United States Department of Veterans Affairs

Congressional and Legislative Affairs

STATEMENT OF
DR. JOHN A. GAUSS
ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY
DEPARTMENT OF VETERANS AFFAIRS
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
COMMITTEE ON VETERANS' AFFAIRS
U. S. HOUSE OF REPRESENTATIVES

March 13, 2002

Good morning Mr. Chairman and members of the subcommittee. On behalf of the Secretary of Veterans Affairs, I am pleased to have this opportunity to come here today and update you on the progress the Department has made in strengthening our Information Technology program, and specifically address issues relating to:

  • VA's Enterprise Architecture;
  • Cyber Security program;
  • VBA's VETSNET program;
  • VHA's Decision Support System; and,
  • VHA's Government Computer-Based Patient Records Program.

On April 4, 2001, the Secretary appeared before this committee and gave you his personal commitment to reform the way VA uses information technology. He committed to:

  • Developing a comprehensive integrated Enterprise Architecture that would end "stove-pipe" system design and incompatible system development;
  • Ensuring that networks and systems we depend upon are secure and available;
  • Conducting an independent audit of VETSNET to enable us to chart the proper course for future modernization of our Compensation & Pensions System; and,
  • Standardizing the use of the Decision Support System (DSS) in VHA to support day-to-day business and management decision processes.

I am pleased to report to you today that it is no longer "business as usual" in VA's information technology program. With respect to Enterprise Architecture (EA), the Department has selected a methodology known as the Zachman Framework to develop and maintain its One-VA EA. This methodology requires us to define all aspects of the VA Enterprise from a business process, data, technical, location, personnel, and requirements perspective. This has been accomplished. The next step in implementing the Zachman methodology is to define all functions related to each business process and identify associated data elements. Once identified, duplication of function and inconsistency in data definition can be identified. The hard job then follows to de-conflict the data definitions and resolve duplicative implementations of the same business function. This work is underway. Concurrent with reconciling business functions and data definitions, we have developed a technical implementation model for the future VA Information Technology (IT) Enterprise and are completing the development of a set of technical standards that will apply to all IT projects. Some of these standards will be based on open system commercial standards and some of these standards will be based on individual products for those cases where industry standards are immature or incomplete.

Companies in the private sector that have successfully modernized their IT enterprises have taken a two-pronged approach to their modernization. First they modernized their IT infrastructure to provide a network and computing environment capable of implementing re-engineered business processes. In parallel, they re-engineered their business processes, modernized the IT used to implement those processes, and finally implemented the IT on the modern, high performance, cost effective infrastructure. These commercial best practices are part of our overall strategy. Enterprise Architecture imposes a discipline on how we manage and implement our IT programs. Implementing these disciplines will be accomplished in the near term; however, completing the Zachman Framework for the entire VA enterprise will take several years and will require modernization of several of our major IT systems such as VistA.

Specific progress since the last hearing follows:

  • The Department of Veterans Affairs "Enterprise Architecture: Strategy, Governance & Implementation" was approved in September 2001.
  • The Information Technology Board (ITB), which is a critical element of the Enterprise Architecture Governance, was established in October 2001.
  • VA's ITB has chartered an Enterprise Architecture Council (EAC), and an Enterprise Architecture Working Group has been established.
  • An Acting Chief Architect has been appointed. We are in the process of establishing and recruiting for a VA Chief Architect (SES level); and a program-staffing plan has been developed.
  • The top-level definition of the VA enterprise has been completed.
  • A technical model for the implementation of new IT projects has been defined.
  • A comprehensive change in how we oversee the management of our IT Projects has recently been approved. This new oversight process will ensure that all new IT projects are developed in compliance with the Enterprise Architecture.
  • A draft Enterprise Architecture Implementation Plan is under final review by my staff and will be approved by no later than 30 April 2002.

With respect to ensuring that the networks and systems we depend upon are secure and available, Cyber Security is another issue that has the Secretary's highest priority. In order to effectively secure our networked information, we must completely understand the topology of our data network. Our current network is overly complex, too expensive for the performance it provides, and does not have an enterprise wide network management capability. This complexity and lack of network management capability seriously impede our ability to properly secure and assure network services. Further, our current network infrastructure will not support the modernization of our enterprise as previously discussed. To correct these deficiencies, we have embarked on a project to re-architect our data network and change the network from a circuit-based network to a performance-based network. The VA Strategic Management Council reviewed and the Deputy Secretary has approved this project in concept. The detailed Business Case Analysis, Cost Benefit Analysis, Return on Investment Analysis, and Analysis of Alternatives are being developed. I anticipate these analyses will show that converting our data network from a circuit-based network to a performance-based network will:

  • Simplify the complexity;
  • Substantially improve performance in support of our EA efforts;
  • Establish a network management capability;
  • Significantly improve the security and assurance of service;
  • Remain within the current data network budget; and,
  • Be accomplished within the scope of the existing FTS2001 telecommunications contract managed by GSA.

As Secretary Principi stated in his April 4, 2001 testimony, he takes the privacy and security of the information VA collects on our veterans very seriously. Since the last hearing, our Office of Cyber Security has conducted a review of the Department's security posture, paying particular attention to the findings of our Office of Inspector General (OIG) and the General Accounting Office (GAO). As a result of this review, we have established Department-wide priorities for securing VA's computing enterprise. Our first priority is securing VA's boundary against external attack. An Enterprise Cyber Security project, approved for project initiation by VA's Strategic Management Council in February, was the first step in meeting this priority.

This project will coincide with the previously discussed data network project. As we transition to a performance-based network, we will collapse the total number of gateways to external networks to a manageable number while providing significantly increased security protections at these gateways. Design and implementation of this standardized architecture and configuration will better protect VA's information systems and internal critical information repositories from external and internal attack. This and our data network project are key components of our approach to implementing a secure Enterprise Architecture and correcting Cyber Security deficiencies noted by our OIG and the GAO.

Other major improvements in our Cyber Security posture include:

  • Deployment of anti-virus software across the entire Department;
  • Implementation of a VA-wide firewall policy to protect the boundaries of our enterprise from external attack;
  • Development of an acquisition strategy to enhance VA's existing central incident response capabilities, thereby ensuring immediate and effective action to counter such threats as the recent Code Red virus attack;
  • Development of a comprehensive Certification and Accreditation policy to ensure that IT systems undergo a rigorous security review prior to being authorized to process sensitive information; and
  • Deployment of several intrusion detection system pilot projects, which will serve as components of the Enterprise Cyber Security Infrastructure Project, to detect when external sources are attempting to intrude our networks so that proper defensive measures can be taken to protect the confidentiality of veteran data.

Since completing the GISRA self-assessment survey last August, the Department has aggressively pursued remediation of its reported information technology security deficiencies. Remediation of many of these deficiencies has increased our compliance with security requirements considered essential in ensuring data integrity, confidentiality, and sensitivity.

Concerning VETSNET, as you are aware, VBA embarked on a path to modernize and integrate IT used to support all of their business lines in the mid 1990s; however, they embarked on this path without the benefit of creating an Enterprise Architecture with its associated disciplines. When this "grand design" was found to be too hard to execute in the late 1990s, VETSNET became the name applied to the development and modernization of IT used to support the Compensation & Pension (C&P) program. VETSNET became a set of independently developed applications that, when fully fielded, would replace the Benefits Delivery Network (BDN). Many of these VETSNET applications have been fielded. Development activities remain on two applications required to replace BDN.

This past summer, Secretary Principi directed an independent audit of VETSNET to determine if the entire collection of VETSNET applications would be capable of operating under a full workload if deployed in all of VBA's Regional Offices (ROs). This audit examined the overall architecture of VETSNET and included a set of stress tests to determine if the system could perform as required. The results of this audit determined that the system would be capable of performing acceptably, in a fully loaded environment, once several changes are made to the system. This audit did not include a comprehensive set of functional tests to determine if each function performed as designed.

As a result of this audit, I directed VBA's CIO to develop a comprehensive plan to bring VETSNET into compliance with the Enterprise Architecture to include completing the two remaining VETSNET, or C&P Replacement, applications; implementing the changes recommended from the independent audit; performing detailed functional testing of all VETSNET applications; and conducting a comprehensive stress test to ensure all changes are implemented correctly. FY2003 and FY2004 funding will be used to complete this effort. I anticipate these actions will be completed in April 2004. Actual deployment of VETSNET (C&P Replacement) will be determined as a function of when VBA can afford to insert a new system into the ROs, with the companion learning curve, such that the impact on working off backlogged claims can be effectively managed.

I know this is a very sensitive issue and I will personally oversee progress to ensure VETSNET meets the projected time line. Should this effort proceed with the same problems of its past, I will recommend to the Secretary that the effort be terminated.

With respect to the Decision Support System (DSS), we have made significant strides to improve data quality and access. Combining clinical and financial information from existing data systems into an integrated database to support informed decision-making, DSS serves all VA Medical Centers and about 800 Outpatient Clinics. Not only does the system continue to provide critical data for making informed decisions for planning, programming and budgeting, DSS also aids in patient care process improvement and quality control.

A DSS Steering Committee, comprised of field representatives and chaired by a Veterans Integrated Service Network (VISN) Director, serves as VHA's advisory body to ensure field requirements are identified and considered as functional upgrades. Further, this steering committee works to achieve standard operation of DSS across all of VHA.

Much progress has been made in achieving VHA-wide standardization in the way DSS is utilized; however, this is still work in progress that is being addressed through improved staff training. We have identified numerous Centers of Excellence for DSS application that will impart best practices across all of VHA.

I recently conducted a post implementation review of DSS. During that review, I directed VHA's CIO to develop a proposal for modernizing DSS to address several noted deficiencies for consideration in the FY2004 budget submission. DSS was developed in late 1980s technology and is therefore very expensive to operate, maintain and implement new functions identified by the DSS Steering Committee. Further, since DSS was developed prior to the definition of today's cyber security requirements, DSS was not designed with the proper level of cyber security protection. Considering all of these factors, it is worth developing a Business Case, performing an Analysis of Alternatives and determining the possible return on investment for a potential FY2004 modernization project.

With respect to the Government Computer Patient Records (GCPR) program, we have re-baselined and re-scoped the program to address issues identified in a 2001 GAO report. The re-baselined GCPR program uses a VA application called the Computer Patient Record System (CPRS) as a fundamental building block. CPRS enables a clinician to access clinical data from any VA health facility. GCPR is a database that receives DoD clinical data (but not physician notes). CPRS is the application that will enable VA to import clinical data from the GCPR database in addition to clinical data available within VA as previously described. GCPR is in the final stages of field-testing. As part of the test program, DoD has completed transmitting health information on approximately 3.7 million records on separated service members to GCPR (note: a separated service member may have more than one record if treated at more than one military health facility). Within the next few weeks, I will chair a review of the test results to determine whether or not the first phase of GCPR is ready for deployment. Future investment in GCPR will enhance functionality based on clinician feedback once operational.

This implementation of GCPR addresses only part of the ultimate solution of medical information sharing with DoD. We are currently working closely with DoD to determine the correct path for the future. We need to address matters of data standardization, technology sharing, and the establishment of interoperable data interfaces.

Mr. Chairman, I am very concerned about two other areas in addition to what I have presented to you today.

  • First, we need to reverse the trend in IT spending in two different areas. Our overall IT budget continues to grow. Even more troubling is the sustainment costs to operate and maintain in-service IT systems as a percentage of the overall budget. For example, 62% of our current FY 2002 budget is earmarked for sustainment. As the current systems continue to age, we can expect the percentage of our IT dollars that we spend for maintaining the current state to increase dramatically. As we formulate the IT budget for FY2004, we will develop a five-year strategy to reverse these two trends of IT spending.
  • Second, just like other agencies, our IT workforce is aging, with a large percentage nearing retirement. To address this issue, I have launched an aggressive IT Workforce Initiative to develop and implement a plan for evolving the workforce, recruiting new people, training current employees with modern skills, and managing workforce sustainment and succession. In addition to the business and technical elements of the Enterprise Architecture, this workforce initiative will complete the last critical element of the Enterprise Architecture.

I hope I have provided some insight as to why it is no longer "business as usual" at VA. I believe these efforts demonstrate our very strong commitment, at all levels, to building an effective information technology program for the long-term. I also hope to establish confidence that we will be successful in implementing a comprehensive, coordinated, and efficient IT program within the Department. With your assistance, we will be able to continue on this path forward to ensure our continued ability to service the health and benefit requirements of our veteran population and their dependents.

Thank you for this opportunity to discuss these very important IT issues. I will be happy to answer your questions.