HAROLD F. GRACEY, JR.
ACTING ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY
DEPARTMENT OF VETERANS AFFAIRS
UNITED STATES SENATE
COMMITTEE ON GOVERNMENTAL AFFAIRS
September 23, 1998
Good morning, Mr. Chairman and members of the Committee. I am pleased to testify before you today to discuss computer security issues at the Department of Veterans Affairs.
The Department provides services to veterans and their families. These benefits primarily are for veterans in the form of Compensation, Pension and Education programs through Regional Offices; in the form of medical care and services through medical centers, domiciliaries and outpatient clinics; and in the form of graveside and burial services for deserving veterans and qualifying family members. VA operates from almost 1200 facilities across the nation, employing approximately two hundred nineteen thousand employees. There are approximately seventy million persons who are veterans, dependents and survivors of deceased veterans who are potentially eligible for VA benefits and services.
To facilitate these services, VA has extensive computer system networks and electronic information. The systems are generally aligned with each major administration within VA: the Veteran Benefits Administration, the Veteran Health Administration, and the National Cemetery System. Additionally, Departmental administrative systems which support all elements of VA are supported through a large centralized service center. While much of VA information is contained in what may be considered "legacy" systems, all of the information centers are interconnected so that limited critical forms of information may be exchanged among various sites and information applications. This information is not classified as secret information, but is highly sensitive since it includes personal information about a large body of the nation’s population. In addition to information about veteran programs, VA has virtually completed implementation of an integrated administrative E-mail network which permits seamless exchange of electronic mail across the breadth of the Department.
We have recently experienced several General Accounting Office (GAO) and VA Office of Inspector General (OIG) reviews of our information technology security. There are a number of findings which identify vulnerabilities and needed improvements at specific sites, among specific organizations, and in VA wide security program management. We do not dispute the GAO and OIG findings, and have already acted upon most of their recommendations. We have contracted for third party reviews of our major centers in the past, and despite our concerns with continuing vulnerabilities, we view the recent reports as providing us an opportunity to strengthen our information security program with a more comprehensive computer security planning and management program.
We intend to address each of the recommendations identified by the GAO and VA’s OIG in their four recent reviews, including VA’s:
As GAO indicates, VA immediately corrected the identified computer control weaknesses and implemented oversight mechanisms to ensure that these problems do not re-occur. In September 1998, my office finalized with the full participation of the respective Administration Chief Information Officers a detailed Integrated VA Security Plan for implementing each of the recommendations. Each VA Administration is responsible to complete a specific series of tasks structured to correct deficiencies. Plan status and progress will be provided monthly to the OIG. The projected date of completion for the tasks in this plan is December 1998.
We also have prepared a Draft VA Information Technology Security Program Plan that addresses department-wide computer security issues, including policies, guidance and procedures and responsibilities. This plan addresses the recent reports, as well as other program shortcomings. It is expected to create more explicit guidance to VA Administrations with increased oversight requirements.
I am committed to a strong information technology security program, and I intend to ensure security receives adequate attention with an elevated level of scrutiny in VA.
I appreciate the opportunity to address this important matter and will be pleased to answer any questions you may have.