<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:28450.wais]
OVERSIGHT HEARING ON VETERANS
BENEFITS ADMINISTRATION
DATA SECURITY
Tuesday, June 20, 2006
House of Representatives,
Subcommittee on Disability Assistance and
Memorial Affairs, Joint with/Subcommittee
on Economic Opportunity, Committee on
Veterans' Affairs, Washington, D.C.
The Subcommittees met, pursuant to call, at 10:00 a.m., in Room 334, Cannon
House Office Building, Hon. Jeff Miller [chairman of the Subcommittee on
Disability Assistance and Memorial Affairs] and Hon. John Boozman [chairman of
the Subcommittee on Economic Opportunity] Presiding.
Present: Representatives Miller, Brown-Waite, Boozman, Berkley, Udall,
Herseth, and Hooley.
Mr. Miller. Good morning everybody. This joint hearing of the Subcommittees
on Disability Assistance and Memorial Affairs and Economic Opportunity will
come to order.
I would like to begin by saying this morning that while testimony was due to
the Subcommittees by June 16th, we did not receive the VBA statement until
last night. We realize the Committee has scheduled a number of hearings this
month. However, we gave plenty of notice, in my opinion, and receiving the
testimony the night before a hearing does not serve us well in our oversight
capacity.
On the 22nd of May Congress and the public were informed that several weeks
earlier there had been a severe data breach containing sensitive information
on more than 26 million beneficiaries. We learned just last week that an
additional 2.2 million active duty servicemembers, reservists, and guardsmen
and women may be affected as well.
Through testimony and briefings it is apparent that the Department's lack of
specific policies and procedures has created security vulnerabilities. While
none of us could have imagined a situation affecting so many millions of
people, I am beginning to believe something like this was bound to happen.
Since becoming chairman of this Subcommittee, a common thread is emerging.
There appears to be a lack of uniformity within the Veterans Benefit
Administration and certainly among the VBA. Please understand that I'm not
criticizing any single person or office. There is certainly a cultural
mentality that exists in many bureaucracies. One of the difficulties facing a
large agency like VA is that it takes time, it takes money, and buy-in to
change that culture. VA has not always been the most effective in keeping up
with changing technologies, models or demands. What has recently occurred has
been the product of that resistance to change.
Whether it is lack of uniformity with how regional offices respond to a
veteran or congressional inquiry, how claims are prioritized, or how
information and technology and data security procedures are implemented,
everyone seems to do things differently.
The IG found data security deficiencies at 37 of 55 regional offices. Now if
37 regional offices have 37 different ways of doing business, that requires a
lot more management muscle to correct a deficiency than if we have a uniform
implementation of procedures.
In order to receive benefits and services from VBA, veterans and survivors
must provide at a minimum full names, social security numbers, and a home
address. In order to receive benefits such as nonservice-connected pension,
wage and other financial information must also be submitted.
All of us trust that the federal government will do everything in its power to
safeguard the information that has been provided. Thankfully, we have not yet
heard of any reports of identity theft, but the trust placed in VA has
certainly been broken.
Our two subcommittees are holding this hearing to learn more about VBA's data
security management program, what steps have been taken to educate its
employees and how it intends to move forward to improve its data security
policies. I do look forward to hearing from the witnesses that are here
today, and I want to turn now to the chairman of the Economic Opportunity
Subcommittee, Dr. Boozman, for his opening remarks.
Mr. Boozman. Thank you very much, Mr. Chairman, and I certainly appreciate
your leadership in this area.
We appreciate you all being here. You will notice that we have a large print
version that shows the 16 IT vulnerabilities cited by the VA Inspector General
as yet to be addressed by the Department. The list shows a range of potential
sources of data loss or compromise. The recent loss of over 26 million
veterans personal data highlights several things.
First, data security must be founded on laws and regulations that are dynamic
and enforced. Second, the appropriate technologies must be in place to
implement the right levels of security and assist in enforcement and
prevention. And third, there must be aggressive and consistent enforcement by
senior VA officials.
I do not know the motivation of the employee who willfully disregarded
whatever rules were in place regarding working on the sensitive data from
home, but what I do know is the VA missed an opportunity to increase its
corporate control over data by imposing the bipartisan legislation passed by
the House during the first session. That bill, H.R. 4061, would reform the
way VA structures its management of its information technology programs.
Without a solid foundation, whether in a building or an organization,
everything above it is suspect. The policies at H.R. 4061, if put in place,
would have provided that foundation. And while H.R. 4061 alone would not have
prevented what has happened, if adopted, the VA would have had the basis for a
coherent technology development and management program.
That would enable leadership to implement and enforce a whole range of
policies designed to control not only the fiscal issues but also things like
data security in combination with aggressive technical security applications.
H.R. 4061 is the right answer at the right time and place. The Department
should reconsider its position on this bill and move quickly to consolidate
its information technology programs.
I am not just worried about cyber security. I am also concerned about how
programs like vocational rehabilitation and employment control access to
veterans papers at the regional offices and their contractors. These files
often contain very sensitive psychological and other medical data which, if
accessed by unauthorized personnel, could have serious consequences.
The constant theme in the testimony presented by the IG and GAO is the need
for centralized cyber security among other things. If the VA refuses to adopt
a centralized approach to managing its IT systems as prepared by H.R. 4061,
how can you expect to achieve consistency throughout the VA system on anything
related to IT.
While we are talking about consistency, I want to broaden the scope just a
little bit. We constantly hear about how each regional office has its own
process for handling benefits and that the first thing newly trained staff
returning from something like Challenge Training is, "We don't do it that way
in this RO."
It seems there is a lack of will by VA headquarters to impose and enforce best
practices throughout its field operations. Everything seems to be a
suggestion and is left to the RO director to choose whether or not to follow a
policy.
While I may be overstating the case slightly, it is a real problem facing the
Department and certainly this is a tremendous challenge. It is something that
we as a committee are committed to helping.
Thank you very much, Mr. Chairman.
[The statement of John Boozman appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. Thank you very much, Dr. Boozman.
I would like to now recognize the Ranking Member of the Subcommittee on
Disability Assistance and Memorial Affairs, Ms. Berkley, for an opening
statement.
Ms. Berkley. Thank you, Chairman Miller and Chairman Boozman, for holding
this hearing.
Since the Under Secretary for Benefits is responsible for information security
at the Veterans Benefits Administration Office, I for one would like to
understand what problems exist and the steps that are being taken to address
these problems.
Veterans and service members in my district, I can tell you -- and I assume
throughout the United States, are rightfully outraged that the security of
their personal data has been compromised by the Department of Veteran Affairs,
and I can assure you right after this was disclosed my phone in my district
office was ringing off the hook and the level of anger and concern was very
concerning to me.
In 2004, during a routine review by the Inspector General of the Reno, Nevada
VA regional office, several deficiencies related to Benefits Delivery Network
computer security and sensitive claims folders were identified. Similar
deficiencies have been identified throughout the Nation.
The Inspector General has reported that although the VA is responsible for
promptly correcting identified deficiencies, there is no systematic action
taken to assure that the deficiencies identified in one office aren't
corrected at other offices. This piecemeal approach to fixing problems
probably provides little assurance to our Nation's veterans and probably isn't
a very effective way of conducting business.
I am also concerned that there may be inadequate staff to perform audit
functions at data centers. I am sure there is inadequate staff. In addition,
it is not clear there is any method for assuring security and control of data
extracts provided to various components of the VA. Extracts such as these
were reportedly the source of the recent data theft.
I hope_and I am looking forward to hearing what the witnesses have to say, but
I hope that you will address these concerns. And again, thank you for being
here today. I am looking forward to your testimony.
Thank you.
[The statement of Shelley Berkley appears on p. ]
<GRAPHICS IS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. Thank you, Ms. Berkley. And now the Ranking Member of the
Subcommittee on Economic Opportunity, Ms. Herseth.
Ms. Herseth. Thank you and good morning to you, Chairman Miller, Chairman
Boozman, and of course Ranking Member Berkley and other colleagues. I am
pleased we are holding this hearing today to review the procedures at the
Veterans Benefits Administration and the efforts to control and maintain
veterans' personal and sensitive information in a secure manner. I welcome
witnesses on both panels this morning. We appreciate your testimony.
The topic of today's hearing is both important and timely given the recent
loss of nearly 26.5 million veterans' and active service members' private
information. Indeed, the Federal Government, as a whole, every federal agency
and the VA specifically, must improve its data security measures and enhance
its recognition of and respect for citizens' privacy and health information
laws, and it is incumbent upon us as a subcommittee, as a full committee, and
the other committees on which we serve to ask these questions and to get the
answers that will guard us as well in the future as it relates to the
resources that each of our federal agencies need and the continuity of each
CIO organization and the strength of those organizations to implement what we
passed 10 years ago to ensure the data security of citizens' privacy and other
information.
I have a chance to see a lot of veterans across South Dakota; in particular, a
lot of our Vietnam veterans as we get ready for a Memorial dedication in
Pierre, South Dakota this fall, and as we know, it took a number of those
veterans sometimes a number of years to overcome a level of distrust to even
reach out to the VA to obtain some of the benefits that they deserve and many
of them that I see now just shake their heads when they received the
information that their information was compromised.
And in addition to that, many of them are serving to reach out to newly
returned veterans, to work with them to make the adjustment back home after
their deployments, and all of these men and women deserve our very best. We
know that the employees at the VA feel the same, but we have to ensure levels
of accountability and a system that is in place with policies and supervision
and enforcement to maintain the integrity of this data and a fast changing
financial services environment.
So today, I am particularly interested in hearing about VBA's data security
procedures with respect to information transferred to and from other Federal
agencies, when information is controlled by contractors, such as the case when
service members apply for education benefits or when contractors provide for
vocational rehabilitation and employment services to a disabled veteran.
So both chairman, ranking member, thank you again for the hearing today. We
look forward to the testimony.
[The statement of Stephanie Herseth appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
[The statement of Ginny Brown-Waite appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. Thank you very much.
The first panel is already seated at the table. Mr. Ronald Aument is Deputy
Under Secretary for Benefits at the Veterans Benefits Administration. He is
accompanied this morning by Mr. Jack McCoy, Associate Deputy Under Secretary
for Policy and Program Management; Mr. Michael Walcoff, Associate Deputy Under
Secretary for Field Operations; and Mr. Thomas Lloyd, Deputy Chief Information
Officer at VBA.
Mr. Aument, you may begin.
STATEMENT OF RONALD AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS
BENEFITS ADMINISTRATION; ACCOMPANIED BY JACK McCOY, ASSOCIATE DEPUTY UNDER
SECRETARY FOR POLICY AND PROGRAM MANAGEMENT, VETERANS BENEFITS ADMINISTRATION;
MICHAEL WALCOFF, ASSOCIATE DEPUTY UNDER SECRETARY FOR FIELD OPERATIONS,
VETERANS BENEFITS ADMINISTRATION; AND THOMAS LLOYD, DEPUTY CHIEF INFORMATION
OFFICER, VETERANS BENEFITS ADMINISTRATION
Mr. Aument. Thank you, Mr. Chairman. Chairman Miller, Chairman Boozman and
members of the subcommittee, thank you for the opportunity to appear before
you today to discuss data security and the Veterans Benefits Administration.
I would like to open up with an apology for the lateness of our prepared
statement, Mr. Chairman. I have no excuse for that.
I am accompanied by Mr. Jack McCoy, the Associate Deputy Under Secretary for
Policy and Program Management, Mr. Mike Walcoff, Associate Deputy Under
Secretary for Field Operations, and Mr. Tom Lloyd, Deputy Chief Information
Officer.
With the committee's permission, I will offer a summary statement this morning
and request that my written statement be submitted for the record.
Mr. Miller. Without objection.
Mr. Aument. Let me assure the subcommittee that VBA is thoroughly examining
every aspect of our information security programs, our processes and our
procedures to ensure that sensitive veterans data is neither mismanaged nor
used for any unauthorized purpose. Although our review is ongoing, I will
outline security measures we have had in place prior to May 3rd, 2006 and
additional steps we have taken regarding our data security policies and
procedures. I will also specifically address the security of the data feeds
between VBA and the Department of Defense.
Responsibility for all IT security policy is centralized to the Department's
Office of Cyber and Information Security, which reports directly to the VA's
Chief Information Officer. Implementation of IT security policy and
procedures in VBA is through a three-layer organizational assignment of
responsibilities. The Information Security Officer at each regional office is
responsible for the execution and oversight of IT security policy and
procedures. ISO has managed local access control to IT resources. It
conducts security audits under the focal point for incident reporting in the
VBA facility. The network support centers provide oversight of regional
office compliance of IT security policy and procedures and expert advice to
the regional office ISO community and IT staff on technical issues. The VBA
IT organization and headquarters provides technological support which
implements IT support and procedures on the computer applications and systems.
The Secretary's recent decision to further centralize all IT operations and
maintenance activities brings all of the VABs under the Department CIO. We
believe this further centralization of IT security will raise the
organizational focus on the critical security issues and challenges and will
bring added oversight and safeguards for sensitive information and records.
VBA has incorporated security into all of our information systems and benefits
delivery processes. We have extensive well-articulated policies and
procedures governing access requests, auditing and rules of behavior. These
policies and procedures pertain to all VBA employees as well as any other
individuals authorized access to VBA systems and data. In all VBA's benefit
systems veteran data is protected by VA and VBA security policy and IT system
and application security controls. Programmatic access controls restrict
access according to the specific veteran's record level of sensitivity and the
authority of the individual accessing the data.
All individuals authorized access to VA systems must adhere to rules of
behavior that govern the use of IT systems and capabilities. The rules of
behavior ensure that all users of IT resources are aware that any source
potentially contains valuable and sometimes sensitive government or personal
information which must be protected to prevent disclosure, unauthorized change
or loss.
The VBA internal controls process requires regional office directors to
conduct systematic analysis of their IT security operations and to certify
annually that their facilities are in compliance with the directives. The
network support centers conduct annual surveys to ensure that the ROs are
adhering to all VA, VBA and all other Federal security directives in the
handbooks and that the deficiencies identified through the Inspector Generals
combine that assessment program reviews are remediated.
In August of 2005, VBA completed the federally mandated certification and
accreditation of 97 application systems on schedule. VBA has a secure
technology solution in place for external system users. External access to
VBA is controlled through the One-VA Virtual Private Network to a centralized
terminal server. VBA outbased workers as well as authorized veteran service
organization representatives used One-VA VPN capability. Additionally, the
Veterans Administration Portal supplies secure encrypted user access to loan
guarantee applications for internal and external users.
In March of this year we started the process to accelerate the implementation
of public key infrastructure technology throughout VBA. PKI will provide a
common utility for VA to provide more secure electronic transactions and e-
mail. VBA is supporting the Secretary's direction to accelerate to annually
require privacy awareness and Social Security training. All VBA's employees
are now required to complete these training programs by June 22nd. That will
be this Thursday.
We have compiled a list of VBA databases that contain sensitive information
and all interfaces or data feeds that update these database. A VBA work group
has been tasked with assessing all VBA policies and procedures related to the
release of data protected by the Privacy Act to provide recommendations to
improve protection of the data.
We also updated and strengthened procedures for handling veterans' requests to
change address and direct deposit information to ensure proper verification of
identity of the individual requesting the change. In the average month, we
receive in excess of 40,000 requests from VA beneficiaries to change their
financial institution and/or their address.
Effective June 7th, in accordance with the Secretary's direction, VBA
suspended all work at home and Flexiplace arrangements for employees directly
involved in disability claims processing. Employees who adjudicated claims at
their homes or other non-VA work sites will now do all claims works requiring
claims files in regional offices. While VBA evaluates various solutions to
protect sensitive data transported to and from offices, we are also developing
a standard work at home and Flexiplace agreement to ensure all employees
absolutely understand the responsibilities to safeguard sensitive data.
VBA will implement VA encryption solutions. We have procured encryption
capabilities for laptop computers and are considering expanding the use of the
terminal server concept as a means of reducing or eliminating the information
stored locally on a user's work station. We are also working with the Office
of Acquisition and Material Management to reinforce strong control of the
shipping of records containing personal identifiable information. This
includes review of tracking procedures, signature requirements and expedited
shipments. Department of Defense data is delivered to VBA via secured
transmission using commercial software products and direct computer-to-
computer connection. These tools are used when sending or receiving files
from the Defense Manpower Data Center.
The VA is fully committed to the uninterrupted delivery of the benefits to
those who have returned from the battlefield and who are transitioning into
our VA system. We recognize the importance of securing the information shared
with our DOD partners.
Our mission is to serve veterans and to provide benefits to the best of our
ability. IT is an essential tool that helps us serve veterans better, faster
and more thoroughly. However, the rapid rate of technological advances, while
offering improved and expanded benefits delivery, also presents an ongoing
challenge to VA to keep pace with security and privacy demands. IT can make
our service better and faster but the vulnerabilities increase just as fast.
We must and will do what is necessary to protect as well as serve our
veterans.
Chairman Miller and Chairman Boozman, this conclude my statement. I will be
happy to answer any questions you or any members of the subcommittee might
have.
[The statement of Ronald Aument appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. I don't know how many hearings that I have attended, and there
are more to come in regards to this particular issue. I know my colleagues
have all been involved in hearings, and this is not a question that was
prepared, but probably one that all of my colleagues want asked.
Every time I come into a Committee hearing where we are dealing with this
issue, I am angry. More than angry. And then when I sit down and I hear the
testimony that is given and the way the testimony is given and there is no
emotion in the testimony, and I want to know what was your personal feeling
when you heard that this had occurred.
Mr. Aument. I felt somewhat betrayed that we had provided information to a
trusted source that we expected to take the same level of care of that
information that we would expect of our own employees and I felt betrayed and
I felt as though we had betrayed our veterans.
Mr. Miller. I am glad you ended your statement with "we have betrayed
veterans" because the employee doesn't matter to me. That employee is gone.
And whatever reason, it's over. But I sat in here, I think it was last week,
and listened to testimony and there is no visceral reaction that I can tell
except the Secretary was shaking profusely because he was so angry when he
testified the first time. But I don't see it from anybody else, and I hope
that it is just me not reading people's body language correctly.
I would hope that everybody sitting at that table today would be mad as hell,
and I don't see it. Can I ask the people who are with you if they are upset
too?
Mr. Aument. Of course.
Mr. Miller. Mr. Lloyd.
Mr. Lloyd. Yes, sir.
Mr. Miller. Mr. McCoy.
Mr. McCoy. Absolutely.
Mr. Miller. Mr. Walcoff.
Mr. Walcoff. Yes.
Mr. Miller. Thank you.
Who at VBA is responsible for implementing the new directive that is out
there, Directive 6504, and how is it being implemented?
Mr. Aument. Well, as with any directive, Mr. Chairman, the Under Secretary is
ultimately responsible for its implementation. Directive 6504, and I may turn
to my colleague, Mr. Lloyd is very much a technical_has many technical
capabilities, that we would rely upon the IT organization for its ultimate
implementation.
Mr. Miller. Mr. Lloyd.
Mr. Lloyd. With the implementation of the federated model the operations and
maintenance people of VBA have been detailed to the CIO's office. We continue
a close working relationship, and we are working to implement the directive.
We have implemented the acquisition of the laptop software that Mr. Aument
mentioned. We are working with the ISOs on our collection of information
about who has access to every system, every application and the assurance that
the documentation is appropriate for the access that the people have. We are
looking at our databases, who has access for the appropriate approval and the
documentation. We have developed a plan to implement all of the items in the
Secretary's directive.
Mr. Miller. As a follow-on, 6,000 accredited VSO representatives are out
there today but only 1,300 have completed the training responsibility involved
in preparation of claims. How do you ensure and monitor that only registered
users have access to the system and how does VBA monitor representatives as
fiduciaries?
Mr. Aument. The Veterans Service Organization representatives have to undergo
the same types of training both in IT security and in privacy training that we
require of any VBA employee. Anyone accessing the VBA system has to submit a
request that at the local level those are managed by the ISO, the Information
Security Officer. We also require that before anyone is given_granted access
to our systems in the VSO community that they would read, understand and sign
the rules of behavior that we require of all VBA employees that we afford
access to systems as well.
Mr. Miller. I may have a follow-up question that I will submit for the
record. Another question that has been asked in other hearings is about the_I
guess it was in the mid-1970s C File numbers were used and then there was a
transition to social security numbers. Are you exploring a change to the
policy of using social security numbers?
Mr. Aument. We have certainly discussed that. I know that is an idea that
has generated a lot of interest from those concerned with this data loss. At
the moment I believe that we are probably_ it is not a solution that we can
take and run with, Mr. Chairman. We receive data importantly, most
importantly from the Department of Defense, which uses as their unique
identifier Social Security numbers for those transitioning from the military
services. We are also required by law to provide extensive_have extensive
information exchanges with other government partners. By law, we are required
to do data matches with the Social Security Administration and the Internal
Revenue Service to support the continuing payments of benefits to those
individual unemployability or for means tested programs. We have to provide
information through data matches to the Department of Education for veterans
who are applying for assistance in the Department of Education programs.
This is just to mention a couple of the types of exchanges that we have to
make routinely with outside interests in support of veterans programs.
These entities all use Social Security numbers as their unique identifier. So
even if we for internal purposes decided to revert back to a unique claim
number, we would still have to be able to cross-reference that in some fashion
to Social Security numbers to facilitate these types of exchanges.
Mr. Miller. Thank you.
Dr. Boozman.
Mr. Boozman. Why don't I yield to the gentlelady from Nevada, and then you
can come back to me.
Mr. Miller. I was going to do that, but then I was told protocol said I had
to go to you first.
Mr. Boozman. You did go to me and I yielded.
Mr. Miller. Thank you. You are a kind gentlemen. You can be the hero.
Ms. Berkley. Thank you all very much.
You know, it is_how can I say this, I didn't have the same reaction that the
chairman had about people not being mad enough because I didn't sense, quite
frankly, that the Secretary_he was mad but I think he was mad because this
happened under his administration and frankly, if it hadn't blown up in
everybody's face, I don't think_I think he is so disengaged from the day-to-
day operation of this department that he wouldn't have known, he wouldn't have
cared, and he wouldn't have bothered to inquire.
But what I am always struck with when people from the VA come and talk to us
is how great the policies are. And I mean you can, you know, we have heard
testimony about some of the best policies and signing in and signing out and
handbooks and all of the employees have training and yet the reality is that
we have got a mess on our hands. So it doesn't matter much what our policies
are. If they are not implemented and if we don't have people making sure that
these are implemented, and I might be wrong, but I understand that the
employee who is no longer here that the 26 or 27 million names were stolen
from, he had done everything he needed to do, signed the_signed whatever he
needed to do, attended whatever seminars he needed to do and he went ahead and
did something completely wrong for 3 years that he wasn't supposed to be
doing. So it doesn't much matter what our policies are if we don't make sure
that they are followed.
Let me ask you a couple of questions, or I have a number of them but there may
be a second round.
How are all of the regional offices notified of patterns of deficiency
identified by the IG? I mean, is there a method of letting everyone know?
Mr. Aument. Yes, there is, Congresswoman.
Ms. Berkley. Do we do it?
Mr. Aument. Yes, we do. In fact, during the month of May, early in May,
Admiral Cooper sent a memorandum to the regional officers bringing to their
attention the deficiencies that were uncovered during the prior year's
Inspector General CAP reviews. And I may ask Mr. Walcoff, my colleague, to
discuss a little bit, you know, further about what the expectations are but_
Ms. Berkley. I would like to know once he sent out the notice in May, did we
get feedback, do we know that they are now in compliance or moving towards
compliance? How do we do this?
Mr. Walcoff. The letter that Ron was talking about was dated May 10th, was
sent out by the Under Secretary, and we have gotten confirmation from every
regional office that they are in the process of working on every one of these
areas that was identified by the IG in their reviews, even in the situation
where they themselves weren't reviewed but our OS officers were. So they were
supposed to review their own office to make sure they don't have deficiencies
in that area.
The IT recommendations will be fully implemented_I think I gave them till
Friday of this week. The non-IT recommendations they have another 3 weeks
after that to fully implement, but we will get a certification from every
regional office director that it is done in their office.
Ms. Berkley. Do you think you can provide us with a copy of that letter for
the record?
Mr. Walcoff. Sure.
[The information appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Ms. Berkley. How does VBA control data which is extracted from VBA's data
system for use by a VBA office and other_VBA's other departments?
Mr. Aument. Let me begin by giving you background and maybe transitioning
into what we believe needs to be done as well.
Presently, any outside entity, and that could be both from within VA or from
outside of VA, first has to initiate a formal request that goes to our Chief
Information Officer within VBA. They conduct a technical review of that
request for data and then they consult back to the program office responsible
for the contents of that system; for example, that would include our
compensation and pension service or education service dependent upon the
nature of the request, to try and make some determination of the
appropriateness and the need for that request.
They then would, based upon that consultation, make a determination as to
whether or not to provide that information.
At that point typically it has to go then to one of our data centers to have,
you know, database administrators do the programming necessary to actually
extract the data from the relevant system, and then it is made available based
upon the requested arrangements with the requestor. That is quite a range of
potential business partners that make use of that sort of information.
Ms. Berkley. Do we have a log? How do we monitor this?
Mr. Aument. Absolutely. There is a number of them that are routine data
exchanges. We probably have some noted in the hundreds for that going to
entities such as the Department of Defense, the Department of Education, other
types of Federal partners as well as internal ones. Our Office of the
Inspector General receives routine data extracts out of the compensation and
pension system as well as from the BIRL system.
This is an area that we have charged our performance analysis and integration
to do some additional due diligence on behalf of VBA. We believe that we need
to have better rules on monitoring that. For example, better rules governing
how that information can be used, better rules that would make sure that that
is not shared with any other entity or reconstituted in any other fashion,
better rules saying the duration which they are allowed to maintain that data.
If it is given to them for a specific purpose, we believe an improved system
would require what they must do with it after they have completed that task is
to destroy it, return it back to VBA. We have looked at some other entities,
Social Security, for example, that we believe serves as a much better model
for that. And it is our intention to try to strengthen this process
considerably.
Ms. Berkley. Thank you. Are we going to have a second round? In that case,
I will yield. Thank you very much.
Mr. Miller. Dr. Boozman.
Mr. Boozman. It is interesting, the VA, you all can be complimented, I think
the system can be complimented in the sense that you have really been a leader
in getting our records into format, which is important. This whole country is
going through this transformation process to make it easier for people to get
access and yet along with that we want the access where we can use these
things and yet now_and this is a huge thing that is something that again the
whole country is struggling with how you protect access from unwarranted
whatever.
So like I say, you have done a good job at switching over. That is to be
commended. But I think the committee feels like you have not done as good a
job as we need to and certainly this new incident brings that to a head.
I mentioned in my opening statement that we passed H.R. 4061 to consolidate IT
policy and system development under the corporate Information Security
Officer.
In light of what has gone on and in light of showing some weaknesses in the
system, is there any rethinking of your position on the bill? Is there any
way we can work with you to_
Mr. Aument. Well, Mr. Chairman, I don't speak for the Department in that
regard. The Secretary certainly has made a decision as to the organizational
change that he believes is needed and our job is to make sure that we
implement the Secretary's decision as thoroughly_
Mr. Boozman. We can assume that is a no.
Mr. Aument. Right. We certainly agreed, I think_I mentioned that in my
opening remarks, I think, that the IT security arrangements are going to be
strengthened by the centralization of all security assets under the guidance
of the CIO.
Mr. Boozman. Last week's full committee hearing GAO and VA's own Inspector
General's Office doesn't give its Chief Information Officer authority to
implement the recommendations without approval from 33 Under Secretaries. Do
you believe that that is appropriate and that the Under Secretary should have
that authority?
Mr. Aument. Do I believe that is appropriate? I believe the General Counsel
is reviewing that issue at the moment as we speak, and I am not sure that is
an accurate statement today given the centralization of all of the security
assets now to the CIO. It is my belief he has direct line authority today
over all of the ISOs and all of the field personnel responsible for
maintaining our systems.
Mr. Boozman. So the IG testified to that effect last week, so it is changed?
Mr. Aument. Well, again, that is an area that is probably a little bit
outside of my portfolio. But I do believe that with the detail of the
personnel that are going to be permanently reassigned on October 1st that the
CIO has direct line authority for all of the field IT staff within the
Veterans Benefit Administration.
Mr. Boozman. But you would agree that makes sense to do it that way?
Mr. Aument. Yes, I do.
Mr. Boozman. Do existing labor agreements contain any provisions for
enforcing unauthorized use or access to data? If not, do we anticipate
revising the labor agreements to enable the Department to hold employees
accountable for these type of actions?
Mr. Aument. Yes. It is not necessarily built into the labor agreement but
our rules of behavior that every employee must sign it is explained in those
rules of behavior that there are consequences for violation of those practices
and policies. It is explained to them. That range of consequence can be from
terminating their access privileges to systems up to removal from Federal
service.
Mr. Boozman. Could you give us copies of the rule?
Mr. Aument. I would be happy to.
[The information appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Boozman. Thank you, Mr. Chairman.
Mr. Miller. Ms. Herseth.
Ms. Herseth. Thank you, Mr. Chairman.
Mr. Aument, I notice on your written testimony on page 10, actions taken to
inform veterans about the data theft, that you talk about public contact teams
working extended hours contracting with GSA, meeting with other contractors.
I am somewhat familiar with what GSA charges our Federal judges and their
chambers to rent space and provide other services. So can you tell me how
much the VA has expended on notices to veterans operations to call centers and
other activities related to the data breach and from what accounts the funds
are being provided?
Mr. Aument. I certainly can, Congresswoman. Let me begin with the mailings,
the direct mailings that have been made to veterans and service members to
inform them of this data breach. A total of 17-1/2 million letters were sent
out in this first round of mailings. The cost for that was over $7 million.
Around a million dollars cost for the printing costs and somewhat over $6
million for the postage cost of that mailing.
For the call centers, we have spent to date the last I was informed on this
was 3 to 4 business days ago we had spent slightly over $7 million for the
operations of the call centers. And that we are probably spending today a
little bit over $200,000 a day for their continued operation.
That money at the moment I must say is not strictly a VBA expenditure but
departmental expenditure in that they had made arrangements with the
Appropriations Committee for reprogramming for other funds to support this
effort.
Ms. Herseth. And are the mailings coming out of_you said the first round of
mailings. Is it coming out of VBA or_
Mr. Aument. We are anticipating there may be follow-up communications that
are warranted on whatever types of follow-up actions that the administration
and Congress feel may be needed to help veterans in this matter.
The compromised information came from the BIRL system. I am sure you have
seen referenced in some of the explanations here_contains_not contain veterans
addresses. So we really did not know the addresses of these individuals, many
of whom are not receiving benefits from VA.
We obtained_we did not really even obtain those addresses, but we had to send
data or our data files to Social Security Administration who reviewed through
their records to try to find valid addresses and Social Security numbers.
They did some Social Security number validation on that. They in turn shared
the information with the Internal Revenue Service to try and find as many
accurate addresses as could be possible from those data files. Then that
information was then passed along to contractors to the Government Printing
Office. But none of that information actually came back to VA.
Ms. Herseth. Okay. I think I followed the circuitous route that this took.
So you mentioned that there has been a request to the Appropriations Committee
both for fiscal year 2006 and fiscal year 2007 and reprogram moneys.
Mr. Aument. Not fiscal year 2007.
Ms. Herseth. Do you think there will_anticipate there will be a request?
Mr. Aument. I really hate to speculate on that. I don't know of anything
that is planned on that at the moment.
Ms. Herseth. Along the lines of what VBA understands to be within this
universe of compromise data, let us say hypothetically_well, let me first ask
the question of the 17-1/2 million letters that have been sent, those have all
gone to and what you just described there in trying to verify matching Social
Security numbers up with addresses to those within the universe of the 26-1/2
million veterans whose data was compromised?
Mr. Aument. Yes.
Ms. Herseth. If an active duty airman has only contact with the VA, has been
to apply for a home loan, was he informed within_I am still trying to
understand who was really encompassed by_
Mr. Aument. The process of information entering into that system today since
the early 1990s, the Department of Defense has sent us information at the time
of enlistment in the service, so that the service member need not have applied
for any VA benefits to have had their information included in this system.
Ms. Herseth. And I know there will be a chance for a second round. So is the
VA, VBA, everyone is still trying to figure out just how this universe came
together with this particular employee's project that he was working on so it
is more just what you had as of enlistment, but we still aren't quite sure how
someone could have been drawn into that pool, that universe of individuals
whose data was compromised? We are trying to figure that out?
Mr. Aument. We believe we know the one large file that we are speaking of,
this extract from BIRLS. We understand the programming that was used to
select the records that went into that. So we believe we understand the
universe of compromised records.
The 26-1/2 million, it is the difference between 26-1/2 million records versus
the 17.5 million records was sent out, was that not all of those records
contained all of the complete data. For example, I ran 7 million of those
records, they contained no Social Security number. Without that Social
Security number, it was not possible to conduct any sort of accurate address
determination on that.
So we also found that in the records, included in the records were invalid
Social Security numbers in some cases, which once again would have prevented
any sort of a finding of address, and in some cases it involved deceased
veterans as well.
Ms. Herseth. I will wait for the second round. Thank you, Mr. Chairman.
Mr. Miller. Ms. Brown-Waite.
Ms. Brown-Waite. Thank you very much, Mr. Chairman. In reading over the
testimony, it was noted that VBA has recalled all work-at-home employees and
required them to return all files and equipment to VBA. How do you know what
files they have?
Mr. Aument. I am probably going to turn this over to Mr. Walcoff, but there
have always been in existence for all of our claims adjudicators who are
working at home fairly rigid check-out/check-in practices for any files that
they take away from the regional office, you know, for work home_under
work-at-home agreements.
Ms. Brown-Waite. Do these include electronic files? If they downloaded an
electronic file, what record do you have of that? And I will let the
gentleman answer.
Mr. Walcoff. Well, the_
Mr. Miller. If you pull your mike and then turn it on.
Mr. Walcoff. The vast majority of the work-at-home people were rating
specialists and we have_we use a system called COVERS to electronically track
where a folder is so when they take folders home, we will wand it and it will
be electronically recorded that that folder is being taken home by that
particular rating specialist. So we are able to make sure that every folder
that was taken out by our rating specialist back to his house was brought back
when he brought all of the equipment in and all of the hard copy folders.
Ms. Brown-Waite. I am not sure that I got the answer to the electronic files.
Mr. Aument. We may have to turn to Mr. Lloyd on that. But I believe that the
on-line components of the veterans' record are not downloadable to these
individuals' work station. They would have the narrative descriptions of the
rating decisions that they are working on for the immediate case that they are
working on on the personal computer. But_
Ms. Brown-Waite. I would also ask what COVERS, the acronym, what that stands
for?
Mr. Aument. I am not sure, Congresswoman. It is the tracking system that we
use internally and externally in the regional office to track the locations of
veterans' claims folders.
Ms. Brown-Waite. Is that the same system that when I call in on behalf of a
veteran that the file could never be found?
Mr. Aument. I am not really able to answer that question.
Ms. Brown-Waite. Or is that another acronym?
Mr. Aument. Could you restate the question, please?
Ms. Brown-Waite. Is that the same system that when I call in inquiring on
behalf of a constituent that the file can't be found, is this the same system?
Mr. Aument. Quite possibly, yes. The difficulty there would be within the
regional office we could identify it is within the service center but as to
whether or not it is on an individual's desk or on a file cabinet sometimes it
might be imprecise in that fashion. We would be able to track if it has left
the building under the work-at-home program.
Ms. Brown-Waite. I still need the answer to the electronic files question.
Mr. Lloyd. When a veteran rating specialist works at home, they take the
folders with them and they use an application called RBA 2000. That
application allows them to work at home in the development of their rating
information. There is a local database on the PC they use at home that
contains the work that they are doing while they are at home. When they come
back to the office, which I believe is weekly or biweekly, they upload that
information into the corporate database. So while they are working at home
there is information in the development of the ratings that they are doing.
Ms. Brown-Waite. Just a follow-up question, Mr. Chairman.
When you ask them to return all files and equipment, what sanctions were there
if this request was ignored?
Mr. Aument. There were 370 ratings specialists in total working from their
homes who were required to return to the regional offices. I believe that
involved most, if not at all regional offices.
Mike?
Mr. Walcoff. Yeah. Not every station had work at home_had people working at
home. I would say about two-thirds of the stations did and every one of them
has come back to the office with their equipment, with their files.
Ms. Brown-Waite. One other question.
On page 13 of the testimony of Mr. Aument, there was a statement that said
VBA_it is about, almost halfway down the page_information security officers
are required to review users' access and privileges at least quarterly or when
a job change occurs.
After a job change occurs, how soon does that review take place, you know, and
you know job change could be termination?
Mr. Aument. Tom, do you have an answer to that?
Mr. Lloyd. Specifically for the terminations part of the check-out procedure,
the supervisor and HR staff are to inform the Information Security Officer
that the employee has been terminated and the ISO is supposed to remove all
permissions and access on the day that the person leaves. That is the
process.
Ms. Brown-Waite. Has there been any examples of when the access continued after
the employee was terminated?
Mr. Lloyd. I am aware over the course of the years where_especially
interorganizational terminations that we don't always inform each other and
the ISOs didn't know an employee has been terminated.
Ms. Brown-Waite. Has that situation been remedied?
Mr. Aument. One of the things we are doing at the moment with Mr. Lloyd, an
example that he might be referring to where a VHA employee has access to a VBA
system, authorized access, and we may not follow as closely when that
individual changes jobs, is reassigned, retires or is terminated. We are
working with the Department for a solution on that today. That would allow us
access to our payroll system to have these automatic updates provided from the
payroll system to that effect.
Ms. Brown-Waite. Just one quick_
Mr. Miller. Let's go to the other two members and then we will come back.
Ms. Brown-Waite. Okay.
Mr. Miller. Did I hear you right that every file that is taken out or all
information that is taken out you have the ability to track when the
information leaves; is that true?
Mr. Aument. All the files, you know, have a bar code attached to the file.
The procedure is that when a file is_it leaves the building under the work-at-
home program would be to, you know, using the bar code reader check that file
out and at the time it returns check the file back in.
Mr. Miller. But going back to Ms. Brown-Waite's question, that is not an
electronic file, correct? That could be a paper file?
Mr. Aument. That is a paper file.
Mr. Miller. So an electronic file could have been removed and you don't have
a way to track that?
Mr. Aument. We do not have all of the veterans' data_I wish I could say
otherwise_contained in anelectronic file.
Mr. Miller. We know that. All Members of Congress are aware of that.
Mr. Aument. Right. So that the information that they would have access to at
home through RBA 2000 is the information accessible to them.
Mr. Miller. I guess I am still trying to figure out how we are still not sure
today of the information that is missing, who it affects, and it seems like
every week we get a new group of people that are included. How is that so?
Mr. Aument. I believe, and you will certainly have an opportunity to speak to
the next panel, the Inspector General has been looking carefully as to what
access to data this employee actually had. I would like to think that, you
know, we know fully today and that there will be no further disclosures, sir.
Mr. Miller. Thank you.
Mr. Udall, questions?
Mr. Udall. Thank you, Mr. Chairman. According to the IG testimony, a
contractor successfully penetrated the VBA system access to regional office
files, created a fictitious veteran, established an award and mailed an award
letter to a real address.
If all of the policies and procedures you described were in place and
functioning, how was this possible.
Mr. Aument. This incident, Congressman, took place a little over a year ago
at our Waco regional office. Let me start to begin with, and I am sure you
will follow up with our colleagues from the Inspector Generals Office, that
first of all, they were already afforded access to the system. The IG had
requested permission to get inside the firewall. So this did not replicate
the situation where an entity outside VA would have broken into the system to
have done this type of fraudulent activity.
Mr. Udall. Would somebody with the information that was taken out in the case
of this recent employee, would they have been able to use that information and
access the system?
Mr. Aument. No, they would not have.
Mr. Udall. Go ahead.
Mr. Aument. But the Inspector General was already given privileged status to
be inside the system wherein they then conducted what is the equivalent of
sophisticated hacking of captured passwords.
What this really demonstrated would be that a sufficiently skilled VBA
employee with fraudulent intent inside a system, you know, could go ahead and
have replicated the IG's efforts to create a fictitious payment. Now, they
have identified to us the shortcomings, you know, the critical vulnerabilities
and we have taken actions to address those vulnerabilities.
Mr. Udall. So from what you are saying then no longer would somebody within
the system with the access they have be able to do what they did?
Mr. Aument. I believe we have remediated. There was about a dozen different
vulnerabilities they have raised. We have remediated most of those. Any of
those who have not been completed, they are in the process of remediation.
Mr. Udall. According to the IG, VBA senior leadership is not receiving
information concerning the financial costs of correcting conditions identified
by the IG. How can VBA obtain a complete and accurate picture of the
resources and funding needed to remediate security deficiencies without such
information?
Mr. Aument. I am not really certain of what the IG's particular findings and
recommendations are in that regard. I do know that one of the largest
undertakings that we have begun over the past year was the completion of the
original round of certification and accreditation of application systems that
were completed by the end of fiscal year 2005. We have gone through and we
have identified all the tasks that need to be undertaken to remediate the
findings of that process, and we have attached a price tag to each and every
one of those remediations.
We understand what it is going to cost us to solve those problems. Other
types of problems that we believe that we need to be addressing, it is in a
full encryption solution, both for, you know, desktop systems as well as the
transmission systems and our legacy systems. We have attached price tags to
those as well, too.
There may be some financial unknowns, but we believe that we have tried to
address, get our arms around those as best as we possibly can.
Mr. Udall. According to your testimony, in the average month VA receives in
excess of 40,000 requests to change the financial institution or address for
receipt of benefits.
I understand that all financial institution changes for veterans being paid on
Vets Net must be manually adjusted at the Hines BDN. Is this still the case
and when will VetsNet be able to handle such transactions without manual
rekeying of information?
Mr. Aument. Tom, can you answer that? I am not sure that is still true or not.
Mr. Lloyd. I believe, Congressman, that is in the August release. It is the
issue of when they change from check to or from EFT to check.
Mr. Aument. I see.
Mr. Lloyd. And that is in the remediation that was_
Mr. Aument. I don't know if you got that.
Mr. Udall. So they are able to do that now?
Mr. Aument. They will be in August.
Mr. Udall. Thank you very much. Appreciate it.
Mr. Miller. Ms. Hooley.
Ms. Hooley. Thank you, Mr. Chairman. I want to follow up on Ms.
Brown-Waite's question.
I know that you stopped the work-at-home privileges. And a lot of those paper
files had irreplaceable documents in it.
My question is when they took them home, they could, it seems to me they could
take something out of that file and still scan it in. Are there backup copies
of those documents? Are there electronic copies of those documents?
I don't think there is anyone in the room_maybe there is someone here -- that
hasn't at some point lost something out of some file. And so assuming that
they didn't take them deliberately, maybe they just lost them. Are there
backup copies of those documents.
Mr. Aument. No, there are not, Congresswoman.
Ms. Hooley. Is that changing?
Mr. Aument. No, it is not.
Ms. Hooley. Do you think it needs to be changed? If they have irreplaceable
documents, don't you think you need a scan of those?
Mr. Aument. I think we should ultimately move to an electronic record system.
I could not agree more.
Ms. Hooley. And when do you think you can move to an electronic system?
I mean, when you are dealing with that much paper, we have all, every single
one of us here, every Member has known about cases where they can't find the
files. They can't find the documents. But when are we going to get there?
RPTS CALHOUN DCMN MAYER
Mr. Aument. In some of our program business lines we are already there. Our
insurance program uses a totally electronic record, our education program uses
electronic records, totally imaged files. The real challenge for us is our
compensation and pension business line.
I would_one of the places I would encourage you to visit, if you have an
opportunity, is our Records Management Center in St. Louis. There are over 20
million files in that building that represent veterans' claims folders, as well
as service medical records that we receive from the various military services.
The process of converting those files to either electronic images or, more
importantly, data that can be used within the systems is a daunting challenge.
We are attempting to tackle that in the pension component of the compensation
and pension business line through our pension maintenance centers. They are
moving to a totally electronic record, but we are not there yet, Congresswoman.
Ms. Hooley. I saw the letter that went out to the veterans notifying them of
that data breach. My question is_I saw the letter and I didn't think the
information in there was very useful about what to do. So my question is, now
you have got the call centers, and you have got your employees. Have they
been trained to handle questions from the veterans that come up in the process
of their casework? Have they been trained to know what the answers are to the
questions they ask?
Mr. Aument. Yes, we have, Congresswoman. We have attempted to provide a set
of_I hesitate to use the word, but "scripts" or "answers to frequently asked
questions" from concerned veterans. We have been providing those both to the
contract call centers as well as to our public contact teams at our regional
offices.
We are probably now on our fifteenth iteration of updating that list of
frequently asked questions, based upon our experience, coming in from
concerned veterans and callers and their family members. So we have been
doing our best to try and keep them informed with what we understand to be the
types of questions most veterans are asking.
Ms. Hooley. A couple of the most useful things I think you can tell the
veterans is that they can put a fraud alert on their credit reports and they
can get free credit reports, and yet when I went online after this happened,
if you went through the whole system, you might get to that answer.
Are those kinds of things being told to the veterans now?
Mr. Aument. Today, at the call centers and at our regional offices we attempt
to respond to the questions. So if that question is posed, we certainly
provide that information.
Ms. Hooley. That question may not be posed because they may not know enough
to ask that question.
Mr. Aument. Correct.
Ms. Hooley. It seems to me those are things that people should be told that
they can do. They could be told immediately one way to help prevent identity
theft, which is_the whole idea behind this is to prevent identity theft, which
is a very long, tedious process if that happens to you, that they can put a
fraud alert on immediately, and that lasts for 90 days; and they can get a
free credit report, which helps them keep track, to make sure nothing is
happening to their account.
Why isn't that information given to them now?
Mr. Aument. I think I mentioned, in response to Congresswoman Herseth's
question about our mailings, that we are potentially contemplating a second
mailing. Some of the drafts of communications I have read included precisely
that sort of information.
Ms. Hooley. Again, the letter is not being sent, but I would hope that at the
call centers, that is information_without them asking the question, that is
information, here is what you can do.
Mr. Aument. We will take that one on, Congresswoman.
Ms. Hooley. Thank you.
Mr. Miller. We will go to a second round, and I would like to ask the members
if you could ask just one more question to each person so we can move to the
second panel.
To follow up on Ms. Hooley's question, when somebody puts a fraud alert on
their credit file, do you know what the impact is to that file?
Mr. Aument. I profess no expertise in that, Mr. Chairman. As far as_I have
seen some different iterations of the various levels of protections, just over
the past couple of weeks, that can be involved and the terms of art that apply
to a fraud alert versus a credit freeze versus something else. I know that
there are various levels of protection afforded there. Some would require
that the individual who invokes that type of a credit check would ask to be
contacted by one of the credit bureaus in the event that anyone attempted to
obtain credit using that Social Security number.
We also understand that some of these types of provisions vary on a State-to-
State basis as well, so that there are some differences based upon where a
veteran may reside.
Mr. Miller. I think the thing that confuses a lot of us is that the mistake
was made by VA, yet the burden has been placed on the back of the veteran. I
am trying to figure out, why isn't VA being more proactive, other than sending
out a letter, and if there is a way to make a mass notification to credit
bureaus of the information, because you know who they are because you sent
letters to them.
If it is not going to negatively affect them in one way or another and their
ability to get credit or their borrowing power, wouldn't that be a
responsibility of VA?
I mean, every time I hear VA talk about the issue, it is what the veteran can
do to protect their identity. My God, they thought their identity was
protected. VA screwed up and now we are putting the onus on the backs of the
veterans that are out there.
Mr. Aument. There have been_I would acknowledge that too. I believe_I feel
that all of us in VA are very concerned about that, that we believe that we
need to be doing more to try, as you have suggested, proactively to help
assist veterans in this process.
Some of the solutions that I have seen proposed so far_I believe that we will
be seeing further steps that are going to be taken, but there has to have been
some actual vetting of what the best solution actually is.
Mr. Miller. Do you know how long it takes to steal somebody's identity? We
are vetting. We are how many weeks past the time it was stolen and we are
still vetting?
Mr. Aument. Part of the question there, Mr. Chairman, is whether or not all
veterans want to have a solution imposed upon them, and that is_one of the
questions that we are wrestling with is, will all veterans, for example, want
to have credit freezes or fraud alerts established on their accounts? Because
there is some difference of views on that.
Mr. Miller. That is why I asked not about a credit freeze but a fraud alert.
There is a difference.
Dr. Boozman.
Mr. Boozman. I will go ahead and yield again to the gentlelady.
Ms. Berkley. Thank you, Chairman Miller and Mr. Boozman.
You said that you would like us to go to electronic as fast as possible. Is
it a matter of money? Is it a matter of personnel? Because if I am here 20
years from now I have this sinking sensation that you and I will be having the
same conversation.
One thing I have noticed about government is that we are very slow to embrace
technology. Even the United States Congress isn't where it needs to be.
Is it a matter of money or personnel or a lack of desire? When are we moving
actually to the 21st century?
Mr. Aument. Congresswoman, I believe it is probably a combination of all of
the above to one degree or another.
There is probably_one other factor to add to the list that you have just put
out too is trying maintain our focus on bringing through to completion some of
the projects that we are already undertaking_VETS NET, for example. I am sure
everybody wants to have an opportunity to mention that.
Ms. Berkley. What is the current status of VETS NET, since I can only ask one
question?
Mr. Aument. We were up here on May 12th briefing the staff. We gave a
relatively complete briefing there.
We are in the process of attempting to implement all of the recommendations
that the Software Engineering Institute had given to us in their report they
completed last fall, and we owe the committee a report back by the end of
August with an end-to-end plan for implementation of VETS NET.
However, my point was that moving now to tackle an electronic records project,
as valuable as it is_I think that one of the reasons we are still uncompleted
on VETS NET is moving to other distractions. And not that it is not a very
important undertaking on that, too, but we believe that we need to first
deliver on those things that we already have in progress.
Mr. Miller. Dr. Boozman.
Ms. Berkley. Thank you.
Mr. Boozman. When will VBA be fully compliant with the Federal Information
Security Management Act?
Mr. Aument. The first steps we have at the moment are to complete the
certification and accreditation, remediation projects that are on our plate.
We have_most of those are either under way or scheduled for completion. We
believe that we should complete those. I would say that we could probably
complete those within the next 2 years.
Some of those involve minor construction types of projects to control physical
security, but I would say probably within 2 years.
Mr. Boozman. So compliant within 2 years, you think?
Mr. Aument. I believe so.
Mr. Boozman. I guess, and I am trying to adhere to the chairman's wish of one
question thing, but I would like to comment again, you have done a tremendous
job of getting records. You are moving that right in that direction.
I am an optometrist. I know how it is with charts, when you have got 100,000
patients among the clinic and you have got a chart on somebody's desk. And
you have a system of dealing with that now that I am sure works pretty well.
You lose charts now, you lose records.
On the other hand, we are faced with this challenge of moving over in the
other direction. But it does seem like it makes sense to me that rather than
the VA spending a tremendous amount of money, which we are doing_Social
Security spending a tremendous amount of money, DOD, Medicare. Medicare is
pushing very hard for physicians to get all of their stuff electronic. So you
can imagine the challenge that they are going to have in securing this stuff.
It does seem like the Secretary, yourself, your counterparts at HHS would sit
down and say, I will give so much, you give so much, let's come up with a deal
because it is interoperable as far as security. That is the only comment I
have got.
I wish you would carry that back. And, again, somebody has got to show some
leadership in this area and kind of get it going in the right direction.
Mr. Aument. I will take that back, Mr. Chairman.
Mr. Miller. Ms. Herseth.
Ms. Herseth. Thank you.
On page 13 of your written testimony_and you referred to it in your oral
testimony today_you mentioned that VBA is also considering expanding the use
of terminal servers as a means of reducing or eliminating the amount of
information stored locally on a remote user's work station.
I would contend that you need to move beyond considering and actually move to
expanding it. And in the first hearing we had I shared a little bit of
experience in the private sector where even at my work station in the office I
couldn't save anything other than what was centrally located in the system,
let alone accessing information remotely and storing it_the way I read that
is, if you are a remote user, that means you are outside of the VA facility,
your office, and you are able to store something locally. That means at home,
to me. That is sort of what brought us here today.
So I would just make that point and ask you if_what are the barriers to
expanding the use of these terminal servers? Is it just a matter of resources?
Mr. Aument. Resources is a consideration, but it also takes some technical
engineering as well to make sure that we would be able to put in place a
solution such as terminal servers.
Let me suggest to you that we are already_before we would even consider
putting the ratings specialist back in a position working at home, that is, a
solution that we would be imposing on them for any of the work-at-homes, would
be that they would only be able to access the application, the RBA 2000, only
be able to access that via terminal server.
Mr. Miller. Ms. Hooley.
Ms. Hooley. Thank you.
I am just going to go back to the fraud alert, credit freeze, credit monitoring.
Fraud alert and credit freeze are very different. Everybody can do a fraud
alert that has had their data security breached. Not every State allows a
credit freeze, we don't have a national standard, but you can do a fraud
alert; and you need to tell veterans they can do that and what it means.
They can get a free credit report, which they need to do; and again, you can
tell them all they need to do is call one number or go online and they can do
that. So you need to make sure that they know that.
And then what I would hope you would do is look at_for those that want it,
that you have some kind of credit monitoring service, which I think is really
how you best help the veteran.
I know, Mr. Miller, when you were talking about the veteran has to do this,
the veteran has to do that, putting_first of all, they need to know that they
can do a fraud alert, a free credit report, but free credit monitoring is a
one thing you can do for veterans. They still have to sign up for it.
I know I was a victim of a security breach, and they allowed us to have free
credit monitoring; and actually what I was told is, they couldn't sign us up
for it, but we could subscribe to it. So we got the paperwork at home; it was
very simple, it was literally signing your name and a date, saying, I want
free credit monitoring service.
I would hope that you would seriously look at that as an option for our
veterans. I think they need some peace of mind, and that is really how they
are going to get it, is through a credit monitoring system.
The question I have is, you talked about the number of files that are sitting
in your_one of your offices. How long is that going to take to get all of
those on electronic files so that we don't have_so we aren't losing,
literally, documents that are_I mean, they are not duplicated anywhere. How
long is that going to take?
Mr. Aument. For the 20 million records that reside at our Records Management
Center, Congresswoman, I would probably propose that we would probably never
image those. Many of those are inactive files, some pertaining to deceased
veterans that because of Federal records management requirements we need to
maintain for some specified period of time. Many of those inactive files
would not be certainly where we would begin in moving towards imaging of
records.
We would likely begin probably making some conscious business decisions with
those records that enter into the system that are newly created and entering
into the system and going backwards then with those at the time that veterans
reopen claims, possibly seeking increased ratings or claiming other
disabilities.
We would probably try to put together a logical progression such as that.
Ms. Hooley. How long would that take?
Mr. Aument. I have no idea.
Mr. Miller. Thank you very much for your testimony this morning. I am sure
members have other questions and they will be getting to you after the
hearing. Thank you very much.
I would like to ask the second panel, if they would, to move forward. While
everybody's getting situated I am going to go ahead and introduce the second
panel.
Mr. Michael Staley is the Assistant Inspector General for Audit at VA's Office
of Inspector General. He is accompanied by Mr. Stephen Gaskell, Director of
Central Office Audit Operations.
Mr. Gregory Wilshusen is the Director of Information Security Issues at the
U.S. Government Accountability Office, and he is accompanied by Ms. Linda
Koontz, Director of Information Management Issues.
STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT,
ACCOMPANIED BY STEPHEN GASKELL, DIRECTOR, CENTRAL OFFICE AUDIT OPERATIONS
DIVISION, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS' AFFAIRS;
AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, ACCOMPANIED BY
LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT
ACCOUNTABILITY OFFICE
Mr. Miller. We thank you for being with the Subcommittees today; and, Mr.
Staley, we will begin with you, please.
STATEMENT OF MICHAEL STALEY
Mr. Staley. Mr. Chairman and members of the subcommittee, thank you for the
opportunity to testify today on the results of our, reviews, which continue to
address information security vulnerabilities in the VA and to report on the
status of VA's implementation of our records.
I have with me today Stephen Gaskell, who served as a project manager on these
IT audits.
We have conducted a number of audits and evaluations on information management
security and information technology systems that have shown the need for
continued improvements in addressing security vulnerabilities in VA and, as
such, we have included IT security as a major management challenge for the
Department in all of the major challenge reports issued since the fiscal year
2000.
In our annual financial statements we have reported VA information security
controls as a material weakness since our fiscal year 1997 audit.
Specifically, we have reported that VA's financial data and sensitive veteran
medical and disability information are at risk due to vulnerabilities related
to access controls, change controls, the need to segregate duties and the need
to improve service continuity practices.
My IT security program auditors have identified and reported on significant
information security weaknesses since 2001. All four of these annual audits
have reported on similar issues, and the recurring themes in these reports are
the need for a centralized approach and to achieve standardization,
remediation of identified weaknesses, and accountability in VA information
security.
For the Veterans Benefit Administration we have continued to report control
weaknesses in access controls, physical security, electronic security and
employee security. Our combined assessment program reviews continue to report
security and access control vulnerabilities at VA regional offices where
security issues were evaluated.
For example, at regional offices we have identified the need to strengthen
physical security and access controls, procedures for providing employee
security training and for obtaining background checks.
We have issued our most recent IT security program review in draft to VA for
comment. While it is not our general practice to comment on draft reports
before they are published, because of the extensive public interest in these
information security issues, I have described the issues that VA is addressing
in my written testimony.
In closing, I would like the committee to know the reviews of the VA's
information security will remain a top priority for my office. We remain
committed to reporting on the adequacy of IT security controls, and following
up on actions taken by VA to strengthen these controls, we remain dedicated to
the goal of protecting our Nation's veterans.
Mr. Chairman and members of the subcommittee, thank you again for this
opportunity. I would be pleased to answer any questions.
[The statement of Mr. Staley appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. In the past, the IG has found some instances where terminated or
separated employees retained access to critical systems identified at various
locations.
Whose responsibility is it to ensure that former VBA employees don't have
access to computer systems and information and such?
Mr. Staley. That is correct, Mr. Chairman. We have been finding that during
our combined assessment program reviews. Access controls actually have been
found during our financial statement audits and when we do testing during our
FISMA reviews.
Mr. Miller. Can you tell who is making_are they accessing or do they just
have the ability to access?
Mr. Staley. They have the ability to access.
Mr. Miller. Are you finding that anybody is trying to access after the fact?
Mr. Staley. Not any specific examples I can give you at this time.
Mr. Miller. I would go to Dr. Boozman, but he will yield to Ms. Berkley. So
Ms. Berkley.
Ms. Berkley. Cut out the middleman.
Let me ask you a question. According to your opening statement, this was a
disaster waiting to happen, so I assume that you weren't overwhelmingly
surprised when this theft occurred?
Mr. Staley. I would have to say that I think you are always concerned when
something like this happens to_whether it be one veteran or all of us
veterans. I know myself, my data is also on that listing.
Ms. Berkley. My husband received his letter as well.
Had the VA implemented your recommendations, could this have been avoided?
Mr. Staley. It is very difficult to say whether this particular incident
could be avoided. The issues that we have talked about for these many years
have addressed network security issues, access control issues.
In response to this specific issue, we do have an administrative investigation
ongoing which we hope to report on to the Department at the end of this month.
And we will be asking for comments and hope to actually issue the report for
you mid-July or so.
Ms. Berkley. During the prior two hearings on this topic, we heard a
significant amount about the culture at the VA. This culture is characterized
as entrenched and indifferent relating to IT projects.
Does VBA's fielding of VETS NET, a project that is in the works for over a
decade now, relate to such cultural problems?
Mr. Staley. I think what we had been talking about is the 16 or so issues
that we presented, before you really speak to the issue of standardization;
and that can only be accomplished if the three administrations work
collectively to address them as one voice.
Ms. Berkley. Is VETS NET the solution to the problems?
Mr. Staley. Well, VETS NET is a solution to an aging benefits delivery
network system. I think_of course, I joined the VA in 1971, and I believe
Target 1 by Honeywell was just starting at that time, so it is 30 years, may
even be 40 years old. We need to find solutions to replace these platforms,
and VETS NET is attempting to do that.
We have not reviewed VETS NET, we have not studied VETS NET; we are waiting
for this contractor to complete his review, which I believe is due this
summer. But we have been overseeing the progress and getting briefings on the
progress of VETS NET.
Ms. Berkley. Thank you.
Mr. Miller. Dr. Boozman.
Mr. Boozman. Thank you, Mr. Chairman.
Earlier we had testimony that VBA estimates that they will have full
compliance in 2 years with the Federal Information Securtiy Management Act.
Do you feel like that is possible?
Mr. Staley. I feel for many of the issues that we have been identifying each
year, the fixes are fairly dependent on vigilance. It is an issue of having
very strong access controls, having your users only have information that they
need information for. Many of these fixes can be done relatively soon.
For the bigger issues, such as VETS NET and replacing platforms, I do know
that the Department is working on these major system initiatives; and I have
seen their timelines and charts and whatnot. Some of them are out to fiscal
year 2008, 2009 and 2010.
Mr. Boozman. As we move_is that a "yes" or a "no"?
Mr. Staley. For many of them, a 2-year timeline is feasible. For platform
replacement issues, I could not say.
Mr. Boozman. When you get into going from one extreme to the other, when you
get into encrypting and things like that, will that slow down_do you run into
problems then with a slowdown of the systems?
Mr. Staley. That is one of the issues that the Department is facing with many
of these aging systems and that they were constructed 30-some-odd years ago.
From what the technicians are telling us, that could be a possible outcome to
adding software that would encrypt data. So it is possible.
Mr. Boozman. Our current system, can it identify instances of large downloads
of data?
Mr. Staley. It is my understanding that you can_you will get a log of the
time that someone is in a system but not necessarily what is being downloaded.
Mr. Boozman. Do you, in investigating this and being a part of it, do you see
any accompanying legislation that we need to do for VA to help them in dealing
with the problem?
Mr. Staley. Well, I am really not in a position to comment on new
legislation. Obviously, from my audit perspective, compliance with FISMA and
remediating the issues that we have identified is one issue. I do know
thatsometime in May, OMB issued instructions to all the agencies to take a
strong look at the security issue, which I believe they are required to report
in their next FISMA report in 2006.
Mr. Boozman. You mentioned security access and then also you mentioned
background checks. So we have got the problem that we are dealing with in
this regard, and then too, as far as the background checks, to actually_even
if you have those systems in place and having the appropriate people hired,
what is the problem with background checks?
We learned at an earlier hearing that we have a physician that has a history
of being a sexual offender. What's the deal?
Mr. Staley. From what we are seeing, it is a coordination problem from the
point of the program office that that employee begins to work for, the HR
division that is responsible for processing paperwork, and then the security
and law enforcement. So it is the process of actually requesting these
background checks timely, to get them done.
And then the Department has also discussed the fact that it does take time to
do these background checks; but there are various tiers of background checks
that can be performed, and some of them only require law enforcement,
fingerprinting-type procedures, and others are far more extensive and they
take more time.
Mr. Boozman. Does it is make sense that all of our agencies_again, Medicare,
as they go to an all-physician record situation and stuff where all that is
digitalized and things, does it make sense for the agencies to talk to each
other and try and figure this out together versus spending millions of dollars
independently?
Mr. Staley. It would make sense to communicate and work with as many agencies
as possible.
Mr. Boozman. Thank you, Mr. Chairman.
Mr. Miller. If we could, Mr. Wilshusen, if you would proceed with your
testimony.
STATEMENT OF GREGORY WILSHUSEN
Mr. Wilshusen. Chairman Miller, Chairman Boozman and members of the
subcommittees, thank you for inviting us to participate in today's joint
hearing on data security at the Veterans Benefits Administration.
The recent well-publicized security breach at the Department of Veterans'
Affairs has highlighted the importance of good information security controls
and protecting personally identifiable information not only at VA but
throughout government.
As we have reported on many occasions, poor information security controls is a
widespread problem that can have devastating consequences such as the
disruption of critical operations and unauthorized disclosure of highly
sensitive information.
Today, I will discuss the recurring security weaknesses that have been
reported at VA, including those at VBA, what agencies can do to prevent
breaches of personal information and the notification of individuals when
such breaches occur.
Since 1998, GAO and the VA IG have reported on wide-ranging deficiencies in
VA's information security controls, including the lack of effective controls
to prevent individuals from gaining unauthorized access to VA systems and
sensitive data. In addition, the Department had not consistently provided
adequate physical security for its computer facilities, assigned duties in a
manner that segregated incompatible functions, controlled changes to its
operating systems, or updated and tested its disaster recovery plans.
These deficiencies existed in part because VA had not fully implemented key
components of a comprehensive information security program, including the lack
of centralized management and an approach for addressing security challenges.
Although VA has taken steps to improve security, its efforts have not been
sufficient to effectively protect its information and information systems. As
a result, these remain vulnerable to inadvertent or deliberate misuse, loss or
improper disclosure, as the recent breach demonstrates.
In addition to providing and implementing a robust security program, agencies
such as VBA can better protect personally identifiable information by
conducting privacy impact assessments that determine up front how personal
information is to be collected, stored, shared and managed, so that controls
can be built in from the beginning, by limiting access to the information and
training personnel accordingly, and appropriately using technology controls
such as encryption.
VBA officials have informed us that since the May 3rd incident they have
taken, or plan to take, a number of steps to enhance protection of veterans'
personal information. These include reviewing and recertifying user access to
sensitive information, evaluating encryption technologies for transmitting and
storing data, and requiring privacy and cybersecurity training for all VBA
employees by June 30.
Although we have not reviewed these actions and cannot comment on their
sufficiency or effectiveness at this time, they appear to be important first
steps. However, the true test will be VBA's ability to fully implement and
sustain appropriate protections over the long term.
Nonetheless, even with security and privacy protections in place, breaches can
occur, particularly if enforcement is lax or employees willfully disregard
policy. When such breaches occur, appropriate, sufficient, and timely
notification to those affected have clear benefits, allowing people the
opportunity to protect themselves from identity theft.
In summary, long-standing control weaknesses at VA have placed its information
systems and information at increased risk of misuse and improper disclosure.
Although VA has made progress in mitigating previously reported weaknesses, it
has not taken all the steps necessary to address these serious issues. Only
through strong leadership and sustained management commitment can VA implement
a comprehensive information security program that can effectively manage risk
on an ongoing basis.
Mr. Chairman, this concludes my statement. Ms. Koontz and I will be happy to
answer questions.
[The statement of Mr. Wilshusen and Ms. Koontz appears on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. In terms of information security can you give us some type of a
feel as to how VA or VBA fits within other agencies? Is everybody failing?
Mr. Wilshusen. No, everybody is not failing. One measure that would be
important is, the FISMA reports that agencies are required to submit to
Congress and to the OMB regarding their implementation of the provisions of
the Federal Information Security Management Act, or FISMA. Each year we
perform an analysis of those reports, and we found that over the past 4 out of
5 years VA typically has ended up towards the bottom end of the scale whereas
other agencies, particularly some of the smaller, single-mission-type
organizations tend to score higher. But what VA has done, too, is not
dissimilar to other large complex organizations.
Mr. Miller. Do you have any role in seeing that your recommendations are
implemented? Is there any follow-up at all with the reports that you make?
Mr. Wilshusen. Yes, there is. We follow up on all of our recommendations
that we make, yes.
Mr. Miller. And when a recommendation is not followed then next year, you
bring it up again and you follow it up and you do it again next year? It
would seem pretty exasperating if that was what your job was year in and year
out.
Mr. Wilshusen. We do find that agencies, including VA, do take some
corrective actions to address specific weaknesses, but often they do not
address the larger recommendations that relate to the underlying causes of
those weaknesses.
For example, we have routinely reported_again, we haven't done much work at VA
for a number of years, but we would follow up and look at the underlying
reasons that we felt dealt with not having a comprehensive information
security program that has been fully developed, documented and implemented at
the agency.
And so what that does is, while they may take corrective actions on specific
technical findings that we identify, often what may happen is, they only
correct them at the sites or the systems that we looked at and they don't look
across the organization, across other similar systems, to take corrective
actions on those same weaknesses.
Mr. Miller. Do they ever come back and say, this is a distraction, we can't
deal with this right now, we have this other thing we are working on right here?
Mr. Wilshusen. Never in those blunt words. We often -- often they concur
with our recommendations, and I think they try to take action. But sometimes
it is a challenging endeavor for many organizations in the Federal Government
because, one, the computing environment is very complex and the threats and
the types of risks are constantly changing. It is a very dynamic environment.
There are challenges. But with appropriate and well-defined and executed
information security programs, they can address those risks.
Mr. Miller. Thank you.
Ms. Berkley.
Ms. Berkley. Thank you. I wish that we would have had this panel before the
first panel because I would like to have heard the first panel's response to
some of your testimony.
Since May 3rd, have you detected any change in behavior or attitude with the
VA? In your opinion, do they recognize the seriousness of what has transpired
and are moving to implement corrective action so this can't happen again?
Mr. Wilshusen. We had one meeting with the VBA officials in order to collect
some of the information about actions that they have taken or plan to take in
response to this incident. Just from that one meeting it seems like they are
very concerned and are trying to take the actions, but again, the proof is in
the pudding.
Once the actions and policies have been decided and developed, they need to
execute and implement those. That will take time and commitment over a long
period of time.
Ms. Berkley. So you had a meeting with the VBA officials, discussed with them
what they need to do. And now how do you follow up and make sure this is
happening? Or is that not your job? If it is not your job, whose job is it?
Mr. Wilshusen. Actually, the work we do is, by and large, requested by_either
requested by Congress or congressional committees and/or mandated.
We have received several requests, and there have been some potential mandates
proposed where we would do some work in this area, but we have not done any
yet.
Ms. Berkley. Perhaps Mr. Boozman is going to ask the question that he asked
previously, but what is it that_would you need any additional legislation from
Congress, or how could we do our jobs better so that you can do your job
better, and ultimately, VBA and the Veterans Administration can protect the
privacy of our veterans?
Mr. Wilshusen. Well, with regard to information security, as Mr. Staley
pointed out, there is a law called the Federal Information Security Management
Act of 2002, FISMA, and that provides a comprehensive framework for
implementing security throughout a Federal agency; assigns specific
responsibilities to the head of the agency, senior managers, to the CIO. In
addition, it requires each agency to develop, document and implement an
agency-wide security information program that contains several elements.
That law has, I believe, raised the level of attention given to information
security and provides a solid framework for agencies to follow in order to
implement better security.
The fact is that many agencies still have difficulty in fully implementing
those programs. So I don't know if additional legislation is needed.
Certainly in terms of what we need to do in having been requested to go in and
do follow-up work, we can do that.
Ms. Berkley. Thank you.
Mr. Miller. Dr. Boozman.
Mr. Boozman. Thank you.
Mr. Wilshusen, we talked earlier about H.R. 4061, and the approach the
committee felt might be a little more effective by centralizing the system a
little bit more than they are now. As you work with the other agencies, can
you comment on that? Is this something that you found to be effective or is
the decentralized approach better?
Mr. Wilshusen. We haven't done a systematic review of the other Federal
agencies in terms of their organization, of how the CIO is organized relative
to the other program offices; but what we have found is that for information
security, centralization having a central management approach is preferable,
because the interconnections between the systems and the types of policies and
procedures that are in place at one agency or component could have an impact
on other elements or components within that agency.
So we wholeheartedly endorse having a centralized managed approach to
implementing security at a Federal agency.
Mr. Boozman. As you deal with these problems system-wide, it does seem
like_again, with Medicare pushing hard to get electronic records, things like
that, that ability is far outpacing again the transition from where do we put
the charts, where do we put the records versus we can secure that, how do we
secure this other thing.
What_in your experience, what agencies are doing a better job?
Mr. Wilshusen. Well, certainly the use of electronic records and using the
interconnectivity of systems has brought tremendous benefits to Federal
agencies in terms of being able to deliver government services to the people.
But those same benefits and opportunities are subjected to and can create
significant risks if adequate safeguards are not built into those
technologies.
We have found that it is imperative that agencies consider and build security
into these systems from the very beginning throughout the entire life cycle,
rather than trying to add them on as an afterthought. They tend to be more
expensive and they tend to be less effective.
So certainly one of the things that agencies need to do when converting paper
records to electronic records is think about and implement and design security
controls up front.
Mr. Boozman. Is there a model agency out there?
Mr. Wilshusen. I think that probably some of the different agencies have
varied experiences in doing this. I don't know if there is a model agency per
se in terms of implementing security on electronic systems. At most of the
agencies we go to, where we have done specific testing of the controls, we
generally find weaknesses on each system or most of the systems we look at.
Mr. Boozman. It doesn't make sense_again, I am harping on this. It doesn't
make sense to me; I guess I am asking if it does to you.
But we want VA_and VA has done a good job of switching over; we want VA to be
able to talk to DOD. We want Medicare_I think we will foresee a time where
Medicare and VA should be talking to each other as far as medical records and
pharmacy records and all those kinds of things.
But it does seem like, in making things interoperable and in solving some of
these problems, you want more access to the records through all these different
agencies. But then how do you secure that access?
It does seem like that needs to be set up as you go along, as you just said,
rather than trying to backtrack at some point and figure out how do we do
this.
I guess my question is, how do you do that? There doesn't seem to be much
talk among the agencies, so that_you really wouldn't comment on a model out
there, but I am sure there are some good ones that are better than others.
How do we get that done?
Mr. Wilshusen. Well, one way is, what agencies need to do_and I believe there
is a CIO Council that can meet to discuss issues that cut across different
agencies. And certainly this could be a topic for that council to start
addressing, looking at government-wide security requirements that are needed
for these systems as they develop them. So that would be one way, through
there.
But definitely what agencies need to do, as they develop their systems, is to
assess the risks, categorize the type of information they are going to be
collecting and storing on those systems, and determine what the appropriate
level of security over that information will be.
Ms. Koontz. If I can just add, from a privacy perspective, too, this is one
of the reasons that we have emphasized the importance of agencies implementing
the privacy impact assessments which are required under the
E-Government Act, and that is a way of looking at the implications of
collecting, handling and disseminating personally identifiable information in
an agency and being able to build controls up front before the information is
collected and before the system is built.
You are absolutely right that once these things are done, it is very difficult
to retrofit. And I think that you are also right in that technology is
creating tremendous challenges for agencies in terms of balancing
accessibility with security and privacy concerns; and I think there is a role
here for the Congress in terms of policy, as well as for agencies in terms of
implementation.
Mr. Boozman. Thank you very much.
Thank you, Mr. Chairman.
Mr. Miller. Dr. Boozman, any closing comments?
Mr. Boozman. I appreciate your leadership in this area and getting the two
committees together. I think the VA is to be complimented in the sense that
it has done a very good job of moving forward. We pressed them hard to get
the records in digital format and things like that.
So we have done a good job that way, but we have lagged much, much behind and
as we have talked about, having the security that goes along with that. It is
something that not only VA has got to work very hard on, but it is a
system-wide problem. Testimony mentioned the problems not only of the data
but having the right people there.
So there are so many things like this that we have really got to shore up not
only in the VA, but system-wide.
Again, I know that our Subcommittee, the Committee in general, in a very
bipartisan way, is committed to doing whatever it takes legislatively to give
the agencies, in our case, specifically, the VA, the tools.
Thank you, Mr. Chairman.
Mr. Miller. Thank you very much, also, for your leadership and again for a
bipartisan approach.
We thank everybody for their testimony today. While there has apparently been
no identity theft that we are aware of, we all agree that the potential is
great. We must continue to work together to make sure that nothing like this
happens again, and while this information continues to be floating out there
somewhere, that nobody's credit or identity is harmed by what has happened.
I appreciate everybody being here today. Members will have 5 legislative days
in which to add their statements to the record.
[The statements appear on p. ]
<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>
Mr. Miller. Without any further comment, this joint subcommittee meeting is
adjourned.
[Whereupon, at 11:54 a.m., the joint hearing of the subcommittees was
adjourned.]
