VA stymied in trying to provide responses to Congress

Congress keeps asking questions about data security at the Department of Veterans Affairs, but the VA hasn't come up with any answers yet. With another deadline coming this week, that appears unlikely to change -- the VA secretary's latest plan to get Congress the answers it seeks has been rejected by his own department's inspector general.

Beginning Oct. 23, the House Veterans Affairs Committee directed six formal inquiries totaling more than 100 questions to VA's Office of Information and Technology concerning IT security practices in relation to at least nine state-sponsored data breaches.

VA failed to respond to deadlines for the first three sets of congressional inquiries, a collection of 39 questions probing VA's adherence to the Information Technology Act of 2006, its safeguarding of veterans' personally identifiable information in accordance with privacy laws and the Health Information Technology for Economic and Clinical Health Act. Responses to those inquiries were due by 6 p.m. Nov. 6, 8 and 11, respectively.

Missed deadlines are nothing new for VA: The agency has more than 110 outstanding information requests dating back to June 2012.

VA Secretary Eric Shinseki came up with a plan to address this latest batch of inquiries, informing Rep. Mike Coffman (R-Colo.), chairman of the Subcommittee on Oversight and Investigations on Nov. 8 that he had asked the VA Office of Inspector General to expand its 2013 Federal Information Security Management Act audit to include the questions.

But in a Nov. 12 letter to Veterans Affairs Chairman Jeff Miller (R-Fla.), the VAOIG said it could not expand its 2013 audit work, which it described as "substantially complete" and due to the Office of Management and Budget in late November. VAOIG said it could potentially expand the scope of its FISMA work for VA in 2014, but would need to modify its existing contract for the work or pursue other acquisition strategies. The IG gave November 2014 as a possible date by which it could comply with the request, which, it acknowledged, "may not meet the Committee's timelines or the broad scope of your interests."

VAOIG's 2013 FISMA audit will be released publicly sometime in early 2014. Its 2012 FISMA audit was critical of VA, which did not remediate approximately 4,000 "outstanding system security risks" in its plans of action and milestones to "improve its overall information security posture." The report concluded material weakness still exists in VA's information security program.

Without VAOIG intervention, it remains unclear what course of action VA will take, but the latest congressional deadline will almost certainly be missed.

Sources within VA OIT told FCW that many of the questions contained sub-questions or required documentation, "making it more like 500 or 600 questions" that can be answered only by a team of about 20 of OIT's 8,000 employees.

Congress' vigor in probing VA's perceived IT security weaknesses comes following testimony from VA officials in June testimony regarding a series of data breaches that potentially put at risk private information such as Social Security numbers and names of more than 20 million veterans and their families.