VA’s PC encryption puzzle

The department has installed fewer than 16 percent of software packages purchased for $6 million since 2006, IG says.

Who do you believe?

The Veterans Affairs Department Inspector General reported yesterday that the VA Office of Information Technology has purchased 400,000 licenses since 2006 at a cost of $5.9 million to encrypt its desktop and laptop computers, but as of this July, had only installed the software on 65,000, or 16 percent, of the PCs.

This is a big deal, as VA acquired the encryption software in a hurry-up procurement in response to the largest data breach in history -- the theft in May 2006 of a hard drive containing personally identifiable information for 26 million veterans.

VA mandated disk encryption in August 2006 and bought scads of Guardian Edge software to do the job, but it has encrypted few machines for a variety of reasons, including a change in operating systems, the IG said.

Not so, said VA Chief Information Officer Roger Baker. In a statement, he said VA “has successfully encrypted over 99 percent of our laptop computers,” but far fewer of its desktops due to an ongoing switch to Windows 7.

This does not square with language in the IG report, which says, “OIT acknowledged that VA laptop and desktop computers remain unencrypted. As a result, veterans’ data remained at risk due to unencrypted computers.”

Maybe next week Baker can resolve this confusion and also detail the number of laptops and desktops in the VA inventory -- encrypted and unencrypted.