VA attorney interpreted CIO out of enforcement

The Veterans Affairs Department's top attorney defended his legal opinion that federal security law does not require that the department CIO have authority over enforcement of IT security.

VA secretary Jim Nicholson has ultimate responsibility for ensuring compliance with federal security provisions and may delegate that authority to the department CIO, but it is not required or automatic, VA general counsel Tim McClain told House lawmakers yesterday.

'The CIO wanted authority that was not there in statute. The legal opinion was the interpretation of what the law provides,' McClain told the House Veterans Affairs Committee, which was questioning who has responsibility and authority over enforcement of VA IT security policies and procedures.

It was one of several hearings that committee chairman Steve Buyer (R-Ind.) has conducted in response to the recent theft of sensitive data from a VA employee's home.

The Federal Information Security Management Act requires the VA secretary to delegate to the CIO 'sufficient authority' to ensure compliance but does not direct the means for how the CIO ensures compliance, McClain said.

'That does not necessarily require delegation to the CIO of direct control over agency programs because such control is not the only means by which the information security objectives may be accomplished,' he said.

Buyer said that FISMA should be updated to give department CIOs the line of authority to enforce security policies and procedures.

'It's not to be subject to interpretation. It's incongruent to say that one has responsibility but no authority,' Buyer said.

VA has since adopted a federated model of centralizing the IT structure. The department CIO has authority over IT operations and maintenance and the IT employees associated with that. VA's benefits, health and burial administrations will retain authority over IT development and those employees. Consequently, IT security enforcement will remain somewhat decentralized. The House last year passed legislation that would centralize all IT authority under the department CIO.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • senior center (vuqarali/

    Bmore Responsive: Home-grown emergency response coordination

    Working with the local Code for America brigade, Baltimore’s Health Department built a new contact management system that saves hundreds of hours when checking in on senior care centers during emergencies.

  • man checking phone in the dark (Maridav/

    AI-based ‘listening’ helps VA monitor vets’ mental health

    To better monitor veterans’ mental health, especially during the pandemic, the Department of Veterans Affairs is relying on data and artificial intelligence-based analytics.

Stay Connected