Big Challenges Remain to Secure VA IT
Congressman Confronts VA Officials at House Hearing
"VA has put in place a plan to employ many of the successful approaches and technologies used by effective, large-scale private sector organizations to ensure that we have visibility into and control over every aspect of our electronic enterprise," Roger Baker, the VA's assistant secretary for information and technology, said in his prepared testimony to the House Veterans Affairs Subcommittee on Oversight and Investigation.
But investigators from the Government Accountability Office and the VA's inspector general office told the subcommittee that the department hasn't yet gotten its act together in complying with federal rules to safeguard IT systems, including the Federal Information Security Management Act (FISMA).
"Seven years after FISMA's enactment, we continue to report significant deficiencies with controls supporting VA's information security program, which could have potentially alarming consequences," Belinda Finn, the VA's assistant IG for audit and evaluations, said in her prepared testimony.
The panel's chairman, Rep. Harry Mitchell, D.-Ariz., agreed the risk continues, citing recent data breaches in Texas that exposed the personally identifiable information of nearly 4,000 veterans. "These recent data breaches are proof that the VA still has a long ways to go in ensuring our nation's veterans that their most sensitive information is being safely stored and handled," Mitchell said.
And, in an exchange between Rep. Steve Buyer, R.-Ind., and Jan Frye, VA deputy assistant secretary of acquisition and logistics, the congressman testily complained that no one seems to be accepting blame for the breaches. "I dislike the decentralized process," Buyer said about a system in which individual departmental units are responsible for IT security. "I dislike it, I detest it. I would prefer to have testimony from someone who would say, 'I own it.'"