Thank you to everyone for attending today’s Oversight and Investigations Subcommittee hearing entitled, Assessing Information Security at the U.S. Department of Veterans Affairs. 

Today, we will examine the current status of information security at the VA and its ability to protect itself against both malicious and accidental sensitive information breaches.  The Department of Veterans Affairs employs its sophisticated computing infrastructure to store the health and financial records of millions of American veterans and their families. Each day, there is the potential for millions of attempts to gain unauthorized access to government computers that hold this information through unsecure ports and other means.

The risks to the VA of not implementing a sound information security program are considerable, and unfortunately, have already been seen through several situations in the past.  Just recently, we have learned of two data breaches: In Texas, 3, 265 veteran’s records were compromised when information went missing from a facility conducting lab tests.  In a second instance in Texas, a VA contracted company had a laptop stolen compromising the records of 644 veterans. These recent data breaches are proof that the VA still has a long ways to go in ensuring our nation’s veterans that their most sensitive information is being safely stored and handled.

The Federal Information Security Management Act of 2002 or FISMA is a critical and evolving mandate designed to help federal government entities, including the VA, protect personally identifiable and otherwise sensitive information.  In March of this year, the Office of Management and Budget (OMB) released its FY 2009 report on FISMA. Unfortunately, the VA ranked dead last among other FISMA monitored agencies in areas such as the percent of log-in users trained on information security awareness, and also in the issuance of personal identity verification.   Additionally, the OMB report also lists the VA as one of 6 federal agencies identified as having a material weakness.

It is clear that the VA has a wide range of areas in which it must improve its information security infrastructure.  Strengthening interagency network connections, access controls, and improving configuration management are some of the things that will yield positive results in securing VA’s computing network.  In light of the recent data breaches in Texas and OMB’s recent release of it FY2009 FISMA report, there is no better time to review VA’s information security posture, and hear from the Department how they plan to address the challenges they face in  securing the personal information of our nation’s veterans.

I am pleased that both the VA Office of Inspector General and the Government Accountability Office are here to shed light on additional improvements that the VA can make.  I look forward to your testimony.