Big Challenges Remain to Secure VA IT

Congressman Confronts VA Officials at House Hearing
The chief information officer of the Department of Veterans Affairs told a House panel Wednesday that the VA has taken significant steps to prevent more of the IT security breaches that have plagued the agency.

"VA has put in place a plan to employ many of the successful approaches and technologies used by effective, large-scale private sector organizations to ensure that we have visibility into and control over every aspect of our electronic enterprise," Roger Baker, the VA's assistant secretary for information and technology, said in his prepared testimony to the House Veterans Affairs Subcommittee on Oversight and Investigation.

But investigators from the Government Accountability Office and the VA's inspector general office told the subcommittee that the department hasn't yet gotten its act together in complying with federal rules to safeguard IT systems, including the Federal Information Security Management Act.

"Seven years after FISMA's enactment, we continue to report significant deficiencies with controls supporting VA's information security program, which could have potentially alarming consequences," Belinda Finn, the VA's assistant IG for audit and evaluations, said in her prepared testimony.

The panel's chairman, Rep. Harry Mitchell, D-Ariz., agreed the risk continues, citing recent data breaches in Texas that exposed the personally identifiable information of nearly 4,000 veterans. "These recent data breaches are proof that the VA still has a long ways to go in ensuring our nation's veterans that their most sensitive information is being safely stored and handled," Mitchell said.

And, in an exchange between Rep. Steve Buyer, R-Ind., and Jan Frye, VA deputy assistant secretary of acquisition and logistics, the congressman testily complained that no one seems to be accepting blame for the breaches. "I dislike the decentralized process," Buyer said about a system in which individual departmental units are responsible for IT security. "I dislike it, I detest it. I would prefer to have testimony from someone who would say, 'I own it.'"

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
