Information Management, Compensation and Pension Service, Office of
Resource Management, Field Operations, and the Program Analysis and
Integrity Office. It is codirected by a business project manager and a
technical project manager. Actions Taken in Recent

Months

Page 28 GAO- 02- 1054T

Nonetheless, VBA still has significant work to accomplish, and completing
its implementation of the new system could take several years. All but one
of the software applications comprising the new system still need to be
fully deployed or developed, and VBA is currently processing only nine
benefits claims using its new software products. 23 As described in VA*s
August 2002 Compensation and Pension Replacement System Capital Asset
Plan, the C& P replacement strategy incorporates six software
applications: (1) Share, (2) Modern Award Processing - Development, (3)
Rating Board Automation 2000, (4) Award Processing, (5) Finance and
Accounting System, and (6) Correspondence. These applications are being
designed to support the processing of initial benefits claims for
serviceconnected disabilities, as shown in table 3.

Table 3: C& P Replacement System*s Support of Initial Disability Claims
Processing C& P replacement system software application Initial disability
claims processing and benefit payment functions

Share (establishment) Establish the claim* regional office enters basic
information provided by the veteran into a computer system and sets up a
claim file folder Modern Award Processing * Development (MAP- D) Develop
the claim* regional office reviews the claim file folder for military
service and

medical information, requests and obtains missing information, and
assesses information to determine basic eligibility Rating Board
Automation 2000 (RBA 2000) a Rate the claim* regional office analyzes the
veteran*s service records and service and

private medical records and determines the veteran*s level of disability
Award Processing (AWARD) Authorize the claim* regional office reviews
previous work on the claim, approves the

initiation of benefit payments, and notifies the veteran of the decision
Finance and Accounting System (FAS) Pay beneficiary* regional office
enters data into computer system to generate and make

payment to veterans Correspondence Notify veteran* regional office sends
letters informing veterans of the status of actions to

process their claims a The Search and Participant Profile application is
used in conjunction with RBA 2000 and pulls

information from the corporate database when reopened claims are rated and
is transparent to the user. Until recently, this application had been
counted separately.

Source: GAO analysis.

VBA still has numerous tasks to accomplish before these software
applications can be fully implemented. Although, last year, the
administration implemented its rating board automation tool (RBA 2000), it
will not require all of its regional offices to use this software until
July 2003. In addition, our recent follow- up work determined that two of
the

23 As part of a pilot test in February 2001, VBA began processing ten
original benefits claims using its new software. However, according to
VBA, one veteran included in the pilot moved to West Virginia, and his
payment is now being delivered by the BDN. Much Work Remains

Page 29 GAO- 02- 1054T

software products continue to be in various stages of deployment.
Specifically, among the 57 regional offices that are expected to benefit
from the replacement system, only 6 are currently using Share to establish
a claim; VBA still needs to implement the tool in the 51 other regional
offices. In addition, only two regional offices* Salt Lake and Little
Rock* have pilot- tested and are currently using MAP- D to assist in the
development of most compensation claims. VBA still needs to implement this
tool in 55 other regional offices. Full implementation is currently
estimated for October 2003.

Further, three software applications* AWARD, FAS, and Correspondence*
continue to require development. According to VBA officials, when
implemented, AWARD will record award decisions and generate, authorize,
and validate on- line awards for veterans and interface with
Correspondence to develop the notification letter for the veteran. FAS
will provide the accounting benefits payments functions and will include
an interface with the Department of the Treasury.

VBA expects to complete software coding for AWARD and FAS by March 2003.
Based on its most recent estimates, it expects to begin nationwide
deployment of the two systems in April 2004. Once these activities are
accomplished, VBA plans to begin its conversion to the new system, with a
completion date currently set for December 2004. Figure 4 depicts VBA*s
current time line for the full implementation of the system.

Page 30 GAO- 02- 1054T

Figure 4: VBA*s Time Line for Completing and Implementing the Compensation
& Pension Replacement Payment System (as of July 2002)

Source: Veterans Benefits Administration.

Given its current schedule for implementing the C& P replacement system,
VBA will have to continue relying on BDN to deliver compensation and
pension benefits payments until at least the beginning of 2005. However,
with parts of this system nearing 40 years old, without additional
maintenance, BDN*s capability to continue accurately processing benefits
payments is uncertain. Our concerns have been substantiated by the VA
claims processing task force, which in its October 2001 report warned that
the system*s operations and support were approaching a critical stage and
that its performance could potentially degrade and eventually cease. 24

24 The claims processing task force was formed in May 2001, when the
Secretary of Veterans Affairs asked a group of individuals with
significant experience to assess and critique VBA*s compensation and
pension organization, management, and processes, and to develop
recommendations to significantly improve VBA*s ability to process
veterans* claims for disability compensation and pensions. Maintaining
Benefits

Delivery Network Operations Is Critical to Ensuring Continued Payments to
Veterans

Page 31 GAO- 02- 1054T

Since March, VBA has taken steps to help ensure that BDN can be sustained
and remains capable of making prompt, uninterrupted payments to veterans.
For example, VBA has (1) completed an upgrade of BDN hardware, (2) hired
11 new staff members dedicated to BDN operations, and (3) successfully
tested a contingency plan. Further, according to VBA*s deputy CIO, the
administration has developed an action plan outlining strategies for
keeping BDN operational until the replacement system is implemented.
Nonetheless, the risks associated with continual reliance on BDN remain*
one of the system*s software applications (database monitor software) is
no longer supported by the vendor, nor is it used by any other customer.

Finally, Mr. Chairman, I would like to provide updated information on VA*s
progress, in conjunction with the Department of Defense (DOD) and the
Indian Health Service (IHS), in achieving the ability to share patient
health care data as part of the government computer- based patient record
(GCPR) initiative. As you know, the GCPR project was developed in 1998 out
of VA and DOD discussions about ways to share data in their health
information systems and from efforts to create electronic records for
active duty personnel and veterans. IHS became involved because of its
experience in population- based research and its long- standing
relationship with VA in caring for the Indian veteran population, as well
as its desire to improve the exchange of information among its facilities.

GCPR was originally envisioned to serve as an electronic interface that
would allow physicians and other authorized users at VA, DOD, and IHS
health facilities to access data from any of the other agencies* health
facilities by serving as an electronic interface among their health
information systems. The interface was expected to compile requested
patient information in a temporary, *virtual* record that could be
displayed on a user*s computer screen.

Last March we expressed concerns about the progress that VA, DOD, and IHS
had made toward implementing GCPR. We testified that the project continued
to operate without clear lines of authority or a lead entity responsible
for final decision- making. The project also continued to move forward
without comprehensive and coordinated plans, including an agreed- upon
mission and clear goals, objectives, and performance Government

Computer- Based Patient Record Initiative Has Changed Name, Goals,
Strategy

Page 32 GAO- 02- 1054T

measures. These concerns were originally reported in April 2001, 25 when
we recommended that the participating agencies (1) designate a lead entity
with final decision- making authority and establish a clear line of
authority for the GCPR project, and (2) create comprehensive and
coordinated plans that included an agreed- upon mission and clear goals,
objectives, and performance measures, to ensure that the agencies can
share comprehensive, meaningful, accurate, and secure patient health care
data. VA, DOD, and IHS all agreed with our findings and recommendations.

Our March testimony also noted that the scope of the GCPR initiative had
been narrowed from its original objectives and that the participating
agencies had announced a revised strategy that was considerably less
encompassing than the project was originally intended to be. Specifically,
rather than serve as an interface to allow data sharing across the three
agencies* disparate systems, as originally envisioned, a first (near-
term) phase of the revised strategy had called only for a one- way
transfer of data from DOD*s current health care information system to a
separate database that VA hospitals could access.

Subsequent phases of the effort that were to further expand GCPR*s
capabilities had also been revised. A second phase that would have enabled
information exchange among all three agencies had been rescoped to enable
only a bilateral read- only exchange of data between VA and IHS. Plans for
a third phase involving the expansion of GCPR*s capabilities to public and
private national health information standards groups were no longer being
considered for the project, and there were no plans for DOD to receive
data from VA.

In May, VA and DOD proceeded with implementing the revised strategy. It
finalized a memorandum of agreement that designated VA as the lead entity
in implementing the project and formally renamed the project the Federal
Health Information Exchange (FHIE) Program. According to program
officials, FHIE is now a joint effort between DOD and VA that will enable
the exchange of health care information in two phases. The first phase, or
near- term solution, is to enable the one- way transfer of data from

25 U. S. General Accounting Office, Computer- Based Patient Records:
Better Planning and Oversight by VA, DOD, and IHS Would Enhance Health
Data Sharing, GAO- 01- 459 (Washington, D. C.: Apr. 30, 2001). GCPR Is
Proceeding under

a New Name and Strategy

Page 33 GAO- 02- 1054T

DOD*s existing health care information system to a separate database that
VA hospitals can access. Nationwide deployment and implementation of the
first phase began in late May of this year, and was completed in midJuly.

FHIE was built to interface with VA*s and DOD*s existing systems.
Specifically, electronic data from separated service members contained in
DOD*s Military Health System Composite Health Care System are transmitted
to VA*s FHIE repository, which can then be accessed through the
Computerized Patient Record System (CPRS) in VA*s Veterans Health
Information Systems and Technology Architecture (VISTA). Clinicians are
able to access and display the data through CPRS remote data views. 26 The
data currently available for transfer include demographic 27 and certain
clinical information, such as laboratory results, outpatient pharmacy
data, and radiology reports on service members that have separated from
DOD.

