Veterans Affairs: Progress Made in Centralizing Information
Technology Management, but Challenges Persist (19-SEP-07,
GAO-07-1246T).
The Department of Veterans Affairs (VA) depends on information
technology (IT) to effectively serve our nation's veterans, with
an IT budget of about $1 billion annually. However, it has
encountered numerous challenges in managing its IT programs and
initiatives. To address these challenges, VA is realigning its IT
organization and management to a centralized model founded on a
defined set of improved management processes. Begun in October
2005, the realignment is planned to be complete by July 2008. In
this testimony, GAO discusses its recent reporting on VA's
realignment effort and its management of other IT programs and
initiatives, including ongoing systems development efforts and
work to share electronic health information with the Department
of Defense (DOD). To prepare this testimony, GAO reviewed its
past work in these areas.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-1246T
ACCNO: A76494
TITLE: Veterans Affairs: Progress Made in Centralizing
Information Technology Management, but Challenges Persist
DATE: 09/19/2007
SUBJECT: Information management
Information security
Information security management
Information technology
Internal controls
Inventory control
Medical records
Program evaluation
Program management
Technology assessment
Technology modernization programs
Veterans
GAO-07-1246T
Mr. Chairman and Members of the Committee:
I am pleased to participate in today's hearing on the information
technology program of the Department of Veterans Affairs (VA). As you
know, the department depends on information technology (IT) to effectively
serve our nation's veterans, with an IT budget that amounts to about $1
billion annually. However, VA has encountered numerous challenges in
managing its IT resources, as we have reported over the years. In our more
recent reporting, we have identified challenges in security management,
inventory control, project management, and other IT management
processes.^1 One factor contributing to the development of these
challenges has been the department's management structure,^2 which until
recently was decentralized and gave the VA administrations^3 and
headquarters offices^4 control over a majority of the department's IT
budget.
In October 2005, VA initiated a realignment of its IT program to provide
greater authority and accountability over its resources. The goals of the
realignment were to centralize IT management under the department-level
Chief Information Officer (CIO) and to standardize operations and
development of systems across the department through the use of new
management processes based on industry best practices. Completion of the
realignment is scheduled for July 2008.
^1For example, GAO, Information Security: Sustained Management Commitment
and Oversight Are Vital to Resolving Long-standing Weaknesses at the
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7,
2007); Veterans Affairs: Inadequate Controls over IT Equipment at Selected
VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation,
GAO-07-505 (Washington, D.C.: July 16, 2007); Veterans Affairs: Lack of
Accountability and Control Weaknesses over IT Equipment at Selected VA
Locations, GAO-07-1100T (Washington, D.C.: July 24, 2007); and Veterans
Benefits Administration: Progress Made in Long-Term Effort to Replace
Benefits Payment System, but Challenges Persist, GAO-07-614 (Washington,
D.C.: Apr. 27, 2007).
^2GAO, Veterans Affairs: The Role of the Chief Information Officer in
Effectively Managing Information Technology, GAO-06-201T (Washington,
D.C.: Oct. 20, 2005); and Veterans Affairs: The Critical Role of the Chief
Information Officer Position in Effective Information Technology
Management, GAO-05-1017T (Washington, D.C.: Sept. 14, 2005).
^3The VA comprises three separate administrations: the Veterans Benefits
Administration, the Veterans Health Administration, and the National
Cemetery Administration.
^4The headquarters offices include the Office of the Secretary, six
Assistant Secretaries, and three VA-level staff offices.
At your request, my testimony today will summarize our work on the
department's efforts in moving to a centralized IT management model, which
will affect all of VA's IT programs and initiatives. In this context, we
will also discuss our recent work on
o information security,
o inventory control over IT equipment,
o migrating existing ("legacy") benefits systems to modern
platforms, and
o sharing electronic health information with the Department of
Defense (DOD) and the prognosis for a DOD/VA bidirectional
interoperable electronic health record.
In developing this testimony, we reviewed our previous work in
these areas. All work covered in this testimony was performed in
accordance with generally accepted government auditing standards.
Results in Brief
VA has made progress in moving to a centralized management structure for
IT; however, at the time of our review in May 2007, it had still to
address some critical success factors for transformation, and it had not
yet institutionalized key IT management processes.^5 The department's
plans for realigning the management of its IT program include elements of
several of the six factors that we identified as critical for its
implementation of a centralized management structure. However, as of May
2007, VA did not plan to address one of the critical success factors:
dedicating an implementation team to manage change. Having such a team is
important at this stage, because the realignment is not expected to be
completed until July 2008. Without a team dedicated to managing the
realignment, it is less likely that the department will be able to ensure
that the realignment is managed effectively throughout its implementation.
In addition, although the department had begun to take action to establish
improved IT management processes--a cornerstone of the realignment--it had
not made significant progress at the time of our report. As of May 2007,
it had begun pilot testing 2 of 36 planned new processes. Until it
institutionalizes key management processes throughout the department, the
full benefits of the realignment may not be realized.
^5GAO, Veterans Affairs: Continued Focus on Critical Success Factors Is
Essential to Achieving Information Technology Realignment, GAO-07-844
(Washington, D.C.: June 15, 2007).
In the meantime, VA is undertaking a number of programs and initiatives
that depend on the effective management and use of IT resources. The
department has made progress in its programs and initiatives, but much
work remains.
o In a September 2007 report, we state that although VA has made
progress in addressing security weaknesses, it has not yet fully
implemented key recommendations to strengthen its information
security practices.^6 In addition, although the management
structure for information security has changed under the
realignment, improved security management processes have not yet
been completely developed and implemented, and responsibility for
the department's information security functions is divided between
two organizations, with no documented process for the two offices
to coordinate with each other.
o With regard to the department's IT inventory control, we
reported recently that a weak overall control environment for IT
equipment at four audited locations posed a significant security
vulnerability to the nation's veterans with regard to sensitive
data maintained on this equipment.^7 VA had taken some actions to
improve controls over IT equipment, such as issuing several new
policies to establish guidance and controls for information
security. In addition, the organizational realignment had begun,
but as it was not yet fully implemented, improved processes for
inventory control had not been established.
^6 GAO, Information Security: Sustained Management Commitment and
Oversight Are Vital to Resolving Long-standing Weaknesses at the
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7,
2007).
^7 GAO, Veterans Affairs: Inadequate Controls over IT Equipment at
Selected VA Locations Pose Continuing Risk of Theft, Loss, and
Misappropriation, GAO-07-505 (Washington, D.C.: July 16, 2007) and
Veterans Affairs: Lack of Accountability and Control Weaknesses over IT
Equipment at Selected VA Locations, GAO-07-1100T (Washington, D.C.: July
24, 2007).
o VBA has been pursuing efforts to migrate benefits processing
from its aging legacy system and develop modernized replacement
systems.^8 We reported that two initiatives (one on compensation
and pension payments and another on education benefits) had both
been hindered by project management weaknesses and in particular
the lack of integrated project plans. In April 2007, we reported
that the compensation and pension replacement project had improved
its management processes and made progress; VA concurred with our
recommendation that the improved processes be incorporated into
specific policy and guidance for all IT projects in the
department. Such processes could benefit the education benefits
project: when we reported in July 2007, the initiative had
achieved some enhancements in claims processing, but the absence
of an integrated project plan meant that critical elements were
missing for effectively guiding the project to completion, such as
an overall approach for coordinating various improvement
initiatives.
o As we testified in May 2007, VA and DOD have made progress in
both long- and short-term initiatives to share health information,
but much work remains to achieve the goal of a shared electronic
medical record and seamless transition between the two
departments.^9
^8 GAO, Veterans Benefits Administration: Progress Made in Long-Term
Effort to Replace Benefits Payment System, but Challenges Persist,
GAO-07-614 (Washington, D.C.: Apr. 27, 2007), and Veterans Affairs:
Improved Planning Needed to Guide Development and Implementation of
Education Benefits System, GAO-07-1045 (Washington, D.C.: July 31, 2007).
o Under their long-term initiative, the departments
had begun to exchange limited medical data (at
selected sites) through an interface between the data
repositories for the modern health information
systems that each department is developing. Although
implementing this interface is a milestone toward the
departments' long-term goal, VA and DOD must still
extend the current capability throughout both
departments, finish developing their two modernized
systems, and transition from their existing
systems.^10 The departments have not yet projected a
final completion date for the whole initiative.
o In their near-term efforts, the departments have
completed a system for one-way transfer of health
information from DOD to VA when service members leave
the military, and they are conducting demonstration
projects to exchange limited data at selected sites.
The departments have also established ad hoc
processes (such as scanning paper records) to meet
the immediate need to provide data on severely
wounded service members to VA's polytrauma centers.
These multiple initiatives and ad hoc processes highlight the need
for a project plan that integrates both long- and short-term
initiatives. Without such a plan, it remains unclear how all the
initiatives are to be incorporated into an overall strategy
focused on achieving the departments' goal of comprehensive,
seamless exchange of health information.
In the reports covered by this testimony, we have made numerous
recommendations aimed at improving the department's management of
its IT programs and initiatives. VA has agreed with these
recommendations and has taken action or plans to take action to
implement them. If this implementation is properly executed, it
could help the department to realize the expected benefits of the
realignment, as well as the aims of its programs and initiatives.
^9GAO, Information Technology: VA and DOD Are Making Progress in Sharing
Medical Information, but Are Far from Comprehensive Electronic Medical
Records, GAO-07-852T (Washington, D.C.: May 8, 2007).
^10Among other tasks required to complete development, the two departments
must agree to standards and populate the data repositories for the
categories of medical information that have not yet been addressed: that
is, all categories except outpatient pharmacy and drug allergy data.
Background
VA's mission is to promote the health, welfare, and dignity of all
veterans in recognition of their service to the nation by ensuring that
they receive medical care, benefits, social support, and lasting
memorials. Its three major components, the Veterans Benefits
Administration (VBA), the Veterans Health Administration (VHA), and the
National Cemetery Administration, are primarily responsible for carrying
out this mission. Over time, the use of IT has become increasingly crucial
to the department's effort to provide benefits and services. VA relies on
its systems for providing access to medical information to ensure
high-quality health care for veterans as well as for processing benefit
claims, including compensation and pension and education benefits.
In reporting on VA's IT management over the past several years, we have
highlighted challenges the department has faced in achieving its vision of
creating "One VA"--that is, integrating IT resources to enable department
employees to help veterans obtain services and information more quickly
and effectively. One major challenge was that the department's information
systems and services were highly decentralized and that its
administrations controlled a majority of the IT budget.^11 As we have
previously pointed out, it is crucial for the department CIO to ensure
that well-established and integrated processes for leading, managing, and
controlling investments are followed throughout the department. Similarly,
a contractor's assessment of VA's IT organizational alignment, issued in
February 2005, noted the lack of control over how and when money is
spent.^12 The assessment found that project managers within the
administrations had the ability to shift money to support individual
projects. Also, according to the assessment, the focus of department-level
management was only on reporting expenditures to the Office of Management
and Budget and Congress, rather than on managing these expenditures within
the department.
^11For example, according to an October 2005 memorandum from the former
CIO to the Secretary of Veterans Affairs, the CIO had direct control over
only 3 percent of the department's IT budget and 6 percent of the
department's IT personnel. In addition, in the department's fiscal year
2006 IT budget request, the Veterans Health Administration was identified
to receive 88 percent of the requested funding, while the department was
identified to receive only 4 percent.
VA Is Transforming its IT Organization to a Centralized Model
In response to the challenges that we and others noted, the department
officially began its effort to provide the CIO with greater authority over
IT in October 2005. At that time, the Secretary issued an executive
decision memorandum granting approval for the development of a new IT
management structure for the department. According to VA, its goals in
moving to centralized management are to provide the department better
oversight over the standardization, compatibility, and interoperability of
IT systems, as well as better overall fiscal discipline for the budget. By
July 2006, the department's realignment contractor began work to assist
with the realignment effort.
In February 2007, the Secretary approved the department's new organization
structure, which includes the Assistant Secretary for Information and
Technology, who serves as VA's CIO. As shown in figure 1, the CIO is
supported by a Principal Deputy Assistant Secretary and five Deputy
Assistant Secretaries--new senior leadership positions created to assist
the CIO in overseeing functions such as cyber security, IT portfolio
management, systems development, and IT operations.
^12Gartner Consulting, OneVA IT Organizational Alignment Assessment
Project "As-Is" Baseline (McLean, Virginia; Feb. 18, 2005).
Figure 1: Organizational Chart for VA Office of Information and Technology
Note: DAS = Deputy Assistant Secretary.
In April 2007, the Secretary approved a governance plan that is intended
to enable the Office of Information and Technology to centralize its
decision making. The plan describes the relationship between IT governance
and departmental governance and the approach the department intends to
take to enhance governance.
VA's Realignment Depends on Establishing Standardized IT Management Processes
As the foundation for its realignment, VA plans to implement improved
management processes in five key areas: enterprise management, business
management, business application management, infrastructure, and service
support. The particular management processes, recommended by the
department's realignment contractor, were based on industry best
practices^13 and encompass all areas of IT management, such as those
necessary for effective IT programs (such as security management and asset
management processes) and IT initiatives (such as risk management and
project management processes). In attachment 1, we provide brief
descriptions of the 36 IT management processes to be addressed in VA's
realignment.
^13 Specifically, these processes are derived from the IT Governance
Institute's Control Objectives for Information and Related Technology
(CobiT(R)) and Information Technology Infrastructure Library (ITIL) as
configured by the Process Reference Model for IT (PRM-IT) from a VA
contractor.
According to the contractor, establishing improved management processes
and standardizing these processes across the department are essential to
the effectiveness of the centralized management model. By implementing
these improved processes, VA expects to correct deficiencies it has
encountered as a result of its decentralized management approach. Proper
implementation should result in institutionalizing best management
practices that will be sustained regardless of future leadership changes
at the department. According to the contractor, with a system of defined
management processes, the Office of Information and Technology could
quickly and accurately change the way IT supports the department. The
contractor also noted that failure to include such processes in the
realignment would introduce the risk that any progress in completing the
realignment would be the result of trial and error.
Successful Organization Transformations Are Based on Critical Success Factors
We have reported in the past^14 on key factors that are needed in order to
successfully transform an organization to be more results oriented,
customer focused, and collaborative in nature. We reported that
large-scale change management initiatives are not simple endeavors and
require the concentrated efforts of both leadership and employees to
realize intended synergies and to accomplish new organizational goals. We
also noted that there are a number of key practices that can serve as the
basis for federal agencies to transform their cultures in response to
governance challenges, such as those that an organization like VA might
face when transforming to a centralized IT management structure. Among the
significant factors we identified as critical for ensuring the success of
VA's move to centralized management are
o ensuring commitment from top leadership,
o establishing a governance structure to manage resources,
o linking the IT strategic plan to the organization strategic
plan,
o using workforce strategic management to identify proper roles
for all employees,
o communicating change to all stakeholders, and
o dedicating an implementation team to manage change.
^14GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers
and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2,
2003); and Highlights of a GAO Forum: Mergers and Transformations: Lessons
Learned for a Department of Homeland Security and Other Federal Agencies,
GAO-03-293SP (Washington, D.C.: Nov. 14, 2002).
Successful Implementation of the Realignment Effort Requires Continued Focus on
Critical Success Factors and Implementation of Improved Management Processes
In our recent review of the department's effort to realign its IT program,
we evaluated, among other things, whether the realignment plan includes
the critical factors for successful transformation as discussed above.^15
We reported that VA's realignment plan included elements of several of the
six critical success factors that we identified. However, VA had not fully
addressed all six factors. Only one factor had been fully addressed;
additional work remained on the other five factors, as shown in table 1.
^15GAO, Veterans Affairs: Continued Focus on Critical Success Factors Is
Essential to Achieving Information Technology Realignment, GAO-07-844
(Washington, D.C.: June 15, 2007).
Table 1: Summary of VA's Actions Addressing Critical Success Factors as of
May 2007
Critical success factor     Addressed  Progress
--------------------------  ---------  ---------------------------------------
Ensuring commitment from    Yes        Secretary approved the new IT
top leadership                         organization structure and the
                                       transfer of employees

Establishing a governance   Partially  Secretary approved the IT governance
structure to manage                    plan, but VA has not established IT
resources                              governance boards or process
                                       descriptions for centrally managing IT

Linking IT strategic plan   No         VA has not yet updated its IT
to organization strategic              strategic plan to reflect the new
plan                                   organization, but it has established a
                                       date by which it intends to update the
                                       plan

Using workforce strategic   Partially  VA has identified workforce management
management to identify                 responsibilities, but it has not
proper roles for all                   established a knowledge and skills
employees                              inventory

Communicating change to     Partially  VA has addressed staff concerns about
all stakeholders                       the realignment through memorandums
                                       and conferences, but it has not fully
                                       staffed offices that will facilitate
                                       communication

Dedicating an               No         VA does not plan to establish a
implementation team to                 realignment implementation team
manage change
Source: GAO.
The department had fully addressed the first critical success factor,
ensuring commitment from top leadership, as demonstrated by the
Secretary's actions in support of the realignment. Besides approving the
transfer of personnel to the centralized office, the Secretary approved in
February 2007 a new organization structure for centralized IT management.
Since undertaking the realignment, VA concentrated its efforts on
transferring approximately 6,000 staff to the CIO's office from the
administrations and staff offices and on creating the new centralized
organizational structure. As shown in the table, VA had begun or planned
to begin actions on four other critical success factors, but it had not
completed the actions. For example, the department approved its governance
plan to address how the Office of Information and Technology will manage
resources; however, it had not yet established the boards that are to
provide governance over the centralized structure. In addition, although
the department had identified the responsibilities for managing its
workforce within its new structure, it had not yet established a knowledge
and skills inventory to help determine the proper roles for all employees
in the new organization.
VA had neither addressed nor planned to address the last critical success
factor: dedicating an implementation team to manage change. Although it
had highlighted the importance of managing change in its realignment
documentation, VA did not plan to establish a realignment implementation
team. As we have pointed out,^16 a dedicated implementation team that is
responsible for the day-to-day management of a major change initiative is
critical to ensure that the project receives the focused, full-time
attention needed to be sustained and successful. Specifically, the
implementation team is important to ensuring that various change
initiatives are implemented in a coherent and integrated way. The team
must have the necessary authority and resources to set priorities, make
timely decisions, and move quickly to implement the transformation. In
addition, the implementation team can assist in tracking implementation
goals for a change initiative and identifying performance shortfalls or
schedule slippages. It is important for the team to use performance
metrics to provide a succinct and concrete statement of expected
performance versus actual performance. Because of its close involvement
with the change initiative, the implementation team can also suggest
corrections to remedy any problems.
The department had not addressed this critical success factor: it had not
dedicated an implementation team to manage the realignment effort and
track its progress. At the conclusion of our review in June 2007, staff
from the IT realignment office, which was responsible for overseeing the
realignment, had been reassigned to other areas of responsibility within
the department's new structure. In addition, the Director of the
Realignment Office told us that multiple offices would assume
responsibility for managing the realignment through July 2008: the Office
of Quality and Performance Management would oversee process implementation
across the Office of Information and Technology, and the Office of
Oversight and Compliance Management would assess whether the department is
complying with the new processes. However, there was no one group
responsible for managing the realignment in its entirety. Without such a
dedicated group, it is less likely that VA will be able to ensure that the
realignment is managed effectively throughout its implementation.
^16 GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers
and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2,
2003).
With regard to the new IT management processes, the department had begun
to take action, but it had not made significant progress at the time of
our report. The department had planned to begin implementing 9 of the 36
new processes in March 2007. However, the department had missed key
implementation dates for these processes. As of May 2007, it had begun
pilot testing two of the new processes: the risk management process and
the solution (that is, business application) test and acceptance process.
Thus, although the department had taken positive steps in moving to
centralized IT management, it had much more work to complete before the
realignment can be considered finished and a success. If VA does not
continue to address the critical success factors we identified and develop
and implement the new management processes by their target date, the
department may continue to operate in a decentralized manner and risk not
fully realizing the long-term benefits of the realignment.
Accordingly, we recommended that the department dedicate an implementation
team responsible for change management throughout the transformation and
that it develop detailed IT governance process descriptions that identify
how IT resources will be managed in the centralized organization. We also
made seven additional recommendations aimed at ensuring that the
realignment is successfully accomplished. The department generally
concurred with our recommendations and stated that it has taken action or
has actions under way to address each of our recommendations.
Improved Processes Planned under the Realignment Are Not Yet in Place for IT
Programs and Initiatives
Although IT management has been centralized under the CIO, at the time of
our review, IT programs and initiatives continued to be managed under
previously established processes. The key processes to be used as the
foundation for the realignment had not yet had an impact on IT programs
(specifically, security and inventory management) or initiatives (such as
VBA's modernization efforts and VHA's initiatives on sharing medical data
with DOD).
Sustained Management Commitment and Oversight Are Vital to Resolving
Long-Standing Security Weaknesses
As mandated by the Federal Information Security Management Act (FISMA) of
2002,^17 every agency is to establish an information security program. In
addition, security management is a key management process that under the
realignment is to be established uniformly across the department. VA's IT
systems contain sensitive information that is vulnerable to inadvertent or
deliberate misuse, loss, or improper disclosure.
This vulnerability was highlighted by an incident in May 2006, when VA
announced that computer equipment containing personally identifiable
information^18 on approximately 26.5 million veterans and active duty
members of the military was stolen from the home of a VA employee. Until
the equipment was recovered, veterans did not know whether their
information was likely to be misused.
^17FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec.
17, 2002). Further, the Veterans Benefits, Health Care, and Information
Technology Act of 2006, Pub. L. No. 109-461 (Dec. 22, 2006) contains
specific requirements for VA's information security program.
^18"Personally identifiable information" refers to any information about
an individual maintained by an agency, including any information that can
be used to distinguish or trace an individual's identity, such as his or
her name, Social Security number, date and place of birth, mother's maiden
name, biometric records, etc., or any other personal information that is
linked or linkable to an individual.
In a September 2007 report, we state that although VA has made progress in
addressing security weaknesses, it has not yet fully implemented key
recommendations to strengthen its information security practices.^19 It
has implemented 2 of our 4 previous recommendations and only 2 of the 22
recommendations made by the department's inspector general (IG). Among
those recommendations not implemented are our recommendation that it
complete a comprehensive security management program and an IG
recommendation to strengthen critical infrastructure planning to ensure
that information security requirements are addressed. Because these
recommendations have not yet been implemented, the department will be at
increased risk that personal information of veterans and other
individuals, such as medical providers, may be exposed to data tampering,
fraud, and inappropriate disclosure.
Our report describes several major initiatives that VA has begun or
continued since the May 2006 security incident, in efforts to strengthen
information security practices and secure personal information within the
department. Among these initiatives are the department's efforts to
reorganize its management structure to provide better oversight and fiscal
discipline over its IT systems.^20
Establishing an effective IT management structure is the starting point
for coordinating and communicating the continuous cycle of information
security activities necessary to address current risks on an ongoing basis
while providing guidance and oversight for the security of the entity as a
whole. Under FISMA and the Veterans Benefits, Health Care, and Information
Technology Act of 2006, the CIO ensures compliance with requirements of
these laws and designates a chief information security officer (CISO) to
assist in carrying out his responsibilities. One mechanism organizations
can adopt to achieve effective coordination and communication is to
establish a central security management office or group to coordinate
departmentwide security-related activities.^21 To ensure that information
security activities are effective across an organization, the management
structure should also include clearly defined roles and responsibilities
for all security staff and coordination of responsibilities among
individual staff.
^19 GAO, Information Security: Sustained Management Commitment and
Oversight Are Vital to Resolving Long-standing Weaknesses at the
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7,
2007).
^20 Other initiatives are developing a remedial action plan; establishing
an information protection program; improving incident management
capability; and establishing an office responsible for oversight and
compliance of IT within the department.
Under the realignment, the management structure for information security
has changed, but improved security management processes have not yet been
completely developed and implemented. In particular, under the new
structure, responsibility for information security functions within the
department is divided between two organizations (see fig. 2), but no
documented process yet exists for the two responsible offices to
coordinate with each other in managing and implementing the departmentwide
security program.
Figure 2: Security Functions in New Office of Information and Technology
Structure
Note: DAS = Deputy Assistant Secretary.
^21 This is one of the identified activities described in our 1998 study of
security management practices: GAO, Executive Guide: Information Security
Management--Learning from Leading Organizations, GAO/AIMD-98-68
(Washington, D.C.: May 1998).
Under the new organization, the Director of the Cyber Security Office (who
is also the department's designated CISO)^22 has responsibility for
developing and maintaining a departmentwide security program, among other
things. However, the Director of the Field Operations and Security Office
is responsible for implementing the program. Although VA officials
indicated that these officials are communicating about the department's
implementation of security policies and procedures, this communication is
not defined as a role or responsibility for either position in the new
management organization book, nor is there a documented process in place
to coordinate the management and implementation of the security program.
Both of these activities are key security management practices. Without a
documented process, policies or procedures could be inconsistently
implemented throughout the department, which could prevent the CISO from
effectively ensuring departmentwide compliance with FISMA. In addition,
without a defined process and responsibilities, VA will have limited
assurance that the management and implementation of security policies and
procedures are effectively coordinated and communicated. Developing and
documenting these policies and procedures are essential for achieving an
improved and effective security management process under the new
centralized management model.
Accordingly, among the actions we recommended to the department was to
document clearly defined coordination responsibilities for the Director of
Field Operations and Security and the Director of Cyber Security, as well
as to develop and implement a process for these officials to coordinate on
the implementation of IT security policies and procedures throughout the
department. We also made 15 other recommendations to improve the
department's ability to protect its information and systems, including the
development of various processes and procedures to ensure that tasks in
the department's security action plans have time frames for
implementation. VA generally agreed with our recommendations and stated
that it had already implemented some of the recommendations and had
actions under way to address the others.
^22 The CISO position is currently unfilled, having been vacant since June
2006. Currently, the CIO is the acting CISO of the department. The
department has been attempting to fill the position of the CISO since
October 2006.
Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing
Risk of Theft, Loss, and Misappropriation
In light of reported weaknesses in VA inventory controls and reported
thefts of laptop computers and data breaches, the adequacy of such
controls has been an ongoing concern. In July 2007, we reported and
testified on an assessment of the risk of theft, loss, or misappropriation
of IT equipment at selected VA medical centers.^23 Our assessment found
that a weak overall control environment for IT equipment at the four
locations we audited posed a significant security vulnerability to the
nation's veterans with regard to sensitive data maintained on this
equipment. According to our Standards for Internal Control in the Federal
Government, agencies are required to establish physical controls to
safeguard vulnerable assets, such as IT equipment, which might be
vulnerable to risk of loss; in addition, federal records management law
requires federal agencies to record essential transactions. However, we
reported in July that current VA property management policy does not
provide guidance for creating records of inventory transactions as changes
occur. Also, policies requiring annual inventories of sensitive items
(such as IT equipment), adequate physical security, and immediate
reporting of lost and missing items had not been enforced.
Our statistical tests of physical inventory controls at the four locations
identified a total of 123 missing IT equipment items, including 53
computers that could have stored sensitive data. The lack of user-level
accountability and inaccurate records on status, location, and item
descriptions make it difficult to determine the extent to which actual
theft, loss, or misappropriation may have occurred without detection.
Table 2 summarizes the results of our statistical tests at each location.
^23 GAO, Veterans Affairs: Inadequate Controls over IT Equipment at
Selected VA Locations Pose Continuing Risk of Theft, Loss, and
Misappropriation, GAO-07-505 (Washington, D.C.: July 16, 2007) and
Veterans Affairs: Lack of Accountability and Control Weaknesses over IT
Equipment at Selected VA Locations, GAO-07-1100T (Washington, D.C.: July
24, 2007).
Table 2: Current IT Inventory Control Failures at Four Test Locations
                             Washington, D.C.,  Indianapolis,   San Diego,      VA HQ
Control failures             medical center     medical center  medical center  offices
Missing items                28%                6%              10%             11%
Incorrect user organization  80%                69%             70%             11%
Incorrect location           57%                23%             53%             44%
Recordkeeping errors         5%                 0%              5%              3%
Source: GAO analysis.
Note: Each of these estimates has a margin of error, based on a two-sided,
95 percent confidence interval, of plus or minus 10 percent or less.
We also found that the four VA locations had reported over 2,400 missing
IT equipment items, valued at about $6.4 million, identified during
physical inventories performed in fiscal years 2005 and 2006. Missing
items were often not reported for several months and, in some cases,
several years. It is very difficult to investigate these losses because
information on specific events and circumstances at the time of the losses
is not known. Further, our limited tests of computer hard drives in the
excess property disposal process found hard drives at two of the four case
study locations that contained personal information, including veterans'
names and Social Security numbers. Our tests did not find any remaining
data after sanitization procedures were performed.^24 However, weaknesses
in physical security at IT storage locations and delays in completing the
data sanitization process heighten the risk of data breach.
Although VA had taken some actions to improve controls over IT equipment
(such as issuing several new policies to establish guidance and controls
for IT security) and had reorganized and centralized the IT function
within the department under the CIO, we reported that these actions had
not yet been fully implemented. The new CIO organization had no formal
responsibility for medical equipment that stored or processed patient data
and did not address roles or necessary coordination between information
resource management and property management personnel with regard to
inventory control of IT equipment. The Assistant Secretary for Information
and Technology, who serves as the CIO, told us that the new CIO
organization structure will include a unit that will have responsibility
for IT equipment asset management once it becomes operational. However, at
the time of our report, this unit had not yet been funded or staffed. To
ensure accountability and safeguarding of sensitive IT equipment,
effective implementation will be key to the success of the department's IT
policy and organizational changes.
^24 Sanitization is the process of removing all information from computer
media. VA information resource management (IRM) personnel and contractors
follow National Institute of Standards and Technology (NIST) Special
Publication 800-88 guidelines, as well as more stringent Department of
Defense (DOD) policy in DOD 5220.22-M, National Industrial Security
Program Operating Manual, ch. 8, sec. 8-301, which requires performing three
separate erasures for media sanitization.
We made 12 recommendations for actions to be taken by the department to
help minimize the risk of loss, theft, and misappropriation of government
IT equipment used in VA operations. The recommendations included
establishing policies and procedures that require, among other things,
recording inventory transactions and establishing specific, individual
user-level accountability. VA management generally agreed with our
findings and concurred with all 12 recommendations, noting that it had
actions planned or under way to address them.
Challenges Persist for Efforts to Migrate from the Aging Benefits Delivery
Network
To administer various benefits programs, VBA relies on an aging system,
the Benefits Delivery Network (BDN). The BDN, which has been in operation
for more than 40 years, is based on antiquated software programs, which
have become increasingly difficult and costly to maintain. VBA is in the
process of replacing the BDN with a faster, more flexible, and higher
capacity system.
Replacing the BDN has been a focus of systems development efforts at VBA
since 1986.^25 VBA currently depends on the BDN to administer programs for
three types of benefits: (1) compensation and pension, (2) education, and
(3) vocational rehabilitation and employment (VRE) services.^26
Originally, the administration planned to modernize the entire system, but
after experiencing numerous false starts and spending approximately $300
million on the overall modernization of the BDN, VBA revised its strategy
in 1996. First, it narrowed its focus to replacing only those
functionalities that support the compensation and pension program, and
began developing a replacement system, which it generally refers to as the
Veterans Service Network (VETSNET).^27 Then, in December 1999, it began an
initiative, The Education Expert System (TEES), to move its education
claims processing systems from the BDN to new technology platforms and a
new architecture, as a way to improve its education benefits delivery
services. (We have not evaluated the VRE program or possible plans to
migrate VRE operations from the BDN.)
Progress Made in Long-Term Effort to Replace Benefits Payment System, but
Challenges Persist
When VBA began the VETSNET project in 1996, it planned to complete the
replacement system in May 1998 at an estimated cost of $8 million.
However, over the years, VBA encountered numerous problems in completing
the replacement system. We have reported on this topic several times,
making numerous recommendations.^28 Although VA concurred with our
recommendations and took several actions to address them, its actions were
not sufficient to implement all our recommendations or establish the
program on a solid footing: certain basic requirements of sound project
management, such as an integrated project plan for the replacement system,
continued to be lacking.
^25 The BDN currently runs on aging software: COBOL programs and a
nonrelational database. Analysts have indicated that moving from a
nonrelational database of the BDN type to a more modern relational
database is a challenging task.
^26 VBA also provides loan guaranty and life insurance benefits for
veterans and their families, but these programs do not depend on the BDN.
^27 It also refers to the initiative as the compensation and pension or
C&P replacement system.
In 2005, because of concerns about continuing problems with the
replacement project, VA contracted for an independent assessment of the
department's options for the project, including whether the project should
be terminated. This assessment, conducted by the Carnegie Mellon Software
Engineering Institute (SEI), concluded that the replacement project faced
many risks arising from management and organizational issues, but no
technical barriers that could not be overcome.^29 According to SEI, a new
system was still needed, and VBA would not be able to successfully deliver
a full, workable solution unless it addressed its management and
organizational weaknesses. SEI recommended that VBA continue to work on
the project at a reduced pace, while taking an aggressive approach to
addressing the identified weaknesses.
We reported in April 2007^30 that VBA was generally following the course
of action recommended by SEI: it was continuing to work on the replacement
initiative at a slower pace, while taking action to address identified
weaknesses in overall management and software development processes. For
example, VBA established a new governance structure, and it took steps to
improve its software development processes, such as establishing risk and
requirements management processes. However, some processes had not been
addressed, such as capacity planning and management, which will be
important for ensuring that further development does not lead to
processing slowdowns. Further, VBA had not yet documented policies and
procedures to institutionalize all the process improvements that it made
on the replacement initiative, having first concentrated its efforts on
establishing the governance and building the organization. If VBA does not
institutionalize these improvements, it increases the risk that they may
not be maintained through the life of the project or be available for
application to other development initiatives.
^28 GAO, Software Capability Evaluation: VA's Software Development Process
Is Immature, GAO/AIMD-96-90 (Washington, D.C.: June 19, 1996); Veterans
Benefits Modernization: VBA Has Begun to Address Software Development
Weaknesses But Work Remains, GAO/AIMD-97-154 (Washington, D.C.: Sept. 15,
1997); VA Information Technology: Progress Continues Although
Vulnerabilities Remain, GAO/T-AIMD-00-321 (Washington, D.C.: Sept. 21,
2000); VA Information Technology: Important Initiatives Begun, Yet Serious
Vulnerabilities Persist, GAO-01-550T (Washington, D.C.: Apr. 4, 2001); VA
Information Technology: Management Making Important Progress in Addressing
Key Challenges, GAO-02-1054T (Washington, D.C.: Sept. 26, 2002); and
Information Technology: VA and DOD Face Challenges in Completing Key
Efforts, GAO-06-905T (Washington, D.C.: June 22, 2006).
^29 Kathryn Ambrose, William Novak, Steve Palmquist, Ray Williams, and
Carol Woody, Report of the Independent Technical Assessment on the
Department of Veterans Affairs VETSNET Program (Carnegie Mellon Software
Engineering Institute, September 2005).
^30 GAO, Veterans Benefits Administration: Progress Made in Long-Term
Effort to Replace Benefits Payment System, but Challenges Persist,
GAO-07-614 (Washington, D.C.: Apr. 27, 2007).
As of April 2007, VBA had developed critical functionalities needed to
process and pay certain original compensation claims using the replacement
system. According to VBA officials, all five of the major software
applications that make up the new system were being used in VA's regional
offices to establish and process new compensation claims for veterans. In
April 2007, the replacement system was providing monthly compensation
payments to almost 50,000 veterans (out of about 3 million veterans who
receive such payments). Nonetheless, the system requires further
development, and VBA still faces the substantial task of converting
records for the approximately 3.5 million beneficiaries on the BDN to the
replacement system.
Under the realignment, the responsibility for all system development
projects has moved from VBA to the central CIO organization: specifically,
the Deputy Assistant Secretary for Enterprise Development. Thus, this
official is now responsible for completing the development and
implementation of VETSNET. Accordingly, we recommended that the CIO
document and incorporate the improved processes for managing risks,
requirements, and defects into specific policy and guidance for the
replacement initiative and for future use throughout VBA. VA concurred
with our recommendation and stated that the VETSNET project management
processes will be incorporated into a set of standard project management
policies, processes, and procedures for all IT projects in VA. Further,
the CIO has identified the VETSNET governance model as the model for all
VA enterprisewide IT projects, and it is being implemented in other VA
priority IT development programs.
In addition, we made five other recommendations aimed at sustaining the
improved management and software development processes currently being
used by VETSNET project management, including processes for capacity
planning and management. The Secretary also agreed with these
recommendations and described actions planned in response.
Improved Planning Needed to Guide Development and Implementation of Education
Benefits System
The Education Expert System (or TEES) effort aims to replace the existing
education benefits systems on the BDN with a new rules-based system that
will add more automated capabilities, eliminate most human intervention,
and enable faster and more accurate processing of education claims. When
it began the initiative, VBA had planned to complete the new system by
September 2005; however, in 2004, the department refocused and rebaselined
the system's development effort. VA currently estimates that the TEES
initiative will be completed by 2011.
When we reported on this matter in July 2007, VBA had enhanced education
benefits claims processing by developing certain functionalities to allow
information to be captured in an electronic format.^31 For example, it had
developed automated systems that allow (1) education institutions to
provide online enrollment certifications, (2) students to provide online
and telephonic verification of enrollment, and (3) the public to inquire
about approved academic programs, licensing and certification programs,
and national exams. However, although VBA had identified other initiatives
as necessary to complete the new system and eliminate most human
intervention, it had not taken action on these initiatives, which included
moving the processing and payment functionality used for many education
claims from the BDN to new technology.
^31 GAO, Veterans Affairs: Improved Planning Needed to Guide Development
and Implementation of Education Benefits System, GAO-07-1045 (Washington,
D.C.: July 31, 2007).
Contributing to our concerns was that VBA did not have an integrated
project plan for the TEES initiative. According to agency officials, the
plan that had been developed in 2001 has not been updated since 2004, when
program goals were modified. Because VBA did not have an integrated
project management plan, it lacked critical elements needed to effectively
guide the initiative to completion (such as a full description of the
scope of the system development efforts) and an overall approach for
coordinating its various education claims initiatives (such as the BDN
code conversion effort). Without these critical elements, the department
would be at risk of wasting millions of dollars on education claims
processing initiatives that may overlap or be duplicative.
One reason for this management weakness is the lack of well-defined IT
management processes across VA, which is to be addressed by the
realignment. Under the realignment, the responsibility for TEES, like
other system development projects, has moved from VBA to the Deputy
Assistant Secretary for Enterprise Development, who is part of the central
CIO organization. At the time of our report, the TEES project had not yet
been affected by VA's stated intention of incorporating the VETSNET
project management processes into a set of standard project management
policies, processes, and procedures for all IT projects in the department.
Establishing improved IT management processes is vital to ensuring
effective project management and thus the future development and
implementation of TEES.
To ensure the successful implementation of TEES, we made three
recommendations aimed at ensuring that a comprehensive, integrated project
plan to coordinate and manage the initiative would be developed. VA
concurred with our recommendations and described actions planned to
address them.
VA Is Making Progress in Sharing Medical Information with DOD, but the Two
Departments Are Far from Comprehensive Electronic Medical Records
For almost 10 years, VA and DOD have been engaged in multiple efforts to
share electronic medical information, which is important in helping to
ensure that active-duty military personnel and veterans receive
high-quality health care. These include efforts focused on the long-term
vision of a single "comprehensive, lifelong medical record for each
service member"^32 that would allow a seamless transition between the two
departments, as well as more near-term efforts to meet immediate needs to
exchange health information, including responding to current military
crises.
As we testified in May 2007, VA and DOD have made progress in sharing
health information, but much work remains to achieve the goal of a shared
electronic medical record and seamless transition between the two
departments.^33 In their long-term initiatives, each department is
developing its own modern health information system to replace its legacy
systems, and they are collaborating on a program to develop an interface
to enable these modernized systems to share data and ultimately to have
interoperable^34 electronic medical records. Unlike the legacy systems,
the modernized systems are to be based on computable data: that is, the
data are to be in a format that a computer application can act on, for
example, to provide alerts to clinicians (of such things as drug
allergies) or to plot graphs of changes in vital signs such as blood
pressure. According to the departments, such computable data contribute
significantly to patient safety and the usefulness of electronic medical
records.
^32 In 1996, the Presidential Advisory Committee on Gulf War Veterans'
Illnesses reported on many deficiencies in VA's and DOD's data
capabilities for handling service members' health information. In November
1997, the President called for the two agencies to start developing a
"comprehensive, lifelong medical record for each service member," and in
1998 issued a directive requiring VA and DOD to develop a "computer-based
patient record system that will accurately and efficiently exchange
information."
^33 GAO, Information Technology: VA and DOD Are Making Progress in Sharing
Medical Information, but Are Far from Comprehensive Electronic Medical
Records, GAO-07-852T (Washington, D.C.: May 8, 2007).
^34 Interoperability is the ability of two or more systems or components
to exchange information and to use the information that has been
exchanged.
At the time of our testimony, the departments had begun to implement the
first release of the interface between their modernized data repositories,
and computable outpatient pharmacy and drug allergy data were being
exchanged at seven VA and DOD sites. Although the data being exchanged
were limited, implementing this interface is a milestone toward the
long-term goal of modernized systems with interoperable electronic medical
records.
While working on this long-term effort, the two departments also made
progress in various near-term initiatives to exchange electronic medical
information in their existing systems. The departments completed
development of a system to allow the one-way transfer of health
information from DOD to VA when service members leave the military. DOD
has been using this system (the Federal Health Information Exchange or
FHIE) to transfer information to VA since 2002. According to department
officials, as of March 2007, over 184 million clinical messages on more
than 3.8 million veterans had been transferred to the FHIE data
repository, and VA had been given access to data for more than 681,000
separated service members and demobilized Reserve and National Guard
members who had been deployed. Transfers are done in batches once a month,
or weekly for veterans who have been referred to VA treatment facilities.
According to a joint DOD/VA report,^35 FHIE has made a significant
contribution to the delivery and continuity of care of separated service
members as they transition to veteran status, as well as to the
adjudication of disability claims.
In addition, two ongoing demonstration projects were successfully
exchanging particular types of data at selected sites:
o The Laboratory Data Sharing Interface allows DOD and VA
facilities serving the same geographic area to share laboratory
resources. As of May 2007, this capability had been deployed at 9
localities to communicate orders for lab tests and their results
electronically and could be deployed at others if the need is
demonstrated.
^35 December 2004 VA and DOD Joint Strategic Plan.
o The Bidirectional Health Information Exchange allows a
real-time, two-way view of health data from existing systems.^36
As of May 2007, this system provided this capability (for
outpatient data) to all VA sites and 25 DOD sites and (for certain
inpatient discharge summary data)^37 to all VA sites and 5 DOD
sites. Expanding this interface is the foundation of the
departments' interim strategy to share information among their
existing systems.
The two departments had also undertaken ad hoc activities to
accelerate the transmission of health information on severely
wounded patients from DOD to VA's four polytrauma centers. These
centers care for veterans and service members with disabling
injuries to more than one physical region or organ system. The ad
hoc processes include manual workarounds such as scanning paper
records and individually transmitting radiological images. Such
processes were generally feasible only because the number of
polytrauma patients was small (about 350 in all as of May 2007).
Through all these efforts, VA and DOD have achieved exchanges of
health information. However, these exchanges are as yet limited,
and it is not clear how they are to be integrated into an overall
strategy toward achieving the departments' long-term goal of
comprehensive, seamless exchange of health information.
Significant work remains to be done for the departments to achieve
their long-term goals, including agreeing to standards for the
remaining categories of medical information, populating the data
repositories with all this information, completing the development
of their modernized systems, and transitioning from the legacy
systems. In addition, the departments have not yet projected a
completion date for the project as a whole. Consequently, it is
essential for the departments to develop a comprehensive project
plan to guide this effort to completion. In previous work, we have
made numerous recommendations with regard to this effort, placing
particular stress on the need for comprehensive planning.^38 VA
and DOD have agreed with our recommendations, and have taken
action to implement them. However, at the time of our May
testimony, the two departments had not yet developed a
comprehensive integrated project plan.
^36 DOD's Composite Health Care System (CHCS) and VA's VistA (Veterans
Health Information Systems and Technology Architecture).
^37 Specifically, inpatient discharge summary data stored in VA's VistA
and DOD's Clinical Information System (CIS), a commercial health
information system customized for DOD.
The need for such a comprehensive plan is further highlighted by
the strategy announced by the two departments in January 2007:
that is, to jointly develop a new inpatient medical record system.
The departments have indicated that by adopting a joint solution,
they could realize significant cost savings and make inpatient
health care data immediately accessible to both departments.
Incorporating this new strategy into the departments' ongoing
efforts would be greatly facilitated by a comprehensive project
plan.
In summary, effectively instituting the realignment is essential
to ensuring that VA's IT programs achieve their objectives and that
the department has a solid and sustainable approach to managing its IT
investments. The department continues to work on improving such
programs as information security and asset control, and it
currently has many significant initiatives under way, for which
substantial investments have been made. Yet we continue to see
management weaknesses in these programs and initiatives (many of a
long-standing nature), which are the very weaknesses that VA aims
to alleviate with its reorganized management structure. However,
until the department provides the foundation for its new IT
management structure by carrying out its plans to establish a
comprehensive set of improved management processes, the impact of
this vital undertaking will be diminished. Implementation of the
recommendations that we have made in this area could play a
significant role in resolving many of these concerns.
^38 GAO, Computer-Based Patient Records: VA and DOD Made Progress, but
Much Work Remains to Fully Share Medical Information, GAO-05-1051T
(Washington, D.C.: Sept. 28, 2005) and Information Technology: VA and DOD
Face Challenges in Completing Key Efforts, GAO-06-905T (Washington, D.C.:
June 22, 2006).
Mr. Chairman, this concludes my statement. I would be pleased to
respond to any questions that you or other members of the
committee may have at this time.
Contacts and Acknowledgements
For information about this testimony, please contact Valerie C. Melvin at
(202) 512-6304 or [email protected]. Key contributions to this
testimony were made by Barbara Oliver, Assistant Director; Barbara
Collier; B. Scott Pettis; J. Michael Resser; Eric Trout; and Charles
Youman.
Attachment 1. Key Information Technology Management Processes to Be Addressed in
VA Realignment
                     IT management
Key area             process              Description
------------------------------------------------------------------------------
Enterprise           Information          Addressing long- and short-term
management           technology (IT)      objectives, business direction, and
                     strategy             their impact on IT, the IT culture,
                                          communications, information,
                                          people, processes, technology,
                                          development, and partnerships.
                     IT management        Defining a structure of
                                          relationships and processes to
                                          direct and control the IT endeavor.
                     Risk management      Identifying potential events that
                                          may affect the organization and
                                          managing risk to be within
                                          acceptable levels so that
                                          reasonable assurance is provided
                                          regarding the achievement of
                                          organization objectives.
                     Architecture         Creating, maintaining, promoting,
                     management           and governing the use of IT
                                          architecture models and standards
                                          across and within the change
                                          programs of an organization.
                     Portfolio            Assessing all applications,
                     management           services, and IT projects that
                                          consume resources in order to
                                          understand their value to the IT
                                          organization.
                     Security             Managing the department's
                     management           information security program, as
                                          mandated by the Federal Information
                                          Security Management Act (FISMA) of
                                          2002.
                     IT research and      Generating ideas, evaluating and
                     innovation           selecting ideas, developing and
                                          implementing innovations, and
                                          continuously recognizing innovators
                                          and learning from the experience.
                     Project management   Planning, organizing, monitoring,
                                          and controlling all aspects of a
                                          project in a continuous process so
                                          that it achieves its objectives.
Business management  Stakeholder          Managing and prioritizing all
                     requirements         requests for additional and new
                     management           technology solutions arising from a
                                          customer's needs.
                     Customer             Determining whether and how well
                     satisfaction         customers are satisfied with the
                     management           services, solutions, and offerings
                                          from the providers of IT.
                     Financial            Providing sound stewardship of the
                     management           monetary resources of the
                                          organization.
                     Service pricing      Establishing a pricing mechanism
                     and contract         for the IT organization to sell its
                     administration       services to internal or external
                                          customers and to administer the
                                          contracts associated with the
                                          selling of those services.
                     Service marketing    Enabling the IT organization to
                     and sales            understand the marketplace it
                                          serves, to identify customers, to
                                          "market" to these customers, to
                                          generate "marketing" plans for IT
                                          services and support the "selling"
                                          of IT services to internal
                                          customers.
