
Hearing Transcript on Assessing Information Security at the U.S. Department of Veterans Affairs.


ASSESSING INFORMATION SECURITY AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS




 HEARING

BEFORE  THE

SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

OF THE

COMMITTEE ON VETERANS' AFFAIRS

U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED ELEVENTH CONGRESS

SECOND SESSION


MAY 19, 2010


SERIAL No. 111-78


Printed for the use of the Committee on Veterans' Affairs


U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON, DC:  2010


For sale by the Superintendent of Documents,  U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001



COMMITTEE ON VETERANS' AFFAIRS

BOB FILNER, California, Chairman


CORRINE BROWN, Florida
VIC SNYDER, Arkansas
MICHAEL H. MICHAUD, Maine
STEPHANIE HERSETH SANDLIN, South Dakota
HARRY E. MITCHELL, Arizona
JOHN J. HALL, New York
DEBORAH L. HALVORSON, Illinois
THOMAS S.P. PERRIELLO, Virginia
HARRY TEAGUE, New Mexico
CIRO D. RODRIGUEZ, Texas
JOE DONNELLY, Indiana
JERRY MCNERNEY, California
ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota
JOHN H. ADLER, New Jersey
ANN KIRKPATRICK, Arizona
GLENN C. NYE, Virginia

STEVE BUYER,  Indiana, Ranking
CLIFF STEARNS, Florida
JERRY MORAN, Kansas
HENRY E. BROWN, JR., South Carolina
JEFF MILLER, Florida
JOHN BOOZMAN, Arkansas
BRIAN P. BILBRAY, California
DOUG LAMBORN, Colorado
GUS M. BILIRAKIS, Florida
VERN BUCHANAN, Florida
DAVID P. ROE, Tennessee


Malcom A. Shorter, Staff Director


SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
HARRY E. MITCHELL, Arizona, Chairman

ZACHARY T. SPACE, Ohio
TIMOTHY J. WALZ, Minnesota
JOHN H. ADLER, New Jersey
JOHN J. HALL, New York
DAVID P. ROE, Tennessee, Ranking
CLIFF STEARNS, Florida
BRIAN P. BILBRAY, California

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.


C O N T E N T S
May 19, 2010


Assessing Information Security at the U.S. Department of Veterans Affairs

OPENING STATEMENTS

Chairman Harry E. Mitchell
    Prepared statement of Chairman Mitchell
Hon. David P. Roe, Ranking Republican Member
    Prepared statement of Congressman Roe
Hon. Steve Buyer


WITNESSES

U.S. Government Accountability Office, Gregory C. Wilshusen, Director, Information Security Issues
    Prepared statement of Mr. Wilshusen, and Valerie C. Melvin, Director, Information
        Management and Human Capital Issues
U.S. Department of Veterans Affairs:
    Belinda J. Finn, Assistant Inspector General for Audits and Evaluations, Office of Inspector General
        Prepared statement of Ms. Finn
    Hon. Roger W. Baker, Assistant Secretary for Information and Technology and Chief Information
        Officer, Office of Information and Technology
            Prepared statement of Mr. Baker


MATERIAL SUBMITTED FOR THE RECORD

Post-Hearing Questions and Responses for the Record:

Hon. Harry E. Mitchell, Chairman, Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, to Hon. Gene L. Dodaro, Acting Comptroller General, U.S. Government Accountability Office, letter dated May 20, 2010, and response letter from Gregory C. Wilshusen, Director, Information Security Issues, and Valerie C. Melvin, Director, Information Management and Human Capital Issues. U.S. Government Accountability Office

Hon. Harry E. Mitchell, Chairman, Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, to Hon. George J. Opfer, Inspector General, U.S. Department of Veterans of Affairs, letter dated May 20, 2010, and response letter dated June 21, 2010

Hon. Harry E. Mitchell, Chairman, and Hon. David P. Roe, Ranking Republican Member, Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, to Hon. Eric K. Shinseki, Secretary, U.S. Department of Veterans Affairs, letter dated May 20, 2010, and VA responses


ASSESSING INFORMATION SECURITY AT THE U.S. DEPARTMENT OF VETERANS AFFAIRS


Wednesday, May 19, 2010
U. S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Veterans' Affairs,
Washington, DC.

The Subcommittee met, pursuant to notice, at 10:06 a.m., in Room 334, Cannon House Office Building, Hon. Harry E. Mitchell [Chairman of the Subcommittee] presiding.

Present:  Representatives Mitchell, Space, Walz, Adler, and Roe.

Also Present:  Representative Buyer.

OPENING STATEMENT OF CHAIRMAN MITCHELL

Mr. MITCHELL.  Good morning and welcome to the Committee on Veterans' Affairs Subcommittee on Oversight and Investigations hearing on Assessing Information Security at the U.S. Department of Veterans Affairs (VA).  This hearing will come to order.

I ask unanimous consent that all Members have 5 legislative days to revise and extend their remarks and that statements may be entered into the record.  Hearing no objection, so ordered.

Today we will examine the current status of information security at the VA and its ability to protect itself against both malicious and accidental sensitive information breaches.

The Department of Veterans Affairs employs a sophisticated computing infrastructure to store the health and financial records of millions of American veterans and their families.  Each day, there is the potential for millions of attempts to gain unauthorized access to government computers that hold this information through unsecured ports and other means.

The risks to the VA of not implementing a sound information security program are considerable and, unfortunately, have already been seen through several situations in the past.

Just recently we have learned of two data breaches.  In Texas, 3,265 veterans' records were compromised when information went missing from a facility conducting lab tests.  In a second instance in Texas, a VA contracted company had a laptop stolen, compromising the records of 644 veterans.

These recent data breaches are proof that VA still has a long way to go in ensuring our Nation's veterans that their most sensitive information is being safely stored and handled.

The Federal Information Security Management Act of 2002, or FISMA, is a critical and evolving mandate designed to help Federal Government entities, including the VA, protect personally identifiable and otherwise sensitive information.

In March of this year, the Office of Management and Budget (OMB), released its fiscal year 2009 report on FISMA.  Unfortunately, the VA ranked dead last among other FISMA monitored agencies in areas such as the percentage of log-in users trained on information security awareness and also in the issuance of personal identity verification.

Additionally, the OMB report also lists that VA is one of six Federal agencies identified as having a material weakness. 

It is clear that the VA has a wide range of areas in which it must improve its information security infrastructure.  Strengthening interagency network connections, access controls, and improving configuration management are some of the things that will yield positive results in securing VA's computing network.

In light of the recent data breaches in Texas and OMB's recent release of its fiscal year 2009 FISMA report, there is no better time to review VA's information security posture and hear from the Department on how they plan to address the challenges they face securing the personal information of our Nation's veterans.

I am pleased that both the VA Office of Inspector General (OIG) and the U.S. Government Accountability Office (GAO) are here to shed light on additional improvements that the VA can make.  I look forward to their testimony. 

[The prepared statement of Chairman Mitchell appears in the Appendix.]

Mr. MITCHELL.  Before I recognize the Ranking Republican Member for his remarks, I would like to swear in our witnesses.  And I ask all witnesses from both panels to please stand and raise their right hand.

[Witnesses sworn.]

Mr. MITCHELL.  Thank you.

I would now like to recognize Dr. Roe for opening remarks.

OPENING STATEMENT OF HON. DAVID P. ROE

Mr. ROE.  Thank you, Mr. Chairman, and I appreciate you having this very important hearing.

And before we start, I would like to introduce a very close friend of mine, a highly decorated Vietnam veteran who is visiting in Washington, Mack McKinney.

Mack, if you would stand.  I certainly appreciate your service.

[Applause.]

Mr. ROE.  Mack is a Sergeant Major.  And, Ranking Member Buyer and Mr. Chairman, Mack did it on the ground in Vietnam. 

And thank you for your friendship.

The security of the information the Federal Government has under its purview is of high importance.  Recognizing that importance, Congress passed several Acts to increase security awareness throughout Federal agencies including the Department of Veterans Affairs.

In 2002, Congress passed the Federal Information Security Management Act, which permanently reauthorized the framework laid out by previous legislative initiatives such as the Computer Security Act of 1987, the Paperwork Reduction Act, that must be the oxymoron of all oxymorons right there, the Information Technology Reform Act of 1996, and the Government Information Security Reform Act of 2000.

The enactment of FISMA was a critical step to ensure the continuation of requirements and, therefore, the ability to effectively identify and track the Federal Government's information and security system status.

Prior to 2001, the VA Office of Inspector General and other outside agencies had expressed concern and identified material weaknesses regarding information security management at VA.

Since 2001, OIG reviews of VA FISMA compliance continued to identify significant information security vulnerabilities that placed VA at risk of denial of service attacks and disruption of mission critical systems and unauthorized access to sensitive data. 

Numerous security weaknesses were identified, but generally not corrected by VA even after the OIG identified repeated weaknesses over several years.

One glaring example of this state of affairs was demonstrated by a fiscal year 2004 report where the OIG made 16 recommendations to VA to strengthen information security management, which remained opened at least up until May 23rd, 2006.

Since the data breach of May 2006, the second largest in the Nation and the largest in the Federal Government, we have seen the centralization of VA's information management including information security. 

These efforts have continued through the current Administration under Assistant Secretary Baker's lead.  I appreciate the massive undertaking by both the previous Administration and the current Administration to tighten the controls on protecting the data of our Nation's veterans.

However, while progress has been made in centralizing the information technology (IT) Department at the VA, I am uncertain how much progress has been made in protecting information managed by the Department.

In reviewing the FISMA reports issued by OMB over the past 7 years, I am concerned about the VA's status with respect to information security.

In May of 2006, the VA did not even file a report on its FISMA compliance.

In 2007, the VA received an F on its FISMA compliance.

Most glaring is the recent 2009 FISMA report which shows that even though VA has over 500 FTEs assigned to security related duties, it had the lowest percentage of log-in users trained in information security, 65 percent, and the lowest percentage of personal identifying verification credentials issued by the Agency, less than five percent to employees and contractors.

I am highly concerned that VA is just not taking information security seriously enough.  The protection of the personal information of our Nation's veterans should be a high priority at the Department.  We do not want another security breach at the Department and we certainly do not want another one that would reach the level of the May 2006 breach.  But if VA continues on its current path, we may just have that.

On April 28th, 2010, my staff was alerted to a stolen laptop which had access to VA medical center data.  This contractor owned the laptop, which was unencrypted and possibly contained the personal identification information of approximately 644 veterans.

Upon further investigation, we learned that in November 2009, the Department issued a directive for VA to incorporate VA Acquisition Regulations (VAAR) Clause 852.273-75, which provides security requirements for unclassified information technology resources.

The VA reviewed 22,729 contracts to determine whether the contracts required the inclusion of this clause.  Sixty-four hundred required the inclusion of VAAR contracts that has the clause inserted.  That is 88 percent.  Five hundred and seventy-eight contractors refused to sign the clause, nine percent, and an additional 197 still require clause.

I have many questions over this issue, some of which I hope we can answer in today's hearing. 

Why was the clause not enforced prior to 2009? 

Did Heritage Health Solutions have the clause included in their contract? 

What are VA's plans as far as the 578 contractors who refuse to sign the clause when added to their contract?   Number four, what was the primary reason that most of the contractors refused to sign on to the additional clause?  And, finally, what is VA going to do to tighten the controls on contractor-owned equipment that is regularly accessing the VA networks and storing data related to our Nation's veterans?

To place our veteran information at risk is irresponsible.  These men and women have fought for our Nation, have placed their own lives in jeopardy to secure our freedom, and we repay them by tossing caution to the wind with respect to their personal information.  This is totally unacceptable. 

VA must take immediate action to secure our veterans' information and to ensure that all contracts requiring access to any data at the VA include the protections our veterans need and require.

Thank you again, Mr. Chairman, and I yield back.

[The prepared statement of Congressman Roe appears in the Appendix.]

Mr. MITCHELL.  Thank you.

Mr. Walz?

Mr. WALZ.  I will yield.

Mr. MITCHELL.  Okay.  Mr. Buyer?

OPENING STATEMENT OF HON. STEVE BUYER

Mr. BUYER.  Mr. Chairman, I would ask unanimous consent that I may participate in today's hearing and I will ask questions at the end of all Members of the Committee.

Mr. MITCHELL.  Without objection.

Mr. BUYER.  I would also ask unanimous consent to give an opening statement.

Mr. MITCHELL.  Without objection.

Mr. BUYER.  All right.  Thank you very much.

I appreciate you allowing me to join in the O&I Subcommittee hearing.  As you know, the protection of personal information of the Nation's veterans has been a high priority of mine actually for the last decade.

During the 109th Congress, in order to address the serious deficiencies in data protection for personally identifying information maintained by the VA, I introduced legislation entitled the "Veterans Identity and Credit Security Act of 2006", H.R. 5835, which passed the House by a vote 408 to zero.

This legislation was later incorporated into legislation that became Public Law 109-461.  It is my hope that this Public Law would provide the VA with the necessary tools with which to combat information security flaws at the VA.

In August of 2006, the VA issued VA Directive 6500, which detailed the steps by which the Department would provide compliance with system security measures. 

And on September 18th of 2007, the Department issued national rules of behavior for employees and contractors to use as a means to secure the data contained in VA's information systems.

Upon further investigation, we learned that in November of 2009, the Department issued an additional directive for VA to incorporate VA Acquisition Regulation 852.273-75 into all contracts where this type of information might be accessed.

I applaud Secretary Shinseki and Assistant Secretary Baker for taking these measures to protect our Nation's veterans and their personal information.  Unfortunately, the recent data breaches in April are a stark reminder that the VA and Congress must always be vigilant in protecting this information wherever it may exist.

The details of these breaches clearly indicate that the VA is still unable to adequately protect veterans' personal information.  It also shows that senior managers do not know what their responsibilities are and that responsibilities are not clearly defined especially between the contracting process and the information security management process.

So that is why, Mr. Chairman, I am really pleased that you have not only our Chief Procurement Officer here but also our Chief Information Officer (CIO) so we can understand the delineations of their responsibilities.

Mr. Chairman, I am here to determine if there was something we missed in the legislation that we passed 4 years ago.  So I am hopeful that the Administration can advise us if there are any particular needs or if, in fact, there are problems with the legislation or where did we go wrong.  How do we improve this situation?  And I also want to hear about where we go about fixing the current situation with regard to the contracts.

This most current breach involves a contractor that had 69 contracts in 13 Veterans Integrated Service Networks (VISNs) involving over 30 VA medical centers.  Twenty-five of these contracts were missing security clauses.  The contractor signed all certificates of compliance.  Nobody at the VA checked and verified to my knowledge.  I want to know who at the Veterans Health Administration (VHA) was asleep at the wheel.  Where is the accountability and, in fact, who is accountable, who is responsible?

When Secretary Shinseki ordered a review of 22,729 VHA contracts last February, over 6,000 were missing the basic IT security clause.  These contracts were modified over a period of 7 months to include the security clauses.  It appears to me that no one at VHA contracting verified any compliance in spite of certificates of compliance by contractors.  Disciplined contracting in the VA is dysfunctional and clearly broken.  It is highly decentralized and with almost total absence of contract review or oversight.  What is going to happen to the 578 contractors who refused to sign the modification to their contracts to put the information security clause in place? 

And who is going to step forward and pay for such compliance if, in fact, they do not want to or if we have got ourselves in a position whereby maybe they are providing a particular medical service, and I am leaning over to the VHA, to say that the service that they provide is so important, yet they refuse to sign the clause, what are you going to do and who is going to pay for what or do they feel that they have leverage over us that we are going to pay for the IT?

I do not know.  I am interested to see how you are going to be able to work that out or if you are going to have to reprogram monies or you have got monies to be able to do this type of thing.

I want to thank you, Mr. Chairman, for holding this hearing and to the Ranking Member. 

The record clearly shows that on May 6th, 2006, the data breach occurred.  This was the largest in the Federal Government and the second largest in American history.  This Committee worked side by side in a bipartisan manner to strengthen the IT security at VA.  And I look forward to working with you to resolve this matter.

I also want to thank Roger Baker.  You stepped forward into the breach.  I am not here to beat you up at all.  I recognize that this is work in progress.  This is maintenance.  And I am not downplaying this.  I know this is a very large system.  We worked very hard to centralize this IT.

I also recognize that you have not had the most cooperation or the best effort of cooperation from VHA over the years.  You know, they have done everything imaginable in my personal opinion to derail the centralized effort.  And they also have not been as forthcoming with regard to security compliance and assurances that I think they should.

So you stepping into this breach, accepting responsibilities, and then you ensuring that not only your eyes but the eyes of the men and women who then serve directly under you in your lines of authority put their eyes at the VISN and the medical centers into that process extremely important.

And you recognize that.  And I want to applaud you for doing that.  So when your CIO at the medical center wants to put their eyes into that medical contract and the Chief Medical Officer then sitting at that board table said get your nose out of my business, no, no, no, no, no, no.  It is your business.

And you were in the room when we designed this.  And that is why I am glad that you are in charge when problems arise too.  So you and I and this Committee are on the same page.  And I applaud you for that.

I also want to thank the GAO and the OIG for your work.  I read your reports last night.

Thank you, Mr. Chairman.  I yield back.

Mr. MITCHELL.  Thank you.

At this time, I would like to welcome panel one to the witness table.  And joining us on the first panel is Greg Wilshusen, Director of Information Security Issues at the U.S. Government Accountability Office, accompanied by Valerie Melvin, Director of Information Management and Human Capital Issues. 

I would also like to welcome Belinda Finn, Assistant Inspector General for Audits and Evaluations, Office of Inspector General, U.S. Department of Veterans Affairs.  Ms. Finn is accompanied by Michael Bowman, Director of Information Technology and Security Audits in the Office of Inspector General.

I ask that all witnesses stay within 5 minutes for their opening remarks.  Your complete statements will be made part of the hearing record. 

At this time, I would like to welcome and recognize Mr. Wilshusen.

STATEMENTS OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED BY VALERIE C. MELVIN, DIRECTOR, INFORMATION MANAGEMENT AND HUMAN CAPITAL ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND BELINDA J. FINN, ASSISTANT INSPECTOR GENERAL FOR AUDITS AND EVALUATIONS, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MICHAEL BOWMAN, DIRECTOR, INFORMATION TECHNOLOGY AND SECURITY AUDITS, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS 

STATEMENT OF GREGORY C. WILSHUSEN

Mr. WILSHUSEN.  Chairman Mitchell, Members of the Subcommittee, thank you for the opportunity to participate at today's hearing on VA's information security program.

Since 1997, GAO has identified information security as a governmentwide high risk issue.  This has been particularly true at VA where the Department has been challenged in protecting the confidentiality, integrity, and availability of its computer systems and information.

At previous hearings before this Subcommittee, we have testified on some of these challenges.  Today we will discuss VA's progress in implementing information security and complying with FISMA.

Mr. Chairman, for over a decade, VA has faced long-standing information security weaknesses that have left it vulnerable to disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information.  Nevertheless, the Department has made limited progress in resolving these weaknesses.

In September 2007, GAO reported that shortcomings in the implementation of several departmental initiatives to strengthen security could limit their effectiveness.  At that time, we made 17 recommendations for improving the Department's security practices including, for example, developing guidance for its information security program and documenting related responsibilities.

VA has implemented five of those recommendations and has efforts underway to address eleven of the remaining twelve.  We plan to follow-up this year with the Department to determine whether it has fully implemented our recommendations.

For the 13th year in a row, VA's independent auditor reported that inadequate system controls over financial systems constituted a material weakness in fiscal year 2009.  Among 24 major Federal agencies, VA was one of six to report such a material weakness.

Deficiencies were reported in each of the five major categories of information security controls including, for example, access controls, which are intended to ensure that only authorized individuals can read, alter, or delete data, configuration management controls which provide assurance that only authorized programs are implemented, and segregation of duties which reduce the risk that one individual can independently perform inappropriate activities without detection.

Also for fiscal year 2009, the VA Office of Inspector General designated the Department's information security program as a major management challenge.  Of 24 major agencies, VA was 1 of 20 to have information security so designated.

In March 2010, we reported that Federal agencies including VA had made limited progress in implementing the governmentwide initiative to deploy a standardized set of configuration settings on Windows workstations.  We determined that VA had satisfied certain requirements of the initiative but had not fully implemented other key requirements.

Accordingly, we recommended that VA, among other things, complete implementation of its approved set of configuration settings and acquire and deploy a tool to monitor compliance with those settings.  VA concurred with our recommendations and indicated that it plans to implement them by September 2010.

VA's progress in implementing FISMA-related control activities has also been mixed.  For example, from fiscal year 2006 through 2009, the Department reported a dramatic increase in the percentage of systems for which a contingency plan was tested.  However, during the same period, the Department reported decreases in the percentage of employees who had received information security training.

Compared to 23 other major agencies, VA's performance in implementing these control activities was equal to or higher in some areas and lower in others.

In summary, Mr. Chairman, effective security controls are essential to securing the systems and information on which VA depends to carry out its mission.  The Department continues to face challenges in resolving long-standing weaknesses.  Overcoming these challenges will require sustained leadership, management commitment, and effective oversight. 

Until VA fully and effectively implements a comprehensive security program and mitigates known vulnerabilities, its computer systems and sensitive information will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, and theft.

This concludes our opening statement.  And Ms. Melvin and I would be happy to answer your questions.

[The prepared statement of Mr. Wilshusen and Ms. Melvin appears in the Appendix.]

Mr. MITCHELL.  Thank you very much.

Ms. Finn?

STATEMENT OF BELINDA J. FINN

Ms. FINN.  Thank you, Chairman Mitchell.

Chairman Mitchell and Members of the Subcommittee, thank you again for the opportunity to discuss our work on VA's implementation of an agency-wide information security program.

With me today is Mr. Michael Bowman, Director of Information Technology and Security Audits for the OIG.

In March 2010, we issued our report on the fiscal year 2009 assessment of FISMA implementation.  That report included 40 recommendations for improving VA's information security program.

Seven years after FISMA's enactment, we continue to find significant deficiencies with information system security controls that could have potentially alarming consequences.

While VA has made progress defining policies and procedures, it faces significant challenges implementing effective controls over system and network access, system interconnections, configuration management, and contingency planning practices.

For example, during our testing of access controls, we identified significant weaknesses that expose VA mission critical systems to unauthorized access.  We found numerous weak or default passwords on application servers, databases, and networking devices at most VA facilities.  These weak or default passwords can allow malicious users to easily gain unauthorized access to mission critical systems.

For example, using a default password, a hacker could easily access a Microsoft database with administrative rights and change data or establish a back door to allow future entry into the database.

Second, our testing of system interconnections revealed a significant number of external connections that VA had not identified and were not actively monitoring.  This lack of comprehensive monitoring of these connections represents a significant risk that a hacker could penetrate the network and systems over an extended period of time without being detected.

Configuration management controls ensure that only authorized, tested, and adequately protected systems operate on our protected networks. 

We identified significant problems with software updates, virus protection, and other controls that resulted in unsecure web application servers, servers hosting vulnerable third-party applications, and excessive user access on critical database platforms.

These weaknesses could again allow malicious users to exploit the vulnerabilities and gain unauthorized access to VA systems.

Finally, our review of the contingency planning processes revealed many instances where VA facilities did not validate that personnel could restore mission critical systems at a remote processing site as planned.  Without in-depth and realistic contingency plan testing, VA cannot be certain that it can readily restore systems in the event of a disaster or service disruption.

Weaknesses in information security, policies, and practices can expose critical systems and data to unauthorized access and disclosure. 

While VA has made progress defining policies and procedures, implementing effective controls to protect systems and data from unauthorized access, alteration, or destruction represents a significant challenge in VA's highly decentralized and complex infrastructure.

We believe that the VA systems will remain at increased risk until VA fully addresses our recommendations and implements an effective information security program.

Mr. Chairman, that would conclude my oral statement.  Mr. Bowman and I will be happy to answer any questions that you or other Members of the Subcommittee may have.

[The prepared statement of Ms. Finn appears in the Appendix.]

Mr. MITCHELL.  Thank you.

Mr. Wilshusen, we learned recently of an incident in which the VA contractor's laptop, their computer that was unencrypted with veterans' information was lost or stolen.

What can the VA do to ensure that its contractors effectively secure the system and information that they operate or process on the VA's behalf?  And is the VA doing anything about this?

Mr. WILSHUSEN.  Well, as you know, under FISMA, agencies are responsible for assuring the security over their systems and information including those that are operated by contractors and other third parties or information that those contractors and third parties possess on behalf of the Agency.  VA can do a number of things and should be doing a number of things to protect that information.

First of all, it should be including and incorporating security requirements into its contracts with its contractors.  It should also assure and require that contractors certify that they are meeting the requirements of the contract.

But, importantly, it should also establish mechanisms for an independent confirmation that contractors are actually performing as they should be and as they are required to do under the contract. 

Clearly establishing and implementing a mechanism for monitoring contract performance and compliance will be critical to assure that agencies, I am sorry, that contractors are implementing those controls.

And then if there are instances where contractors are not complying with the required security measures, then they should be held accountable. 

And that is one of the areas, as I understand it, even though we have not yet looked at VA's actions in this area at present, the last we looked at VA was back in September 2007 where we identified a number of vulnerabilities with its information security program, but that is one area certainly that is important for VA to assure that contractors are implementing the appropriate security requirements over its information systems.

Mr. MITCHELL.  It seems like several of the high-profile data breaches affecting veterans' information occurred as a result of physical theft of IT resources such as a laptop computer or thumb drive.

What can the VA do to protect veterans and itself from these types of security incidents?

Mr. WILSHUSEN.  Well, you are absolutely correct.  For example, the May 2006 data theft involved the physical theft of an external hard drive and laptop as well as the more recent one from the contractor.  And, indeed, that across government is one of the types of incidents that results in significant data loss.

And what VA can do is a number of things.  One is ensuring that those laptops have strong authentication on them that require, for example, two factor authentication.  So someone who steals a laptop would need to not only know a particular piece of information such as a password or a PIN number but also possess either a token or some sort of biometric that would allow only one user then to access and authenticate to that system.

Certainly another key point is encrypting the data on the laptop.  That is essential.  VA has made progress with that on the Agency's laptops. 

In 2007, we did a test where we tested 248 laptops at eight locations and found that they had encrypted the laptops for 244, about 98 percent of the laptops.  But those were Agency laptops.  Where they often have had issues is when the contractors have not encrypted data on the laptops.

Another key thing is just to limit and restrict the amount of sensitive information that is contained or stored on these laptops.  They should only—the information should only be on the laptop for the limited period of time that is required and the amount of sensitive information should only be stored on the laptop to the extent that it is for authorized, legitimate business purposes.

Other types of controls that should be in place on laptops include just general maintenance including that they have intrusion prevention systems or personal firewalls on the laptops, that the laptops are protected with current antivirus software, and all security patches have been installed on those systems.

Mr. MITCHELL.  Thank you.

Dr. Roe?

Mr. ROE.  Thank you.  Thank you, Mr. Chairman.

Obviously the VA has an enormous job in managing hundreds of millions, if not billions of bits of information.  And let me suggest to you that that is a good thing because one of the problems we have had is being able to quickly get claims done and this is important. 

The advantage of paper is you cannot haul out 26 million of them under your arms and carry them out.  You just physically cannot do it.  So before the VA was slow, but it was very difficult to lose much information.  Someone might take a chart or two home, but they are not going to take 26 million of them home like a guy did on his laptop.

And it appears to me that the problem is that we do not or have not had adequate encryption and so forth on all the pieces of information.  And it is important sometimes for these folks to take the work home.

Let me give you an example.  A physician friend of mine at the VA, he is not allowed to take his laptop away with him, which he would go away for, let us say, a week or two vacation.  He would work at that time and expedite things.  He is a gastroenterologist.  He is a consultant.  They are way behind on those consults.  He could do a lot of work.  But he cannot take it with him because of this issue that occurred with the 26 million people. 

And it is also incredibly expensive when that happened.  I know I was one of the veterans who got the letter.  And I think one mail-out was $14 million.  Two mail-outs went out.  That was $28 million to let veterans know that, hey, guess what, we goofed, we let your information with your Social Security number and so forth get out there on the World Wide Web.  Not a real good feeling.  And I think we have to do better.

I guess one of the questions I have, and you made some great points in here and in your testimony, your written testimony, the VA continues to report significant information security shortcomings and you go through these, and my question is, why have they not been corrected?  I mean, it has clearly been pointed out, so why has it not been done?

Mr. WILSHUSEN.  I think there is probably a number of different reasons why they have not.  One of the issues is in years past, VA has been decentralized, particularly with the organization of responsibilities for information security.  With the 2006 legislation and bill, I am sorry, Act that was passed, that helped to centralize some of that responsibility within the CIO's and Chief Information Security Officer's (CISO’s) offices.  And that was a key moment, I think.

Certainly another key area is prior to May 2006 when that incident occurred, the emphasis on information security may not have been as great as subsequent to that.  So since 2006, there has been some progress.  Certainly they now have very capable individuals in place as Congressman Buyer has pointed out with the new CIO.

Mr. ROE.  I guess the question I have with that is this, is that the FISMA Act had been passed along with—

Mr. WILSHUSEN.  Oh, yes.

Mr. ROE [continuing]. Four or five things I mentioned ahead of that time, it appears that nobody was paying any attention to the problem and did not take it seriously and still, even after a huge breach like that, apparently not serious enough that it is still not going on. 

And, Ms. Finn, just a thought occurred to me when you were speaking.  You raised a tremendous point.  If a hacker, because our Web site was hacked in my office here in DC, if you could hack into a VA data system and you said, I think, in your testimony that you could change information, could you change information about me as a veteran if I am in that system and then file a false claim?  It looks to me like that would be easy to do if the data were changed.

Ms. FINN.  I would say if a hacker got into that particular database, that quite likely they could do that.

Mr. ROE.  So you could go in there and change your information about where you served or what disability you might have?  I mean, that is a tremendous opportunity for fraud.

Ms. FINN.  Yes.  I will say that I do not know that we saw specific vulnerabilities in those large databases.

Mr. ROE.  I guess my question was, if you do not have the security system, because, I mean, everybody's e-mail has a password and a user name, and is there any way to know that that has happened?  I mean, could it have been breached and anybody not even know?

Ms. FINN.  Yes, it could have.

Mr. BOWMAN.  We did work on some of those mission critical systems and we found instances where audit logs were not being maintained.  So if systems were actually infiltrated, there were not records identifying that and responding to it.

We also identified instances where the databases on some of these larger systems did have default credentials.  So probably the risk is more from the internal threat than it is from the internet, but the threat does exist.

Mr. ROE.  I think the reason, before I yield back, Mr. Chairman, I think this is important because as a physician, we make decisions based on what is in those records.  And if those records are manipulated in a negative way, you will end up making very bad decisions.  The more I listen to this and read the testimony last night, the more critical I realized this was to get this right.

So I yield back.

Mr. MITCHELL.  Thank you.

Mr. Walz?

Mr. WALZ.  Thank you, Mr. Chairman and Ranking Member Roe, and the Ranking Member of the full Committee, for your attention to this and your work on it. 

I, like Dr. Roe, was one of those veterans that received the letters and I hear much about this.

I want to thank all of you for your commitment and public service and also your commitment to good governance and oversight and to all of our folks here from the VA.  This room is absolutely committed to the best care of our veterans.  That goes without question.  We are here to figure out how to do that.

So, Assistant Secretary Baker, I share the Ranking Member's admiration for you.  And I guess he used the right term in this regard, stepping into the breach.  And I do appreciate that.

A couple questions I have.  And in recognizing that we are making progress and where there is other things, my concern and where I am coming from, the broken record in me, as we move forward to the smart policy of seamless transition, this issue is going to become even more important, the idea of the virtual lifetime record, the electronic record, the idea of sharing between U.S. Department of Defense (DoD) and VA have become even more important.

And I am trying to find out here that balancing absolute security and access because one of the problems I find in rural areas is the access issue for our county veteran service officers and things like this. 

I just came from a meeting where I sat down purposely to talk of this information security side from the private sectors with Thomson Reuters folks.  And they were talking about, yes, the encryption, yes, all those things, but also the credentialing side of things, that there is that other level of safeguard of who has got access to this and why.

I guess my question is, and this might be to Ms. Finn, have any of these breaches occurred with people like in my State, one of the 26 States that has county veteran service officers, are co-located veterans service organization (VSO) representatives at the VA, have any of the breaches of data come out of those folks?  Can you speak to that with any authority?

Ms. FINN.  No, sir.  I am afraid I cannot.  I would have to do some research in order to answer your question.

[The VA OIG subsequently submitted the following information:]

In response to your question, we contacted VA for information related to security incidents. VA provided the OIG with information on security incidents for the period of February 2010 through May 2010. During this limited period, no cases of VSOs gaining unauthorized electronic access to VA’s internal systems and networks were reported. However, in one instance, an individual misused authorized access to the Patient Inquiry Database. We understand that the Office of Information and Technology is working to limit access to the database so that a similar incident does not occur again. To answer the question for a broader time period, we would have to defer to VA to provide any additional information.

Mr. WALZ.  Well, if we could get that because I think we are seeing the answer is, there have not been any. 

And my question is, I have limited access for these folks even something as simple as a DD-214 and then you get into the compensation and pension side of things that we need to speed the transition for benefits.  My experts, my veterans, my folks that are county veteran service officers are being denied access on the basis of it could be a security breach.

As we move forward on this and as you hear details and as we find wherever our Achilles heel is in strengthening this, we have to be very cognizant of we can lock this stuff away in a vault, but if the right people do not have access to see it, we still cause damage to our veterans.  And I want to know how we get that.  And I do not know if anyone has any comments. 

The Ranking Member brought up a great point in seeing that this might be an opportunity with the DoD folks or whatever to strengthen that.  I guess maybe I was being a little more pessimistic and seeing that this is going to compound the problem and make it more difficult.

Do you see this as a challenge or an opportunity?  And maybe when Assistant Secretary Baker and his folks come up, they may comment too.

Mr. WILSHUSEN.  I would say it is both an opportunity and a challenge.  Certainly the sharing of information will help get information to the people who need it when they need it and making sure that the information is accurate at that time.

It is also a challenge, though, to assure that those individuals only receive the information that they need and to assure that they are the correct people in receiving that information.  And that is where with information sharing and providing appropriate security, there is always that balance.

Mr. WALZ.  Do we do a good job on this credentialing or who has this?  I keep hearing of these contractors and stuff.  I am wondering, do these people need to—there are cases where they need to take it home.  I think Dr. Roe is right. 

But are we credentialing the right people?  Is there that side of the security or is this all a software physical infrastructure side of things issue or is it more of a cultural attitude on protection of data?

Could anyone speak to that as you see it?

Ms. FINN.  I think it is definitely a cultural issue and that has been the biggest change that I have seen in VA over the last 3 and 1/2 years in information security.  The struggle to establish the policies and procedures that addressed the need for encryption on devices was huge.  And it was a big culture shift.

Mr. WALZ.  Because I think the public sees this and they said encrypt the dang things and do not let anybody get in and do not have default passwords and everything will be fixed. 

What I am hearing, what I am feeling is that is not enough, that there still needs to be this credentialing, there still needs to be a culture shift on data security.  And we need to make sure that access to the right information to the right people is still granted.  Is that true?

Ms. FINN.  Yes, sir.  I would agree.  The biggest vulnerability I think for data is at the end user, you know, the laptop that is not encrypted.  And as you said, it is easy to have 26 million records or data about individuals’ privacy information.

Mr. WALZ.  And, again, I appreciate all the work you are doing and all the folks that are here.

I yield back, Mr. Chairman.

Mr. MITCHELL.  Thank you.

Mr. Buyer?

Mr. BUYER.  Thank you very much.

With regard to the security awareness training, where is this type of training done?  So, in other words, at a medical center, a new employee comes in, who is responsible for that type of training?

Ms. FINN.  In VA for VA employees and I believe contractors also, we take an online course many times.  It goes through the principles of information security and awareness and the vulnerabilities.

Mr. BUYER.  And who is responsible to ensure that that training actually took place or the person actually did it online?

Ms. FINN.  Well, I as the supervisor am responsible for ensuring that the people who work for me take it.

Mr. BUYER.  Okay.

Ms. FINN.  So for an employee within my own organization, we would monitor it.

Mr. BUYER.  Who within a medical center?

Ms. FINN.  Ultimately I would assume that it would be the Director of the medical center, through the various departments in the hospital.

Mr. BUYER.  Uh-huh.  And what role or responsibility would the CIO at the medical center have to ensure that everyone is compliant?

Ms. FINN.  I am not certain whether they would receive a report or not.  So I think probably VHA would be more able to address that and tell you how that works.

Mr. BUYER.  Okay.  All right.  I am here trying to figure out the best process.

Okay?  So, you know, when we talked about the centralizing, the purpose of centralizing and coming up with delineations of responsibilities, you know, I guess I am trying to—I agree with Roger Baker here that if, in fact, if it has the word computer on it, he owns it, you know.  And so if, in fact, there is some training out there that is required, even if it comes under VHA, that CIO at that medical center, it is his business to get in somebody else’s business.

So you cannot stovepipe this type of stuff.  Would you agree with that?  I am trying to figure out, you know, you cannot just say, well, you are a supervisor, you have new employees, you just have to make sure it happens.  Okay?  Where does the accountability function come in?  How do we do the check in the box?  I do not want to build bureaucracies here, but I am trying to—

Ms. FINN.  Well, I think it is important that accountability is on everybody, that it is not just the CIO’s problem.

Mr. BUYER.  Okay.  It is not happening.  You say that in your report.

Ms. FINN.  Yes.

Mr. BUYER.  So how do we get to there?

Ms. FINN.  How do we get to hold everybody accountable?

Mr. BUYER.  Yes.

Ms. FINN.  That will take a concerted push from all across the organization.

Mr. BUYER.  Well, I will tell you what.  If we make sure that Roger Baker completely understands that if it deals with computers and it is security awareness and assurances, he owns it. 

And if it means that those of whom work for him at the VISNs and at the medical centers, if he has to get a little rough with the Chief Medical Officer or whomever at that medical center, if they are responsible, that is his business. 

Is that a good idea to do that or is that a bad idea to do that?

Ms. FINN.  I think I will take the high road and say I think it is a very intriguing idea.  And I would have to look at the implementation over time to see how that would work out.

Mr. BUYER.  Well, I look at, you know, your report.  Basically it comes back, sir, and says mixed reviews.

Mr. WILSHUSEN.  Right.

Mr. BUYER.  So I am trying to figure out if, in fact, we are saying to Roger Baker that you own it, he steps forward and says I accept responsibility, right, well, and then if you have individuals within VHA or in contracting want to go, ooh, not me, you know what, then whom? 

And if Roger Baker is going to say it is me, then he is not saying it is just me.  He is saying it is my lines of authority.  And if, in fact, it is his lines of authority, then sitting at that table when that Director sits at the head of the table and he has all of his staff there, that CIO has to be off the heels and on their toes and in people’s business if, in fact, it is a computer system, right?  I mean, am I—

Mr. WILSHUSEN.  What I would just say is that, you know, certainly the CIO under law, and this is including FISMA’s responsibilities that it assigns to specific individuals, to the head of the Agency, to senior agency program managers as well, as well as the CIO, senior agency program officials also have responsibilities to ensure that security is appropriately implemented within their sphere of influence and over the IT resources supporting their program.

The CIO, of course, is responsible for implementing the different aspects of an agency-wide information security program, which includes computer security and awareness training.  And the CIO is also supposed to assist and help assure that the senior program managers are performing their responsibilities.

So I would just submit that it is important for the CIO and those individuals that are responsible for ensuring that information security activities such as providing computer security awareness training to their employees are held accountable to assure that they, in fact, do that.  One way to do that is to make that part of their performance appraisal system.

Mr. BUYER.  Bingo.

Mr. WILSHUSEN.  Is it part of the responsibilities of those individuals and are they being held accountable?

Mr. BUYER.  We talked about that 4 years ago.

Mr. WILSHUSEN.  That is exactly right.

Mr. BUYER.  Okay? 

Mr. WILSHUSEN.  And we made that recommendation—

Mr. BUYER.  I remember this conversation.

Mr. WILSHUSEN [continuing].  In the 2007 report.  You know, to the extent that VA has implemented that particular aspect of that is one of the things we will be following up this year.

Mr. BUYER.  Mr. Chairman and to the Ranking Member here, that is an extremely important thing.  I mean, that is something we do not have to legislate, you know.  The Executive Branch can actually put this in.  And I will be interested when the VHA comes up and testifies.  We can ask them. 

We should not be handing out bonuses, right, you know, to individuals of whom are not in compliance with the law?  And if we actually put it in their performance reviews or it is one of their line items, right, and they have not, then guess what, you get dinged.  I mean, boy, you can get somebody’s attention pretty quick, you know, and we do not have to legislate that.  I mean, the Executive Branch can lean forward on it.

And your point is very well taken.  We have talked about that.  I really do not know what has happened over the last few years with regard to that particular issue.

But I yield back.  Thank you.

Mr. MITCHELL.  Thank you.

Dr. Roe?

Mr. ROE.  Just one brief comment.  What the Ranking Member is stating I think very clearly is those of us who have been in the military understand the chain of command.  If you have two silver bars, the guy with one silver bar will say, yes, sir, no, sir, yes, ma’am, no, ma’am.  We understand that.  We get it.  And so it is the chain of command. 

And my question, Mr. Chairman, is in the testimony here is in addition, Congress enacted the Veterans Benefit Healthcare and Information Technology Act of 2006 after a serious loss of data earlier that year revealed a weakness in the VA’s handling of personal information. 

Under the Act, VA’s Chief Information Officer is responsible for establishing, maintaining, monitoring Department-wide information security policies, procedures, control techniques, training and inspection requirements as elements of the Department’s information security program.  And that is very clear to me.  Whoever that person is, whatever that name is, they are the ones.  The buck stops on their desk.  And, I mean, it seems very clear to me that that is what you do. 

And I agree with you 100 percent that we should not be handing out bonuses.  It is clearly stated right here in your testimony where this responsibility is. 

And I guess my question is, why did it happen?

I yield back.

Mr. BUYER.  Would the gentlemen, would you yield to me for a second?

Mr. ROE.  I will. 

I will yield, Mr. Chairman.

Mr. BUYER.  When we designed this system, the reason that we sort of took the CIO and said, okay, we have them at the top and we are going to take the CIO out of this direct—actually, we did a direct chain of responsibility and authorities. 

I did not want a Medical Director to sit there when the CIO gives some push back to that CIO to be big-footed, you know.  If there is a real serious concern, I do not want the Medical Director to big-foot him.  That CIO works for the VISN CIO and works directly for Roger Baker.  So we designed that system.  It is sort of like the OIG being outside the system for the accountability function. 

And that is why I guess I am leaning right now on saying I think it is a good thing the way we have designed this system for that CIO at the medical center to get in people’s business.  I mean, it is his job.  That is the reason we designed it that way.

And you know what?  It does not make them very popular at the table.