The key to improving information security at the Department of Veterans Affairs is to centralize management of all IT programs and activities, two former CIOs said yesterday at a hearing held by the House Committee on Veterans' Affairs.
Also important is the need for the agency's CIO and chief information security officer to have more direct authority for enforcing policy directives and information security mandates, they said.
The hearing took place before today's announcement that a laptop containing sensitive data on 26.5 million veterans and military personnel -- reported stolen last month -- had been recovered (see "Stolen VA laptop recovered"). The hearing had been called to discuss a reorganization of the IT environment at the VA following the disclosure of that massive security breach.
John Gauss, a former CIO at the VA, said that implementing a strong information security program had been his "No. 1" priority at the agency. At that time, though, he said the VA was grappling with an "ever-expanding IT budget, programs that were defined in a stovepipe manner and programs that were consistently overrunning budget, behind schedule and failing to meet their performance requirements."
Given those problems and his strategic objectives as CIO, "I concluded that all IT programs and IT-related activities affecting the three administrations and the VA central office should be centrally managed at the department level," Gauss said.
But "cultural impediments" precluded progress at the time, he explained.
"There was commitment at the executive level to have reform," he said. "But the attitude was to fix it within the current processes." The highly siloed nature of operations at the VA also created an "onerous concurrence process" which often delayed projects, he added.
Robert McFarland, who took over as the CIO at the VA in February 2004 and resigned this past April, said that the VA's "long-standing history of decentralized management" made it resistant to change.
Prior to quitting in frustration, McFarland had been trying to implement a new "federated" IT management system at the VA that was designed to cut costs and improve efficiencies.
The reorganization was approved by VA Secretary Jim Nicholson last October and split the agency's IT organization into two domains: an operations and maintenance domain directly under the control of the CIO, and an application development domain supported by the VA's health, benefits and cemetery administrations and staff offices. As part of the reorganization, Congress last fall passed a bill consolidating all IT spending at the VA under a single CIO.
The changes have allowed for better oversight of IT spending and a move toward a consolidation of the IT infrastructure at the VA, McFarland said. "I believe that if you don't consolidate the infrastructure under the CIO... you can't ensure that the environment is safe," he said.
The plan now is to integrate the VA's application development domain with the operations and maintenance domain, said acting VA CIO Robert Howard. That move would complete the centralization of the VA's IT infrastructure and would be a "very important aspect" of the effort to ensure security, Howard said. But it might be better to put off the integration of the application development domain until the operations and maintenance groups themselves are consolidated, he added.
Both McFarland and Gauss concurred with a proposal by Committee Chairman Steve Buyer (R-Ind.) that the VA CIO's role be elevated to the rank of an undersecretary while the chief information security officer be promoted to an assistant secretary rank.
"I would certainly applaud those moves because I think the infrastructure that runs the VA today is an IT infrastructure," McFarland said. "Those moves would help give the CIO an equal seat at the table with the main administrators" in making decisions, he said.
In testimony this morning before the same committee, Nicholson -- after announcing that the stolen VA laptop had been recovered -- said IBM would be brought in to help integrate the operations and maintenance groups at the VA. That job is expected to be completed by July 2008 and will result in an organization of around 4,600 VA full-time IT operations and maintenance staff, he said.
Nicholson said today he is also giving specific enforcement authority to the VA's CIO to make it easier to push changes at the agency and said a new chief financial officer position with budget authority would be created in the VA's office of IT.