VA awards cybersecurity contract

The Department of Veterans Affairs has awarded a $103 million contract to a consortium of five small businesses to develop and manage its response to cyberattacks — an innovative approach to deal with hackers that could become a model for other federal agencies.

Known as the VA Security Team (VAST), the consortium won the one-year contract with 10 one-year add-ons for the VA's Computer Incident Response Capability (VA-CIRC). The team, which began its work Aug. 1, will be responsible for protecting the VA's entire network, including hospitals, cemeteries, medical records and insurance.

SecureInfo Corp., a San Antonio-based cybersecurity company that has done similar work for the Defense Department, is leading the joint venture to detect and respond to threats and real-time incidents around the clock.

Other VAST members include:

* Applied Engineering Management Corp., a software development firm.

* DSD Laboratories Inc., a systems engineering firm.

* Seidcon Inc., a company that specializes in certification and accreditation of networks.

* TeamBI Solutions Inc., a security knowledge management company.

Other business partners include Compaq Computer Corp. — now merged with Hewlett-Packard Co. — which is providing hardware; Science Applications International Corp., handling long-distance support; and Signal Corp., which is providing telecommunications support.

"We're the second-largest federal government computing enterprise. The magnitude of our enterprise alone makes it a target of malicious intent," said Bruce Brody, the VA's cybersecurity chief.

The VA has long been a target of hackers. Since January, VA computer systems have blocked more than 2 million virus infection attempts. In the past, the agency has been criticized for its failure to deal with the problem.

A private auditing firm that the VA's inspector general hired easily broke into computers at the agency "dozens of times," gaining total control of data, according to a report submitted to Congress in 2001.

Security bugs plaguing the system have been known for at least five years, a period during which the VA has spent more than $5 billion on information technology. In March 2001, Brody was hired as the associate deputy assistant secretary for cybersecurity to fix the problem.

Brody said VAST would handle incident analysis, management and response for the VA's nationwide system that will include dealing with vulnerabilities and handling computer forensics.

In addition, the consortium will handle managed security services nationwide that will be "mandatory for every hospital."

"The VA is obviously serious about improving its cybersecurity and becoming a world-class system," said John Linton, SecureInfo's chief operating officer.