VA attorney interpreted CIO out of enforcement

The Veterans Affairs Department's top attorney defended his legal opinion that federal security law does not require that the department CIO have authority over enforcement of IT security.

VA secretary Jim Nicholson has ultimate responsibility for ensuring compliance with federal security provisions and may delegate that authority to the department CIO, but it is not required or automatic, VA general counsel Tim McClain told House lawmakers yesterday.

'The CIO wanted authority that was not there in statute. The legal opinion was the interpretation of what the law provides,' McClain told the House Veterans Affairs Committee, which was questioning who has responsibility and authority over enforcement of VA IT security policies and procedures.

It was one of several hearings that committee chairman Steve Buyer (R-Ind.) has conducted in response to the recent theft of sensitive data from a VA employee's home.

The Federal Information Security Management Act requires the VA secretary to delegate to the CIO 'sufficient authority' to ensure compliance but does not direct the means for how the CIO ensures compliance, McClain said.

'That does not necessarily require delegation to the CIO of direct control over agency programs because such control is not the only means by which the information security objectives may be accomplished,' he said.

Buyer said that FISMA should be updated to give department CIOs the line of authority to enforce security policies and procedures.

'It's not to be subject to interpretation. It's incongruent to say that one has responsibility but no authority,' Buyer said.

VA has since adopted a federated model of centralizing the IT structure. The department CIO has authority over IT operations and maintenance and the IT employees associated with that. VA's benefits, health and burial administrations will retain authority over IT development and those employees. Consequently, IT security enforcement will remain somewhat decentralized. The House last year passed legislation that would centralize all IT authority under the department CIO.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected