VA panel to move data breach bill
After five full committee hearings on a significant data breach at the Veterans Affairs Department, the House Veterans Affairs Committee plans to debate legislation Thursday in hopes of preventing a similar security problem.
The committee took comments on a draft of the bill during a hearing on Tuesday.
The measure proposes notification requirements for people who could be impacted by security breaches, credit-monitoring services for victims, and investigations after any breaches to determine risks of identity theft.
Chairman Steve Buyer, R-Ind., also wants to alter the Federal Information Security Management Act to define the responsibilities of an agency secretary and undersecretary on notification of security breaches.
The draft legislation would elevate the VA's chief information officer to Cabinet status as undersecretary for information security. The undersecretary would be given three deputy undersecretaries for security, operations management and policy planning.
Former top security officers at the VA offered feedback on the bill, which was first discussed in June.
John Gauss, who served as CIO until 2003, said, "As an undersecretary, the CIO will have a seat at the table where the real decisions are made."
"Without the ability to enforce, authority doesn't mean anything," said Robert McFarland, who left as CIO in May, after the disclosure of a breach that could have affected 26.5 million veterans and active-duty military personnel.
Gauss recommended that the bill be implemented within 90 to 180 days so improvements to cyber security do not get delayed or endlessly studied without action. "The advocates of the status quo will argue that speed creates too much risk," Gauss said, but the security risk of doing nothing is greater.
He also recommended that the VA look for an undersecretary who has technology qualifications. "I believe this person must be a certified information systems security professional," Gauss said. To meet his proposed timetable and qualifications, he said the VA should be given hiring authority similar to the Homeland Security Department.
"If the VA uses business-as-usual hiring processes, it will take months or even years to properly staff the offices established by this legislation," Gauss said.
McFarland said the VA personnel office should be given the direction to hire outside personnel services and to run ads on Monster.com to get candidates with the necessary skills.
He said he had asked to try such practices during his tenure and was told that was not the way the agency did business. "One of the most frustrating parts of my two-and-a-half years there was [the hiring] process," McFarland told committee members.
Buyer said he tried to incorporate some provisions of competing House data-security bills into his legislation. Rep. Shelley Moore Capito, R-W.Va., has sponsored a bill that includes felony criminal penalties with two- to five-year prison sentences for employees who remove sensitive data.
Buyer told her that idea is outside his jurisdiction and that the Judiciary Committee would have to handle it.
VA Deputy Secretary Gordon Mansfield said that the agency will continue to work with committee staff in an effort to make its views known.
Because officials at the FBI and the VA inspector general's office are now highly confident files were not compromised as a result of the early May incident, some pieces of legislation that had been proposed are no longer needed, Mansfield said.
The Office of Management and Budget on Tuesday withdrew its request for $160.5 million in additional funding for identity theft protection for those with data included in the breach.
Daniel Pulliam of Government Executive contributed to this report.
COMMENTS
- How predictable. Elected officials decry the loss of millions of veterans' personal information, then claim to be in favor of pre-empting future debacles. So what do they do???? They create new laws to ensure that nothing is put in place to prevent the losses. From the article, legislators merely give post-failure remedies to a real and threatening problem which will continue to haunt everyone for the rest of time. Quote: "The measure proposes notification requirements for people who could be impacted by security breaches, credit-monitoring services for victims, and investigations after any breaches to determine risks of identity theft." From all us veterans: "Don't be idiots." Pass laws to prevent the loss of our information. Fix the root cause of the problem. Hold managers accountable. Enforce existing PC security policies. Fire all the idiots (in the VA) who were told their system was faulty and did nothing about it. Here's a no-brainer ... Even Dell has PCs with fingerprint access technology and it doesn't even cost that much (cheaper than all those credit reports). Why even have Congress if lawmakers can't even address a simple problem and come up with a simple (cheap) solution? Un-Civil Servant, GovExec.com reader. Posted July 20, 2006 8:46 AM
- As a veteran and a VA employee I am perplexed that we would create another bureaucracy within VA just because our current (and past) management wouldn’t do their job. How much more money will be funneled away from veteran support so that this IT empire can be built? It seems odd to me that when confronted with a problem, the answer is developing a bureaucracy to remedy it, rather than to ensure the tools and leadership commitment and accountability are in place to make IT security possible. This attitude of weighing personal trust against public trust must be eliminated. Public trust is rooted in personal trust and personal trust holds public trust as its highest ideal in our society. It then follows that the mere inconvenience of signing a property pass for IT equipment and being held accountable for its care and use are part and parcel of the duties as a public official or employee. So in the end is it better to fund a bureaucracy or apply the security rules to all personnel and enforce the rules already in place? Or does the fiasco of COR-FLS and the loss of a notebook with 26,000,000 veterans’ personal information rise to the level of crisis that establishing a fourth undersecretary position becomes imperative? Or are they just failures of VA’s inability to manage itself? Sadly, another undersecretary cannot solve a systemic problem. J. Norton Phillips Posted July 19, 2006 11:38 AM