[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:28450.wais]

OVERSIGHT HEARING ON VETERANS BENEFITS ADMINISTRATION DATA SECURITY

Tuesday, June 20, 2006

House of Representatives, Subcommittee on Disability Assistance and Memorial Affairs, Joint with Subcommittee on Economic Opportunity, Committee on Veterans' Affairs, Washington, D.C.

The Subcommittees met, pursuant to call, at 10:00 a.m., in Room 334, Cannon House Office Building, Hon. Jeff Miller [chairman of the Subcommittee on Disability Assistance and Memorial Affairs] and Hon. John Boozman [chairman of the Subcommittee on Economic Opportunity] presiding.

Present: Representatives Miller, Brown-Waite, Boozman, Berkley, Udall, Herseth, and Hooley.

Mr. Miller. Good morning everybody. This joint hearing of the Subcommittees on Disability Assistance and Memorial Affairs and Economic Opportunity will come to order. I would like to begin by saying this morning that while testimony was due to the Subcommittees by June 16th, we did not receive the VBA statement until last night. We realize the Committee has scheduled a number of hearings this month. However, we gave plenty of notice, in my opinion, and receiving the testimony the night before a hearing does not serve us well in our oversight capacity. On the 22nd of May Congress and the public were informed that several weeks earlier there had been a severe data breach containing sensitive information on more than 26 million beneficiaries. We learned just last week that an additional 2.2 million active duty servicemembers, reservists, and guardsmen and women may be affected as well. Through testimony and briefings it is apparent that the Department's lack of specific policies and procedures has created security vulnerabilities. While none of us could have imagined a situation affecting so many millions of people, I am beginning to believe something like this was bound to happen.
Since becoming chairman of this Subcommittee, a common thread is emerging. There appears to be a lack of uniformity within the Veterans Benefits Administration and certainly among the VBA. Please understand that I'm not criticizing any single person or office. There is certainly a cultural mentality that exists in many bureaucracies. One of the difficulties facing a large agency like VA is that it takes time, it takes money, and buy-in to change that culture. VA has not always been the most effective in keeping up with changing technologies, models or demands. What has recently occurred has been the product of that resistance to change. Whether it is lack of uniformity with how regional offices respond to a veteran or congressional inquiry, how claims are prioritized, or how information and technology and data security procedures are implemented, everyone seems to do things differently. The IG found data security deficiencies at 37 of 55 regional offices. Now if 37 regional offices have 37 different ways of doing business, that requires a lot more management muscle to correct a deficiency than if we have a uniform implementation of procedures. In order to receive benefits and services from VBA, veterans and survivors must provide at a minimum full names, social security numbers, and a home address. In order to receive benefits such as nonservice-connected pension, wage and other financial information must also be submitted. All of us trust that the federal government will do everything in its power to safeguard the information that has been provided. Thankfully, we have not yet heard of any reports of identity theft, but the trust placed in VA has certainly been broken. Our two subcommittees are holding this hearing to learn more about VBA's data security management program, what steps have been taken to educate its employees and how it intends to move forward to improve its data security policies.
I do look forward to hearing from the witnesses that are here today, and I want to turn now to the chairman of the Economic Opportunity Subcommittee, Dr. Boozman, for his opening remarks.

Mr. Boozman. Thank you very much, Mr. Chairman, and I certainly appreciate your leadership in this area. We appreciate you all being here. You will notice that we have a large print version that shows the 16 IT vulnerabilities cited by the VA Inspector General as yet to be addressed by the Department. The list shows a range of potential sources of data loss or compromise. The recent loss of over 26 million veterans' personal data highlights several things. First, data security must be founded on laws and regulations that are dynamic and enforced. Second, the appropriate technologies must be in place to implement the right levels of security and assist in enforcement and prevention. And third, there must be aggressive and consistent enforcement by senior VA officials. I do not know the motivation of the employee who willfully disregarded whatever rules were in place regarding working on the sensitive data from home, but what I do know is the VA missed an opportunity to increase its corporate control over data by imposing the bipartisan legislation passed by the House during the first session. That bill, H.R. 4061, would reform the way VA structures its management of its information technology programs. Without a solid foundation, whether in a building or an organization, everything above it is suspect. The policies at H.R. 4061, if put in place, would have provided that foundation. And while H.R. 4061 alone would not have prevented what has happened, if adopted, the VA would have had the basis for a coherent technology development and management program. That would enable leadership to implement and enforce a whole range of policies designed to control not only the fiscal issues but also things like data security in combination with aggressive technical security applications. H.R. 4061 is the right answer at the right time and place. The Department should reconsider its position on this bill and move quickly to consolidate its information technology programs. I am not just worried about cyber security. I am also concerned about how programs like vocational rehabilitation and employment control access to veterans' papers at the regional offices and their contractors. These files often contain very sensitive psychological and other medical data which, if accessed by unauthorized personnel, could have serious consequences. The constant theme in the testimony presented by the IG and GAO is the need for centralized cyber security among other things. If the VA refuses to adopt a centralized approach to managing its IT systems as prepared by H.R. 4061, how can you expect to achieve consistency throughout the VA system on anything related to IT? While we are talking about consistency, I want to broaden the scope just a little bit. We constantly hear about how each regional office has its own process for handling benefits and that the first thing newly trained staff returning from something like Challenge Training is, "We don't do it that way in this RO." It seems there is a lack of will by VA headquarters to impose and enforce best practices throughout its field operations. Everything seems to be a suggestion and is left to the RO director to choose whether or not to follow a policy. While I may be overstating the case slightly, it is a real problem facing the Department and certainly this is a tremendous challenge. It is something that we as a committee are committed to helping. Thank you very much, Mr. Chairman.

[The statement of John Boozman appears on p. ]

Mr. Miller. Thank you very much, Dr. Boozman. I would like to now recognize the Ranking Member of the Subcommittee on Disability Assistance and Memorial Affairs, Ms. Berkley, for an opening statement.

Ms. Berkley. Thank you, Chairman Miller and Chairman Boozman, for holding this hearing. Since the Under Secretary for Benefits is responsible for information security at the Veterans Benefits Administration Office, I for one would like to understand what problems exist and the steps that are being taken to address these problems. Veterans and service members in my district, I can tell you -- and I assume throughout the United States, are rightfully outraged that the security of their personal data has been compromised by the Department of Veterans Affairs, and I can assure you right after this was disclosed my phone in my district office was ringing off the hook and the level of anger and concern was very concerning to me. In 2004, during a routine review by the Inspector General of the Reno, Nevada VA regional office, several deficiencies related to Benefits Delivery Network computer security and sensitive claims folders were identified. Similar deficiencies have been identified throughout the Nation. The Inspector General has reported that although the VA is responsible for promptly correcting identified deficiencies, there is no systematic action taken to assure that the deficiencies identified in one office aren't corrected at other offices. This piecemeal approach to fixing problems probably provides little assurance to our Nation's veterans and probably isn't a very effective way of conducting business. I am also concerned that there may be inadequate staff to perform audit functions at data centers. I am sure there is inadequate staff. In addition, it is not clear there is any method for assuring security and control of data extracts provided to various components of the VA. Extracts such as these were reportedly the source of the recent data theft. I hope -- and I am looking forward to hearing what the witnesses have to say, but I hope that you will address these concerns. And again, thank you for being here today. I am looking forward to your testimony. Thank you.
[The statement of Shelley Berkley appears on p. ]

Mr. Miller. Thank you, Ms. Berkley. And now the Ranking Member of the Subcommittee on Economic Opportunity, Ms. Herseth.

Ms. Herseth. Thank you and good morning to you, Chairman Miller, Chairman Boozman, and of course Ranking Member Berkley and other colleagues. I am pleased we are holding this hearing today to review the procedures at the Veterans Benefits Administration and the efforts to control and maintain veterans' personal and sensitive information in a secure manner. I welcome witnesses on both panels this morning. We appreciate your testimony. The topic of today's hearing is both important and timely given the recent loss of nearly 26.5 million veterans' and active service members' private information. Indeed, the Federal Government, as a whole, every federal agency and the VA specifically, must improve its data security measures and enhance its recognition of and respect for citizens' privacy and health information laws, and it is incumbent upon us as a subcommittee, as a full committee, and the other committees on which we serve to ask these questions and to get the answers that will guard us as well in the future as it relates to the resources that each of our federal agencies need and the continuity of each CIO organization and the strength of those organizations to implement what we passed 10 years ago to ensure the data security of citizens' privacy and other information.
I have a chance to see a lot of veterans across South Dakota; in particular, a lot of our Vietnam veterans as we get ready for a Memorial dedication in Pierre, South Dakota this fall, and as we know, it took a number of those veterans sometimes a number of years to overcome a level of distrust to even reach out to the VA to obtain some of the benefits that they deserve and many of them that I see now just shake their heads when they received the information that their information was compromised. And in addition to that, many of them are serving to reach out to newly returned veterans, to work with them to make the adjustment back home after their deployments, and all of these men and women deserve our very best. We know that the employees at the VA feel the same, but we have to ensure levels of accountability and a system that is in place with policies and supervision and enforcement to maintain the integrity of this data and a fast changing financial services environment. So today, I am particularly interested in hearing about VBA's data security procedures with respect to information transferred to and from other Federal agencies, when information is controlled by contractors, such as the case when service members apply for education benefits or when contractors provide for vocational rehabilitation and employment services to a disabled veteran. So both chairmen, ranking member, thank you again for the hearing today. We look forward to the testimony.

[The statement of Stephanie Herseth appears on p. ]

[The statement of Ginny Brown-Waite appears on p. ]

Mr. Miller. Thank you very much. The first panel is already seated at the table. Mr. Ronald Aument is Deputy Under Secretary for Benefits at the Veterans Benefits Administration. He is accompanied this morning by Mr. Jack McCoy, Associate Deputy Under Secretary for Policy and Program Management; Mr. Michael Walcoff, Associate Deputy Under Secretary for Field Operations; and Mr. Thomas Lloyd, Deputy Chief Information Officer at VBA. Mr. Aument, you may begin.

STATEMENT OF RONALD AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS BENEFITS ADMINISTRATION; ACCOMPANIED BY JACK McCOY, ASSOCIATE DEPUTY UNDER SECRETARY FOR POLICY AND PROGRAM MANAGEMENT, VETERANS BENEFITS ADMINISTRATION; MICHAEL WALCOFF, ASSOCIATE DEPUTY UNDER SECRETARY FOR FIELD OPERATIONS, VETERANS BENEFITS ADMINISTRATION; AND THOMAS LLOYD, DEPUTY CHIEF INFORMATION OFFICER, VETERANS BENEFITS ADMINISTRATION

Mr. Aument. Thank you, Mr. Chairman. Chairman Miller, Chairman Boozman and members of the subcommittee, thank you for the opportunity to appear before you today to discuss data security and the Veterans Benefits Administration. I would like to open up with an apology for the lateness of our prepared statement, Mr. Chairman. I have no excuse for that. I am accompanied by Mr. Jack McCoy, the Associate Deputy Under Secretary for Policy and Program Management, Mr. Mike Walcoff, Associate Deputy Under Secretary for Field Operations, and Mr. Tom Lloyd, Deputy Chief Information Officer. With the committee's permission, I will offer a summary statement this morning and request that my written statement be submitted for the record.

Mr. Miller. Without objection.

Mr. Aument. Let me assure the subcommittee that VBA is thoroughly examining every aspect of our information security programs, our processes and our procedures to ensure that sensitive veterans data is neither mismanaged nor used for any unauthorized purpose. Although our review is ongoing, I will outline security measures we have had in place prior to May 3rd, 2006 and additional steps we have taken regarding our data security policies and procedures. I will also specifically address the security of the data feeds between VBA and the Department of Defense.
Responsibility for all IT security policy is centralized to the Department's Office of Cyber and Information Security, which reports directly to the VA's Chief Information Officer. Implementation of IT security policy and procedures in VBA is through a three-layer organizational assignment of responsibilities. The Information Security Officer at each regional office is responsible for the execution and oversight of IT security policy and procedures. ISO has managed local access control to IT resources. It conducts security audits under the focal point for incident reporting in the VBA facility. The network support centers provide oversight of regional office compliance of IT security policy and procedures and expert advice to the regional office ISO community and IT staff on technical issues. The VBA IT organization and headquarters provides technological support which implements IT support and procedures on the computer applications and systems. The Secretary's recent decision to further centralize all IT operations and maintenance activities brings all of the VABs under the Department CIO. We believe this further centralization of IT security will raise the organizational focus on the critical security issues and challenges and will bring added oversight and safeguards for sensitive information and records. VBA has incorporated security into all of our information systems and benefits delivery processes. We have extensive well-articulated policies and procedures governing access requests, auditing and rules of behavior. These policies and procedures pertain to all VBA employees as well as any other individuals authorized access to VBA systems and data. In all VBA's benefit systems veteran data is protected by VA and VBA security policy and IT system and application security controls. Programmatic access controls restrict access according to the specific veteran's record level of sensitivity and the authority of the individual accessing the data. 
All individuals authorized access to VA systems must adhere to rules of behavior that govern the use of IT systems and capabilities. The rules of behavior ensure that all users of IT resources are aware that any source potentially contains valuable and sometimes sensitive government or personal information which must be protected to prevent disclosure, unauthorized change or loss. The VBA internal controls process requires regional office directors to conduct systematic analysis of their IT security operations and to certify annually that their facilities are in compliance with the directives. The network support centers conduct annual surveys to ensure that the ROs are adhering to all VA, VBA and all other Federal security directives in the handbooks and that the deficiencies identified through the Inspector General's combined assessment program reviews are remediated. In August of 2005, VBA completed the federally mandated certification and accreditation of 97 application systems on schedule. VBA has a secure technology solution in place for external system users. External access to VBA is controlled through the One-VA Virtual Private Network to a centralized terminal server. VBA outbased workers as well as authorized veteran service organization representatives used One-VA VPN capability. Additionally, the Veterans Administration Portal supplies secure encrypted user access to loan guarantee applications for internal and external users. In March of this year we started the process to accelerate the implementation of public key infrastructure technology throughout VBA. PKI will provide a common utility for VA to provide more secure electronic transactions and e-mail. VBA is supporting the Secretary's direction to accelerate to annually require privacy awareness and Social Security training. All VBA's employees are now required to complete these training programs by June 22nd. That will be this Thursday.
We have compiled a list of VBA databases that contain sensitive information and all interfaces or data feeds that update these databases. A VBA work group has been tasked with assessing all VBA policies and procedures related to the release of data protected by the Privacy Act to provide recommendations to improve protection of the data. We also updated and strengthened procedures for handling veterans' requests to change address and direct deposit information to ensure proper verification of identity of the individual requesting the change. In the average month, we receive in excess of 40,000 requests from VA beneficiaries to change their financial institution and/or their address. Effective June 7th, in accordance with the Secretary's direction, VBA suspended all work at home and Flexiplace arrangements for employees directly involved in disability claims processing. Employees who adjudicated claims at their homes or other non-VA work sites will now do all claims work requiring claims files in regional offices. While VBA evaluates various solutions to protect sensitive data transported to and from offices, we are also developing a standard work at home and Flexiplace agreement to ensure all employees absolutely understand the responsibilities to safeguard sensitive data. VBA will implement VA encryption solutions. We have procured encryption capabilities for laptop computers and are considering expanding the use of the terminal server concept as a means of reducing or eliminating the information stored locally on a user's work station. We are also working with the Office of Acquisition and Material Management to reinforce strong control of the shipping of records containing personally identifiable information. This includes review of tracking procedures, signature requirements and expedited shipments. Department of Defense data is delivered to VBA via secured transmission using commercial software products and direct computer-to-computer connection.
These tools are used when sending or receiving files from the Defense Manpower Data Center. The VA is fully committed to the uninterrupted delivery of the benefits to those who have returned from the battlefield and who are transitioning into our VA system. We recognize the importance of securing the information shared with our DOD partners. Our mission is to serve veterans and to provide benefits to the best of our ability. IT is an essential tool that helps us serve veterans better, faster and more thoroughly. However, the rapid rate of technological advances, while offering improved and expanded benefits delivery, also presents an ongoing challenge to VA to keep pace with security and privacy demands. IT can make our service better and faster but the vulnerabilities increase just as fast. We must and will do what is necessary to protect as well as serve our veterans. Chairman Miller and Chairman Boozman, this concludes my statement. I will be happy to answer any questions you or any members of the subcommittee might have.

[The statement of Ronald Aument appears on p. ]

Mr. Miller. I don't know how many hearings that I have attended, and there are more to come in regards to this particular issue. I know my colleagues have all been involved in hearings, and this is not a question that was prepared, but probably one that all of my colleagues want asked. Every time I come into a Committee hearing where we are dealing with this issue, I am angry. More than angry. And then when I sit down and I hear the testimony that is given and the way the testimony is given and there is no emotion in the testimony, and I want to know what was your personal feeling when you heard that this had occurred.

Mr. Aument. I felt somewhat betrayed that we had provided information to a trusted source that we expected to take the same level of care of that information that we would expect of our own employees and I felt betrayed and I felt as though we had betrayed our veterans.

Mr. Miller. I am glad you ended your statement with "we have betrayed veterans" because the employee doesn't matter to me. That employee is gone. And whatever reason, it's over. But I sat in here, I think it was last week, and listened to testimony and there is no visceral reaction that I can tell except the Secretary was shaking profusely because he was so angry when he testified the first time. But I don't see it from anybody else, and I hope that it is just me not reading people's body language correctly. I would hope that everybody sitting at that table today would be mad as hell, and I don't see it. Can I ask the people who are with you if they are upset too?

Mr. Aument. Of course.

Mr. Miller. Mr. Lloyd.

Mr. Lloyd. Yes, sir.

Mr. Miller. Mr. McCoy.

Mr. McCoy. Absolutely.

Mr. Miller. Mr. Walcoff.

Mr. Walcoff. Yes.

Mr. Miller. Thank you. Who at VBA is responsible for implementing the new directive that is out there, Directive 6504, and how is it being implemented?

Mr. Aument. Well, as with any directive, Mr. Chairman, the Under Secretary is ultimately responsible for its implementation. Directive 6504, and I may turn to my colleague, Mr. Lloyd is very much a technical -- has many technical capabilities, that we would rely upon the IT organization for its ultimate implementation.

Mr. Miller. Mr. Lloyd.

Mr. Lloyd. With the implementation of the federated model the operations and maintenance people of VBA have been detailed to the CIO's office. We continue a close working relationship, and we are working to implement the directive. We have implemented the acquisition of the laptop software that Mr. Aument mentioned.
We are working with the ISOs on our collection of information about who has access to every system, every application and the assurance that the documentation is appropriate for the access that the people have. We are looking at our databases, who has access for the appropriate approval and the documentation. We have developed a plan to implement all of the items in the Secretary's directive.

Mr. Miller. As a follow-on, 6,000 accredited VSO representatives are out there today but only 1,300 have completed the training responsibility involved in preparation of claims. How do you ensure and monitor that only registered users have access to the system and how does VBA monitor representatives as fiduciaries?

Mr. Aument. The Veterans Service Organization representatives have to undergo the same types of training both in IT security and in privacy training that we require of any VBA employee. Anyone accessing the VBA system has to submit a request that at the local level those are managed by the ISO, the Information Security Officer. We also require that before anyone is given -- granted access to our systems in the VSO community that they would read, understand and sign the rules of behavior that we require of all VBA employees that we afford access to systems as well.

Mr. Miller. I may have a follow-up question that I will submit for the record. Another question that has been asked in other hearings is about the -- I guess it was in the mid-1970s C File numbers were used and then there was a transition to social security numbers. Are you exploring a change to the policy of using social security numbers?

Mr. Aument. We have certainly discussed that. I know that is an idea that has generated a lot of interest from those concerned with this data loss. At the moment I believe that we are probably -- it is not a solution that we can take and run with, Mr. Chairman.
We receive data importantly, most importantly from the Department of Defense, which uses as their unique identifier Social Security numbers for those transitioning from the military services. We are also required by law to provide extensive -- have extensive information exchanges with other government partners. By law, we are required to do data matches with the Social Security Administration and the Internal Revenue Service to support the continuing payments of benefits to those individual unemployability or for means tested programs. We have to provide information through data matches to the Department of Education for veterans who are applying for assistance in the Department of Education programs. This is just to mention a couple of the types of exchanges that we have to make routinely with outside interests in support of veterans programs. These entities all use Social Security numbers as their unique identifier. So even if we for internal purposes decided to revert back to a unique claim number, we would still have to be able to cross-reference that in some fashion to Social Security numbers to facilitate these types of exchanges.

Mr. Miller. Thank you. Dr. Boozman.

Mr. Boozman. Why don't I yield to the gentlelady from Nevada, and then you can come back to me.

Mr. Miller. I was going to do that, but then I was told protocol said I had to go to you first.

Mr. Boozman. You did go to me and I yielded.

Mr. Miller. Thank you. You are a kind gentleman. You can be the hero.

Ms. Berkley. Thank you all very much.
You know, it is -- how can I say this, I didn't have the same reaction that the chairman had about people not being mad enough because I didn't sense, quite frankly, that the Secretary -- he was mad but I think he was mad because this happened under his administration and frankly, if it hadn't blown up in everybody's face, I don't think -- I think he is so disengaged from the day-to-day operation of this department that he wouldn't have known, he wouldn't have cared, and he wouldn't have bothered to inquire. But what I am always struck with when people from the VA come and talk to us is how great the policies are. And I mean you can, you know, we have heard testimony about some of the best policies and signing in and signing out and handbooks and all of the employees have training and yet the reality is that we have got a mess on our hands. So it doesn't matter much what our policies are. If they are not implemented and if we don't have people making sure that these are implemented, and I might be wrong, but I understand that the employee who is no longer here that the 26 or 27 million names were stolen from, he had done everything he needed to do, signed the -- signed whatever he needed to do, attended whatever seminars he needed to do and he went ahead and did something completely wrong for 3 years that he wasn't supposed to be doing. So it doesn't much matter what our policies are if we don't make sure that they are followed. Let me ask you a couple of questions, or I have a number of them but there may be a second round. How are all of the regional offices notified of patterns of deficiency identified by the IG? I mean, is there a method of letting everyone know?

Mr. Aument. Yes, there is, Congresswoman.

Ms. Berkley. Do we do it?

Mr. Aument. Yes, we do.
In fact, during the month of May, early in May, Admiral Cooper sent a memorandum to the regional officers bringing to their attention the deficiencies that were uncovered during the prior year's Inspector General CAP reviews. And I may ask Mr. Walcoff, my colleague, to discuss a little bit, you know, further about what the expectations are but --

Ms. Berkley. I would like to know once he sent out the notice in May, did we get feedback, do we know that they are now in compliance or moving towards compliance? How do we do this?

Mr. Walcoff. The letter that Ron was talking about was dated May 10th, was sent out by the Under Secretary, and we have gotten confirmation from every regional office that they are in the process of working on every one of these areas that was identified by the IG in their reviews, even in the situation where they themselves weren't reviewed but our OS officers were. So they were supposed to review their own office to make sure they don't have deficiencies in that area. The IT recommendations will be fully implemented -- I think I gave them till Friday of this week. The non-IT recommendations they have another 3 weeks after that to fully implement, but we will get a certification from every regional office director that it is done in their office.

Ms. Berkley. Do you think you can provide us with a copy of that letter for the record?

Mr. Walcoff. Sure.

[The information appears on p. ]

Ms. Berkley. How does VBA control data which is extracted from VBA's data system for use by a VBA office and other -- VBA's other departments?

Mr. Aument. Let me begin by giving you background and maybe transitioning into what we believe needs to be done as well. Presently, any outside entity, and that could be both from within VA or from outside of VA, first has to initiate a formal request that goes to our Chief Information Officer within VBA.
They conduct a technical review of that request for data and then they consult back to the program office responsible for the contents of that system; for example, that would include our compensation and pension service or education service dependent upon the nature of the request, to try and make some determination of the appropriateness and the need for that request. They then would, based upon that consultation, make a determination as to whether or not to provide that information. At that point typically it has to go then to one of our data centers to have, you know, database administrators do the programming necessary to actually extract the data from the relevant system, and then it is made available based upon the requested arrangements with the requestor. That is quite a range of potential business partners that make use of that sort of information.

Ms. Berkley. Do we have a log? How do we monitor this?

Mr. Aument. Absolutely. There is a number of them that are routine data exchanges. We probably have some noted in the hundreds for that going to entities such as the Department of Defense, the Department of Education, other types of Federal partners as well as internal ones. Our Office of the Inspector General receives routine data extracts out of the compensation and pension system as well as from the BIRL system. This is an area that we have charged our performance analysis and integration to do some additional due diligence on behalf of VBA. We believe that we need to have better rules on monitoring that. For example, better rules governing how that information can be used, better rules that would make sure that that is not shared with any other entity or reconstituted in any other fashion, better rules saying the duration which they are allowed to maintain that data.
If it is given to them for a specific purpose, we believe an improved system would require what they must do with it after they have completed that task is to destroy it, return it back to VBA. We have looked at some other entities, Social Security, for example, that we believe serves as a much better model for that. And it is our intention to try to strengthen this process considerably.

Ms. Berkley. Thank you. Are we going to have a second round? In that case, I will yield. Thank you very much.

Mr. Miller. Dr. Boozman.

Mr. Boozman. It is interesting, the VA, you all can be complimented, I think the system can be complimented in the sense that you have really been a leader in getting our records into format, which is important. This whole country is going through this transformation process to make it easier for people to get access and yet along with that we want the access where we can use these things and yet now -- and this is a huge thing that is something that again the whole country is struggling with how you protect access from unwarranted whatever. So like I say, you have done a good job at switching over. That is to be commended. But I think the committee feels like you have not done as good a job as we need to and certainly this new incident brings that to a head. I mentioned in my opening statement that we passed H.R. 4061 to consolidate IT policy and system development under the corporate Information Security Officer. In light of what has gone on and in light of showing some weaknesses in the system, is there any rethinking of your position on the bill? Is there any way we can work with you to--

Mr. Aument. Well, Mr. Chairman, I don't speak for the Department in that regard. The Secretary certainly has made a decision as to the organizational change that he believes is needed and our job is to make sure that we implement the Secretary's decision as thoroughly--

Mr. Boozman. We can assume that is a no.

Mr. Aument. Right.
We certainly agreed, I think -- I mentioned that in my opening remarks, I think, that the IT security arrangements are going to be strengthened by the centralization of all security assets under the guidance of the CIO.

Mr. Boozman. Last week's full committee hearing GAO and VA's own Inspector General's Office doesn't give its Chief Information Officer authority to implement the recommendations without approval from 33 Under Secretaries. Do you believe that that is appropriate and that the Under Secretary should have that authority?

Mr. Aument. Do I believe that is appropriate? I believe the General Counsel is reviewing that issue at the moment as we speak, and I am not sure that is an accurate statement today given the centralization of all of the security assets now to the CIO. It is my belief he has direct line authority today over all of the ISOs and all of the field personnel responsible for maintaining our systems.

Mr. Boozman. So the IG testified to that effect last week, so it is changed?

Mr. Aument. Well, again, that is an area that is probably a little bit outside of my portfolio. But I do believe that with the detail of the personnel that are going to be permanently reassigned on October 1st that the CIO has direct line authority for all of the field IT staff within the Veterans Benefit Administration.

Mr. Boozman. But you would agree that makes sense to do it that way?

Mr. Aument. Yes, I do.

Mr. Boozman. Do existing labor agreements contain any provisions for enforcing unauthorized use or access to data? If not, do we anticipate revising the labor agreements to enable the Department to hold employees accountable for these type of actions?

Mr. Aument. Yes. It is not necessarily built into the labor agreement but our rules of behavior that every employee must sign it is explained in those rules of behavior that there are consequences for violation of those practices and policies. It is explained to them.
That range of consequence can be from terminating their access privileges to systems up to removal from Federal service.

Mr. Boozman. Could you give us copies of the rule?

Mr. Aument. I would be happy to.

[The information appears on p. ]

Mr. Boozman. Thank you, Mr. Chairman.

Mr. Miller. Ms. Herseth.

Ms. Herseth. Thank you, Mr. Chairman. Mr. Aument, I notice on your written testimony on page 10, actions taken to inform veterans about the data theft, that you talk about public contact teams working extended hours contracting with GSA, meeting with other contractors. I am somewhat familiar with what GSA charges our Federal judges and their chambers to rent space and provide other services. So can you tell me how much the VA has expended on notices to veterans operations to call centers and other activities related to the data breach and from what accounts the funds are being provided?

Mr. Aument. I certainly can, Congresswoman. Let me begin with the mailings, the direct mailings that have been made to veterans and service members to inform them of this data breach. A total of 17-1/2 million letters were sent out in this first round of mailings. The cost for that was over $7 million. Around a million dollars cost for the printing costs and somewhat over $6 million for the postage cost of that mailing. For the call centers, we have spent to date the last I was informed on this was 3 to 4 business days ago we had spent slightly over $7 million for the operations of the call centers. And that we are probably spending today a little bit over $200,000 a day for their continued operation. That money at the moment I must say is not strictly a VBA expenditure but departmental expenditure in that they had made arrangements with the Appropriations Committee for reprogramming for other funds to support this effort.

Ms. Herseth. And are the mailings coming out of -- you said the first round of mailings. Is it coming out of VBA or--

Mr. Aument.
We are anticipating there may be follow-up communications that are warranted on whatever types of follow-up actions that the administration and Congress feel may be needed to help veterans in this matter. The compromised information came from the BIRL system. I am sure you have seen referenced in some of the explanations here -- contains -- not contain veterans' addresses. So we really did not know the addresses of these individuals, many of whom are not receiving benefits from VA. We obtained -- we did not really even obtain those addresses, but we had to send data or our data files to Social Security Administration who reviewed through their records to try to find valid addresses and Social Security numbers. They did some Social Security number validation on that. They in turn shared the information with the Internal Revenue Service to try and find as many accurate addresses as could be possible from those data files. Then that information was then passed along to contractors to the Government Printing Office. But none of that information actually came back to VA.

Ms. Herseth. Okay. I think I followed the circuitous route that this took. So you mentioned that there has been a request to the Appropriations Committee both for fiscal year 2006 and fiscal year 2007 and reprogram moneys.

Mr. Aument. Not fiscal year 2007.

Ms. Herseth. Do you think there will -- anticipate there will be a request?

Mr. Aument. I really hate to speculate on that. I don't know of anything that is planned on that at the moment.

Ms. Herseth. Along the lines of what VBA understands to be within this universe of compromise data, let us say hypothetically -- well, let me first ask the question of the 17-1/2 million letters that have been sent, those have all gone to and what you just described there in trying to verify matching Social Security numbers up with addresses to those within the universe of the 26-1/2 million veterans whose data was compromised?

Mr. Aument. Yes.

Ms. Herseth.
If an active duty airman has only contact with the VA, has been to apply for a home loan, was he informed within -- I am still trying to understand who was really encompassed by--

Mr. Aument. The process of information entering into that system today since the early 1990s, the Department of Defense has sent us information at the time of enlistment in the service, so that the service member need not have applied for any VA benefits to have had their information included in this system.

Ms. Herseth. And I know there will be a chance for a second round. So is the VA, VBA, everyone is still trying to figure out just how this universe came together with this particular employee's project that he was working on so it is more just what you had as of enlistment, but we still aren't quite sure how someone could have been drawn into that pool, that universe of individuals whose data was compromised? We are trying to figure that out?

Mr. Aument. We believe we know the one large file that we are speaking of, this extract from BIRLS. We understand the programming that was used to select the records that went into that. So we believe we understand the universe of compromised records. The 26-1/2 million, it is the difference between 26-1/2 million records versus the 17.5 million records was sent out, was that not all of those records contained all of the complete data. For example, I ran 7 million of those records, they contained no Social Security number. Without that Social Security number, it was not possible to conduct any sort of accurate address determination on that. So we also found that in the records, included in the records were invalid Social Security numbers in some cases, which once again would have prevented any sort of a finding of address, and in some cases it involved deceased veterans as well.

Ms. Herseth. I will wait for the second round. Thank you, Mr. Chairman.

Mr. Miller. Ms. Brown-Waite.

Ms. Brown-Waite. Thank you very much, Mr. Chairman.
In reading over the testimony, it was noted that VBA has recalled all work-at-home employees and required them to return all files and equipment to VBA. How do you know what files they have?

Mr. Aument. I am probably going to turn this over to Mr. Walcoff, but there have always been in existence for all of our claims adjudicators who are working at home fairly rigid check-out/check-in practices for any files that they take away from the regional office, you know, for work home -- under work-at-home agreements.

Ms. Brown-Waite. Do these include electronic files? If they downloaded an electronic file, what record do you have of that? And I will let the gentleman answer.

Mr. Walcoff. Well, the--

Mr. Miller. If you pull your mike and then turn it on.

Mr. Walcoff. The vast majority of the work-at-home people were rating specialists and we have -- we use a system called COVERS to electronically track where a folder is so when they take folders home, we will wand it and it will be electronically recorded that that folder is being taken home by that particular rating specialist. So we are able to make sure that every folder that was taken out by our rating specialist back to his house was brought back when he brought all of the equipment in and all of the hard copy folders.

Ms. Brown-Waite. I am not sure that I got the answer to the electronic files.

Mr. Aument. We may have to turn to Mr. Lloyd on that. But I believe that the on-line components of the veterans' record are not downloadable to these individuals' work station. They would have the narrative descriptions of the rating decisions that they are working on for the immediate case that they are working on on the personal computer. But--

Ms. Brown-Waite. I would also ask what COVERS, the acronym, what that stands for?

Mr. Aument. I am not sure, Congresswoman. It is the tracking system that we use internally and externally in the regional office to track the locations of veterans' claims folders.

Ms. Brown-Waite.
Is that the same system that when I call in on behalf of a veteran that the file could never be found?

Mr. Aument. I am not really able to answer that question.

Ms. Brown-Waite. Or is that another acronym?

Mr. Aument. Could you restate the question, please?

Ms. Brown-Waite. Is that the same system that when I call in inquiring on behalf of a constituent that the file can't be found, is this the same system?

Mr. Aument. Quite possibly, yes. The difficulty there would be within the regional office we could identify it is within the service center but as to whether or not it is on an individual's desk or on a file cabinet sometimes it might be imprecise in that fashion. We would be able to track if it has left the building under the work-at-home program.

Ms. Brown-Waite. I still need the answer to the electronic files question.

Mr. Lloyd. When a veteran rating specialist works at home, they take the folders with them and they use an application called RBA 2000. That application allows them to work at home in the development of their rating information. There is a local database on the PC they use at home that contains the work that they are doing while they are at home. When they come back to the office, which I believe is weekly or biweekly, they upload that information into the corporate database. So while they are working at home there is information in the development of the ratings that they are doing.

Ms. Brown-Waite. Just a follow-up question, Mr. Chairman. When you ask them to return all files and equipment, what sanctions were there if this request was ignored?

Mr. Aument. There were 370 ratings specialists in total working from their homes who were required to return to the regional offices. I believe that involved most, if not all, regional offices. Mike?

Mr. Walcoff. Yeah. Not every station had work at home -- had people working at home.
I would say about two-thirds of the stations did and every one of them has come back to the office with their equipment, with their files.

Ms. Brown-Waite. One other question. On page 13 of the testimony of Mr. Aument, there was a statement that said VBA -- it is about, almost halfway down the page -- information security officers are required to review users' access and privileges at least quarterly or when a job change occurs. After a job change occurs, how soon does that review take place, you know, and you know job change could be termination?

Mr. Aument. Tom, do you have an answer to that?

Mr. Lloyd. Specifically for the terminations part of the check-out procedure, the supervisor and HR staff are to inform the Information Security Officer that the employee has been terminated and the ISO is supposed to remove all permissions and access on the day that the person leaves. That is the process.

Ms. Brown-Waite. Have there been any examples of when the access continued after the employee was terminated?

Mr. Lloyd. I am aware over the course of the years where -- especially interorganizational terminations that we don't always inform each other and the ISOs didn't know an employee has been terminated.

Ms. Brown-Waite. Has that situation been remedied?

Mr. Aument. One of the things we are doing at the moment with Mr. Lloyd, an example that he might be referring to where a VHA employee has access to a VBA system, authorized access, and we may not follow as closely when that individual changes jobs, is reassigned, retires or is terminated. We are working with the Department for a solution on that today. That would allow us access to our payroll system to have these automatic updates provided from the payroll system to that effect.

Ms. Brown-Waite. Just one quick--

Mr. Miller. Let's go to the other two members and then we will come back.

Ms. Brown-Waite. Okay.

Mr. Miller.
Did I hear you right that every file that is taken out or all information that is taken out you have the ability to track when the information leaves; is that true?

Mr. Aument. All the files, you know, have a bar code attached to the file. The procedure is that when a file is -- it leaves the building under the work-at-home program would be to, you know, using the bar code reader check that file out and at the time it returns check the file back in.

