GAO-11-663T, Information Technology: Department of Veterans Affairs Faces Ongoing Management Challenges


This is the accessible text file for GAO report number GAO-11-633T 
entitled 'Information Technology: Department of Veterans Affairs Faces 
Ongoing Management Challenges' which was released on May 11, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony before the Subcommittee on Oversight and Investigations, 
Committee on Veterans' Affairs, U.S. House of Representatives. 

For release on delivery: 
expected at 10:00 a.m. EDT: 
May 11, 2011: 

Information Technology: 

Department of Veterans Affairs Faces Ongoing Management Challenges: 

Statement of Joel C. Willemssen,
Managing Director, Information Technology: 

GAo-11-663T: 

GAO Highlights: 

Highlights from GAO-11-663T, a testimony before the Subcommittee on 
Oversight and Investigations, Committee on Veterans' Affairs, U.S. 
House of Representatives. 

Why GAO Did This Study: 

The use of information technology (IT) is crucial to helping the 
Department of Veterans Affairs (VA) effectively serve the nation’s 
veterans, and the department has expended billions of dollars annually
over the last several years to manage and secure its information systems
and assets. VA has, however, experienced challenges in managing its 
IT. GAO has previously highlighted VA’s weaknesses in managing and
securing its information systems and assets. 

GAO was asked to testify on its past work on VA’s weaknesses in
managing its IT resources, specifically in the areas of systems 
development, information security, and collaboration with the 
Department of Defense (DOD) on efforts to meet common health system 
needs. 

What GAO Found: 

Recently, GAO reported on two VA systems development projects that have
yielded mixed results. For its outpatient appointment scheduling 
project, VA spent an estimated $127 million over 9 years and was 
unable to implement any of the planned capabilities. The application 
software project was hindered by weaknesses in several key management 
disciplines, including acquisition planning, requirements analysis, 
testing, progress reporting, risk management, and oversight. For its 
Post 9/11 GI Bill educational benefits system, VA used a new 
incremental software development approach and deployed the first two
of four releases of its long-term system solution by its planned 
dates, thereby providing regional processing offices with key 
automated capabilities to prepare original and amended benefits 
claims. However, VA had areas for improvement, including establishing 
business priorities, testing the new systems, and providing oversight. 

Effective information security controls are essential to securing the
information systems and information on which VA depends to carry out its
mission. For over a decade, VA has faced long-standing information 
security weaknesses as identified by GAO, VA’s Office of the Inspector 
General, VA’s independent auditor, and the department itself. The 
department continues to face challenges in maintaining its information 
security controls over its systems and in fully implementing the 
information security program required under the Federal Information 
Security Management Act of 2002. These weaknesses have left VA 
vulnerable to disruptions in critical operations, theft, fraud, and 
inappropriate disclosure of sensitive information. 

VA and DOD operate two of the nation’s largest health care systems, 
providing health care to 6 million veterans and 9.6 million active 
duty service members at estimated annual costs of about $48 billion 
and $49 billion, respectively. To provide this care, both departments 
rely on electronic health record systems to create, maintain, and 
manage patient health information. GAO reported earlier this year that 
VA faced barriers in establishing shared electronic health record 
capabilities with DOD in three key IT management areas—strategic
planning, enterprise architecture (i.e., a description of business 
processes and supporting technologies), and IT investment management. 
Specifically, the departments were unable to articulate explicit 
plans, goals, and time frames for jointly addressing the health IT 
requirements common to both departments’ electronic health record 
systems. Additionally, although VA and DOD took steps toward 
developing and maintaining artifacts related to a joint health 
architecture, the architecture was not sufficiently mature to guide the
departments’ joint health IT modernization efforts. Lastly, VA and DOD 
did not have a joint process for selecting IT investments based on 
criteria that consider cost, benefit, schedule, and risk elements, 
which would help to ensure that the chosen solution both meets the 
departments’ common health IT needs and provides better value and 
benefits to the government as a whole. Subsequent to our report, the 
Secretaries of Veterans Affairs and Defense agreed to pursue 
integrated electronic health record capabilities. 

What GAO Recommends: 

In previous reports in recent years, GAO has made numerous 
recommendations to VA aimed at improving the department’s IT 
management capabilities. These recommendations were focused on:
improving two projects to develop and implement new systems, 
strengthening information security practices and ensuring that security
issues are adequately addressed, and overcoming barriers VA faces in
collaborating with DOD to jointly address the departments’ common
health care business needs. 

View [hyperlink, http://www.gao.gov/products/GAO-11-663T] or key 
components. For more information, contact Joel C
Willemssen at (202) 512-6253 or willemssenj@gao.gov or Valerie C. 
Melvin at (202) 512-6304 or melvinv@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

I am pleased to be a part of today's dialogue with the subcommittee on 
the Department of Veterans Affairs' (VA) actions to better manage its 
information technology (IT) resources. The use of IT is crucial to 
helping VA effectively serve the nation's veterans and the department 
has expended billions of dollars over the last several years to manage 
and secure its information systems and assets--the department's budget 
for IT now exceeds $3 billion annually. 

VA has, however, experienced challenges in managing its IT resources, 
as we have previously reported.[Footnote 1] As you requested, in my 
testimony today, I will describe those challenges, specifically in the 
areas of systems development, information security, and collaborating 
with the Department of Defense (DOD) to jointly develop electronic 
health record system capabilities. 

