VA attorney interpreted CIO out of enforcement

The Veterans Affairs Department's top attorney defended his legal opinion that federal security law does not require that the department CIO have authority over enforcement of IT security.

VA secretary Jim Nicholson has ultimate responsibility for ensuring compliance with federal security provisions and may delegate that authority to the department CIO, but it is not required or automatic, VA general counsel Tim McClain told House lawmakers yesterday.

'The CIO wanted authority that was not there in statute. The legal opinion was the interpretation of what the law provides,' McClain told the House Veterans Affairs Committee, which was questioning who has responsibility and authority over enforcement of VA IT security policies and procedures.

It was one of several hearings that committee chairman Steve Buyer (R-Ind.) has conducted in response to the recent theft of sensitive data from a VA employee's home.

The Federal Information Security Management Act requires the VA secretary to delegate to the CIO 'sufficient authority' to ensure compliance but does not direct the means for how the CIO ensures compliance, McClain said.

'That does not necessarily require delegation to the CIO of direct control over agency programs because such control is not the only means by which the information security objectives may be accomplished,' he said.

Buyer said that FISMA should be updated to give department CIOs the line of authority to enforce security policies and procedures.

'It's not to be subject to interpretation. It's incongruent to say that one has responsibility but no authority,' Buyer said.

VA has since adopted a federated model of centralizing the IT structure. The department CIO has authority over IT operations and maintenance and the IT employees associated with those functions. VA's benefits, health and burial administrations will retain authority over IT development and those employees. Consequently, IT security enforcement will remain somewhat decentralized. The House last year passed legislation that would centralize all IT authority under the department CIO.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