Mr. Miller. But going back to Ms. Brown-Waite's question, that is not an electronic file, correct? That could be a paper file?

Mr. Aument. That is a paper file.

Mr. Miller. So an electronic file could have been removed and you don't have a way to track that?

Mr. Aument. We do not have all of the veterans' data -- I wish I could say otherwise -- contained in an electronic file.

Mr. Miller. We know that. All Members of Congress are aware of that.

Mr. Aument. Right. So that the information that they would have access to at home through RBA 2000 is the information accessible to them.

Mr. Miller. I guess I am still trying to figure out how we are still not sure today of the information that is missing, who it affects, and it seems like every week we get a new group of people that are included. How is that so?

Mr. Aument. I believe, and you will certainly have an opportunity to speak to the next panel, the Inspector General has been looking carefully as to what access to data this employee actually had. I would like to think that, you know, we know fully today and that there will be no further disclosures, sir.

Mr. Miller. Thank you. Mr. Udall, questions?

Mr. Udall. Thank you, Mr. Chairman. According to the IG testimony, a contractor successfully penetrated the VBA system access to regional office files, created a fictitious veteran, established an award and mailed an award letter to a real address. If all of the policies and procedures you described were in place and functioning, how was this possible?

Mr. Aument.
This incident, Congressman, took place a little over a year ago at our Waco regional office. Let me start to begin with, and I am sure you will follow up with our colleagues from the Inspector General's Office, that first of all, they were already afforded access to the system. The IG had requested permission to get inside the firewall. So this did not replicate the situation where an entity outside VA would have broken into the system to have done this type of fraudulent activity.

Mr. Udall. Would somebody with the information that was taken out in the case of this recent employee, would they have been able to use that information and access the system?

Mr. Aument. No, they would not have.

Mr. Udall. Go ahead.

Mr. Aument. But the Inspector General was already given privileged status to be inside the system wherein they then conducted what is the equivalent of sophisticated hacking of captured passwords. What this really demonstrated would be that a sufficiently skilled VBA employee with fraudulent intent inside a system, you know, could go ahead and have replicated the IG's efforts to create a fictitious payment. Now, they have identified to us the shortcomings, you know, the critical vulnerabilities and we have taken actions to address those vulnerabilities.

Mr. Udall. So from what you are saying then no longer would somebody within the system with the access they have be able to do what they did?

Mr. Aument. I believe we have remediated. There was about a dozen different vulnerabilities they have raised. We have remediated most of those. Any of those who have not been completed, they are in the process of remediation.

Mr. Udall. According to the IG, VBA senior leadership is not receiving information concerning the financial costs of correcting conditions identified by the IG. How can VBA obtain a complete and accurate picture of the resources and funding needed to remediate security deficiencies without such information?

Mr. Aument.
I am not really certain of what the IG's particular findings and recommendations are in that regard. I do know that one of the largest undertakings that we have begun over the past year was the completion of the original round of certification and accreditation of application systems that were completed by the end of fiscal year 2005. We have gone through and we have identified all the tasks that need to be undertaken to remediate the findings of that process, and we have attached a price tag to each and every one of those remediations. We understand what it is going to cost us to solve those problems. Other types of problems that we believe that we need to be addressing, it is in a full encryption solution, both for, you know, desktop systems as well as the transmission systems and our legacy systems. We have attached price tags to those as well, too. There may be some financial unknowns, but we believe that we have tried to address, get our arms around those as best as we possibly can.

Mr. Udall. According to your testimony, in the average month VA receives in excess of 40,000 requests to change the financial institution or address for receipt of benefits. I understand that all financial institution changes for veterans being paid on Vets Net must be manually adjusted at the Hines BDN. Is this still the case and when will VetsNet be able to handle such transactions without manual rekeying of information?

Mr. Aument. Tom, can you answer that? I am not sure that is still true or not.

Mr. Lloyd. I believe, Congressman, that is in the August release. It is the issue of when they change from check to or from EFT to check.

Mr. Aument. I see.

Mr. Lloyd. And that is in the remediation that was--

Mr. Aument. I don't know if you got that.

Mr. Udall. So they are able to do that now?

Mr. Aument. They will be in August.

Mr. Udall. Thank you very much. Appreciate it.

Mr. Miller. Ms. Hooley.

Ms. Hooley. Thank you, Mr. Chairman. I want to follow up on Ms. Brown-Waite's question.
I know that you stopped the work-at-home privileges. And a lot of those paper files had irreplaceable documents in it. My question is when they took them home, they could, it seems to me they could take something out of that file and still scan it in. Are there backup copies of those documents? Are there electronic copies of those documents? I don't think there is anyone in the room -- maybe there is someone here -- that hasn't at some point lost something out of some file. And so assuming that they didn't take them deliberately, maybe they just lost them. Are there backup copies of those documents?

Mr. Aument. No, there are not, Congresswoman.

Ms. Hooley. Is that changing?

Mr. Aument. No, it is not.

Ms. Hooley. Do you think it needs to be changed? If they have irreplaceable documents, don't you think you need a scan of those?

Mr. Aument. I think we should ultimately move to an electronic record system. I could not agree more.

Ms. Hooley. And when do you think you can move to an electronic system? I mean, when you are dealing with that much paper, we have all, every single one of us here, every Member has known about cases where they can't find the files. They can't find the documents. But when are we going to get there?

Mr. Aument. In some of our program business lines we are already there. Our insurance program uses a totally electronic record, our education program uses electronic records, totally imaged files. The real challenge for us is our compensation and pension business line. I would -- one of the places I would encourage you to visit, if you have an opportunity, is our Records Management Center in St. Louis. There are over 20 million files in that building that represent veterans' claims folders, as well as service medical records that we receive from the various military services. The process of converting those files to either electronic images or, more importantly, data that can be used within the systems is a daunting challenge.
We are attempting to tackle that in the pension component of the compensation and pension business line through our pension maintenance centers. They are moving to a totally electronic record, but we are not there yet, Congresswoman.

Ms. Hooley. I saw the letter that went out to the veterans notifying them of that data breach. My question is -- I saw the letter and I didn't think the information in there was very useful about what to do. So my question is, now you have got the call centers, and you have got your employees. Have they been trained to handle questions from the veterans that come up in the process of their casework? Have they been trained to know what the answers are to the questions they ask?

Mr. Aument. Yes, we have, Congresswoman. We have attempted to provide a set of -- I hesitate to use the word, but "scripts" or "answers to frequently asked questions" from concerned veterans. We have been providing those both to the contract call centers as well as to our public contact teams at our regional offices. We are probably now on our fifteenth iteration of updating that list of frequently asked questions, based upon our experience, coming in from concerned veterans and callers and their family members. So we have been doing our best to try and keep them informed with what we understand to be the types of questions most veterans are asking.

Ms. Hooley. A couple of the most useful things I think you can tell the veterans is that they can put a fraud alert on their credit reports and they can get free credit reports, and yet when I went online after this happened, if you went through the whole system, you might get to that answer. Are those kinds of things being told to the veterans now?

Mr. Aument. Today, at the call centers and at our regional offices we attempt to respond to the questions. So if that question is posed, we certainly provide that information.

Ms. Hooley. That question may not be posed because they may not know enough to ask that question.

Mr. Aument. Correct.

Ms. Hooley. It seems to me those are things that people should be told that they can do. They could be told immediately one way to help prevent identity theft, which is -- the whole idea behind this is to prevent identity theft, which is a very long, tedious process if that happens to you, that they can put a fraud alert on immediately, and that lasts for 90 days; and they can get a free credit report, which helps them keep track, to make sure nothing is happening to their account. Why isn't that information given to them now?

Mr. Aument. I think I mentioned, in response to Congresswoman Herseth's question about our mailings, that we are potentially contemplating a second mailing. Some of the drafts of communications I have read included precisely that sort of information.

Ms. Hooley. Again, the letter is not being sent, but I would hope that at the call centers, that is information -- without them asking the question, that is information, here is what you can do.

Mr. Aument. We will take that one on, Congresswoman.

Ms. Hooley. Thank you.

Mr. Miller. We will go to a second round, and I would like to ask the members if you could ask just one more question to each person so we can move to the second panel. To follow up on Ms. Hooley's question, when somebody puts a fraud alert on their credit file, do you know what the impact is to that file?

Mr. Aument. I profess no expertise in that, Mr. Chairman. As far as -- I have seen some different iterations of the various levels of protections, just over the past couple of weeks, that can be involved and the terms of art that apply to a fraud alert versus a credit freeze versus something else. I know that there are various levels of protection afforded there. Some would require that the individual who invokes that type of a credit check would ask to be contacted by one of the credit bureaus in the event that anyone attempted to obtain credit using that Social Security number.
We also understand that some of these types of provisions vary on a State-to-State basis as well, so that there are some differences based upon where a veteran may reside.

Mr. Miller. I think the thing that confuses a lot of us is that the mistake was made by VA, yet the burden has been placed on the back of the veteran. I am trying to figure out, why isn't VA being more proactive, other than sending out a letter, and if there is a way to make a mass notification to credit bureaus of the information, because you know who they are because you sent letters to them. If it is not going to negatively affect them in one way or another and their ability to get credit or their borrowing power, wouldn't that be a responsibility of VA? I mean, every time I hear VA talk about the issue, it is what the veteran can do to protect their identity. My God, they thought their identity was protected. VA screwed up and now we are putting the onus on the backs of the veterans that are out there.

Mr. Aument. There have been -- I would acknowledge that too. I believe -- I feel that all of us in VA are very concerned about that, that we believe that we need to be doing more to try, as you have suggested, proactively to help assist veterans in this process. Some of the solutions that I have seen proposed so far -- I believe that we will be seeing further steps that are going to be taken, but there has to have been some actual vetting of what the best solution actually is.

Mr. Miller. Do you know how long it takes to steal somebody's identity? We are vetting. We are how many weeks past the time it was stolen and we are still vetting?

Mr. Aument. Part of the question there, Mr. Chairman, is whether or not all veterans want to have a solution imposed upon them, and that is -- one of the questions that we are wrestling with is, will all veterans, for example, want to have credit freezes or fraud alerts established on their accounts? Because there is some difference of views on that.

Mr. Miller.
That is why I asked not about a credit freeze but a fraud alert. There is a difference. Dr. Boozman.

Mr. Boozman. I will go ahead and yield again to the gentlelady.

Ms. Berkley. Thank you, Chairman Miller and Mr. Boozman. You said that you would like us to go to electronic as fast as possible. Is it a matter of money? Is it a matter of personnel? Because if I am here 20 years from now I have this sinking sensation that you and I will be having the same conversation. One thing I have noticed about government is that we are very slow to embrace technology. Even the United States Congress isn't where it needs to be. Is it a matter of money or personnel or a lack of desire? When are we moving actually to the 21st century?

Mr. Aument. Congresswoman, I believe it is probably a combination of all of the above to one degree or another. There is probably -- one other factor to add to the list that you have just put out too is trying to maintain our focus on bringing through to completion some of the projects that we are already undertaking -- VETS NET, for example. I am sure everybody wants to have an opportunity to mention that.

Ms. Berkley. What is the current status of VETS NET, since I can only ask one question?

Mr. Aument. We were up here on May 12th briefing the staff. We gave a relatively complete briefing there. We are in the process of attempting to implement all of the recommendations that the Software Engineering Institute had given to us in their report they completed last fall, and we owe the committee a report back by the end of August with an end-to-end plan for implementation of VETS NET. However, my point was that moving now to tackle an electronic records project, as valuable as it is -- I think that one of the reasons we are still uncompleted on VETS NET is moving to other distractions. And not that it is not a very important undertaking on that, too, but we believe that we need to first deliver on those things that we already have in progress.

Mr. Miller. Dr. Boozman.

Ms. Berkley. Thank you.

Mr. Boozman. When will VBA be fully compliant with the Federal Information Security Management Act?

Mr. Aument. The first steps we have at the moment are to complete the certification and accreditation, remediation projects that are on our plate. We have -- most of those are either under way or scheduled for completion. We believe that we should complete those. I would say that we could probably complete those within the next 2 years. Some of those involve minor construction types of projects to control physical security, but I would say probably within 2 years.

Mr. Boozman. So compliant within 2 years, you think?

Mr. Aument. I believe so.

Mr. Boozman. I guess, and I am trying to adhere to the chairman's wish of one question thing, but I would like to comment again, you have done a tremendous job of getting records. You are moving that right in that direction. I am an optometrist. I know how it is with charts, when you have got 100,000 patients among the clinic and you have got a chart on somebody's desk. And you have a system of dealing with that now that I am sure works pretty well. You lose charts now, you lose records. On the other hand, we are faced with this challenge of moving over in the other direction. But it does seem like it makes sense to me that rather than the VA spending a tremendous amount of money, which we are doing -- Social Security spending a tremendous amount of money, DOD, Medicare. Medicare is pushing very hard for physicians to get all of their stuff electronic. So you can imagine the challenge that they are going to have in securing this stuff. It does seem like the Secretary, yourself, your counterparts at HHS would sit down and say, I will give so much, you give so much, let's come up with a deal because it is interoperable as far as security. That is the only comment I have got. I wish you would carry that back.
And, again, somebody has got to show some leadership in this area and kind of get it going in the right direction.

Mr. Aument. I will take that back, Mr. Chairman.

Mr. Miller. Ms. Herseth.

Ms. Herseth. Thank you. On page 13 of your written testimony -- and you referred to it in your oral testimony today -- you mentioned that VBA is also considering expanding the use of terminal servers as a means of reducing or eliminating the amount of information stored locally on a remote user's work station. I would contend that you need to move beyond considering and actually move to expanding it. And in the first hearing we had I shared a little bit of experience in the private sector where even at my work station in the office I couldn't save anything other than what was centrally located in the system, let alone accessing information remotely and storing it -- the way I read that is, if you are a remote user, that means you are outside of the VA facility, your office, and you are able to store something locally. That means at home, to me. That is sort of what brought us here today. So I would just make that point and ask you if -- what are the barriers to expanding the use of these terminal servers? Is it just a matter of resources?

Mr. Aument. Resources is a consideration, but it also takes some technical engineering as well to make sure that we would be able to put in place a solution such as terminal servers. Let me suggest to you that we are already -- before we would even consider putting the ratings specialist back in a position working at home, that is, a solution that we would be imposing on them for any of the work-at-homes, would be that they would only be able to access the application, the RBA 2000, only be able to access that via terminal server.

Mr. Miller. Ms. Hooley.

Ms. Hooley. Thank you. I am just going to go back to the fraud alert, credit freeze, credit monitoring. Fraud alert and credit freeze are very different. Everybody can do a fraud alert that has had their data security breached. Not every State allows a credit freeze, we don't have a national standard, but you can do a fraud alert; and you need to tell veterans they can do that and what it means. They can get a free credit report, which they need to do; and again, you can tell them all they need to do is call one number or go online and they can do that. So you need to make sure that they know that. And then what I would hope you would do is look at -- for those that want it, that you have some kind of credit monitoring service, which I think is really how you best help the veteran. I know, Mr. Miller, when you were talking about the veteran has to do this, the veteran has to do that, putting -- first of all, they need to know that they can do a fraud alert, a free credit report, but free credit monitoring is a one thing you can do for veterans. They still have to sign up for it. I know I was a victim of a security breach, and they allowed us to have free credit monitoring; and actually what I was told is, they couldn't sign us up for it, but we could subscribe to it. So we got the paperwork at home; it was very simple, it was literally signing your name and a date, saying, I want free credit monitoring service. I would hope that you would seriously look at that as an option for our veterans. I think they need some peace of mind, and that is really how they are going to get it, is through a credit monitoring system. The question I have is, you talked about the number of files that are sitting in your -- one of your offices. How long is that going to take to get all of those on electronic files so that we don't have -- so we aren't losing, literally, documents that are -- I mean, they are not duplicated anywhere. How long is that going to take?

Mr. Aument. For the 20 million records that reside at our Records Management Center, Congresswoman, I would probably propose that we would probably never image those. Many of those are inactive files, some pertaining to deceased veterans that because of Federal records management requirements we need to maintain for some specified period of time. Many of those inactive files would not be certainly where we would begin in moving towards imaging of records. We would likely begin probably making some conscious business decisions with those records that enter into the system that are newly created and entering into the system and going backwards then with those at the time that veterans reopen claims, possibly seeking increased ratings or claiming other disabilities. We would probably try to put together a logical progression such as that.

Ms. Hooley. How long would that take?

Mr. Aument. I have no idea.

Mr. Miller. Thank you very much for your testimony this morning. I am sure members have other questions and they will be getting to you after the hearing. Thank you very much. I would like to ask the second panel, if they would, to move forward. While everybody's getting situated I am going to go ahead and introduce the second panel. Mr. Michael Staley is the Assistant Inspector General for Audit at VA's Office of Inspector General. He is accompanied by Mr. Stephen Gaskell, Director of Central Office Audit Operations. Mr. Gregory Wilshusen is the Director of Information Security Issues at the U.S. Government Accountability Office, and he is accompanied by Ms. Linda Koontz, Director of Information Management Issues.

STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT, ACCOMPANIED BY STEPHEN GASKELL, DIRECTOR, CENTRAL OFFICE AUDIT OPERATIONS DIVISION, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS' AFFAIRS; AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, ACCOMPANIED BY LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Miller. We thank you for being with the Subcommittees today; and, Mr. Staley, we will begin with you, please.
STATEMENT OF MICHAEL STALEY

Mr. Staley. Mr. Chairman and members of the subcommittee, thank you for the opportunity to testify today on the results of our reviews, which continue to address information security vulnerabilities in the VA and to report on the status of VA's implementation of our records. I have with me today Stephen Gaskell, who served as a project manager on these IT audits. We have conducted a number of audits and evaluations on information management security and information technology systems that have shown the need for continued improvements in addressing security vulnerabilities in VA and, as such, we have included IT security as a major management challenge for the Department in all of the major challenge reports issued since the fiscal year 2000. In our annual financial statements we have reported VA information security controls as a material weakness since our fiscal year 1997 audit. Specifically, we have reported that VA's financial data and sensitive veteran medical and disability information are at risk due to vulnerabilities related to access controls, change controls, the need to segregate duties and the need to improve service continuity practices. My IT security program auditors have identified and reported on significant information security weaknesses since 2001. All four of these annual audits have reported on similar issues, and the recurring themes in these reports are the need for a centralized approach and to achieve standardization, remediation of identified weaknesses, and accountability in VA information security. For the Veterans Benefit Administration we have continued to report control weaknesses in access controls, physical security, electronic security and employee security. Our combined assessment program reviews continue to report security and access control vulnerabilities at VA regional offices where security issues were evaluated. For example, at regional offices we have identified the need to strengthen physical security and access controls, procedures for providing employee security training and for obtaining background checks. We have issued our most recent IT security program review in draft to VA for comment. While it is not our general practice to comment on draft reports before they are published, because of the extensive public interest in these information security issues, I have described the issues that VA is addressing in my written testimony. In closing, I would like the committee to know the reviews of the VA's information security will remain a top priority for my office. We remain committed to reporting on the adequacy of IT security controls, and following up on actions taken by VA to strengthen these controls, we remain dedicated to the goal of protecting our Nation's veterans. Mr. Chairman and members of the subcommittee, thank you again for this opportunity. I would be pleased to answer any questions.

[The statement of Mr. Staley appears on p. ]

Mr. Miller. In the past, the IG has found some instances where terminated or separated employees retained access to critical systems identified at various locations. Whose responsibility is it to ensure that former VBA employees don't have access to computer systems and information and such?

Mr. Staley. That is correct, Mr. Chairman. We have been finding that during our combined assessment program reviews. Access controls actually have been found during our financial statement audits and when we do testing during our FISMA reviews.

Mr. Miller. Can you tell who is making -- are they accessing or do they just have the ability to access?

Mr. Staley. They have the ability to access.

Mr. Miller. Are you finding that anybody is trying to access after the fact?

Mr. Staley. Not any specific examples I can give you at this time.

Mr. Miller. I would go to Dr. Boozman, but he will yield to Ms. Berkley. So Ms. Berkley.

Ms. Berkley. Cut out the middleman. Let me ask you a question. According to your opening statement, this was a disaster waiting to happen, so I assume that you weren't overwhelmingly surprised when this theft occurred?

Mr. Staley. I would have to say that I think you are always concerned when something like this happens to -- whether it be one veteran or all of us veterans. I know myself, my data is also on that listing.

Ms. Berkley. My husband received his letter as well. Had the VA implemented your recommendations, could this have been avoided?

Mr. Staley. It is very difficult to say whether this particular incident could be avoided. The issues that we have talked about for these many years have addressed network security issues, access control issues. In response to this specific issue, we do have an administrative investigation ongoing which we hope to report on to the Department at the end of this month. And we will be asking for comments and hope to actually issue the report for you mid-July or so.

Ms. Berkley. During the prior two hearings on this topic, we heard a significant amount about the culture at the VA. This culture is characterized as entrenched and indifferent relating to IT projects. Does VBA's fielding of VETS NET, a project that is in the works for over a decade now, relate to such cultural problems?

Mr. Staley. I think what we had been talking about is the 16 or so issues that we presented, before you really speak to the issue of standardization; and that can only be accomplished if the three administrations work collectively to address them as one voice.

Ms. Berkley. Is VETS NET the solution to the problems?

Mr. Staley. Well, VETS NET is a solution to an aging benefits delivery network system. I think -- of course, I joined the VA in 1971, and I believe Target 1 by Honeywell was just starting at that time, so it is 30 years, may even be 40 years old.
We need to find solutions to replace these platforms, and VETS NET is attempting to do that. We have not reviewed VETS NET, we have not studied VETS NET; we are waiting for this contractor to complete his review, which I believe is due this summer. But we have been overseeing the progress and getting briefings on the progress of VETS NET.

Ms. Berkley. Thank you.

Mr. Miller. Dr. Boozman.

Mr. Boozman. Thank you, Mr. Chairman. Earlier we had testimony that VBA estimates that they will have full compliance in 2 years with the Federal Information Security Management Act. Do you feel like that is possible?

Mr. Staley. I feel for many of the issues that we have been identifying each year, the fixes are fairly dependent on vigilance. It is an issue of having very strong access controls, having your users only have information that they need information for. Many of these fixes can be done relatively soon. For the bigger issues, such as VETS NET and replacing platforms, I do know that the Department is working on these major system initiatives; and I have seen their timelines and charts and whatnot. Some of them are out to fiscal year 2008, 2009 and 2010.

Mr. Boozman. As we move -- is that a "yes" or a "no"?

Mr. Staley. For many of them, a 2-year timeline is feasible. For platform replacement issues, I could not say.

Mr. Boozman. When you get into going from one extreme to the other, when you get into encrypting and things like that, will that slow down -- do you run into problems then with a slowdown of the systems?

Mr. Staley. That is one of the issues that the Department is facing with many of these aging systems and that they were constructed 30-some-odd years ago. From what the technicians are telling us, that could be a possible outcome to adding software that would encrypt data. So it is possible.

Mr. Boozman. Our current system, can it identify instances of large downloads of data?

Mr. Staley. It is my understanding that you can -- you will get a log of the time that someone is in a system but not necessarily what is being downloaded.

Mr. Boozman. Do you, in investigating this and being a part of it, do you see any accompanying legislation that we need to do for VA to help them in dealing with the problem?

Mr. Staley. Well, I am really not in a position to comment on new legislation. Obviously, from my audit perspective, compliance with FISMA and remediating the issues that we have identified is one issue. I do know that sometime in May, OMB issued instructions to all the agencies to take a strong look at the security issue, which I believe they are required to report in their next FISMA report in 2006.

Mr. Boozman. You mentioned security access and then also you mentioned background checks. So we have got the problem that we are dealing with in this regard, and then too, as far as the background checks, to actually -- even if you have those systems in place and having the appropriate people hired, what is the problem with background checks? We learned at an earlier hearing that we have a physician that has a history of being a sexual offender. What's the deal?

Mr. Staley. From what we are seeing, it is a coordination problem from the point of the program office that that employee begins to work for, the HR division that is responsible for processing paperwork, and then the security and law enforcement. So it is the process of actually requesting these background checks timely, to get them done. And then the Department has also discussed the fact that it does take time to do these background checks; but there are various tiers of background checks that can be performed, and some of them only require law enforcement, fingerprinting-type procedures, and others are far more extensive and they take more time.

Mr. Boozman. Does it make sense that all of our agencies -- again, Medicare, as they go to an all-physician record situation and stuff where all that is digitalized and things, does it make sense for the agencies to talk to each other and try and figure this out together versus spending millions of dollars independently?

Mr. Staley. It would make sense to communicate and work with as many agencies as possible.

Mr. Boozman. Thank you, Mr. Chairman.

Mr. Miller. If we could, Mr. Wilshusen, if you would proceed with your testimony.

STATEMENT OF GREGORY WILSHUSEN

Mr. Wilshusen. Chairman Miller, Chairman Boozman and members of the subcommittees, thank you for inviting us to participate in today's joint hearing on data security at the Veterans Benefits Administration. The recent well-publicized security breach at the Department of Veterans' Affairs has highlighted the importance of good information security controls and protecting personally identifiable information not only at VA but throughout government. As we have reported on many occasions, poor information security controls is a widespread problem that can have devastating consequences such as the disruption of critical operations and unauthorized disclosure of highly sensitive information. Today, I will discuss the recurring security weaknesses that have been reported at VA, including those at VBA, what agencies can do to prevent breaches of personal information and the notification of individuals when such breaches occur. Since 1998, GAO and the VA IG have reported on wide-ranging deficiencies in VA's information security controls, including the lack of effective controls to prevent individuals from gaining unauthorized access to VA systems and sensitive data.
In addition, the Department had not consistently provided adequate physical security for its computer facilities, assigned duties in a manner that segregated incompatible functions, controlled changes to its operating systems, or updated and tested its disaster recovery plans. These deficiencies existed in part because VA had not fully implemented key components of a comprehensive information security program, including the lack of centralized management and an approach for addressing security challenges. Although VA has taken steps to improve security, its efforts have not been sufficient to effectively protect its information and information systems. As a result, these remain vulnerable to inadvertent or deliberate misuse, loss or improper disclosure, as the recent breach demonstrates. In addition to providing and implementing a robust security program, agencies such as VBA can better protect personally identifiable information by conducting privacy impact assessments that determine up front how personal information is to be collected, stored, shared and managed, so that controls can be built in from the beginning, by limiting access to the information and training personnel accordingly, and appropriately using technology controls such as encryption. VBA officials have informed us that since the May 3rd incident they have taken, or plan to take, a number of steps to enhance protection of veterans' personal information. These include reviewing and recertifying user access to sensitive information, evaluating encryption technologies for transmitting and storing data, and requiring privacy and cybersecurity training for all VBA employees by June 30. Although we have not reviewed these actions and cannot comment on their sufficiency or effectiveness at this time, they appear to be important first steps. However, the true test will be VBA's ability to fully implement and sustain appropriate protections over the long term. Nonetheless, even with security and privacy protections in place, breaches can occur, particularly if enforcement is lax or employees willfully disregard policy. When such breaches occur, appropriate, sufficient, and timely notification to those affected have clear benefits, allowing people the opportunity to protect themselves from identity theft. In summary, long-standing control weaknesses at VA have placed its information systems and information at increased risk of misuse and improper disclosure. Although VA has made progress in mitigating previously reported weaknesses, it has not taken all the steps necessary to address these serious issues. Only through strong leadership and sustained management commitment can VA implement a comprehensive information security program that can effectively manage risk on an ongoing basis. Mr. Chairman, this concludes my statement. Ms. Koontz and I will be happy to answer questions.

[The statement of Mr. Wilshusen and Ms. Koontz appears on p. ]

Mr. Miller. In terms of information security can you give us some type of a feel as to how VA or VBA fits within other agencies? Is everybody failing?

Mr. Wilshusen. No, everybody is not failing. One measure that would be important is, the FISMA reports that agencies are required to submit to Congress and to the OMB regarding their implementation of the provisions of the Federal Information Security Management Act, or FISMA. Each year we perform an analysis of those reports, and we found that over the past 4 out of 5 years VA typically has ended up towards the bottom end of the scale whereas other agencies, particularly some of the smaller, single-mission-type organizations tend to score higher. But what VA has done, too, is not dissimilar to other large complex organizations.

Mr. Miller. Do you have any role in seeing that your recommendations are implemented? Is there any follow-up at all with the reports that you make?

Mr. Wilshusen. Yes, there is. We follow up on all of our recommendations that we make, yes.

Mr. Miller. And when a recommendation is not followed then next year, you bring it up again and you follow it up and you do it again next year? It would seem pretty exasperating if that was what your job was year in and year out.

Mr. Wilshusen. We do find that agencies, including VA, do take some corrective actions to address specific weaknesses, but often they do not address the larger recommendations that relate to the underlying causes of those weaknesses. For example, we have routinely reported -- again, we haven't done much work at VA for a number of years, but we would follow up and look at the underlying reasons that we felt dealt with not having a comprehensive information security program that has been fully developed, documented and implemented at the agency. And so what that does is, while they may take corrective actions on specific technical findings that we identify, often what may happen is, they only correct them at the sites or the systems that we looked at and they don't look across the organization, across other similar systems, to take corrective actions on those same weaknesses.

Mr. Miller. Do they ever come back and say, this is a distraction, we can't deal with this right now, we have this other thing we are working on right here?

Mr. Wilshusen. Never in those blunt words. We often -- often they concur with our recommendations, and I think they try to take action. But sometimes it is a challenging endeavor for many organizations in the Federal Government because, one, the computing environment is very complex and the threats and the types of risks are constantly changing. It is a very dynamic environment. There are challenges. But with appropriate and well-defined and executed information security programs, they can address those risks.

Mr. Miller. Thank you. Ms. Berkley.

Ms. Berkley. Thank you.
I wish that we would have had this panel before the first panel because I would like to have heard the first panel's response to some of your testimony. Since May 3rd, have you detected any change in behavior or attitude with the VA? In your opinion, do they recognize the seriousness of what has transpired and are moving to implement corrective action so this can't happen again?

Mr. Wilshusen. We had one meeting with the VBA officials in order to collect some of the information about actions that they have taken or plan to take in response to this incident. Just from that one meeting it seems like they are very concerned and are trying to take the actions, but again, the proof is in the pudding. Once the actions and policies have been decided and developed, they need to execute and implement those. That will take time and commitment over a long period of time.

Ms. Berkley. So you had a meeting with the VBA officials, discussed with them what they need to do. And now how do you follow up and make sure this is happening? Or is that not your job? If it is not your job, whose job is it?

Mr. Wilshusen. Actually, the work we do is, by and large, requested by -- either requested by Congress or congressional committees and/or mandated. We have received several requests, and there have been some potential mandates proposed where we would do some work in this area, but we have not done any yet.

Ms. Berkley. Perhaps Mr. Boozman is going to ask the question that he asked previously, but what is it that -- would you need any additional legislation from Congress, or how could we do our jobs better so that you can do your job better, and ultimately, VBA and the Veterans Administration can protect the privacy of our veterans?

Mr. Wilshusen. Well, with regard to information security, as Mr. Staley pointed out, there is a law called the Federal Information Security Management Act of 2002, FISMA, and that provides a comprehensive framework for implementing security throughout a Federal agency; assigns specific responsibilities to the head of the agency, senior managers, to the CIO. In addition, it requires each agency to develop, document and implement an agency-wide security information program that contains several elements. That law has, I believe, raised the level of attention given to information security and provides a solid framework for agencies to follow in order to implement better security. The fact is that many agencies still have difficulty in fully implementing those programs. So I don't know if additional legislation is needed. Certainly in terms of what we need to do in having been requested to go in and do follow-up work, we can do that.

Ms. Berkley. Thank you.

Mr. Miller. Dr. Boozman.

Mr. Boozman. Thank you. Mr. Wilshusen, we talked earlier about H.R. 4061, and the approach the committee felt might be a little more effective by centralizing the system a little bit more than they are now. As you work with the other agencies, can you comment on that? Is this something that you found to be effective or is the decentralized approach better?

Mr. Wilshusen. We haven't done a systematic review of the other Federal agencies in terms of their organization, of how the CIO is organized relative to the other program offices; but what we have found is that for information security, centralization having a central management approach is preferable, because the interconnections between the systems and the types of policies and procedures that are in place at one agency or component could have an impact on other elements or components within that agency. So we wholeheartedly endorse having a centralized managed approach to implementing security at a Federal agency.

Mr. Boozman. As you deal with these problems system-wide, it does seem like -- again, with Medicare pushing hard to get electronic records, things like that, that ability is far outpacing again the transition from where do we put the charts, where do we put the records versus we can secure that, how do we secure this other thing. What -- in your experience, what agencies are doing a better job?

Mr. Wilshusen. Well, certainly the use of electronic records and using the interconnectivity of systems has brought tremendous benefits to Federal agencies in terms of being able to deliver government services to the people. But those same benefits and opportunities are subjected to and can create significant risks if adequate safeguards are not built into those technologies. We have found that it is imperative that agencies consider and build security into these systems from the very beginning throughout the entire life cycle, rather than trying to add them on as an afterthought. They tend to be more expensive and they tend to be less effective. So certainly one of the things that agencies need to do when converting paper records to electronic records is think about and implement and design security controls up front.

Mr. Boozman. Is there a model agency out there?

Mr. Wilshusen. I think that probably some of the different agencies have varied experiences in doing this. I don't know if there is a model agency per se in terms of implementing security on electronic systems. At most of the agencies we go to, where we have done specific testing of the controls, we generally find weaknesses on each system or most of the systems we look at.

Mr. Boozman. It doesn't make sense -- again, I am harping on this. It doesn't make sense to me; I guess I am asking if it does to you. But we want VA -- and VA has done a good job of switching over; we want VA to be able to talk to DOD.
We want Medicare -- I think we will foresee a time where Medicare and VA should be talking to each other as far as medical records and pharmacy records and all those kinds of things. But it does seem like, in making things interoperable and in solving some of these problems, you want more access to the records through all these different agencies. But then how do you secure that access? It does seem like that needs to be set up as you go along, as you just said, rather than trying to backtrack at some point and figure out how do we do this. I guess my question is, how do you do that? There doesn't seem to be much talk among the agencies, so that -- you really wouldn't comment on a model out there, but I am sure there are some good ones that are better than others. How do we get that done?

Mr. Wilshusen. Well, one way is, what agencies need to do -- and I believe there is a CIO Council that can meet to discuss issues that cut across different agencies. And certainly this could be a topic for that council to start addressing, looking at government-wide security requirements that are needed for these systems as they develop them. So that would be one way, through there. But definitely what agencies need to do, as they develop their systems, is to assess the risks, categorize the type of information they are going to be collecting and storing on those systems, and determine what the appropriate level of security over that information will be.

Ms. Koontz. If I can just add, from a privacy perspective, too, this is one of the reasons that we have emphasized the importance of agencies implementing the privacy impact assessments which are required under the E-Government Act, and that is a way of looking at the implications of collecting, handling and disseminating personally identifiable information in an agency and being able to build controls up front before the information is collected and before the system is built. You are absolutely right that once these things are done, it is very difficult to retrofit. And I think that you are also right in that technology is creating tremendous challenges for agencies in terms of balancing accessibility with security and privacy concerns; and I think there is a role here for the Congress in terms of policy, as well as for agencies in terms of implementation.

Mr. Boozman. Thank you very much. Thank you, Mr. Chairman.

Mr. Miller. Dr. Boozman, any closing comments?

Mr. Boozman. I appreciate your leadership in this area and getting the two committees together. I think the VA is to be complimented in the sense that it has done a very good job of moving forward. We pressed them hard to get the records in digital format and things like that. So we have done a good job that way, but we have lagged much, much behind and as we have talked about, having the security that goes along with that. It is something that not only VA has got to work very hard on, but it is a system-wide problem. Testimony mentioned the problems not only of the data but having the right people there. So there are so many things like this that we have really got to shore up not only in the VA, but system-wide. Again, I know that our Subcommittee, the Committee in general, in a very bipartisan way, is committed to doing whatever it takes legislatively to give the agencies, in our case, specifically, the VA, the tools. Thank you, Mr. Chairman.

Mr. Miller. Thank you very much, also, for your leadership and again for a bipartisan approach. We thank everybody for their testimony today. While there has apparently been no identity theft that we are aware of, we all agree that the potential is great. We must continue to work together to make sure that nothing like this happens again, and while this information continues to be floating out there somewhere, that nobody's credit or identity is harmed by what has happened. I appreciate everybody being here today. Members will have 5 legislative days in which to add their statements to the record.

[The statements appear on p. ]

Mr. Miller. Without any further comment, this joint subcommittee meeting is adjourned.

[Whereupon, at 11:54 a.m., the joint hearing of the subcommittees was adjourned.]