The information in my testimony is based primarily on our previous 
work at VA. We also obtained and analyzed pertinent documentation to 
determine the current status of selected department management 
efforts. We conducted our work in support of this testimony during May 
2011 in the Washington, D.C., area. All work on which this testimony 
is based was conducted in accordance with generally accepted 
government auditing standards. 

Background: 

VA's mission is to promote the health, welfare, and dignity of all 
veterans in recognition of their service to the nation by ensuring 
that they receive medical care, benefits, social support, and lasting 
memorials. According to information from the department, its employees 
maintain the largest integrated health care system in the nation for 
more than 5 million patients at more than 1,500 sites of care, provide 
compensation and pension benefits for nearly 4 million veterans and 
beneficiaries, and maintain nearly 3 million gravesites at 163 
properties. Over time, the use of IT has become increasingly important 
to the department's efforts to provide these benefits and services to 
veterans; VA relies on its IT systems for medical information and 
records and for processing benefits claims, including compensation and 
pension and education benefits. Further, VA is increasingly expected 
to improve its service to veterans by sharing information with other 
departments, especially DOD. 

VA's fiscal year 2012 request for almost $3.2 billion in IT budget 
authority indicates the range of the department's IT activities. For 
example, the request includes: 

* about $1.4 billion to operate and maintain existing infrastructure 
and systems; 

* approximately $650 million to develop new system capabilities to 
support, for example, faster compensation and pension claims 
processing, elimination of veteran homelessness, and improvement of 
veteran mental health; 

* $68 million for information security activities; and: 

* $915 million to fund about 7,000 IT personnel. 

Our prior work has shown that success in managing IT depends, among 
other things, on having and using effective system development 
capabilities and having effective controls over information and 
systems. We have issued several products on VA in important management 
areas where the department faces challenges. My testimony today will 
briefly summarize these products. 

Recent System Development Projects Have Achieved Varied Degrees of 
Success: 

Historically, VA has experienced significant IT development and 
delivery difficulties. We recently reported on two important VA 
systems development projects.[Footnote 2] The first project expended 
an estimated $127 million without delivering any of the planned 
capabilities. VA has begun implementing capabilities from the second 
project, although we identified opportunities for improvement. 

VA's Scheduling Replacement Project Was Hindered by Systems 
Development and Acquisition Weaknesses: 

To carry out VA's daily operations in providing care to veterans and 
their families, the department relies on an outpatient appointment 
scheduling system. However, according to the department, this current 
scheduling system has had long-standing limitations that have impeded 
its effectiveness. Consequently, VA began work on a replacement system 
in 2000. However, after spending an estimated $127 million over 9 
years, VA had not implemented any of the planned capabilities. 

VA's efforts to successfully complete the Scheduling Replacement 
Project were hindered by weaknesses in several key project management 
disciplines and a lack of effective oversight. Specifically, 

* VA did not adequately plan its acquisition of the scheduling 
application and did not obtain the benefits of competition. The 
Federal Acquisition Regulation (FAR) required preparation of 
acquisition plans[Footnote 3] that must address how competition will 
be sought, promoted, and sustained.[Footnote 4] VA did not develop an 
acquisition plan until May 2005, about 4 years after the department 
first contracted for a new scheduling system. Further, VA did not 
promote competition in contracting for its scheduling system. Instead, 
VA issued task orders against an existing contract that the department 
had in place for acquiring services such as printing, computer 
maintenance, and data entry. These weaknesses in VA's acquisition 
management reflected the inexperience of the department's personnel in 
administering major IT contracts. To address identified shortcomings, 
we recommended that VA ensure that future acquisition plans document 
how competition will be sought, promoted, and sustained. 

* VA did not ensure that requirements were complete and sufficiently 
detailed. Effective, disciplined practices for defining requirements 
include analyzing requirements to ensure that they are complete, 
verifiable, and sufficiently detailed.[Footnote 5] For example, 
maintaining bidirectional traceability from high-level operational 
requirements through detailed low-level requirements to test cases is 
a disciplined requirements management practice. However, VA did not 
adequately define requirements. For example, in November 2007, VA 
determined that performance requirements were missing and that some 
requirements were not testable. Further, according to project 
officials, some requirements were vague and open to interpretation. 
Also, requirements for processing information from other systems were 
missing. The incomplete and insufficiently detailed requirements 
resulted in a system that did not function as intended. In addition, 
VA did not ensure that requirements were fully traceable. As early as 
October 2006, an internal review noted that the requirements did not 
trace to business rules or to test cases. By not ensuring requirements 
traceability, the department increased the risk that the system could 
not be adequately tested and would not function as intended. We 
therefore recommended that VA ensure implementation of a requirements 
management plan that reflected leading practices. 

* VA's concurrent approach to performing system tests increased risk. 
Best practices in system testing indicate that testing activities 
should be performed incrementally, so that problems and defects 
[Footnote 6] with software versions can be discovered and corrected 
early. VA's guidance on conducting tests is consistent with these 
practices and specifies four test stages and associated criteria for 
progressing through the stages.[Footnote 7] For example, defects 
categorized as critical, major, and average severity identified in 
testing stage one are to be resolved before testing in stage two is 
begun. Nonetheless, VA took a high-risk approach to testing by 
performing tests concurrently rather than incrementally. Scheduling 
project officials told us that they ignored their own testing guidance 
and performed concurrent testing at the direction of Office of 
Enterprise Development senior management in an effort to prevent 
project timelines from slipping. The first version to undergo stage 
two testing had 370 defects that should have been resolved before 
stage two testing was begun. Almost 2 years after beginning stage two 
testing, 87 defects that should have been resolved before stage two 
testing began had not been fixed. As a result of a large number of 
defects that VA and the contractor could not resolve, the contract was 
terminated. To prevent these types of problems with future system 
development efforts, we recommended that VA adhere to its own guidance 
for system testing. 

