VA gives CIO IT security authority

Veterans Affairs secretary James Nicholson has given the VA CIO broad authority over information security policies and procedures, including enforcement, effective immediately.

Previously, the CIO did not have that authority; the CIO could only seek compliance from the heads of VA's health, benefits and burial administrations.

Congress and security experts have cited VA's decentralization as a major factor in VA's failing grade on the annual report card for adherence to the Federal Information Security Management Act and a contributing factor in the recent theft of sensitive data of up to 26.5 million veterans and others.

Nicholson announced yesterday at a hearing of the Veterans Affairs Committee that the stolen laptop and hard drive containing the data were <>, and added that he was optimistic that the culprits did not access the sensitive data.

House Veterans Affairs Committee chairman Steve Buyer (R-Ind.) praised Nicholson for his action, saying that at times he has not been well-served by others.

'I commend you for taking bold action to change the culture at VA and definitively granting [the] CIO the authority to manage and enforce VA's information systems,' he said.

'I have been paying close attention to these hearings,' Nicholson told the committee.

Among the provisions in the VA directive dated Wednesday, the CIO has authority to require key officials to report on actions taken in response to any compliance failure or policy violation. The CIO also will bring background investigations on employees and contractors, and determination of risk and sensitivity levels of employee position descriptions into compliance with the security regulations.

VA's general counsel last week told lawmakers it was his legal opinion that FISMA did not require that the department CIO have authority over IT enforcement, only that the CIO could ensure compliance. The secretary had ultimate authority, and he could delegate that authority.

VA has begun implementing a federated model of centralizing the IT structure. The department CIO has authority over IT operations and maintenance, and the IT employees associated with that. VA's benefits, health and burial administrations will retain authority over IT development and those employees. The House last year passed legislation that would centralize all IT authority under the department CIO.

Nicholson also has established a program that will strengthen internal controls and establish enforcement mechanisms. VA is about to complete its assessment of existing security conditions, he said.

He has directed that all sensitive VA data be kept on VA equipment, such as laptops. Previously, many employees had used their own personal computers to conduct VA business. VA will determine who has been doing that, and why, and will issue guidance related to it.

Nicholson said that out of this bad situation he hopes to make VA a model for data security.

'I believe we can craft a structure that will be the gold standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated,' he said.

First, he plans to correct the deficiencies the inspector general has noted in the past and raise VA's failing FISMA grade.

He also proposed that Congress legislate criminal penalties and fines for the misuse of sensitive personal information similar to those under the Health Insurance Portability and Accountability Act for intentional misuse of health information for private gain.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
