[109th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access]
WHICH VA IT ORGANIZATIONAL STRUCTURE WOULD HAVE BEST PREVENTED VA'S MELTDOWN IN INFORMATION MANAGEMENT
HEARING BEFORE THE COMMITTEE ON VETERANS' AFFAIRS HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS SECOND SESSION
JUNE 28, 2006
Printed for the use of the Committee on Veterans' Affairs
Serial No. 109-58
U.S. GOVERNMENT PRINTING OFFICE 25-454 PDF WASHINGTON : 2007
COMMITTEE ON VETERANS' AFFAIRS
STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida; TERRY EVERETT, Alabama; CLIFF STEARNS, Florida; DAN BURTON, Indiana; JERRY MORAN, Kansas; RICHARD H. BAKER, Louisiana; HENRY E. BROWN, Jr., South Carolina; JEFF MILLER, Florida; JOHN BOOZMAN, Arkansas; JEB BRADLEY, New Hampshire; GINNY BROWN-WAITE, Florida; MICHAEL R. TURNER, Ohio; JOHN CAMPBELL, California
LANE EVANS, Illinois, Ranking; BOB FILNER, California; LUIS V. GUTIERREZ, Illinois; CORRINE BROWN, Florida; VIC SNYDER, Arkansas; MICHAEL H. MICHAUD, Maine; STEPHANIE HERSETH, South Dakota; TED STRICKLAND, Ohio; DARLENE HOOLEY, Oregon; SILVESTRE REYES, Texas; SHELLEY BERKLEY, Nevada; TOM UDALL, New Mexico
JAMES M. LARIVIERE, Staff Director
CONTENTS June 28, 2006 Page
Which VA IT Organizational Structure Would Have Best Prevented VA's ``Meltdown'' In Information Management ..... 1
OPENING STATEMENTS
Chairman Buyer ........................................... 1
Hon. Bob Filner .......................................... 3
Prepared statement of Mr. Filner ....................... 50
Hon. Sam Farr (introduction of his constituent, Robert J. Brandewie, Defense Manpower Data Center) ............... 4
WITNESSES
Gauss, Hon.
John A., Ph.D., President and Chief Operating Officer, FGM, Inc. (former Chief Information Officer, U.S. Department of Veterans Affairs) .......................... 7
Prepared statement of Hon. John A. Gauss ................. 59
McFarland, Hon. Robert (former Assistant Secretary for Information and Technology, and former Chief Information Officer, U.S. Department of Veterans Affairs) .............. 9
Howard, MG Robert T. (Ret.), Senior Advisor to the Deputy Secretary, Supervisor, Office of Information Technology, U.S. Department of Veterans Affairs.......................... 10
Prepared statement of Hon. Robert Howard ................. 61
Brandewie, Robert J., Director, Defense Manpower Data Center..................................................... 12
Prepared statement of Mr. Robert Brandewie ...............
Bresson, Jim, Vice President and Managing Partner, Gartner Consulting ............................................. 14
Prepared statement of Mr. Jim Bresson .................... 73
WHICH VA IT ORGANIZATIONAL STRUCTURE WOULD HAVE BEST PREVENTED VA'S MELTDOWN IN INFORMATION MANAGEMENT
Wednesday, June 28, 2006
House of Representatives Committee on Veterans' Affairs Washington, D.C.
The committee met, pursuant to call, at 10:40 a.m., in Room 334, Cannon House Office Building, Hon. Steve Buyer [chairman of the committee] presiding.
Present: Representatives Buyer, Bilirakis, Boozman, Filner, Brown of Florida, Brown-Waite, Udall, Salazar, Moran, Stearns, Herseth.
The Chairman. The full Committee of House Veterans' Affairs Committee will come to order June 28th, 2006. Good morning, ladies and gentlemen. This is the fourth full Committee oversight hearing on the recent theft of sensitive information belonging to as many as 26.5 million veterans and 2.2 million servicemembers and their family members from a VA employee's home in May of 2006.
We will receive testimony today from current and former Department of Veterans Affairs' Chief Information Officers. This testimony will help us examine the VA's information technology reorganization and review the Secretary's decision to move to a federated model versus a centralized approach recommended by VA's own consultant, Gartner Consulting, which is one of the most leading-edge technology companies and they are experts with whom we have consulted. That judgment was also in the complete opposite direction to that which the House had recommended in the passage of legislation last year. This hearing will also focus on institutional barriers to an integrated departmental policy on cyber security and to protection of sensitive personal data presented by VA's current IT organizational structure. Further, we will examine the implication of information security as it relates to the organization of VA IT. As we examine information management and security, two federal statutes are of central importance, the Clinger-Cohen Act of 1996 and the Federal Information Security Management Act of 2002, more commonly known as FISMA. The Clinger-Cohen Act created a Chief Information Officer for each federal agency. As defined by Clinger-Cohen, the CIO's responsibilities include: One, assisting the agency head to ensure that IT is acquired and information resources are managed in a manner that implements the policies and procedures of the agency; Two, developing, maintaining, and facilitating a sound and integrated IT architecture for the agency; And, three, promoting an effective and efficient design and operation of all major information resources management processes of the agency. This Committee's examination of VA's information management over the past eight years has clearly shown the extent and impact of information management decentralization at the VA.
The Department's CIO is not fully empowered to enforce policy and cannot fulfill either the letter or the intent of Clinger-Cohen. In our questioning last week of Tim McLain, the VA's General Counsel, we saw how the Department's lawyers in 2004 gave the narrowest of possible interpretations of then Secretary Anthony Principi's decision to centralize IT authority. The General Counsel's questionable opinion that his directive was outside the statutory authority of FISMA, I believe, was a contributing factor to the 16 unmitigated vulnerabilities. I have referred to his legal opinion as a heterodox legal opinion. The Federal Information Security Management Act or FISMA requires each agency to inventory its major computer systems, identify appropriate security protections, and develop, document, and implement an agency-wide information security program. FISMA also requires an annual independent review of the agency's information security program. This review assesses the effectiveness of the information security programs, plans, and compliance with FISMA. The Office of Management and Budget is then required to compile a summary of federal government security performance and report to Congress on the implementation of FISMA. In our hearing last week on academic and legal implications of the VA's data loss, I said the Department does not identify who is in charge of developing policy, implementing policy, or enforcing policy. The March 2006 FISMA report confirms my statement, indicating VA received a grade of "F" in a category on establishing and following information security policy. Today, despite evidence piled high over the years, the Department's refusal to get control of its IT systems undermines efficiency, threatens the security of sensitive information, and endangers patient safety, despite the fact of the unprecedented data compromise that has revealed much larger problems related to decentralization.
The centurions of the status quo in VA administrations, especially in its health administration, insist on protecting their turf, and veterans and families, I believe, could pay the price. Today through the eyes of two former VA CIOs, Bob McFarland and Dr. John Gauss, we have a unique opportunity to examine what occurred within the Department during the years that this evidence accumulated and was sadly disregarded by many who could have made a difference. We also welcome General Bob Howard, the VA's Acting Assistant Secretary for Information and Technology; Robert Brandewie is the Director of Defense Manpower Data Center; and Jim Bresson is a Managing Partner and Vice President of Gartner Consulting. Gentlemen, we thank you in advance for your willingness to be here and to contribute to these proceedings. I believe your insights today will be extremely important. I also would like to recognize in the audience today, we have veterans from the Merchant Marines of World War II. We thank you for your presence. We welcome you to the Veterans' Affairs Committee room, and we thank you for your service to country. You and your generation truly have made a difference in freedom of the world and you left liberty in your footsteps. I would like you to know we have some votes that are now about to occur. I will recognize Mr. Filner for an opening statement. And then I would welcome the Merchant Mariners to meet. There is a room directly behind. And what I will have is when we leave, I will turn you over to Kelly Craven, our Staff Director. Kelly is right here. Kelly, if you will stand up. And I will have Committee staff speak with the Merchant Mariners. Mr. Filner.
Mr. Filner. Thank you, Mr. Chairman, and thank you for your courtesy to the Mariners who are here. As you know, many are in their late seventies and eighties, served our country in World War II, had the highest casualty rates of any service in the war. And, yet, when the war was over, the GI Bill did not apply to them.
And even later attempts to make up for a past injustice were not done. They missed out on the college education provided by the GI Bill, purchase of homes. As you know, Mr. Chairman, I have a bill, House Resolution 23, called a Belated Thank You to our Merchant Mariners of World War II. A majority of the Congress, over 260, have co-sponsored it. A majority of this Committee has co-sponsored it. And I think they would like to talk to you and your staff about trying to get a vote on that at some point in this Congress. So I appreciate your courtesy, Mr. Chairman. Am I recognized for the opening statement on this hearing? And we will have votes and the staff of both Democrats and Republicans will be talking to you and we will try to join you later during the hearing. Again, Mr. Chairman, your opening --
The Chairman. Mr. Filner --
Mr. Filner. Yes, sir.
The Chairman. -- if I could do this by way of procedure. Mr. Farr of California is here and he would like to introduce one of the witnesses here today. Can we yield to Mr. Farr?
Mr. Filner. Please.
The Chairman. Can we do that for an introduction?
Mr. Filner. I will be happy to.
The Chairman. Mr. Farr.
Mr. Farr. Thank you very much, Mr. Chairman and members of the Committee. It is a pleasure for me. I am a member of the Appropriations Subcommittee with this jurisdiction, the military quality of life and Veterans' Affairs. And we had a similar hearing yesterday. In that hearing, the Chairman was there and I appreciate this effort. I want to just tell you that out in my district, I represent the former Ft. Ord, which is the largest military base ever closed in the United States, and out of that, the Department of Defense kept a Manpower Development Center there. It is a center where all of the personnel information for all of the people in the military and their families is kept.
And it is available 24/7, and you get calls from all over the world from spouses wondering about healthcare insurance or about issues of family or soldiers or, you know, divorce status or all the kinds of data that one would have. And that center has been leading in helping the Department of Veterans Affairs with their security issues. And the fellow who has really done the work to keep this center a state-of-the-art, quality center in that is Robert Brandewie who is here as a speaker today. He has developed the Defense Biometric Identification System which has centralized the database. It integrates biometric and other information. He has also received all kinds of awards and is now being considered as one of the four finalists for the 2006 Service to America Medal to be awarded in September. And it is just a pleasure to have somebody with such high skills and such incredible accomplishments come and share what they are actually doing on the ground to help men and women in uniform. So I thank you for allowing me to introduce my constituent to you and good luck with your Committee.
The Chairman. Thank you very much, Mr. Farr. We appreciate your work on Appropriations as you work with us to come to these solutions and be of assistance to the VA. So thank you for your quality work. Members, we have one vote. It is a motion to adjourn. I would like to recess the Committee. When we return, then Mr. Filner will give an opening statement and we will proceed with testimony. The Committee stands in recess for about seven minutes.
[Recess.]
The Chairman. The Committee will come back to order. Mr. Filner, you are now recognized for an opening statement.
Mr. Filner. Mr. Chairman, since we have kept these people waiting through the vote, I am going to submit my statement for the record. I do agree with what you said and so I do not need to add anything. I would just like to add one little remark, if I may. Mr.
Chairman, Secretary Nicholson said that they are going to correct this problem, but we have to be patient. And I think we know what he means by being patient, as you have been personally working on it. It took the VA at least seven years to address this problem. And during our May 25th hearing, you directed VA officials to submit a chronology, time lines of events related to the handling of information related to the data loss, and you asked it for about ten days. I note that over one month has now elapsed since the breach, and we are still being asked to be patient to respond to your request. We might think about directing VA to provide these time lines by the end of close of business today. Maybe we should consider asking that they be prepared independently, have them signed under a perjury clause, witnessed and sealed by the Inspector General. We should have these time lines not only from the panel that we met with on May 25th, but also from the witnesses scheduled for tomorrow. I think it is time to send a message that we have been patient long enough. Thank you, Mr. Chairman.
[The statement of Bob Filner appears on p. ]
The Chairman. Mr. Filner, all members that may have opening statements will be submitted for the record. And I thank the gentleman for bringing that issue back to the Chair's attention. I note that sitting in the audience is the Deputy Secretary, and if you could make sure that someone has that prepared. Any questions on it, please be in touch with the Staff Director. And if you could bring that with you tomorrow and submit it to the Committee. Someone, I am sure, has been working on it. And I think that is probably the best way to handle that, Mr. Filner. Would that be acceptable?
Mr. Filner. That is fine.
The Chairman. All right. Should not be any problem with that, should there?
Deputy Secretary Mansfield. No.
The Chairman. Okay. All right. With this panel, we have an Army veteran, Robert McFarland.
He served in the Vietnam War. He was nominated by President George W. Bush to serve as the Assistant Secretary for Information and Technology in the Department of Veterans Affairs on October 15th, 2003, and was confirmed by the Senate on January 22nd, 2004. Prior to his appointment, he served as Vice President of Government Relations for Dell Computer Corporation. Mr. McFarland left the Department of Veterans Affairs on May 18th of 2006. We will also hear testimony from Dr. John Gauss who served 32 years in the United States Navy. Following his retirement, Rear Admiral Gauss was nominated by the President and confirmed by the Senate to serve as the Assistant Secretary for Information and Technology and Chief Information Officer for the Department of Veterans Affairs from August 2001 through June 2003. Rear Admiral Gauss transitioned from government service to the private sector accepting a senior position with Science Applications International Corporation in September of 2003. His primary focus at this company was the Olympic C4I Security Project considered critical for safe and successful 2004 Summer Olympic Games in Athens, Greece. In January of 2005, Admiral Gauss founded Gauss Consulting Services and in February 2006, he joined FGM, Incorporated as the company's President. We will also hear testimony from Major General Howard. General Howard is the Acting Assistant Secretary for Information and Technology and Acting Chief Information Officer at the Department of Veterans Affairs. We will also hear from Mr. Brandewie who currently serves as the Director, Defense Manpower Data Center, Field Activity, reporting to the Office of the Secretary of Defense, Personnel and Readiness. He is responsible for the oversight of the largest and most comprehensive automated personnel database in DoD, management of a dozen major operational DoD programs, and supervision of a multi-disciplinary staff of approximately 800.
Recently he led the DMDC efforts to redesign the Department's medical benefits and entitlements database for the new TRICARE system, to design and field a comprehensive web authentication capability for the Department of Defense, to develop and field an identification card and biometric-based force protection system now widely deployed throughout the world, and to design and develop and field the common access smart card as the new DoD identification card. Currently more than ten million have been issued. Pronounce it Bresson?
Mr. Bresson. It is actually Bresson.
The Chairman. Bresson. Jim Bresson is the Vice President of Gartner Consulting where he was the managing partner for U.S. Department of Veterans Affairs within Gartner's USA Federal Consulting Practice. He is based in Arlington, Virginia, and his responsibilities for Gartner Consulting involve business development, associate development, and engagement and delivery. We look forward to your testimony, and we will start with you Dr. Admiral Gauss. Which do you want, Dr., Admiral, Secretary?
Admiral Gauss. John is fine, sir.
The Chairman. All right, John. Proceed. Do all of you have written testimony?
Admiral Gauss. Yes, sir.
The Chairman. All of you do, even -- Mr. McFarland, do you not?
Mr. McFarland. No.
The Chairman. So Mr. Brandewie, Dr. Gauss, Major General Howard, and Mr. Bresson, all of you have written testimony. It will be submitted for the record. Hearing no objection, so ordered. You are now recognized, John.
STATEMENTS OF HON. JOHN A. GAUSS, PRESIDENT AND CHIEF OPERATING OFFICER, FGM, INC., (FORMER ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS); HON. ROBERT MCFARLAND (FORMER ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY AND FORMER CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS); MG ROBERT T.
HOWARD (RET.), SENIOR ADVISOR TO THE DEPUTY SECRETARY, SUPERVISOR, OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; ROBERT J. BRANDEWIE, DIRECTOR, DEFENSE MANPOWER DATA CENTER; JIM BRESSON, VICE PRESIDENT AND MANAGING PARTNER, GARTNER CONSULTING; ACCOMPANIED BY JOE CLARKE, DIRECTOR, GARTNER CONSULTING
STATEMENT OF JOHN A. GAUSS
Admiral Gauss. Thank you, Mr. Chairman. Good morning to members of the Committee. Thank you for inviting me here today to discuss the important issues related to the Department of Veterans Affairs' information technology reorganization efforts. I would like to provide the Committee with some background information to help in understanding the thought process that goes into the remarks that follow. At the time of my confirmation hearing as the VA's Chief Information Officer, the Department was faced with many challenges, including an ever-expanding IT budget, programs that were defined in a stovepipe manner due to the lack of an enterprise architecture, programs that were consistently overrunning budget, behind schedule, failing to meet their performance parameters. The Department was faced with implementing a comprehensive cyber security program and having to implement an executive oversight process which was a recurring deficiency in many GAO audits.
As a result of the above and as presented in my opening statement before the Senate Veterans' Affairs Committee on 2 August 2001, during my confirmation hearing, I stated that I had five strategic objectives: First, complete the enterprise architecture road map for the future; Two, integrate the disparate telecommunications networks to improve performance and responsiveness for our veterans; Three, implement a strong information security program and infrastructure; Four, create a program and project management process to oversee and help information technology program managers deliver products that meet requirements, are delivered on time, and stay within budget; And, finally, establish information technology metrics to continuously measure our ability to meet our veterans' needs. Although implementing a strong information security program is listed as number three in the above list, it was my number one priority. Establishing a comprehensive enterprise architecture and integrating the telecommunications networks were placed higher in the order since I believe they are prerequisites to attacking the cyber security problem. During my 32 years in the Navy, I learned to address organizational issues by using the following simple thought process: First, define the problem to be solved; Second, define the optimal yet affordable solution to the problem; Three, define what work should be accomplished by government and what work should be performed by industry and then organize to implement.
Given the problems and strategic objectives defined above, I concluded three things: First, all IT programs and IT related activities affecting the three administrations and the central office should be centrally managed at the Department level with funding located in the departments and not the administration's budgets, specifically enterprise architecture, cyber security, telecommunications networks, corporate data centers, any program with the above characteristic that would result from developing a comprehensive enterprise architecture such as VA-wide registration and eligibility and a central call center, and, finally, all IT programs under the auspices of any VA central office code; Second, all development activities related to individual administration of IT programs should be managed at the Department level and funded from the Administration budget because they are the ones who have the business requirement for the program; And, third, the operations and maintenance of in- service IT systems directly related to mission execution within an Administration should be managed by that Administration subject to a comprehensive budget and funding execution approval process with ultimate authority for approving the expenditure of funds residing in the Office of the CIO. I recognize that the above conclusions are not consistent with current thinking, but I would respectfully ask the Committee to consider the following: Without a central management of the development activities, how will the Department ever implement a comprehensive, enterprise-wide enterprise architecture to eliminate duplication, to cross-functionally integrate the business processes, and ultimately slow or stop the growth of the Department's IT budget? I hope this information will help the Committee in its deliberations. Thank you for the opportunity. I stand ready to answer questions.
The Chairman. Thank you very much. Mr. McFarland, you are now recognized.
[The statement of John A.
Gauss appears on p. ]
STATEMENT OF ROBERT MCFARLAND
Mr. McFarland. Thank you, Mr. Chairman. Although I have no prepared statement, I have had the privilege to appear before this Committee on many occasions over the last two plus years. Our discussions have always been frank, and I have appreciated this Committee's support in my previous efforts to bring the VA's information and technology infrastructure into the 21st century. I am honored to be here today and would be pleased to answer any questions this Committee may have regarding my experiences while Assistant Secretary and CIO at the Department.
The Chairman. You sound like a man that has been at a trout stream.
Mr. Filner. Explain it to us city guys.
The Chairman. Explain it to a city guy?
Mr. Filner. Yeah.
The Chairman. Well, you know, he worked at the Department for a long time. He took a break. He got jammed while he was there for a while. He went to a trout stream to gather his mind, and we have pulled him back to Washington, D.C. He is not too excited about being back in Washington, D.C. And he says I will show up, but that does not mean I have to give a statement. And if you want to ask any questions of me, go right ahead.
Mr. Filner. Thank you, sir.
The Chairman. So that sounds like a man with a clear mind that has been to a trout stream.
Mr. Filner. All right. Now I get it. Thank you.
The Chairman. You got it? Is that about right, Mr. McFarland?
Mr. McFarland. That is pretty close, sir.
The Chairman. All right. Thank you. General Howard, you are now recognized.
STATEMENT OF ROBERT HOWARD
General Howard. Mr. Chairman and members of the Committee, good morning. Thank you for your invitation to discuss the Department of Veterans Affairs' information and technology reorganization plan and the recent data loss incident. First a short update on the VA IT realignment. The VA IT system model has been developed and approved.
The key focus is to transition the IT community to operate within a management system that separates the development and operations and maintenance domains. VA will establish required business practices and processes that harmonize the oversight and budgetary responsibilities of the Office of the CIO, the functionality of the domains, and business relationships of the IT service provider and the customer for all IT activities across the entire VA. As background, in an executive decision memo dated October 19th, 2005, the Secretary of the Department of Veterans Affairs approved the concept of a new IT management system for the VA. This decision to move to a new management construct was made to correct long-standing deficiencies in the current decentralized IT management system. The concept separates the IT community into two domains, an operations and maintenance domain that is the responsibility of the Assistant Secretary for Information and Technology and a smaller application development domain that is the responsibility of the administrations and staff offices. Although the domains are separated, the VA CIO will retain oversight responsibilities for all VA IT projects. As Secretary Nicholson testified at the House Appropriations Committee hearing yesterday, the long-range plan is to also centralize the application development domain under the CIO. The new VA IT management system will clearly enhance the Department's ability to strengthen the protection of sensitive information. 
With all information security officers reporting to the CIO under this new management system, the CIO will be able to: One, create and operate the agency-wide information security program; Two, establish information security policies and procedures and control techniques for the agency which when followed will ensure compliance with all of the above requirements; Three, to train and oversee personnel with significant responsibilities for information security; And, finally, assist senior agency officials concerning their information security responsibilities including the analysis process. The VA IT system model was developed as a framework for the future IT management system. The principal elements of the model include the following: Definitions of the roles, responsibilities, and initial boundaries between the operations and maintenance domain and the application development domain. And this includes determination of business needs and priorities. Although the domains are separated, the model prescribes procedures between the domains in order to provide the CIO with oversight and budget responsibilities for all VA IT projects. It also provides the authority, delegation of authority, and governance structure and process for the conduct of all VA IT related business. The model also contains key IT service delivery business process flows and sample scenarios to illustrate how domain activities are coordinated by these process flows. These flows must be clearly defined to reflect the critical interdependence of business applications and the performance of the IT infrastructure. Finally, the model contains a recommended "to be" organization for the Office of the CIO designed to balance the tactical needs of operating a complex infrastructure as a shared service with the strategic needs of aligning IT resources to best meet the mission requirements of the Department. 
Transitioning now to the recent data loss incident, as you are aware, the Secretary initiated several recent actions to tighten our privacy and data security programs. On May 24th, the Data Security Assessment and Strengthening of Control Program was established to provide a high priority, and much more focused effort to strengthen our data privacy and security procedures. The two principal objectives of this program are to first reduce the risk of a reoccurrence of incidents such as the recent data loss and second to remedy the material weakness reported by the Inspector General. There are three phases to this effort: Assessment, strengthening of controls, and enforcement. We are almost through the assessment phase and have actions underway in the other two phases as well. On May 26th, the Secretary issued a directive that requires the top leadership to instruct all VA managers, supervisors, and team leaders of their duty and responsibility to protect sensitive and confidential information. In this memo, the Secretary also announced that he had convened a task force of VA senior leaders to review all aspects of information security and make recommendations to strengthen our protection of sensitive information. One of the first tasks of this group is to complete an inventory of all positions requiring access to sensitive VA data and to complete that by the end of June. This past Monday, we began a Security Awareness Week at all VA facilities. We are emphasizing training in privacy and cyber security for all employees. We require all VA employees, contractors, and volunteers to complete both cyber security and privacy training annually. Normally employees are required to complete this training by September 30th of each year. However, given the recent incident, the Secretary has directed that this be accomplished by the end of June.
We will be conducting a department-wide inventory of laptops to ensure that they carry the encryption and other cyber security software necessary to ensure remote access users are operating in a safe and secure environment. This effort is on hold, however, due to several class action lawsuits. It will continue once legal clearance is obtained. Finally we are reviewing all policies, directives, and handbooks related to privacy, cyber security, and records management to ensure they are accurate, clear, and focused. All of these efforts will provide for a more secure environment for sensitive data used in the VA. Mr. Chairman, that concludes my statement. Thank you for the opportunity to appear before you today.
The Chairman. Thank you very much. Mr. Brandewie, you are now recognized.
[The statement of Robert Howard appears on p. ]
STATEMENT OF ROBERT BRANDEWIE
Mr. Brandewie. Mr. Chairman and members of the Committee, thank you for the opportunity to appear before you today to discuss the data exchanges between the Department of Defense and the Department of Veterans Affairs. Our center is a central repository of automated human resource information in the Department of Defense, and we have been actively engaged with the DVA on most of the personnel information flowing between the two departments. These exchanges are very basic to providing an improved experience for the veteran and also for coordination of benefits between the two departments. It is important to note that these exchanges have been ongoing for more than 25 years. The purpose of the data exchanges between DVA and DoD is twofold: To provide information to the DVA on currently serving and recently separated individuals who are eligible for DVA benefits and services, and to competently administer programs in both agencies that benefit servicemembers, former servicemembers, and their families.
These data exchanges can be categorized as follows: Data for administering educational benefits, active duty and selected Reserve, Montgomery GI Bill; data for administering insurance programs, specifically veterans group life insurance; data for epidemiological studies and for assessing post-war illness; data for coordination of benefits and prevention of fraud, waste, and abuse; and data to estimate veteran population and expedite delivery of benefits.
Data exchanges with the VA, although long-standing, have expanded in breadth in recent years. And an effort to consolidate the exchanges began in earnest about three years ago. Close cooperation and increased exchanges of information have also received encouragement from the Congress and the Administration. For example, the President's management agenda directed efforts to make the transition from DoD to the DVA seamless, and I quote, ``Transition should be seamless from the veterans' perspective and could be made seamless through data sharing between VA and DoD as well as within VA.'' Public Law 108-136 established an interagency Committee known as the DVA DoD Joint Executive Council to direct joint coordination and data sharing efforts between the two departments.
DoD believes there is great value to current servicemembers and veterans in the close cooperation evidenced by these data exchanges that has developed between DoD and the Department of Veterans Affairs. However, it is equally important that the exchanges are done with utmost attention to security to ensure no unauthorized disclosure of information. The DVA has been a partner with us in the implementation of secure transfer between the two agencies. In that regard, we have continued to improve that process and add security to this data transfer process. My organization did the work to assess the impact of the recent data breach on currently serving active duty, Reserve, and Guard members.
We continue to work on mitigation efforts with respect to the compromised information. In spite of this tragic loss, it is important to reinforce the point there are many benefits to current data exchanges between the two departments. They are done securely and they result in better service and better benefit delivery for servicemembers and veterans.
Mr. Chairman, I thank the Committee for the opportunity to report on data exchanges between DoD and DVA and would welcome the opportunity to answer any questions.
The Chairman. Thank you very much.
[The statement of Robert Brandewie appears on p. ]
The Chairman. We have another vote, just one vote. It is a procedural vote. So we are going to have to stand in recess for about seven minutes, and we will return.
[Recess.]
The Chairman. All right. The hearing will come back to order. The Chair now recognizes Mr. Bresson for his statement.

