Veterans Affairs
Sustained Management Commitment and Oversight Are Essential to Completing Information Technology Realignment and Strengthening Information Security
GAO ID: GAO-07-1264T, September 26, 2007
This is the accessible text file for GAO report number GAO-07-1264T
entitled 'Veterans Affairs: Sustained Management Commitment and
Oversight are Essential to Completing Information Technology
Realignment and Strengthening Information Security' which was released
on September 26, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the House Committee on Veterans' Affairs:
For Release on Delivery:
Expected at 10:00 a.m. EDT Wednesday, September 26, 2007:
Veterans Affairs:
Sustained Management Commitment and Oversight Are Essential to
Completing Information Technology Realignment and Strengthening
Information Security:
Statement of Valerie C. Melvin, Director, Human Capital and Management
Information Systems Issues, and Gregory C. Wilshusen, Director,
Information Security Issues:
GAO-07-1264T:
GAO Highlights:
Highlights of GAO-07-1264T, a testimony before the House Committee on
Veterans' Affairs.
Why GAO Did This Study:
The Department of Veterans Affairs (VA) has encountered numerous
challenges in managing its information technology (IT) and securing its
information systems. In October 2005, the department initiated a
realignment of its IT program to provide greater authority and
accountability over its resources. The May 2006 security incident
highlighted the need for additional actions to secure personal
information maintained in the department's systems.
In this testimony, GAO discusses its recent reporting on VA's
realignment effort as well as actions to improve security over its
information systems. To prepare this testimony, GAO reviewed its past
work on the realignment and on information security, and it updated and
supplemented its analysis with interviews of VA officials.
What GAO Found:
VA has fully addressed two of six critical success factors GAO
identified as essential to a successful transformation, but it has yet
to fully address the other four, and it has not kept to its scheduled
timelines for implementing new management processes that are the
foundation of the realignment. That is, the department has ensured
commitment from top leadership and established a governance structure
to manage resources, both of which are critical success factors.
However, the department continues to operate without a single,
dedicated implementation team to manage the realignment; such a
dedicated team is important to oversee the further implementation of
the realignment, which is not expected to be complete until July 2008.
Other challenges to the success of the realignment include delays in
staffing and in implementing improved IT management processes that are
to address long-standing weaknesses. The department has not kept pace
with its schedule for implementing these processes, having missed its
original scheduled time frames. Unless VA dedicates a team to oversee
the further implementation of the realignment, including defining and
establishing the processes that will enable the department to address
its IT management weaknesses, it risks delaying or missing the
potential benefits of the realignment.
VA has begun or continued several major initiatives to strengthen
information security practices and secure personally identifiable
information within the department, but more remains to be done. These
initiatives include continuing the department's efforts to reorganize
its management structure; developing a remedial action plan;
establishing an information protection program; improving its incident
management capability; and establishing an office responsible for
oversight and compliance of IT within the department. However, although
these initiatives have led to progress, their implementation has
shortcomings. For example, although the management structure for
information security has changed under the realignment, improved
security management processes have not yet been completely developed
and implemented, and responsibility for the department's information
security functions is divided between two organizations, with no
documented process for the two offices to coordinate with each other.
In addition, VA has made limited progress in implementing prior
security recommendations made by GAO and the department's Inspector
General, having yet to implement 22 of 26 recommendations. Until the
department addresses shortcomings in its major security initiatives and
implements prior recommendations, it will have limited assurance that
it can protect its systems and information from the unauthorized
disclosure, misuse, or loss of personally identifiable information.
What GAO Recommends:
In recent reports, GAO made recommendations aimed at improving VA's
management of its realignment efforts and information security program.
To view the full product, including the scope and methodology, click on
GAO-07-1264T.
For more information, contact Valerie Melvin at (202) 512-6304 or
melvinv@gao.gov.
[End of section]
Mr. Chairman and Members of the Committee:
Thank you for inviting us to participate in today's hearing on the
Department of Veterans Affairs (VA) realignment of its information
technology management structure and actions toward strengthening its
information security program. In carrying out its mission of serving
our nation's veterans, the department relies heavily on information
technology (IT), for which it expends about $1 billion annually. As you
know, however, VA has encountered persistent challenges in IT
management, having experienced cost, schedule, and performance problems
in its information system initiatives, as well as losses of sensitive
information contained in its systems. We have reported that a
contributing factor to VA's challenges in managing projects and
improving security was the department's management structure, which
until recently was decentralized, giving the administrations[Footnote
1] and headquarters offices[Footnote 2] control over a majority of the
department's IT budget.
In October 2005, VA initiated a realignment of its IT program to
provide greater authority and accountability over its resources. In
undertaking this realignment (due for completion in July 2008), the
department's goals are to centralize IT management under the department-
level Chief Information Officer (CIO) and standardize operations and
the development of systems across the department through the use of new
management processes based on industry best practices. This past June
we reported on the department's realignment initiative, noting progress
as well as the need for additional actions to be completed.[Footnote 3]
Just last week, we also released a report on VA information security,
which included an assessment of the realignment with regard to the
department's information security practices.[Footnote 4]
At your request, my testimony today will summarize the department's
actions to realign IT management and our findings regarding the
department's information security program. In developing this
testimony, we reviewed our previous work on the department's
realignment and efforts to strengthen information security. We also
obtained and analyzed pertinent documentation and supplemented our
analysis with interviews of responsible VA officials to determine the
current status of the department's realignment efforts. All work on
which this testimony is based was conducted in accordance with
generally accepted government auditing standards.
Results in Brief:
VA has fully addressed two of six critical success factors we have
identified as essential to a successful transformation, but it has not
kept to its timelines for implementing new management processes that
are the foundation of the realignment. Consequently, the department is
in danger of not being able to meet its 2008 targeted completion date.
The department has ensured commitment from top leadership and
established a governance structure to manage resources, both of which
are critical success factors. However, the department continues to
operate without a single, dedicated implementation team to manage the
realignment; such a dedicated team is important to oversee the further
implementation of the realignment. Other challenges to the success of
the realignment include delays in staffing and in implementing the IT
management processes that are the foundation of the realignment. The
department has not kept pace with its schedule for implementing these
processes, having missed its original scheduled time frames. Unless VA
dedicates a team to oversee the further implementation of the
realignment, including defining and establishing the processes that
will enable the department to address its IT management weaknesses, it
risks delaying or missing the potential benefits of the realignment.
VA has made progress in strengthening information security, but much
work remains to resolve long-standing security weaknesses. The
department has begun or has continued several major initiatives to
strengthen information security practices and secure personally
identifiable information[Footnote 5] within the department. These
initiatives include continuing the department's efforts, as described
above, to realign its management structure; developing a remedial
action plan; establishing an information protection program; improving
its incident management capability; and establishing an office
responsible for oversight and compliance of IT within the department.
However, although these initiatives have led to progress, their
implementation has shortcomings. For example, a new security management
structure has been implemented, but improved security management
processes have not yet been completely developed and implemented; in
addition, the new security management structure divides the
responsibility for the department's information security functions
between two organizations, with no documented process for the two
offices to coordinate with each other. Further, the department has made
limited progress in addressing prior GAO and Inspector General
recommendations to improve security: although VA has taken steps to
address these, it has not yet completed the implementation of 22 out of
26 prior recommendations.
In the reports covered by this testimony, we have made numerous
recommendations aimed at improving the department's management of its
realignment and information security program. VA has agreed with these
recommendations and has begun taking or plans to take action to
implement them. If this implementation is properly executed, it could
help the department to realize the expected benefits of the
realignment, as well as to better secure its information and systems.
Background:
VA's mission is to promote the health, welfare, and dignity of all
veterans in recognition of their service to the nation by ensuring that
they receive medical care, benefits, social support, and lasting
memorials. Over time, the use of IT has become increasingly crucial to
the department's effort to provide benefits and services. VA relies on
its systems for medical information and records for veterans, as well
as for processing benefit claims, including compensation and pension
and education benefits.
In reporting on VA's IT management over the past several years, we have
highlighted challenges the department has faced in enabling its
employees to help veterans obtain services and information more quickly
and effectively while also safeguarding personally identifiable
information. A major challenge was that the department's information
systems and services were highly decentralized, giving the
administrations a majority of the IT budget.[Footnote 6] In addition,
VA's policies and procedures for securing sensitive information needed
to be improved and implemented consistently across the department.
As we have previously pointed out,[Footnote 7] it is crucial for the
department CIO to ensure that well-established and integrated processes
for leading, managing, and controlling investments in information
systems and programs are followed throughout the department. Similarly,
a contractor's assessment of VA's IT organizational alignment, issued
in February 2005, noted the lack of control over how and when money is
spent.[Footnote 8] The assessment noted that the focus of department-
level management was only on reporting expenditures to the Office of
Management and Budget and Congress, rather than on managing these
expenditures within the department.
Centralized IT Organization:
In response to the challenges that we and others have noted, the
department officially began its effort to provide the CIO with greater
authority over IT in October 2005. At that time, the Secretary issued
an executive decision memorandum granting approval for the development
of a new management structure for the department. According to VA, its
goals in moving to centralized management are to enable the department
to perform better oversight of the standardization, compatibility, and
interoperability of systems, as well as to have better overall fiscal
discipline for the budget.
In February 2007, the Secretary approved the department's new
organizational structure, which includes the Assistant Secretary for
Information and Technology, who serves as VA's CIO. As shown in figure
1, the CIO is supported by a principal deputy assistant secretary and
five deputy assistant secretaries--new senior leadership positions
created to assist the CIO in overseeing functions such as cyber
security, IT portfolio management, systems development, and IT
operations.
Figure 1: Office of Information and Technology Organizational Chart:
[See PDF for image]
Source: VA.
Note: DAS = Deputy Assistant Secretary:
[End of figure]
In addition, the Secretary approved an IT governance plan in April 2007
that is intended to enable the Office of Information and Technology to
centralize its decision making. The plan describes the relationship
between IT governance and departmental governance and the approach the
department intends to take to enhance IT governance. The department
also made permanent the transfer of its entire IT workforce under the
CIO, consisting of approximately 6,000 personnel from the
administrations. Figure 2 shows a timeline of the realignment effort.
Figure 2: Timeline of Key Events for VA IT Realignment:
[See PDF for image]
Source: GAO analysis of VA data.
[End of figure]
Multiple Factors Increasing Risk to Success of Realignment:
Although VA has fully addressed two of six critical success factors
that we identified as crucial to a major organizational transformation
such as the realignment, it has not fully addressed the other four
factors, and it has not kept to its scheduled timelines for
implementing new management processes that are the foundation of the
realignment. Consequently, the department is in danger of not being
able to meet its target of completing the realignment in July 2008. In
addition, although it has prioritized its implementation of the new
management processes, none has yet been implemented. In our recent
report,[Footnote 9] we made six recommendations to ensure that VA's
realignment is successfully accomplished; the department generally
concurred with our recommendations and stated that it had actions
planned to address them.
VA Has Not Fully Addressed All Critical Success Factors:
We have identified critical factors that organizations need to address
in order to successfully transform an organization to be more results
oriented, customer focused, and collaborative in nature.[Footnote 10]
Large-scale change management initiatives are not simple endeavors and
require the concentrated efforts of both leadership and employees to
realize intended synergies and to accomplish new organizational goals.
There are a number of key practices that can serve as the basis for
federal agencies to transform their cultures in response to governance
challenges, such as those that an organization like VA might face when
transforming to a centralized IT management structure.
The department has fully addressed two of six critical success factors
that we identified (see table 1).
Table 1: Current Status of VA's Actions to Address Critical Success
Factors:
Critical success factor: Ensuring commitment from top leadership;
Status as of September 2007: Fully addressed: Secretary Nicholson
approved the new organization structure and the transfer of employees.
Critical success factor: Establishing a governance structure to manage
resources;
Status as of September 2007: Fully addressed: Secretary Nicholson
approved the IT governance plan, and VA established three new IT
governance boards that began meeting earlier this year.
Critical success factor: Linking IT strategic plan to organization
strategic plan;
Status as of September 2007: Partially addressed: The department has
developed a draft IT strategic plan and expects to finalize it in
October 2007.
Critical success factor: Using workforce strategic management to
identify proper roles for all employees;
Status as of September 2007: Partially addressed: VA has identified job
requirements and has begun to develop career paths for IT staff, but has
not yet established a knowledge and skills inventory.
Critical success factor: Communicating change to all stakeholders;
Status as of September 2007: Partially addressed: VA increased
communication on the realignment, but has not staffed a key
communication office.
Critical success factor: Dedicating an implementation team to manage
change;
Status as of September 2007: Not addressed: The department does not
have an implementation team to manage the realignment.
Source: GAO.
[End of table]
Ensuring commitment from top leadership. The department has fully
addressed this success factor. As described earlier, the Secretary of
VA has fully supported the realignment. He approved the department's
new organizational structure and provided resources for the realignment
effort.
However, the Secretary recently submitted his resignation, indicating
that he intended to depart by October 1, 2007. While it is unclear what
effect the Secretary's departure will have on the realignment, the
impending departure underscores the need for consistent support from
top leadership through the implementation of the realignment, to ensure
that its success is not at risk in the future.
Establishing a governance structure to manage resources. The department
has fully addressed this success factor. The department has established
three governance boards, which have begun operation. The VA IT
Governance Plan, approved April 2007, states that the establishment and
operation of these boards will assist in providing the department with
more cost-effective use of IT resources and assets.
The department also has plans to further enhance the governance
structure in response to operational experience. The department found
that the boards' responsibilities need to be more clearly defined in
the IT Governance Plan to avoid overlap. That is, one board (the
Business Needs and Investment Board) was involved in the budget
formulation for fiscal year 2009, but budget formulation is also the
responsibility of the Deputy Assistant Secretary for IT Resource
Management, who is not a member of this board. According to the
Principal Deputy Assistant Secretary for Information and Technology,
the department is planning to update its IT Governance Plan within a
year to include more specificity on the role of the governance boards
in VA's budget formulation process. Such an update could further
improve the structure's effectiveness.
Linking IT strategic plan to organization strategic plan. The
department has partially addressed this success factor. VA has drafted
an IT Strategic Plan that provides a course of action for the Office of
Information and Technology over 5 years and addresses how IT will
contribute to the department's strategic plan. According to the Deputy
Director of the Quality and Performance Office, the draft IT strategic
plan should be formally approved in October 2007. Finalizing the plan
is essential to helping ensure that leadership understands the link
between VA's organizational direction and how IT is aligned to meet its
goals.
Using workforce strategic management to identify proper roles for all
employees. The department has partially addressed this success factor.
The department has begun to identify job requirements, design career
paths, and determine recommended training for the staff that were
transferred as part of the realignment. According to a VA official, the
department identified 21 specialized job activities, such as
applications software and end user support, and has defined competency
and proficiency targets[Footnote 11] for 6 of these activities. Also,
by November 2007, VA expects to have identified the career paths for
approximately 5,000 of the 6,000 staff that have been centralized under
the CIO. Along with the development of the competency and proficiency
targets, the department has identified recommended training based on
grade level. However, the department has not yet established a
knowledge and skills inventory to determine what skills are available
in order to match roles with qualifications for all employees within
the new organization. It is crucial that the department take the
remaining steps to fully address this critical success factor, so that
the staff transferred to the Office of Information and Technology are
placed in positions that best suit their knowledge and skills, and the
organization has the personnel resources capable of developing and
delivering the services required.
Communicating change to all stakeholders. The department has partially
addressed this success factor. The department began publishing a
bimonthly newsletter in June to better communicate with all staff about
Office of Information and Technology activities, including the
realignment. However, the department has not yet fully staffed the
Business Relationship Management Office or identified its leadership.
This office is to serve as the single point of contact between the
Office of Information and Technology and the administrations; in this
role, it provides the means for the Office of Information and
Technology to understand customer requirements, promote services to
customers, and monitor the quality of the delivered services. A fully
staffed and properly led Business Relationship Management Office is
important to ensure effective communication between the Office of
Information and Technology and the administrations.
Communicating the changed roles and responsibilities of the central IT
organization versus the administrations is one of the important
functions of the Business Relationship Management Office. These changes
are crucial to software development, among other things. Before the
centralization of the management structure, each of the administrations
was responsible for its own software development. For example, the
department's health information system--the Veterans Health Information
System and Technology Architecture (VistA)--was developed in a
decentralized environment. The developers and the doctors, closely
collaborating at local facilities, developed and adapted this system
for their own specific clinic needs. The result of their efforts is an
electronic medical record that has been fully embraced by the
physicians and nurses. However, the decentralized approach has also
resulted in each site running a stand-alone version of VistA[Footnote
12] that is costly to maintain; in addition, data at the sites are not
standardized, which impedes the ability to exchange computable
information.[Footnote 13]
Under the new organization structure, approval of development changes
for VistA will be centralized at the Veterans Health Administration
headquarters and then approved for development and implementation by
the Office of Information and Technology. The communications role of
the Business Relationship Management Office is thus an important part
of the processes needed to ensure that users' requirements will be
addressed in system development.
Dedicating an implementation team to manage change. The department has
not addressed this success factor. A dedicated implementation team that
is responsible for the day-to-day management of a major change
initiative is critical to ensure that the project receives the focused,
full-time attention needed to be sustained and successful.[Footnote 14]
VA has not identified such an implementation team to manage the
realignment. Rather, the department is currently managing the
realignment through two organizations: the Process Improvement Office
under the Quality and Performance Office (which will lead process
improvements) and the Organizational Management Office (which will
advise and assist the CIO during the final transformation to a
centralized structure). However, the Executive Director of the
Organizational Management Office[Footnote 15] has recently resigned his
position, leaving one of the two responsible offices without
leadership.
In our view, having a dedicated implementation team to manage major
change initiatives is crucial to successful implementation of the
realignment. An implementation team can assist in tracking
implementation goals and identifying performance shortfalls or schedule
slippages. The team could also provide continuity and consistency in
the face of any uncertainty that could potentially result from the
Secretary's resignation.
Accordingly, in our recent report we recommended that the department
dedicate an implementation team to be responsible for change management
throughout the transformation and that it establish a schedule for the
implementation of the management processes.
Department Is behind Schedule in Implementing IT Management Processes:
As the foundation for its realignment, VA plans to implement 36
management processes in five key areas: enterprise management, business
management, business application management, infrastructure, and
service support. These processes, which address all aspects of IT
management, were recommended by the department's realignment contractor
and are based on industry best practices.[Footnote 16] According to the
contractor, they are a key component of the realignment effort as the
Office of Information and Technology moves to a process-based
organization. Additionally, the contractor noted that with a system of
defined processes, the Office of Information and Technology could
quickly and accurately change the way IT supports the department.
The department had planned to begin implementing the 36 management
processes in March 2007; however, as of early May 2007, it had only
begun pilot testing two of these processes.[Footnote 17] The Deputy
Director of the Quality and Performance Office reported that the
initial implementation of the first two processes will begin in the
second quarter of 2008.
The Principal Deputy Assistant Secretary for Information and Technology
acknowledged that the department is behind schedule for implementing
the processes, but it has prioritized the processes and plans to
implement them in three groups, in order of priority (see attachment 1
for a description of the processes and their implementation priority).
According to the Deputy Director of the Quality and Performance Office,
the approach and schedule for process implementation are currently under
review. Work on the 10 processes associated with the first group is
under way, and implementation plans and time frames are being revised.
This official told us that initial planning meetings have occurred and
primary points of contact have been designated for the financial
management and portfolio management processes, which are to be
implemented as part of the first group. The department also noted that
it will work to meet its target date of July 2008 for the realignment,
but that all of the processes may not be fully implemented at that
time.
According to the Principal Deputy Assistant Secretary for Information
and Technology, the department has fallen behind schedule with process
implementation for two reasons:
* The department underestimated the amount of work required to redefine
the 36 process areas. Process charters for each of the processes were
developed by a VA contractor and provide an outline for operation under
the new management structure. Based on its initial review, the
department found that the processes are complicated and multilayered,
involving multiple organizations. In addition, the contractor provided
process charters and descriptions based on a commercial, for-profit
business model, and so the department must readjust them to reflect how
VA conducts business.
* With the exception of IT operations, the Veterans Health
Administration operates in a decentralized manner. For example, the
budget and spending for the medical centers are under the control of
the medical center directors. In addition, the Office of Information
and Technology only has ownership over about 30 percent of all
activities within the financial management process. For example, some
elements within this process area (such as tracking and reporting on
expenditures) are the responsibility of the department's Office of
Management;[Footnote 18] this office is accountable for VA's entire
budget, including IT dollars. Thus, the Office of Information and
Technology has no authority to direct the Office of Management to take
particular actions to improve specific financial management activities.
The department faces the additional obstacle that it has not yet
staffed crucial leadership positions that are vital to the
implementation of the management processes. As part of the new
organizational structure, the department identified 25 offices whose
leaders will report to the five deputy assistant secretaries and are
responsible for carrying out the new management processes in daily
operations. However, as of early September, 7 of the leadership
positions for these 25 offices were vacant, and 4 were filled in an
acting capacity. According to the Principal Deputy Assistant Secretary
for Information and Technology, hiring personnel for senior leadership
positions has been more difficult than anticipated. With these
leadership positions remaining vacant, the department will face
increased difficulties in supporting and sustaining the realignment
through to its completion.
Until the improved processes have been implemented, IT programs and
initiatives will continue to be managed under previously established
processes that have resulted in persistent management challenges.
Without the standardization that would result from the implementation
of the processes, the department risks cost overruns and schedule
slippages for current initiatives, such as VistA modernization, for
which about $682 million has been expended through fiscal year 2006.
VA Has Much Work Remaining to Resolve Long-Standing Security
Weaknesses:
Recognizing the importance of securing federal systems and data,
Congress passed the Federal Information Security Management Act
(FISMA)[Footnote 19] in December 2002, which sets forth a comprehensive
framework for ensuring the effectiveness of information security
controls over information resources that support federal operations and
assets. Using a risk-based approach to information security management,
the act requires each agency to develop, document, and implement an
agencywide information security program for the data and systems that
support the operations and assets of the agency. According to FISMA,
the head of each agency has responsibility for delegating to the agency
CIO the authority to ensure compliance with the security requirements
in the act. To carry out the CIO's responsibilities in the area, a
senior agency official is to be designated chief information security
officer (CISO).
The May 2006 theft from the home of a VA employee of a computer and
external hard drive (which contained personally identifiable
information on approximately 26.5 million veterans and U.S. military
personnel) prompted Congress to pass the Veterans Benefits, Health
Care, and Information Technology Act of 2006.[Footnote 20] Under the
act, the VA's CIO is responsible for establishing, maintaining, and
monitoring departmentwide information security policies, procedures,
control techniques, training, and inspection requirements as elements
of the departmental information security program. The act also includes
provisions to further protect veterans and service members from the
misuse of their sensitive personally identifiable information. In the
event of a security incident involving personally identifiable
information, VA is required to conduct a risk analysis, and on the
basis of the potential for compromise of personally identifiable
information, the department may provide security incident
notifications, fraud alerts, credit monitoring services, and identity
theft insurance. Congress is to be informed regarding security
incidents involving the loss of personally identifiable information.
In a report released last week,[Footnote 21] we stated that although VA
has made progress in addressing security weaknesses, it has not yet
fully implemented key recommendations to strengthen its information
security practices. It has not implemented two of our four previous
recommendations and 20 of 22 recommendations made by the department's
inspector general. Among the recommendations not implemented are our
recommendation that it complete a comprehensive security management
program and inspector general recommendations to appropriately restrict
access to data, networks, and VA facilities; ensure that only
authorized changes are made to computer programs; and strengthen
critical infrastructure planning to ensure that information security
requirements are addressed. Because these recommendations have not yet
been implemented, unnecessary risk exists that personally identifiable
information of veterans and other individuals, such as medical
providers, will be exposed to data tampering, fraud, and inappropriate
disclosure.
The need to fully implement GAO and IG recommendations to strengthen
information security practices is underscored by the prevalence of
security incidents involving the unauthorized disclosure, misuse, or
loss of personal information of veterans and other individuals (see
table 2). These incidents were partially due to weaknesses in the
department's security controls. In these incidents, which include the
May 2006 theft of computer equipment from an employee's home (mentioned
earlier) and the theft of equipment from department facilities,
millions of people had their personal information compromised.
Table 2: Number of Incidents by Type Reported to VA's Network and
Security Operations Center from January 2003 to November 2006:

Type of incident involving the loss of     2003   2004   2005   2006[A]
personal information
Records lost or misplaced                    19     58     41      316
Records or hardware stolen                    7      9     14       65
Improper disposal of records                 10     27     10       80
Unauthorized access                          60    120    112      255
Unencrypted e-mails sent                      8     13     16      170
Unintended disclosure or release             22     48     24      199
Total number of incidents                   126    275    217     1085

Source: GAO analysis of VA data on incidents.
[A] Numbers reported are from January 1, 2006, to November 3, 2006.
[End of table]
While the increase in reported incidents in 2006 reflects a heightened
awareness on the part of VA employees of their responsibility to report
incidents involving loss of personal information, it also indicates
that vulnerabilities remain in security controls designed to adequately
safeguard information.
Since the May 2006 security incident, VA has begun or has continued
several major initiatives to strengthen information security practices
and secure personally identifiable information within the department.
These initiatives include the realignment of its IT management
structure, as discussed earlier. Under the realignment, the management
structure for information security has changed. In the new
organization, the responsibility for managing the program lies with the
CISO/Director of Cyber Security (the CISO position has been vacant
since June 2006, with the CIO acting in this capacity), while the
responsibility for implementing the program lies with the Director of
Field Operations and Security. Thus, responsibility for information
security functions within the department is divided.
VA officials indicated that the heads of the two organizations are
communicating about the department's implementation of security
policies and procedures, but this communication is not defined as a
role or responsibility for either position in the new management
organization book, nor is there a documented process in place to
coordinate the management and implementation of the security program.
Both of these activities are key security management practices. Without
a documented process, policies or procedures could be inconsistently
implemented throughout the department, which could prevent the CISO
from effectively ensuring departmentwide compliance with FISMA. Until
the process and responsibilities for coordinating the management and
implementation of IT security policies and procedures throughout the
department are clearly documented, VA will have limited assurance that
the management and implementation of security policies and procedures
are effectively coordinated and communicated. Developing and
documenting these policies and procedures are essential for achieving
an improved and effective security management process under the new
centralized management model.
In addition to the realignment initiative, the department also has
others under way to address security weaknesses. These include
developing an action plan to correct identified weaknesses;
establishing an information protection program; improving its incident
management capability; and establishing an office to be responsible for
oversight of IT within the department. However, implementation
shortcomings limit the effectiveness of these initiatives. For example:
* VA's action plan has task owners assigned and is updated biweekly,
but department officials have not ensured that adequate progress has
been made to resolve items in the plan. Specifically, VA has extended
the completion date at least once for 38 percent of the plan items, and
it did not have a process in place to validate the closure of the
items. In addition, although numerous items in the plan were to develop
or revise a policy or procedure, 87 percent of these items did not have
a corresponding task with an established time frame for implementation.
* VA installed encryption software on laptops at facilities
inconsistently; however, VA's directive on encryption did not address
the encryption of laptops that were categorized as medical devices,
which make up a significant portion of the population of laptops at
Veterans Health Administration facilities. In addition, the department
has not yet fully implemented the acquisition of software tools across
the department.
* VA has improved its incident management capability since May 2006 by
realigning and consolidating two incident management centers, and made
a notable improvement in its notification of major security incidents
to US-CERT (the U.S. Computer Emergency Readiness Team), the Secretary,
and Congress, but the time it took to send notification letters to
individuals increased for some incidents because VA did not have
adequate procedures for coordinating incident response and mitigation
activities with other agencies and obtaining up-to-date contact
information.
* VA established the Office of IT Oversight and Compliance to conduct
assessments of its facilities to determine the adequacy of internal
controls and investigate compliance with laws, policies, and directives
and ensure that proper safeguards are maintained; however, the office
lacked a process to ensure that its examination of internal controls is
consistent across VA facilities.
Until the department addresses recommendations to resolve identified
weaknesses and implements the major initiatives it has undertaken, it
will have limited assurance that it can protect its systems and
information from unauthorized use, disclosure, disruption, or loss.
In our report released last week, we made 17 recommendations to assist
the department in improving its ability to protect its information and
systems. These recommendations included that VA clearly define and
document coordination responsibilities for the Director of Field
Operations and Security and the Director of Cyber Security and develop
and implement a process for these officials to coordinate on the
implementation of IT security policies and procedures throughout the
department. We also
made recommendations to improve the department's ability to protect its
information and systems, including the development of various processes
and procedures to ensure that tasks in the department's security action
plans have time frames for implementation.
In summary, effectively instituting a realignment of the Office of
Information and Technology is essential to ensuring that VA's IT
programs achieve their objectives and that the department has a solid
and sustainable approach to managing its IT investments. VA continues
to work on improving such programs as information security and systems
development. Yet we continue to see management weaknesses in these
programs and initiatives (many of a long-standing nature), which are
the very weaknesses that VA aims to alleviate with its reorganized
management structure. Until the department fully addresses the critical
success factors that we identified and carries out its plans to
establish a comprehensive set of improved management processes, the
impact of this vital undertaking will be diminished. Further, the
department may not achieve a solid and sustainable foundation for its
new IT management structure.
Mr. Chairman and members of the committee, this concludes our
statement. We would be happy to respond to any questions that you may
have at this time.
Contacts and Acknowledgements:
For more information about this testimony, please contact Valerie C.
Melvin at (202) 512-6304 or Gregory C. Wilshusen at (202) 512-6244 or
by e-mail at melvinv@gao.gov or wilshuseng@gao.gov. Key contributions to
this testimony were made by Barbara Oliver, Assistant Director; Charles
Vrabel, Assistant Director; Barbara Collier, Nancy Glover, Valerie
Hopkins, Scott Pettis, J. Michael Resser, and Eric Trout.
Attachment 1. Key IT Management Processes to Be Addressed in VA
Realignment:
In the following table, the priority group number reflects the order in
which the department plans to implement each group of processes, with 1
being the first priority group.
Key area: Enterprise management;
IT management process: IT strategy;
Implementation priority group: 2;
Description: Addresses long- and short-term objectives, business
direction, and their impact on IT, the IT culture, communications,
information, people, processes, technology, development, and
partnerships.
Key area: Enterprise management;
IT management process: IT management;
Implementation priority group: 2;
Description: Defines a structure of relationships and processes to
direct and control the IT endeavor.
Key area: Enterprise management;
IT management process: Risk management;
Implementation priority group: See note a;
Description: Identifies potential events that may affect the
organization and manages risk to be within acceptable levels so that
reasonable assurance is provided regarding the achievement of
organization objectives.
Key area: Enterprise management;
IT management process: Architecture management;
Implementation priority group: 2;
Description: Creates, maintains, promotes, and governs the use of IT
architecture models and standards across and within the change programs
of an organization.
Key area: Enterprise management;
IT management process: Portfolio management;
Implementation priority group: 1;
Description: Assesses all applications, services, and IT projects that
consume resources in order to understand their value to the IT
organization.
Key area: Enterprise management;
IT management process: Security management;
Implementation priority group: 2;
Description: Manages the department's information security program, as
mandated by the Federal Information Security Management Act (FISMA) of
2002.
Key area: Enterprise management;
IT management process: IT research and innovation;
Implementation priority group: 3;
Description: Generates ideas, evaluates and selects ideas, develops and
implements innovations, and continuously recognizes innovators and
learns from the experience.
Key area: Enterprise management;
IT management process: Project management;
Implementation priority group: 1;
Description: Plans, organizes, monitors, and controls all aspects of a
project in a continuous process so that it achieves its objectives.
Key area: Business management;
IT management process: Stakeholder requirements management;
Implementation priority group: 1;
Description: Manages and prioritizes all requests for additional and
new technology solutions arising from a customer's needs.
Key area: Business management;
IT management process: Customer satisfaction management;
Implementation priority group: 3;
Description: Determines whether and how well customers are satisfied
with the services, solutions, and offerings from the providers of IT.
Key area: Business management;
IT management process: Financial management;
Implementation priority group: 1;
Description: Provides sound stewardship of the monetary resources of
the organization.
Key area: Business management;
IT management process: Service pricing and contract administration;
Implementation priority group: 3;
Description: Establishes a pricing mechanism for the IT organization to
sell its services to internal or external customers and to administer
the contracts associated with the selling of those services.
Key area: Business management;
IT management process: Service marketing and sales;
Implementation priority group: 3;
Description: Enables the IT organization to understand the marketplace
it serves, to identify customers, to "market" to these customers, to
generate "marketing" plans for IT services and support the "selling" of
IT services to internal customers.
Key area: Business management;
IT management process: Compliance management;
Implementation priority group: 2;
Description: Ensures adherence with laws and regulations, internal
policies and procedures, and stakeholder commitments.
Key area: Business management;
IT management process: Asset management;
Implementation priority group: 1;
Description: Maintains information regarding technology assets,
including leased and purchased assets, licenses, and inventory.
Key area: Business management;
IT management process: Workforce management;
Implementation priority group: 2;
Description: Enables an organization to provide the optimal mix of
staffing (resources and skills) needed to provide the agreed-on IT
services at the agreed-on service levels.
Key area: Business management;
IT management process: Service-level management;
Implementation priority group: 2;
Description: Manages service-level agreements and performs the ongoing
review of service achievements to ensure that the required and cost-
justifiable service quality is maintained and gradually improved.
Key area: Business management;
IT management process: IT service continuity management;
Implementation priority group: 1;
Description: Ensures that agreed-on IT services continue to support
business requirements in the event of a disruption to the business.
Key area: Business management;
IT management process: Supplier relationship management;
Implementation priority group: 3;
Description: Develops and exercises working relationships between the
IT organization and suppliers in order to make available the external
services and products that are required to support IT service
commitments to customers.
Key area: Business management;
IT management process: Knowledge management;
Implementation priority group: 3;
Description: Promotes an integrated approach to identifying, capturing,
evaluating, categorizing, retrieving, and sharing all of an
organization's information assets.
Key area: Business application management;
IT management process: Solution requirements;
Implementation priority group: 2;
Description: Translates provided customer (business) requirements and
IT stakeholder-generated requirements/constraints into solution-
specific terms, within the context of a defined solution project or
program.
Key area: Business application management;
IT management process: Solution analysis and design;
Implementation priority group: 1;
Description: Creates a documented design from agreed-on solution
requirements that describes the behavior of solution elements, the
acceptance criteria, and agreed-to measurements.
Key area: Business application management;
IT management process: Solution build;
Implementation priority group: 3;
Description: Brings together all the elements specified by a solution
design via customization, configuration, and integration of created or
acquired solution components.
Key area: Business application management;
IT management process: Solution test and acceptance;
Implementation priority group: See note a;
Description: Validates that the solution components and integrated
solutions conform to design specifications and requirements before
deployment.
Key area: Infrastructure;
IT management process: Service execution;
Implementation priority group: 2;
Description: Addresses the delivery of operational services to IT
customers by matching resources to commitments and employing the IT
infrastructure to conduct IT operations.
Key area: Infrastructure;
IT management process: Data and storage management;
Implementation priority group: 3;
Description: Ensures that all data required for providing and
supporting operational service are available for use and that all data
storage facilities can handle normal, expected fluctuations in data
volumes and other parameters within their designed tolerances.
Key area: Infrastructure;
IT management process: Event management;
Implementation priority group: 3;
Description: Identifies and prioritizes infrastructure, service,
business and security events, and establishes the appropriate response
to those events.
Key area: Infrastructure;
IT management process: Availability management;
Implementation priority group: 3;
Description: Plans, measures, monitors, and continuously strives to
improve the availability of the IT infrastructure and supporting
organization to ensure that agreed-on requirements are consistently
met.
Key area: Infrastructure;
IT management process: Capacity management;
Implementation priority group: 3;
Description: Matches the capacity of the IT services and infrastructure
to the current and future identified needs of the business.
Key area: Infrastructure;
IT management process: Facility management;
Implementation priority group: 1;
Description: Creates and maintains a physical environment that houses
IT resources and optimizes the capabilities and costs of that
environment.
Key area: Service support;
IT management process: Change management;
Implementation priority group: 1;
Description: Manages the life cycle of a change request and activities
that measure the effectiveness of the process and provides for its
continued enhancement.
Key area: Service support;
IT management process: Release management;
Implementation priority group: 1;
Description: Controls the introduction of releases (that is, changes to
hardware and software) into the IT production environment through a
strategy that minimizes the risk associated with the changes.
Key area: Service support;
IT management process: Configuration management;
Implementation priority group: 1;
Description: Identifies, controls, maintains, and verifies the versions
of configuration items and their relationships in a logical model of
the infrastructure and services.
Key area: Service support;
IT management process: User contact management;
Implementation priority group: 3;
Description: Manages each user interaction with the provider of IT
service throughout its life cycle.
Key area: Service support;
IT management process: Incident management;
Implementation priority group: 2;
Description: Restores a service affected by any event that is not part
of the standard operation of a service that causes or could cause an
interruption to or a reduction in the quality of that service.
Key area: Service support;
IT management process: Problem management;
Implementation priority group: 2;
Description: Resolves problems affecting the IT service, both
reactively and proactively.
Source: GAO.
[A] The department indicated that this process had completed a pilot,
but did not assign it to a priority group.
[End of table]
Footnotes:
[1] The VA comprises three administrations: the Veterans Benefits
Administration, the Veterans Health Administration, and the National
Cemetery Administration.
[2] The headquarters offices include the Office of the Secretary, six
Assistant Secretaries, and three VA-level staff offices.
[3] GAO, Veterans Affairs: Continued Focus on Critical Success Factors
Is Essential to Achieving Information Technology Realignment, GAO-07-
844 (Washington, D.C.: June 15, 2007).
[4] GAO, Information Security: Sustained Management Commitment and
Oversight Are Vital to Resolving Long-standing Weaknesses at the
Department of Veterans Affairs, GAO-07-1019 (Washington, D.C.: Sept. 7,
2007).
[5] Personally identifiable information, which can be used to locate or
identify an individual, includes things such as names, aliases, and
Social Security numbers.
[6] For example, according to an October 2005 memorandum from the
former CIO to the Secretary of Veterans Affairs, the CIO had direct
control over only 3 percent of the department's IT budget and 6 percent
of the department's IT personnel. In addition, in the department's
fiscal year 2006 IT budget request, the Veterans Health Administration
was identified to receive 88 percent of the requested funding, while
the department was identified to receive only 4 percent.
[7] GAO-07-844.
[8] Partner Consulting, One VA IT Organizational Alignment Assessment
Project "As-Is" Baseline (McLean, Virginia; Feb. 18, 2005).
[9] GAO-07-844.
[10] GAO, Results-Oriented Cultures: Implementation Steps to Assist
Mergers and Organizational Transformations, GAO-03-669 (Washington,
D.C.: July 2, 2003); and Highlights of a GAO Forum: Mergers and
Transformation: Lessons Learned for a Department of Homeland Security
and Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14,
2002).
[11] Competency refers to required capabilities for performing
specialized job activities, such as business process reengineering or
database administration. Proficiency targets indicate the level at
which the individual can perform these activities.
[12] VA has achieved an integrated medical information system through
the use of the Computerized Patient Record System in VistA, where
authorized users are able to access patient health care data from any
VA medical facility.
[13] Computable data are in a format that a computer application can
act on, for example, to provide alerts to clinicians (of such things as
drug allergies) or to plot graphs of changes in vital signs such as
blood pressure. VA has standardized its pharmacy and allergy data in
its health data repository.
[14] GAO-07-844.
[15] This official was previously the Director of the IT Realignment
Office.
[16] Specifically, these processes are derived from the IT Governance
Institute's Control Objectives for Information and related Technology
(CobiT®) and Information Technology Infrastructure Library (ITIL) as
configured by the Process Reference Model for IT (PRM-IT) from a VA
contractor.
[17] These are the risk management and solution test and acceptance
processes.
[18] The Assistant Secretary for Management, who leads the Office of
Management, is the department's Chief Financial Officer.
[19] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347
(Dec. 17, 2002).
[20] Veterans Benefits, Health Care, and Information Technology Act of
2006, Pub. L. No. 109-461 (Dec. 22, 2006).
[21] GAO-07-1019.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov
(202) 512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125
Washington, D.C. 20548
Public Affairs:
Susan Becker, Acting Manager, Beckers@gao.gov
(202) 512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149
Washington, D.C. 20548