Witness Testimony of Arnaldo Claudio, Office of Information and Technology, Executive Director, Office of IT Oversight and Compliance, U.S. Department of Veterans Affairs
Thank you, Mr. Chairman and members of the Committee. I appreciate the opportunity to speak with you today on the topic of the Department’s Information Technology (IT) reorganization and to share with you the impact and progress that the Department of Veterans Affairs (VA) has achieved as a result of the establishment of the Office of IT Oversight and Compliance (ITOC).
ITOC was established in February of 2007, as a response to the need for the VA to enhance the protection of our veterans’ sensitive information. This concept was initially addressed by Professor Eugene H. Spafford, during his Congressional testimony shortly after the data breach of May 2006; and later by the IBM study in their December 2006 publication entitled: High Level Target Organizational Structure on VA’s IT realignment. Furthermore, in February of 2007, Secretary Nicholson conveyed a strong message regarding the importance of proactively identifying, addressing and mitigating any risks that could jeopardize the potential loss of Veterans’ sensitive information.
To fulfill this vital requirement, ITOC is charged with providing independent, objective, and quality oversight and compliance assessment services in the area of information and technology to include Cyber Security, Records Management, Privacy and Physical Security.
The concept of ITOC is not entirely new to VA. Prior to ITOC’s establishment, a smaller scale initiative collocated within the Office of Cyber and Information Security (OCIS) known as the Review Inspection Division (RID) existed.
In October 2002, the RID was created to fulfill the requirements set by the Office of Management and Budget (OMB), VA Directive 6210, VA policy and Departmental commitments to Congress, which mandated security audits (reviews and inspections) be conducted at every VA facility on a recurring basis. Although RID was given a mission to review the entire Department’s cyber and information security program at all VA facilities, it was never given sufficient resources and authority to carry out all but a small fraction of these tasks. Staffing was inadequate with only five VA employees and a handful of contractors. Considering VA has over 1200 sites, RID was given an impossible task to perform. In addition, none of the detailed reports created and forwarded to OCIS senior management were approved or forwarded to sites.
Today, with the establishment of ITOC, that is no longer the case. We are now resourced and equipped to identify issues and to address our observations immediately after the completion of our assessments with the hospital leadership, including the facility Director, Chief Information Officer, Information Security Officer, Privacy Officer and other important members of the hospital staff; and thereafter, we report our findings directly to the VA CIO, Mr. Robert Howard. The ITOC has the robustness and appropriate strategic planning, focus, and vision necessary to successfully address the new paradigm facing VA.
Since its creation earlier this year, ITOC has grown from 7 to 128 employees and, by the end of Phase 2 in FY 2009, it is expected to have a total workforce of 165 employees. This is in itself a success story. Most government programs take years before they can be stood up and become fully operational. Our employees have been selected from a pool of talented subject matter experts from both industry and government.
The ITOC has achieved a great deal in just a few months and it is already showing dramatic results and measurable benefits across VA. As of today, we have conducted over 100 assessments—a rate of 18 to 20 assessments per month, versus 2 per month for our predecessor organization.
We have experienced our share of significant challenges—but none so far that have proven impossible. The assessments performed by my staff are very thorough. We are working together with VHA, VBA and NCA to correct and eliminate the existing deficiencies found by the Inspector General (IG) and the General Accounting Office (GAO) over the last few years.
As Executive Director for the Office of IT Oversight and Compliance at VA, but first and foremost as a veteran, I truly feel the responsibility for ensuring compliance with the integrity and security of VA’s sensitive information and IT assets. I understand that security awareness is a paradigm change—a change to our business operations culture and simply the way we do things. My staff and I have found that the field facilities welcome our independent and objective assessments as the leadership across VA continues to drive home, to each employee, the importance of securing sensitive information. I am prepared to answer your questions today about what the Office of IT Oversight and Compliance is doing to effect real change to improve VA’s FISMA scorecard, as well as how we are working together with other VA Administrations to mentor, train, coach and optimize our valuable resources to better serve our Nation’s veterans.
In closing, I want to assure you, Mr. Chairman, and the members of this committee that we will continue to be diligent in our efforts to improve and remedy VA’s Information Technology environment. Thank you for your time and the opportunity to speak on this issue. I would be happy to answer any questions you may have.