Proponent of IT centralization declares victory at the VA

Eight months after the largest data breach in government history, the outgoing chairman of the House Veterans Affairs' Committee is declaring victory in the battle to centralize the massive information technology infrastructure at the Veterans Affairs Department.

In a press conference Wednesday with VA Secretary James Nicholson, Rep. Steve Buyer, R-Ind., said the new structure will not necessarily prevent future security lapses, but will empower "agents of change" to transform the department's culture so that sensitive personal information is treated with greater care.

With the decision to move the department's IT development personnel under the authority of the chief information officer, the VA is the first federal agency to implement a truly centralized IT management model, Buyer said. He added that it will be the envy of other department IT officials.

"Some of the CIOs in other departments are already talking to the VA CIO [Bob Howard] to ask, 'What did you do? How did you do it?' " Buyer said.

He said agencies will not centralize their IT infrastructure on their own and that such moves require the chairman of the agency's congressional oversight panel to take interest. "They also need to get squeezed by [the Office of Management and Budget]," Buyer said.

The VA's IT reorganization has given the technology chief "almost everything he ever asked for," Buyer said. "Unfortunately, it takes a bad incident to implement change."

Before the May 2006 data breach, which put at risk the identities of more than 26.5 million veterans and active duty members of the military, the VA was moving toward a "federated model" of IT management. This would have allowed the VA's three administrations to maintain control over IT application development.

But after eight hearings by Buyer's committee, the resignation of two senior VA officials who opposed centralization and a recommendation from IBM officials helping to implement the reorganization, the VA elected to move IT developers under the authority of the CIO. The developers will be detailed to the CIO Monday, and the move is expected to be made permanent in April 2007, Buyer said.

Legislation sponsored by Buyer that would have legally mandated the centralization of the VA's IT passed the House in November 2005, but the bill never made it out of the Senate Veterans' Affairs Committee because of concerns that it would hamper the VA's ability to provide services to veterans.

A second bill introduced by Buyer in July 2006 also mandated the centralization of the VA's IT management structure, but after passing the House, the legislation failed to gain Senate acceptance.

Compromise legislation included in a broad VA bill (S. 3421) that passed both chambers of Congress early Saturday morning requires the VA to provide notification to people affected by a data breach, deliver reports to Congress, issue fraud alerts, conduct an independent risk analysis of data breaches and provide credit monitoring services and identity theft insurance.

Buyer also praised Nicholson for showing leadership after the data breach was discovered.

The secretary said the new emphasis on IT security has caused embarrassment for some VA employees and it will be reflected in their performance reviews, which will affect their compensation.