STATEMENT OF JIM BRESSON

Mr. Bresson. Mr. Chairman, Mr. Vice Chairman, and members of the Committee, I appreciate the opportunity to participate in today's hearing regarding the Department of Veterans Affairs' information technology reorganization plan and VA's decision to pursue the federated model. I am a managing partner within the consulting division at Gartner, the leading provider of research and analysis in the global IT industry. I am accompanied today by my colleague, Joe Clarke, Director with Gartner Consulting, who is the lead subject matter expert in the methodologies we employed in our most recent consulting engagement for the VA. Unlike many of our competitors, Gartner does not offer IT systems or software implementation services that would compromise our independence and objectivity. It is our objectivity combined with our past performance at the VA that was the basis for Gartner Consulting being selected to convert our originally recommended centralized model to a federated model at VA leadership's direction.
I was the lead consultant for this effort. In December 2005, the Assistant Secretary for IT directed Gartner Consulting to determine the best approach to implement a federated model for VA. Our focus was on ensuring that the VA's federated model would yield a blueprint for implementation that incorporated the seven critical dimensions to achieving a higher performing IT organization at the VA. Those seven dimensions are:
One, organizational structure, the structure in which the IT organization delivers value at a risk level that is tolerable to the Department and best supports its one VA mission;
Two, processes, the critical IT processes, their interfaces, and their dependencies required for IT delivery across the Department;
Three, roles, the IT management practices, responsibilities, and accountabilities required for IT delivery, what VA associates need to do to deliver IT value;
Four, IT services, the necessary IT capabilities that are valued and readily understood by the VA's business community, not just the IT community;
Five, guiding principles, the IT policies that establish focus, governance, and the decision-making fabric within and between VA's IT and business communities;
Six, performance management, the definition of IT performance objectives and success criteria and high-level analysis of IT performance relative to peers in government, insurance, and healthcare delivery;
Seven, culture and norms, the changes required in the underlying culture and norms to effect improved IT management behaviors.
In my written testimony, I have provided details about how Gartner Consulting derived roles and responsibilities and simulated scenarios to illustrate for VA's consideration how the federated approach would work within VA's environment. It is important to note as we have in our intermittent engagements with the VA that organizational structure alone is not the silver bullet. It is just one dimension of necessary change to the existing IT organization at VA.
There is a tendency for government agencies to want to jump straight to organizational structure alone when seeking to initiate and drive change. Encouraging desirable IT management behavior is less about structure and is more about relentless focus on strategy and execution. Gartner research and our engagement results indicate that the VA must allow for a balance between line of business autonomy and common enterprise-wide needs. VA's desired end state is not small change. It will require overt, firm, sustained action and persistent messaging supportive of the change from all levels of leadership across the Department. What will be critical is sustaining the focus of executive leadership in seeing this change through and realizing improved IT performance. Whether VA leadership will achieve the desired end state in an expeditious manner may be less important than whether they are able to successfully institutionalize the federated IT management system. I firmly believe that VA leadership is taking the right steps forward.
Mr. Chairman, Mr. Vice President, and members of the Committee, this concludes my statement. Thank you again for the opportunity to discuss such an important matter to support our veterans. I would be pleased to respond to any questions that you or other members of the Committee may have at this time.
[The statement of Jim Bresson appears on p. ]
The Chairman. Well, I would like to pick up right where you left off. I firmly believe the VA is now taking the right steps. You have to reconcile that. You have to reconcile that with the testimony that Gartner Consulting gave to this Committee and your recommendation for a centralized model that was stiff-armed by the VA. You are a consultant to the VA; are you not?
Mr. Bresson. We have been a consultant on occasion to the VA. We are --
The Chairman. Are you a consultant to the VA right now?
Mr. Bresson. We are currently not under engagement with the VA.
The Chairman. Okay.
And were you hired in as a consultant to the VA with regard to the federated approach and its implementation?
Mr. Bresson. Yes, we were.
The Chairman. Do you anticipate future work with the VA?
Mr. Bresson. I would like to anticipate future work with the VA, yes, sir.
The Chairman. And would your future anticipation to work with the VA have anything to do with your last statement before this Committee?
Mr. Bresson. Not at all, sir. Not at all.
The Chairman. Then reconcile your testimony, sir.
Mr. Bresson. Okay. I believe, as I said earlier, that organizational structure is one dimension. The work that we did in converting the model that was recommended last spring, 2005 that is, to the federated model dove down deep into processes, roles, services, principles, performance management, and culture and norms. And in constructing that model, we identified for the VA what path forward they should take in order to make this adhere in their environment. And I believe that from that model they are stepping toward that direction heeding what we advised them to do.
The Chairman. Does Gartner Consulting as a company still stand by its recommendation to the United States Congress that the VA centralize, have a centralized model for IT management?
Mr. Bresson. We do stand by that, sir.
The Chairman. In your written testimony to the Committee, I note that you have a quote in here, ``Given the poor state of the VA's IT investment management process and the stated demand to drive benefits over a shorter horizon, we recommended the centralization option to maximize the opportunity to create value for our veterans.'' You stand by that statement today?
Mr. Bresson. Yes, we do, sir.
The Chairman. Okay. Now, Gartner has given this statement, calls it, ``The poor state of VA's IT investment management.'' Well, now I am going to turn to Dr. Gauss and Mr. McFarland.
Can you explain to me why Gartner Consulting would call it a poor state of investment management when, in fact, both of you were the managers?
Admiral Gauss. Mr. Chairman, I really have no idea why that finding was uncovered. I can speak to the time between July of 2001 and June of 2003. When I first became CIO, our capital investment control process for IT was poor. And with a focused effort and working with the Office of Management and Budget, within one year, we turned around our process from a budget submission to OMB of about a five percent first pass acceptance to about a 95 percent first pass acceptance. And after I departed VA, there was a substantial gap before Mr. McFarland became CIO. And during that interval, I know I do not know what went on at VA and I am not sure whether Mr. McFarland does.
The Chairman. Mr. McFarland, what are your thoughts with regard to that statement?
Mr. McFarland. Sir, I believe that we continued the enterprise information board environment that Dr. Gauss started which was to review the individual development projects and sustainment projects. But our biggest issue was not making the decisions over which investments were good investments, although where I came from, we dealt with ROI, which is a difficult thing to do in the government because it is not the same as it is in the private sector. But what we had a problem with was the use of the funds, and this, as you know, is something I was focused on for quite a while, which was to change the budget environment. So when you use the words poor state of investment management, I think what Gartner was trying to say is that you may pass at an executive level a project spend plan and a project budget, and then the dissemination of that money and the use of that money in many cases which is not being able to be tracked and followed through the chain as it is used out in the field.
And I think that to me was the area where I felt the investment management process was failing, in the budget itself and the expense of the money, because we were never sure that the money was spent on exactly what it had been appropriated for. And to me, that, I think, is what Gartner was trying to say when they said part of the issue of poor investment management process.
The Chairman. To Mr. Bresson, I want you to know that we recognize that a movement to cure is more than just about structure. We recognize that. But we also have painfully recognized over the years, and we have embraced the testimony that Gartner had given to this Committee and the counsel that they gave to the VA prior to their judgment on which option to choose. The reason we do focus on structure and lines of authority is that as we do the forensics here of trying to put this together in understanding what went wrong, we cannot move to cure until we create the right structure with the proper lines of authority so that we know who has authority to do what, who has the tools to do what. And so that is kind of why we are focusing on those kinds of things at the moment. We recognize culture and many other things that you also had testified to. The ROI mentality, Mr. McFarland, that you brought to the VA, we have no objections to that at all because we are looking out at the interest of taxpayers, had to deal with the pains that you did with regard to the CoreFLS and the VETSNET. And there is a reason that we here in Congress wanted the development side under your gentlemen's authorities. And we understand that they fight against that, and we recognize that there are crucibles out there for initiative and that your job is not to say no to that, but just to make sure that it is all compliant under the one architecture. Gentlemen, we are considering many things in our packages. So what I would like to do here today, we want to do some forensics, we want your opinion on cure.
What are your thoughts that if we were to, in our package we are to elevate the position of the CIO to an Under Secretary? Mr. McFarland?
Mr. McFarland. I would think that would be a good move, sir. I believe that in this day and age, the VA like any other agency simply cannot do business for its veterans without an IT infrastructure.
The Chairman. And then if we make the CISO a Deputy Secretary right under the CIO as an Under Secretary?
Mr. McFarland. You mean an Assistant Secretary, sir?
The Chairman. Assistant Secretary, yes.
Mr. McFarland. I certainly would applaud those moves because I think that the infrastructure that runs the VA today in its current state is an IT infrastructure and it is important enough that given the past history that those moves would certainly help. It would give the CIO an equal seat at the table with the main administrations to be able to provide the service that keeps the business running.
The Chairman. Admiral Gauss?
Admiral Gauss. Mr. Chairman, I think your idea is an excellent one. And if I may, I have been associated in management positions in the last 14 years of government service where I have had the opportunity to observe how Chief Information Officers can be effective not only at the Department of Veterans Affairs but in other parts of government as well. Without the Chief Information Officer being elevated to the status of Under Secretary or Under Secretary equivalent, the CIO does not have a seat at the table at any department within government, and the founders or the people who created the Clinger-Cohen Act will continue to be disappointed in results until such a bold action is taken. I would highly endorse your suggestion, sir.
The Chairman. Thank you. Mr. Filner.
Mr. Filner. Thank you, Mr. Chairman. Thank you for putting together this panel. I learned a lot today. Mr. Chairman, you said you cannot move to a cure unless certain steps were taken, and I would include in those steps at least a recognition of the problem and get out of a sense of denial. Every time Mr. Howard referred to what happened on May 3rd, the incident. I do not know if you have been out in the field talking to veterans, but they are scared to death. You got 26 million or more people worried about identity theft. We have had testimony here that if it was a professional has the data, and there are some circumstances about the theft that may lead to that conclusion, it may be a year before they even know that their identity has been stolen. So we have a major disaster here. And until you guys start calling it that, I do not think we are going to get the kind of response that we need. So I hope you folks in the front row there will take that message back to the Secretary, that if he is in a state of denial still, although, I do not know, it took a week to hear the other news, maybe he will not get this message by tomorrow.
Dr. Gauss, you started, your opening sentence was quite an indictment of this situation. Could you just read that for me again or did you have that written out?
Admiral Gauss. Yes, sir. At the time of my confirmation hearing --
Mr. Filner. No, no. Before that. I think it was the first sentence. You outlined the situation as you saw what was --
Admiral Gauss. Yes, sir. That was at the time of my confirmation --
Mr. Filner. Oh, okay.
Admiral Gauss. -- the Department was faced with --
Mr. Filner. Okay. Right.
Admiral Gauss. -- an ever-expanding IT budget, programs that were defined in a stovepipe manner due to the lack of an enterprise architecture, programs that were consistently overrunning budget, behind schedule, and failing to meet their performance requirements, was faced with implementing a comprehensive cyber security program, and having to institute executive-level oversight process as a result of a recurring theme of GAO reports.
Mr. Filner. I mean, I would like to ask a very generalized set of questions that maybe several of you can respond to. I mean, that is a cultural indictment, and I would like to know if it still exists as you see it, Mr. McFarland? Has it changed? Why hasn't it changed? What did you think of the Pollyanna statement by Mr. Howard, everything has changed and we are moving forward? And I might just for Dr. Gauss, I was not at the hearing, but I think at one hearing where Chairman Buyer said to you, would you like to have centralized line control of the system, and I guess you had to say no at that time. I do not know if that was your personal opinion or OMB's opinion because I think they had to approve your statements here. But if you can go back from that statement, and has anything changed since you have left? Does Mr. Howard's statement sound right to you? I mean, and what needs to be changed for it to come true? Please, and then Mr. McFarland if he can. Get him off the trout stream there.
Admiral Gauss. Let us see. I am really not qualified to discuss what has happened recently because my knowledge of what has happened is what I have read in the newspaper and in preparing for this hearing, material that I found on the VA web site.
Mr. Filner. But you were there for a couple years.
Admiral Gauss. Yes, sir.
Mr. Filner. So did it change while you were there?
Admiral Gauss. During that time --
Mr. Filner. You mentioned one major thing.
Admiral Gauss. For the record, sir, all of the testimony that I gave in front of this Committee was my testimony. It was the truth. I was not influenced by OMB or my senior --
Mr. Filner. They did not have to be approved?
Admiral Gauss. I am sure it had to be approved, but I held no punches and I spoke my views.
Mr. Filner. We did have testimony at an earlier hearing of one of, I think, your successors, Mr. Brody, right, who said, because I asked him, he said that he could not say what he wanted to say because it was approved by OMB.
So that seemed to be the procedure.
Admiral Gauss. I stand by today --
Mr. Filner. Okay. Thank you.
Admiral Gauss. -- the testimony that I gave in front of the Subcommittee at the hearings for which I participated. Now, from a cultural perspective --
Mr. Filner. Did I get that right that you said no to Mr. Buyer when he said would you like to have the centralized control?
Admiral Gauss. I believe that in my answer, I qualified it along the terms of what I had in my opening statement, that I felt that the development activity should be centralized. The CIOs should have the authority over all development activities, but that the operations and maintenance of the products that were deployed to the field should still be distributed within the administrations.
And a little bit of the background, we are all an invention of our past. And having served for 32 years in the Navy, I look at the model that is proposed today and it equates to allowing commanding officers to develop their command and control capability, but, yet, to operate it, maintain it, and fix it, you have to go back to the Pentagon. And somehow that just does not seem right based on my experience.
As far as the culture goes, there were cultural impediments at VA that precluded making progress while I was there. Specifically at the executive level, there was commitment to have reform, but there was not commitment to effect the type of change necessary to make that reform. When you find you are broke, the processes and procedures you operate under are not going to fix you because if they would, you would not be broke in the first place. So change was fundamental, but the attitude was fix it within the current process.
Second, the VA concurrence process is onerous. In my testimony in September of 2002, I talked about a memo the Secretary had signed in August directing the centralization of IT activities.
I testified in front of the Subcommittee that we put a team together to build a plan and it would go to the Secretary by November of 2002. That did not happen. It took until May to get it done because the VA concurrence process waters everything down to the lowest common denominator in which people can agree. I was told one time I could not offer a differing view because nothing goes to the Secretary without the principals concurring.
And, three, the financial management of the programs, the money is distributed into the Administration budget, at least it was during the two years I was there, for such things as enterprise architecture, cyber security, the data networks, all of the infrastructure things needed to run, the machinery needed to run the IT at the Department and for the administrations, and it was left to my office to have to get the money from the administrations in the year of execution. The budgets should reflect the execution because at the end of the day, the real organization follows the flow of the money. And with the money spread in execution, it is very difficult to get the resources one needs to execute the job.
Mr. Filner. Okay. That was pretty clear. Mr. McFarland, would you concur or do you have anything to add to that?
Mr. McFarland. I do concur with Dr. Gauss on the state of what he left was pretty much what I found when I got there. I believe the VA has moved forward in doing some things that will make the job easier. With the help of this Committee and Congress, there is now a consolidated budget, although I would tell you that I was disappointed that the budget contained only nonpay dollars and not the full budget. I will be frank about that. That does allow better oversight over the spend. There is now under this federated model at least a consolidation of the infrastructure. And where I might disagree with Dr. Gauss a little bit, I do believe that the infrastructure has to be consolidated because I believe that if you do not consolidate the infrastructure under the CIO, then all you will do is be involved with directives and guidelines over policy of privacy and security. Without control of that infrastructure, technical control of that infrastructure, you cannot ensure that the environment is safe. So I would disagree. I believe the infrastructure should be consolidated and that not only -- all those assets need to be under a single control. The --
Mr. Filner. Mr. Howard, are you heading in that direction or not?
General Howard. Sir, with respect to the operations and maintenance domain, we are. And as I indicated in my testimony --
Mr. Filner. Wait, wait. He just said something very clear. He said control of the infrastructure.
General Howard. Yes, sir.
Mr. Filner. Is that what you are talking about or not?
General Howard. With respect to the operations and maintenance infrastructure, that is correct. The data centers --
Mr. Filner. But he was not restricting it like you are. I mean, he did not have any qualification over infrastructure. What other part of the infrastructure there is? Development?
General Howard. Development is not included in the --
Mr. Filner. Why not?
General Howard. -- IT organization that has currently been approved.
Mr. Filner. That is the point, Mr. Howard. I am saying should it be in that? Mr. McFarland, did you include what he said, operations, maintenance, and development in the consolidated structure --
Mr. McFarland. Under the current plan --
Mr. Filner. -- infrastructure?
Mr. McFarland. Under the current plan --
Mr. Filner. I do not even talk the language you do, so I am trying to get this.
Mr. McFarland. I understand. Infrastructure to me does not include development. Infrastructure is the basic assets and people necessary to provide the IT service to the community.
In the current federated model, that infrastructure is supposed to be consolidated under the CIO. And the administrations and staff offices become users of that infrastructure. I strongly believe you cannot allow the infrastructure to be managed by administrations and staff offices.
Mr. Filner. So explain to me the differences in federated model and the centralized model. I mean, what --
Mr. McFarland. The difference --
Mr. Filner. -- is included in one and not the other?
Mr. McFarland. The difference under the Gartner scenarios that were developed is only one issue, that the applications development, the development of new products to serve the needs of veterans in each of the administrations and staff offices, whether it be a financial system or whether it be a medical system, the development of those products, application development, is done in the federated model by the administrations. Everything else is managed by the CIO. In the centralized model, all of that would be managed by the CIO. And what would happen would be the staff offices and the administrations would provide the specifications and requirements for their needs to the CIO who would then go to the marketplace and develop those products for them.
Mr. Filner. And you agree that that is okay?
Mr. McFarland. I am sorry, sir.
Mr. Filner. We got word directly from the Secretary about what Mr. Howard should say, so maybe you should read the note for us, Mr. Howard.
The Chairman. Mr. McFarland, to be responsive to the question, I think it would be that do you concur with the centralized model that development should be under authorities of the CIO? I think that is where Mr. Filner was getting to.
Mr. McFarland. I have been on record from day one as being preferring the centralized model. I have agreed to support the federated model when I was in office because that was the recommendation of the agency and it was candidly the best I could get.
Mr. Filner. And give me again as concise as you can why -- you defined the federated -- you gave us a clear explanation, but why would you prefer the centralized? I mean, what did it do that the other did not?
Mr. McFarland. I believe you have to have control over development.
Mr. Filner. Well, that is what I asked you at the beginning, and you said no. I asked what did consolidation of infrastructure mean, and you said operation, maintenance, but not development. Now you are saying development should be.
Mr. McFarland. Let me define infrastructure for you, sir.
Mr. Filner. Okay.
Mr. McFarland. Infrastructure is the assets and people that provide IT services --
Mr. Filner. Okay.
Mr. McFarland. -- provide the electrons to anyone who uses those electrons, your e-mail, your whatever, no matter whether you are a doctor, a benefits coordinator, whatever, the users of those workstations. That is the infrastructure. The development of product is actually the generation of new code --
Mr. Filner. All right.
Mr. McFarland. -- to run applications.
Mr. Filner. And both should be under the CIO in your preference?
Mr. McFarland. It has been my professional --
Mr. Filner. Okay.
Mr. McFarland. -- opinion that they should be consolidated --
Mr. Filner. Okay.
Mr. McFarland. -- under one environment.
Mr. Filner. And so they are going in a different direction than that right now?
Mr. McFarland. They are using --
Mr. Filner. All right. That is all.
Mr. McFarland. -- the federated model, yes.
Mr. Filner. Thank you. Thank you, sir.
The Chairman. Mr. Bilirakis, just as a follow-up, if I may. Mr. Bresson, Gartner Consulting, you are consulting to the leading top 100 companies in the world; are you not?
Mr. Bresson. Yes, sir.
The Chairman. Are there any of these companies that you are a consultant to in the world of these companies ever take the development side outside the -- to take the development outside the authority of the CIO?
Mr. Bresson. Indeed there are, yes, sir.
And I think one of the nuances to the federated model as it may exist in commercial and outside of public sector is that while development may remain outside the CIO's control, in order for those products to run on the infrastructure, they still must, you know, pass through the wickets and be certified to run on that infrastructure. So there is a transfer.
The Chairman. Thank you. Mr. Bilirakis.
Mr. Bilirakis. Mr. Chairman, virtually everything has kind of been covered on a detailed basis. If this continues on, it is just going to continue to make work for us and take us away from being concerned about healthcare and about claims processing and things of this nature. Somewhere along the line, it has got to be solved. Let me ask. My impression is that all testimony, I mean, for -- it goes all the way back, not just this Administration, the prior Administration and Administration before that. All testimony before coming before Congress has to go to OMB; is that correct? Does anybody know? That is true, right?
General Howard. [Nods head affirmatively.]
Mr. McFarland. [Nods head affirmatively.]
Mr. Bilirakis. Okay. So this is not something that is new. Dr. Gauss, you prepared your testimony. Of course, obviously, OMB does not tell you what to respond to when you are asked questions from the panel up here. But you prepared your testimony for today, and then there is a process? It went up the line, did it, up through the --
Admiral Gauss. [Shakes head negatively.]
Mr. Bilirakis. No? Where does your testimony go?
Admiral Gauss. As a private citizen --
Mr. Bilirakis. You are a private citizen, right. All right. I am going to go to General Howard. Forgive me for doing this. Getting a good opportunity for this old Staff Sergeant to talk to a Major General.
General Howard. It has to go through OMB, sir.
Mr. Bilirakis. Has to go. All right. But does it go up the line through the VA first --
General Howard. Yes, sir.
Mr. Bilirakis. -- before it goes to OMB?
General Howard. Yes, sir, it does. General Counsel --
Mr. Bilirakis. Do you like that as a former General officer?
General Howard. Sir, it was probably the same way in the Pentagon, although I cannot remember.
Mr. Bilirakis. Yeah, I will bet. I will bet.
General Howard. But that is the process.
Mr. Bilirakis. You know, what is happening here is, you know, we have got a Veterans Administration that I have always had very high regard for. When I came to Congress 24 years ago, there was one committee that I specifically fought for. I guess I did not have to fight too very hard, but the point is I wanted to get a VA Committee, and I did 24 years ago, first day one. And Mr. Buyer may not know this, but when our side came up with this idea of grading committees, certain committees are considered A committees, B committees, C committees. The rule was that if you had an A committee, you could not serve on any other committee. And the Veterans Committee was considered other than an A committee. And so Energy and Commerce was considered and still is considered an A committee. And the deal was if you wanted to stay on an A committee, you had to give up any other committees. I let it be known that I would be glad to give up Energy and Commerce if I could keep Veterans Committee. That is how much I feel about this Committee and that is why I get awfully frustrated and angry sometimes when we get partisan here and throw stones at each other, which is something we did not used to do on this Committee. But that is besides the point. The point here is that activity like this, promises made to Congress on record and whatnot and not kept on what, you know, contract on IT was to be awarded June the 10th and contract work was to be started on June the 15th of this year of 2006 when, in fact, that has not taken place, that is the result of testimony before this Committee back in March of this year. Other things. We have gone through hearing after hearing.
We have had round-table discussions, everything on IT, and still do not see very much progress being made. I mean, that hurts the image of the Veterans Administration. And, you know, we would like to hear from the veterans, complaints about maybe healthcare, about their claims, or something of that nature. And what we are hearing is they are concerned about privacy and the lack of privacy and their concern about what might happen to their personal situation as a result of what has transpired. Mr. McFarland, you came aboard with a heck of a background, a tremendous IT background. You were given a certain responsibility. Was your background respected in the VA? Now, you should be free to respond here.

Mr. McFarland. Yes, sir. I never got a feeling that my background was not respected. I think I felt I brought a business acumen to the VA --

Mr. Bilirakis. Yeah.

Mr. McFarland. -- which I think was --

Mr. Bilirakis. All right. But --

Mr. McFarland. -- somewhat new, and I think it was respected certainly in the beginning. I am not sure --

Mr. Bilirakis. In the beginning. What happened --

Mr. McFarland. -- if it is respected today.

Mr. Bilirakis. What happened after the beginning?

Mr. McFarland. Well, I think whenever you embark on change, you are going to run into culture. I have said many times I did not believe that a majority of the issues at VA were so much about technology as they were about culture.

Mr. Bilirakis. Yeah.

Mr. McFarland. It is a long-standing history of decentralized management. And when you bring a business acumen that says you want to centralize many of those management functions, I think you run into cultural problems. But that being said, I do not think anyone disrespected my background. I never had --

Mr. Bilirakis. Well --

Mr. McFarland. -- anybody chastise me for it, so --

Mr. Bilirakis. Yeah. I do not think anybody would have done that, but I am not referring to that obviously. I am referring to -- I mean, were you paid attention to?
Were you taken seriously in terms of some of the changes as a result of your actual background and experience and that sort of thing?

Mr. McFarland. Oh, I think I was taken very seriously, sir, on many occasions. I do not think it was ever an issue of taking me seriously. It was that the problem was the disagreement over the change.

Mr. Bilirakis. All right. So you were taken seriously, but there were disagreements? Some people disagreed with you?

Mr. McFarland. Yeah.

Mr. Bilirakis. General Howard, you know, here we are. And the Chairman's idea of legislation, basically upgrading the CIO position and whatnot is a good idea. But here we are trying to micromanage. And damn it, we should not be doing that. And, yet, we feel that we almost have to from the questions that have been asked here, detailed-type questions for crying out loud. We should not have to be concerned with something like that, I do not think. And, yet, we are because we see a process that just is not moving. It is not progressing the way it should be. And then, of course, these errors such as the loss of those files. General Howard, your testimony had to be cleared, but your responses to us are not cleared, do not have to be cleared.

General Howard. No, sir. That is correct.

Mr. Bilirakis. All right. Now, you are a General Officer. Are we going to fix this? I mean, Mr. McFarland mentioned the word culture. He knew darn well that I was going to mention culture because I talked about it constantly during our past hearings. There is a culture there. There is a turf thing there that exists up here, too, and I am the first one to admit that. If I had to say the one thing that bothers me about the Congress is the turf, turf fighting, and committees' jurisdictions and things of that nature. What do you think? Are we on the right path here? Are we going to fix this?
Are we going to be as proud of the VA in terms of IT as we are on our work on healthcare and the Spinal Cord Injury Center, for instance, Haley Hospital in Tampa? There was a young lady here with Pfizer who lives down in that area and who volunteers there one day a week. And as I went out to vote, she was boasting to me about the great work that they do. I mean, there is a lot of pride there. But the pride does not exist as far as IT is concerned. Respond to that.

General Howard. Sir, there is, first of all, no question that this can be fixed. Obviously we cannot predict the future. But in my mind --

Mr. Bilirakis. What do you mean by that?

General Howard. You said will we fix it. We can fix it and we are heading in the right direction. There is no question about that. The issue regarding centralization is still, you know, full centralization, that is, including the development domain, is still on the table. But I think based on the Secretary's testimony yesterday, that also will be centralized. And he went public with that yesterday during the Appropriations hearing. I think that is a very important aspect of it. Can we do it right away? My personal opinion is we should not. We are already very deep into moving the operations and maintenance and consolidating that. In the contract you refer to, you are correct. That was delayed due to contracting procedures, but that is ready to be signed. If it is not signed today, it will be in the next few days to bring in the contractor who is going to help us further refine the details of the current approved IT reorganization. But as the Secretary mentioned yesterday, he is going to take the next step.

Mr. Bilirakis. All right. You said something, you mentioned contract procedures, delays as a result of the contract procedures. Should those procedures in your opinion be changed?

General Howard. Sir, those are typical government procedures. It just takes time to work through that. I did not see anything really out of line.
It just took longer than we thought. I mean, we followed all of the procedures. We had written proposals. We had oral presentations and a thorough review. The last reviews that had to take place were with General Counsel and the Contracting Office. You know, I got an e-mail this morning that indicated those are complete. So there is no reason why this contract should not be signed. And that will be a very significant piece to what we are discussing today because they will come in, this contractor will come in and help us refine the processes and procedures under which we should operate.

Mr. Bilirakis. Are we going to pay attention to them? Are we going to --

General Howard. Sir, we are going to pay a lot of attention to them. And the fact of the matter is, you know, we have already detailed 4,600 people to the Office of Information and Technology. And that detail will become permanent on the 1st of October. Sir, that is in effect as we would refer to in DoD, that is a field operating agency. That is not a staff section. That is a large number of people, and we are now in the process of organizing them, delivering the guidance, an important subset, for example, of the Information Security Offices that exist throughout the VA. There is slightly over 300 of them. They are now under my control. You know, we are the ones that issue them instructions, that give them the training, that develop their careers, all of that. Bob McFarland did not have that, but we do. And that alone is very helpful in terms of improving our information security.

Mr. Bilirakis. Well, I am reminded by staff that this was said something like last October that it was going to take place, and here it is what, June, almost July of the next year.

General Howard. Yes, sir. It happened in April, sir. That is --

Mr. Bilirakis. In April.

General Howard. That is when the detail took place. But to sort of summarize, I am fully confident that we can fix this problem.
Clearly it is an organization issue, but it is more than just moving the boxes around. As Gartner mentioned, processes are very important and probably more important than anything else is the leadership and the emphasis we place upon the whole enterprise.

Mr. Bilirakis. Yeah. Just my last question. What say you to this culture thing that has been admitted to over a period of time in the VA?

General Howard. Sir, I have been in the VA just a little over a year. I came out of the private sector. There is a culture issue. And one of the reasons for that, I think we all know that we are operating with an agency that is very decentralized. And you cannot fix that overnight. I mean, that has to be done over time. We need to put more emphasis on it. But, again, under Dr. Kizer, it was deliberately decentralized and the result of that, quite frankly, was more effective healthcare. I mean, it was, you know, innovation in the field and all of that. And in many ways, that is a good thing. What we probably did not do is maintain sufficient controls over that decentralization. Even in the Army, you know, you can encourage innovation and to a degree decentralization, but you have regulations and clear directives to make sure that things are followed correctly. And one comment on directives. The business about are we going to fix this. Sir, one first step, a major first step is to publish very clear directives. I have only been in OI&T a little over a month and clearly that is a problem. Bob McFarland had difficulty with that. And no longer guidelines and handbooks and all of that. Our policies need to be in very clear directives with signatures on them so that people are very clear about what they --

Mr. Bilirakis. Yeah. That seems natural. Why did Mr. McFarland have trouble with it and why do you say that it is going to be difficult? I mean, why?

General Howard. Sir, I do not see that difficulty anymore.

Mr. Bilirakis. All right. Why was it --

General Howard.
It took us less than a week to publish 6504. In fact, the Deputy Secretary was a co-signature on it along with myself. And 6500 is another very critical directive that we are currently working on.

Mr. Bilirakis. Yeah.

General Howard. And there are more. We cannot rely on memos and guidance that is not signed out and approved at the very high level.

Mr. Bilirakis. Will enforcement exist?

General Howard. Sir, on the enforcement part, I mentioned in my testimony that we have established an overarching program to address these issues, the Data Security Assessment and Strengthening of Controls Program. This is an overarching program sanctioned by the Deputy Secretary. We have a very detailed list of actions that must occur. In fact, we would be happy to brief this Committee at any time. There are a lot of things that need to be done. As I mentioned to you, there were three phases to it. The last phase is enforcement. And to give you an example, I think in the area of enforcement, one of the most important things we can do is improve our audit and inspection capability. As an old Army guy, if you roll into an organization and you do not have a good inspection program, you got a problem right from the very beginning. And we do not have that right now. We have some. We have the IG, of course. But within OI&T, for example, it is relatively small. It is nowhere near as robust as it needs to be. And along with that capability needs to be the authority to go anywhere within the VA, knock on the door, and walk in and see what is going on. Sir, I know you are laughing, but we need that and it needs to be robust. And you know what I am talking about. You are talking about unit inspection programs.

Mr. Bilirakis. I am not sure why the Chair is laughing. I think because he is happy. But we had testimony what, last week from the counsel that you did not have the authority, the enforcement authority. Am I wrong there or do you have it? Do you feel that you have it?

General Howard.
Sir, right now I have certain authority as a result of the approval of the IT organization up to this point. For example, in the area of information security, I own these people. I am responsible for telling them what to do. I have the authority to discipline them. What I do not have is the authority to discipline somebody in VHA. I do have the authority to lay out the policies and regulations that must be adhered to. And if the VHA folks, for example, do not discipline someone who violates these policies, you know, then it is a matter for the tenth floor, you know, the Secretary level. Now, I will say that so basically within what has already happened, I do have some authority. Now, with respect to additional authority, there is a memo being debated right -- not debated. It is being finalized and reviewed by the Secretary, regarding further delegation of authority. It has not been signed yet. He may talk to that tomorrow. But there is more to come on that issue.

Mr. Bilirakis. Well, I know I have taken much more time than I should have. Thank you, General, gentlemen. Mr. Chairman, we all have suffered through an awful lot of frustration here. I yield back whatever time.

The Chairman. Well, Mr. Bilirakis, this is a challenge. It has been a challenge for us for a long time. And I am smiling whenever I can hear you talk about authority. Back in 2002, Ms. Carson asked you, Dr. Gauss, a direct question, are you the man in charge. That is exactly how she asked it. And you said, yes, ma'am, it is me. Very close. You may have been in charge, but you did not have a lot of authority in reality. And that is what also then we learned with your successor, Mr. McFarland. He was in charge. The Secretary even wrote a directive, and then that is undercut by a General Counsel in his interpretation of FISMA that says that you have responsibility, but you do not have authorities.
General, reflecting upon your days in the United States Army, pretty hard for you to have received responsibility to ensure compliance, but then you have no authority to accomplish a mission. You are to take the hill. You are to ensure compliance of having taken the hill, but you have no authority to give orders to anyone. That is why I use the term heterodox, because it is totally against everything in our society. So my challenge with the Office of the General Counsel, it is how you get to yes. How do you get to yes? You do not create these odd anomalies that then has a detrimental impact upon an organization. We figure out how we get to work together and pull in the same direction, not to create these divisions and as someone had earlier testified to as decentralizations of mass dispersions, equate to mass dispersions in the VA. So that is why I am smiling. I am pleased that the VA is moving toward that direction with regard to lines of authority. I now recognize Ms. Herseth.

Ms. Herseth. Thank you, Mr. Chairman. Let me just follow up on the line of questioning of Mr. Bilirakis and some of the comments that the Chairman just made. And I appreciate the testimony that you have offered, written testimony that I had a chance to review and some of your oral testimony today that in the light of the vote, some of us missed. But I just want to make sure that we have turned a corner and that we will be able to confirm some of this further with the Secretary tomorrow. But the Chairman says, you know, how do we get to yes. It is sort of like what we say to members of our staff here in Washington or back home serving constituents. You know, it is one thing to move the ball down the field and get to the five yard line, but they all need to get it over the line. It is not just about getting it close. It is getting it there. And in the questions that Mr. Bilirakis posed to Mr.
McFarland about how you were received given your background, your experience when you arrived at the VA, you felt that, you know, you brought this business acumen, it was respect, but there was disagreement then based on the proposals of centralizing the IT function. And then in response to the question posed to you, General Howard, about once we get the contractor, are you going to pay attention to them. You said, yes, you are going to pay attention to them. But what if there is disagreement with how they are advising to refine the processes? Have we turned the corner to say now that the Secretary has made the decision to centralize, we have got the contractor that is going to be in place, are we behind that now? It is not about disagreement anymore? It is about simply executing and implementing the recommendations of refining the processes?

General Howard. Ma'am, I cannot say there will never be disagreements. I mean, you are always likely to run into that. But my feeling right now is those have been greatly minimized.

Ms. Herseth. May I interrupt? Even if there is disagreement, though, you are right. There is going to be disagreement. But despite the disagreement, are we going to just rehash the disagreement and --

General Howard. No.

Ms. Herseth. -- push back on the contractor about the recommendations or is it, you know, we disagree, but your job was to advise us, recommend, now we are going to implement the recommendations?

General Howard. We have turned the corner. There is no doubt in my mind about this. Just the reassignment of people alone, you know, including the empty spaces that have been given to us upon the insistence of the Deputy Secretary. He says do not just move the people. We want the spaces, too, so that we can flesh out this organization in the correct manner. So everything that I see from our leadership is heading in the right direction. There is no doubt in my mind about that.

Ms. Herseth. Okay.

General Howard.
But to execute is going to require very strong leadership and determination right down until when you finally take the hill, sir, you are right.

Ms. Herseth. And authorities, right, General Howard? So do you feel --

General Howard. And the authorities. And as I mentioned, a very important delegation memo is currently being worked and --

Ms. Herseth. Great. We hope to see that soon and to ask the Secretary about it tomorrow because that was again a line of questioning we pursued last week with the General Counsel who kind of, I felt, was trying to have it both ways by reiterating his interpretation of FISMA, but then talking about certain options the Secretary had to delegate certain authorities. And it was just really hard to pin him down on whether or not he was trying to allow his interpretation of FISMA to trump what these reserved powers that could be delegated from the Secretary. So I hope we have turned the corner there, that we are getting very close, that we are moving in the right direction, but not just moving in the right direction and down the field, but that delegation exists to get us to score the goal. Let me move to a different line of questioning. Mr. Brandewie, we have also in past weeks in different hearings gone into what is happening in other federal agencies with the relative organization of the CIO. Are there some weaknesses? Are there strengths that we should be evaluating to assist us with the Department of Veterans Affairs' situation? I know that the Chairman has asked for a GAO investigation and report on other interpretations of FISMA by other General Counsels and different agencies. And so in your statement, you note that the DMDC is at the center of most of the human resource information flowing between DoD and the Department of Veterans Affairs. Under the definition in FISMA, is DMDC considered a strategic security system?

Mr. Brandewie. No, ma'am, it is not.
The data sources for the information that flows to the VA are not classified as national security systems.

Ms. Herseth. Okay. So it does not contain information about security clearances and military job codes?

Mr. Brandewie. No, it does not. If I could just comment in a little more detail. The information that goes to the VA starts out very skeletal. I mean, it is just the basic identification information. It grows as events happen in a servicemember's life. For example, they become eligible for Montgomery GI Bill is a good example. Then we add information on that program and feed it to the VA. So the information that goes from DoD to VA is basic identification and then programmatic information.

Ms. Herseth. Okay.

Mr. Brandewie. It is not national security information.

Ms. Herseth. I appreciate your responses and it relieves me of some of the concerns there. However, let me just ask this question. I know the Chairman is interested whether, you know, based on your responses that it does not include national security information. But over the course of a servicemember's lifetime as that information grows, you know, how do you feel about data sharing with an agency system plagued by such vulnerabilities as we know the Department of Veterans Affairs' system has been?

Mr. Brandewie. Well, I mean, naturally we are concerned. I mean, we are concerned because of the massiveness of the scale. Essentially as came out in the data breach, a vast majority of our active duty and Reserve members' information potentially was compromised in the data breach. However, in our data use agreements with the VA, we require security evaluations be done on the recipient systems. They have been studious about doing that. I know they are re-reviewing a number of the systems right now to make sure that they are, in fact, meeting the security requirements. And so we have to in a partnership sense rely on our partner in the VA to maintain security in the system, but we all remain concerned.
One fix that we have been pursuing actually began under Admiral Gauss is to consolidate the feeds that go from DoD to VA and try and minimize the kind of proliferation of data throughout the agency. And by concentrating that information, I think we can concentrate our efforts to make it more secure and protected.

Ms. Herseth. I agree. But I think a very important first step, especially in light of the concern that as it does get spread out more, you then have the potential of employees within the different administrations -- well, just the potential for more possibilities of compromise, I should say. One last line of questioning, if I might pursue that, Mr. Chairman.

The Chairman. Yes, ma'am.

Ms. Herseth. And I think, Admiral Gauss, you answered part of this question when you were talking about the VA concurrence process and that you were told at one point within the chain of command, so to speak, in the VA that you could not go to the Secretary with some of your concerns unless it was consistent, unless it met these concurrence principles. And, otherwise, if things got watered down to the point that some of your concerns were inconsistent with the minimum threshold of what it was watered down to that it was hard for you to reach the Secretary with those concerns. So my question is for Mr. McFarland and for you, Admiral. Last week, Bruce Brody, who was a former Associate Deputy Assistant Secretary for cyber and information security at VA, testified before the Committee. And he explained that while he served in that capacity, he was not permitted to speak openly about many of the problems associated with VA's management and information security. So during each of your tenures as Chief Information Officer for DVA, were you ever instructed by the Secretary or other senior Department officials to withhold from members of Congress any concerns you held regarding the Department's information system?

Admiral Gauss.
Let me start since Bruce worked for me first before he worked for Bob. I was never instructed nor did I direct Bruce to withhold information from Congress. What I did, and this is me doing it, is Bruce sometimes could be quite colorful in the presentation of his issues, and sometimes the importance of his issue could be lost in the colorful flavor that he would present them. And I did ask him to tone some things down, but never to obfuscate an issue.

Ms. Herseth. I appreciate the response.

Admiral Gauss. And if I may on the first part --

Ms. Herseth. Yes.

Admiral Gauss. -- when I talked about the concurrence process, I did not mean to imply that I could not go to see the Secretary. The process, though, required as you lumbered your way through to get a document that could be approved, it required the concurrence. In fact, I was called once by the former Deputy Secretary, and he said I need you to take your nonconcurrence off. And I said why. It is my view. And he said, well, if it goes the other way, will you support it. And I said of course I will. And that is the only time a dissenting view got documented from my office.

Mr. McFarland. I would concur with Admiral Gauss on the issues. I also managed Bruce Brody and I did see some of the colorful presentation, but he was always straightforward and given the ability to speak his mind. And never was I ever either told that I had to water down my opinions or could not speak, nor was I ever told not to submit anything to Congress. The concurrence process to me, I agree with Admiral Gauss, is troublesome. Unlike what I understand DoD's concurrence to be, at the VA, there is no penalty for not meeting concurrence deadlines. And so what happens is you get the slow roll.
And without having a defined, definitive concurrence deadline such as, I believe, DoD has where if you do not concur or nonconcur, you do not do anything, then you opt out and have no say because one of the reasons you have problems in getting things done quickly is because this concurrence process takes a long time when people simply do not concur, neither nonconcur or concur. The process allows nonconcurrence. That is not an issue. I believe that we have moved ahead with issues at the VA. Even with nonconcurrence, we have moved ahead. An example would be the federated model. I did not concur with the federated model, but I agreed to support it. So my nonconcurrence on the federated model was well-documented. The issue is the time frame and this problem of slow roll, which is what happens, is what causes you the delays in many of these occurrences from happening in the time frame they should happen. And I strongly believe that that time frame should be changed and I have spoken so.

Ms. Herseth. One last question then. Do you feel that the Chairman's proposal to elevate the status and authority of the CIO position would be sufficient to affect the concurrence process or do we also need -- again, not that we want to micromanage, but do we also need to somehow specifically address the time frame of the concurrence process or would elevating the position of the CIO with that type of authority make that move on its own? Would it effectuate the change on its own as opposed to independently from another proposal of the Committee?

Mr. McFarland. Well, I support the move, the proposed move to Under Secretary status. And I think that will help. I also believe that the VA has at the top level competent management and I believe competent management can deal with this issue. I do not believe personally that Congress should have to deal with an issue of concurrence in its time lines. People at the VA at executive level are competent. They can deal with this.

Ms. Herseth.
I know I have taken up a lot of time, and I appreciate that response. So may I read into your response that with the competent senior leadership at the VA that elevating CIO to an Under Secretary status would allow the competency of senior management in addition to the individual holding the CIO position to address the issue of the concurrence process because if both you and the Admiral are saying that this has been a problem because it has been taking too long, but, yet, you have confidence in senior management at the VA, is it just that one move of elevating the position to Under Secretary status, and will it happen eventually because I also get the sense that you really do not think the Committee should have to do anything on that front, but is there something else that needs to happen to address it effectively?

Mr. McFarland. I think it will help greatly because at an Under Secretary level that the CIO will get to sit regularly with Admiral Cooper, Dr. Perlin, Bill Tuerk and discuss these issues at that level which should ferret the problems out earlier. That is my opinion.

Ms. Herseth. Thank you. Thank you, Mr. Chairman.

The Chairman. I would like to thank Minority Counsel. They have brought to this hearing testimony of March 13th, 2002. It is you and me, Dr. Gauss. You got this one too?

Admiral Gauss. Is it the verbal? If it is the verbal, I do not have that one.

The Chairman. You know, that is all right. Yesterday Chairman Walsh referred to this as groundhog day. And, you know, I listened to him, and I kind of half chuckled. Reading this, now I almost want to laugh out loud. There are things that we have talked about here. This is back in 2002. You and I had a little banter going back and forth here and I asked you a specific question. Oh, gosh. We talked about who is in charge. I am in charge. A lot of your questions, I mean, you are the Admiral here. I am in charge. I am responsible. I am in charge of the ship.
But then when we got into specific lines of authority, do you have the specific line authority, and your answer is, no, sir, I do not have direct line authority. I have indirect authority for matters of IT and I have suborganizations within the structure where I deal directly with these people on matters of enterprise architecture and cyber security and that it is an efficiency gained over the past year because I do not have to go to an Under Secretary to get it approved to go to the Deputy Under Secretary in order to get one of the CIOs. I pick up the phone. I call. I direct. So basically you are saying that I could get it done. I could achieve even though I do not have line authority. I think looking back on all of that, you would probably look at this and say that was pretty hard to accomplish because what we have learned here is that unless we give you the tools, how can you really accomplish that, you know? I mean, that is kind of where we are. I am not picking on your testimony and your role. What I am trying to do is is I am trying to go back in time, see where we were, where are we today, and how we move to cure. And there is something else in here. Let me go to this one. We even had a conversation, and this deals with compliance, and we were talking about the lines of authority again. And then I got into the question about the rating of people. And I asked you what input do you have with regard to rating people, and you said I have direct input to the reporting seniors of these folks for what goes into their performance evaluation. I then say okay. Then with regard to promotions and merit bonuses, do you have an input into that also, and you then say the process at the VA? And I said if you are working with someone in one of those administrations who is messing with you and making life difficult to get implementation to the one VA is what you were talking about at the time, going, do you have the ability to say no to a merit bonus. 
And you say I do not have that. The reason I took time to go back in history with regard to this conversation is that since your days at the VA to today, we advance ourselves, the VA has continued to receive this failing grade, yet, we have individuals of whom received bonuses. Now, going back to this whole question that Mr. Bilirakis brought up about micromanagement, you are absolutely right. We do not like to do that. We have an oversight responsibility and function. But if we are going to create a package and part of that package is also going to be on personnel issues, whether it is in specific statutory authority or in report language, if we are to say that with regard to performance reviews, if as a CIO you are to ensure compliance, should IT compliance be one of the criteria of performance reviews or merit bonus? So I am interested in your thoughts, Dr. Gauss, Mr. McFarland, General Howard.

Admiral Gauss. Mr. Chairman, as far as the recommendation of including those as part of the evaluations, I would agree.

The Chairman. All right. Thank you. Mr. McFarland.

Mr. McFarland. I would submit to you that I not only agree. I would submit to you that there is proof that it works because if you remember last time we got an F, one of the major reasons we got an F is because we did not have our 600 major systems certified and accredited. And when Secretary Principi got very upset about that, we asked for authority to include the potential of bonuses not being paid in the outcome if all of those 600 systems did not get C and A'd within a year. Those 600 systems did get C and A'd in a year and it was because of that potential financial threat. I am convinced of that because he was very clear with the management team that he would look very harshly on bonuses and people's paychecks would be affected if this did not happen. So I would submit to you that it does work.

The Chairman. General Howard.

General Howard. I totally agree, sir.
It is a good mechanism that ought to be put in place.

The Chairman. All right. Let us envision this for a moment. How would this work under the federated model? You are now an Under Secretary. You have the responsibility under FISMA to ensure compliance. The Secretary has now directed authorities to you. I am anticipating that finally this slow roll approach over Directive 6500 after three years is finally coming and that is what I am hoping for. How do we do it? How do you do this?

General Howard. Sir, the area that it would be difficult is punitive action, you know, any action that must be taken against a person from the person's supervisor. In other words, if Art, for example, worked in another department and violated one of these policies and violated an item --

The Chairman. Can you turn that on for me, your microphone on, please.

General Howard. -- you know, violated one of these policies, we can make it very clear that he has done so. But the punitive action itself cannot be taken by the CIO. It would have to be taken by his supervisor.

The Chairman. Right. But let us keep it to the question on a performance measure.

General Howard. Right.

The Chairman. So I am in one of the stovepipes.

General Howard. Right.

The Chairman. So I am now a middle-level manager, just like you, directing a battalion.

General Howard. Right.

The Chairman. You have given a directive to your battalion commander that you want certain things to be noted. So all of your officers, they have to make sure that they are compliant with one of your directives. So how do you as now an Under Secretary and CIO, and you now have got CIOs completely under you, right?

General Howard. Right. And I --

The Chairman. So how are we going to do that?

General Howard. Those folks belong to me. There is no question about, you know, disciplinary action, any kind of action against folks who directly work for the CIO.
If they work somewhere else, you know, clearly violations of anything should be reported to the CIO. You can have that provision.

The Chairman. All right. Wait. You are off subject again. Let us go back to the issue on bonuses.

General Howard. On bonuses?

The Chairman. On merit, performance, and bonus.

General Howard. And the individual is in one of the stovepipes?

The Chairman. Yes.

General Howard. And gets a bonus?

The Chairman. Wants a bonus.

General Howard. And should not have gotten --

The Chairman. But is not compliant.

General Howard. And should not have gotten the bonus?

The Chairman. Uh-huh.

General Howard. The only thing you can do is elevate it to a higher level because, you know, or --

The Chairman. Wait. Time out. Let us break this out. One of your CIOs is at one of the medical centers.

General Howard. So he belongs to me.

The Chairman. But he is at one of the medical centers.

General Howard. Does not matter. He belongs to me.

The Chairman. He is at one of the medical centers and he belongs to you?

General Howard. Yes, sir.

The Chairman. He is sitting at the table as any good hospital administrator would do. He has got him at the table there, and that hospital administrator, one of his issues is to be compliant. And what I am trying to figure out under the federated approach, since the CIO is not going to be in these lines of authority with regard to punitive actions, but if you make it a performance measure, then it is the Secretary through the Under Secretary that has to ensure that certain directives are made and have compliance.

General Howard. Yes.

The Chairman. That is our challenge with tomorrow's panel --

General Howard. Sir --

The Chairman. -- because what is clear today is that with regard to the General Counsel's legal opinion that said unto Bob McFarland that you do not have this authority, then that authority then vested with the Secretary, and directive 6500 just sat out there. Nothing was really acted on with regard to those authorities.
It vested with the Deputy and the three Under Secretaries. And even though you had the responsibility of compliance, authority was not exercised to bring the Department in compliance with FISMA.

General Howard. Sir --

The Chairman. I am just letting you know that.

General Howard. Okay, sir.

The Chairman. So my challenge here is if we are going to go under the federated approach and we say, fine, we are going to bring it into a performance measure, your CIOs out there can be counsel to that administrator, you know, meeting with them, making sure that they are compliant because here is what is in the pipeline or here is what is going on. That is what he is there for. He is to be the counsel to the administrator. You agree with that?

General Howard. Sir, he also has a black hat on his head, too, that --

The Chairman. What does that mean?

General Howard. -- needs -- he needs to report instances that are not in compliance.

The Chairman. And who does he report that to?

General Howard. Up the chain to me.

The Chairman. All right. But he also has a responsibility to the hospital administrator, correct?

General Howard. Yes, sir. He sure does as a customer. You know, he is a service provider.

The Chairman. Okay.

General Howard. But he also has eyes and ears and he needs to keep them open. And if he uncovers things that are not going on, I expect him to do something about it. Obviously to inform the hospital director, but me too. I mean, it is like first brigade and second brigade. You know, I cannot give an Article 15 to some guy in first brigade, but I sure can put heat on that brigade commander through the division commander. And it is particularly a problem in the punitive type of action.

The Chairman. So this is going to require -- let me turn now to Gartner -- under this federated approach, in order for this to work, this is going to require some pretty stern leadership from the Secretary, Deputy Secretary to the Under Secretaries to perfect it. Mr. Bresson.

Mr. Bresson. It does not relinquish leadership at any level, sir. You characterized it as stern. That would probably be a good thing. But the model itself does not preclude that leadership from being exercised, those authorities to be implemented.

The Chairman. I appreciated your insights with regard to Ms. Herseth's questions. You did a very good job today with regard to the concurrence and nonconcurrence. That was insightful for us. And I appreciate the Deputy Secretary being here today, that you are hearing this, and those are things that you struggled with over the years that you have worked. But those time lines, I think, that have been recommended are probably pretty important. Having that directive sitting out there for three years was probably not a good thing, and we will get a chance to talk about that tomorrow. With regard to nonpay contractors involved in software development, do you know how many there are?

General Howard. Numbers of contractors, sir, I am not sure. I will have to get that for you.

The Chairman. Mr. McFarland, would you have any idea approximately?

Mr. McFarland. Contractors are in nonpay, yes. I do not know exactly how many are there. I could give you an educated guess. I would say it is somewhere between 500 and 700, I would guess, throughout the Department. And that is made up of administrations and staff offices. That would be my guess.

The Chairman. Now, there is --

General Howard. Sir, if I could pile on. I mentioned that we have phase one of this program we put in place, assessment. We finished the internal part. The next step is contractors, you know, where are they, what are they doing, et cetera, et cetera.

The Chairman. The --

General Howard. When we get through with that, we can give you some feedback.

The Chairman. The Secretary gave testimony yesterday to Mr. Walsh's Subcommittee on Appropriations with regard to the concerns about a subcontractor perhaps releasing data if they did not receive a proper payment.
The Secretary responded that he was not aware that he had any prime contractors that were offshore. Now, as I understand, this may be, in fact, technically correct. But what happens if we also put in our package so that we are not jeopardized nor our national security, if we are going to have contractors, that they may not subcontract with any offshore entity. What are your thoughts?

General Howard. Sir, I am not familiar with the details of the incident. I believe you are right. It was a subcontractor that was involved.

The Chairman. If you know about that, will you make sure the Secretary is briefed for tomorrow?

General Howard. Yes, sir.

The Chairman. All right. Mr. McFarland, your thoughts.

Mr. McFarland. I think it is important to know who subcontractors are. There are difficulties in the IT world today. It is an international product. So much of what is put into IT both hardware and software today, much of it does come from various overseas subsidiaries and various overseas environments through contracts. I think it is wise in the contracting process to understand who your subcontractors are and put in a requirement that requires they notify you if they intend to push any of that work offshore, and then you can make a decision at that point whether you believe that is -- I mean, pushing something offshore to Britain, for example, may not be near the issue it would be to pushing something offshore to China. And I think it is a matter of understanding and having a requirement would be good to know what, if any, offshore requirements come up.

The Chairman. All right. I am going to go to Dr. Gauss, but I want you to think about this because I am going to come right back to you, Mr. McFarland, about your counsel to us with regard to what should be included in our package. But I want you to think about it and I am going to come back to you. Dr. Gauss.

Admiral Gauss. I would think that in dealing with the purchase of purely commercial products and the support services that go with those commercial products, it would be very difficult to sever offshore relationships. That said, any contract that is done for the government where the government is getting specific products and services that meet a specific government need, I think you could impose restrictions that limit offshore involvement. But there are two separate camps here, I believe.

The Chairman. Well, we have experience in this in the Department of Defense with regard to our procurement policies, who is going to build what, who gains access to what, from weapons systems to guidance systems. I mean, you name it. I hate to create that type of system, but I am very insulted that there is a company out there in another country that would try to blackmail our country, and that is what they tried to do. And what that does is create a heightened awareness. And you are absolutely right. You do not want to penalize Great Britain or penalize any of our valued allies in the world, but I am pretty concerned. I am going to come back to you, Mr. McFarland. Take your concept and take it to the next step. What is your best counsel to me?

Mr. McFarland. Well, as Dr. Gauss said, there are two distinct domains here. Those are products and services that are bundled, if you will, such as a workstation, a printer, any kind of bundled service where components come from all over the world. You have things called TAA and BAA, the Buy American Act, those kinds of acts that preclude you from taking product made in certain countries that do not meet those requirements. So you are protected there. I think your biggest problem is the other domain which is the services domain where you contract with someone for a service, transcription services, you name it. And there you run into the problem.
I think you should require that before any subcontractor, allow any of that work to go offshore, that he get clearance from the VA so that the VA has an understanding of whether that offshore is Great Britain or if that offshore is China. And I think it would be wise to --

The Chairman. So, number one, would be a notification procedure?

Mr. McFarland. Right. And then an approval.

The Chairman. And then an approval process, right?

Mr. McFarland. Right.

The Chairman. Go ahead.

Mr. McFarland. I mean, I am not familiar enough with our contracts for services in the VA to know, and I am sure each of them is unique for the service. But those to me ought to be clauses that are boilerplate and that an approval process be required if a subcontractor is an offshore entity or any of the information is offshore.

The Chairman. All right. Here is why I am taking a little time on this particular issue.

Mr. Bresson. Excuse me, Mr. Chairman.

The Chairman. Yes.

Mr. Bresson. The only thing I might add with respect to services is it would be significant, yes, to identify the subcontractor as an entity, but quite often knowing the key personnel and their background and/or other attributes about them might also be significant and important to such an action.

The Chairman. Thank you for that because the Secretary has brought up several times the issue about background checks -- that individuals with access to certain data even within the VA have not had background checks. So what? We are going to highly scrutinize Americans, yet permit some of the services and access to data to be subcontracted to a third-world country with no form of notification or compliance or approval. So I think we need to pause and think about that as we develop our systems. So thank you very much. So now let me turn to DoD, and that is why I am pretty concerned.
My first question would be, because I do not know the answer to this, when a forensic analysis of the data was done with regard to what was stolen, with regard to active duty Guard and Reserve, were MOSs included?

Mr. Brandewie. No, sir.

The Chairman. No?

Mr. Brandewie. No, sir.

The Chairman. Okay. Does the VA within the universe of their data, would they have the MOS?

Mr. Brandewie. No. We do not furnish the MOS as part of our data transfer. On separatees, the DOD Form 214, and I am not exactly a hundred percent positive, on separatees, I believe the MOS is included on the DOD Form 214. That does not come in a data exchange. It comes through a basically paper form and is actually automated by the VA. When it is automated, I am not sure if they include the MOS, but I would assume they do. But it is not part of our automated feed from the Department of Defense to VA.

The Chairman. Much of our present War on Terror is operated in the dark world. And I have heightened awareness of our special operators and they sure do not want the world to know who they are and what they have done. And I am really concerned with regard to protections of data that is out there because I look at this and say, well, yes, this may have happened, but what is next, what could happen. And I do not want to blow up worst case scenarios, but, Mr. Deputy Secretary, this is an issue I want to explore with you over the next several weeks, and we will bring it up tomorrow on how we develop a system because, you know, as we work here with the Department of Defense, they are not going to be too keen about how do we get to health medical records. You know, if we cannot give veterans assurances, how can we give our partners assurances? I do not have an expertise or background in procurement law and so I am going to have to turn to experts to help us on how we devise a system to do this. Let me ask a question about biometrics, user ID numbers.
I am also considering placing in our package -- this package will be large enough that it will have jurisdictional referrals to other committees. We are going to recommend changes to FISMA. I am not going to have any of this in the future about lawyers' interpretations. We are going to make this pretty doggone clear. And I have already spoken with Mr. Davis about it, so we are going to make those corrections. I am also considering saying to the Department of Defense in this legislation and the VA that you cannot use the Social Security number. So let me ask for your thoughts about that.

Mr. Brandewie. If I could start out --

The Chairman. You are going to have to come up with a soldier's ID number or some type of number that both the VA and DoD use that is not the Social Security number.

Mr. Brandewie. In passing, sir, I referred to a consolidated feed between DoD and the VA which is to replace the legacy feeds that we do. In that consolidated feed, we feed the VA a new ID number which we give a very odd name to. It is called electronic data interchange personal ID. It is a made-up number. And it is the number we actually trade with the VA in the consolidated feed instead of Social Security number. And it could form the basis for interaction between the two departments without reliance on Social Security number. Having said that, Social Security number remains an important identifier in establishing identity. Once identity is established, then between agencies and in large-scale computer systems, it would be possible to only use Social Security number simply as an identity anchor and not a way to trade information between systems. I might add we do that also with the medical community and we have established this number as a patient ID with the medical community, and also pass that over to the VA as well. There are new technologies that are emerging that would allow us to deemphasize Social Security number as a universal identifier.
Having said that, totally banning it from IT systems would create chaos, but it could be deemphasized especially in terms of data interchange. And, again, once identity is established, its importance recedes, and that could be emphasized in legislation.

The Chairman. Our challenge here is that so long as the financial services industries rely upon that Social Security number, therein lies our challenge. So if I take that out of their criteria, you know, I at least can protect our veterans and our military. What we would have to do is when they take their oath of enlistment or commission, we are reverting back to the old days where you get your ID number, your soldier number, or whatever. Do you remember what yours is, Mr. McFarland?

Mr. McFarland. Yes, sir.

The Chairman. What is it?

Mr. McFarland. US54342381.

The Chairman. There you go. You guys know yours?

General Howard. Yes, sir, 097560.

The Chairman. Wow. Well, I am just letting you know that is where I am considering going. And it might create a heartache for you because if you have come up with some other kind of number, we will figure out how we can best do this, and we want to work with DoD to do that because that will also be what we will use with regard to our patient medical records and that type of thing.

General Howard. Sir, I might add within the VA for employees, we have discussed going to ID numbers for employees.

The Chairman. Just to let you know some of the major areas where we are thinking about, and this is not an exclusive list at all, as this Committee and others work together, we are going to look at this issue on performance reviews and criteria. We are going to consider this movement of the CIO to an Under Secretary and elevate the CISO to the Deputy Secretary or Assistant Secretary. I am sorry.
I personally asked the Secretary what personnel changes, if any, does he need with regard to his authorities with regard to disciplinary actions to make sure he can ensure compliance or fire someone. We are going to look at the issue on the credit monitoring package. I am deeply appreciative to the VA on what they had done in stepping forth to offer that to veterans along with the insurance package. That was a good thing. I am deeply disturbed with regard to the lawsuit. For the VA to move forward, to take actions to help the veterans and now for a class action lawsuit to prevent you from advertising that assistance, what it does for us is it shows that time is of the essence for us to move our package, and we are going to have to give a directive. The Secretary shall. And we want to work with you with regard to our language. But when I come in and I use mandatory language instead of discretionary language, what I have done is I have shot a hole through this class action lawsuit out there. We will also include some FISMA changes and that DoD, VA are not authorized to use Social Security numbers with regard to personal identification. We might direct them to really create a soldier's number, an identification number. It probably would be better to do it in the prospective manner than to say that you shall not or cannot use a Social Security number. I mean, that does not make a lot of sense. We want to address the issue with regard to the outsourcing and we are also going to bring back our issue on centralization. I have not let it go. I cannot let it go. I respect your opinions. I got to figure out how we can get there. Let me ask Gartner. I will not keep you here much longer, but let me ask Gartner Consulting. When you turn to one of your major corporations out there and you have now said we need to centralize your IT, how long does that take? Mr. Bresson.

Mr. Bresson. Mr. Chairman, there are a number of factors in that kind of advice, particularly the current business environment, because, as we all know, it is not all about IT meaning that the way decisions are made in the business or in this case in the mission and the business will set the stage for how successful centralizing and/or federating the IT portion of that business. We do counsel that once the decision is made, centralization, rough order of magnitude, would probably take anywhere between 12 and 36 months, and there are a lot of variables there, the global dispersion of the assets and the people and the organization, the sheer volume of systems and other items that need to be brought under control.

The Chairman. All right. Let me break it down and go right to security. So when the VA designs a security policy, they finally get that done, what kind of training is going to be needed to promulgate that policy to make sure it is properly implemented? What kind of time are we looking at?

Mr. Bresson. I would be guessing, sir.

The Chairman. I mean, you are consulting a lot of companies out there that make changes and all. I mean, three months, six months, nine months?

Mr. Bresson. Right. There is probably a footprint that needs to be established that has a defined period in which it should be established. And then beyond that, there are the continual changes of new personnel coming aboard, potentially other changes in personnel role, et cetera, that would need to be addressed. In terms of time --

The Chairman. Let me reask the question because you are very good at dancing now. What is a reasonable time line with regard to implementation of a security policy for an entity such as the VA or a major corporation?

Mr. Bresson. Implementation of a security policy. Well, I am not a security expert, sir, but I would imagine that something implementation-wise starts within a 90-day period and potentially to a 180-day period.

The Chairman. How long did it take DoD?

Mr. Brandewie. To implement a security policy?

The Chairman. Yes.

Mr. Brandewie. I mean, in the basics, it has taken a number of years. I mean, and security is always evolving and changing. I mean, the centralization of the global information grid took probably over two years, you know, and the security policies associated with it. But we are very diverse and decentralized with IT, so I am not sure there is a corollary there for the VA.

The Chairman. Well, kind of because you are very decentralized and so is the VA. And it is not that it is all that bad either.

Mr. Brandewie. No.

The Chairman. And just because it is decentralized does not mean you do not have security policies. They have security policies. It is that it is agency-wide security policy. So it is the development of the agency-wide security policy and its implementation as you centralize that is our challenge, right?

Mr. Brandewie. If I could make one comment. I mean, there are policies all over the place and security policy is certainly one of them. It takes a long time to articulate and work its way through the system. One thing that DoD has done that has been very effective, I believe, is the establishment of a joint task force for network operations protection, JTFGNO. And they are very fast in terms of identifying a security issue, finding a fix to a security problem, mandating that the fix be implemented, and enforcing the implementation of that fix. It is like, if you will, a kind of go team that takes the security policy, puts it against the real world threats that are out there, monitors those threats, and then takes action. And that I found to be particularly effective within DoD.

The Chairman. So let me ask this about FISMA for a moment. When the FISMA audits have come back and have given the VA very poor ratings over the last four years, as we proceed in this federated model, the responsibility here rests with the Secretary. He acknowledges responsibility.
Who does he delegate this to with regard to compliance based on the FISMA audit? Are you aware, General Howard?

General Howard. Sir, it will be cleared up with this delegation memo I referred to. But as I sit here today, it is my problem, you know, to set the policies and set the actions that need to take place to alleviate a deficiency because the reorganization that will take place, a good number of those will rely with me now. For example, take the protection of server rooms and things like that. That is now my responsibility with the current direction we are going in the IT reorganization. I do not know if that answers your question, but --

The Chairman. You have a really difficult job. You do. I am not here to beat you up at all because you are saying to this Committee it is me. That is no different than what Admiral Gauss said back in 2002 to Ms. Carson, it is me. So you can do everything you want. But if you do not get the backing from the Deputy Secretary or the Secretary to make sure things happen to those Under Secretaries, you are going to be back before this Committee. Members of Congress are going to be asking you why once again did you get an "F" in the audit.

General Howard. Sir, the backing is absolutely necessary. You are exactly right. But it is up to me to make it clear as to what should occur. That is my problem. And we have got a lot of work to do in that area.

The Chairman. DoD, you received an "F" on your audit, too, did you know, from FISMA?

Mr. Brandewie. I believe that is correct.

The Chairman. Why did that happen?

Mr. Brandewie. I really do not know. I am not familiar with the detailed reasons for the DOD score.

The Chairman. All right. I just thought I would let you know I knew. You thought you were going to get away with it, didn't you? All right. I want to thank all of you for coming. I have a great deal of respect for you and what you are trying to do here. It is hard for me. I have never been a CEO.
I have never run a major organization. It is hard for me, though, in today's time whether it is a government department or agency or whether it is a company or any form of entity, when I have IT involved, why I would not make the CIO my new best friend. I do not understand why that would not happen.

I had an opportunity, just to let you know, McKesson Company out there. Bloomington Hospital just outside of my district, they wanted to modernize their IT. They wanted to do some centralization and do some things. And they brought in McKesson. And the hospital administrator brought in someone from Purdue University, very sharp in information management, and made that CIO his best friend. And it sent such an incredible signal to the medical director to get on board, that these things are coming, these changes are made, whether it came from the business side of the house; tell me what your recommendations are, what you are looking for. The CIO is going to look at it. On the medical side of the house, whether it is filmless or that medical technologies, everything had to be compatible and everything had to go through the CIO. And everybody at the board table knew that and everybody was also enthused to talk about how as a team they were all going to work. And they all wanted to know and associate with the CIO. That was a system of pure empowerment, and they were able to perfect changes in a hospital setting rapidly.

So it is challenging for me, General Howard, why you are not the new best friend. I do not know if you are or you are not. But what I am saying is that I recognize you have a very difficult job because you have to be the agent of change. And I do not care if you are going to change the flavor of ice cream at lunch, you are going to have somebody attack the agent of change. And it should never be taken personally when you are the agent of change. All right?

General Howard. Yes, sir. I agree.

The Chairman. We want to continue to work with you.
Please, if you have recommendations based on the questions, please be in touch with the Committee as we formulate the package. To Gartner Consulting, thank you very much. You have well earned your pay in your counsel and advice to the VA. It has been very sound, and we appreciate that. To DOD, you have still got your own work to do, and we will send you back. We appreciate you coming out here today. This hearing is now concluded.

[Whereupon, at 1:42 p.m., the Committee was adjourned.]