VA official opposes centralization of IT management

House panel is holding a hearing Thursday to probe the department’s technology management structure.

The Veterans Affairs Department general counsel resisted repeated attempts by the agency's chief information security officer to centralize authority for IT security, according to internal memorandums.

IT management at the VA is gaining congressional attention as lawmakers look into how a long-time agency employee was able to take veterans' sensitive personal records home unauthorized for three years, culminating in last month's data breach. The House Veterans' Affairs Committee is holding a hearing Thursday focusing on the management structure governing IT security.

VA officials have said they believe the department's "federated" IT management model, adopted last year, gives the chief information officer the necessary authority and enforcement powers to improve information security.

But a review of department memos written over the last three years and interviews with former agency officials and congressional staff members familiar with the matter reveal an organization intensely resistant to change and program offices tenaciously opposing attempts to impose central authority on the department's wide-ranging technology operations.

VA Secretary James Nicholson has acknowledged in congressional testimony that there is long-standing resistance to change in the department and said Wednesday the agency has become lax in enforcing its security practices.

An Aug. 1, 2003, memo from the VA's general counsel to Bruce Brody, the department's associate deputy assistant secretary for cyber and information security at the time, declared that the authority to enforce security, including information security, physical security and personnel security, would remain with the respective offices involved.

The memo gave these instructions even though the Clinger-Cohen Act grants such authority to the CIO and the 2002 Federal Information Security Management Act leaves it with the chief information security officer, according to two congressional sources.

A second memo from the general counsel, Tim McClain, dated April 7, 2004, reinforced VA's policy, stating that the CIO cannot enforce information security requirements because FISMA uses the word "ensure" with regard to CIO authority, rather than "enforce." If VA organizations fail to comply with information security policies, the CIO's only recourse is to appeal to the department secretary, the memo stated.

McClain and Brody are on the witness list for Thursday's hearing.

In written testimony scheduled to be delivered at the hearing, VA General Counsel Tim McClain, who signed the memo, said FISMA does not provide a means for CIOs to ensure compliance.

McClain argued that the law does not require giving the CIO direct control over agency programs because that type of control "is not the only means" by which information security can be accomplished.

A March 16, 2004, memo from then-VA Secretary Anthony Principi stated that then-CIO Robert McFarland was responsible for implementing a departmentwide information security program, but McClain said in his testimony that the memo merely stated the secretary's "intention" to give McFarland the "power and authority needed" over employees involved with cybersecurity.

Brody, now vice president for information security at the Reston, Va.-based market research firm INPUT, said his attempts to enforce security policies at the agency were "fought off at every turn by the administrations and program offices that were resistant to change."

"Anything related to central security controls was fiercely resisted," Brody said. "The fragmentation of security in the eyes of the general counsel made it impossible to put a security program in place. Those two memos [from McClain] alone served to fragment security and then clip its wings."

Len Sistek, Democratic staff director for the House Veterans' Affairs Subcommittee on Oversight and Investigations, said it is clear that the CIO had the power to advise and encourage, "but the enforcement teeth rested elsewhere."