VA’S INFORMATION TECHNOLOGY PROGRAM
TESTIMONY OF RICHARD J. GRIFFIN, INSPECTOR GENERAL, DEPARTMENT OF VETERANS AFFAIRS
HOUSE COMMITTEE ON VETERANS’ AFFAIRS, SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
May 11, 2000
Mr. Chairman and
Members of the Subcommittee, I am pleased to be here today to comment
on the Department of Veterans Affairs (VA) Information Technology (IT)
program. During the last several years, the Office of Inspector
General (OIG) has reviewed selected VA IT system development
initiatives, procurements, and capital asset acquisition practices
that identified opportunities where the Department could enhance its
IT investment efforts. Our IT review efforts have also focused on
Department information system security controls.
As outlined in the
Clinger-Cohen Act of 1996, Federal agencies are now required to focus
more on the results achieved through IT investment while streamlining
the Federal IT procurement process. The Act requires agency heads to
design and develop a process for maximizing the value and assessing
and managing the risk of an agency’s IT acquisitions. While the
Department is taking certain positive actions to comply with the Act,
our audits have found that the Department needs to more fully assure
that IT resources are effectively used and user IT needs are
efficiently met. Effective management and oversight of VA’s IT
investment is important given the significant annual investment of
over $1 billion in IT by the Department.
The OIG has been
involved with review and oversight of Department IT program
initiatives since 1995. These reviews have included IT system
developments, procurement of Department-wide telecommunications
support, initial efforts by the Department to address the requirements
of the Clinger-Cohen Act that include IT capital investment
initiatives, and information system security controls. In addition to
these efforts, we review the IT acquisition process followed by local
VA Medical Centers (VAMC) as part of our Combined Assessment Program
(CAP). This review effort is being completed in response to a request
from VA’s Principal Deputy Assistant Secretary for Information and
Technology, to determine if any field activities may be acquiring IT
(services and equipment) without following appropriate Departmental
procedures for approval.
IT System Developments
Our review efforts have
identified opportunities for enhancements in key VA system
developments involving Electronic Data Interchange (EDI), human
resources and payroll, and a management information system to support
delivery of health care to veterans. Our review efforts included:
1995 Evaluation of Electronic Data Interchange (EDI) Implementation in VA
In 1995, the OIG
evaluated VA’s EDI implementation efforts and focused on current EDI
implementation initiatives in the acquisition and finance program
areas and future Departmental expansion opportunities. VA estimated
that efficiencies of $499 million over a 5-year period could be
achieved by replacing commonly used business documents with their
electronic equivalents. At the time of the audit, the Department was
in the initial stages of EDI implementation and we provided an early
assessment of implementation and identified opportunities to enhance
VA’s efforts. We found that attention needed to be focused on
assessing implementation results, identifying impact on program
operations, and preparing a strategic marketing plan to facilitate and
encourage the significant expansion opportunities that potentially
could be achieved. In response to the audit recommendations, the
Department’s implementation efforts have been significant with
expansion of the EDI operating environment from a relatively small
number of trading partners and associated transactions to over 1,700
trading partners and 1.8 million annual procurement transactions
valued at over $3 billion.
1997 Evaluation of the Design and Implementation of PAY-VA (Now called HR LINK$)
In 1997, the OIG
provided an early assessment of VA’s design, development, and
implementation process for the new HR LINK$ system that is expected to
streamline VA’s human resource and payroll functions. The Department
was in the initial stages of the system development initiative. We
found that project managers had established management control over
the multi-faceted details this system development effort entailed, and
user involvement was significant. However, we identified opportunities
to enhance HR LINK$ implementation efforts concerning project
documentation and workplans, cost information, contract deliverables,
system security, correction of identified material weaknesses,
training, and Contracting Officer’s Technical Representative (COTR)
duties.
1999 Audit of Veterans Health Administration (VHA) Decision Support System (DSS) Standardization
In 1999, the OIG
reviewed the implementation of a new management information system
intended to aid clinicians, managers, and executives in making
decisions affecting the delivery of health care. This audit was
requested by the Under Secretary for Health to determine if
implementation of DSS was sufficiently standardized to ensure the
usefulness of DSS data. DSS represents VHA’s first automated
managerial cost accounting system for the delivery of medical care
that will provide VHA managers with cost and clinical information for
consideration when making clinical decisions, managing workload, and
controlling medical costs. Our audit found that the potential
usefulness of DSS and its data was being compromised because some VAMC
staff had diverged from the system’s basic structural standard.
Where such divergence had been detected, it prevented data from these
VAMCs being accurately aggregated along with data from other
facilities that did adhere to the structural standard. In order that
DSS can achieve its full potential, the Department needs to ensure
adherence with the standard DSS structure. We estimate that, through
September 1998, DSS represented an investment of about $140 million
for VHA.
Procurement and IT Capital Investment Initiatives
Our review efforts have
identified opportunities for VA to enhance the efficiency and
effectiveness of IT contracting initiatives and assure that the
Department’s IT capital investment process addresses the
requirements of the Clinger-Cohen Act. Our review efforts included:
1998 Audit of VA Procurement Initiatives for Computer Hardware, Software, and Services (PCHS/PAIRS) and Selected Information Technology Investments
In 1998, the OIG
reviewed VA’s acquisition initiatives for procurement of computer
hardware and software (PCHS) and the procurement of automated
information resources solutions (PAIRS). These acquisition initiatives
were to be the principal nationwide, non-mandatory sources for
acquiring IT equipment and services for VA. Our review found that
acquisition risks associated with the PCHS procurement had been
effectively addressed by VA’s procurement planning actions. We also
identified opportunities for VA to enhance its IT contracting
initiatives and help address and meet IT performance expectations
included in the Clinger-Cohen Act. Key issue areas requiring VA action
included: (1) use of national contracts, (2) Veterans Health
Administration’s major IT initiative for clinical workstation
replacements (capital investment valued between $700 and $800 million),
(3) IT performance expectations (audit found that VA needed to reduce
IT costs by $22 million a year and by $101 million over 5 years), (4)
IT hardware requirements (audit found that VA could potentially spend
an additional $36 million for its replacement of dumb terminals with
unnecessary upgraded equipment), (5) planning PAIRS procurement
strategy, and (6) COTR training.
At the time of the
audit, the Department was in the initial stages of taking actions to
comply with the Clinger-Cohen Act. Since then, VA has developed a
Department IT Portfolio, which contains a ranking of VA IT investments
and a performance measurement/performance management strategy. VA has
also developed an IT strategic planning process which includes an
investment decision framework.
1998 Evaluation of VA Capital Programming Practices and Initiatives
In 1998, the OIG
evaluated VA’s capital asset acquisition practices and efforts to
implement a capital programming process. VA capital assets include
land, structures, equipment, and IT hardware and software. We found
that VA was making progress toward a comprehensive capital program for
managing its capital investments, but additional policy was needed for
VHA’s Veterans Integrated Service Network-level investments, and
alternative capital funding strategies should be explored. Our
evaluation found that VA’s capital investment initiatives for IT had
made more progress than initiatives for other types of assets. VA was
in the process of revising policies to meet the requirements of the
Clinger-Cohen Act and related Office of Management and Budget
initiatives. A significant accomplishment was the September 1997 VA
Directive 6000, VA Information Resources Management Framework,
that established an IT management framework and defined the
responsibilities for planning, budgeting, procurement, and management
in-use of IT assets.
1999 Audit of Procurement Initiatives for VA’s Integrated Data Communications Utility (IDCU) Telecommunications Support
The 1999 OIG audit
examined the 10-year-old contract and planned replacement efforts for
VA’s IDCU telecommunications support for network interface
facilities. The IDCU is a Department-wide data communications network
enabling VA users to connect from one automated system to another and
to access various databases.
The audit found that
the Department took positive steps to transition to a new wide area
network (WAN) contract, but issues were identified in the old IDCU
contract that adversely impacted VA operations and costs. The IDCU
system and contract were no longer meeting VA’s telecommunication
requirements effectively or efficiently. Key audit finding areas
included: (1) contract modifications totaling $142 million were not
supported with adequate documentation to explain why the contract
increases were fair and reasonable; (2) VA spent approximately $3.1
million leasing and maintaining an excessive number of unused ports
over the life of the contract; (3) VA needs to recover over $1 million
in payments to the contractor for the Performance Management System
that was not accepted; (4) VA saved $944,891 by terminating the
acquisition support contract in response to our audit results; and
(5) VA could save an estimated $60,000 if consultant services were
acquired through competitive means. We also advised the Department
that it needed to conduct a formal risk assessment to adequately
assess, manage, and mitigate the levels of risk associated with
transitioning to a new WAN solution. In addition, we identified some
key business decisions made by the contracting officer at the time the
contract was awarded that negatively impacted VA’s ability to
effectively administer this contract over its 10-year life cycle.
Combined Assessment Program (CAP) Reviews of Facility IT Acquisitions
In response to a
November 3, 1999 memorandum from the Principal Deputy Assistant
Secretary for Information and Technology, we agreed to include a
review of the IT acquisition process as part of our regularly
scheduled CAP reviews (30-35 reviews are planned annually). Our CAP
reviews provide an independent and objective assessment of key
operations and programs at VAMCs on a cyclical basis. The Principal
Deputy Assistant Secretary wanted us to determine if any field
activities may be acquiring IT (services and equipment) without
following appropriate Department procedures for approval. So far, our
review of IT acquisitions at VAMCs Dublin, GA, Biloxi, MS, and Denver,
CO did not identify any problems in this area.
Information System Security Controls
Our review efforts over
the last several years have identified Department-wide weaknesses in
information system security that continue to make VA’s program and
financial data vulnerable to error and fraud. These system security
weaknesses are so serious that the Department has designated the
information security area as a material weakness under the Federal
Managers’ Financial Integrity Act. Our review efforts included:
1995 Audit of Security at the Central Office Automation Center
The audit found a need
for improvement in physical and electronic access controls over
equipment, sensitive data, and critical applications maintained by the
Center. Security control weaknesses left the Center systems vulnerable
to unauthorized access, inappropriate disclosure, and destruction of
data.
1996 Audit of Security Controls at the Austin Automation Center
The audit found that VA
needed to strengthen security controls to ensure that Center
operations were adequately protected. A number of key security
enhancement opportunities were identified that could help make the
Center more physically secure as well as less vulnerable to
unauthorized electronic access. The need for tighter security measures
was also supported by the fact that the Center is located adjacent to
an Internal Revenue Service Center that has been a target for bomb
threats.
1997 Audit of Security Controls at the Hines Benefits Delivery Center
The audit found that
security controls needed to be strengthened to ensure that Center
operations were adequately protected. The review found that the Center’s
security efforts could be better focused by establishing a proactive
security program. Also, the Center needed to develop a current
security risk assessment that adequately identified the criticality
and sensitivity of the data processed and maintained, and the
vulnerabilities to which the systems are exposed.
1998 Audit of Security Controls for the Integrated Data Communications Utility (IDCU)
The audit found that
security controls needed to be strengthened to ensure that IDCU
operations were adequately protected. Key security improvements were
needed to assure adequate physical security controls at major IDCU
facility switch sites and better control of remote access to the IDCU.
Maintaining appropriate security and continuity of IDCU operations is
important because this network provides key data communications
support to more than 500 VA facilities that are connected to the IDCU
as well as transmitting financial transactions and data associated
with VA’s $48 billion budget.
1999 Consolidated Financial Statements (CFS) Audit
Audit tests completed
this year continue to demonstrate widespread system security control
weaknesses. We found that often, the needed improvements were well
known within the security community such as installing and
implementing patches, employing more secure configurations, and making
use of more secure management procedures. Our security control testing
found that:
- Access controls and monitoring were ineffective at VBA.
Penetration tests at VBA demonstrated that weaknesses allowed us to
obtain privileged access from outside and inside VBA to significant
computing resources without being detected. This access was obtained
using relatively unsophisticated methods and exploiting
configuration weaknesses. These weaknesses could have been mitigated
or prevented by stronger passwords, installing corrective patches,
better configurations, and use of more secure management practices.
We recommended that VA strengthen its password policy and suggested
that the Principal Deputy Assistant Secretary for Information and
Technology take specific actions to implement, and then to verify
the successful implementation of a revised minimum password policy
by December 31, 2000.
- Significant weaknesses in automated data processing general controls also continued within VHA.
For example, at one facility we determined that 3,860 users
inappropriately had the ability to obtain one of the password files,
and that 90 accounts remained active despite the fact that the
owners had not signed on in more than a year.
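An added example, not part of the testimony or of any VA system: a small audit check in Python for the two VHA findings described above (accounts left active after more than a year without a sign-on, and a password file readable by every local user), run over constructed sample records. The account names, dates and file mode are all made up for the example.

```python
import stat
from datetime import date, timedelta

# Constructed sample of account last-sign-on records (not VA data): user -> ISO date.
SAMPLE_ACCOUNTS = {
    "jdoe": "2000-04-30",
    "legacy_svc": "1998-11-02",
    "rsmith": "1999-03-15",
    "tjones": "2000-05-01",
}

def stale_accounts(accounts, as_of, max_idle_days=365):
    """Return users whose last sign-on is more than max_idle_days before as_of.

    Dates are ISO strings (YYYY-MM-DD), so the check runs directly on
    exported audit data without further conversion.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(u for u, last in accounts.items()
                  if date.fromisoformat(last) < cutoff)

def password_file_exposed(mode):
    """True if a file mode grants read access to group or others.

    Pass os.stat(path).st_mode for a real file; a password or shadow file
    readable by every local user is the exposure the finding describes.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(accounts, pw_file_mode, as_of):
    """Run both checks and return the findings together."""
    return {
        "stale_accounts": stale_accounts(accounts, as_of),
        "password_file_exposed": password_file_exposed(pw_file_mode),
    }

if __name__ == "__main__":
    # Constructed mode 0o644 (rw-r--r--): every local user can read the file.
    print(audit(SAMPLE_ACCOUNTS, 0o100644, "2000-05-11"))
```

Disabling the flagged accounts and tightening the file mode to owner-only (0o600) are the remediations the finding implies; re-running the audit afterwards confirms both are cleared.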
We have reported system
security control weaknesses in our 1997 and 1998 CFS audits and made
recommendations for VA to implement a comprehensive security program
that would improve access controls. During 1999, VA had proposed and
taken a number of corrective actions that could result in an effective
security program with strengthened access controls. However, these
efforts are just beginning to be implemented and have not had time to
permeate the organization. With the apparent resolution of significant
Year 2000 concerns within VA, the Department can now better focus its
efforts on information security.
This concludes my
testimony. I would be pleased to answer any questions you and the
committee may have.