VA attorney interpreted CIO out of enforcement

The Veterans Affairs Department's top attorney defended his legal opinion that federal security law does not require that the department CIO have authority over enforcement of IT security.

VA secretary Jim Nicholson has ultimate responsibility for ensuring compliance with federal security provisions and may delegate that authority to the department CIO, but it is not required or automatic, VA general counsel Tim McClain told House lawmakers yesterday.

'The CIO wanted authority that was not there in statute. The legal opinion was the interpretation of what the law provides,' McClain told the House Veterans Affairs Committee, which was questioning who has responsibility and authority over enforcement of VA IT security policies and procedures.

It was one of several hearings that committee chairman Steve Buyer (R-Ind.) has conducted in response to the recent theft of sensitive data from a VA employee's home.

The Federal Information Security Management Act requires the VA secretary to delegate to the CIO 'sufficient authority' to ensure compliance but does not direct the means for how the CIO ensures compliance, McClain said.

'That does not necessarily require delegation to the CIO of direct control over agency programs because such control is not the only means by which the information security objectives may be accomplished,' he said.

Buyer said that FISMA should be updated to give department CIOs the line of authority to enforce security policies and procedures.

'It's not to be subject to interpretation. It's incongruent to say that one has responsibility but no authority,' Buyer said.

VA has since adopted a federated model of centralizing the IT structure. The department CIO has authority over IT operations and maintenance and the IT employees associated with that. VA's benefits, health and burial administrations will retain authority over IT development and those employees. Consequently, IT security enforcement will remain somewhat decentralized. The House last year passed legislation that would centralize all IT authority under the department CIO.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group