Veterans Affairs: Sustained Management Attention Is Key to	 
Achieving Information Technology Results (12-JUN-02, GAO-02-703).
                                                                 
The Department of Veterans Affairs (VA) has made important	 
progress in raising corporate awareness of the department's	 
information technology (IT) needs and in taking actions to	 
improve key areas of IT performance. Nevertheless, the department
has significant work to accomplish in order to use IT investments
to improve mission performance. VA has taken important steps in  
laying the groundwork for an integrated, departmentwide 	 
enterprise architecture--a blueprint for evolving its information
systems and developing new systems that optimize their mission	 
value--by establishing crucial executive support and a strategy  
to define produces and processes essential to its development. VA
has also strengthened its department-level information security  
program by requiring greater management accountability from	 
senior executives, through mandated information security	 
performance standards. In addition, Veterans Health		 
Administration (VHA) managers and clinicians have shown good	 
progress in expanding their use of the decision support system to
facilitate clinical and financial decisionmaking. However, many  
aspects of the department's IT environment remain troublesome.	 
The department continues to report pervasive computer security	 
challenges, including access and other general control		 
weaknesses. Moreover, in pursuing critical information systems	 
investments, the Veterans Benefits Administration has not	 
addressed important concerns related to managing, defining	 
requirements for, and testing software supporting the veterans	 
service network compensation and pension replacement system	 
initiative. These issues present continuing challenges to VA.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-703 					        
    ACCNO:   A03545						        
  TITLE:     Veterans Affairs: Sustained Management Attention Is Key  
to Achieving Information Technology Results			 
     DATE:   06/12/2002 
  SUBJECT:   Health care services				 
	     Information resources management			 
	     Information systems				 
	     Information technology				 
	     Interagency relations				 
	     Medical information systems			 
	     Medical records					 
	     Performance measures				 
	     Strategic information systems planning		 
	     Systems compatibility				 
	     DOD/IHS/VA Government Computer-Based		 
	     Patient Record Project				 
                                                                 
	     VA Information Technology Program			 
	     VA Decision Support System 			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-703
     
A

Report to the Chairman, Subcommittee on Oversight and Investigations,
Committee on Veterans Affairs, , House of Representatives

June 2002 VETERANS AFFAIRS Sustained Management Attention Is Key to
Achieving Information Technology Results

GAO- 02- 703

June 12, 2002 The Honorable Steve Buyer Chairman, Subcommittee on Oversight
and Investigations Committee on Veterans Affairs House of Representatives

Dear Mr. Chairman: On March 13, 2002 , we testified before the Subcommittee
on the Department of Veterans Affairs ( VA) continuing actions to address
critical weaknesses in its overall information technology ( IT) program. 1
In brief, we noted that VA had made important progress in raising corporate

awareness of the department s IT needs and in taking actions to improve key
areas of IT performance. Nevertheless, the department has significant work
to accomplish in order to use IT investments to improve mission performance.
This report officially transmits recommendations that we are making to the
Secretary of Veterans Affairs based on our work presented in our testimony.
Prior to the testimony, we discussed the results of our review with VA
officials, and they generally agreed with our findings. We performed our
work from June 2001 through March 2002, in accordance

with generally accepted government auditing standards. In our testimony, we
noted that VA had taken important steps in laying the groundwork for an
integrated, departmentwide enterprise architecture a blueprint for evolving
its information systems and developing new systems that optimize their
mission value by establishing crucial executive support and a strategy to
define products and processes essential to its development. VA also had
strengthened its department- level information security program by requiring
greater management accountability from senior executives, through mandated
information security performance standards. In addition, Veterans Health
Administration ( VHA) managers and clinicians had shown good progress in
expanding their use of the

decision support system ( DSS) to facilitate clinical and financial
decisionmaking.

1 U. S. General Accounting Office , VA Information Technology: Progress
Made, but Continued Management Attention Is Key to Achieving Results, GAO-
02- 369T ( Washington, D. C. , March 13, 2002) .

However, we also testified that many aspects of the department s IT
environment remained troublesome. For example, we noted the need for
continued attention to instituting a sound program management structure,
including a permanent chief architect and an established program office, to
manage and advance the department s enterprise architecture program.
Further, VA s efforts to establish a comprehensive information security
management program required additional work to ensure that the department s
computer systems, networks, and sensitive veterans health

care and benefits data were protected from unnecessary exposure to
vulnerabilities and risks. The department continued to report pervasive
computer security challenges, including access and other general control

weaknesses. Moreover, in pursuing critical information systems investments,
the Veterans Benefits Administration had not addressed important concerns
related to managing, defining requirements for, and testing software
supporting the veterans service network compensation and pension

replacement system initiative. In addition, as part of the government
computer- based patient record ( GCPR) initiative, VA had achieved limited
progress in its joint efforts with the Department of Defense ( DOD) and
Indian Health Service ( IHS) to create an interface for sharing data in
their disparate health information systems. We noted that the scope of the

project increasingly had been narrowed from its original objectives and that
the initiative continued to proceed without a comprehensive strategy.
Finally, while VHA managers and clinicians had continued to expand their use
of DSS, VHA had not selected a permanent director to provide consistent
management and oversight for the DSS program or fully staffed the DSS
program office to support the system s operation.

Collectively, these issues present continuing challenges for VA. It is
paramount that VA s leadership successfully address these matters in order
to achieve a more stable, reliable, and modernized systems environment that
can effectively support critical decisionmaking and operations and to
realize better overall returns on the department s IT investments. To assist
the Subcommittee in its oversight role and to help the Secretary

accomplish needed improvements, we are making recommendations based on the
findings reported in our March testimony, which is reprinted in appendix I.
In providing written comments on a draft of this report, the Secretary of
Veterans Affairs concurred with our recommendations.

Recommendations for Successful implementation of an enterprise architecture
is essential for

Executive Action effectively and efficiently engineering business processes
and for

implementing and evolving their supporting information systems. Our
experience with federal agencies has shown that attempting to modernize IT
environments without an enterprise architecture to guide and constrain
investments often results in systems that are duplicative, not well
integrated, unnecessarily costly to maintain and interface, and ineffective

in supporting mission goals. 2 We therefore recommend that the Secretary
take action to ensure that VA effectively develops, implements, and manages
its enterprise architecture by instructing the department- level Chief
Information Officer ( CIO) to expeditiously fill the position of chief
architect with a full- time

permanent employee who has the requisite core competencies needed for this
position;

immediately establish and adequately staff the enterprise architecture
program management office;

ensure that all critical process steps outlined in the federal CIO Council s
suggested guidance 3 on managing the enterprise architecture program for (
1) establishing management structure and control, ( 2) developing a baseline
enterprise architecture, ( 3) developing a target enterprise architecture, (
4) developing a sequencing plan to move from the baseline to the target
architecture, ( 5) using the enterprise architecture to implement new
projects, and( 6) maintaining the enterprise architecture 4 are sufficiently
addressed and completed; and

integrate securities practices into the enterprise architecture. Effectively
securing VA s information systems and telecommunications networks is vital
to the department s ability to safeguard its assets,

2 U. S. General Accounting Office, Information Technology: Enterprise
Architecture Use across the Federal Government Can Be Improved, GAO- 02- 6 (
Washington, D. C. : February 19, 2002) . 3 Chief Information Officer
Council, A Practical Guide to Federal Enterprise Architecture, Version 1. 0
( Washington, D. C. , February 2001) .

4 Some examples of key actions yet to be performed by VA in developing,
implementing, and using an enterprise architecture are highlighted in table
1 of appendix I.

maintain the confidentiality of sensitive veterans health and disability
benefits information, and ensure the reliability of its financial data.
Without a complete, comprehensive, and fully integrated computer security
management program in place, VA will lack essential elements required to
protect the department s systems and networks from unnecessary exposure to
vulnerabilities and risks. We therefore recommend that the

Secretary take actions to complete a comprehensive and secure information
systems environment by instructing the CIO, in conjunction with VA s cyber
security officer, to

implement all actions needed to complete a comprehensive security management
program, 5 including those related to ( 1) central security management
functions, ( 2) security policies and procedures, ( 3) risk assessments, (
4) security awareness, and ( 5) monitoring and evaluating computer controls;

develop a process for managing the department s updated security plan to
include collecting and tracking performance data, ensuring management action
when needed, and providing independent validation of reported issues; and
regularly report to the Secretary, or his designee, on progress in
implementing VA s security plan. We further recommend that the Secretary
enforce management accountability for information security by ensuring the
consistent use of the mandated information security performance standards
when appraising the department s senior executives.

VA s consistent and effective delivery of benefits payments is vital to
fulfilling its service delivery obligations to our nation s veterans.
Accordingly, successful implementation of a system to replace the existing
aging benefits delivery network is essential. We therefore recommend that,
before the Secretary approves any new funding for the compensation and
pension replacement system, he should ensure that actions have been taken to
address our long- standing concerns regarding VBA s development and
implementation of this system by directing the Undersecretary for Benefits,
in coordination with VBA s CIO, to

5 The actions still needed are highlighted in table 2 of appendix I.

appoint and direct a project manger to develop an action plan for and
oversee a complete analysis of the current systems replacement initiative,
to include ( 1) assessing and validating users requirements for

the new system to ensure that business needs are met and ( 2) testing the
system s functional business and end- to- end processing capabilities to
ensure that accurate and timely benefits payments are made;

finalize and approve a revised compensation and pension replacement system
strategy, based on the results of the analysis, and complete and implement
an integrated compensation and pension replacement project plan;

develop and implement an action plan to move VBA from the current to the
replacement system; and

develop and implement an action plan to ensure that the benefits delivery
network will be able to continue accurately processing benefits payments
until the new compensation and pension system is deployed. The original goal
of the GCPR initiative was to provide VA, DOD, and IHS health care providers
the capability to electronically share comprehensive patient information and
thus improve the quality of care for patients. With the narrowing of the
original objectives and the lack of a comprehensive

strategy, GCPR s ability to deliver expected benefits is in doubt. Moreover,
VA still needs to implement the recommendations from our April 2001 report,
6 which called for ( 1) designating a lead agency for the GCPR initiative
and ( 2) developing detailed plans for the remainder of the endeavor. To
make significant progress beyond the current strategy, we are additionally
recommending that the Secretary instruct the VHA undersecretary and VHA CIO,
in cooperation with DOD and IHS, to

revisit the original goals and objectives of the GCPR initiative to
determine if they remain valid and where necessary, revise the goals and
objectives to be aligned with the current strategy and direction of the
project; and

6 U. S. General Accounting Office, Computer- Based Patient Records: Better
Planning and Oversight by VA, DOD, and IHS Would Enhance Data Sharing, GAO
01- 459 ( Washington, D. C. , April 30, 2001) .

commit the executive support necessary for adequately managing the project
and ensure that sound project management principles are followed in carrying
out the initiative.

VHA s decision support system provides its managers and clinicians with data
on patterns of patient care and patient health outcomes, and allows them to
analyze resource allocation and determine the cost of providing health care
services. We recommend that the Secretary take action to ensure continued
progress in improving DSS operational efficiency and effectiveness and the
realization of full clinical and financial benefits of the system by
directing the Undersecretary for Health, in conjunction with VHA s Chief
Financial Officer, to

assign a permanent director to provide consistent management and oversight
of the DSS program; and

fill the existing vacant positions in the DSS program office with
individuals possessing the necessary skills to provide leadership and
program direction for the overall DSS program.

Agency Comments and In providing written comments on a draft of this report,
the Secretary of

Our Evaluation Veterans Affairs concurred with our recommendations and
stated that the

department has initiated a number of actions to address them. These comments
are reprinted in appendix II. We are sending copies of this report to the
Secretary of Veterans Affairs and to the Director, Office of Management and
Budget, as well as to other interested parties. Copies will also be
available at our Web site at www. gao. gov. If you or your staff have any
questions concerning matters discussed in this report, please contact me at
( 202) 512- 6257, or Valerie Melvin, Assistant Director, at ( 202) 512-
6304. We can also be reached by e- mail at

mcclured@ gao. gov and melvinv@ gao. gov, respectively. Individuals making
key contributions to this report included Dave Irvin, Tonia Johnson, Barbara
Oliver, and J. Michael Resser.

Sincerely yours, David L. McClure Director, Information Technology
Management Issues

Appendi x I

GAO s March 13, 2002, Testimony United States General Accounting Office

GAO Testimony Before the Subcommittee on Oversight and Investigations,

Committee on Veterans' Affairs, House of Representatives

For Release on Delivery Expected at 10 a. m. EST

VA INFORMATION

Wednesday, March 13, 2002

TECHNOLOGY Progress Made, but Continued Management Attention Is Key to
Achieving Results Statement of David L. McClure Director, Information
Technology Management Issues

GAO- 02- 369T

Mr. Chairman and members of the subcommittee: We are pleased to participate
in today s continuing dialogue on the Department of Veterans Affairs' ( VA)
information technology ( IT) program. IT is key to helping VA effectively
serve our nation s veterans, and over the years, the department has expended
substantial resources ( more than $ 6 billion over the last 6 years) in
support of its IT needs. As you know, however, VA has encountered persistent
challenges in managing IT to produce results and improve performance.

When we testified before the subcommittee last April, a new secretary of
veterans affairs had just been confirmed and an executive- level security
officer had been hired. 1 To his credit, the secretary readily seized upon
the seriousness of the issues that have been raised concerning VA s IT
program, and committed to reforming how the department uses information
technology. Since then, VA has also hired a department- level chief
information officer ( CIO) to lead its IT program. We view this executive
leadership as a positive and significant step forward in the

department s attempt to achieve better returns on its IT investments.
However, VA s IT investment and management challenges are significant, and
its ability to resolve them with the right combination of people, processes,
and technology that are focused on achieving solid results will take
sustained time, effort, and commitment.

At your request, we have been reviewing VA' s continuing actions to address
critical weaknesses in its overall IT program. Today, we will share with you
the results of our work to date regarding VA s actions since last April to

develop an enterprise architecture;

improve information security;

implement the Veterans Benefits Administration' s veterans service network
project that is intended to replace its existing compensation and pension
payment system with a new system;

extend the usage of, and standardize data collection for, the Veterans
Health Administration' s decision support system, being used to facilitate
managers and clinicians analyses of patient care and cost of providing
health care services; and

implement jointly with the Department of Defense and Indian Health Service,
the government computer- based patient record initiative,

1 U. S. General Accounting Office, VA Information Technology: Important
Initiatives Begun, Yet Serious Vulnerabilities Persist, GAO- 01- 550T (
Washington, D. C. : April 4, 2001) . Page 1 GAO- 02- 369T

which was intended to allow physicians and users to access data in each
others health information systems.

In doing this work, we analyzed relevant documentation and interviewed key
agency officials to identify and assess VA s progress in implementing
specific actions since April 2001 related to developing an enterprise
architecture, improving information security, developing the Veterans
Benefits Administration s veterans service network compensation and pension
replacement system, extending usage of the Veterans Health Administration s
decision support system, and advancing data sharing via the government
computer- based patient record project. We performed our work in accordance
with generally accepted government auditing standards, from June 2001
through March 2002.

Results in Brief Over the past year, VA has clearly benefited from the
commitment of the secretary and other top leaders to addressing critical
weaknesses in the

department s management of information technology. As a result of their
leadership, VA has made important strides in raising corporate awareness of
the department s needs and in articulating and acting upon a vision for
achieving improvements in key areas of IT performance. Despite this
progress, however, many aspects of VA s IT environment remain troublesome,
and our message today reflects concerns that we have long viewed as
significant impediments to the department s effective use of IT to achieve
optimal agency performance. As such, VA has more work to accomplish before
it can point to real improvement in overall program performance and be
assured that it has a stable, reliable, and modernized systems environment
to effectively support critical agency decisionmaking and operations.

In an area of growing importance, VA has taken key steps in laying the
groundwork for an integrated, departmentwide enterprise architecture a
blueprint for evolving its information systems and developing new systems
that optimize their mission value. Crucial executive support has been
established and the department has put in place a strategy to define
products and processes that are critical to its development. VA is also
currently recruiting a chief architect to assist in implementing and
managing the enterprise architecture. Significant work, nonetheless, is
still required before the department will have a functioning enterprise
architecture in place for acquiring and utilizing information systems across
VA in a cost- effective and efficient manner. VA s success in developing,
implementing, and using a complete and enforceable enterprise architecture
hinges upon continued attention to putting in place a sound program
management structure including a permanent chief architect and an
established program office to facilitate, manage, and advance this effort
and to be held accountable for its success. In addition, VA must Page 2 GAO-
02- 369T

continue to take steps to identify and collect crucial information
describing essential business functions, information flows, strategic plans,
and requirements, and produce a well- thought- out sequencing plan that
considers management and organizational changes and business goals and

operations. Success also hinges on having proactive management focused on
ensuring that investment management and systems development and acquisition
are closely linked with the enterprise architecture processes. This
integration must be done in a manner that best suits the agency s particular
organization, culture, and internal management practices.

Information security management is another area in which VA has taken
important steps to strengthen its department- level program, including
mandating information security performance standards and, thus, greater
management accountability for senior executives. It has also updated
security policies, procedures, and standards to guide the implementation of
critical security measures. However, VA continues to report pervasive and
serious information security weaknesses. Thus far, its actions toward

establishing a comprehensive computer security management program have not
been sufficient to ensure that the department can protect its computer
systems, networks, and sensitive veterans health care and benefits data from
unnecessary exposure to vulnerabilities and risks. Moreover, VA s current
organizational structure does not ensure that the cyber security officer can
effectively oversee and enforce compliance with security policies and
procedures that are being implemented throughout the department.

Beyond these two key areas of IT management concern, VA and its
administrations also have continued to pursue several critical information
systems investments that have consumed substantial time and resources, with
mixed success. For example, after about 16 years and at least $ 335 million
spent on modernization, the Veterans Benefits Administration ( VBA) is still
far from a modernized system to replace its aging benefits delivery network,
needed to more effectively support its compensation and pension and other
vital benefits payment processes. VBA has not adequately addressed several
longstanding concerns related to project management, requirements
development, and testing all of which raise

uncertainty about whether the ongoing veterans service network ( VETSNET)
project will deliver a cost- effective solution with measurable and specific
program- related benefits.

Conversely, the Veterans Health Administration s ( VHA) managers and
clinicians have made good progress in expanding their use of the decision
support system ( DSS) to facilitate clinical and financial decisionmaking.
The use of DSS data for the fiscal year 2002 resource allocation process and
a requirement that veteran integrated service network directors better
account for their use of this system have both raised awareness of and
promoted its utility among VHA facilities. Moreover, VHA has begun steps to
further improve the accuracy and timeliness of DSS data. As VHA- wide

Page 3 GAO- 02- 369T

usage of DSS progresses, sustained top management attention will be crucial
to ensuring the continued success of this system. Lastly, VA has achieved
limited progress in its joint efforts with the Department of Defense and
Indian Health Service to create an interface for sharing data in their
health information systems, as part of the government computer- based
patient record initiative. Strategies for implementing the project continue
to be revised, its scope has been substantially narrowed, and it continues
to operate without clear lines of authority or comprehensive, coordinated
plans. Consequently, the future success of this project remains uncertain,
raising questions as to whether it will ever fully achieve its original
objective of allowing health care professionals to share clinical
information via a comprehensive, lifelong medical record.

Promising Beginning, One of VA s most essential yet challenging undertakings
has been

but VA Remains Far developing and implementing an enterprise architecture to
guide the

department s IT efforts. An enterprise architecture a blueprint for from
Implementing an

systematically and completely defining an organization s current ( baseline)
Enterprise

operational and technology environment and a roadmap toward the desired (
target) state is an essential tool for effectively and efficiently

Architecture engineering business processes and for implementing their
supporting

systems and helping them evolve. Office of Management and Budget ( OMB)
guidelines 2 require VA and other federal agencies to develop and implement
enterprise architectures to provide a framework for evolving or maintaining
existing and planned IT. Guidance issued last year by the Federal CIO
Council 3 in collaboration with us further emphasizes the importance of
enterprise architectures in evolving information systems, developing new
systems, and inserting new technologies that optimize an organization s
mission value.

As this subcommittee is well aware, VA has been attempting to develop an
enterprise architecture for several years, but without much overall success.
Our prior reports and testimony 4 have documented how VA s previous attempts
have fallen short of their intended purpose and did not reflect an approach
that would result in an integrated, departmentwide

2 OMB, Management of Federal Information Resources, Circular A- 130 (
Washington, D. C. : November 30, 2000) . 3 Chief Information Officer
Council, A Practical Guide to Federal Enterprise Architecture, Version 1. 0
( Washington, D. C. , February 2001) . 4 U. S. General Accounting Office, VA
Information Technology: Improvements Needed to Implement Legislative
Reforms, GAO/ AIMD- 98- 154 ( Washington, D. C. , July 7, 1998) ; U. S.
General Accounting Office, Information Technology: Update on VA Actions to
Implement Critical Reforms, GAO/ T- AIMD00-

74 ( Washington, D. C. , May 11, 2000) ; U. S. General Accounting Office, VA
Information Technology: Progress Continues Although Vulnerab il i t ies
Remain, GAO/ T- AIMD- 00- 321 ( Washington, D. C. , September 21, 2000) ;
GAO- 01- 550T. Page 4 GAO- 02- 369T

blueprint. For example, VA s earlier strategy had called for each of its
administrations VBA, VHA, and the National Cemetery Administration to
develop its own logical architecture, which likely would not have

resulted in the department s having an integrated architecture, but rather,
at least three separate, unrelated architectures. In addition, VA s common
business lines had not been adequately involved in prior attempts to develop
an architecture. In July 1998 and August 2000, respectively, we recommended
that VA take actions to develop a detailed implementation plan with
milestones for completing an integrated, departmentwide architecture, and
that it include VA business owners in its architecture development. After
assuming office last year, VA s secretary vowed to take action to address
the inadequacies in the department s approach.

VA Has Taken Over the past year, VA has made progress in taking specific
actions to lay

Important Steps the groundwork for its enterprise architecture. Its most
recent set of activities closely adhere to the Federal CIO Council s
suggested guidance

Toward Developing on managing the enterprise architecture program.

an Enterprise By effectively implementing an enterprise architecture, VA
stands to

Architecture, But realize a number of important and tangible benefits. For
example, an

Much Work Remains enterprise architecture can

capture facts about the department s mission, functions, and business
foundation in an understandable manner to promote better planning and
decisionmaking;

improve communication among the department s business organizations and IT
organizations through a standardized vocabulary; and

provide architectural views that help communicate the complexity of VA s
large systems and facilitate management of its extensive, complex
environments.

Overall, effective implementation of an enterprise architecture can
facilitate VA s IT management by serving to inform, guide, and constrain the
decisions being made for the department, and subsequently decreasing the
risk of buying and building systems that are duplicative, incompatible, and
unnecessarily costly to maintain and interface.

As depicted in figure 1, developing, implementing, and maintaining an
enterprise architecture is a dynamic, iterative process of changing the
enterprise over time by incorporating new business processes, new
technology, and new capabilities. Depending on the size of the agency s
operations and the complexity of its environment, enterprise architecture
development and implementation requires sustained attention to process

Page 5 GAO- 02- 369T

management and agency action over an extended period of time. Moreover, once
implemented, the enterprise architecture requires regular upkeep and
maintenance to ensure that it is kept current and accurate. Periodic
reassessments are necessary to ensure that the enterprise architecture
remains aligned with the department s strategic mission and priorities,
changing business practices, funding profiles, and technology innovation.

Figure 1: The E terprise Architecture Process

Source: A Practical Guid to Fed ral Ent rprise Archit ctur , Version 1. 0,
2001

A prerequisite to development of the enterprise architecture is sustained
sponsorship and strong commitment achieved through buy- in of the agency
head, leadership of the CIO, and early designation of a chief architect.
Further, the establishment of an architectural team is necessary to define
an agency- specific architectural approach and process. The cycle for
completing an enterprise architecture highlights the need for constant
monitoring and oversight of architectural activities and progress, and for
architecture development teams to work closely with agency business line
executives to produce a description of the agency s operations, a vision of
the future, and an investment and technology strategy for accomplishing

defined business goals. The architecture is maintained through continuous

Page 6 GAO- 02- 369T

modification to reflect the agency s current baseline and target business
practices, organizational goals, vision, technology, and infrastructure.

In initiating its enterprise architecture process, VA has applied key
principles of the Federal CIO Council s guidance and has put in place some
core elements of the council s enterprise architecture framework. For
example, in the area of executive commitment, the department has

obtained crucial buy- in and support from the secretary, department- level
CIO, and other senior executives and business teams; this is essential to
raising awareness of and leveraging participation in developing the
architecture. As evidence of his commitment, last April the secretary
established a team made up of VA senior management business line and
information technology professionals to develop an enterprise architecture
strategy. The team met on weekends over the course of about 60 days and, in
August 2001, issued an executive enterprise architecture strategy that
articulates the department s policy and principles governing the
development, implementation, and maintenance of VA s enterprise
architecture.

VA is in the process of establishing committees to manage, control, and
monitor activities and progress in fully developing and implementing its
enterprise architecture. For example, VA s information technology board has
begun functioning as the department s enterprise architecture executive
steering committee, with responsibility for directing, overseeing, and
approving core elements and actions of the enterprise architecture program.
As part of VA s actions to develop and advance its enterprise architecture,
it has also chartered an enterprise architecture council which when
activated is expected to assist in developing project

priorities and performing management reviews and evaluations of IT project
proposals. In addition, VA is in the process of establishing an enterprise
architecture program management office and, over the last 8 months, has been
recruiting a permanent chief architect to provide overall leadership and
guidance for the enterprise architecture program. These

management entities are essential for ensuring that the department s IT
investments are aligned with the enterprise architecture and optimize the
interdependencies and interrelationships among business operations and the
underlying IT that supports them.

Further, as part of its enterprise architecture strategy, VA has chosen a
highly recognized enterprise architecture framework that will be used to
organize the structure of the architecture. 5 To facilitate its selection of
a framework, VA consulted with experts from the private sector and

5 Among the experts that VA consulted was John Zachman, author of A
Framework for Information Systems Architecture, referred to as the Zachman
framework ( IBM Systems Journal, vol. 26( 3) , 1987) . This framework
provides a common context for understanding a complex structure and enables
communication among those involved in developing or changing the structure.
Page 7 GAO- 02- 369T

borrowed lessons learned from officials involved in architecture development
at other federal agencies. VA has begun defining its current architecture,
an important step for ensuring that future progress can be measured against
such a baseline, and is also developing its future ( target)
telecommunications architecture. In addition, to assist in the management of
new IT initiatives, VA is considering using a system that it has designed to
link the management of its enterprise architecture program to the department
s capital planning and project management. It is also considering using a
Web- based tool that

it has designed to collect data on business rules, requirements, and
processes that will be integrated into the enterprise architecture
management process.

While VA has taken several important steps forward, it is important to note
that the department has many more critical work steps ahead in implementing
and managing its enterprise architecture. Using the Federal

CIO Council s enterprise architecture guide as a basis for analysis, table 1
illustrates some key steps that have been accomplished, along with examples
of the many critical actions VA must still address to implement and sustain
its enterprise architecture program. Accomplishing these remaining steps
will require continued and substantial time, effort, and commitment.

Page 8 GAO- 02- 369T

Table 1: VA s Progress in Developi g, Impleme ting, and Using an Enterprise
Architecture Steps in the enterprise architecture ( EA) process a Obtain ex
cutive buy- in and support

Obtain support from senior executive and

Establish management structure and control

Appoint key personnel for risk management, configuration manageme t and
quality assurance ( QA)

Establish enterprise architecture core

Steps VA has completed

Ensure agency head buy- in a d support

Steps in the enterprise architecture ( EA) process a

Develop EA marketing strategy and communications plan

D fine architecture process and approach

Select appropriate EA products Select products that represent business

Select products that represent agency

D velop baseline enterprise architecture

Collect i formation that describes existing enterprise

Steps VA has completed

Define intended use of architecture

Steps VA Examples of actions

Steps in the enterprise architecture ( EA) has

VA has planned or Examples of key actions yet

process a

completed taken

to be performed

Generate products and populate EA Create and populate the EA repository

repository with products that describe the relationships among i formation
elements

and work products Review, validate, and refine models Have subject matter
experts

assess the enterprise architecture products for accuracy and completeness

D velop target enterprise architecture

Collect i formation that defines future VA is collecting

Collect proposed business business operations a d supporti g information and

processes and information technology:

adding it to the flows, strategic plans,

strategic business objectives Zachman framework modernization plans, and

information needed to support business to define the to- be

requirements documents;

applications to provide information architecture for

incorporate technology forecast,

technology to support applications telecommunications

standards profile, and technical reference model Generate products and
populate EA

Create and populate the EA repository

repository with products that describe the relationships among i formation
elements

and work products Review, validate, and refine models Have subject matter
experts

assess the enterprise architecture products for accuracy and completeness

D velop sequencing plan Address all detailed activities i this step Identify
gaps Define and differentiate legacy, migration, a d new systems Plan
migration Approve, publish, and disseminate EA products

Use enterprise architecture Address all detailed activities i this step
Integrate EA with capital planning and investment control and systems life
cycle processes Train personnel Establish enforcement processes and
procedures

Define compliance criteria and consequences Set up integrated reviews
Execute integrated process Initiate new and follow- up projects

Prepare proposal Align project to EA Make investment decision

Page 11 GAO- 02- 369T

Steps VA Examples of actions

Steps in the enterprise architecture ( EA) has

VA has planned or Examples of key actions yet

process a

completed taken

to be performed

Execute projects Manage and perform project development Evolve EA with
program/ project Assess progress Complete project

Deliver product Assess architecture Evaluate results

Consider other uses of EA

Maintain enterprise architecture Address all detailed activities i this step
Maintain EA as enterprise evolves

Reassess EA periodically Manage projects to reflect reality

Ensure business direction and processes reflect operations Ensure current
architecture reflects system evolution Evaluate legacy system maintenance
requirements against

sequencing plan Maintain sequencing plan as integrated program plan Continue
to co sider proposals for EA modifications

a Chief Information Officer Cou cil.

b A repository is an i formatio system used to store and access
architectural information, relationships among the i formation elements, and
work products. Source: GAO analysis.

Among the key activities requiring immediate attention is establishment of a
program management office headed by a permanent chief architect to manage
the development and maintenance of the enterprise architecture. VA has begun
establishing such an office and is currently recruiting a chief architect.
However, until the department has an office that is fully staffed with
experienced architects and hires a chief architect with the requisite core
competencies, it will continue to lack the management and oversight
necessary to ensure the success of its enterprise architecture program.
Further, until the department has completed an implementation plan that
delineates how it will develop, use, and maintain the enterprise

architecture, it will lack definitive guidance for effectively managing the
enterprise architecture program.

Further, a lot of work lies ahead related to VA s efforts toward developing
its baseline and target architectures. A crucial first step in building the
enterprise architecture is identifying and collecting existing products that

Page 12 GAO- 02- 369T

describe the agency as it exists today and as it is intended to look and
operate in the future. While VA has developed a baseline application
inventory to describe its as is state, it has not yet completed validating
the inventory, or completed detailed application profiles for the inventory,

including essential information such as business functions, information
flows, and external interface descriptions. Similarly, to define its vision
of future business operations and supporting technology, VA must still

collect crucial information for its target architecture, including
information on its proposed business processes, strategic plans, and
requirements.

Beyond these planning and development activities, VA will also have to
ensure the successful transition and implementation of its enterprise
architecture. Evolving the agency from its baseline to the target
architecture will require concurrent, interdependent activities and
incremental development. As such, VA will need to develop and maintain a
sequencing plan to provide a step- by- step approach for moving from the
baseline to the target architecture. Development of this sequencing plan
should consider a variety of factors, including sustaining of operations
during the transition, anticipated management and organizational changes,
and business goals and operational priorities. Ultimately, VA s success in
using the architecture will depend on active management and receptive
project personnel, along with effective integration of the enterprise
architecture process with other enterprise life cycle processes.

A key aspect of VA s enterprise architecture program is the integration of
security practices into the enterprise architecture. The CIO Council has
articulated guidelines for doing so. 6 For example, the architecture policy
should include security practices and the architecture team should include
security experts. In its enterprise architecture strategy document, VA has
committed to including security in all elements of its enterprise
architecture. Further, VA s executive- level security officer served as a
member of its architecture team. As VA moves forward in developing,
implementing, and using its enterprise architecture, we would expect it to
include information security details relating to the design, operations,
encryption, vulnerability, access, and use of authentication processes. A
commitment to building information security into all elements of its
enterprise architecture program is essential to helping VA meet the
challenges that it faces in protecting its information systems and sensitive
data.

As VA moves forward with its enterprise architecture management program, it
should ensure that remaining critical process steps outlined in the federal
CIO guidance are sufficiently addressed and completed within reasonable
timeframes. With the enhanced management capabilities

6 Chief Information Officer Council, A Practical Guide to Federal Enterprise
Architecture, Version 1. 0 ( Washington, D. C. , February 2001) . Page 13
GAO- 02- 369T

provided by an enterprise architecture framework, VA should be able to ( 1)
better focus on the strategic use of emerging technologies to manage its
information, ( 2) achieve economies of scale by providing mechanisms for
sharing services across the department, and ( 3) expedite the integration of
legacy, migration, and new systems.

Information Security Information security continues to be among the top
challenges that the

Challenges Continue department must contend with. As you know, in carrying
out its mission,

VA relies on a vast array of computer systems and telecommunications to
Require Top

networks to support its operations and store the sensitive information that
Management it collects related to veterans health care and benefits. VA s
networks are highly interconnected, its systems support many users, and the
department Attention is increasingly moving to more interactive, Web- based
services to better meet the needs of veterans. Effectively securing these
computer systems and networks is critical to the department' s ability to
safeguard its assets, maintain the confidentiality of sensitive veterans
health and disability benefits information, and ensure the reliability of
its financial data.

Mr. Chairman, when we last testified, VA had just established a department-
level information security management program and hired an executive- level
official to head it. 7 VA had also finalized an information security
management plan to provide a framework for addressing longstanding
departmentwide computer security weaknesses. However, as our testimony
noted, the department had not implemented key components of a comprehensive,
integrated security management program that are essential to managing risks
to business operations that rely on its automated and highly interconnected
systems. This condition existed despite our previous recommendation that VA
effectively implement and oversee its computer security management program
through assessing risks, implementing policies and controls, promoting
awareness, and evaluating the effectiveness of information system controls
at its facilities. 8 As with its enterprise architecture, the Secretary
expressed his intent to implement measures that would remedy existing
deficiencies in the department s security program.

The effects of not having a fully integrated computer security management
program in place remain evident. Since the subcommittee s hearing on this
topic last April, VA and its Office of Inspector General have continued to

report pervasive computer security challenges. VA s September 2001 report on
compliance with recently enacted government information

7 GAO- 01- 550T. 8 U. S. General Accounting Office, VA Information Systems:
Computer Security Weaknesses Pe r sist at the Veterans Health
Administration, GAO/ AIMD- 00- 232 ( Washington, D. C. : September 8, 2000)
. Page 14 GAO- 02- 369T

security reform legislation 9 revealed that the department had not
implemented effective information security controls for many of its systems
and major applications. Last October, VA s inspector general also reported
that it had found significant problems related to the department s control
and oversight of access to its systems, including that VA had ( 1) not
adequately limited the access of authorized users or effectively managed
user identifications and passwords, ( 2) not established effective controls
to prevent individuals from gaining unauthorized access to its systems, ( 3)
not provided adequate physical security to its computer facilities, and ( 4)
not updated and tested disaster recovery plans to ensure continuity of
operations in the event of a disruption in service.

Many of these access and other general control weaknesses mirror
deficiencies we have reported since 1998, and that VA s inspector general
continues to report as a material weakness in the department s internal
controls. 10 Based largely on weaknesses of this type, last fall the House
Government Reform Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations gave VA a failing grade in
computer security. 11

Progress Being Made, But VA s senior leadership has shown greater awareness
of and concern for

Important Elements of a the severity of the department s computer security
problems, and since

Comprehensive last April has taken steps aimed at strengthening VA s overall
security

Computer Security posture. Specifically, to provide greater management
accountability for

information security, the secretary has mandated information security
Management Program Still

performance standards for members of the department s senior executive
Lacking

service. In addition, VA s cyber security officer the department s senior
security official has organized his office to focus more directly on the

9 The government information security reform provisions of the fiscal year
2001 Defense Authorization Act ( P. L. 106- 398) require annual agency
program reviews and annual independent evaluations for both non- national
security and national security information systems. 10 Department of
Veterans Affairs Office of Inspector General, Report of the Audit of the
Department of Veterans Affairs Consolidated Financial Statements for Fiscal
Years 2001 and 2002( Washington, D. C. ,

February 27, 2002) . 11 House Committee on Government Reform. Subcommittee
on Government Efficiency, Financial Management and Intergovernmental
Relations, Computer Security: How Is the Government Doing? 107 th Cong. , 1
st sess. , 9 November 2001. Page 15 GAO- 02- 369T

critical elements of information systems control that are defined in our
information system controls audit methodology. 12 Further, the department
has adopted the National Institute of Standards and Technology s federal

information technology security assessment framework to use in determining
the current status of these controls and measuring the progress of
information security program improvements.

The cyber security officer also recently revised the department s security
management plan to update security policies, procedures, and technical
standards. The updated plan outlines actions for developing risk- based
security assessments, improving the monitoring and testing of systems
controls, and implementing departmentwide virus- detection software and
intrusion- detection systems. The plan places increased emphasis on
centralizing key security functions that previously were decentralized or
nonexistent, including virus detection, systems certification and
accreditation, network management, configuration management, and incident
and audit analysis.

Yet even with this positive direction, VA s actions do not fully address
remaining problems, and are inadequate to cover the breadth of matters
essential to a comprehensive security management program. Our 1998

report on effective security management practices used by several leading
public and private organizations 13 and a companion report on risk- based
security approaches in 1999 14 identified key principles that can be used to
establish a management framework for more effective information security
programs. This framework is depicted in figure 2. The leading organizations
we examined applied these principles to ensure that information security
addressed risks on an ongoing basis. Further, these have been cited as
useful guidelines for agencies by the Federal CIO Council and incorporated
into the council s information security assessment framework, 15 intended
for agency self- assessments.

12 U. S. General Accounting Office, Federal Information System Controls
Audit Manual, GAO/ AIMD12. 19. 6 ( Washington, D. C. , January 1999) . 13 U.
S. General Accounting Office, Information Security Management: Learning From
Leading Organizations, GAO/ AIMD- 98- 68 ( Washington, D. C. , May 1998) .
14 U. S. General Accounting Office, Information Security Risk Assessmen t

: Practices of Leading Organizations, GAO/ AIMD- 00- 33 ( Washington, D. C.
, November 1999) . 15 Chief Information Officer Council, Federal Information
Technology Security Assessment Framework ( Washington, D. C. , November 28,
2000) . Page 16 GAO- 02- 369T

Figure 2: Information Security Risk Management Framework

Source: GAO/ AIMD- 98- 68.

Using our information security risk management framework as criteria, table
2 summarizes both the actions that VA has taken and those still needed to
ensure that it has a comprehensive computer security management program. As
shown, while VA has completed a number of important steps, its efforts in
each of the five key areas of effective computer security program management
central security management, security policies and procedures, risk- based
assessments, security awareness, and monitoring and evaluation have not yet
included key actions that are essential for successful and effective program
implementation.

Page 17 GAO- 02- 369T

Table 2: Actions Needed to Ensure a Comprehensive Computer Security Ma
agement Program Important elements of a computer security management program
c Actions VA has taken Actions still needed

Central security management function

Established a department- level Ensure full- time security officers or staff

to guide and oversee complia ce with information security officer with
primary duty for security are assigned

established policies and procedures Began requiring full- time security

to information security officer positions, and and review effectiveness of
the

officers or staff with primary duty clearly define their roles and

security environment for security at all facilities

responsibilities Established a CIO subcommittee to

Develop guidance to ensure authority and improve departmentwide

independence for security officers coordination on security issues Develop
policies and procedures to ensure

departmentwide coordination of security functions

Security policies and procedures that Updating department security

Refocus departme t policy to address govern a complete computer security

policy and guidance security from an interconnected VA

program and i tegrate all security Developed technical security

systems e vironment perspective in aspects of an organization s

standards for some network addition to that of individual systems

environment, including local area platforms Develop and implement technical
security

networks, wide area networks, and standards for mainframe and other systems
mainframe security

and security software

Periodic risk assessments to assist Developed abbreviated risk

Include best minimum standards or management in making decisions on

methodology as part of the guidance for performing risk assessments

necessary controls to help ensure that Government Information Security

in methodology security resources are effectively

Reform Act process Develop guidance for determining when a distributed to
minimize potential loss

Established policy requiring risk to event is a significant change and
explaining

be assessed when significant the level of risk assessment required for

changes are made to computer these system changes

systems Page 18 GAO- 02- 369T

Important elements of a computer security management program c Actions VA
has taken Actions still needed

Security awareness to educate users Implemented a departme twide

Establish a process to ensure program about current information security

security awareness program compliance

risks, policies, and procedures

Monitoring and evaluating computer

Issued contract for independent Develop specific requirements for

controls to e sure their effectiveness, compliance reviews of ongoing

conducting compliance review program improve them, and oversee

initiatives related to security Develop a ongoing program for testing
compliance controls

controls to include assessments of both Performed penetration testing of its

internal and external access to VA Web sites from the Internet

systems; expand current tests to identify Implemented computer virus-

unauthorized or vulnerable external detection software departmentwide

connections to VA s network Began developing an inventory of

Establish a process for tracki g the status security weaknesses

of security weaknesses, corrective actions taken, and independent validation
of the Established a process for reporting

corrective actions computer security incidents and

Develop a process for routinely analyzing piloted intrusion- detection
systems

the results of computer security reviews to at selected locations

identify trends and vulnerabilities and apply Developed a certification and

appropriate countermeasures to improve accreditation framework for its

security general support and major Develop a proactive security i cident
applications

response program to mo itor user access for unusual or suspicious activity

C U. S. General Accounti g Office, Ex cutive Guide: Information S curity
Management , GAO/ AIMD- 98- 68 ( Washington, D. C. : April 7, 1998) .
Source: GAO analysis.

As the table illustrates, VA s security management program continues to lack
essential elements required to protect the department s computer systems and
networks from unnecessary exposure to vulnerabilities and risks. For
example, while VA has begun to develop an inventory of known security
weaknesses, it continues to be without a comprehensive, centrally managed
process that will enable it to identify, track, and analyze all computer
security weaknesses. Further, the updated security management plan does not
articulate critical actions that VA will need to take to correct specific
control weaknesses or the time frames for completing key actions. While the
plan calls for monitoring VA s computer control environment to ensure
compliance, the plan does not provide a framework to guide the monitoring
activities by, for example, identifying the specific security areas to be
reviewed, the scope of compliance work to be performed, the frequency of
reviews, reporting requirements, or the resolution of reported issues.

VA also lacks a mechanism for collecting and tracking performance data,
ensuring management action as needed and, when appropriate, providing
independent validation of program deliverables. Without these essential Page
19 GAO- 02- 369T

elements, VA will have only limited assurance that its financial information
and sensitive medical records are adequately protected from unauthorized
disclosure, misuse, or destruction. Accordingly, as VA continues to improve
upon its information security management, it should move expeditiously to
address the gaps we are highlighting in table 2.

In commenting on the department s current security posture, VA s cyber
security officer stated that efforts are planned or underway to address the
actions not yet completed. He added that by August 31, 2002, the department
expects to have a plan for completing all of the necessary corrective
actions.

Overarching While VA is clearly placing greater emphasis on its information
security, its

Organizational and cyber security officer will be challenged to manage the
security function

Management Issues Could on a departmentwide basis. As the department is
currently organized,

more than 600 information security officers in VA s three administrations
Hinder VA s Ability to Fully and its many medical facilities throughout the
country 16 are responsible for

Address Information ensuring that appropriate security measures are in
place. These

Security Challenges information security officers report to their facility s
director or the chief information officer for their administration. However,
there is neither

direct nor indirect reporting to VA s cyber security officer, thus raising
questions about this official s ability to enforce compliance with security
policies and procedures and ensure accountability for actions taken
throughout the department. Further, because VA s information security budget
relies on funding by its component administrations, the cyber security
officer lacks control and accountability over a significant portion of the
financial resources that the security program depends on to sustain its
operations.

17 Successfully managing information security under this organizational
structure, therefore, will in large part depend on the extent to which VA s
business managers assume responsibility for implementing the appropriate
policies and controls to mitigate risks, and work collaboratively and
cooperatively with the cyber- security officer. Consequently, it will be
essential for VA to hold its senior managers accountable for information
security at their respective facilities and administrations. VA has taken a
critical step toward achieving this by establishing security performance
standards for its senior executives. These standards must be effectively
applied and enforced, however, to ensure a successful outcome.

16 VHA provides medical care at 163 hospitals, more than 800 community and
facility- based clinics, 135 nursing homes, 43 domiciliaries, 206
readjustment counseling centers, and various other facilities. 17 For
example, to help support its fiscal year 2002 security program budget
request of about $ 55 million, VA expects to receive about $ 22 million in
funding from VHA and $ 12 million from the department s other
administrations and offices. Page 20 GAO- 02- 369T

Progress on the The VETSNET compensation and pension replacement effort grew
out of Compensation and

an initiative that VBA undertook in 1986 to replace its outdated benefits
delivery network ( BDN) and modernize its compensation and pension,

Pension Replacement education, and vocational rehabilitation benefits
payment systems. VBA

System Is had expected these modernized systems to provide a rich source for

answering questions about veterans benefits and enable faster processing
Disappointing

of benefits. In 1996, after experiencing numerous false starts and spending
approximately $ 300 million on the overall modernization, VBA revised its
strategy and began focusing on modernizing the compensation and pension ( C&
P) payment system. At that time, VBA estimated that the C& P replacement
project would cost $ 8 million and be completed in May 1998.

Since its inception, however, VBA has been plagued with problems in carrying
out the C& P replacement initiative. As detailed in the attachment, our
various publications since 1996 have highlighted consistent and longstanding
concerns in several areas, including project management, requirements
development, and testing. Our testimony last April noted that VBA had made
some progress in developing and testing software products that would become
part of the system. Nevertheless, we also noted that VBA had not addressed
several important issues that were key to its successful implementation,
including the need to develop an integrated project plan and schedule
incorporating all of the critical areas of this system development effort.
18 As our prior work has pointed out, a significant factor contributing to
VBA s continuing problems in developing and implementing the system has been
the level of its capability to develop and maintain high- quality software
on any major project within existing cost and schedule constraints a
condition that we identified during our 1996 assessment of the department s
software development capability.

19 Critical Actions Have Not After 6 years of work 4 years beyond what its
initial estimate called for Been Taken to Ensure VBA has spent at least $ 35
million, without much demonstrable progress

Successful Implementation toward implementing the replacement system. Since
last April, it has not

of the C& P Replacement made substantial progress in addressing the concerns
raised by our earlier

work. Although, last year, VBA indicated that it had implemented its rating
System board automation tool and had completed developing and testing its
four other software products, 20 the administration stated during our recent

review that two of the software products that will support its award
processing and finance and accounting systems still need further

18 GAO- 01- 550T. 19 U. S. General Accounting Office, Software Capab il ity
Evalua t ion: VA s Software Development Process is Immature, GAO/ AIMD- 96-
90 ( Washington, D. C. : June 19, 1996) . 20 The current C& P replacement
strategy incorporates five software products: Search and Participant
Profile, Rating Board Automation 2000, Modern Award Processing- Development,
Award Processing, and Finance and Accounting System. The first product
deployed in November 2000 Rating Board Automation 2000 was to assist
veterans service representatives in rating benefits claims. Page 21 GAO- 02-
369T

development. Moreover, VBA has not increased the number of payments using
these new software products beyond the 10 original claims that it had pilot
tested in February 2001. In addition, it continues to lack an integrated
project plan and schedule that incorporate all of the critical areas of this
system development activity. Further, VBA still has not obtained essential
support from the field office staff that will be required to use the new
software, and requirements for the new software have not yet been validated.
These deficiencies are significant, given that the software application that
VBA developed to assist veterans service representatives in rating benefits
claims ( Rating Board Automation 2000) did not meet users needs and achieved
less timely claims processing results.

At this time, VBA also is without a project manager to oversee the project.
Progress made early in 2000 toward creating a project control board to
manage the C& P replacement was curtailed when the project manager departed
last April. Until VBA provides appropriate management and oversight for all
aspects of the project s development and implementation, it will not be
positioned to ensure that this project will deliver a cost- effective
solution with measurable and specific program- related benefits.

Further, the schedule for implementing the replacement system continues to
undergo change, resulting in additional delays. Last April, VBA had planned
to deploy VETSNET in all of its 58 regional offices in July 2002. However,
VBA officials have since modified the deployment time frame twice, with its
latest proposal being to deploy each of the five applications separately
over 2 years, beginning in June 2003. VBA management has not yet approved
this latest strategy.

Studies Highlight the Need Last year, the secretary expressed concerns about
the VETSNET project

for Additional Testing and and called for an independent audit of the C& P
replacement system to

Information to Support facilitate his decision on whether to continue the
initiative. Accordingly, a

Continued Systems contractor was hired in May 2001 to assess ( 1) whether
the system

architecture will be capable of supporting VBA s projected future
Development

workload, and ( 2) whether the system being developed will meet future
functional, performance, and security needs. The contractor reported last
September that the system architecture would be able to process VBA s
projected future workload.

However, the contractor neither assessed nor reported on whether the system
will meet future functional business needs, and the scope of its review did
not generate sufficient information to fully evaluate and make an informed
decision on whether the project should proceed. The review focused primarily
on the system s ability to perform efficiently under a heavy workload, and
did not include user acceptance or the functional testing that is needed to
ensure that the system can fully satisfy user requirements and that deployed
software can be used without significant errors. Further, the review did not
fully address the security requirements

Page 22 GAO- 02- 369T

for the new system. VA s department- level CIO agreed that the scope of the
contractor s review had been limited to a technical review of whether
VETSNET could handle the anticipated workload. He also acknowledged the need
for functional testing and an integrated project plan.

Similar concerns about VBA s strategy for the C& P replacement project were
also documented in an October 2001 report issued by the VA claims processing
task force. 21 In its report, the task force emphasized that limited user
and functional testing posed a major problem for VBA in developing and
implementing its systems. The task force highlighted material deficiencies
in VBA s strategic planning and its implementation and deployment of new and
enhanced information technology products and initiatives, as had been
pointed out in an earlier report. Further, the task force questioned whether
VETSNET represented a viable long- term solution, in part because it does
not provide support for a redesigned and

integrated claims process across VA s administrations and offices. In
commenting on these reports findings, VBA s CIO stated that, by the end of
March 2002, her office anticipated completing a remediation plan that will
address the most critical concerns identified in the contractor s review.
She stated that the office is in the process of developing a statement of
work to obtain contractor support to develop additional functional testing
capability. The statement of work is scheduled for completion in June 2002.
In addition, the CIO is negotiating with relevant VBA business groups to
secure subject matter experts to validate business requirements and assist
with the functional testing.

VETSNET Deployment If not promptly addressed, the problems and delays that
have been noted

in implementing the VETSNET project could have critical cost Delays Affect
the Benefits

implications for the department and service delivery inefficiencies for the
Delivery Network

veteran community. In particular, without a replacement system, VA must
continue to rely on the aging BDN to deliver its benefit payments, parts of
which were developed in the 1960s. Although the BDN was enhanced to

address year 2000 conversion issues, because of its anticipated replacement,
VBA has since made only limited investments in maintaining it.

21 The claims processing task force was formed in May 2001, when the
secretary of veterans affairs asked a group of individuals with significant
VA experience to assess and critique VBA' s compensation and pension
organization, management, and processes and to develop recommendations to
significantly improve VBA' s ability to process veteran claims for
disability compensation and pension. Page 23 GAO- 02- 369T

Without additional maintenance, it is uncertain that the BDN will be able to
continue accurately processing the many benefits payments that VBA must
make. 22 In its report, the claims processing task force warned that the
system s operations and support were approaching a critical stage, with the
potential for performance to degrade and eventually cease. The task force
recommended that the BDN be sustained and upgraded to ensure that payments
to veterans would remain prompt and uninterrupted until VBA is able to field
a replacement system. VBA officials have stated that they are working on a
plan to address this issue. This plan is expected to include purchasing an
additional mainframe computer to help extend the system s operation until
2007 the date by which new systems are planned to be operational for all
three benefits payment business lines.

