House Committee on Veterans' Affairs
Hearings: Testimony

 

Opening Statement of
John A. Gauss
Former Assistant Secretary for Information and Technology
And Chief Information Officer
At the Department of Veterans Affairs
Before the
Committee on Veterans’ Affairs
U. S. House of Representatives

July 18, 2006

Good morning, Mr. Chairman and Members of the Committee. Thank you for inviting me here today to discuss some of the important issues related to the draft legislation to enact the “Veterans Identity and Credit Protection Act of 2006”.

My comments today are focused on those elements of the draft legislation relating to the management of the Department of Veterans’ Affairs (VA) Information Technology and Information Security programs.

As a private citizen interested in the welfare of our nation’s veterans and the efficient operation of government, I would like to commend the Chairman and this Committee for exercising such bold leadership by moving forward with this groundbreaking piece of legislation. By elevating the positions of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) at the VA to Under Secretary and Deputy Under Secretary positions respectively, you are blazing a trail for the rest of the executive branch of government to follow. Based on 34 years of government service in the Department of Defense and at the VA, it has become clear to me that until the position of CIO is elevated to an Under Secretary position within all Departments of the Executive Branch of government, the authors of the Information Technology Management Reform Act of 1996 will remain disappointed. As an Under Secretary, the CIO will have a “seat at the table” where the real decisions are made with respect to the operation of the Department and he or she will not be relegated to subordinate “working groups” that can only recommend and not decide.

I know the Committee is struggling to determine the appropriate level of legislative direction to enact into law. Too little direction will allow the advocates of the status quo to find loopholes in the law or legal interpretations to preserve “business as usual”. Conversely, too much detail becomes legislative micromanagement which I know is not the intent of this Committee. With that said, although some of the recommendations I will put forth below are aimed at proposing changes to the draft legislation, other recommendations should be considered for direction to be placed in appropriations bills, policy to be implemented by the Office of Management and Budget, and/or discussion points that could be used during future Senate confirmation hearings.

With respect to the draft legislation, I would respectfully request that the Committee consider the following:

(1) Section 2 of the draft legislation provides for strengthening the CIO’s ability to enforce information security requirements to achieve compliance with the Federal Information Security Management Act of 2002 (FISMA). Since FISMA applies to all Departments and Agencies of the federal government, I can appreciate the difficulty in legislating enforcement authority for all Departments and Agencies. However, given that enforcement has been a key issue with the VA at previous hearings, I recommend the Senate Veterans’ Affairs Committee consider asking future VA Secretary nominees about their views regarding Section 2 of this legislation with respect to, and I quote, “to the extent determined necessary by the head of the agency, to enforce”, during future confirmation hearings.

(2) Section 3 of the draft legislation establishes the position of Under Secretary for Information Services, elevating the CIO position from an Assistant Secretary. Section 3(c) of the draft legislation is titled “Conforming Amendment”. It addresses a change to the existing statute regarding the responsibilities of Assistant Secretaries and Deputy Assistant Secretaries at the VA by removing the responsibilities for Information management functions. Since the draft legislation elevates the CIO from the position of an Assistant Secretary to the position of an Under Secretary, the Committee may want to consider decrementing the number of Assistant Secretaries defined in Section 308(a) of the same statute from seven to six as a part of this “Conforming Amendment” of the draft legislation.

(3) In Section 4 of the draft legislation, a new Section to Title 38, United States Code defines three Deputy Under Secretary positions that would report to the new Under Secretary for Information Services. At a recent House Veterans’ Affairs Committee hearing, the representative from the Gartner Group, my colleague on this panel and I testified that, in our expert opinion, the VA should centralize the management of all systems development activities under the Office of the CIO. Although this legislation does not specifically mandate this degree of centralization for the VA, I believe there are program management oversight and Enterprise Architecture responsibilities that must be carried out by the CIO independent of the centralization issue. Lack of an effective Enterprise Architecture and inadequate executive oversight of ongoing development programs have been long-standing issues identified by the GAO. Both my colleague and I addressed these issues during our tenures as VA CIO. In order not to lose sight of these important functions, I am recommending to the Committee that a fourth Deputy Under Secretary position be established as part of the draft legislation – Deputy Under Secretary for Enterprise Architecture and IT Program Management Oversight.

(4) In Section 4 of the draft legislation, several new Sections to Title 38, United States Code relate to contracting activities associated with the handling of sensitive personal information. In my review of the draft legislation, I was unable to find any prohibitions for offshore storage of, or access to, this sensitive information from companies that might operate outside the United States. I recommend the Committee consider adding such prohibitions to the draft legislation.

(5) A CIO must be more than just the “IT person” for a Department or Agency. To be effective as a CIO, I believe the CIO also must be the “change agent” of the organization from a business perspective. The CIO, working with the Administrations and Department’s offices, must lead the cross functional integration of business processes in order to improve mission effectiveness and gain efficiency. A single 1-800 number for a Veteran to call to obtain service and one integrated registration process are but two examples of improvements that should be pursued. The CIO must establish plans and have the authority to implement those plans to control the growth of Information Technology spending. The CIO must understand that data is a strategic capital asset. He or she must understand how best to store the information and make it available only to those who must use the data to service our nation’s veterans in a secure and protected manner. Mr. Chairman and Members of the Committee, I most strongly recommend that future nominees for the newly established position of Under Secretary for Information Services be required to have these skills and demonstrate during the confirmation process how they will apply these skills at the VA.

(6) The qualifications for the Deputy Under Secretary for Security are equally as important as the qualifications for the CIO. I believe this person must be a Certified Information Systems Security Professional (CISSP) and demonstrate a comprehensive understanding of cyber security in general, information security, details of FISMA and be thoroughly versed in physical and personnel security related issues as they pertain to electronic and information security. Security is all about risk management. The only secure computer is one you never turn on. The only secure building is one that no one can ever enter. The Deputy Under Secretary for Security must demonstrate that he or she knows how to evaluate risk and take steps to mitigate that risk. I most strongly recommend that future candidates for the newly established position of Deputy Under Secretary for Security be required to have these skills and demonstrate during the hiring process how they will apply these skills at the VA.

(7) In executing the duties of the Under Secretary for Information Services, the CIO must not forget the times that we live in where Continuity of Government, Continuity of Operations and the VA’s fourth mission in support of emergency preparedness are missions critical to servicing our veterans and the nation. The CIO must be intimately involved in using Information Technology to further these objectives.

(8) With respect to accessing sensitive and critical information, I believe it is imperative that the CIO be responsible for electronic identity management at VA and that electronic identity management be implemented with a sense of urgency to comply with Homeland Security Presidential Directive 12 (HSPD 12). Electronic identity management will not only strengthen access controls for electronically stored data, it can also be used to strengthen physical access controls throughout the VA.

(9) Policies need to be implemented and funding must be provided to encrypt data while in motion or at rest. The implementation of data encryption must be closely coupled with the electronic identity management process just discussed.

(10) Finally, I once had the privilege to meet Mr. Louis Gerstner when he was the Chief Executive Officer of IBM. He shared with me the actions he took to transform IBM’s business processes and information technology from a collection of stovepipes to a highly integrated machine. He reorganized the management of all of IBM’s Information Technology by centralizing the authority with the Corporate CIO in less than 90 days. Over the next two years and on a global basis, IBM transitioned its IT stovepipe infrastructure to a modern, integrated corporate wide infrastructure. During the same two year period, he led the modernization of IBM’s business processes focusing on eliminating duplication, improving productivity, increasing efficiency and effectiveness, and reducing IT cost. Mr. Gerstner emphasized the need for speed. He believed that the absence of speed would allow the inertia of the status quo to prevail. Since this legislation is clearly focused on effecting real change at the VA, this change must be implemented with lightning speed to be effective. Therefore, I recommend the committee consider including two additional items in this legislation to enable a high velocity change at VA.

(a) First, the VA should be given 90 to 180 days to fully implement this legislation. The advocates of the status quo will argue that speed will create too much risk and that deliberate thought and study is necessary to avoid creating problems. Given the current situation at the VA, isn’t the risk associated with the status quo significantly greater than whatever damage might be caused by moving forward with lightning speed?

(b) Second, the VA should be given the same hiring authority to support the implementation of this legislation that was given to the Department of Homeland Security in the legislation that formed that Department. If VA uses the “business as usual” hiring processes, it will take months or even years to properly staff the offices established by this legislation.

I hope the information I have provided in this opening statement will help the Committee in its deliberations and thank you for this opportunity to discuss this landmark legislation. I will be happy to answer any questions you might have.

 
