New VA CIO Issues Cyber Strategy, Wants to Tackle ‘Quick Wins’

The Department of Veterans Affairs' new top tech official can check off “job No. 1” from her lengthy to-do list.

LaVerne Council, the assistant VA secretary for information and technology and the agency’s chief information officer, said the agency submitted an enterprise cybersecurity strategy to Congress on Sept. 28, ahead of schedule.

During her confirmation hearing in June -- hers is one of the few agency CIO positions requiring Senate approval -- Council pledged to strengthen the agency’s cybersecurity posture.

The new cyber strategy, under development since Council joined VA in July, spells out the department’s plan for shoring up security across thousands of desktop computers and even Internet-connected medical devices.

Council, a former IT executive at Dell and pharmaceutical giant Johnson & Johnson, laid out her playbook for transforming VA’s IT shop in an Oct. 15 speech at an event sponsored by the Government Information Technology Executive Council.

VA’s IT shop has at times come under intense scrutiny from lawmakers over the agency’s handling of veterans’ private data.

The department’s inspector general has called out VA’s information security practices as a “material weakness” on the agency’s annual Federal Information Security Management Act audit for the past 16 years. And VA continues to battle millions of malware and intrusion attempts every month -- more than 1 billion in March, alone -- according to semi-regular updates provided by the CIO office.

Cyber Strategy Tackles Medical Devices, Privacy

Council acknowledged “pressure” on the IT shop from a number of factors, including the changing demographics of veterans seeking care -- more Vietnam-era vets contrary to public perception -- the "consumerization of IT" and “growing cyber threats.”

She added, "the external forces and the internal complexity demand change.”

Council tasked Susan McHugh-Polley, the IT shop’s executive director for field operations, with leading the team that developed the new cyber strategy.

The plan covers eight “domains,” McHugh-Polley said later during a panel discussion following Council’s remarks. The plan includes a new focus on medical cybersecurity and privacy as well as access control and identity management, and risk management, among others

"The hardest work is the implementation plan,” McHugh-Polley said.

As for Council’s other big plans, she said she wants to streamline “core processes and platforms” -- she’s tasked a team with rethinking the software development process at the agency to be more agile -- and also start to address some of those longstanding IG recommendations for resolving material weaknesses.

“That's what we've got to do,” Council said. “If that's how the IG looks at it, let's just call it out, get it done, put it to sleep, move on. It's a good thing."

In particular, Council said she’s focused on “quick wins.”

“You've got to show that you can do these things, that you can make impact and change quickly,” she said. “It drives energy to the team; it drives energy in the leader. Everybody gets hyped."

Speeding up a ‘Laborious’ Software Dev Process

Council tasked Rob Thomas, assistant deputy CIO for integration, with streamlining VA’s internal software development methods, at times a “lengthy and laborious” process, Thomas said.

"In fact, if you wanted to deliver some software, you would need 57 artifacts” -- use cases, essentially -- “in order to prove that that software could be developed and it can be delivered," he added. “So, my first priority right now is to change that."

Thomas is leading a team focused on “getting software out to the field better, faster and cheaper than we have done in the past," he said, in part by adopting a “full-blown agile” process.

A formal plan is due by the end of December, Thomas said.

‘Buy First?’

Some elements of Council’s “transformation playbook” could spell even more dramatic shifts for the agency. Among them: privileging the acquisition of commercial tech products rather than in-house development.

"We have to institutionalize a 'buy first' strategy,” Council said. “Now, this could have been a 'make first' or a 'buy first' strategy. But the fact is, it's 'buy first,' because business cases defining which direction we go have got to become critical parts of our DNA. We've got to ask ourselves critical questions -- with the finite resources we have -- how best to go forward and what is the life cycle that will enable the [best] veteran experience, to meet the needs that we have for the future?"

How does that square with continued development of the next-generation version of the Veterans Health Information Systems and Technology Architecture, the department-built electronic health record system?

It’s still unclear. Alan Constantian, assistant deputy CIO for product and platform management who’s part of VA's ongoing VistA revamp, said he just learned of the “buy first” strategy the day before.

"Buy first is a challenge, I think, for any kind of home-grown system,” he said. But the policy itself doesn’t outright bar in-house development, it only shifts the “burden of proof” onto proving why doing so is necessary, he added.

Constantian said his team is meeting with Council to lay out their case for sticking with the existing plan for the VistA upgrade, known as VistA Evolution.