
VA’S INFORMATION TECHNOLOGY PROGRAM

TESTIMONY OF

RICHARD J. GRIFFIN, INSPECTOR GENERAL

DEPARTMENT OF VETERANS AFFAIRS

HOUSE COMMITTEE ON VETERANS’ AFFAIRS

SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

May 11, 2000

 

Mr. Chairman and Members of the Subcommittee, I am pleased to be here today to comment on the Department of Veterans Affairs (VA) Information Technology (IT) program. During the last several years, the Office of Inspector General (OIG) has reviewed selected VA IT system development initiatives, procurements, and capital asset acquisition practices that identified opportunities where the Department could enhance its IT investment efforts. Our IT review efforts have also focused on Department information system security controls.

As outlined in the Clinger-Cohen Act of 1996, Federal agencies are now required to focus more on the results achieved through IT investment while streamlining the Federal IT procurement process. The Act requires agency heads to design and develop a process for maximizing the value and assessing and managing the risk of an agency’s IT acquisitions. While the Department is taking certain positive actions to comply with the Act, our audits have found that the Department needs to more fully assure that IT resources are effectively used and user IT needs are efficiently met. Effective management and oversight of VA’s IT investment is important given the significant annual investment of over $1 billion in IT by the Department.

The OIG has been involved with review and oversight of Department IT program initiatives since 1995. These reviews have included IT system developments, procurement of Department-wide telecommunications support, initial efforts by the Department to address the requirements of the Clinger-Cohen Act that include IT capital investment initiatives, and information system security controls. In addition to these efforts, we review the IT acquisition process followed by local VA Medical Centers (VAMC) as part of our Combined Assessment Program (CAP). This review effort is being completed in response to a request from VA’s Principal Deputy Assistant Secretary for Information and Technology, to determine if any field activities may be acquiring IT (services and equipment) without following appropriate Departmental procedures for approval.

IT System Developments

Our review efforts have identified opportunities for enhancements in key VA system developments involving Electronic Data Interchange (EDI), human resources and payroll, and a management information system to support delivery of health care to veterans. Our review efforts included:

1995 Evaluation of Electronic Data Interchange (EDI) Implementation in VA

In 1995, the OIG evaluated VA’s EDI implementation efforts and focused on current EDI implementation initiatives in the acquisition and finance program areas and future Departmental expansion opportunities. VA estimated that efficiencies of $499 million over a 5-year period could be achieved by replacing commonly used business documents with their electronic equivalents. At the time of the audit, the Department was in the initial stages of EDI implementation and we provided an early assessment of implementation and identified opportunities to enhance VA’s efforts. We found that attention needed to be focused on assessing implementation results, identifying impact on program operations, and preparing a strategic marketing plan to facilitate and encourage the significant expansion opportunities that potentially could be achieved. In response to the audit recommendations, the Department’s implementation efforts have been significant with expansion of the EDI operating environment from a relatively small number of trading partners and associated transactions to over 1,700 trading partners and 1.8 million annual procurement transactions valued at over $3 billion.

1997 Evaluation of the Design and Implementation of PAY-VA (Now called HR LINK$)

In 1997, the OIG provided an early assessment of VA’s design, development, and implementation process for the new HR LINK$ system that is expected to streamline VA’s human resource and payroll functions. The Department was in the initial stages of the system development initiative. We found that project managers had established management control over the multi-faceted details this system development effort entailed, and user involvement was significant. However, we identified opportunities to enhance HR LINK$ implementation efforts concerning project documentation and workplans, cost information, contract deliverables, system security, correction of identified material weaknesses, training, and Contracting Officer’s Technical Representative (COTR) duties.

1999 Audit of Veterans Health Administration (VHA) Decision Support System (DSS) Standardization

In 1999, the OIG reviewed the implementation of a new management information system intended to aid clinicians, managers, and executives in making decisions affecting the delivery of health care. This audit was requested by the Under Secretary for Health to determine if implementation of DSS was sufficiently standardized to ensure the usefulness of DSS data. DSS represents VHA’s first automated managerial cost accounting system for the delivery of medical care that will provide VHA managers with cost and clinical information for consideration when making clinical decisions, managing workload, and controlling medical costs. Our audit found that the potential usefulness of DSS and its data was being compromised because some VAMC staff had diverged from the system’s basic structural standard. Where such divergence had been detected, it prevented data from these VAMCs being accurately aggregated along with data from other facilities that did adhere to the structural standard. In order that DSS can achieve its full potential, the Department needs to ensure adherence with the standard DSS structure. We estimate that, through September 1998, DSS represented an investment of about $140 million for VHA.

Procurement and IT Capital Investment Initiatives

Our review efforts have identified opportunities for VA to enhance the efficiency and effectiveness of IT contracting initiatives and assure that the Department’s IT capital investment process addresses the requirements of the Clinger-Cohen Act. Our review efforts included:

1998 Audit of VA Procurement Initiatives for Computer Hardware, Software, and Services (PCHS/PAIRS) and Selected Information Technology Investments

In 1998, the OIG reviewed VA’s acquisition initiatives for procurement of computer hardware and software (PCHS) and the procurement of automated information resources solutions (PAIRS). These acquisition initiatives were to be the principal nationwide, non-mandatory sources for acquiring IT equipment and services for VA. Our review found that acquisition risks associated with the PCHS procurement had been effectively addressed by VA’s procurement planning actions. We also identified opportunities for VA to enhance its IT contracting initiatives and help address and meet IT performance expectations included in the Clinger-Cohen Act. Key issue areas requiring VA action included: (1) use of national contracts, (2) Veterans Health Administration’s major IT initiative for clinical workstation replacements (capital investment valued between $700 and $800 million), (3) IT performance expectations (audit found that VA needed to reduce IT costs by $22 million a year and by $101 million over 5 years), (4) IT hardware requirements (audit found that VA could potentially spend an additional $36 million for its replacement of dumb terminals with unnecessary upgraded equipment), (5) planning PAIRS procurement strategy, and (6) COTR training.

At the time of the audit, the Department was in the initial stages of taking actions to comply with the Clinger-Cohen Act. Since then, VA has developed a Department IT Portfolio, which contains a ranking of VA IT investments and a performance measurement/performance management strategy. VA has also developed an IT strategic planning process which includes an investment decision framework.

1998 Evaluation of VA Capital Programming Practices and Initiatives

In 1998, the OIG evaluated VA’s capital asset acquisition practices and efforts to implement a capital programming process. VA capital assets include land, structures, equipment, and IT hardware and software. We found that VA was making progress toward a comprehensive capital program for managing its capital investments, but additional policy was needed for VHA’s Veterans Integrated Service Network-level investments, and alternative capital funding strategies should be explored. Our evaluation found that VA’s capital investment initiatives for IT had made more progress than initiatives for other types of assets. VA was in the process of revising policies to meet the requirements of the Clinger-Cohen Act and related Office of Management and Budget initiatives. A significant accomplishment was the September 1997 VA Directive 6000, VA Information Resources Management Framework, that established an IT management framework and defined the responsibilities for planning, budgeting, procurement, and management in-use of IT assets.

1999 Audit of Procurement Initiatives for VA’s Integrated Data Communications Utility (IDCU) Telecommunications Support

The 1999 OIG audit examined the 10-year-old contract and planned replacement efforts for VA’s IDCU telecommunications support for network interface facilities. The IDCU is a Department-wide data communications network enabling VA users to connect from one automated system to another and to access various databases.

The audit found that the Department took positive steps to transition to a new wide area network (WAN) contract, but issues were identified in the old IDCU contract that adversely impacted VA operations and costs. The IDCU system and contract were no longer meeting VA’s telecommunication requirements effectively or efficiently. Key audit finding areas included: (1) contract modifications totaling $142 million were not supported with adequate documentation to explain why the contract increases were fair and reasonable; (2) VA spent approximately $3.1 million leasing and maintaining an excessive number of unused ports over the life of the contract; (3) VA needs to recover over $1 million in payments to the contractor for the Performance Management System that was not accepted; (4) VA saved $944,891 by terminating the acquisition support contract in response to our audit results; and, (5) VA could save an estimated $60,000 if consultant services were acquired through competitive means. We also advised the Department that it needed to conduct a formal risk assessment to adequately assess, manage, and mitigate the levels of risk associated with transitioning to a new WAN solution. In addition, we identified some key business decisions made by the contracting officer at the time the contract was awarded that negatively impacted VA’s ability to effectively administer this contract over its 10-year life cycle.

Combined Assessment Program (CAP) Reviews of Facility IT Acquisitions

In response to a November 3, 1999 memorandum from the Principal Deputy Assistant Secretary for Information and Technology, we agreed to include a review of the IT acquisition process as part of our regularly scheduled CAP reviews (30-35 reviews are planned annually). Our CAP reviews provide an independent and objective assessment of key operations and programs at VAMCs on a cyclical basis. The Principal Deputy Assistant Secretary wanted us to determine if any field activities may be acquiring IT (services and equipment) without following appropriate Department procedures for approval. So far, our review of IT acquisitions at VAMCs Dublin, GA, Biloxi, MS, and Denver, CO did not identify any problems in this area.

Information System Security Controls

Our review efforts over the last several years have identified Department-wide weaknesses in information system security that continue to make VA’s program and financial data vulnerable to error and fraud. These system security weaknesses are so serious that the Department has designated the information security area as a material weakness under the Federal Managers’ Financial Integrity Act. Our review efforts included:

1995 Audit of Security at the Central Office Automation Center

The audit found a need for improvement in physical and electronic access controls over equipment, sensitive data, and critical applications maintained by the Center. Security control weaknesses left the Center systems vulnerable to unauthorized access, inappropriate disclosure, and destruction of data.

1996 Audit of Security Controls at the Austin Automation Center

The audit found that VA needed to strengthen security controls to ensure that Center operations were adequately protected. A number of key security enhancement opportunities were identified that could help make the Center more physically secure as well as less vulnerable to unauthorized electronic access. The need for tighter security measures was also supported by the fact that the Center is located adjacent to an Internal Revenue Service Center that has been a target for bomb threats.

1997 Audit of Security Controls at the Hines Benefits Delivery Center

The audit found that security controls needed to be strengthened to ensure that Center operations were adequately protected. The review found that the Center’s security efforts could be better focused by establishing a proactive security program. Also, the Center needed to develop a current security risk assessment that adequately identified the criticality and sensitivity of the data processed and maintained, and the vulnerabilities to which the systems are exposed.

1998 Audit of Security Controls for the Integrated Data Communications Utility (IDCU)

The audit found that security controls needed to be strengthened to ensure that IDCU operations were adequately protected. Key security improvements were needed to assure adequate physical security controls at major IDCU facility switch sites and better control of remote access to the IDCU. Maintaining appropriate security and continuity of IDCU operations is important because this network provides key data communications support to more than 500 VA facilities that are connected to the IDCU as well as transmitting financial transactions and data associated with VA’s $48 billion budget.

1999 Consolidated Financial Statements (CFS) Audit

Audit tests completed this year continue to demonstrate widespread system security control weaknesses. We found that often, the needed improvements were well known within the security community, such as installing and implementing patches, employing more secure configurations, and making use of more secure management procedures. Our security control testing found that:

  • Access controls and monitoring were ineffective at VBA. Penetration tests at VBA demonstrated that weaknesses allowed us to obtain privileged access from outside and inside VBA to significant computing resources without being detected. This access was obtained using relatively unsophisticated methods and exploiting configuration weaknesses. These weaknesses could have been mitigated or prevented by stronger passwords, installing corrective patches, better configurations, and use of more secure management practices. We recommended that VA strengthen its password policy and suggested that the Principal Deputy Assistant Secretary for Information and Technology take specific actions to implement, and then to verify the successful implementation of a revised minimum password policy by December 31, 2000.
  • Significant weaknesses in automated data processing general controls also continued within VHA. For example, at one facility we determined that 3,860 users inappropriately had the ability to obtain one of the password files, and that 90 accounts remained active despite the fact that the owners had not signed on in more than a year.

We have reported system security control weaknesses in our 1997 and 1998 CFS audits and made recommendations for VA to implement a comprehensive security program that would improve access controls. During 1999, VA had proposed and taken a number of corrective actions that could result in an effective security program with strengthened access controls. However, these efforts are just beginning to be implemented and have not had time to permeate the organization. With the apparent resolution of significant Year 2000 concerns within VA, the Department can now better focus its efforts on information security.

This concludes my testimony. I would be pleased to answer any questions you and the committee may have.