As you can see, Mr. Chairman, despite many years of work, VBA still has a
number of fundamental tasks to accomplish before it can successfully
complete development and implementation of the VETSNET project. Before
proceeding with this project, VBA must assess and validate users
requirements for the new system to ensure that business needs are met. It
also needs to complete testing of the system s functional business

capability, as well as end- to- end testing to ensure payments are made
accurately. Finally, it must establish an integrated project plan to guide
its transition from the old to the new system. Until VBA performs a complete
analysis of the initiative, as the secretary has indicated he would do, it
is questionable whether additional resources should be expended on

continued systems development activities. VHA Continues to

Unlike VBA s work on VETSNET, VHA continues to make progress in Expand Its
Use of expanding overall use of its decision support system ( DSS) . As you
know, DSS is an executive information system designed to provide VHA

DSS managers and clinicians with data on patterns of patient care and
patient

health outcomes, as well as the capability to analyze resource utilization
and the cost of providing health care services. VHA completed its
implementation of DSS in October 1998. However, in September 2000, we
testified that DSS had not been fully utilized since its implementation, and

noted that DSS was not being used for all the purposes intended. 23 Last
April, we testified that VHA had shown moderate progress in increasing usage
of DSS among its veterans integrated service networks ( VISN) and medical
centers, and encouraged VA to continue providing top management support to
ensure that the system is fully utilized and that financial and clinical
benefits are realized. Our testimony noted several 22 The current C& P
payment system alone processes about 3. 2 million payments each month.

Altogether, the three benefits payment business lines process about 3. 5
million payments monthly. 23 GAO/ T- AIMD- 00- 321. Page 24 GAO- 02- 369T

efforts that VHA had undertaken to encourage greater use of DSS, including
using DSS data to support the fiscal year 2002 resource allocation process
and as a consideration in preparing VISN directors year- end performance
appraisals, requiring VISN directors to provide

examples of their reports and processes that rely on DSS data, and ensuring
that medical centers processing of DSS data is current ( no more than 60
days old) .

24 VHA s initiatives to encourage greater use of DSS have yielded results.
The use of DSS data in the fiscal year 2002 allocation process has clearly
raised VHA s awareness about the importance of this information. VHA s most
recent DSS processing report, dated January 31, 2002, revealed that all 22
VISNs had completed processing fiscal year 2001 DSS data and that seven
VISNs had begun processing fiscal year 2002 data. Further, every VISN has
provided both clinical and financial examples of DSS usage, and this
information is now being considered in the quarterly reviews of the VISN
directors' performance. As a result, VHA s managers have grown more
knowledgeable about and have begun to make more informed decisions regarding
the cost of care being provided by their facilities.

Initiatives Are Being Taken VHA continues to explore other initiatives to
improve the accuracy and

to Improve the Accuracy, completeness of DSS data. In response to a report
issued by VA s inspector

general in March 1999, 25 regarding the failure of some medical facilities
to Timeliness, and Availability

follow the DSS basic structure for capturing workload data and associated of
DSS Data

costs, VHA has taken several actions, including

implementing a VHA decision support system standardization directive that
requires annual standardization audits and the reporting of consecutive
repeat occurrences of non- compliance to the assistant deputy under
secretary for health;

developing an audit tool for use in determining a facility' s compliance
with the DSS basic model for capturing workload data and associated costs;
and

performing a standardization audit in September 2001 to assess the extent to
which each facility s DSS departments and products complied with national
standards. 26

24 GAO- 01- 550T. 25 Department of Veterans Affairs, Office of Inspector
General, Audit of Veterans Health Administration Decision Support System
Standardization, Report No. 9R4- A19- 075 ( Washington, D. C. , March 31,
1999) . 26 The standardization audit revealed a 99. 6 percent compliance
rate with the National Department List, a 98. 8 percent compliance rate with
the National Product List, and a 99. 5 percent match between facilities cost
centers and DSS departments.

Page 25 GAO- 02- 369T

Further, in response to managers concerns that DSS data are not timely and
easy to access, the DSS program office initiated several actions. These
include establishing a working group last July to identify best practices
and recommend actions for improving processing efficiency and the timeliness
and availability of DSS data. To date, the working group has provided all
DSS sites with an updated monthly guide detailing each step of the process,
and has distributed a pharmacy rejects database and a stepby- step guide for
processing these rejects. These products should help increase the efficiency
of the monthly processing and facilitate more

accurate and timely data. In addition, the program office has authorized two
sites to pilot test an application aimed at providing the end user or
manager with a user- friendly front end to display DSS information and

allow patient inquiry. In addition, several VISNs have independently begun
exploring options for providing easier access to DSS data. For example, one
is examining the feasibility of establishing a data warehouse where data
extracted from DSS can be transformed into a format that will facilitate
queries and reports that are simple to create and quick to run. 27 Another
has begun building a data repository for use in creating an application to
compile and deliver data requested by managers or clinicians.

28 Even with these accomplishments, however, top management involvement and
continued support will be critical to ensuring that VHA continues to make
progress in improving the operational efficiency and effectiveness of DSS,
and that it realizes the full clinical and financial benefits of this
system. In March 2001, oversight for the DSS program was transferred from
VHA s chief information officer to its chief financial officer. Since that
time, VHA has also assigned three different acting directors to lead the
program. However, VHA has not yet selected a permanent director to provide
consistent management and oversight. In addition, of 56 personnel positions
allotted to the DSS program office, 19 positions had not been filled at the
end of January 2002. Without a permanent director to lead the DSS program or
full staffing to support the system s operation, VHA runs the risk that
continued increases in usage of DSS, along with its associated benefits,
could be imperiled.

27 Veterans integrated service network 16 ( Jackson, Mississippi) . 28
Veterans integrated service network 13 ( Minneapolis, Minnesota) Page 26
GAO- 02- 369T

The Government Mr. Chairman, you also asked us to update you on VA s
progress, in

Computer- based conjunction with the Department of Defense ( DOD) and the
Indian Health

Service ( IHS) , in achieving the ability to share patient health care data
as Patient Record

part of the government computer- based patient record ( GCPR) project.
Initiative Is Moving

Having readily accessible data to facilitate services to our nations
military Away From Its personnel and others has proved particularly
significant in light of recent terrorist actions and the associated
responses that have been required.

Original Goal The GCPR project developed out of VA and DOD discussions about
ways to share data in their health information systems and from efforts to
create

electronic records for active duty personnel and veterans. As you know, the
patients served by VA s and DOD s systems tend to be highly mobile, and
consequently, their health records may be at multiple federal and nonfederal
medical facilities, both in and outside of the United States. In November
1997, the president called for the two departments to develop a

comprehensive, life- long medical record for each service member, and in
August 1998 8 months after the GCPR project was officially established
issued a directive requiring VA and DOD to develop a

computer- based patient record system that will accurately and efficiently
exchange information. 29 IHS later became involved because of its expertise
in population- based research and its longstanding relationship with VA in
caring for the Indian veteran population.

As originally envisioned, GCPR was not intended to be a separate
computerized health information system, nor was it meant to replace VA s,
DOD s, and IHS s existing systems. Rather, it was intended to allow
physicians and other authorized users at these agencies health facilities to
access data from any of the other agencies' health facilities by serving as
an electronic interface among their health information systems. The
interface was expected to compile requested patient information in a
temporary, virtual record, that could be displayed on a user s computer
screen.

In April 2001, we reported that expanding time frames and cost estimates, as
well as inadequate accountability and poor planning, tracking and oversight,
had raised doubts about GCPR s ability to provide the benefits expected. 30
In particular, we noted that the project s time frames had significantly
expanded and that its costs had continued to increase. In

29 National Science and Technology Council, A National Obligation: Planning
for Health Preparedness for and Readjustment of the M il itary, Veterans,
and Their Fam il ies After Future Deployments, Presidential Review Directive
5 ( Washington, D. C. , Executive Office of the President, Office of Science
and Technology Policy, August 1998) . 30 U. S. General Accounting Office,
Computer- Based Pa tt

ient Records: Be ter Planning and Oversight by VA, DOD, and IHS Would
Enhance Health Data Sharing, GAO- 01- 459 ( Washington, D. C. , April 30,
2001) . Page 27 GAO- 02- 369T

addition, basic principles of sound IT project planning, development, and
oversight had not been followed, creating barriers to progress. For example,
clear goals and objectives had not been set; detailed plans for developing,
testing, and implementing the new software had not been established; and
critical decisions regarding goals, costs, and time frames were not binding
on all parties. Further, data exchange and privacy and security issues
critical to the project s success remained to be addressed.

As a result of these concerns, we recommended that the three agencies ( 1)
designate a lead entity with final decisionmaking authority and establish a
clear line of authority for the GCPR project and ( 2) create comprehensive
and coordinated plans that included an agreed- upon mission and clear goals,
objectives, and performance measures, to ensure that the agencies can share
comprehensive, meaningful, accurate, and secure patient health care data. In
commenting on the report, VA, DOD, and IHS all concurred with our findings
and recommendations.