The final phase of the near- term solution is anticipated to begin this
October. According to VA and DOD officials, this phase is intended to
broaden the base of health information available to VA clinicians through
the transfer of additional health information on separated service
members. This additional information is expected to consist of discharge
summaries; 28 allergy information; admissions, disposition, and transfer
information; and consultation results that include referring physicians
and physical findings. Completion of this final phase of FHIE is scheduled
for September 2003. VA and DOD have budgeted $12 million in fiscal year
2003 ($ 6 million for each agency) to cover completion and maintenance of
the near- term effort.

FHIE is currently available to all VA medical centers, and according to
program officials, is showing positive results. The officials stated that,
presently, the FHIE repository contains data on almost 2 million unique
patients. This includes clinical data on over 1 million service personnel
who separated between 1987 and 2001. The data consist of over 14 million

26 The CPRS remote data views is an application that allows authorized
users to access patient health care data from any VA medical facility. 27
The demographic information consists of patient name, DOD eligibility
category, Social Security number, address, date of birth, religion,
primary language, sex, race, and marital status.

28 Discharge summaries will include inpatient histories, diagnoses, and
procedures. VA and DOD Report

Success in Implementing the First Phase of FHIE

Page 34 GAO- 02- 1054T

lab messages, almost 14 million pharmacy messages, and over 2 million
radiology messages.

Program officials stated that the quick retrieval and readability of data
contained in the FHIE repository has begun providing valuable support to
VA clinicians. They stated that FHIE is capable of accommodating up to 800
queries per hour, with an average response rate of 14 seconds per query.
For the week beginning July 29, 2002, VA clinicians made 287 authorized
queries to the database. In addition, when a clinician at a VA medical
facility retrieves the data transmitted from DOD, the data appear in the
same format as the data captured in CPRS, further facilitating its use.
During a demonstration of the data retrieval capability, a clinician at
VA*s Washington, D. C., medical center told us that the information
provided through FHIE has proven particularly valuable for treating
emergency room and first- time patients. He added that additional data
anticipated from the second phase of FHIE should prove to be even more
valuable.

Beyond FHIE, VA and DOD have envisioned a long- term strategy involving
the two- way exchange of clinical information. This initiative has been
termed HealthePeople (Federal). According to VHA*s CIO and the Military
Health System CIO, VA and DOD are jointly implementing a plan that will
result in computerized health record systems that ensure interoperability
between DOD*s Composite Health Care System II and VA*s HealtheVet VISTA to
achieve the sharing of secure health data required by their health care
providers. 29 In order to accomplish this objective, the two agencies
intend to standardize health and related data, communications, security,
and software applications where appropriate. As part of HealthePeople
(Federal), IHS is also expected to be actively involved in helping to
develop national standards and compatible software applications to further
the standardization of data, communications, and security for health
information systems. When our review concluded, VA and DOD had just begun
this initiative, with a focus on addressing the standardization issue. At
that time, they anticipated implementing this exchange of clinical
information by the end of 2005.

29 Both of these systems are currently under development. VA and DOD
Developing

Interoperable Health Systems

Page 35 GAO- 02- 1054T

In summary, Mr. Chairman, VA continues to make important progress toward
improving its management of information technology, with the attention and
support of its executive leadership contributing significantly to ongoing
actions to improve key areas of IT performance. The restructuring of
responsibility and accountability directly to the CIO is a particularly
important step* one that could set the stage for VA truly achieving its
One- VA vision. In addition, actions aimed at further developing the
department*s enterprise architecture and improving computer security
management continue to help solidify the IT foundation necessary

to guide VA*s development and protection of critical information systems
and data that are vital to its mission. Finally, although under a revised,
scaled- down initiative, VA and DOD have made some progress in achieving
the capability to share health care data on military personnel and
veterans. Yet, challenges remain. Ensuring that the enterprise
architecture will be fully implemented and sustained beyond the current
leadership necessitates that the department establish a program management
structure to guide and oversee this critical initiative. Completing its
comprehensive computer security management program is also essential to
ensure that the department can effectively safeguard its assets and
sensitive medical information. Further, the urgency that VA faces in
replacing its aging BDN continues to grow, while much must be accomplished
before full implementation of the compensation and pension replacement
system. Instituting the necessary processes and controls to guide VA*s
information technology programs and investments will be vital to ensuring
that the department does not fall short of its goals of enhancing
operational efficiency and, ultimately, improving service delivery to our
nation*s veterans.

Mr. Chairman, this concludes my statement. I would be pleased to respond
to any questions that you or other members of the subcommittee may have at
this time.

For information about this testimony, please contact me at (202) 512- 6253
or by e- mail at [email protected] gao. gov. Individuals making key
contributions to this testimony include Nabajyoti Barkakati, Nicole
Carpenter, Kristi Dorsey, David W. Irvin, Min S. Lee, Valerie C. Melvin,
Barbara S. Oliver, J. Michael Resser, and Charles M. Vrabel. Contacts and

Acknowledgments

(310441)
*** End of document. ***