Department of Veterans Affairs' Implementation of Information Security Education Assistance Program
GAO ID: GAO-10-170R, December 18, 2009
This is the accessible text file for GAO report number GAO-10-170R
entitled 'Department of Veterans Affairs' Implementation of Information
Security Education Assistance Program' which was released on December
18, 2009.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO-10-170R:
United States Government Accountability Office:
Washington, DC 20548:
December 18, 2009:
The Honorable Daniel K. Akaka:
Chairman:
The Honorable Richard Burr:
Ranking Member:
Committee on Veterans' Affairs:
United States Senate:
The Honorable Bob Filner:
Chairman:
The Honorable Steve Buyer:
Ranking Member:
Committee on Veterans' Affairs:
House of Representatives:
Subject: Department of Veterans Affairs' Implementation of Information
Security Education Assistance Program:
The Veterans Benefits, Health Care, and Information Technology Act of
2006 authorizes the Secretary of Veterans Affairs to establish an
educational assistance program for information security.[Footnote 1]
The Information Security Education Assistance Program is envisioned as
a means for the Department of Veterans Affairs (VA) to attract and
retain individuals with advanced skills in information security. The
legislation authorizes the agency to establish scholarships for
qualified students who pursue doctoral degrees in computer science and
electrical and computer engineering at accredited institutions and to
offer educational debt reduction for VA employees who hold doctoral
degrees in these fields.
This letter responds to the act's requirement that we report on the
scholarship and education debt reduction programs within 3 years of the
act's December 22, 2006, enactment.[Footnote 2] As agreed with your
offices, our objective was to determine the status of VA's
implementation of the program. To accomplish this objective, we
analyzed section 903 of the act, the status of the draft regulations
governing the program, and the agency's process for implementing the
program. We interviewed officials in VA's Office of Information and
Technology, Office of General Counsel, and Office of Congressional and
Legislative Affairs and reviewed documents related to the
implementation process. To gain an understanding of how the department
manages other education programs, we also interviewed officials in the
Veterans Health Administration. In addition, we met with officials in
the Office of Inspector General and reviewed that office's reports on
VA's Office of Information and Technology. We performed our work from
April 2009 to December 2009 in accordance with generally accepted
government auditing standards. These standards require that we plan and
perform audits to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objective.
Results in Brief:
The Department of Veterans Affairs has not begun to award scholarships
or offer and disburse loan repayments under the Information Security
Education Assistance Program, although it has taken some steps to
implement the program. Since 2006, VA has drafted governing
regulations, which are now undergoing internal review, and has
developed a budget impact analysis. After the department's internal
review is completed, several additional steps are planned before the
regulations are issued, including review by the Office of Management
and Budget (OMB) and a public comment period. Department officials
anticipate that the debt-reduction portion of the program will begin,
and the first scholarship candidates will be selected, during 2011.
Background:
The Veterans Benefits, Health Care, and Information Technology Act was
enacted after a serious loss of data in 2006 revealed weaknesses in
VA's handling of personally identifiable information. Specifically, in
May 2006, an information security breach at the department occurred
involving a stolen hard drive with personal data on millions of
veterans and their dependents. The incident highlighted the seriousness
of weaknesses in the department's information security. In testimony
shortly after the breach, we noted that for many years, significant
concerns had been raised about VA's information security--particularly
its lack of a robust information security program, which is vital to
minimizing the risk of compromise of government information, including
sensitive personal information.[Footnote 3]
One of the programs authorized by the Veterans Benefits, Health Care,
and Information Technology Act in response to these concerns about VA's
longstanding information security weaknesses and the data breach was
the Information Security Education Assistance Program. Under the act,
the Secretary of the Department of Veterans Affairs was authorized to
establish an education assistance program for doctoral students in
computer science and computer and electrical engineering to strengthen
VA's ability to recruit and retain individuals who have necessary
information security skills. The program is to have two parts: a debt-
reduction program for VA employees who have recently earned doctoral
degrees, and a scholarship program for qualified individuals who must
agree to work for the agency on completion of their academic programs.
The agency is authorized to repay up to $16,500 of student loan debt
each year for qualified employees up to a total of 5 years and $82,500.
Doctoral students may receive full tuition scholarships plus a monthly
stipend for up to 5 years, not to exceed a total of $200,000. According
to section 903(c) of the act, the scholarship program may only apply to
financial assistance provided for an academic semester or term that
begins on or after August 1, 2007. Authorization to make payments under
the program expires on July 31, 2017. The act also requires VA to
prescribe regulations for administering the program.
The VA unit responsible for implementing the Information Security
Education Assistance Program is the Office of Information and
Technology (OI&T), which oversees the department's information
technology (IT) assets and resources including information security and
privacy. Within OI&T, two offices have managed the implementation
efforts: the Office of Information Technology Resource Management,
which is responsible for human capital and IT budgeting, and the Office
of Information Protection and Risk Management, which is responsible for
information security. VA's Office of General Counsel also has a role.
General Counsel's Office of Regulation Policy and Management monitors
and reviews proposed regulations, provides regulatory impact analyses,
and is VA's regulatory liaison with OMB.
VA Has Begun Implementing the Program but Considerable Work Remains
Before Financial Assistance Can Begin:
VA is in the process of developing regulations for administering the
program, as called for by the act. OI&T's Office of Information
Technology Resource Management began work on the regulations and had a
draft ready for internal review and concurrence by August 2007.
Responsibility for managing the concurrence process and ensuring that
other VA offices reviewed and concurred with the program regulations
was assigned, on August 1, 2007, to the Office of Information
Protection and Risk Management since, according to a senior OI&T
official, this office would most benefit from the program. The status
of the review and concurrence process was to be monitored by General
Counsel's Office of Regulation Policy and Management.
The regulations have not yet been issued. During 2007 and 2008, the
Office of Regulation Policy and Management sent multiple status
inquiries to Information Protection and Risk Management. In April 2008,
Regulation Policy and Management noted that it had received no status
updates in about a year. In the summer of 2008, OI&T's Office of
Information Technology Resource Management learned, according to a
senior official within the office, that the draft regulations were
still in Information Protection and Risk Management and no apparent
action had been taken. At that point, Resource Management took
responsibility for ensuring that the draft regulations were sent
forward for review and concurrence. Subsequently, in January 2009, the
draft regulations were sent to VA's Office of General Counsel for
review. In September 2009, the Office of General Counsel provided
initial comments on the draft regulations.
VA plans several other actions before issuing the regulations and has
outlined a project plan for issuing the regulations that includes the
remaining steps and milestones. Specifically, after final concurrence
by the Office of General Counsel and concurrence by the other
departmental offices, the draft regulations must be approved by the
Secretary of Veterans Affairs. The department will then submit the
draft regulations for review by OMB and then for comment from the
public. VA officials estimate that, after the department addresses
these comments and OMB performs another review, the final regulations
could be issued in January 2011.
VA Plans to Begin Program Activities in January 2011:
VA officials anticipate that, if funds are available, the agency will
announce the program and begin seeking candidates in January 2011 for
both the debt reduction and scholarship components of the program. More
time will elapse before any scholarship candidates receive doctoral
degrees and are able to apply that educational experience to VA's
information security needs.[Footnote 4]
VA has drafted an impact analysis that estimates the costs for the
program and has identified two current staff members who may be
eligible for debt repayments. In its impact analysis, VA estimates that
the program will cost at least $217,000 by 2015, based on a survey
which suggests that the department will have one candidate for the
scholarship program and three candidates for the debt reduction program
within the next 5 years. According to VA officials, no funds were
allocated to the program in the department's fiscal year 2010 budget.
Figure 1 summarizes VA's actions and planned actions, from enactment of
the authorizing legislation through program implementation.
Figure 1: Completed and Planned Actions for the Information Security
Education Assistance Program:
[Refer to PDF for image: illustration]
Completed Activities:
Authorizing legislation enacted: December 2006.
Task: Regulations drafted: February-June, 2007;
Task: Internal review begins: July 2007-December 2008;
Task: Reviewed by General Counsel: January-September, 2009;
Milestone: Impact analysis complete: October, 2009;
Planned Activities:
Task: Agency concurrence process continues: October, 2009-April, 2010;
Milestone: Signed by Secretary: January, 2010;
Task: OMB review: January-March, 2010;
Task: Public comment: March-April, 2010;
Task: Respond to comments: May-June, 2010;
Task: Final reviews by General Counsel and OMB: July-December, 2010;
Milestone: Regulations issued, programs announced: January, 2011;
Task: Loan repayments available: January 2011-July, 2017;
Task: Scholarships available (next full academic year): September, 2011-
July, 2017;
Milestone: Program authority ends: July 2017.
Source: GAO analysis of agency data.
[End of figure]
In comments provided via e-mail on a draft of this correspondence, the
GAO liaison, VA Office of Congressional and Legislative Affairs, stated
that the department had reviewed the draft report and had no comments
to offer at this time.
We are sending a copy of this letter to the Secretary of Veterans
Affairs. In addition, the document will be available at no charge on
GAO's Web site at [hyperlink, http://www.gao.gov].
If you have any questions regarding this letter, please contact Gregory
C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Valerie C.
Melvin at (202) 512-6304 or melvinv@gao.gov. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report.
GAO staff who made major contributions to this letter are Charles
Vrabel (Assistant Director), Monica Perez Anatalio, Neil Doherty, Nancy
Glover, Mary Marshall, Lee McCracken, Kate Nielsen, Sylvia Shanks,
Glenn Spiegel, and Adam Vodraska.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Valerie C. Melvin:
Director, Information Management and Human Capital Issues:
[End of section]
Footnotes:
[1] Pub. L. No. 109-461, § 903, 120 Stat. 3403, 3460 (Dec. 22, 2006),
adding a new Chapter 79, Information Security Education Assistance
Program, to Title 38 of the U.S. Code. This program is part of Title IX
of the act known as the Department of Veterans Affairs Information
Security Enhancement Act of 2006.
[2] Pub. L. No. 109-461, § 903(b), 120 Stat. 3464.
[3] GAO, Veterans Affairs: Leadership Needed to Address Information
Security Weaknesses and Privacy Issues, [hyperlink,
http://www.gao.gov/products/GAO-06-866T], (Washington, D.C.: June 14,
2006).
[4] The earliest date to hire a doctoral program graduate who receives
a scholarship might be around January 2012. This date assumes that VA
selects a graduate at the program's start in January 2011 who is in the
last year of doctoral study. A candidate just starting a doctoral
program might take considerably longer. For example, Carnegie Mellon
University suggests it may take 6 years to complete a Ph.D. in computer
science and the University of Texas, Austin, estimates 3 to 5 years.
[End of section]
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: