The Department of Veterans Affairs (VA) is making more progress in strengthening its data security than is reflected in a recent report from the Government Accountability Office (GAO), testified Robert Howard, chief information officer (CIO) of the VA, at a House Committee on Veterans Affairs hearing.
This month, the GAO reported that the VA has not implemented 22 of 26 IT security recommendations from the GAO and the Office of the Inspector General (OIG), and has yet to fill the position of chief information security officer (CISO), which has been vacant since June 2006.
In July, the VA closed its third round of accepting applications for the position, and it is weeks away from a decision, Howard said. After the second round of interviews, the VA selected an individual, but that person took another job within days of being hired, according to Howard.
The GAO faulted the VA for not having clear guidance for identifying devices that require encryption functionality. But “all along, the guidance has been that mobile devices will be encrypted,” Howard said. He believes GAO investigators may not have fully understood the steps the VA was taking to improve security, including more than 400 items in an action plan signed on May 24, 2006.
Howard testified that the department is making progress, but is slowed by customary federal contracting and other requirements.
Other security improvements include testing 10,000 security controls on 603 computer systems throughout the VA. A new contract with Dell Computer to standardize desktops across the VA also will improve security, Howard contends.
Howard also asserted that the VA’s IT systems would be centralized by July 2008.