Veterans Affairs: Sustained Management Commitment and Oversight
Are Essential to Completing Information Technology Realignment
and Strengthening Information Security (26-SEP-07, GAO-07-1264T).
The Department of Veterans Affairs (VA) has encountered numerous
challenges in managing its information technology (IT) and
securing its information systems. In October 2005, the department
initiated a realignment of its IT program to provide greater
authority and accountability over its resources. The May 2006
security incident highlighted the need for additional actions to
secure personal information maintained in the department's
systems. In this testimony, GAO discusses its recent reporting on
VA's realignment effort as well as actions to improve security
over its information systems. To prepare this testimony, GAO
reviewed its past work on the realignment and on information
security, and it updated and supplemented its analysis with
interviews of VA officials.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-1264T
ACCNO: A76747
TITLE: Veterans Affairs: Sustained Management Commitment and
Oversight Are Essential to Completing Information Technology
Realignment and Strengthening Information Security
DATE: 09/26/2007
United States Government Accountability Office
GAO
Testimony
Before the House Committee on Veterans' Affairs
For Release on Delivery
Expected at 10:00 a.m. EDT Wednesday, September 26, 2007
VETERANS AFFAIRS
Sustained Management Commitment and Oversight Are Essential to Completing
Information Technology Realignment and Strengthening Information Security
Statement of Valerie C. Melvin
Director, Human Capital and Management Information Systems Issues
Gregory C. Wilshusen
Director, Information Security Issues
GAO-07-1264T
For more information, contact Valerie Melvin at (202) 512-6304.
Highlights of GAO-07-1264T, a testimony before the House Committee on
Veterans' Affairs
September 26, 2007
VETERANS AFFAIRS
Sustained Management Commitment and Oversight Are Essential to Completing
Information Technology Realignment and Strengthening Information Security
What GAO Recommends
In recent reports, GAO made recommendations aimed at improving VA's
management of its realignment efforts and information security program.
VA has fully addressed two of six critical success factors GAO identified
as essential to a successful transformation, but it has yet to fully
address the other four, and it has not kept to its scheduled timelines for
implementing new management processes that are the foundation of the
realignment. That is, the department has ensured commitment from top
leadership and established a governance structure to manage resources,
both of which are critical success factors. However, the department
continues to operate without a single, dedicated implementation team to
manage the realignment; such a dedicated team is important to oversee the
further implementation of the realignment, which is not expected to be
complete until July 2008. Other challenges to the success of the
realignment include delays in staffing and in implementing improved IT
management processes that are to address long-standing weaknesses. The
department has not kept pace with its schedule for implementing these
processes, having missed its original scheduled time frames. Unless VA
dedicates a team to oversee the further implementation of the realignment,
including defining and establishing the processes that will enable the
department to address its IT management weaknesses, it risks delaying or
missing the potential benefits of the realignment.
VA has begun or continued several major initiatives to strengthen
information security practices and secure personally identifiable
information within the department, but more remains to be done. These
initiatives include continuing the department's efforts to reorganize its
management structure; developing a remedial action plan; establishing an
information protection program; improving its incident management
capability; and establishing an office responsible for oversight and
compliance of IT within the department. However, although these
initiatives have led to progress, their implementation has shortcomings.
For example, although the management structure for information security
has changed under the realignment, improved security management processes
have not yet been completely developed and implemented, and responsibility
for the department's information security functions is divided between two
organizations, with no documented process for the two offices to
coordinate with each other. In addition, VA has made limited progress in
implementing prior security recommendations made by GAO and the
department's Inspector General, having yet to implement 22 of 26
recommendations. Until the department addresses shortcomings in its major
security initiatives and implements prior recommendations, it will have
limited assurance that it can protect its systems and information from the
unauthorized disclosure, misuse, or loss of personally identifiable
information.
Mr. Chairman and Members of the Committee:
Thank you for inviting us to participate in today's hearing on the
Department of Veterans Affairs (VA) realignment of its information
technology management structure and actions toward strengthening its
information security program. In carrying out its mission of serving our
nation's veterans, the department relies heavily on information technology
(IT), for which it expends about $1 billion annually. As you know,
however, VA has encountered persistent challenges in IT management, having
experienced cost, schedule, and performance problems in its information
system initiatives, as well as losses of sensitive information contained
in its systems. We have reported that a contributing factor to VA's
challenges in managing projects and improving security was the
department's management structure, which until recently was decentralized,
giving the administrations^1 and headquarters offices^2 control over a
majority of the department's IT budget.
In October 2005, VA initiated a realignment of its IT program to provide
greater authority and accountability over its resources. In undertaking
this realignment (due for completion in July 2008), the department's goals
are to centralize IT management under the department-level Chief
Information Officer (CIO) and standardize operations and the development
of systems across the department through the use of new management
processes based on industry best practices. This past June we reported on
the department's realignment initiative, noting progress as well as the
need for additional actions to be completed.^3 Just last week, we also
released a report on VA information security, which included an assessment
of the realignment with regard to the department's information security
practices.^4
^1The VA comprises three administrations: the Veterans Benefits
Administration, the Veterans Health Administration, and the National
Cemetery Administration.
^2The headquarters offices include the Office of the Secretary, six
Assistant Secretaries, and three VA-level staff offices.
^3GAO, Veterans Affairs: Continued Focus on Critical Success Factors Is
Essential to Achieving Information Technology Realignment, GAO-07-844
(Washington, D.C.: June 15, 2007).
At your request, my testimony today will summarize the department's
actions to realign IT management and our findings regarding the
department's information security program. In developing this testimony,
we reviewed our previous work on the department's realignment and efforts
to strengthen information security. We also obtained and analyzed
pertinent documentation and supplemented our analysis with interviews of
responsible VA officials to determine the current status of the
department's realignment efforts. All work on which this testimony is
based was conducted in accordance with generally accepted government
auditing standards.
Results in Brief
VA has fully addressed two of six critical success factors we have
identified as essential to a successful transformation, but it has not
kept to its timelines for implementing new management processes that are
the foundation of the realignment. Consequently, the department is in
danger of not being able to meet its 2008 targeted completion date. The
department has ensured commitment from top leadership and established a
governance structure to manage resources, both of which are critical
success factors. However, the department continues to operate without a
single, dedicated implementation team to manage the realignment; such a
dedicated team is important to oversee the further implementation of the
realignment. Other challenges to the success of the realignment include
delays in staffing and in implementing the IT management processes that
are the foundation of the realignment. The department has not kept pace
with its schedule for implementing these processes, having missed its
original scheduled time frames. Unless VA dedicates a team to oversee the
further implementation of the realignment, including defining and
establishing the processes that will enable the department to address its
IT management weaknesses, it risks delaying or missing the potential
benefits of the realignment.
^4GAO, Information Security: Sustained Management Commitment and Oversight
Are Vital to Resolving Long-standing Weaknesses at the Department of
Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7, 2007).
VA has made progress in strengthening information security, but much work
remains to resolve long-standing security weaknesses. The department has
begun or has continued several major initiatives to strengthen information
security practices and secure personally identifiable information^5 within
the department. These initiatives include continuing the department's
efforts, as described above, to realign its management structure;
developing a remedial action plan; establishing an information protection
program; improving its incident management capability; and establishing an
office responsible for oversight and compliance of IT within the
department. However, although these initiatives have led to progress,
their implementation has shortcomings. For example, a new security
management structure has been implemented, but improved security
management processes have not yet been completely developed and
implemented; in addition, the new security management structure divides
the responsibility for the department's information security functions
between two organizations, with no documented process for the two offices
to coordinate with each other. Further, the department has made limited
progress in addressing prior GAO and Inspector General recommendations to
improve security: although VA has taken steps to address these, it has not
yet completed the implementation of 22 out of 26 prior recommendations.
In the reports covered by this testimony, we have made numerous
recommendations aimed at improving the department's management of its
realignment and information security program. VA has agreed with these
recommendations and has begun taking or plans to take action to implement
them. If this implementation is properly executed, it could help the
department to realize the expected benefits of the realignment, as well as
to better secure its information and systems.
^5Personally identifiable information, which can be used to locate or
identify an individual, includes things such as names, aliases, and Social
Security numbers.
Background
VA's mission is to promote the health, welfare, and dignity of all
veterans in recognition of their service to the nation by ensuring that
they receive medical care, benefits, social support, and lasting
memorials. Over time, the use of IT has become increasingly crucial to the
department's effort to provide benefits and services. VA relies on its
systems for medical information and records for veterans, as well as for
processing benefit claims, including compensation and pension and
education benefits.
In reporting on VA's IT management over the past several years, we have
highlighted challenges the department has faced in enabling its employees
to help veterans obtain services and information more quickly and
effectively while also safeguarding personally identifiable information. A
major challenge was that the department's information systems and services
were highly decentralized, giving the administrations a majority of the IT
budget.^6 In addition, VA's policies and procedures for securing sensitive
information needed to be improved and implemented consistently across the
department.
As we have previously pointed out,^7 it is crucial for the department CIO
to ensure that well-established and integrated processes for leading,
managing, and controlling investments in information systems and programs
are followed throughout the department. Similarly, a contractor's
assessment of VA's IT organizational alignment, issued in February 2005,
noted the lack of control over how and when money is spent.^8 The
assessment noted that the focus of department-level management was only on
reporting expenditures to the Office of Management and Budget and
Congress, rather than on managing these expenditures within the
department.
^6For example, according to an October 2005 memorandum from the former CIO
to the Secretary of Veterans Affairs, the CIO had direct control over only
3 percent of the department's IT budget and 6 percent of the department's
IT personnel. In addition, in the department's fiscal year 2006 IT budget
request, the Veterans Health Administration was identified to receive 88
percent of the requested funding, while the department was identified to
receive only 4 percent.
^7GAO-07-844.
Centralized IT Organization
In response to the challenges that we and others have noted, the
department officially began its effort to provide the CIO with greater
authority over IT in October 2005. At that time, the Secretary issued an
executive decision memorandum granting approval for the development of a
new management structure for the department. According to VA, its goals in
moving to centralized management are to enable the department to perform
better oversight of the standardization, compatibility, and
interoperability of systems, as well as to have better overall fiscal
discipline for the budget.
In February 2007, the Secretary approved the department's new
organizational structure, which includes the Assistant Secretary for
Information and Technology, who serves as VA's CIO. As shown in figure 1,
the CIO is supported by a principal deputy assistant secretary and five
deputy assistant secretaries--new senior leadership positions created to
assist the CIO in overseeing functions such as cyber security, IT
portfolio management, systems development, and IT operations.
^8Gartner Consulting, OneVA IT Organizational Alignment Assessment Project
"As-Is" Baseline (McLean, Virginia; Feb. 18, 2005).
Figure 1: Office of Information and Technology Organizational Chart
Note: DAS = Deputy Assistant Secretary
In addition, the Secretary approved an IT governance plan in April 2007
that is intended to enable the Office of Information and Technology to
centralize its decision making. The plan describes the relationship
between IT governance and departmental governance and the approach the
department intends to take to enhance IT governance. The department also
made permanent the transfer of its entire IT workforce under the CIO,
consisting of approximately 6,000 personnel from the administrations.
Figure 2 shows a timeline of the realignment effort.
Figure 2: Timeline of Key Events for VA IT Realignment
Multiple Factors Increasing Risk to Success of Realignment
Although VA has fully addressed two of six critical success factors that
we identified as crucial to a major organizational transformation such as
the realignment, it has not fully addressed the other four factors, and it
has not kept to its scheduled timelines for implementing new management
processes that are the foundation of the realignment. Consequently, the
department is in danger of not being able to meet its target of completing
the realignment in July 2008. In addition, although it has prioritized its
implementation of the new management processes, none has yet been
implemented. In our recent report,^9 we made six recommendations to ensure
that VA's realignment is successfully accomplished; the department
generally concurred with our recommendations and stated that it had
actions planned to address them.
^9GAO-07-844.
VA Has Not Fully Addressed All Critical Success Factors
We have identified critical factors that organizations need to address in
order to successfully transform an organization to be more results
oriented, customer focused, and collaborative in nature.^10 Large-scale
change management initiatives are not simple endeavors and require the
concentrated efforts of both leadership and employees to realize intended
synergies and to accomplish new organizational goals. There are a number
of key practices that can serve as the basis for federal agencies to
transform their cultures in response to governance challenges, such as
those that an organization like VA might face when transforming to a
centralized IT management structure.
The department has fully addressed two of six critical success factors
that we identified (see table 1).
Table 1: Current Status of VA's Actions to Address Critical Success
Factors (critical success factor: status as of September 2007)
o Ensuring commitment from top leadership: Fully addressed. Secretary
Nicholson approved the new organization structure and the transfer of
employees.
o Establishing a governance structure to manage resources: Fully
addressed. Secretary Nicholson approved the IT governance plan, and VA
established three new IT governance boards that began meeting earlier
this year.
o Linking IT strategic plan to organization strategic plan: Partially
addressed. The department has developed a draft IT strategic plan and
expects to finalize it in October 2007.
o Using workforce strategic management to identify proper roles for all
employees: Partially addressed. VA has identified job requirements and
has begun to develop career paths for IT staff, but has not yet
established a knowledge and skills inventory.
o Communicating change to all stakeholders: Partially addressed. VA
increased communication on the realignment, but has not staffed a key
communication office.
o Dedicating an implementation team to manage change: Not addressed. The
department does not have an implementation team to manage the
realignment.
Source: GAO.
^10GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers
and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2,
2003); and Highlights of a GAO Forum: Mergers and Transformation: Lessons
Learned for a Department of Homeland Security and Other Federal Agencies,
GAO-03-293SP (Washington, D.C.: Nov. 14, 2002).
Ensuring commitment from top leadership. The department has fully
addressed this success factor. As described earlier, the Secretary of VA
has fully supported the realignment. He approved the department's new
organizational structure and provided resources for the realignment
effort.
However, the Secretary recently submitted his resignation, indicating that
he intended to depart by October 1, 2007. While it is unclear what effect
the Secretary's departure will have on the realignment, the impending
departure underscores the need for consistent support from top leadership
through the implementation of the realignment, to ensure that its success
is not at risk in the future.
Establishing a governance structure to manage resources. The department
has fully addressed this success factor. The department has established
three governance boards, which have begun operation. The VA IT Governance
Plan, approved April 2007, states that the establishment and operation of
these boards will assist in providing the department with more
cost-effective use of IT resources and assets.
The department also has plans to further enhance the governance structure
in response to operational experience. The department found that the
boards' responsibilities need to be more clearly defined in the IT
Governance Plan to avoid overlap. That is, one board (the Business Needs
and Investment Board) was involved in the budget formulation for fiscal
year 2009, but budget formulation is also the responsibility of the Deputy
Assistant Secretary for IT Resource Management, who is not a member of
this board. According to the Principal Deputy Assistant Secretary for
Information and Technology, the department is planning to update its IT
Governance Plan within a year to include more specificity on the role of
the governance boards in VA's budget formulation process. Such an update
could further improve the structure's effectiveness.
Linking IT strategic plan to organization strategic plan. The department
has partially addressed this success factor. VA has drafted an IT
Strategic Plan that provides a course of action for the Office of
Information and Technology over 5 years and addresses how IT will
contribute to the department's strategic plan. According to the Deputy
Director of the Quality and Performance Office, the draft IT strategic
plan should be formally approved in October 2007. Finalizing the plan is
essential to helping ensure that leadership understands the link between
VA's organizational direction and how IT is aligned to meet its goals.
Using workforce strategic management to identify proper roles for all
employees. The department has partially addressed this success factor. The
department has begun to identify job requirements, design career paths,
and determine recommended training for the staff that were transferred as
part of the realignment. According to a VA official, the department
identified 21 specialized job activities, such as applications software
and end user support, and has defined competency and proficiency
targets^11 for 6 of these activities. Also, by November 2007, VA expects
to have identified the career paths for approximately 5,000 of the 6,000
staff that have been centralized under the CIO. Along with the development
of the competency and proficiency targets, the department has identified
recommended training based on grade level. However, the department has not
yet established a knowledge and skills inventory to determine what skills
are available in order to match roles with qualifications for all
employees within the new organization. It is crucial that the department
take the remaining steps to fully address this critical success factor, so
that the staff transferred to the Office of Information and Technology are
placed in positions that best suit their knowledge and skills, and the
organization has the personnel resources capable of developing and
delivering the services required.
Communicating change to all stakeholders. The department has partially
addressed this success factor. The department began publishing a bimonthly
newsletter in June to better communicate with all staff about Office of
Information and Technology activities, including the realignment. However,
the department has not yet fully staffed the Business Relationship
Management Office or identified its leadership. This office is to serve as
the single point of contact between the Office of Information and
Technology and the administrations; in this role, it provides the means
for the Office of Information and Technology to understand customer
requirements, promote services to customers, and monitor the quality of
the delivered services. A fully staffed and properly led Business
Relationship Management Office is important to ensure effective
communication between the Office of Information and Technology and the
administrations.
^11Competency refers to required capabilities for performing specialized
job activities, such as business process reengineering or database
administration. Proficiency targets indicate the level at which the
individual can perform these activities.
Communicating the changed roles and responsibilities of the central IT
organization versus the administrations is one of the important functions
of the Business Relationship Management Office. These changes are crucial
to software development, among other things. Before the centralization of
the management structure, each of the administrations was responsible for
its own software development. For example, the department's health
information system--the Veterans Health Information System and Technology
Architecture (VistA)--was developed in a decentralized environment. The
developers and the doctors, closely collaborating at local facilities,
developed and adapted this system for their own specific clinic needs. The
result of their efforts is an electronic medical record that has been
fully embraced by the physicians and nurses. However, the decentralized
approach has also resulted in each site running a stand-alone version of
VistA^12 that is costly to maintain; in addition, data at the sites are
not standardized, which impedes the ability to exchange computable
information.^13
Under the new organization structure, approval of development changes for
VistA will be centralized at the Veterans Health Administration
headquarters and then approved for development and implementation by the
Office of Information and Technology. The communications role of the
Business Relationship Management Office is thus an important part of the
processes needed to ensure that users' requirements will be addressed in
system development.
^12VA has achieved an integrated medical information system through the
use of the Computerized Patient Record System in VistA, where authorized
users are able to access patient health care data from any VA medical
facility.
^13Computable data are in a format that a computer application can act on,
for example, to provide alerts to clinicians (of such things as drug
allergies) or to plot graphs of changes in vital signs such as blood
pressure. VA has standardized its pharmacy and allergy data in its health
data repository.
Dedicating an implementation team to manage change. The department has not
addressed this success factor. A dedicated implementation team that is
responsible for the day-to-day management of a major change initiative is
critical to ensure that the project receives the focused, full-time
attention needed to be sustained and successful.^14 VA has not identified
such an implementation team to manage the realignment. Rather, the
department is currently managing the realignment through two
organizations: the Process Improvement Office under the Quality and
Performance Office (which will lead process improvements) and the
Organizational Management Office (which will advise and assist the CIO
during the final transformation to a centralized structure). However, the
Executive Director of the Organizational Management Office^15 has recently
resigned his position, leaving one of the two responsible offices without
leadership.
In our view, having a dedicated implementation team to manage major change
initiatives is crucial to successful implementation of the realignment. An
implementation team can assist in tracking implementation goals and
identifying performance shortfalls or schedule slippages. The team could
also provide continuity and consistency in the face of any uncertainty
that could potentially result from the Secretary's resignation.
Accordingly, in our recent report we recommended that the department
dedicate an implementation team to be responsible for change management
throughout the transformation and that it establish a schedule for the
implementation of the management processes.
^14GAO-07-844.
^15This official was previously the Director of the IT Realignment Office.
Department Is behind Schedule in Implementing IT Management Processes
As the foundation for its realignment, VA plans to implement 36 management
processes in five key areas: enterprise management, business management,
business application management, infrastructure, and service support.
These processes, which address all aspects of IT management, were
recommended by the department's realignment contractor and are based on
industry best practices.^16 According to the contractor, they are a key
component of the realignment effort as the Office of Information and
Technology moves to a process-based organization. Additionally, the
contractor noted that with a system of defined processes, the Office of
Information and Technology could quickly and accurately change the way IT
supports the department.
The department had planned to begin implementing the 36 management
processes in March 2007; however, as of early May 2007, it had only begun
pilot testing two of these processes.^17 The Deputy Director of the
Quality and Performance Office reported that the initial implementation of
the first two processes will begin in the second quarter of 2008.
The Principal Deputy Assistant Secretary for Information and Technology
acknowledged that the department is behind schedule for implementing the
processes, but it has prioritized the processes and plans to implement
them in three groups, in order of priority (see attachment 1 for a
description of the processes and their implementation priority). According
to the Deputy Director of the Quality and Performance Office, the approach
and schedule for process implementation is currently under review. Work on
the 10 processes associated with the first group is under way, and
implementation plans and time frames are being revised. This official told
us that initial planning meetings have occurred and primary points of
contact have been designated for the financial management and portfolio
management processes, which are to be implemented as part of the first
group. The department also noted that it will work to meet its target date
of July 2008 for the realignment, but that all of the processes may not be
fully implemented at that time.
^16Specifically, these processes are derived from the IT Governance
Institute's Control Objectives for Information and related Technology
(CobiT(R)) and the Information Technology Infrastructure Library (ITIL), as
configured by the Process Reference Model for IT (PRM-IT) from a VA
contractor.
^17These are the risk management and solution test and acceptance
processes.
According to the Principal Deputy Assistant Secretary for Information and
Technology, the department has fallen behind schedule with process
implementation for two reasons:
o The department underestimated the amount of work required to
redefine the 36 process areas. Process charters for each of the
processes were developed by a VA contractor and provide an outline
for operation under the new management structure. Based on its
initial review, the department found that the processes are
complicated and multilayered, involving multiple organizations. In
addition, the contractor provided process charters and
descriptions based on a commercial, for-profit business model, and
so the department must readjust them to reflect how VA conducts
business.
o With the exception of IT operations, the Veterans Health
Administration operates in a decentralized manner. For example,
the budget and spending for the medical centers are under the
control of the medical center directors. In addition, the Office
of Information and Technology only has ownership over about 30
percent of all activities within the financial management process.
For example, some elements within this process area (such as
tracking and reporting on expenditures) are the responsibility of
the department's Office of Management;^18 this office is
accountable for VA's entire budget, including IT dollars. Thus,
the Office of Information and Technology has no authority to
direct the Office of Management to take particular actions to
improve specific financial management activities.
^18The Assistant Secretary for Management, who leads the Office of
Management, is the department's Chief Financial Officer.
The department faces the additional obstacle that it has not yet
staffed crucial leadership positions that are vital to the
implementation of the management processes. As part of the new
organizational structure, the department identified 25 offices
whose leaders will report to the five deputy assistant secretaries
and are responsible for carrying out the new management processes
in daily operations. However, as of early September, 7 of the
leadership positions for these 25 offices were vacant, and 4 were
filled in an acting capacity. According to the Principal Deputy
Assistant Secretary for Information and Technology, hiring
personnel for senior leadership positions has been more difficult
than anticipated. With these leadership positions remaining
vacant, the department will face increased difficulties in
supporting and sustaining the realignment through to its
completion.
Until the improved processes have been implemented, IT programs
and initiatives will continue to be managed under previously
established processes that have resulted in persistent management
challenges. Without the standardization that would result from the
implementation of the processes, the department risks cost
overruns and schedule slippages for current initiatives, such as
VistA modernization, for which about $682 million has been
expended through fiscal year 2006.
VA Has Much Work Remaining to Resolve Long-Standing Security Weaknesses
Recognizing the importance of securing federal systems and data, Congress
passed the Federal Information Security Management Act (FISMA)^19 in
December 2002, which sets forth a comprehensive framework for ensuring the
effectiveness of information security controls over information resources
that support federal operations and assets. Using a risk-based approach to
information security management, the act requires each agency to develop,
document, and implement an agencywide information security program for the
data and systems that support the operations and assets of the agency.
According to FISMA, the head of each agency has responsibility for
delegating to the agency CIO the authority to ensure compliance with the
security requirements in the act. To carry out the CIO's responsibilities
in the area, a senior agency official is to be designated chief
information security officer (CISO).
^19FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec.
17, 2002).
The May 2006 theft from the home of a VA employee of a computer and
external hard drive (which contained personally identifiable information
on approximately 26.5 million veterans and U.S. military personnel)
prompted Congress to pass the Veterans Benefits, Health Care, and
Information Technology Act of 2006.^20 Under the act, the VA's CIO is
responsible for establishing, maintaining, and monitoring departmentwide
information security policies, procedures, control techniques, training,
and inspection requirements as elements of the departmental information
security program. The act also includes provisions to further protect
veterans and service members from the misuse of their sensitive personally
identifiable information. In the event of a security incident involving
personally identifiable information, VA is required to conduct a risk
analysis, and on the basis of the potential for compromise of personally
identifiable information, the department may provide security incident
notifications, fraud alerts, credit monitoring services, and identity
theft insurance. Congress is to be informed regarding security incidents
involving the loss of personally identifiable information.
In a report released last week,^21 we stated that although VA has made
progress in addressing security weaknesses, it has not yet fully
implemented key recommendations to strengthen its information security
practices. It has not implemented two of our four previous recommendations
and 20 of 22 recommendations made by the department's inspector general.
Among the recommendations not implemented are our recommendation that it
complete a comprehensive security management program and inspector general
recommendations to appropriately restrict access to data, networks, and VA
facilities; ensure that only authorized changes are made to computer
programs; and strengthen critical infrastructure planning to ensure that
information security requirements are addressed. Because these
recommendations have not yet been implemented, unnecessary risk exists
that personally identifiable information of veterans and other
individuals, such as medical providers, will be exposed to data tampering,
fraud, and inappropriate disclosure.
^20Veterans Benefits, Health Care, and Information Technology Act of 2006,
Pub. L. No. 109-461 (Dec. 22, 2006).
^21GAO-07-1019.
The need to fully implement GAO and IG recommendations to strengthen
information security practices is underscored by the prevalence of
security incidents involving the unauthorized disclosure, misuse, or loss
of personal information of veterans and other individuals (see table 2).
These incidents were partially due to weaknesses in the department's
security controls. In these incidents, which include the May 2006 theft of
computer equipment from an employee's home (mentioned earlier) and the
theft of equipment from department facilities, millions of people had
their personal information compromised.
Table 2: Number of Incidents by Type Reported to VA's Network and Security
Operations Center from January 2003 to November 2006

Type of incident involving the loss of
personal information                        2003   2004   2005   2006^a
Records lost or misplaced                     19     58     41    316
Records or hardware stolen                     7      9     14     65
Improper disposal of records                  10     27     10     80
Unauthorized access                           60    120    112    255
Unencrypted e-mails sent                       8     13     16    170
Unintended disclosure or release              22     48     24    199
Total number of incidents                    126    275    217   1085

Source: GAO analysis of VA data on incidents.
^aNumbers reported are from January 1, 2006, to November 3, 2006.
While the increase in reported incidents in 2006 reflects a heightened
awareness on the part of VA employees of their responsibility to report
incidents involving loss of personal information, it also indicates that
vulnerabilities remain in security controls designed to adequately
safeguard information.
Since the May 2006 security incident, VA has begun or has continued
several major initiatives to strengthen information security practices and
secure personally identifiable information within the department. These
initiatives include the realignment of its IT management structure, as
discussed earlier. Under the realignment, the management structure for
information security has changed. In the new organization, the
responsibility for managing the program lies with the CISO/Director of
Cyber Security (the CISO position has been vacant since June 2006, with
the CIO acting in this capacity), while the responsibility for
implementing the program lies with the Director of Field Operations and
Security. Thus, responsibility for information security functions within
the department is divided.
VA officials indicated that the heads of the two organizations are
communicating about the department's implementation of security policies
and procedures, but this communication is not defined as a role or
responsibility for either position in the new management organization
book, nor is there a documented process in place to coordinate the
management and implementation of the security program. Both of these
activities are key security management practices. Without a documented
process, policies or procedures could be inconsistently implemented
throughout the department, which could prevent the CISO from effectively
ensuring departmentwide compliance with FISMA. Until the process and
responsibilities for coordinating the management and implementation of IT
security policies and procedures throughout the department are clearly
documented, VA will have limited assurance that the management and
implementation of security policies and procedures are effectively
coordinated and communicated. Developing and documenting these policies
and procedures are essential for achieving an improved and effective
security management process under the new centralized management model.
In addition to the realignment initiative, the department also has others
under way to address security weaknesses. These include developing an
action plan to correct identified weaknesses; establishing an information
protection program; improving its incident management capability; and
establishing an office to be responsible for oversight of IT within the
department. However, implementation shortcomings limit the effectiveness
of these initiatives. For example:
o VA's action plan has task owners assigned and is updated
biweekly, but department officials have not ensured that adequate
progress has been made to resolve items in the plan. Specifically,
VA has extended the completion date at least once for 38 percent
of the plan items, and it did not have a process in place to
validate the closure of the items. In addition, although numerous
items in the plan were to develop or revise a policy or procedure,
87 percent of these items did not have a corresponding task with
an established timeframe for implementation.
o VA installed encryption software on laptops at facilities, but did
so inconsistently, and VA's directive on encryption did not address
the encryption of laptops that were categorized as medical devices,
which make up a significant portion of the population of laptops at
Veterans Health Administration facilities. In addition, the
department has not yet completed the acquisition of software tools
across the department.
o VA has improved its incident management capability since May
2006 by realigning and consolidating two incident management
centers, and it has made a notable improvement in its notification
of major security incidents to US-CERT (the U.S. Computer Emergency
Readiness Team), the Secretary, and Congress. However, notification
letters to affected individuals took longer to send for some
incidents because VA did not have adequate procedures for
coordinating incident response and mitigation activities with other
agencies and for obtaining up-to-date contact information.
o VA established the Office of IT Oversight and Compliance to
conduct assessments of its facilities to determine the adequacy of
internal controls and investigate compliance with laws, policies,
and directives and ensure that proper safeguards are maintained;
however, the office lacked a process to ensure that its
examination of internal controls is consistent across VA
facilities.
Until the department addresses recommendations to resolve
identified weaknesses and implements the major initiatives it has
undertaken, it will have limited assurance that it can protect its
systems and information from the unauthorized use, disclosure,
disruption, or loss.
In our report released last week, we made 17 recommendations to
assist the department in improving its ability to protect its
information and systems. These recommendations included that VA
clearly define and document coordination responsibilities for the
Director of Field Operations and Security and the Director of
Cyber Security and develop and implement a process for these
officials to coordinate on the implementation of IT security
policies and procedures throughout the department. We also made
recommendations to improve the department's ability to protect its
information and systems, including the development of various
processes and procedures to ensure that tasks in the department's
security action plans have time frames for implementation.
In summary, effectively instituting a realignment of the Office of
Information and Technology is essential to ensuring that VA's IT
programs achieve their objectives and that the department has a
solid and sustainable approach to managing its IT investments. VA
continues to work on improving such programs as information
security and systems development. Yet we continue to see
management weaknesses in these programs and initiatives (many of a
long-standing nature), which are the very weaknesses that VA aims
to alleviate with its reorganized management structure. Until the
department fully addresses the critical success factors that we
identified and carries out its plans to establish a comprehensive
set of improved management processes, the impact of this vital
undertaking will be diminished. Further, the department may not
achieve a solid and sustainable foundation for its new IT
management structure.
Mr. Chairman and members of the committee, this concludes our
statement. We would be happy to respond to any questions that you
may have at this time.
Contacts and Acknowledgements
For more information about this testimony, please contact Valerie C.
Melvin at (202) 512-6304 or Gregory C. Wilshusen at (202) 512-6244 or by
e-mail at [email protected] or [email protected]. Key contributions to
this testimony were made by Barbara Oliver, Assistant Director; Charles
Vrabel, Assistant Director; Barbara Collier, Nancy Glover, Valerie
Hopkins, Scott Pettis, J. Michael Resser, and Eric Trout.
Attachment 1. Key IT Management Processes to Be Addressed in VA Realignment
In the following table, the priority group number reflects the order in
which the department plans to implement each group of processes, with 1
being the first priority group.
Columns: key area; IT management process; implementation priority group
(in parentheses); description.

Key area: Enterprise management
  IT strategy (group 2): Addresses long- and short-term objectives,
  business direction, and their impact on IT, the IT culture,
  communications, information, people, processes, technology,
  development, and partnerships
  IT management (group 2): Defines a structure of relationships and
  processes to direct and control the IT endeavor
  Risk management (see note a): Identifies potential events that may
  affect the organization and manages risk to be within acceptable
  levels so that reasonable assurance is provided regarding the
  achievement of organization objectives
  Architecture management (group 2): Creates, maintains, promotes, and
  governs the use of IT architecture models and standards across and
  within the change programs of an organization
  Portfolio management (group 1): Assesses all applications, services,
  and IT projects that consume resources in order to understand their
  value to the IT organization
  Security management (group 2): Manages the department's information
  security program, as mandated by the Federal Information Security
  Management Act (FISMA) of 2002
  IT research and innovation (group 3): Generates ideas, evaluates and
  selects ideas, develops and implements innovations, and continuously
  recognizes innovators and learning from the experience
  Project management (group 1): Plans, organizes, monitors, and controls
  all aspects of a project in a continuous process so that it achieves
  its objectives

Key area: Business management
  Stakeholder requirements management (group 1): Manages and prioritizes
  all requests for additional and new technology solutions arising from
  a customer's needs
  Customer satisfaction management (group 3): Determines whether and how
  well customers are satisfied with the services, solutions, and
  offerings from the providers of IT
  Financial management (group 1): Provides sound stewardship of the
  monetary resources of the organization
  Service pricing and contract administration (group 3): Establishes a
  pricing mechanism for the IT organization to sell its services to
  internal or external customers and to administer the contracts
  associated with the selling of those services
  Service marketing and sales (group 3): Enables the IT organization to
  understand the marketplace it serves, to identify customers, to
  "market" to these customers, to generate "marketing" plans for IT
  services and support the "selling" of IT services to internal
  customers
  Compliance management (group 2): Ensures adherence with laws and
  regulations, internal policies and procedures, and stakeholder
  commitments
  Asset management (group 1): Maintains information regarding technology
  assets, including leased and purchased assets, licenses, and
  inventory
  Workforce management (group 2): Enables an organization to provide the
  optimal mix of staffing (resources and skills) needed to provide the
  agreed-on IT services at the agreed-on service levels
  Service-level management (group 2): Manages service-level agreements
  and performs the ongoing review of service achievements to ensure
  that the required and cost-justifiable service quality is maintained
  and gradually improved
  IT service continuity management (group 1): Ensures that agreed-on IT
  services continue to support business requirements in the event of a
  disruption to the business
  Supplier relationship management (group 3): Develops and exercises
  working relationships between the IT organization and suppliers in
  order to make available the external services and products that are
  required to support IT service commitments to customers
  Knowledge management (group 3): Promotes an integrated approach to
  identifying, capturing, evaluating, categorizing, retrieving, and
  sharing all of an organization's information assets

Key area: Business application management
  Solution requirements (group 2): Translates provided customer
  (business) requirements and IT stakeholder-generated
  requirements/constraints into solution-specific terms, within the
  context of a defined solution project or program
  Solution analysis and design (group 1): Creates a documented design
  from agreed-on solution requirements that describes the behavior of
  solution elements, the acceptance criteria, and agreed-to
  measurements
  Solution build (group 3): Brings together all the elements specified
  by a solution design via customization, configuration, and
  integration of created or acquired solution components
  Solution test and acceptance (see note a): Validates that the solution
  components and integrated solutions conform to design specifications
  and requirements before deployment

Key area: Infrastructure
  Service execution (group 2): Addresses the delivery of operational
  services to IT customers by matching resources to commitments and
  employing the IT infrastructure to conduct IT operations
  Data and storage management (group 3): Ensures that all data required
  for providing and supporting operational service are available for
  use and that all data storage facilities can handle normal, expected
  fluctuations in data volumes and other parameters within their
  designed tolerances
  Event management (group 3): Identifies and prioritizes infrastructure,
  service, business, and security events, and establishes the
  appropriate response to those events
  Availability management (group 3): Plans, measures, monitors, and
  continuously strives to improve the availability of the IT
  infrastructure and supporting organization to ensure that agreed-on
  requirements are consistently met
  Capacity management (group 3): Matches the capacity of the IT services
  and infrastructure to the current and future identified needs of the
  business
  Facility management (group 1): Creates and maintains a physical
  environment that houses IT resources and optimizes the capabilities
  and costs of that environment

Key area: Service support
  Change management (group 1): Manages the life cycle of a change
  request and activities that measure the effectiveness of the process
  and provides for its continued enhancement
  Release management (group 1): Controls the introduction of releases
  (that is, changes to hardware and software) into the IT production
  environment through a strategy that minimizes the risk associated
  with the changes
  Configuration management (group 1): Identifies, controls, maintains,
  and verifies the versions of configuration items and their
  relationships in a logical model of the infrastructure and services
  User contact management (group 3): Manages each user interaction with
  the provider of IT service throughout its life cycle
  Incident management (group 2): Restores a service affected by any
  event that is not part of the standard operation of a service that
  causes or could cause an interruption to or a reduction in the
  quality of that service
  Problem management (group 2): Resolves problems affecting the IT
  service, both reactively and proactively
Source: GAO.
a The department indicated that this process had completed a pilot, but
did not assign it to a priority group.
(310901)
This is a work of the U.S. government and is not subject to copyright
protection in the United States. The published product may be reproduced
and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other
material, permission from the copyright holder may be necessary if you
wish to reproduce this material separately.
GAO's Mission
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "E-mail Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
DC 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548
Public Affairs
Susan Becker, Acting Manager, [email protected], (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
DC 20548