* VA's reporting based on earned value management data was unreliable. 
The Office of Management and Budget (OMB) and VA policies require 
major projects to use earned value management[Footnote 8] to measure 
and report progress. Earned value management is a tool for measuring a 
project's progress by comparing the value of work accomplished with 
the amount of work expected to be accomplished. Such a comparison 
permits actual performance to be evaluated and is based on variances 
[Footnote 9] from the cost and schedule baselines. In January 2006, 
the scheduling project began providing monthly reports to the 
department's Chief Information Officer based on earned value 
management data. However, the progress reports included contradictory 
information about project performance. Specifically, the reports 
featured stoplight indicators (green, yellow, or red) that frequently 
were inconsistent with the reports' narrative. For example, the June 
2007 report identified project cost and schedule performance as green, 
despite the report noting that the project budget was being increased 
by $3 million to accommodate schedule delays. This inconsistent 
reporting continued until October 2008, when the report began to show 
cost and schedule performance as red, the actual state of the project. 
Further, the former program manager noted that the department 
performed earned value management for the scheduling project only to 
fulfill the OMB requirement, and that the data were not used as the 
basis for decision making because doing so was not a part of the 
department's culture. To address these weaknesses, we recommended that 
VA ensure effective implementation of earned value management. 

* VA did not effectively identify, mitigate, and communicate project 
risks. Federal guidance and best practices advocate risk management. 
[Footnote 10] To be effective, risk management activities should 
include identifying and prioritizing risks as to their probability of 
occurrence and impact, documenting them in an inventory, and 
developing and implementing appropriate risk mitigation strategies. VA 
established a process for managing the scheduling system project's 
risks that was consistent with relevant best practices. Specifically, 
project officials developed a risk management plan that defined five 
phases--risk identification, risk analysis, risk response planning, 
risk monitoring and control, and risk review. However, the department 
did not take key project risks into account. Senior project officials 
indicated that staff members were often reluctant to raise risks or 
issues to leadership due to the emphasis on keeping the project on 
schedule. Accordingly, VA did not identify as risks (1) using a 
noncompetitive acquisition approach, (2) conducting concurrent testing 
and initiation of stage two testing with significant defects, and (3) 
reporting unreliable project cost and schedule performance 
information. Any one of these risks alone had the potential to 
adversely impact the outcome of the project. The three of them 
together dramatically increased the likelihood that the project would 
not succeed. To improve management of the project moving forward, we 
recommended that VA identify risks related to the scheduling project 
and prepare plans and strategies to mitigate them. 

* VA's oversight boards did not take corrective actions despite the 
department becoming aware of significant issues. GAO and OMB guidance 
call for the use of institutional management processes to control and 
oversee IT investments.[Footnote 11] Critical to these processes are 
milestone reviews that include mechanisms to identify underperforming 
projects, so that timely steps can be taken to address deficiencies. 
These reviews should be conducted by a department-level investment 
review board composed of senior executives. In this regard, VA's 
Enterprise Information Board was established to provide oversight of 
IT projects through in-process reviews when projects experience 
problems. Similarly, the Programming and Long-Term Issues Board is 
responsible for performing milestone reviews and program management 
reviews of projects. However, between June 2006 and May 2008, the 
department did not provide oversight of the Scheduling Replacement 
Project, even though the department had become aware that the project 
was having difficulty meeting its schedule and performance goals. 
According to the chairman of the Programming and Long-Term Issues 
Board, it did not conduct reviews of the scheduling project prior to 
June 2008 because it was focused on developing the department's IT 
budget strategy. To address these deficiencies, in June 2009, VA began 
establishing the Program Management Accountability System to promote 
visibility into troubled programs and allow the department to take 
corrective actions. We recommended that VA ensure the policies and 
procedures it was establishing were executed effectively. 

In response to our report, VA concurred with our recommendations and 
described its actions to address them. For example, the department 
stated that it would work closely with contracting officers to ensure 
future acquisition plans clearly identify an acquisition strategy that 
promotes full and open competition. In addition, the department stated 
that the Program Management Accountability System will provide near- 
term visibility into troubled programs, allowing the Principal Deputy 
Assistant Secretary for Information and Technology to provide help 
earlier and avoid long-term project failures. 

In May 2011, VA's program manager stated that the department's effort 
to develop a new outpatient scheduling system--now referred to as 21st 
Century Medical Scheduling--consists largely of planning activities, 
including the identification of requirements. However, according to 
the manager, the project is not included in the department's fiscal 
year 2012 budget request. As a result, the department's plans for 
addressing the limitations that it had identified in its current 
scheduling system are uncertain. 

VA Has Partially Delivered New Education Benefits System Capabilities, 
but Can Improve Its Development Process: 

In contrast to the scheduling system project failure, VA has begun 
implementing a new system for processing a recently established 
education benefit for veterans. The Post-9/11 GI Bill provides 
educational assistance for veterans and members of the armed forces 
who served on or after September 11, 2001. VA concluded that its 
existing system and manual processes were insufficient to support the 
new benefits. For instance, the system was not fully integrated with 
other information systems such as VA's payments system, requiring 
claims examiners to access as many as six different systems and 
manually input claims data. Consequently, claims examiners reportedly 
took up to six times longer to pay Post-9/11 GI Bill program claims 
than other VA education benefit claims. The challenges associated with 
its processing system contributed to a backlog of 51,000 claims in 
December 2009. In response to this situation, the department began an 
initiative to modernize its benefits processing capabilities. VA chose 
an incremental development approach, referred to as Agile software 
development,[Footnote 12] which is intended to deliver functionality 
in short increments before the system is fully deployed. 

In December 2010, we reported that VA had delivered key automated 
capabilities used to process the new education benefits. Specifically, 
it deployed the first two of four releases of its long-term system 
solution by its planned dates, thereby providing regional processing 
offices with key automated capabilities to prepare original and 
amended benefits claims. Further, VA established Agile practices 
including a cross-functional team that involves senior management, 
governance boards, key stakeholders, and distinct Agile roles and 
began using three other Agile practices--focusing on business 
priorities, delivering functionality in short increments, and 
inspecting and adapting the project. 

However, to help guide the full development and implementation of the 
new system, we reported that VA could make further improvements to 
these practices in five areas. 

1. Business priorities. To ensure business priorities are a focus, a 
project starts with a vision that contains, among other things, a 
purpose, goals, metrics, and constraints. In addition, it should be 
traceable to requirements. VA established a vision that captured the 
project purpose and goals; however, it had not established metrics for 
the project's goals or prioritized project constraints. Department 
officials stated that project documentation was evolving and they 
intended to improve their processes based on lessons learned; however, 
until it identified metrics and constraints, the department did not 
have the means to compare the projected performance with the actual 
results. We recommended that VA establish performance measures for 
goals and identify constraints to provide better clarity in the vision 
and expectations of the project. 

2. Traceability. VA had also established a plan that identified how to 
maintain requirements traceability within an Agile environment; 
however, the traceability was not always maintained between 
legislation, policy, business rules, and test cases. We recommended 
that VA establish bidirectional traceability between requirements and 
legislation, policies, and business rules. 

3. Definition of "done." To aid in delivering functionality in short 
increments, defining what constitutes completed work and testing 
functionality is critical.[Footnote 13] However, VA had not 
established criteria for work that was considered "done" at all levels 
of the project. Program officials stated that each development team 
had its own definition of "done" and agreed that they needed to 
provide a standard definition across all teams. Without a mutual 
agreement for what constitutes "done" at each level, the resulting 
confusion can lead to inconsistent quality. We therefore recommended 
that VA define the conditions that must be present to consider work 
"done" in adherence with agency policy and guidance. 

4. Testing. While the department had established an incremental 
testing approach, the quality of unit and functional testing performed 
during Release 2 was inadequate in 10 of the 20 segments of system 
functionality we reviewed. Program officials stated that they placed 
higher priority on user acceptance testing at the end of a release and 
relied on users to identify defects that were not detected during unit 
and functional testing. Without improved testing quality, the 
department risks deploying future releases that contain defects that 
may require rework. To reduce defects and rework to fix them, we 
recommended that VA improve the adequacy of the unit and functional 
testing processes. 

5. Oversight. In order for projects to be effectively inspected and 
adapted, management must have tools to provide effective oversight. 
For Agile development, progress and the amount of work remaining can 
be reflected in a burn-down chart, which depicts how factors such as 
the rate at which work is completed (velocity) and changes in overall 
product scope affect the project over time. While VA had an oversight 
tool that showed the percentage of work completed to reflect project 
status at the end of each iteration, it did not depict the velocity of 
the work completed and the changes to scope over time. We therefore 
recommended that VA implement an oversight tool to clearly communicate 
velocity and the changes to project scope over time. 

VA concurred with three of our five recommendations. It did not concur 
with our recommendation that it implement an oversight tool to clearly 
communicate velocity. However, without this level of visibility in its 
reporting, management and the development teams may not have all the 
information they need to fully understand project status. VA also did 
not concur with our recommendation to improve the adequacy of the unit 
and functional testing processes to reduce the amount of system 
rework. However, without increased focus on the quality of testing 
early in the development process, VA risks delaying functionality 
and/or deploying functionality with unknown defects that could require 
future rework that may be costly and ultimately impede the claims 
examiners' ability to process claims efficiently. 

In early May 2011, we reported that the implementation of remaining 
capabilities is behind schedule and additional modifications are 
needed.[Footnote 14] According to VA officials, system enhancements 
such as automatic verification of the length of service were delayed 
because of complexities with systems integration and converting data 
from the interim system. Additionally, recent legislative changes to 
the program required VA to modify the system and its deployment 
schedule. For instance, VA will need to modify its system to reflect 
changes to the way tuition and fees are calculated--an enhancement 
that officials described as difficult to implement. Because of these 
delays, final deployment of the system is now scheduled for the end of 
2011--a year later than planned. 

VA Continues to Face Information Security Challenges: 

Effective information security controls[Footnote 15] are essential to 
securing the information systems and information on which VA depends 
to carry out its mission. Without proper safeguards, the department's 
systems are vulnerable to individuals and groups with malicious intent 
who can intrude and use their access to obtain sensitive information, 
commit fraud, disrupt operations, or launch attacks against other 
computer systems and networks. The consequence of weak information 
security controls was illustrated by VA's May 2006 announcement that 
computer equipment containing personal information on veterans and 
active duty military personnel had been stolen. Further, over the last 
few years, VA has reported an increasing number of security incidents 
and events. Specifically, each year during fiscal years 2007 through 
2009, the department reported a higher number of incidents and the 
highest number of incidents in comparison to 23 other major federal 
agencies. 

To help protect against threats to federal systems, the Federal 
Information Security Management Act of 2002 (FISMA) sets forth a 
comprehensive framework for ensuring the effectiveness of information 
security controls over information resources that support federal 
operations and assets. The framework creates a cycle of risk 
management activities necessary for an effective security program. In 
order to ensure the implementation of this framework, FISMA assigns 
specific responsibilities to OMB, agency heads, chief information 
officers, inspectors general, and the National Institute of Standards 
and Technology (NIST), in particular requiring chief information 
officers and inspectors general to submit annual reports to OMB. 

In addition, Congress enacted the Veterans Benefits, Health Care, and 
Information Technology Act of 2006.[Footnote 16] Under the act, VA's 
Chief Information Officer is responsible for establishing, 
maintaining, and monitoring departmentwide information security 
policies, procedures, control techniques, training, and inspection 
requirements as elements of the department's information security 
program. It also reinforced the need for VA to establish and carry out 
the responsibilities outlined in FISMA, and included provisions to 
further protect veterans and service members from the misuse of their 
sensitive personal information and to inform Congress regarding 
security incidents involving the loss of that information. 

Weaknesses in Security Controls Have Placed VA's Systems at Risk: 

Information security has been a long-standing challenge for the 
department, as we have previously reported. In 2010, for the 14th year 
in a row, VA's independent auditor reported that inadequate 
information system controls over financial systems constituted a 
material weakness.[Footnote 17] Among 24 major federal agencies, VA 
was one of eight agencies in fiscal year 2010 to report such a 
material weakness. 

VA's independent auditor stated that, while the department continued 
to make steady progress, IT security and control weaknesses remained 
pervasive and placed VA's program and financial data at risk. The 
auditor noted the following weaknesses: 

* Passwords for key VA network domains and financial applications were 
not consistently configured to comply with agency policy. 

* Testing of contingency plans for financial management systems at 
selected facilities was not routinely performed and documented to meet 
the requirements of VA policy. 

* Many IT security control deficiencies were not analyzed and 
remediated across the agency and a large backlog of deficiencies 
remained in the VA plan of action and milestones system. In addition, 
previous plans of action and milestones were closed without sufficient 
and documented support for the closure. 

In addition, VA has consistently had weaknesses in major information 
security control areas. As shown in table 1, for fiscal years 2007 
through 2010, deficiencies were reported in each of the five major 
categories of information security access controls[Footnote 18] as 
defined in our Federal Information System Controls Audit Manual. 
[Footnote 19] 

Table 1: Control Weaknesses for Fiscal Years 2007 - 2010: 

Security control category: Access control; 
2007: [Check]; 
2008: [Check]; 
2009: [Check]; 
2010: [Check]. 

Security control category: Configuration management; 
2007: [Check]; 
2008: [Check]; 
2009: [Check]; 
2010: [Check]. 

Security control category: Segregation of duties; 
2007: [Check]; 
2008: [Check]; 
2009: [Check]; 
2010: [Check]. 

Security control category: Contingency planning; 
2007: [Check]; 
2008: [Check]; 
2009: [Check]; 
2010: [Check]. 

Security control category: Security management; 
2007: [Check]; 
2008: [Check]; 
2009: [Check]; 
2010: [Check]. 

Source: GAO analysis based on VA and Inspector General reports. 

[End of table] 

In fiscal year 2010, for the 11th year in a row, the VA's Office of 
Inspector General designated VA's information security program and 
system security controls as a major management challenge for the 
department. Of 24 major federal agencies, the department was 1 of 23 
to have information security designated as a major management 
challenge. The Office of Inspector General noted that the department 
had made progress in implementing components of an agencywide 
information security program, but nevertheless continued to identify 
major IT security deficiencies in the annual information security 
program audits. To assist the department in improving its information 
security, the Office of Inspector General made recommendations for 
strengthening access controls, configuration management, change 
management, and service continuity. Effective implementation of these 
recommendations could help VA to prevent, limit, and detect 
unauthorized access to computerized networks and systems and help 
ensure that only authorized individuals can read, alter, or delete 
data. 

In March 2010, we reported[Footnote 20] that federal agencies, 
including VA, had made limited progress in implementing the Federal 
Desktop Core Configuration (FDCC) initiative to standardize settings 
on workstations.[Footnote 21] We determined that VA had implemented 
certain requirements of the initiative, such as documenting deviations 
from the standardized set of configuration settings for Windows 
workstations and putting a policy in place to officially approve these 
deviations. However, VA had not fully implemented several key 
requirements. For example, the department had not included language in 
contracts to ensure that new acquisitions address the settings and 
that products of IT providers operate effectively using them. 
Additionally, VA had not obtained a NIST-validated tool to monitor 
implementation of standardized workstation configuration settings. To 
improve the department's implementation of the initiative, we made 
four recommendations: (1) complete implementation of VA's baseline set 
of configuration settings, (2) acquire and deploy a tool to monitor 
compliance with FDCC, (3) develop, document, and implement a policy to 
monitor compliance, and (4) ensure that FDCC settings are included in 
new acquisitions and that products operate effectively using these 
settings. VA concurred and has addressed the recommendation to ensure 
settings are included in new acquisitions. The department intends to 
implement the remaining recommendations in the future. 

VA's Uneven Implementation of FISMA Has Limited the Effectiveness of 
Security Efforts: 

FISMA requires each agency, including agencies with national security 
systems, to develop, document, and implement an agencywide information 
security program to provide security for the information and 
information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. As part of its oversight 
responsibilities, OMB requires agencies to report on specific 
performance measures, including the percentage of: 

* employees and contractors receiving IT security awareness training 
and those who have significant security responsibilities and have 
received specialized security training, 

* systems whose controls were tested and evaluated, have tested 
contingency plans, and are certified and accredited.[Footnote 22] 

Since fiscal year 2006, VA's progress in fully implementing the 
information security program required under FISMA and following the 
policies issued by OMB has been mixed. For example, from 2006 to 2009, 
the department reported a dramatic increase in the percentage of 
systems for which a contingency plan was tested in accordance with OMB 
policy. However, during the same period, it reported decreases in both 
the percentage of employees who had received security awareness 
training and the percentage of employees with significant security 
responsibilities who had received specialized security training. These 
decreases in the percentage of individuals who had received 
information security training could limit the ability of VA to 
effectively implement security measures. 

For fiscal year 2009, in comparison to 23 other major federal 
agencies, VA's efforts to implement these information security control 
activities were equal to or higher in some areas and lower in others. 
For example, VA reported equal or higher percentages than other 
federal agencies in the number of systems for which security controls 
had been tested and reviewed in the past year, the number of systems 
for which contingency plans had been tested in accordance with OMB 
policy, and the number of systems that had been certified and 
accredited. However, VA reported lower percentages of individuals who 
received security awareness training and lower percentages of 
individuals with significant security responsibilities who received 
specialized security training. 

Cloud Computing Presents Opportunities but Poses IT Security 
Challenges: 

Cloud computing is an emerging form of computing that relies on 
Internet-based services and resources to provide computing services to 
customers, while freeing them from the burden and costs of maintaining 
the underlying infrastructure. Examples of cloud computing include Web-
based e-mail applications and common business applications that are 
accessed online through a browser, instead of through a local 
computer. The President's budget has identified the adoption of cloud 
computing in the federal government as a way to more efficiently use 
the billions of dollars spent annually on IT. However, as we reported 
in May 2010,[Footnote 23] federal guidance and processes that 
specifically address information security for cloud computing had not 
yet been developed, and those cloud computing programs that have been 
implemented may not have effective information security controls in 
place. 

As we reported, cloud computing can both increase and decrease the 
security of information systems in federal agencies. Potential 
information security benefits include those related to the use of 
virtualization, such as faster deployment of patches, and from 
economies of scale, such as potentially reduced costs for disaster 
recovery. Risks include dependence on the security practices and 
assurances of the provider, dependence on the provider, and concerns 
related to sharing computing resources. However, these risks may vary 
based on the cloud deployment model. Private clouds may have a lower 
threat exposure than public clouds, but evaluating this risk requires 
an examination of the specific security controls in place for the 
cloud's implementation. We made recommendations to OMB, the General 
Services Administration, and NIST to assist agencies in identifying 
uses of cloud computing and necessary security measures, selecting and 
acquiring cloud computing products and services, and implementing 
appropriate information security controls when using cloud computing. 

VA Faces Barriers to Establishing Shared Electronic Health Record 
Capabilities with DOD: 

VA and DOD have two of the nation's largest health care operations, 
providing health care to 6 million veterans and 9.6 million active 
duty service members and their beneficiaries at estimated annual costs 
of about $48 billion and $49 billion, respectively. Although the 
results of a 2008 study found that more than 97 percent of functional 
requirements for an inpatient electronic health record system are 
common to both departments, the departments have spent large sums of 
money to separately develop and operate electronic health record 
systems. Furthermore, the departments have each begun multimillion 
dollar modernizations of their electronic health record systems. 
Specifically, VA reported spending almost $600 million from 2001 to 
2007 on eight projects as part of its Veterans Health Information 
Systems and Technology Architecture (VistA) modernization. In April 
2008, VA estimated an $11 billion total cost to complete the 
modernization by 2018. For its part, DOD has obligated approximately 
$2 billion over the 13-year life of its Armed Forces Health 
Longitudinal Technology Application (AHLTA) and requested $302 million 
in fiscal year 2011 funds for a new system. 

Additionally, VA and DOD are working to establish the Virtual Lifetime 
Electronic Record (VLER), which is intended to facilitate the sharing 
of electronic medical, benefits, and administrative information 
between the departments. VLER is further intended to expand the 
departments' health information sharing capabilities by enabling 
access to private sector health data. The departments are also 
developing joint IT capabilities for the James A. Lovell Federal 
Health Care Center (FHCC) in North Chicago, Illinois. The FHCC is to 
be the first VA/DOD medical facility operated under a single line of 
authority to manage and deliver medical and dental care for veterans, 
new Naval recruits, active duty military personnel, retirees, and 
dependents. 

In February 2011, we reported that VA and DOD lacked mechanisms for 
identifying and implementing efficient and effective IT solutions to 
jointly address their common health care system needs as a result of 
barriers in three key IT management areas--strategic planning, 
enterprise architecture, and investment management. 

* Strategic planning: The departments were unable to articulate 
explicit plans, goals, and time frames for jointly addressing the 
health IT requirements common to both departments' electronic health 
record systems. For example, VA's and DOD's joint strategic plan did 
not discuss how or when the departments propose to identify and 
develop joint health IT solutions, and department officials did not 
determine whether the IT capabilities developed for the FHCC could or 
would be implemented at other VA and DOD medical facilities. 

* Enterprise architecture: Although VA and DOD had taken steps toward 
developing and maintaining artifacts related to a joint health 
architecture (i.e., a description of business processes and supporting 
technologies), the architecture was not sufficiently mature to guide 
the departments' joint health IT modernization efforts. For example, 
the departments did not define how they intended to transition from 
their current architecture to a planned future state. 

* Investment management: VA and DOD did not establish a joint process 
for selecting IT investments based on criteria that consider cost, 
benefit, schedule, and risk elements, which would help to ensure that 
a chosen solution both meets the departments' common health IT needs 
and provides better value and benefits to the government as a whole. 

These barriers resulted in part from VA's and DOD's decision to focus 
on developing VLER, modernizing their separate electronic health 
record systems, and developing IT capabilities for FHCC, rather than 
determining the most efficient and effective approach to jointly 
addressing their common requirements. Because VA and DOD continued to 
pursue their existing health information sharing efforts without fully 
establishing the key IT management capabilities described, they may 
have missed opportunities to successfully deploy joint solutions to 
address their common health care business needs. 

VA's and DOD's experiences in developing VLER and IT capabilities for 
FHCC offered important lessons to improve the departments' management 
of these ongoing efforts. Specifically, the departments can improve 
the likelihood of successfully meeting their goal to implement VLER 
nationwide by the end of 2012 by developing an approved plan that is 
consistent with effective IT project management principles. Also, VA 
and DOD can improve their continuing effort to develop and implement 
new IT system capabilities for FHCC by developing a plan that defines 
the project's scope, estimated cost, and schedule in accordance with 
established best practices. Unless VA and DOD address these lessons, 
the departments will jeopardize their ability to deliver expected 
capabilities to support their joint health IT needs. 

We recommended several actions that the Secretaries of Veterans 
Affairs and Defense could take to overcome barriers that the 
departments face in modernizing their electronic health record systems 
to jointly address their common health care business needs, including 
the following: 

* Revise the departments' joint strategic plan to include information 
discussing their electronic health record system modernization efforts 
and how those efforts will address the departments' common health care 
business needs. 

* Further develop the departments' joint health architecture to 
include their planned future state and transition plan from their 
current state to the next generation of electronic health record 
capabilities. 

* Define and implement a process, including criteria that considers 
costs, benefits, schedule, and risks, for identifying and selecting 
joint IT investments to meet the departments' common health care 
business needs. 

We also recommended that the Secretaries of Veterans Affairs and 
Defense strengthen their ongoing efforts to establish VLER and the 
joint IT system capabilities for FHCC by developing plans that include 
scope definition, cost and schedule estimation, and project plan 
documentation and approval. 

Both departments concurred with our recommendations and on March 17, 
2011, the Secretaries of Veterans Affairs and Defense committed their 
respective departments to pursue joint development and acquisition of 
integrated electronic health record capabilities. 

In summary, effective IT management is critical to the performance of 
VA's mission. However, the department faces challenges in key areas, 
including systems development, information security, and collaboration 
with DOD. Until VA fully addresses these and implements key 
recommendations, the department will likely continue to (1) deliver 
system capabilities later than expected; (2) expose its computer 
systems and sensitive information (including personal information of 
veterans and their beneficiaries) to an unnecessary and increased risk 
of unauthorized use, disclosure, tampering, theft, and destruction; 
and (3) not provide efficient and effective joint DOD/VA solutions to 
meet the needs of our nation's veterans. 

Mr. Chairman, this concludes my statement today. I would be pleased to 
answer any questions you or other members of the subcommittee may have. 

Contacts and Acknowledgments: 

If you have questions concerning this statement, please contact Joel 
C. Willemssen, Managing Director, Information Technology Team, at 
(202) 512-6253 or willemssenj@gao.gov; or Valerie C. Melvin, Director, 
Information Management and Human Capital Issues, at (202) 512-6304 or 
melvinv@gao.gov. Other individuals who made key contributions include 
Mark Bird, Assistant Director; Mike Alexander; Nancy Glover; Paul 
Middleton; and Glenn Spiegel. 

[End of section] 

Footnotes: 

[1] GAO, Electronic Health Records: DOD and VA Should Remove Barriers 
and Improve Efforts to Meet Their Common System Needs, [hyperlink, 
http://www.gao.gov/products/GAO-11-265] (Washington, D.C.: February 
2011); Information Technology: Veterans Affairs Can Further Improve 
Its Development Process for Its New Education Benefits System, 
[hyperlink, http://www.gao.gov/products/GAO-11-115] (Washington, D.C.: 
December 2010); Information Security: Federal Guidance Needed to 
Address Control Issues with Implementing Cloud Computing, [hyperlink, 
http://www.gao.gov/products/GAO-10-513] (Washington, D.C.: May 2010); 
Information Technology: Management Improvements Are Essential to VA's 
Second Effort to Replace Its Outpatient Scheduling System, [hyperlink, 
http://www.gao.gov/products/GAO-10-579 (Washington, D.C.: May 2010); 
and Information Security: Veterans Affairs Needs to Resolve Long-
Standing Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-10-727T] (Washington, D.C.: May 19, 
2010). 

[2] [hyperlink, http://www.gao.gov/products/GAO-10-579] and 
[hyperlink, http://www.gao.gov/products/GAO-11-115]. 

[3] See FAR, subpart 7.1. See also FAR 34.004. 

[4] See FAR 7.105 b(2). 

[5] See Carnegie Mellon Software Engineering Institute, Capability 
Maturity Model® Integration for Development, version 1.2 (Pittsburgh, 
Pa., August 2006), and Software Acquisition Capability Maturity Model 
(SA-CMM) version 1.03, CMU/SEI-2002-TR-010 (Pittsburgh, Pa., March 
2002). 

[6] Defects are system problems that require a resolution and can be 
due to a failure to meet the system specifications. 

[7] According to VA testing documentation, these stages are (1) 
testing within the VA development team, (2) testing services, (3) 
field testing, and (4) final review and acceptance testing. 

[8] OMB issued policy guidance (M-05-23) to agency CIOs on improving 
technology projects that includes requirements for reporting 
performance to OMB using earned value management (August 2005). 

[9] Cost variances compare the value of the completed work (i.e., the 
earned value) with the actual cost of the work performed. Schedule 
variances are also measured in dollars, but they compare the earned 
value of the completed work with the value of the work that was 
expected to be completed. Positive variances indicate that activities 
cost less or are completed ahead of schedule. Negative variances 
indicate activities cost more or are falling behind schedule. 

[10] OMB Circular A-130 (Nov. 30, 2000) and Carnegie Mellon Software 
Engineering Institute, Capability Maturity Model Integration for 
Development, version 1.2 (Pittsburgh, Pa., August 2006). 

[11] GAO, Information Technology Investment Management: A Framework 
for Assessing and Improving Process Maturity, [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004) and OMB, Capital Programming Guide: Supplement to Circular A-11, 
Part 7, Planning, Budgeting, and Acquisition of Capital Assets 
(Washington, D.C., June 2006). 

[12] Agile software development is not a set of tools or a single 
methodology, but a philosophy based on selected values, such as, the 
highest priority is to satisfy customers through early and continuous 
delivery of valuable software; delivering working software frequently, 
from a couple of weeks to a couple of months; and that working 
software is the primary measure of progress. For more information on 
Agile development, see [hyperlink, http://www.agilealliance.org]. 

[13] One of the key Agile principles is that the delivery of completed 
software be defined, commonly referred to as the definition of "done." 
This is critical to the development process to help ensure that, among 
other things, testing has been adequately performed and the required 
documentation has been developed. 

[14] GAO, Veterans' Education Benefits: Enhanced Guidance and 
Collaboration Could Improve Administration of the Post-9/11 GI Bill 
Program, [hyperlink, http://www.gao.gov/products/GAO-11-356R] 
(Washington, D.C.: May 2011). 

[15] Information system general controls affect the overall 
effectiveness and security of computer operations and are not unique 
to specific computer applications. These controls include security 
management, configuration management, operating procedures, software 
security features, and physical protections designed to ensure that 
access to data is appropriately restricted, that only authorized 
changes to computer programs are made, that incompatible computer- 
related duties are segregated, and that backup and recovery plans are 
adequate to ensure the continuity of operations. 

[16] Veterans Benefits, Health Care, and Information Technology Act of 
2006, Pub. L. No. 109-461, 120 Stat. 3403, 3450 (Dec. 22, 2006). 

[17] A material weakness is a significant deficiency, or combination 
of significant deficiencies, that results in more than a remote 
likelihood that a material misstatement of the financial statements 
will not be prevented or detected by the entity's internal control. 

[18] Access controls ensure that only authorized individuals can read, 
alter, or delete data; configuration management controls provide 
assurance that only authorized software programs are implemented; 
segregation of duties reduces the risk that one individual can 
independently perform inappropriate actions without detection; 
continuity of operations planning provides for the prevention of 
significant disruptions of computer-dependent operations; and an 
agencywide information security program provides the framework for 
ensuring that risks are understood and that effective controls are 
selected and properly implemented. 

[19] GAO, Federal Information System Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, 
D.C.: Feb. 2009). 

[20] GAO, Information Security: Agencies Need to Implement Federal 
Desktop Core Configuration Requirements, [hyperlink, 
http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: March 12, 
2010). 

[21] In March 2007, OMB launched the FDCC initiative to standardize 
and strengthen information security at federal agencies. Under the 
initiative, agencies were to implement a standardized set of 
configuration settings on workstations with Microsoft Windows XP or 
Vista operating systems. OMB intended that by implementing the 
initiative, agencies would establish a baseline level of information 
security, reduce threats and vulnerabilities, and improve protection 
of information and related assets. 

[22] Certification is a comprehensive assessment of management, 
operational, and technical security controls in an information system, 
made in support of security accreditation, to determine the extent to 
which the controls are implemented correctly, operating as intended, 
and producing the desired outcome with respect to meeting the security 
requirements for the system. Accreditation is the official management 
decision to authorize operation of an information system and to 
explicitly accept the risk to agency operations based on 
implementation of controls. 

[23] [hyperlink, http://www.gao.gov/products/GAO-10-513]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: