Chairwoman Herseth Sandlin, Ranking Member Boozman, and members of the Subcommittee, thank you for the opportunity to testify today on the implementation of the Post – 9/11 G.I. Bill Support Services Project, Chapter 33 benefits.

I have the distinct honor of being Dean of the College of Engineering at Carnegie Mellon University.  The College of Engineering is ranked as a top 10 school for both undergraduate and graduate education and is housed at one of the most respected research universities in the country.  Our commitment to providing an unparalleled educational experience to our students extends outside of the country as well.  Today, we offer 12 different degree programs in 10 countries, and have institution building, joint degree programs, and formal collaborative research activities in Singapore, Taiwan, India, China and Portugal.  Additionally, we have an official presence in Greece, Qatar, Japan, and Australia.  As a steward of high education, it is an honor to be here today as you examine the best ways to support the delivery of enhanced education benefits to members of the military.

It has been well documented that at the end of World War II, the original G.I. Bill, the Serviceman’s Readjustment Act of 1944, had a profound impact of the United States.  This impact was, and is still felt, at the individual, economic, and larger societal level.  From my perspective as an academic, I can think no other stand alone piece of federal legislation that has also had an equally profound effect on institutions of higher education. It has been estimated that at the time of its enactment, less than 2/5 of those serving in World War II had even a high school education.  This makes the fact that 10 million soldiers went on to college as even more astounding outcome.

I think we would all agree that the “middle class” in America of the time would not have been created if not for this landmark legislation.  The human factor is also worth stressing.  In Over Here:  How the G.I. Bill Transformed the American Dream, Edward Humes sites that it helped to produce 14 Nobel Prize winners, 3 Supreme Court Justices, 3 U.S. presidents, and 12 U.S. senators.  It also, however, helped to train an estimated 67,000 doctors and 91,000 scientists.  No small feat.  As you might assume, I am particularly interested in the technological advancements that came to the fore from these individuals. It is my hope that your efforts today will similarly help others achieve their academic dreams and support additional economic and technological sea changes.

I have been asked to comment from a technical perspective on four different areas of concern related to the Chapter 33 benefits implementation RFP language.  These areas are: 1) overall feasibility of the proposal; 2) August 1, 2009 implementation deadline; 3) possible problems that may be encountered in creating the program; and 4) recommendations on industries’ best practices in creating a similar program.

Before I begin my comments about these areas of concern, I do want acknowledge my awareness of the tension surrounding the implementation of the program as it relates to outsourcing and the possible displacement of current employees.  In the Department of Veterans’ Affairs testimony from the Subcommittee’s initial September 11, 2008 hearing, it was emphatically stated that “no VA staff will lose federal employment as a result of the Post 9-11 G.I. Bill”.  It is my sincere hope that this matter is sufficiently addressed to the satisfaction of the Committee and members of the full House such that efforts can move forward with providing enhanced educational benefits to today’s veterans.

Feasibility

The RFP specifies in reasonable detail the objectives of the project.  It clearly identifies that the VA is responsible for specifying the “What” and the contractor is responsible for delivering the “How”.  This allows for adequate flexibility on the offeror’s part to propose a state of the art, and scalable solution based on industry best practices. 

The ability to support more than a half million students requesting benefits annually, including approximately 1.4 million claims is certainly feasible provided the contractor is skilled in the implementation of large scale IT projects and handling personally identifiable information (“PII”) and processing financial benefits.  Areas that could undermine the feasibility – and success – of this important initiative include:

• Selecting the right technology (hardware and software) and ensuring that interoperability and system interconnection issues are addressed up front and factored into the technology selection process.  This should include personal identity authentication and authorization.

• Ensuring that the contractor has the skills and experience to properly handle, store, process, and transmit large amounts of PII and financial data and meet the security requirements set forth in the RFP, including compliance with the Privacy Act of 1974, the Federal Information Security Management Act (“FISMA”), privacy requirements of the E-Government Act of 2002, NIST guidance and standards, and other regulatory guidance or requirements, as set forth in the RFP.  Security of PII both during transmission and storage is of paramount importance.  PII is usually disclosed through one of many means that include, for example, a dishonest insider, lost or stolen computer, hacking, and lost or stolen backup tape. 

While I do not see any technical barriers, it is important to recognize that the requested secure solution can be technically complicated.

• Project management capabilities, especially with respect to managing the implementation goals of to ensure that:
  
  • A secure solution is implemented by the target deadline;
  • Stakeholders stay involved throughout the project and have a reasonable means of providing input without creating unnecessary changes or disruptions that could jeopardize project implementation
  • Testing of the system, including pilot trials, are carefully orchestrated and planned to meet the requirement of a seamless transfer of data with uninterrupted service (stakeholder input could be particularly valuable at this stage);
  • The VA provides the contractor with necessary system data and access to VA personnel to enable the contractor to develop the solution without using VA IT resources. 

The RFP requirement that VA IT resources will not be provided to support development of the solution (including unit, integration, and performance testing) is too stringent.  The VA needs to have liaison personnel working closely with the contractor to ensure that the solution meets the benefit needs of veterans and has a successful implementation without IT or public relations problems.  This does not mean that VA IT resources need to be used; but to clarify that VA personnel need to be available and assigned to interface with the contractor from beginning through implementation. 

Best practices in outsourcing call for careful management from the company outsourcing the work; this is discussed further in the section on best practices.

Implementation Deadline

As I mentioned earlier, the implementation of this project can be expected to be complicated and complex to implement.  Therefore, I believe that the time frame of implementation by August 1, 2009 (as requested in the RFP) may be too aggressive. 

Successful implementation within the requested time frame would require that the evaluation of the responses to the RFP be thoroughly evaluated including, if possible, a site visit to the offeror for an in-depth analysis of their capabilities.  A more reasonable implementation deadline would be twelve (12) months after the award of the contract. 

The evaluation process will involve multiple considerations, as noted above, that will require various areas of expertise and review by internal VA personnel.  A reasonable timeframe for review of complex proposals and assessment of the offerors’ capabilities is about three months.  Even with an aggressive schedule and the RFP going out next week, it is unlikely that proposals could be received, evaluated, and a contract awarded prior to February 2009.  This would leave the contractor only six months to bring the team together, develop the solution, have the system undergo certification and accreditation (C&A), prepare and receive approval of a privacy impact assessment (PIA), and implement the solution.  The deadline may well undermine the objectives of the project. 

In order to minimize this risk, the RFP correctly requests weekly meetings to discuss various aspects of the project including risk reduction (Section C, item 4), and the offeror’s approach to risk management as part of the project management plan (Deliverable for Task 1). 

In addition, the project plan should contain sub-plans for various aspects critical to implementation, such as the selection and testing of hardware, the preparation of the required PIA, the system C&A, testing, and pilot implementation.   This will help ensure that stakeholder involvement is included at critical points in these areas and will help avoid implementation bottlenecks and delays.

Possible Problems

The RFP mandates a response time of 10 days for original claims and 7 days for supplemental claims.  In addition it requires that there exist a capability for the claims to be handled both electronically and in paper form, and also a capability for electronic and check payments.  Given the number of claims that are expected to be filed, it is likely that the deadline imposed for processing paper claims may require significant amount of staff resources.  This would be especially true if most of the claims were submitted around the same time.  For example, most university tuition payments are required within a few weeks of the start of classes and, therefore, fall within a common timeframe.  Surge periods must be anticipated and planned for in the system requirements.  The 10- and 7-day processing requirements may be too stringent for surge periods, especially for paper claims.

Best Practices

The RFP adequately addresses the standards and best practices as related to security and financial administration.  FISMA has strong security standards and NIST guidance is world-class and consistent with internationally accepted best practices and standards. 

Outsourcing best practices also call for contract clauses that will protect operational data, business processes, and compliance requirements.  The offeror selected for this work should be required to meet best practices for financial outsource providers.  The Financial Roundtable and Federal financial regulators have compiled excellent guidance on managing outsource providers and security risks.  The VA would benefit significantly and provide important leadership to this project if it examined these materials and included relevant portions in the RFP.

It is my hope that my testimony has helped to clarify some of the major technical matters and logistics associated with the RFP for members of the subcommittee.  For non-technical practitioners, I recognize that digesting the details and evaluating the merits of the concepts put forth in the 152 page document is no easy feat.  Without question, the task posed by the subcommittee required me to call upon all of my professional experiences: educator, engineer, DARPA program manager, security researcher and technical advisory board member.

I fully realize how important it is for members of the Subcommittee to have trust and confidence in the IT solutions sought for in the RFP to deliver education benefits to our nation’s veterans.  As leaders in the realm of technology and innovation, please know that the College of Engineering at Carnegie Mellon University stands ready to assist you in dealing with technical matters as they relate to your efforts to craft sound public policy and implement VA projects.  We applaud your diligence in reviewing this specific matter.

Again, thank you for the opportunity to testify.  I would be happy to answer any questions the Subcommittee might have.