VA OFFICIAL OPPOSES CENTRALIZATION OF IT MANAGEMENT
--
Department memos show resistance to change.

Story here...
http://www.govexec.com/dailyfed/0606/062106p2.htm
Story below:
---------------
VA official opposes centralization of IT management
By Daniel Pulliam
dpulliam@govexec.com
The Veterans Affairs Department general counsel resisted repeated attempts
by the agency's chief information security officer to centralize authority
for IT security, according to internal memorandums.
IT management at the VA is gaining congressional attention as lawmakers look
into how a long-time agency employee was able to take veterans' sensitive
personal records home unauthorized for three years, culminating in last
month's data breach. The House Veterans' Affairs Committee is holding a
hearing Thursday focusing on the management structure governing IT security.
VA officials have said they believe the department's "federated" IT
management model, adopted last year, gives the chief information officer the
necessary authority and enforcement powers to improve information security.
But a review of department memos written over the last three years and
interviews with former agency officials and congressional staff members
familiar with the matter reveal an organization intensely resistant to
change and program offices tenaciously opposing attempts to impose central
authority on the department's wide-ranging technology operations.
VA Secretary James Nicholson has acknowledged in congressional testimony
that there is long-standing resistance to change in the department and said
Wednesday the agency has become lax in enforcing its security practices.
An Aug. 1, 2003, memo from the VA's general counsel to Bruce Brody, the
department's associate deputy assistant secretary for cyber and information
security at the time, declared that the authority to enforce security,
including information security, physical security and personnel security,
would remain with the respective offices involved.
The memo gave these instructions even though the Clinger Cohen Act grants
such authority to the CIO and the 2002 Federal Information Security
Management Act leaves it with the chief information security officer,
according to two congressional sources.
A second memo from McClain, dated April 7, 2004, reinforced VA's policy,
stating that the CIO cannot enforce information security requirements
because FISMA uses the word "ensure" with regard to CIO authority, rather
than "enforce." If VA organizations fail to comply with information security
policies, the CIO's only recourse is to appeal to the department secretary,
the memo stated.
McClain and Brody are on the witness list for Thursday's hearing.
In written testimony scheduled to be delivered at the hearing, VA General
Counsel Tim McClain, who signed the memo, said FISMA does not provide a
means for CIOs to ensure compliance.
McClain argued that the law does not require giving the CIO direct control
over agency programs because that type of control "is not the only means" by
which information security can be accomplished.
A March 16, 2004, memo from then-VA Secretary Anthony Principi stated that
then-CIO Robert McFarland was responsible for implementing a departmentwide
information security program, but McClain said in his testimony that the
memo merely stated the secretary's "intention" to give McFarland the "power
and authority needed" over employees involved with cybersecurity.
Brody, now vice president for information security at the Reston, Va.-based
market research firm INPUT, said his attempts to enforce security policies
at the agency were "fought off at every turn by the administrations and
program offices that were resistant to change."
"Anything related to central security controls was fiercely resisted," Brody
said. "The fragmentation of security in the eyes of the general counsel made
it impossible to put a security program in place. Those two memos [from
McClain] alone served to fragment security and then clip its wings."
Len Sistek, Democratic staff director for the House Veterans' Affairs
Subcommittee on Oversight and Investigations, said it is clear that the CIO
had the power to advise and encourage, "but the enforcement teeth rested
elsewhere."
---------------
Larry Scott