Joint Hearing of the Committee on Homeland Security and Governmental Affairs of the U.S. Senate and the Committee on Veterans’ Affairs of the U.S. House of Representatives at 1:00 p.m. CDT.
Submission For The Record of Hon. Cliff Stearns, a Representative in Congress from the State of Florida
Thank you for holding this very important hearing regarding inventory management of the VA’s IT equipment. I have long been concerned regarding the security of personal information at the VA, particularly with regard to the immediate need to equip each laptop with basic security encryption. However, there is a critical oversight we must address before we can fully encrypt all VA laptops, and that is we do not know how many laptops there are to secure! The VA has yet to complete a full and accurate accounting of all its IT equipment and systems. Without that, it is a fool’s errand to pursue real IT security.
On February 28, 2007, we heard testimony from Mr. Gregory Wilshusen of the GAO that the Department of Veterans’ Affairs needed to address long-standing weaknesses in its IT security. He testified that the GAO had made several recommendations in 2002 for improving security management, including the basic restriction of access to IT equipment and network to only authorized users. However, Mr. Wilshusen summarized that, “In the auditors’ report on internal controls prepared at the completion of VA’s 2006 financial statement audit, information technology security controls were identified as a material weakness because of serious weaknesses related to access control, segregation of duties, change control, and service continuity. These areas of weakness are virtually identical to those that we had identified years earlier.” And here we are again to hear basically the same testimony as a result of yet another investigation of IT security by the GAO.
In its most recent report, the GAO stated that the six VA medical centers it audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. They then make several recommendations, such as clarifying existing policy regarding sensitive items that must be accounted for in the property control records; providing a more comprehensive list of the type of personal property assets that are considered sensitive for accountability purposes; and reinforcing the VA’s requirement to attach bar code labels to agency property. Unfortunately, GAO’s tests of physical inventory controls at four VA locations identified 123 missing IT equipment items that could have stored sensitive data, including 53 missing computers! At these locations, investigators discovered there were over 2,400 missing IT equipment items, totaling around $6.4 million. Immediate reporting of missing items as recommended by the GAO in 2002 is clearly not followed through in practice, as many missing items were not reported for several months and, in some cases, several years.
This dangerous mix of a lack of user accountability and hopelessly inaccurate records creates an environment that will lead to further loss of equipment, and makes another security breach highly likely. For these IT security weaknesses to have been identified and yet unaddressed for over five years is frankly inexcusable. I look forward to hearing from our panel of witnesses regarding what steps they are taking now to correct this problem, and how they will work to ensure that this round of recommendations is implemented department-wide.