Nonetheless, progress on the GCPR initiative continues to be disappointing.
The scope of the project increasingly has been narrowed from its original
objectives and it continues to proceed without a comprehensive strategy. For
example, in responding to our report, VA, DOD, and IHS provided information
on a new, near- term strategy for GCPR. However, this revised strategy is
considerably less encompassing than the project was originally intended to
be. Specifically, rather than serve as an interface to allow data sharing
across the three agencies disparate systems, as originally envisioned, a
first phase of the revised

strategy calls only for a one- way transfer of data from DOD s current
health care information system to a separate database that VA hospitals can
access. While even this degree of data sharing is a positive development, VA
s clinicians, nonetheless, will only be allowed to read, but not perform any
calculations on the data received. VA and DOD officials had initially
planned to implement this near- term capability in November 2001, but
recently stated that they now expect to do so by this July 2002. Further,
the officials stated that they plan to change the name of the project to the
Federal Health Information Exchange.

Subsequent phases of the effort that were to further expand GCPR s
capabilities have also been revised. A second phase that would have enabled
information exchange among all three agencies VA, DOD, and IHS is now
expected to enable only a bilateral read- only exchange of data between VA
and IHS. Further, according to VA officials, plans for a third phase, which
was to

expand GCPR s capabilities to public and private national health information
standards groups, are no longer being considered for the project. Instead,
the third phase is now expected to focus only on expanding the data exchange
between VA and IHS and allowing limited data calculations and some
translation of terminology between the two

Page 28 GAO- 02- 369T

agencies. Under the revised strategy, there are no plans for DOD to receive
data from VA.

In addition, concerns expressed in our April 2001 report still need to be
addressed. For example, the GCPR project continues to operate without clear
lines of authority or a lead entity responsible for final decisionmaking.
Last August, the VHA CIO informed us that a draft memorandum of agreement,
designating VHA as the lead entity, was being considered within VA, DOD, and
IHS. However, this memorandum had not been approved or implemented at the
time that we concluded our review. The project also continues to move
forward without comprehensive and coordinated plans, including an agreed-
upon mission and clear goals, objectives, and performance measures. Without
clearly defined lines of authority and a comprehensive and coordinated
strategy, even the revised GCPR initiative is destined to continue on an
uncertain course one that is unlikely to deliver substantial results.

* * * * * In summary, VA has made good progress toward addressing a number
of important information technology concerns, but it still has much work to
do. Its current leadership is to be commended for the dedication that it has
demonstrated regarding VA s information technology problems. However, in
totality, the steps taken to date have not been sufficient to overcome the
wide range of deficiencies that threaten VA s operational effectiveness.
Many of VA s problems are longstanding and pervasive, and can be attributed
to fundamental weaknesses in management accountability some of which can
only be overcome through serious restructuring of

current reporting relationships and lines of authority. Until VA makes a
concerted effort to ensure that all necessary processes and controls exist
to guide the management of its information technology program, it will
continue to fall short of its goals of enhancing operational efficiency and,
ultimately, improving service delivery to our nation s veterans.

Mr. Chairman, this concludes my statement. I would be pleased to respond to
any questions that you or other members of the subcommittee may have at this
time.

Contacts and For information about this testimony, please contact me at (
202) 512- 6257 Acknowledgments or by e- mail at mcclured@ gao. gov.
Individuals making key contributions to

this testimony included Nabajyoti Barkakati, Amanda C. Gill, David W. Irvin,
Tonia L. Johnson, Valerie C. Melvin, Barbara S. Oliver, J. Michael Resser,
Rosanna Villa, and Charles M. Vrabel.

Page 29 GAO- 02- 369T

GAO Products Highlighting Concerns with VETSNET C& P Replacement

Issuance date Report/ testimony Summary of report findings and conclusions

April 4, 2001 The project s viability was still a concern. It continued to
lack an integrated GAO- 01- 550T project plan and schedule addressing all
critical systems development areas, to

be used as a means of determining what needs to be done and when. A pilot
test of 10 original claims that did not require significant development work
may not have been sufficient to demonstrate that the product was capable of
working as intended in an organizationwide operational setting. September
21, 2000 VBA s software development capability remained ad hoc and chaotic.
The

GAO/ T- AIMD- 00- 321 VETSNET implementation approach lacked key elements,
including a strategy for data conversion and an integrated project plan and
schedule incorporating all

critical systems development areas. Further, data exchange issues had not
been fully addressed. May 11, 2000 $ 11 million had reportedly been spent on
VETSNET C& P; both the May 1998 GAO/ T- AIMD- 00- 74 completion date and
revised completion date of December 1998 were not met.

Contributing factors included lack of an integrated architecture defining
the business processes, information flows and relationships, business
requirements, and data descriptions, and VBA s immature software development
capability. September 15, 1997 VBA s software development capability
remained ad hoc and chaotic, subjecting

GAO/ AIMD- 97- 154 the agency to continuing risk of cost overruns, poor
quality software, and schedule delays in software development.

May 30, 1997 VETSNET experienced schedule delays and missed deadlines
because ( 1) it GAO/ AIMD- 97- 79 employed a new software development
language not previously used by the

development team, one that was inconsistent with the agency s other systems
development efforts; ( 2) the department s software development capability
was immature and it had lost critical systems control and quality assurance
personnel, and ( 3) VBA lacked a complete systems architecture; for example,
neither a security architecture nor performance characteristics had been
defined for the project. June 19, 1996 VETSNET had inherent risks in that (
1) it did not follow sound systems GAO/ T- AIMD- 96- 103 development
practices, such as validation and verification of systems

requirements; ( 2) it employed a new systems development methodology and
software development language not previously used; and ( 3) VBA did not
develop the cost- benefit information necessary to track progress or assess
return on investment ( for example, total software to be developed and cost
estimates) . June 19, 1996 VBA s software development capability was
immature and it could not reliably

GAO/ AIMD- 96- 90 develop and maintain high- quality software on any major
project within existing cost and schedule constraints, placing its software
development projects at significant risk. VBA showed significant weaknesses
in requirements

management, software project planning, and software subcontract management,
with no identifiable strengths.

( 310419)

Page 30 GAO- 02- 369T

Comments from the Secretary of Veterans

Appendi x II Affairs

(310434)

GAO s Mission The General Accounting Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and

policies; and provides analyses, recommendations, and other assistance to
help Congress make informed oversight, policy, and funding decisions. GAO s
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of The fastest and easiest way to obtain copies of GAO
documents at no cost is through the Internet. GAO s Web site ( www. gao.
gov) contains abstracts and full- GAO Reports and

text files of current reports and testimony and an expanding archive of
older Testimony

products. The Web site features a search engine to help you locate documents
using key words and phrases. You can print these documents in their
entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as Today s Reports, on its Web
site daily. The list contains links to the full- text document files. To
have GAO e- mail this list to you every afternoon, go to www. gao. gov and
select Subscribe to daily E- mail alert for newly released products under
the GAO Reports heading.

Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $ 2 each. A check or money order should be made out to
the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U. S. General Accounting Office 441 G Street NW, Room LM Washington, D. C.
20548

To order by Phone: Voice: ( 202) 512- 6000 TDD: ( 202) 512- 2537 Fax: ( 202)
512- 6061

To Report Fraud, Contact: Waste, and Abuse in

Web site: www. gao. gov/ fraudnet/ fraudnet. htm E- mail: fraudnet@ gao. gov

Federal Programs Automated answering system: ( 800) 424- 5454 or ( 202) 512-
7470

Public Affairs Jeff Nelligan, managing director, NelliganJ@ gao. gov ( 202)
512- 4800 U. S. General Accounting Office, 441 G Street NW, Room 7149

Washington, D. C. 20548

a

GAO United States General Accounting Office

Page 1 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology United States General Accounting Office

Washington, D. C. 20548 Page 1 GAO- 02- 703 Recommendations on Veterans
Affairs' Information Technology

A

Page 2 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 3 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 4 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 5 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 6 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 7 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 8 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I

Appendix I GAO?s March 13, 2002, Testimony

Page 9 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 10 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 11 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 12 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 13 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 14 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 15 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 16 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 17 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 18 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 19 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 20 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 21 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 22 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 23 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 24 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 25 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 26 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 27 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 28 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 29 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 30 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 31 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 32 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 33 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 34 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 35 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 36 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 37 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix I GAO?s March 13, 2002, Testimony

Page 38 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Page 39 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

Appendix II

Appendix II Comments from the Secretary of Veterans Affairs

Page 40 GAO- 02- 703 Recommendations on Veterans Affairs' Information
Technology

United States General Accounting Office Washington, D. C. 20548- 0001

Official Business Penalty for Private Use $300

Address Service Requested Presorted Standard

Postage & Fees Paid GAO Permit No. GI00
*** End of document. ***