Witness Testimony of Hon. Gordon H. Mansfield, U.S. Department of Veterans Affairs, Deputy Secretary
Thank you, Mr. Chairman. I am here before this Committee on behalf of the Secretary and the Department to discuss with you the changes underway in the Department of Veterans Affairs Information Protection program. The Department has committed itself to becoming the “gold standard” in Information Protection within the Federal Government. We have made significant progress in a very short period of time to reach this goal. Nonetheless, we realize that there is much more to do, and we have positioned our Information Protection program to undertake the challenges before us … and to succeed.
Early on, the Secretary recognized the need to reorganize our IT assets to give the Department’s Chief Information Officer, and Assistant Secretary for Information and Technology, full control over our IT budget, people, and programs.
This Committee was heavily invested in that decision. It held numerous hearings to assist the Department in addressing the many issues involved in centralizing our IT function.
We created the Office of Information Technology and transferred over 4500 employees to this new organization. These VA employees are under the supervision and direction of VA’s CIO, Bob Howard. We are currently completing the final phase of our reorganization by bringing the full complement of IT programs, dollars, and people under Assistant Secretary Howard’s control.
This reorganization is a Departmental priority. All leadership elements—from Central Office to field locations from Maine to Manila—have been briefed and instructed. Command emphasis is firmly on information security. And it is squarely focused on revamping our IT infrastructure—from practices and procedures … to our Department’s data security culture.
We are also committed to creating a dedicated IT career field that will help us to develop, recruit, and retain the bedrock of professional IT careerists we need today if we are to meet the challenges of tomorrow. I personally have spoken to departmental leaders on this critical issue.
To improve the delivery of IT services as we transition to a centralized IT program, we brought in outside consultants, including IBM, to assist in professionalizing our systems. IBM recommended that we change the way we manage and direct IT. We have done that. We have reduced the scope of work and narrowed the span of control of our IT senior leaders. By telescoping their management focus, we expect more efficient execution of their responsibilities and, in turn, better results and outcomes.
Significant issues remain in the area of Information Protection. We are addressing them head-on. We have begun to revamp our entire program, consistent with IBM recommendations. Over the past six months, I have spoken with many VA employees, at all levels, to underscore the Department’s unqualified position on the IT reorganization. I have stressed the importance of moving out smartly to take charge of the difficult issues at hand. And I believe the vast majority of VA employees are now more aware … more sensitive about data management and security in both the administration … and in the delivery of services to veterans and their families.
Previously, the head of our Office of Cyber and Information Security was assigned such a wide span of control that it was difficult to excel in all areas of responsibility. As a result, support of our Administrations and staff offices suffered.
We have since created a more comprehensive approach by establishing an Office of Information Protection and Risk Management. Its management oversees several key areas. Cyber Security focuses on FISMA reporting and policy development. Risk Management and Incident Response addresses risk assessment, incident resolution and credit monitoring. Records Management and Privacy focuses on policy development and oversight of privacy and records. Data protection analysis and lessons learned are also an integral part of this new management focus.
Our field-based Information Security Officers have been operationally realigned to report to the Office of Field Operations and Security.
And finally, we consolidated several IT compliance programs within the Office of Oversight and Compliance, which reports directly to the Assistant Secretary for Information and Technology. This office will conduct rigorous assessments nationwide. Both announced and unannounced, these reviews rigorously evaluate facility compliance with legislative directives as well as policies, procedures, and practices relating to information protection, data management and control, data, records management, privacy, and IT security programs.
This office will be the first responder to facilities where serious IT security incidents occur and that require the immediate review of records management, privacy, and cyber security business practices. I am confident that this office will provide the further assurance necessary to bolster our records management, privacy, and data security measures.
On June 28, 2006, the Secretary delegated to the Assistant Secretary for Information and Technology the responsibility for Departmental Information Security. Since the May 2006 data security breach, VA has issued eight IT directives on specific IT security safeguard requirements. We have developed a comprehensive strategy for incident resolution that includes procedures for notifying veterans of incidents where personal information has been compromised. We have drafted a regulation to implement the Veterans Benefits, Health Care, and Information Technology Act of 2006. And our Oversight and Compliance Office, established this month, has already completed several facility assessments.
We have launched a number of technology initiatives, both completed and underway, to protect sensitive information. We have encrypted over 15,000 VA laptops. We are minimizing the use of thumb drives and mobile devices. Where authorized, we are requiring them to be encrypted. Very importantly, we are in the process of testing technology that will check for proper encryption, codewords, and security credentials necessary to be permitted entry into VA’s information network.
The gravity of information security is undeniable. Data security incidents such as we have seen tarnish VA’s reputation and the peace of mind of those we serve.
We are aggressively instituting a VA-wide change in culture and mindset across the length and breadth of our facilities, urban and remote.
VA has already committed time and resources to educate our work force about the importance of data security.
Through formal training, printed communications, and other media, the focus is on good stewardship of data privacy. Our employees are now more aware about data management and security in the administration … and in the delivery of services to veterans and their families.
Our culture is changing. Change always takes great effort. It is disorienting and it is disruptive. But formerly acceptable business practices, as we have come to realize, are simply no longer acceptable. We are communicating this cultural reorientation across our Department, at all locations and at all levels. No one person, office, or Administration is exempt.
On February 21st, the Secretary convened an off-site meeting attended by all VA’s senior leadership. He reviewed the recently-issued information security directives and procedures as well as the information protection incidents and vulnerabilities. The Secretary reiterated, in no uncertain terms, his order that all supervisors fully execute their responsibilities in the area of information protection. In late March there will be a data security ‘Update’ seminar for our senior leaders. In April, VA’s annual Information Security Conference will address the theme of “Strengthening [IT] Capabilities to Achieve the Gold Standard.” And in June, we will conduct Awareness Week and the systemic Security and Privacy Training ongoing across the Department.
We are working hard to achieve our goal—full protection of VA’s sensitive data and information. We have made substantial progress in a relatively short timeframe … and we expect nothing less than continuous improvement. We have implemented corrective policies and procedures. Deployed the necessary technologies. Trained our work force. And we will not relent in our efforts to ensure that every veteran’s personal data is safe and secure.
While we have made great progress, we have clearly not fully achieved our objective. In our defense, I want to say that when data was lost, we did not stand still. We notified affected veterans by letter. We began investigations to determine root causes. We took preventive measures to improve security. And we communicated these incidents to the Congress. I don’t believe there is any other Federal Department as forthcoming and public about this issue.
I can assure you we will continue to work to improve our processes. We know all too well that lapses in information security … such as the one that occurred last year, and recently in Birmingham, weaken the confidence of our veterans, their families, and the American public in our ability to perform the mission that has been entrusted to us.
Mr. Chairman, that concludes my testimony. I will answer any questions that the Committee may have.