This is the accessible text file for GAO report number GAO-10-170R 
entitled 'Department of Veterans Affairs' Implementation of Information 
Security Education Assistance Program' which was released on December 
18, 2009. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-10-170R: 

United States Government Accountability Office: 
Washington, DC 20548: 

December 18, 2009: 

The Honorable Daniel K. Akaka:
Chairman:
The Honorable Richard Burr:
Ranking Member:
Committee on Veterans' Affairs:
United States Senate: 

The Honorable Bob Filner:
Chairman:
The Honorable Steve Buyer:
Ranking Member:
Committee on Veterans' Affairs:
House of Representatives: 

Subject: Department of Veterans Affairs' Implementation of Information 
Security Education Assistance Program: 

The Veterans Benefits, Health Care, and Information Technology Act of 
2006 authorizes the Secretary of Veterans Affairs to establish an 
educational assistance program for information security.[Footnote 1] 
The Information Security Education Assistance Program is envisioned as 
a means for the Department of Veterans Affairs (VA) to attract and 
retain individuals with advanced skills in information security. The 
legislation authorizes the agency to establish scholarships for 
qualified students who pursue doctoral degrees in computer science and 
electrical and computer engineering at accredited institutions and to 
offer educational debt reduction for VA employees who hold doctoral 
degrees in these fields. 

This letter responds to the act's requirement that we report on the 
scholarship and education debt reduction programs within 3 years of the 
act's December 22, 2006, enactment.[Footnote 2] As agreed with your 
offices, our objective was to determine the status of VA's 
implementation of the program. To accomplish this objective, we 
analyzed section 903 of the act, the status of the draft regulations 
governing the program, and the agency's process for implementing the 
program. We interviewed officials in VA's Office of Information and 
Technology, Office of General Counsel, and Office of Congressional and 
Legislative Affairs and reviewed documents related to the 
implementation process. To gain an understanding of how the department 
manages other education programs, we also interviewed officials in the 
Veterans Health Administration. In addition, we met with officials in 
the Office of Inspector General and reviewed that office's reports on 
VA's Office of Information and Technology. We performed our work from 
April 2009 to December 2009 in accordance with generally accepted 
government auditing standards. These standards require that we plan and 
perform audits to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 

Results in Brief: 

The Department of Veterans Affairs has not begun to award scholarships 
or offer and disburse loan repayments under the Information Security 
Education Assistance Program, although it has taken some steps to 
implement the program. Since 2006, VA has drafted governing 
regulations, which are now undergoing internal review, and has 
developed a budget impact analysis. After the department's internal 
review is completed, several additional steps are planned before the 
regulations are issued, including review by the Office of Management 
and Budget (OMB) and a public comment period. Department officials 
anticipate that the debt-reduction portion of the program will begin, 
and the first scholarship candidates will be selected, during 2011. 

Background: 

The Veterans Benefits, Health Care, and Information Technology Act was 
enacted after a serious loss of data in 2006 revealed weaknesses in 
VA's handling of personally identifiable information. Specifically, in 
May 2006, an information security breach at the department occurred 
involving a stolen hard drive with personal data on millions of 
veterans and their dependents. The incident highlighted the seriousness 
of weaknesses in the department's information security. In testimony 
shortly after the breach, we noted that for many years, significant 
concerns had been raised about VA's information security--particularly 
its lack of a robust information security program, which is vital to 
minimizing the risk of compromise of government information, including 
sensitive personal information.[Footnote 3] 

One of the programs authorized by the Veterans Benefits, Health Care, 
and Information Technology Act in response to these concerns about VA's 
longstanding information security weaknesses and the data breach was 
the Information Security Education Assistance Program. Under the act, 
the Secretary of the Department of Veterans Affairs was authorized to 
establish an education assistance program for doctoral students in 
computer science and computer and electrical engineering to strengthen 
VA's ability to recruit and retain individuals who have necessary 
information security skills. The program is to have two parts: a 
debt-reduction program for VA employees who have recently earned doctoral 
degrees, and a scholarship program for qualified individuals who must 
agree to work for the agency on completion of their academic programs. 
The agency is authorized to repay up to $16,500 of student loan debt 
each year for qualified employees up to a total of 5 years and $82,500. 
Doctoral students may receive full tuition scholarships plus a monthly 
stipend for up to 5 years, not to exceed a total of $200,000. According 
to section 903(c) of the act, the scholarship program may only apply to 
financial assistance provided for an academic semester or term that 
begins on or after August 1, 2007. Authorization to make payments under 
the program expires on July 31, 2017. The act also requires VA to 
prescribe regulations for administering the program. 

The VA unit responsible for implementing the Information Security 
Education Assistance Program is the Office of Information and 
Technology (OI&T), which oversees the department's information 
technology (IT) assets and resources including information security and 
privacy. Within OI&T, two offices have managed the implementation 
efforts: the Office of Information Technology Resource Management, 
which is responsible for human capital and IT budgeting, and the Office 
of Information Protection and Risk Management, which is responsible for 
information security. VA's Office of General Counsel also has a role. 
General Counsel's Office of Regulation Policy and Management monitors 
and reviews proposed regulations, provides regulatory impact analyses, 
and is VA's regulatory liaison with OMB. 

VA Has Begun Implementing the Program but Considerable Work Remains 
Before Financial Assistance Can Begin: 

VA is in the process of developing regulations for administering the 
program, as called for by the act. OI&T's Office of Information 
Technology Resource Management began work on the regulations and had a 
draft ready for internal review and concurrence by August 2007. 
Responsibility for managing the concurrence process and ensuring that 
other VA offices reviewed and concurred with the program regulations 
was assigned, on August 1, 2007, to the Office of Information 
Protection and Risk Management since, according to a senior OI&T 
official, this office would most benefit from the program. The status 
of the review and concurrence process was to be monitored by General 
Counsel's Office of Regulation Policy and Management. 

The regulations have not yet been issued. During 2007 and 2008, the 
Office of Regulation Policy and Management sent multiple status 
inquiries to Information Protection and Risk Management. In April 2008, 
Regulation Policy and Management noted that it had received no status 
updates in about a year. In the summer of 2008, OI&T's Office of 
Information Technology Resource Management learned, according to a 
senior official within the office, that the draft regulations were 
still in Information Protection and Risk Management and no apparent 
action had been taken. At that point, Resource Management took 
responsibility for ensuring that the draft regulations were sent 
forward for review and concurrence. Subsequently, in January 2009, the 
draft regulations were sent to VA's Office of General Counsel for 
review. In September 2009, the Office of General Counsel provided 
initial comments on the draft regulations. 

VA plans several other actions before issuing the regulations and has 
outlined a project plan for issuing the regulations that includes the 
remaining steps and milestones. Specifically, after final concurrence 
by the Office of General Counsel and concurrence by the other 
departmental offices, the draft regulations must be approved by the 
Secretary of Veterans Affairs. The department will then submit the 
draft regulations for review by OMB and then for comment from the 
public. VA officials estimate that, after the department addresses 
these comments and OMB performs another review, the final regulations 
could be issued in January 2011. 

VA Plans to Begin Program Activities in January 2011: 

VA officials anticipate that, if funds are available, the agency will 
announce the program and begin seeking candidates in January 2011 for 
both the debt reduction and scholarship components of the program. More 
time will elapse before any scholarship candidates receive doctoral 
degrees and are able to apply that educational experience to VA's 
information security needs.[Footnote 4] 

VA has drafted an impact analysis that estimates the costs for the 
program and has identified two current staff members who may be 
eligible for debt repayments. In its impact analysis, VA estimates that 
the program will cost at least $217,000 by 2015, based on a survey 
which suggests that the department will have one candidate for the 
scholarship program and three candidates for the debt reduction program 
within the next 5 years. According to VA officials, no funds were 
allocated to the program in the department's fiscal year 2010 budget. 

Figure 1 summarizes VA's actions and planned actions, from enactment of 
the authorizing legislation through program implementation. 

Figure 1: Completed and Planned Actions for the Information Security 
Education Assistance Program: 

[Refer to PDF for image: illustration] 

Completed Activities: 

Authorizing legislation enacted: December 2006. 

Task: Regulations drafted: February-June, 2007; 

Task: Internal review begins: July 2007-December 2008; 

Task: Reviewed by General Counsel: January-September, 2009; 

Milestone: Impact analysis complete: October, 2009; 

Planned Activities: 

Task: Agency concurrence process continues: October, 2009-April, 2010; 

Milestone: Signed by Secretary: January, 2010; 

Task: OMB review: January-March, 2010; 

Task: Public comment: March-April, 2010; 

Task: Respond to comments: May-June, 2010; 

Task: Final reviews by General Counsel and OMB: July-December, 2010; 

Milestone: Regulations issued, programs announced: January, 2011; 

Task: Loan repayments available: January 2011-July, 2017; 

Task: Scholarships available (next full academic year): September, 2011-July, 2017; 

Milestone: Program authority ends: July 2017. 

Source: GAO analysis of agency data. 

[End of figure] 

In comments provided via e-mail on a draft of this correspondence, the 
GAO liaison, VA Office of Congressional and Legislative Affairs, stated 
that the department had reviewed the draft report and had no comments 
to offer at this time. 

We are sending a copy of this letter to the Secretary of Veterans 
Affairs. In addition, the document will be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. 

If you have any questions regarding this letter, please contact Gregory 
C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Valerie C. 
Melvin at (202) 512-6304 or melvinv@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. 

GAO staff who made major contributions to this letter are Charles 
Vrabel (Assistant Director), Monica Perez Anatalio, Neil Doherty, Nancy 
Glover, Mary Marshall, Lee McCracken, Kate Nielsen, Sylvia Shanks, 
Glenn Spiegel, and Adam Vodraska. 

Signed by: 

Gregory C. Wilshusen:
Director, Information Security Issues: 

Signed by: 

Valerie C. Melvin:
Director, Information Management and Human Capital Issues: 

[End of section] 

Footnotes: 

[1] Pub. L. No. 109-461, § 903, 120 Stat. 3403, 3460 (Dec. 22, 2006), 
adding a new Chapter 79, Information Security Education Assistance 
Program, to Title 38 of the U.S. Code. This program is part of Title IX 
of the act known as the Department of Veterans Affairs Information 
Security Enhancement Act of 2006. 

[2] Pub. L. No. 109-461, § 903(b), 120 Stat. 3464. 

[3] GAO, Veterans Affairs: Leadership Needed to Address Information 
Security Weaknesses and Privacy Issues, [hyperlink, 
http://www.gao.gov/products/GAO-06-866T], (Washington, D.C.: June 14, 
2006). 

[4] The earliest date to hire a doctoral program graduate who receives 
a scholarship might be around January 2012. This date assumes that VA 
selects a graduate at the program's start in January 2011 who is in the 
last year of doctoral study. A candidate just starting a doctoral 
program might take considerably longer. For example, Carnegie Mellon 
University suggests it may take 6 years to complete a Ph.D. in computer 
science and the University of Texas, Austin, estimates 3 to 5 years. 

[End of section] 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: