VA IT moves earn praise

VA Information Technology: Management Making Important Progress in Addressing Key Challenges

With strong leadership and a broad reorganization of its information technology operations, the Department of Veterans Affairs has made major improvements in managing and securing its systems, according to a new report.

In a near reversal of its past criticism, the General Accounting Office gave the VA high marks for its overall IT management, including centralizing IT functions and laying a solid foundation for "detecting, reporting and responding to security incidents."

"Over the past six months, VA has shown clear progress in addressing some of the critical weaknesses that have plagued its management of information technology," according to a report released at a Sept. 26 hearing of the House Veterans' Affairs Committee's Oversight and Investigations Subcommittee.

VA Secretary Anthony Principi has pledged to create "One VA." In August, he ordered the consolidation of the VA's IT management, giving the agency's chief information offier, John Gauss, authority over the agency's $1 billion IT budget and requiring the VA's three administration-level CIOs to report to Gauss.

GAO and members of Congress applauded the moves. In the past, the CIOs at the Veterans Health Administration, the Veterans Benefits Administration and the National Cemetery Administration could spend their budgets as they saw fit and make other IT policy decisions.

"Secretary Principi has led the VA toward a clearly defined strategic plan that integrates the planning, funding, project execution and project management oversight of VA information technology," said Rep. Steve Buyer (R-Ind.), chairman of the subcommittee.

The GAO report called the moves a "bold and innovative step." According to the report, only one other agency — the General Services Administration — has taken similar steps to give its department-level CIO authority over all IT funding.

"These efforts demonstrate our very strong commitment at all levels to building an effective information technology program for the long term," Gauss told the panel.

Nevertheless, Richard Griffin, the VA's inspector general, told the subcommittee there is room for improvement. The VA needs to "establish a comprehensive, integrated VA-wide security program," he said.

There are still major security vulnerabilities that "represent an unacceptable level of risk to VA operations and its mission of providing health care and delivering benefits to the nation's veterans," Griffin said.

Denial-of-service attacks on mission-critical systems, unauthorized access to data and fraudulent payments continue to occur, he said. In the coming year, it is imperative that the VA install intrusion-detection systems at its facilities nationwide, complete infrastructure protection activities and control physical access to computer rooms, he stressed.

Despite those shortcomings, Gauss said the VA continues to make progress on cybersecurity. "We are building a strong foundation for our IT program, but much remains to be done," he told lawmakers.

Under the direction of cybersecurity chief Bruce Brody, the department has awarded a $103 million contract to a consortium of five companies to tighten the VA's security systems, detect hacker attacks and prevent them.

Security officers at the three VA administrations will report directly to Brody. Security officers at each hospital, regional office and cemetery will report directly to the facility's manager instead of keeping the hodgepodge of existing reporting arrangements.

Still, the VA's actions are a work in progress, according to the GAO report, and they "have not yet been sufficient to fully implement all of the key elements of a comprehensive computer security management program."

Meanwhile, Gauss said he is tackling the troubled VetsNet program for compensation and pension payments. The VA has spent six years and more than $300 million trying to deploy the system, but continues to rely on an aging network to make 3.5 million benefits payments to veterans and their dependents each month.

Gauss said he's committed to getting VetsNet working by April 2004 and has hired a project manager to oversee its completion.

***

High score

In a report released Sept. 26, the General Accounting Office said the Department of Veterans Affairs has made substantial progress in improving its management of information technology.

Among the activities the VA is doing right:

* Consolidating and restructuring the chief information officer's authority.

* Developing an enterprise architecture.

* Improving computer security.

* Hiring a consortium to respond to cybersecurity breaches.

* Enhancing the monitoring and detection of security problems.

* Making progress in securely sharing health care data with the Defense Department to improve medical services to veterans.

* In the process of recruiting a permanent chief enterprise architect.