VA security policies lack enforcement teeth, legislator says

The Veterans Affairs Department has issued a series of directives intended to prevent future security breaches, but the rules lack firm enforcement mechanisms, a lawmaker and congressional staff member said.

A June 7 directive, signed by Gordon Mansfield, the department's deputy secretary and chief operating officer, and Robert T. Howard, supervisor of the Office of Information Technology, establishes security measures for all data handled by employees. In particular, it covers the transmission of data and the use of nonelectronic records outside a regular agency work site.

Rep. Bob Filner, D-Calif., a member of the House Veterans' Affairs Committee, said the policies are "somewhat light on enforcement and on [the] specific liabilities and punitive actions" for employees who fail to protect sensitive information.

Len Sistek, Democratic staff director for the House Veterans' Affairs Subcommittee on Oversight and Investigations, noted the directive uses the word "enforcing," but said the policy does not make clear what that means or where the enforcement authority resides.

Considering that VA Secretary James Nicholson wants stiffer penalties for government employees who mishandle sensitive information, the document, while generally an improvement, is still light on explaining the repercussions for noncompliance, Sistek said.

House Veterans Affairs Committee Chairman Steve Buyer, R-Ind., said he had not seen the directive and could not comment on it.

A VA spokesman cited testimony presented by Nicholson last week before the House Government Reform Committee, stating that the department has the authority "to discipline employees and possibly bring criminal actions against those who willfully disregard the safeguards" needed to protect sensitive data.

Nicholson also said the centralization of information technology management will enhance the VA's ability to enforce information security policies.

Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, said the chief information officer's office attempted to put a similar policy in place years ago but experienced resistance from VA leaders.

Brody questioned how the directive would be enforced because, he said, "central authority over information security doesn't exist" at the VA.

"Everyone is in charge, therefore no one is in charge," he said.

COMMENTS

  • "Everyone is in charge. Therefore, no one is in charge." That is how the federal government operates. I don't see how the VA can be singled out when the Defense Department, the Labor Department and many other agencies deliberately operate in this manner. They do it so no one can be held accountable for violating federal laws on a routine basis. It really bugs me that any congressional representative can act like he has made this amazing observation. Congress has looked the other way for years knowing darn well that many innocent people get walked all over and lives are often destroyed by federal agencies breaking the law. Just try and get your congressional representative to stand up for you when your lawful rights are being violated by federal agencies. They blow you off like you don't exist.