U.S. Department of Veterans Affairs Information Technology Inventory Management.
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
JULY 24, 2007
SERIAL No. 110-36
Printed for the use of the Committee on Veterans' Affairs
U.S. GOVERNMENT PRINTING OFFICE
For sale by the Superintendent of Documents, U.S. Government Printing Office
CORRINE BROWN, Florida
STEVE BUYER, Indiana, Ranking
Malcom A. Shorter, Staff Director
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public hearing records of the Committee on Veterans' Affairs are also published in electronic form. The printed hearing record remains the official version. Because electronic submissions are used to prepare both printed and electronic versions of the hearing record, the process of converting between various electronic formats may introduce unintentional errors or omissions. Such occurrences are inherent in the current publication process and should diminish as the process is further refined.
C O N T E N T S
July 24, 2007
U.S. Department of Veterans Affairs Information Technology Inventory Management
U.S. Government Accountability Office, McCoy Williams, Director, Financial Management and Assurance
Prepared statement of Mr. Williams
U.S. Department of Veterans Affairs:
Hon. Robert T. Howard, Assistant Secretary for Information and Technology, and Chief Information Officer
Prepared statement of Mr. Howard
Hon. Robert J. Henke, Assistant Secretary for Management
SUBMISSIONS FOR THE RECORD
MATERIAL SUBMITTED FOR THE RECORD
United States Government Accountability Office, Report to Congressional Requesters, July 2007, entitled, "Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation," GAO-07-505
Tables and Figures from GAO-07-505 [The Tables and Figures are included in the GAO report and will not be reprinted.]
Post Hearing Questions and Responses for the Record:
Hon. Harry E. Mitchell, Chairman, and Hon. Ginny Brown-Waite, Ranking Republican Member, Subcommittee on Oversight and Investigations, to Hon. R. James Nicholson, Secretary, U.S. Department of Veterans Affairs, letter dated July 20, 2007, requesting the VA to provide the most recent equipment inventory certification letters from all facility directors [The information was provided to the Subcommittee and will be retained in the Committee files.]
U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY INVENTORY MANAGEMENT
Tuesday, July 24, 2007
U.S. House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Veterans' Affairs,
The Subcommittee met, pursuant to notice, at 2:07 p.m., in Room 334, Cannon House Office Building, Hon. Harry E. Mitchell [Chairman of the Subcommittee] presiding.
Present: Representatives Mitchell, Walz and Brown-Waite.
Mr. MITCHELL. Good afternoon. Welcome to the Subcommittee on Oversight and Investigations, and today's hearing is on information technology (IT). This hearing will come to order.
I want to thank everyone for coming here today. I am very pleased that so many folks could attend this oversight hearing on the U.S. Department of Veterans Affairs (VA) information technology inventory issues. We know that VA has serious problems with keeping track of its IT inventory. This is not just a dollar issue, although it is certainly that; it is also a security and privacy issue. VA's inventory deficiencies mean that VA cannot assure that private medical and other information belonging to the Nation's veterans remains private.
We are going to begin the hearing today by hearing from the U.S. Government Accountability Office (GAO) and their GAO report, and this is the report that is being released today: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss and Misappropriation. This was just released today, showing the results of its testing of inventory systems and procedures at four VA locations.
The results are not pretty. As you can see from the chart, and there is a chart over here, most of you cannot see it here, but Members on the dais can see it. The sample location GAO tested showed that from 6 to 28 percent of IT items listed as being in inventory could not be located. The Washington, D.C., VA Medical Center could not find an astonishing 28 percent of the IT items in inventory. The missing items at the four locations had a combined value of $6.4 million.
Sad to say, this is not a recent problem. In July 2004, GAO reported that the six VA medical centers it audited did not have reliable property databases. GAO followed up on these sites as part of its current report and concluded that more than $13 million in IT equipment was still missing from those sites. Incredibly, an inventory being conducted by one of these sites in response to the 2004 GAO report is still not complete.
If this were not bad enough, GAO further reports that VA has seriously flawed policies and procedures. Again, the chart illustrates the extent of the problem. One line says "incorrect user organization." That means the inventory system incorrectly identified to whom the equipment was assigned.
Look at the numbers: 80 percent of the Washington, D.C., medical facility, 69 percent in Indianapolis, 70 percent in San Diego.
VA's central headquarters does better, only 11 percent, but more than makes up for this with physical location of 44 percent of its IT equipment misidentified in its inventory database.
The issue of security could not be better illustrated than by a photograph you see over here, and there is a photograph, a blowup. And this photograph is of an IT equipment storeroom at VA central headquarters. It seems hardly necessary for GAO to have pointed out that this storeroom did not meet VA's requirements for motion intrusion detection alarm, secure doors, locks and special access keys.
Security is no small matter, and we are not concerned only about hardware. GAO found hard drives at two of the four locations that were designated as excess property to be disposed of. They still had hundreds of veterans' names and Social Security numbers. This is completely unacceptable.
At this time, I ask unanimous consent that the complete GAO report be entered into the record. Seeing no objection, so ordered.
[The report, GAO-07-505, entitled, "Veterans Affairs: Inadequate Controls over IT Equipment in Selected VA Locations Pose Continuing Risk of Theft, Loss and Misappropriation," appears in the Appendix.]
Mr. MITCHELL. I can assure you, we will be back to hear this. We intend to ask GAO to conduct other checks of VA's inventory system in a few months' time, and if another hearing turns out to be necessary, we will have another one.
Last week, Ms. Brown-Waite and I sent a letter to the VA—and this is part of our letter—requesting copies of the most recent annual equipment inventory certification letters from all facility directors. We also requested a list of all facility directors who did not provide certification for completing their annual inventories. I would like to thank the VA for their prompt response.
At this time, I ask unanimous consent that Ms. Brown-Waite's and my letter be entered into the record. Seeing no objection, so ordered.
[The July 20, 2007, letter to U.S. Department of Veterans Affairs Secretary Nicholson, appears in the Appendix.]
Mr. MITCHELL. Before I recognize the ranking Republican Member for her remarks, I would like to swear in our witnesses, and I would like to ask all witnesses if they would please come forward and rise, both the first panel and the second panel. If you would, all please rise.
Mr. MITCHELL. Thank you.
[The statement of Chairman Mitchell appears in the Appendix.]
Mr. MITCHELL. I now recognize Ms. Brown-Waite for opening remarks.
Ms. BROWN-WAITE. I thank the Chairman very much, and I also thank those who will be presenting today. My goal for this hearing is not just to learn where VA is relative to the current IT inventory management, but to learn where and how they are working to improve security controls, maintenance and management of their equipment.
The July 2007 GAO report, which the Chairman just had admitted to the record, increased my growing concern over VA's control over its inventories from my reading of the weekly Security Operations Center (SOC) reports. The GAO report reflected four specific sites for their report. During this study fewer than half of the items GAO selected for testing could be located, and most of the items were information technology equipment.
GAO found that the four VA locations reported over 2,400 missing IT equipment items valued at about $6.4 million. These were identified in inventories performed during fiscal years 2005 and 2006.
Equally troubling in the information in the report was that missing items were not always reported right away, and in some instances, not for several years. At one of the locations, as shown on the easel, 28 percent of the items surveyed during the GAO audit were missing.
Mr. Chairman, I find the lack of control over equipment completely unacceptable. Here in the House of Representatives our acquisition offices perform annual equipment inventories in all offices. The Chief Administrative Officer's staff comes into our offices either to tag equipment we have purchased, remove equipment we no longer use, or inventory the equipment under our control. By keeping a centralized acquisition and inventory process, the House is able to maintain tight control over its equipment inventory. Given the results of the GAO report, it appears that the VA is unable to do likewise.
According to the report, there is also a lack of user-level accountability for the IT equipment due to weak overall control of the equipment environment. The IT personnel and IT coordinators do not have physical possession or custody of all the IT equipment under their purview. Therefore, they are not held accountable for IT equipment determined to be missing during physical inventories.
In my opinion, Mr. Chairman, there needs to be accountability for inventories from the chief executive officer clear down the line to the user who is ultimately using the product. But I guess you could also say "using or losing the product."
The weekly SOC reports consistently show missing IT-related items from the VA's inventories, whether it is listing old equipment that possibly had been disposed of after it was no longer of use to the VA, or new equipment that had been stolen.
I am heartened to note that the VA is working with local and Federal law enforcement to track down and retrieve newer stolen equipment, but dismayed to see the number of equipment items that were either transferred to other facilities and not tracked or disposed of without proper notation in the equipment inventories.
As of February 28th, the GAO report found four case-study locations covered in their report that were—2,400 IT equipment items weren't found, it was revealed, with a combined original acquisition value of about $6.4 million, as a result of inventories VA performed during fiscal years 2005 and 2006.
Based on information GAO obtained through March 2, 2007, the five case-study locations previously audited had identified over 8,600 missing IT equipment items, with a combined original acquisition value of over $13.2 million. GAO reported that the missing IT items represent recordkeeping errors, the loss, theft or misappropriation of IT equipment.
The GAO also cited that, because most of the nine case-study locations had not consistently performed required annual physical inventories or completed reports of survey promptly, which prevented the reporting of missing IT equipment in some instances for several years. I am also surprised when I see a report—see a SOC report reporting the first instance of listing a missing piece of IT equipment from the mid-1990s; operating systems for this equipment would be totally out of date long ago, and it leaves me wondering just how long the equipment was actually missing before it was reported.
Mr. Chairman, this is not the first time that GAO has reported on deficiencies in information technology equipment controls. In 2004, there was a similar report on VA medical centers entitled Internal Control Over Selected Operating Functions Needs Improvement. In this report, GAO indicated that the six VA medical centers they audited lacked a reliable property control database. One of the medical centers reviewed also was included in the most recent report, and yet those issues still remain.
I look forward to today's hearing and hearing from today's witnesses and those accompanying them on how VA plans on moving forward, and how quickly and efficiently we can hope and encourage them to follow up on GAO's recommendation.
I thank you, Mr. Chairman. I yield back the balance of my time.
[The statement of Congresswoman Brown-Waite appears in the Appendix.]
Mr. MITCHELL. Thank you.
Mr. WALZ. Thank you, Mr. Chairman, thank you to the Ranking Member, and thank you to our panelists for being here today at this incredibly important hearing. Those of us that go out and talk to our veterans, this issue is still very, very important and at the forefront of what they are concerned about.
I am one of those 26 million veterans who received the infamous letter saying my information may have been compromised, and what this does, from the sinking feeling of loss of personal security and the concern over data theft, is concern for the individual. It has a very corrosive effect on trust in the VA in general, and that is the part I am most concerned about.
I am here today welcoming all of us as team players to figure out how we get at this, but I think each of the Members up here is sensing the frustration amongst our constituents and our veterans that this is another one of those issues we speak of often, yet see very little movement forward.
So this is, to me, an absolute priority. We have to make sure that faith in the VA system remains strong and that data security is protected.
So with that I look forward to these panels, and thank you again, Mr. Chairman, for holding this hearing.
Mr. MITCHELL. Thank you, Mr. Walz.
At this time, I ask unanimous consent that all Members have 5 legislative days to submit a statement for the record. Seeing no objection, so ordered.
Mr. MITCHELL. I will now proceed to Panel 1. Mr. McCoy Williams is the Director of Financial Management and Assurance for the U.S. Government Accountability Office. Mr. Williams' team was responsible for writing this troubling report on VA's IT inventory management. We look forward to hearing his views on what VA needs to do to improve inventory controls.
Mr. Williams, if you would proceed but also keep in mind that we would like to keep this at 5 minutes.
STATEMENT OF McCOY WILLIAMS, DIRECTOR, FINANCIAL MANAGEMENT AND ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, ACCOMPANIED BY GAYLE L. FISCHER, ASSISTANT DIRECTOR, FINANCIAL MANAGEMENT AND ASSURANCE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. WILLIAMS. Thank you. Mr. Chairman, Members of the Subcommittee, Ms. Fischer and I thank you for the opportunity to discuss our recent audit of controls over IT equipment at the Department of Veterans Affairs.
In light of reported weaknesses in VA inventory controls and reported thefts of laptop computers and data breaches, the adequacy of such controls has been an ongoing concern. Today, I will summarize the results of our recent work, the details of which are included in our audit report, which the Subcommittee is releasing today. This audit followed a July 2004 report in which we identified weak practices and lax implementation of controls of equipment at the six VA medical centers we audited.
For today's testimony, I will provide the highlights of our current findings related to three key issues: first, the risk of theft, loss or misappropriation of IT equipment at selected VA locations; second, whether selected VA locations have adequate procedures in place to assure physical security and accountability over IT equipment and excess property disposal process; and third, what actions VA management has taken to address identified IT equipment inventory control weaknesses.
First, we concluded that for the four case-study locations we audited, there was an overall lack of accountability for IT equipment. Based on our tests of IT equipment inventory controls, we estimated that the percentage of inventory control failures related to missing items ranged from 6 percent at the Indianapolis Medical Center to 28 percent at the Washington, D.C., Medical Center.
In addition, we determined that VA property management policy does not establish accountability with individual users of IT equipment. Consequently, our control tests identified a pervasive lack of user level accountability across the four case-study locations and significant errors in recorded IT inventory information concerning user organization and location.
Our analysis of the results of physical inventories performed by the four case-study locations in our current audit identified over 2,400 missing IT equipment items with a combined original acquisition value of about $6.4 million. In addition, the five locations we previously audited had reported over 8,600 missing IT equipment items, with a combined original acquisition value of over $13.2 million.
Further, we found that missing IT items were often not reported for several months, and in some cases, several years, because most of the case-study locations had not consistently performed physical inventories or promptly completed the required report of survey.
Second, Mr. Chairman, our limited tests of computer hard drives in the excess property disposal process at the four case-study locations found no data on those hard drives that were certified as sanitized. However, file dates on the hard drives we tested indicate that some of them had been in the disposal process for several years without being sanitized, creating an unnecessary risk that sensitive personal and medical information could be compromised.
We also found numerous unofficial IT equipment storage locations in VA headquarters area office buildings that did not meet VA physical security requirements. For example, at some VA headquarters locations excess computer equipment was stored in open, unsecured areas.
Finally, VA has made limited progress in addressing these problems since our July 2004 report, including, among other things, clarifying property management policies and centralizing IT functions under the new Chief Information Officer (CIO) organization. However, the Department has not yet ensured consistent implementation of effective controls for accountability of IT equipment inventory.
Mr. Chairman, until these shortcomings are addressed, VA will continue to face major challenges in safeguarding IT equipment and sensitive personal data stored on this equipment from loss, theft and misappropriation.
In conclusion, Mr. Chairman, strengthening the overall control environment and establishing specific IT controls will require a renewed focus, oversight and continuing commitment throughout the organization.
This concludes our prepared statement. Ms. Fischer and I would be very happy to answer any questions that you or other Members of the Subcommittee may have at this time. Thank you.
[The statement of Mr. Williams appears in the Appendix.]
Mr. MITCHELL. Thank you, Mr. Williams.
In your first—in your most recent report, the GAO concluded that poor accountability and weak control environment have left the four VA case-study organizations vulnerable to continuing theft, loss and misappropriation of IT equipment and sensitive personal data. This conclusion is no different than what the GAO reached in 2004. Is that true?
Mr. WILLIAMS. That is true, Mr. Chairman. While the conclusion is the same, if you look at the specific numbers as far as the amount of items that we were unable to find in the audit that we did in 2004, there has been some improvement there, but there is still a lot of work to be done. Given that amount of time frame, there are some things that you would have expected to have been completed by this time based on those findings, but the conclusion is definitely the same.
Mr. MITCHELL. In your opinion, what is the VA's problem? Why hasn't anything really been done?
Mr. WILLIAMS. I think, to address this problem, there are two or three things that need to be done; and I think one of the things that I would start out with is that there needs to be accountability, as we have stated in the report, at the individual level.
When you have got accountability that is not assigned to the individuals in a situation which, as I like to say, when everybody is accountable, you end up with no one being accountable. Then you need to make sure that you have policies and procedures that are in place that are consistent throughout the organization, and they are carried out.
It is one thing to have policies and procedures in place, but you want to make sure you have that oversight to make sure those policies and procedures are being implemented by management in the organization.
Mr. MITCHELL. Thank you. A bad inventory system obviously raises concern about wasting taxpayers' money, but there are also security concerns, concerns that are particularly acute given the VA's recent episodes on data loss.
Your report describes concerns with the security of private veteran data. Please tell us about how the VA's inadequacy of their inventory system creates a danger for data loss.
Mr. WILLIAMS. I think one of the examples that I just finished talking about in my opening statement was, we did not find any data on those hard drives that had been identified as being sanitized. The problem comes in, the risk comes in when you have hard drives that are waiting to be sanitized, and those are in file cabinets or in storage bins and they have been there for years.
So when you leave those hard drives there, there is always the risk that someone can come along and take it and extract that information and use it for reasons that are not good.
The other concern that we had was the security around the locations where the items were actually stored. As you can tell from one of the pictures that we have here, that there are certain requirements as far as what type of security is supposed to be associated with this type of equipment. Rooms are supposed to be locked, et cetera, there are supposed to be floor-to-ceiling walls so that individuals cannot get over and take some of these items out.
So that is the concern we have. You want to make sure that you have got those controls in place so that this sensitive and very important data is properly protected and not in the hands—the possibility of its being in the hands of someone that would use it for bad purposes.
Mr. MITCHELL. You mentioned just a second ago about the importance of user-level accountability and how important that is. You also pointed out that they don't have it in the VA except for IT equipment that is taken off-site.
What is the current process the VA has for assigning custody for IT equipment?
Mr. WILLIAMS. As we stated in the report, there is a process in which you basically get a hand receipt for items that you are going to be—I guess mobile items, things you take off site.
The concern that was raised in our review of that particular area—and I will let Ms. Fischer chime in on the specific numbers if I am off. I think we requested about 15 items to look at, items to identify if the policy was actually being followed, if there was actually a hand receipt for those items being taken off; and of that number, I think six items we were unable to get the hand receipt—the documentation to show the support for this is a receipt for this item being taken out.
There were about nine other items; I think six of those nine we basically found that the documentation was recorded after the fact, I believe. And for two of the items we found it was valid. So out of those 15, we were only able to identify 2 in which the process had actually been followed.
Mr. MITCHELL. One very quick follow-up, if the Subcommittee will indulge me here.
How difficult would it be to implement a user accountability system?
Mr. WILLIAMS. I think it would take some time to set that system up initially, but from a cost-benefit standpoint, once you get that particular process set up and you do that inventory on an annual basis, or whatever basis that you decide you want to do it, I think it is a process that could be followed and implemented throughout the organization.
We have it at my organization. Once a year I get a call and I am notified that there is an inventory that is going to be performed. When that piece of equipment was assigned to me, I signed off on a sheet of paper and basically stated that, McCoy Williams, you are responsible for this particular computer, this particular device or what have you. It is only a matter of time, of another person coming through, independent verification; they will look at the code that is on the equipment and basically check it off as being in my control.
So I don't think it is a major, major problem. I will let Ms. Fischer add.
Ms. FISCHER. Mr. Chairman, I do want to point out that the Washington, D.C., Medical Center implemented user level accountability for their IT equipment during March of 2007 as we were wrapping up our work. We have looked at their policy. It looks pretty good.
When a user signs for accountability of their IT equipment, they are acknowledging at least eight rules and guidelines that they are attesting to that they will follow; and you might want to ask your witnesses today in Panel 2 how that is working for them.
Mr. MITCHELL. Thank you.
At this time I would like to recognize Ms. Brown-Waite.
Ms. BROWN-WAITE. Thank you, Mr. Chairman. I first of all thank both of you for being here.
Mr. WILLIAMS. Thank you.
Ms. BROWN-WAITE. Mr. Williams, is it that the policies VA currently has aren't being followed or that they need totally new policies?
Mr. WILLIAMS. I wouldn't say that they need totally new policies, but I think there need to be some revisions to the policies to strengthen some of the controls. But there are also some controls that they currently have in place in those policies that we found were not being followed, so I would say it is a combination.
Ms. BROWN-WAITE. A combination.
Let me ask you this. In your report you mention the fact that VA policy mandates that a report of survey be appointed when there is a possibility that a VA employee may be assessed pecuniary liability or disciplinary action as a result of loss, damage or destruction of property and the value of the property is $5,000 or more.
Are you aware, has this board survey ever been appointed and has anybody ever been held accountable for missing items?
Mr. WILLIAMS. We will take this one jointly.
Ms. FISCHER. They have appointed boards of survey to further investigate items that are identified as missing in their physical inventories. We don't know of any specific instances where individuals have been held liable for lost equipment. However, VA probably has that information. You could ask the witnesses on Panel 2 if they have examples of that.
Ms. BROWN-WAITE. If I may follow up with another question for Ms. Fischer, the report mentions a problem with purchase cards.
Could you explain why IT equipment bought with a government purchase card was not recorded in the property records?
Ms. FISCHER. Yes, Congresswoman Brown-Waite. Their policy did not require the purchase card holders to notify the property officers when they acquired computer equipment with the purchase card. So it was put into service and never entered in the inventory records.
We made a recommendation, and VA has stated that they will have that policy in place this month. Our recommendation was that they, of course, implement that requirement.
Ms. BROWN-WAITE. And were they receptive to implementing that requirement? It just—to the average citizen out there, it just seems as if one hand does not know what the other hand is doing when it comes to inventory in the VA. It really does seem that way. And the sad part of it is, that translates into fewer dollars actually being used for the veterans, which I know troubles every Member of this Subcommittee up here. So is that—
Mr. WILLIAMS. Let me take that.
I would start by saying that having read VA's testimony for today, I think that if those actions that have been identified in today's testimony are followed through on, it looks like that is putting them on track to address these problems that we have identified back in 2004, as well as the problems that we have identified in our report that is being released today. That means that it is probably too soon to tell at this particular point in time.
We have laid out the issues and we have laid out the recommendations. I think that this is a good first start, based on what I see in the testimony today. The proof will be in the actions that will follow down the road to see if these recommendations are actually implemented.
Ms. BROWN-WAITE. Based on what we have heard so far, how is the team able to find most of the equipment when VA didn't know who had the equipment or where it was?
Ms. FISCHER. They were pretty familiar with the process by the time we did our second audit; and they had a team accompanying us, and when items could not be located, they sent people out to look for, say, turn-in documentation that may exist where items hadn't been updated in inventory as being disposed of. They looked at where IT equipment was plugged into the networks. Sometimes the central system could tell them where that equipment was located. And in some cases they did a full facility search.
VA headquarters actually sent teams to the field to determine whether some of the IT equipment had been transferred to field locations without updating the inventory record. So all of these human intervention efforts helped them locate some of the items we couldn't initially identify during our inventory.
Mr. WILLIAMS. May I add a point to that, because I was involved in the 2004 inventory also; and I remember to this date one location that I actually visited, and we had the same type of assistance in which VA staff would actually go to the various locations, and we would try to identify the properties and all.
At this one particular location I recall my staff and I pulled up to the building and basically introduced ourselves and stated what we were there for, and we basically got the old-fashioned cold shoulder that you're here during my lunch time and this is not an important event for me.
I would add the attitude this time, I think, based on Ms. Fischer's team going out, is the organization understands the importance of taking these inventories and why it is important you have these good records for the property that is in your control.
Ms. BROWN-WAITE. With that, I yield back.
Mr. MITCHELL. Thank you.
Mr. WALZ. Thank you, Mr. Williams and Ms. Fischer. I really appreciate this; I appreciate the work that you are doing on this.
I, for one, again can't stress enough that I believe that the work that the VA is doing and all the good that it is doing is almost immeasurable. But any time we have these types of issues, it totally undermines everything we are doing. So the criticalness of this and the sense of urgency is very much here with this Subcommittee.
I want to just lay out a bit of a scenario and talk to you about this, having had some experience in Federal Government. But I think—Mr. Williams had me intrigued with his idea of this individual accountability thing.
At one time, when I was a lowly GS-7, I was in charge of managing a National Guard armory, and I can remember signing those property books and being in charge of those, and I was the only one there and there were millions of dollars of equipment, from howitzers to mop heads, and they were all on the property books. I had to be accountable for every single one of them.
I can remember turning an armory upside down looking for little radiac meters they gave us to see radiation in there that we weren't sure how to use them, but they had been given to us and they had a value; and the checklist and the accountability on that was so strong. I was absolutely there, and I actually processed some of these, on myself and others, a statement of charges if things were lost and they were under your care; and sometimes they were accidental and they would find out what happened and you would be cleared because it got run over accidentally in a training exercise. But there was no doubt in my mind somebody was watching, and I was accountable, and my commander, for every single piece of equipment. And this was back in 1989 when you had the big green printout sheets that would come.
With the ability we know now to organize data, it seems amazing to me, because every month a random inventory, a partial inventory of our whole inventory would come out to us and we would have to physically sign off at the end. It behooved you to be organized, to know where this was and to know there was a day of reckoning if it was not there.
My question is, especially on a large scale like that—there were thousands of armories across the United States, and if you don't think these inventories were detailed, it was down to every single socket in tool kits, and if you didn't have the 3/16th socket, no matter what else you had, somebody wanted to know about it and somebody was going to pay for it.
So my question to you is, it seems to me the ability to do this and the best practices and the checklist are out there. We had to close the shop at the end of the day; that included security of the primitive technology at the time. But it was locked in the vault, it was signed off, it was secured; and when I opened that vault, my signature went on that. And those sheets were checked when someone would come through, and we didn't brush you off because when someone came to say they were going to look, we had to provide it and knew we had to provide it.
So my question to you is, I know the ability to deliver this, at least I feel, is there; and I know that the culture at that time was for me to make sure I delivered it.
Is there anything about what I am saying on this that is applicable to the VA?
Mr. WILLIAMS. I will start by saying, in addition to having responsibility for the financial management at the VA, I also have responsibility for financial management at the Department of Defense and Homeland Security, so I am familiar with those property books that you are talking about.
No, you are not being unreasonable in anything that you said, because I see that type of activity taking place now at the various agencies I have responsibility for. There are other problems as far as having good systems to keep track of those property books and all that we have reported on, but that process is one that can be done, and it is not something that you have to do everything, wall to wall, at one time.
There are various ways in which you can rotate doing that inventory, maybe this unit this month, this unit that month, et cetera. If it is looking like it is going to interfere with your operations, you just shut everything down and try to do it.
There are various ways that it can be done, but nothing you have said is unreasonable to expect, nothing that you have said is unreasonable, and in my mind that couldn't be done to get this accountability down to the individual levels and have individuals accountable for the property that has been assigned to them.
Mr. WALZ. And I guess my final question is, just thinking of how these things rolled down as we have issues. After the breach in the laptop computer and the 26 million individual records, or roughly what the number was, we saw—I think VA and the government responded, and what they did was, they started strengthening those Health Insurance Portability and Accountability Act rules, making sure privacy was there. And now I see what I think is an unintended consequence in our county service officers who are having a hard time accessing the VA system in terms of they now have to get the sign-off from them for power of attorney and those types of things.
I am wondering, have we gone over on that or is that just part of strengthening this system?
Mr. WILLIAMS. That is something you have to look at. When you are looking at a control environment and you are putting controls in place, you have to look at everything from a cost-benefit standpoint, and you don't want to put anything in place that is actually going to cost you more than the benefits that you are going to expect to derive. So it is a balancing act.
Mr. WALZ. I thank you.
And I yield back, Mr. Chairman. Thank you.
Mr. MITCHELL. Thank you.
Ms. BROWN-WAITE. The one question that I was going to ask, which may be very similar, is, in our offices we are required to keep track of anything over $500 as part of the inventory. Is part of VA's problem that a lot of the missing equipment was under not $500, but $5,000, that it was never actually inventoried before? Is that part of the problem?
Mr. WILLIAMS. Part of the problem is that a lot of these items are under that $5,000 window that we are talking about. But we did find some items missing that were over the $5,000 amount. But there are a lot of computers and things along this line that cost $2,000, $1,000, what have you. These are items that you can easily walk out the door with, and that is why we feel that it is important that, as we recommended, I think, in the 2004 report, you properly identify those items that are sensitive and less than $5,000 and make sure you put the controls in place so that those items that can easily walk out the door, that you have got some controls around them so you know where they are and you have got individuals that are accountable for those individual items.
Ms. BROWN-WAITE. When I asked about the dollar amount and found out that it is $5,000 for inventory for the VA, I was told that they inventory vehicles, ammunition, weapons, canines. What is the value of a canine? And the reason I am asking this is, think about it, that canine is not going to jeopardize anyone's security out there. But I just find it very strange that that was the response that we got.
Mr. WILLIAMS. I will be honest with you, I asked my staff the same question before the hearing today from the standpoint of—well, my first question was, am I properly pronouncing this? I thought it was maybe some other type of equipment. But my understanding is that these are valuable assets that are used in the process of carrying out VA operations, so they are actually classified as assets that fall into that sensitive category as defined by VA.
Ms. BROWN-WAITE. I am sure that they are. My canine at home is priceless. But the point being that while my Bentley at home may be priceless—that is my dog's name, not my vehicle—certainly the canines do not have identifying information that could be misused; and I guess I am questioning the priority of the inventory.
Mr. WILLIAMS. Yes.
Ms. BROWN-WAITE. And I just found it so totally strange that canines are inventoried, but computers aren't. Laptops and Blackberries and other things aren't. The average citizen out there is asking, What the heck is going on up there?
I thank you very much.
Mr. WILLIAMS. Thank you.
Mr. MITCHELL. Mr. Walz, any other questions?
Mr. WALZ. I just had one more question and I may know this answer, but I am going to get it from the experts.
What I am reading on the San Diego facility, it talked about the personnel there created their cuff records. Can you tell me what that is?
Ms. FISCHER. They were maintaining cuff records at San Diego and at VA headquarters, and these were records maintained outside the central inventory system for various reasons. At San Diego, the IT staff did not have access to the property system, so they felt the need to keep their own records to show when they removed a computer for repair or moved one to another location, so they could track it.
They were trying to keep accountability there. The problem was, they didn't have access to the central system, so they couldn't update the central system for those changes; and so the central inventory system was out-of-date because of that.
Mr. WALZ. But it would be unfair to characterize this as a second set of books?
Ms. FISCHER. It was, in fact, a second set of records. Both sets of records, the central system and the cuff records, are considered official records.
Mr. WALZ. Okay.
Mr. WILLIAMS. I would add, if you are looking at a good control environment, you would want the records to be in your main system, you wouldn't want to be relying on cuff records. You would like to have it in your official system in a good, internal control environment.
Mr. WALZ. Very good.
Ms. FISCHER. The cuff records were on somebody's personal computer on a spreadsheet.
Mr. WALZ. They were making an effort at accountability because the system was hindering them from doing what they needed to do.
Ms. FISCHER. They were the only ones that had access to the records they created, so they weren't available for management information.
Mr. WALZ. Thank you.
I yield back, Mr. Chairman.
Mr. MITCHELL. Thank you very much. Thank you for your testimony and for being here today.
At this time I would like to welcome Panel 2 to the witness table. Mr. Robert T. Howard is the Assistant Secretary for Information and Technology at the VA and the Department's CIO. Assistant Secretary Howard is a former Major General in the Army Corps of Engineers and joined the VA in 2006 to head up the IT reorganization project. The Subcommittee has been most happy with Mr. Howard's progress in this project, but we understand that there is still a long way to go. We look forward to hearing Assistant Secretary Howard's testimony.
And, Mr. Howard, would you please introduce the rest of your staff?
STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY, AND CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND HON. ROBERT J. HENKE, ASSISTANT SECRETARY FOR MANAGEMENT, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY ASSISTANT SECRETARY, INFORMATION PROTECTION AND RISK MANAGEMENT, OFFICE OF INFORMATION AND TECHNOLOGY; ARNIE CLAUDIO, DIRECTOR, INFORMATION TECHNOLOGY OVERSIGHT AND COMPLIANCE, OFFICE OF INFORMATION AND TECHNOLOGY; RAY SULLIVAN, DIRECTOR OF FIELD OPERATIONS, OFFICE OF INFORMATION AND TECHNOLOGY; SANDFORD GARFUNKEL, DIRECTOR, VETERANS INTEGRATED SERVICE NETWORK 5, VETERANS HEALTH ADMINISTRATION; LARRY BIRO, DIRECTOR, VETERANS INTEGRATED SERVICE NETWORK 7, VETERANS HEALTH ADMINISTRATION; FERNANDO O. RIVERA, DIRECTOR, WASHINGTON, DC, VA MEDICAL CENTER, VETERANS HEALTH ADMINISTRATION; AND STEVE ROBINSON, CHIEF, ACQUISITION AND MATERIEL MANAGEMENT SERVICE, WASHINGTON, DC, VA MEDICAL CENTER, VETERANS HEALTH ADMINISTRATION, U.S. DEPARTMENT OF VETERANS AFFAIRS
Mr. HOWARD. Yes, sir. Thank you, Mr. Chairman. I would like to thank you for the opportunity to testify on IT asset management within the Department of Veterans Affairs.
Mr. MITCHELL. Is your microphone on?
Mr. HOWARD. Yes, sir. Anyway, I do thank you for the opportunity to testify today on IT asset management within the Department of Veterans Affairs.
I am joined today by Mr. Bob Henke, Assistant Secretary for Management, and I am also accompanied by Ms. Adair Martinez, my Deputy Assistant Secretary for Information Protection and Risk Management; Mr. Ray Sullivan, my Director of Field Operations; Mr. Arnie Claudio, my Director of IT Oversight and Compliance.
In the group behind me are Mr. Sandford Garfunkel, Director of Veterans Health Administration's (VHA's) Veterans Integrated Services Network (VISN) 5; Mr. Larry Biro, of VISN 7; Mr. Fernando Rivera, Director of the Washington, DC, VA Medical Center; and Mr. Steve Robinson, Chief, Acquisition and Materiel Management Service for the Washington, DC, VA Medical Center.
Sir, IT asset management is a critically important issue that also, as you have mentioned, has a direct bearing on our ability to enhance information protection throughout VA. As you know, the recent GAO report on VA's IT asset management found inadequate controls and risk associated with threat, loss and misappropriation of IT equipment at selected VA locations. In that report, GAO found inadequate accountability and included a number of very important recommendations with which we agree.
As the Chief of Information and Technology for VA, I am responsible for ensuring compliance with the integrity and security of VA's IT assets. I understand that when poor IT inventory procedures exist, both the loss of expensive equipment as well as the loss of any sensitive information resident in the equipment could occur.
This is a situation of the utmost importance. It is a situation that we are working hard to remedy. We are prepared to answer your questions today about procedures that already exist, as well as more rigorous and standard procedures that are being implemented.
The GAO findings demonstrate a need for more emphasis and vigilance in this area. With the establishment of a single IT authority in the VA we are now in a much better posture to improve the IT asset management situation, and we have a number of actions already under way. We currently have several systems in VA that capture IT assets, and we are working to standardize this and move to a single IT management system.
We have been able to locate some of the equipment that was reported missing. For example, regarding the items of missing equipment that were assigned to the previous Office of Information and Technology, we have been able to locate most of them. We assembled a team to conduct a search for missing items—network equipment servers, digital cameras, et cetera—that were assigned to the Office of Information and Technology prior to the consolidation of IT in the VA.
At the end of this review, which took place over a 3-month period, the team had located about 90 percent of the equipment; and though much of the equipment was found, the lack of accountability was clearly evident. You should not have to go through that in order to find your equipment.
To improve our asset management and accountability within VA, a special team has been established to develop standard procedures; a new directive and accompanying handbook on the control of information technology equipment within the VA have been prepared, and we have already implemented some of the procedures they describe. The directive and handbook will provide clear direction on all aspects of IT asset management.
Additionally, we have expanded the responsibility of my Office of Information Technology Oversight and Compliance. This office was established in February of 2007 to conduct on-site assessments of IT security, privacy and records management at VA facilities. As of today, the office has completed over 58 assessments, and the oversight of physical security for IT assets is now a part of their assessment routine. The results of the reviews will help us support and strengthen VA IT security controls.
This office ensures that facilities are aligned with the National Institute of Standards and Technologies' recommended security controls for Federal information systems.
We must also increase awareness at the individual user level regarding accountability for IT equipment. The new directive and handbook mentioned earlier will require employees who have been assigned VA IT equipment to sign a receipt for the IT equipment in their possession. Supervisors will be held responsible for common equipment that is not assigned to individuals. The receipt used is the printout of the equipment inventory list which describes equipment assigned to employees by name. These procedures have already been implemented.
We have begun to deploy network monitoring software. This is a very critical aspect of this issue, sir, that will help us detect and monitor any device that is connected to the VA network. Special procedures are also being implemented for equipment that may be considered expendable, but which must be accounted for, not because of the cost, but because the equipment has the potential for storing sensitive information. An example of such low-cost IT equipment that must be tracked are the encrypted thumb drives being distributed throughout the VA.
In closing, I want to assure you, Mr. Chairman, that we will remain focused in our efforts to improve all aspects of the information technology environment in VA, including the overall accountability and control of IT equipment, as well as certain medical equipment that could potentially store sensitive information.
It is about the sensitive information that we are particularly concerned. This will not only reduce the loss of expensive equipment, but also the potential loss of sensitive information the equipment may contain.
Thank you for your time and the opportunity to speak to you on this issue and we would be pleased to answer any questions you may have.
Mr. MITCHELL. Thank you, Mr. Howard.
[The statement of Mr. Howard appears in the Appendix.]
Mr. MITCHELL. Mr. Henke, do you care to make a statement?
Mr. HENKE. Sir, just two or three brief points and then we will turn to your questions, if you don't mind.
Sir, from my perspective as the agency's Chief Financial Officer, any internal control deficiency, whether it is material or not to our financial posture, our financial statements, has my attention.
First, in the GAO report, we concurred on all 12 of the recommendations and moved to change our policies and purchase card policies and modify our inventory system to add user level accountability to it.
The second thing I would like to point out is that my internal auditors also do property reviews at VA medical centers. We have visited 14 medical centers to date this year, and in some of their findings they found stations that have zero discrepancies—zero discrepancies on their equipment inventories. What that tells me is that this can be done with the right amount of management attention. Salt Lake City, Utah, zero percent discrepancies; Muskogee, Oklahoma, 3.2 percent discrepancies; Wilmington, Delaware, 4.5 percent. So with management attention it can be done.
Number three, we are going through a Sarbanes-Oxley-type process (we're in year 2 of a 3-year process) where we look at internal controls over our financial reporting. One of the processes we are looking at this year is property and equipment. We had some results come back, fairly mixed results. We told the teams, the national auditors we have and my auditors, to go out and do more site assessments and come back with more information.
Finally, sir, I would like to point out that you mentioned, and Ms. Brown-Waite mentioned, the 2005 and 2006 inventories that were being done. We have results for 2007 to date, on inventories, and we can speak to those. The results are very different, and I can speak to the point that I believe the institution has gotten religion about accounting for IT equipment.
Mr. MITCHELL. Thank you. I just have a couple questions.
Mr. Howard, your organization has devoted a great deal of time to ensuring that the personal data of veterans is protected from disclosure. Encryption of the data is one of the main defenses against disclosure; do you agree with that?
Mr. HOWARD. Yes, sir.
Mr. MITCHELL. If GAO reports that your inventory records are incomplete and inaccurate, how do you know if all IT equipment requiring encryption has been encrypted?
Mr. HOWARD. Sir, not all the IT equipment has been encrypted. In fact, some of it, we cannot encrypt. An example of that is IT equipment that is actually a part of a medical device that we cannot necessarily place encryption.
I would agree with you that encryption is an extremely important tool and we need to encrypt everything we possibly can, but there are some items that you can't, which means there are other methodologies you have to follow.
The basic rule that we have established in the VA is that sensitive equipment—sensitive information, rather, must be in a protected environment at all times or it must be encrypted. What I mean by that is, for example, if the Veterans Benefit Administration—they deal with paper, lots of paper; you can't encrypt it. But you also must protect it in a protected environment—listings of names and Social Security numbers, and what have you.
So although encryption is an extremely important tool, and we are expanding that to the maximum possible degree, it is not the final answer. You still have to have some procedures that must be followed where encryption can't help you.
Mr. MITCHELL. Thank you. Let me ask a further question here. Are you aware of a single instance in which the problems with the VA inventory system that the GAO has very clearly identified that have existed for years have resulted in any disciplinary action by anyone at the VA?
Mr. HOWARD. Sir, we got into that discussion this morning. The answer is "yes." I don't know about disciplinary, but I will tell you that people have been held pecuniarily liable for missing equipment; I don't know the numbers per se, but I do know that