Opening Statement of Hon. David P. Roe, Ranking Republican Member, Subcommittee on Oversight and Investigations
Thank you Mr. Chairman. I appreciate you holding this important hearing.
The security of the information the federal government has under its purview is of paramount importance. Recognizing that importance, Congress passed several acts to increase security awareness throughout federal agencies, including the Department of Veterans Affairs. In 2002, Congress passed the Federal Information Security Management Act (FISMA), which permanently reauthorized the framework laid out by previous legislative initiatives such as the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, the Information Technology Reform Act of 1996 (Clinger-Cohen), and the Government Information Security Reform Act of 2000. The enactment of FISMA was a critical step to ensure the continuation of requirements and therefore the ability to effectively identify and track the federal government’s information and system security status.
Prior to 2001, the VA Inspector General (IG) and other outside agencies had expressed concern and identified material weaknesses regarding information security management at VA. Since 2001, IG reviews of VA FISMA compliance continued to identify significant information security vulnerabilities that placed VA at risk of denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data. Numerous security weaknesses were identified, but generally not corrected by VA, even after the IG identified repeat weaknesses over several years. One glaring example of this state of affairs was demonstrated by the FY 2004 report where the IG made 16 recommendations to VA to strengthen information security management, which remained open at least up to May 23, 2006.
Since the data breach of May 2006, the second largest in the nation and the largest in the federal government, we have seen the centralization of VA’s information management, including information security. These efforts have continued through the current administration under Assistant Secretary Baker’s lead. I appreciate the massive undertaking by both the previous Administration and the current Administration to tighten the controls on protecting the data of our nation’s veterans. However, while progress has been made in centralizing the IT Department at the VA, I am uncertain how much progress has been made in protecting the information managed by the department.
In reviewing the FISMA reports issued by OMB over the past seven years, I am concerned about VA’s status with respect to information security. In May 2006, the VA did not even file a report on its FISMA compliance. In 2007, the VA received an “F” on its FISMA compliance. Most glaring is the recent 2009 FISMA report, which shows that even though VA has over 500 FTE assigned to security-related duties, it has the lowest percentage of log-in users trained in information security (>65%), and the lowest percentage of Personal Identity Verification credentials issued by the agency (<5%) to employees and contractors.
I am highly concerned that VA is just not taking information security seriously enough. The protection of the personal information of our nation’s veterans should be a high priority at the Department. We do not want another security breach at the Department, and we certainly don’t want one that would reach the level of the May 2006 breach. But if VA continues on its current path, we may have just that.
On April 28, 2010, my staff was alerted to a stolen laptop which had access to VA medical center data. This contractor-owned laptop was unencrypted, and possibly contained the personal identifying information (PII) of approximately 644 veterans. Upon further investigation, we learned that in November of 2009, the Department issued a directive for VA to incorporate VA Acquisition Regulation (VAAR) clause 852.273-75, which provides for the “Security Requirements for Unclassified Information Technology Resources.” VA reviewed 22,729 contracts to determine whether the contracts required the inclusion of this clause – 6,440 required the inclusion of VAAR 852.273-75, 5,665 contracts had the clause inserted (88 percent), 578 contractors refused to sign the clause (9 percent), and an additional 197 still require the clause (3.1 percent).
I have many questions over this issue, some of which I hope we can answer in this hearing: 1) Why was the clause not enforced prior to November 2009; 2) Did Heritage Health Solutions have the clause included in their contract; 3) What are VA’s plans as far as the 578 contractors who refused to sign the clause when added to their contract; 4) What was the primary reason that most of these contractors refused to sign onto the additional clause; and finally 5) What is VA going to do to tighten the controls on contractor-owned equipment that is regularly accessing the VA networks and storing data relating to our nation’s veterans?
To place our veterans’ information at risk is irresponsible. These men and women have fought for our nation, have placed their own lives in jeopardy to secure our freedom, and we repay them by tossing caution to the wind with respect to their personal information. This is totally unacceptable. VA must take immediate action to secure our veterans’ information, and to ensure that all contracts requiring access to any data at the VA include the protections our veterans need and require.
Again, thank you Mr. Chairman, and I yield back my time.