United States Department of Veterans Affairs

STATEMENT OF

ROBERT T. HOWARD
ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY
DEPARTMENT OF VETERANS AFFAIRS
BEFORE THE
COMMITTEE ON VETERANS' AFFAIRS
US HOUSE OF REPRESENTATIVES

February 28, 2007

Thank you, Mr. Chairman. I would like to expand on Deputy Secretary Mansfield's comments regarding the changes underway in the area of Information Technology. There are two specific areas I will focus on. First is the extensive reorganization taking place and second is the overarching program we have established to provide focus to all our remediation efforts.

The IT Realignment Program to transition the VA's IT Management System remains on track and is scheduled to be fully implemented by July 2008. By April 1, 2007, software development employees and programs will be permanently reassigned to the CIO. This action follows the consolidation of operations and maintenance under the CIO, which was finalized beginning this FY. We are implementing a process-based organizational structure, rooted in best practice processes that are aimed at correcting IT deficiencies that resulted in a loss of standardization, compatibility, interoperability and fiscal discipline. There are a total of four processes that are being introduced with the assistance of IBM, from a 'best practices' standpoint. We have also developed a different organizational framework to provide focus in key areas. The Office of Information and Technology is now comprised of five major organizational elements, built around these core process areas. These will report to the CIO.

Each of the five major organizational elements is led by a Deputy CIO. One Deputy CIO is charged with directing the information protection and privacy protection programs in VA. This official is also responsible for risk assessment, risk mitigation, evaluation and assessment as it relates to information protection. The DCIO for Information Protection and Risk Management has already drafted regulations as required by the Veterans Benefits, Healthcare and Information Technology Act of 2006. The regulations will address, at minimum, notification, data mining, fraud alerts, data breach analysis, credit monitoring, identity theft insurance and credit protection services.

To reach the "Gold Standard," as directed by the Secretary, we have implemented a new program to assess our information protection controls, develop plans to strengthen the controls where necessary, enforce the controls, and continuously monitor the information protection program. The action plan we have developed includes Development and Issuance of Policies and Procedures, Training and Education, Securing of Devices, Encryption of Data, Enhanced Data Security for VA's Sensitive Information, Enhanced Protection for Shared Data in Interconnected Systems, and Incident Management and Monitoring. A number of the specific requirements of the new law have already been introduced into our comprehensive plan. Regarding this plan, I personally review progress on a weekly basis.

In closing, I believe we have made progress in improving IT Operations in VA and we are working hard in partnership with the administrations and staff offices to improve our business practices to ensure the protection of veterans' sensitive information. Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions that the Committee may have.