This is the accessible text file for GAO report number GAO-10-170R entitled 'Department of Veterans Affairs' Implementation of Information Security Education Assistance Program' which was released on December 18, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-10-170R: United States Government Accountability Office: Washington, DC 20548: December 18, 2009: The Honorable Daniel K. Akaka: Chairman: The Honorable Richard Burr: Ranking Member: Committee on Veterans' Affairs: United States Senate: The Honorable Bob Filner: Chairman: The Honorable Steve Buyer: Ranking Member: Committee on Veterans' Affairs: House of Representatives: Subject: Department of Veterans Affairs' Implementation of Information Security Education Assistance Program: The Veterans Benefits, Health Care, and Information Technology Act of 2006 authorizes the Secretary of Veterans Affairs to establish an educational assistance program for information security.[Footnote 1] The Information Security Education Assistance Program is envisioned as a means for the Department of Veterans Affairs (VA) to attract and retain individuals with advanced skills in information security. The legislation authorizes the agency to establish scholarships for qualified students who pursue doctoral degrees in computer science and electrical and computer engineering at accredited institutions and to offer educational debt reduction for VA employees who hold doctoral degrees in these fields. This letter responds to the act's requirement that we report on the scholarship and education debt reduction programs within 3 years of the act's December 22, 2006, enactment.[Footnote 2]As agreed with your offices, our objective was to determine the status of VA's implementation of the program. To accomplish this objective, we analyzed section 903 of the act, the status of the draft regulations governing the program, and the agency's process for implementing the program. We interviewed officials in VA's Office of Information and Technology, Office of General Counsel, and Office of Congressional and Legislative Affairs and reviewed documents related to the implementation process. To gain an understanding of how the department manages other education programs, we also interviewed officials in the Veterans Health Administration. In addition, we met with officials in the Office of Inspector General and reviewed that office's reports on VA's Office of Information and Technology. We performed our work from April 2009 to December 2009 in accordance with generally accepted government auditing standards. These standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Results in Brief: The Department of Veterans Affairs has not begun to award scholarships or offer and disburse loan repayments under the Information Security Education Assistance Program, although it has taken some steps to implement the program. Since 2006, VA has drafted governing regulations, which are now undergoing internal review, and has developed a budget impact analysis. After the department's internal review is completed, several additional steps are planned before the regulations are issued, including review by the Office of Management and Budget (OMB) and a public comment period. Department officials anticipate that the debt-reduction portion of the program will begin, and the first scholarship candidates will be selected, during 2011. Background: The Veterans Benefits, Health Care, and Information Technology Act was enacted after a serious loss of data in 2006 revealed weaknesses in VA's handling of personally identifiable information. Specifically, in May 2006, an information security breach at the department occurred involving a stolen hard drive with personal data on millions of veterans and their dependents. The incident highlighted the seriousness of weaknesses in the department's information security. In testimony shortly after the breach, we noted that for many years, significant concerns had been raised about VA's information security--particularly its lack of a robust information security program, which is vital to minimizing the risk of compromise of government information, including sensitive personal information.[Footnote 3] One of the programs authorized by the Veterans Benefits, Health Care, and Information Technology Act in response to these concerns about VA's longstanding information security weaknesses and the data breach was the Information Security Education Assistance Program. Under the act, the Secretary of the Department of Veterans Affairs was authorized to establish an education assistance program for doctoral students in computer science and computer and electrical engineering to strengthen VA's ability to recruit and retain individuals who have necessary information security skills. The program is to have two parts: a debt- reduction program for VA employees who have recently earned doctoral degrees, and a scholarship program for qualified individuals who must agree to work for the agency on completion of their academic programs. The agency is authorized to repay up to $16,500 of student loan debt each year for qualified employees up to a total of 5 years and $82,500. Doctoral students may receive full tuition scholarships plus a monthly stipend for up to 5 years, not to exceed a total of $200,000. According to section 903(c) of the act, the scholarship program may only apply to financial assistance provided for an academic semester or term that begins on or after August 1, 2007. Authorization to make payments under the program expires on July 31, 2017. The act also requires VA to prescribe regulations for administering the program. The VA unit responsible for implementing the Information Security Education Assistance Program is the Office of Information and Technology (OI&T), which oversees the department's information technology (IT) assets and resources including information security and privacy. Within OI&T, two offices have managed the implementation efforts: the Office of Information Technology Resource Management, which is responsible for human capital and IT budgeting, and the Office of Information Protection and Risk Management, which is responsible for information security. VA's Office of General Counsel also has a role. General Counsel's Office of Regulation Policy and Management monitors and reviews proposed regulations, provides regulatory impact analyses, and is VA's regulatory liaison with OMB. VA Has Begun Implementing the Program but Considerable Work Remains Before Financial Assistance Can Begin: VA is in the process of developing regulations for administering the program, as called for by the act. OI&T's Office of Information Technology Resource Management began work on the regulations and had a draft ready for internal review and concurrence by August 2007. Responsibility for managing the concurrence process and ensuring that other VA offices reviewed and concurred with the program regulations was assigned, on August 1, 2007, to the Office of Information Protection and Risk Management since, according to a senior OI&T official, this office would most benefit from the program. The status of the review and concurrence process was to be monitored by General Counsel's Office of Regulation Policy and Management. The regulations have not yet been issued. During 2007 and 2008, the Office of Regulation Policy and Management sent multiple status inquiries to Information Protection and Risk Management. In April 2008, Regulation Policy and Management noted that it had received no status updates in about a year. In the summer of 2008, OI&T's Office of Information Technology Resource Management learned, according to a senior official within the office, that the draft regulations were still in Information Protection and Risk Management and no apparent action had been taken. At that point, Resource Management took responsibility for ensuring that the draft regulations were sent forward for review and concurrence. Subsequently, in January 2009, the draft regulations were sent to VA's Office of General Counsel for review. In September 2009, the Office of General Counsel provided initial comments on the draft regulations. VA plans several other actions before issuing the regulations and has outlined a project plan for issuing the regulations that includes the remaining steps and milestones. Specifically, after final concurrence by the Office of General Counsel and concurrence by the other departmental offices, the draft regulations must be approved by the Secretary of Veterans Affairs. The department will then submit the draft regulations for review by OMB and then for comment from the public. VA officials estimate that, after the department addresses these comments and OMB performs another review, the final regulations could be issued in January 2011. VA Plans to Begin Program Activities in January 2011: VA officials anticipate that, if funds are available, the agency will announce the program and begin seeking candidates in January 2011 for both the debt reduction and scholarship components of the program. More time will elapse before any scholarship candidates receive doctoral degrees and are able to apply that educational experience to VA's information security needs.[Footnote 4] VA has drafted an impact analysis that estimates the costs for the program and has identified two current staff members who may be eligible for debt repayments. In its impact analysis, VA estimates that the program will cost at least $217,000 by 2015, based on a survey which suggests that the department will have one candidate for the scholarship program and three candidates for the debt reduction program within the next 5 years. According to VA officials, no funds were allocated to the program in the department's fiscal year 2010 budget. Figure 1 summarizes VA's actions and planned actions, from enactment of the authorizing legislation through program implementation. Figure 1: Completed and Planned Actions for the Information Security Education Assistance Program: [Refer to PDF for image: illustration] Completed Activities: Authorizing legislation enacted: December 2006. Task: Regulations drafted: February-June, 21007; Task: Internal review begins: July 2007-December 2008; Task: Reviewed by General Counsel: January-September, 2009; Milestone: Impact analysis complete: October, 2009; Planned Activities: Task: Agency concurrence process continues: October, 2009-April, 2010; Milestone: Signed by Secretary: January, 2010 Task: OMB review: January-March, 2010; Task: Public comment: March-April, 2010; Task: Respond to comments: May-June, 2010; Task: Final reviews by General Counsel and OMB: July-December, 2010; Milestone: Regulations issued, programs announced: January, 2011; Task: Loan repayments available: January 2011-July, 2017; Task: Scholarships available (next full academic year): September, 2011- July, 2017; Milestone: Program authority ends: July 2017. Source: GAO analysis of agency data. [End of figure] In comments provided via e-mail on a draft of this correspondence, the GAO liaison, VA Office of Congressional and Legislative Affairs, stated that the department had reviewed the draft report and had no comments to offer at this time. We are sending a copy of this letter to the Secretary of Veterans Affairs. In addition, the document will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any questions regarding this letter, please contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Valerie C. Melvin at (202) 512-6304 or melvinv@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this letter are Charles Vrabel (Assistant Director), Monica Perez Anatalio, Neil Doherty, Nancy Glover, Mary Marshall, Lee McCracken, Kate Nielsen, Sylvia Shanks, Glenn Spiegel, and Adam Vodraska. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: Signed by: Valerie C. Melvin: Director, Information Management and Human Capital Issues: [End of section] Footnotes: [1] Pub. L. No. 109-461, § 903, 120 Stat. 3403, 3460 (Dec. 22, 2006), adding a new Chapter 79, Information Security Education Assistance Program, to Title 38 of the U.S. Code. This program is part of Title IX of the act known as the Department of Veterans Affairs Information Security Enhancement Act of 2006. [2] Pub. L. No. 109-461, § 903(b), 120 Stat. 3464. [3] GAO, Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, [hyperlink, http://www.gao.gov/products/GAO-06-866T], (Washington, D.C.: June 14, 2006). [4] The earliest date to hire a doctoral program graduate who receives a scholarship might be around January 2012. This date assumes that VA selects a graduate at the program's start in January 2011 who is in the last year of doctoral study. A candidate just starting a doctoral program might take considerably longer. For example, Carnegie Mellon University suggests it may take 6 years to complete a Ph.D. in computer science and the University of Texas, Austin, estimates 3 to 5 years. [End of setion] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: