VA Pushed to Pursue IT Overhaul

Stolen laptop is recovered, but agency is planning reorg to help boost security

The FBI last week recovered the stolen laptop and external disk drive containing personal information on some 26.5 million veterans and active-duty military personnel. But the return of the equipment did little to stanch the calls for a sweeping restructuring of the IT operations at the U.S. Department of Veterans Affairs, partly to help prevent more data breaches.

The organizational problems were highlighted by the disclosure of two additional breaches that potentially compromised the personal information of more than 16,500 veterans -- one involving a backup tape that was determined to be missing from a VA facility in early May, the other stemming from the loss of papers when an employee's rental car was stolen last year.

At a hearing held last Thursday by the House Committee on Veterans' Affairs, VA Secretary R. James Nicholson said the agency has signed on IBM to help implement a planned IT reorganization that was approved last fall in an effort to cut internal costs and improve efficiencies. The shift to a so-called federated IT structure is now seen as a vital step toward improving security.

Nicholson also said he had issued a memo last week that gives the agency's CIO a "stronger, clearer delegation of both responsibility and authority" for enforcing security policies and directives. In addition, Nicholson said he has created a chief financial officer position with budget authority in the VA's central IT office.

"One of the redemptive aspects [of the laptop theft] is the absolute wake-up call to make changes -- some of which will become models for other agencies that have similar complacency and laxity in information security," he said.

Rep. Bob Filner (D-Calif.), a member of the Veterans' Affairs Committee, said the planned IT overhaul at the VA needs to stay on course, as do ongoing investigations of how the culture inside the agency made it possible for the massive data breach to occur.

Robert McFarland, who was the VA's CIO from February 2004 until he resigned this past April, made a similar point at a separate hearing on the VA's IT structure that the committee held last Wednesday. "I believe that if you don't consolidate the infrastructure under the CIO, you can't ensure that the environment is safe," McFarland said.

Prior to quitting, McFarland had been trying to implement the new federated IT structure, which is designed to centralize budgeting as well as the management of IT operations and maintenance. Previously, virtually all IT spending was controlled by the agency's three main operating divisions. McFarland said at the hearing that the change to centralized budgeting provided better oversight of IT spending and that the VA had started to move toward a consolidation of its IT infrastructure.

But he noted that the VA's "history of decentralized management" has made the agency resistant to change. "A vast majority of the issues at the VA were not about technology but about culture," McFarland said. "The problem was disagreement over the change."

Cultural Barriers

John Gauss, who was CIO at the VA between 2001 and 2003, said at the Wednesday hearing that implementing a strong information security program had been his top priority at the agency. Gauss added that he thought all IT projects and technology activities should be managed by the central IT office. But, like McFarland, he said that "cultural impediments" precluded progress from being made. "There was commitment at the executive level to have reform," Gauss said. "But the attitude was to fix it within the current processes."

Nicholson and Robert Howard, the VA's acting CIO, said things have now changed. "There's no question that this can be fixed," Howard said on Wednesday. "We're heading in the right direction." He reiterated that point at Thursday's hearing, saying that Nicholson has given him the authority to "do what I need to do, and that is what I intend to do."

The reorganization plan would initially create two IT "domains" at the VA: one that is responsible for operations and maintenance and is directly under the control of the agency's CIO, and another that handles application development and is managed by the VA's health care, benefits and cemetery divisions.

But the overhaul isn't expected to be completed until July 2008, according to Nicholson.

Howard said at the Wednesday hearing that the plan also calls for eventually combining application development activities with operations and maintenance. That would completely centralize the VA's IT organization and is "a very important aspect" of ensuring that data is secured, he said.

However, Howard added that he has argued against a full centralization of IT at this point. "We can do it right away, but my opinion is that we shouldn't," he said. "We're deep into consolidating operations and maintenance."

In addition to the organizational changes, Nicholson said he is looking at ways to "put some teeth" into the VA's efforts to improve security. That could include withholding bonuses to key IT staffers if the agency continues to score poorly on the annual report card measuring its compliance with the Federal Information Security Management Act. However, the VA's security efforts were dealt a blow last week when Pedro Cadenas submitted his resignation as its chief information security officer on Thursday morning -- just before Nicholson testified at the hearing.

Copyright © 2006 IDG Communications, Inc.