Joint Hearing of the Committee on Homeland Security and Governmental Affairs of the U.S. Senate and the Committee on Veterans’ Affairs of the U.S. House of Representatives at 1:00 p.m. CDT.
Witness Testimony of Hon. Robert T. Howard, Office of Information and Technology, Assistant Secretary for Information and Technology and Chief Information Officer, U.S. Department of Veterans Affairs
Thank you, Mr. Chairman. I would like to thank you for the opportunity to testify on the realignment progress in the Office of Information & Technology (OIT).
This is such a crucial issue, and I appreciate the Committee’s interest. With me today from OIT is Arnie Claudio (Director, Oversight and Compliance). I am also accompanied by:
- Adair Martinez (Deputy Assistant Secretary for Information Protection & Management)
- Jeff Shyshka (Deputy CIO for Enterprise Operations & Infrastructure)
And on a separate panel will be Paul Tibbits (Deputy CIO for Enterprise Development).
First, I would like to thank you, Mr. Chairman, for giving me the opportunity to testify about the progress being made in OIT’s realignment. This Committee has demonstrated great support for and interest in this issue, and we genuinely appreciate it.
Last week, during a similar hearing conducted by the Senate Committee on Veterans Affairs, I began by talking about my top seven priorities as Assistant Secretary for the Office of Information and Technology. Today, I would like to do that again as these priorities are guiding the realignment process we see taking place. Briefly, they include (1) establishing a well-led, high-performing, IT organization that delivers responsive IT support to the three Administrations and Central Office staff sections; (2) standardizing IT infrastructure and IT business processes throughout VA; (3) establishing programs that make VA’s IT system more interoperable and compatible; (4) effectively managing the VA IT appropriation to ensure sustainment and modernization of our IT infrastructure and more focused application development to meet increasing and changing requirements of our business units; (5) strengthening data security controls within VA and among our contractors in order to substantially reduce the risk of unauthorized exposure of veteran or VA employee sensitive personal information; (6) creating an environment of vigilance and awareness to the risks of compromising veteran or employee sensitive personal information within the VA by integrating security awareness into daily activities; and (7) remedying the Department’s longstanding IT material weaknesses relating to a general lack of security controls. I assure you that we are working hard to give these priorities the required attention.
As you know, the Government Accountability Office (GAO) recently released a report on our realignment progress and correctly identified that there is more work to be done to have a successful transition from a decentralized to a centralized organization. We have already begun implementing some of their recommendations such as establishing an IT governance plan, continuing with process development, and expediting the development of performance metrics to track realignment progress. Implementing these recommendations will certainly aid in the realignment.
We have made, I believe, solid progress in other areas of this realignment. We have dramatically improved incident response because of the significant amount of policy, guidance and training conducted on information protection. Since we have begun this, we have seen an increase in self-reporting security and privacy violations and incidents. We are also making great improvements in the area of data protection by encrypting over 18,000 laptops, implementing procedures for issuing encrypted portable data storage devices, purchasing software to address the encryption of data at rest this month, reducing the use of Social Security numbers, and reviewing and eliminating a significant amount of personally identifiable information VA currently holds. Regarding these last two points, VA has drafted two documents outlining plans to achieve both these goals. These plans were developed in accordance with the Office of Management and Budget (OMB) Memorandum M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” and will be included in this year’s Federal Information Security Management Act (FISMA) report. Regarding the FISMA report, not only will we submit one this year (we got an incomplete last year), but we have, for the first time, completed testing of over 10,000 security controls on our 603 computer systems. Mr. Chairman, you will be pleased to know that we recently awarded a contract for extensive port monitoring which will help us better control network access – a very important tool in our information protection tool kit.
Through this realignment, we are also addressing the critical issue of asset management. As you remember, the House Veterans Affairs Oversight & Investigations Committee recently held a hearing on VA’s IT asset management based on a GAO report (report 07-505) which found inadequate controls and risk associated with theft, loss, and misappropriation of IT equipment at selected VA locations. In that report, GAO found many problems regarding the IT asset management environment and included a number of important recommendations – with which we agree and are implementing. We have completed a handbook on the Control of Information Technology Equipment within the VA which includes each of the recommendations made by GAO in its report. These documents are now being finalized within the Department, but we have already implemented the procedures they describe. They will provide clear direction on all aspects of IT asset management.
For the past six months, tightening IT inventory control throughout VA has been the focus of a cross-functional Tiger Team. In addition, VA has issued a memorandum requiring each VA facility to complete, by the end of December of this year, a wall-to-wall inventory of all IT equipment assets, including sensitive items, regardless of cost. Reporting requirements have been established at the Facility, Regional and Field Operations levels to ensure that issues are identified and addressed early in the process. By way of support, we have established an IT Center that is accessible by all VA personnel. This website provides references, templates, definitions, frequently asked questions and a link to contact the Tiger Team directly. Also, the Office of Oversight and Compliance is working with Tiger Team members to develop a compliance checklist that will be used for scheduled and unscheduled audits regarding IT assets. This initial inventory will help provide a VA IT asset baseline—something that has not existed before and is a direct result of the realignment.
Lastly, an important and fair question to ask regarding this realignment is how has it impacted the delivery of healthcare and benefits to our veterans. In my opinion, there has been no significant change in these two areas—which was a key objective of this reorganization – to do no harm. This is not to say we have not had problems - we have. But we have also experienced improvements in our ability to gain knowledge over IT activities that were not very visible in the past, in IT funding details across the VA, and in our ability to protect the sensitive information of our veterans.
In closing, I want to assure you, Mr. Chairman, that a successful realignment in OIT is a key goal within the VA. I have good people in my office who all share this commitment and work hard to achieve it. We have accomplished many things this past year but more remains to be done. I appreciate having this opportunity to discuss this with you and will gladly respond to your questions.