                     Compliance           Ensuring adherence with laws and
                     management           regulations, internal policies and
                                          procedures, and stakeholder
                                          commitments.
                     Asset management     Maintaining information regarding
                                          technology assets, including leased
                                          and purchased assets, licenses, and
                                          inventory.
                     Workforce            Enabling an organization to provide
                     management           the optimal mix of staffing
                                          (resources and skills) needed to
                                          provide the agreed-on IT services
                                          at the agreed-on service levels.
                     Service-level        Managing service-level agreements
                     management           and performing the ongoing review
                                          of service achievements to ensure
                                          that the required and
                                          cost-justifiable service quality is
                                          maintained and gradually improved.
                     IT service           Ensuring that agreed-on IT services
                     continuity           continue to support business
                     management           requirements in the event of a
                                          disruption to the business.
                     Supplier             Developing and exercising working
                     relationship         relationships between the IT
                     management           organization and suppliers in order
                                          to make available the external
                                          services and products that are
                                          required to support IT service
                                          commitments to customers.
                     Knowledge            Promoting an integrated approach to
                     management           identifying, capturing, evaluating,
                                          categorizing, retrieving, and
                                          sharing all of an organization's
                                          information assets.
Business             Solution             Translating provided customer
application          requirements         (business) requirements and IT
management                                stakeholder-generated
                                          requirements/constraints into
                                          solution-specific terms, within the
                                          context of a defined solution
                                          project or program.
                     Solution analysis    Creating a documented design from
                     and design           agreed-on solution requirements
                                          that describes the behavior of
                                          solution elements, the acceptance
                                          criteria, and agreed-to
                                          measurements.
                     Solution build       Bringing together all the elements
                                          specified by a solution design via
                                          customization, configuration, and
                                          integration of created or acquired
                                          solution components.
                     Solution test and    Validating that the solution
                     acceptance           components and integrated solutions
                                          conform to design specifications
                                          and requirements before deployment.
Infrastructure       Service execution    Addressing the delivery of
                                          operational services to IT
                                          customers by matching resources to
                                          commitments and employing the IT
                                          infrastructure to conduct IT
                                          operations.
                     Data and storage     Ensuring that all data required for
                     management           providing and supporting
                                          operational service are available
                                          for use and that all data storage
                                          facilities can handle normal,
                                          expected fluctuations in data
                                          volumes and other parameters within
                                          their designed tolerances.
                     Event management     Identifying and prioritizing
                                          infrastructure, service, business,
                                          and security events, and
                                          establishing the appropriate
                                          response to those events.
                     Availability         Planning, measuring, monitoring,
                     management           and continuously striving to
                                          improve the availability of the IT
                                          infrastructure and supporting
                                          organization to ensure that
                                          agreed-on requirements are
                                          consistently met.
                     Capacity             Matching the capacity of the IT
                     management           services and infrastructure to the
                                          current and future identified needs
                                          of the business.
                     Facility             Creating and maintaining a physical
                     management           environment that houses IT
                                          resources and optimizes the
                                          capabilities and costs of that
                                          environment.
Service support      Change management    Managing the life cycle of a change
                                          request and activities that measure
                                          the effectiveness of the process as
                                          well as providing for its continued
                                          enhancement.
                     Release management   Controlling the introduction of
                                          releases (that is, changes to
                                          hardware and software) into the IT
                                          production environment through a
                                          strategy that minimizes the risk
                                          associated with the changes.
                     Configuration        Identifying, controlling,
                     management           maintaining, and verifying the
                                          versions of configuration items and
                                          their relationships in a logical
                                          model of the infrastructure and
                                          services.
                     User contact         Managing each user interaction with
                     management           the provider of IT service
                                          throughout its life cycle.
                     Incident             Restoring a service affected by any
                     management           event that is not part of the
                                          standard operation of a service
                                          that causes or could cause an
                                          interruption to or a reduction in
                                          the quality of that service.
                     Problem management   Resolving problems affecting the IT
                                          service, both reactively and
                                          proactively.
Source: GAO analysis of VA documentation.
(310911)
Highlights of GAO-07-1246T, a testimony before the Senate Committee
on Veterans' Affairs
September 19, 2007
VETERANS AFFAIRS
Progress Made in Centralizing Information Technology Management, but
Challenges Persist
What GAO Recommends
In the reports covered by this testimony, GAO made recommendations aimed
at improving VA's management of its IT programs and initiatives.
VA has made progress in moving to a centralized management structure for
IT; however, at the time of GAO's review in May 2007, the department had
still to address certain critical success factors for transformation, and
it had not yet institutionalized key IT management processes. VA's plans
for realigning the management of its IT program include elements of
several of the six factors that GAO identified as critical for the
department's implementation of a centralized management structure, and it
had fully addressed one factor--ensuring commitment from top
leadership--having obtained the Secretary's approval of the realignment
and the new IT governance structure. However, as of May 2007, the
department did not plan to address one of the critical success factors:
dedicating an implementation team to manage change. Having such a team is
important, since the implementation of the realignment is expected to
continue until July 2008. Without a dedicated team, it is less likely that
the implementation will be managed effectively. In addition, although the
department had begun to take action to establish improved management
processes--a cornerstone of the realignment--it had not made significant
progress. As of May 2007, it had begun pilot testing 2 of 36 planned new
processes. Until it institutionalizes key processes throughout the
department, the full benefits of the realignment may not be realized.
At the same time that it is implementing the realignment, VA is managing
ongoing IT programs such as information security and inventory control,
and it is continuing initiatives to develop IT systems. The department is
managing these programs and initiatives using existing management
processes, many of which display the long-standing weaknesses that VA aims
to alleviate through its realignment. Some progress has been made: for
example, the department took actions to improve controls over IT
equipment, such as issuing several new policies to establish guidance and
controls for information security, but because the realignment was not yet
fully implemented, improved processes for inventory control had not been
established. In addition, progress on the development of a modernized
compensation and benefits system occurred after the project implemented
improved management processes, which the department now plans to apply to
all its IT projects. VA also achieved a milestone in the long-term effort
to share electronic health information with DOD, having begun to exchange
limited medical data with DOD (at selected sites) through an interface
between the data repositories for the modern health information systems
that each department is developing. To achieve their long-term vision, VA
and DOD have much work still to do (such as extending the current
capability throughout both departments), and the two departments have not
yet projected a final completion date for the whole initiative. Further
progress in VA's IT programs and initiatives could be significantly aided
by the improved processes that are the cornerstone of the realignment.
Until these are fully implemented, the impact of the realignment on these
programs and initiatives is uncertain.
United States Government Accountability Office
GAO
Testimony
Before the Senate Committee on Veterans' Affairs
For Release on Delivery
Expected at 9:30 a.m. EDT Wednesday, September 19, 2007
VETERANS AFFAIRS
Progress Made in Centralizing Information Technology Management, but
Challenges Persist
Statement of Valerie C. Melvin, Director
Human Capital and Management Information Systems Issues
GAO-07-1246T
This is a work of the U.S. government and is not subject to copyright
protection in the United States. The published product may be reproduced
and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other
material, permission from the copyright holder may be necessary if you
wish to reproduce this material separately.
*** End of document. ***