VA installs encryption software on thousands of laptops
Department’s acting CIO says personally owned computers used for work remain a security risk.
The Veterans Affairs Department installed encryption software on nearly 15,000 laptop computers during the past two weeks in an attempt to better protect sensitive information against misuse, officials told lawmakers Tuesday.
In testimony before the Senate Veterans' Affairs Committee, Robert Howard, the department's acting chief information officer, said this represents most of VA's laptops. He said his office was unable to encrypt some computers because they would not accept software from GuardianEdge, a San Francisco-based data security company.
But that affected fewer than 100 laptops, Howard said, and the unencrypted machines will not be used until they are properly secured.
Howard updated the committee on the status of VA encryption efforts during his confirmation hearing. He was nominated in August to fill the spot on a permanent basis.
VA awarded a $3.7 million contract to Syracuse, N.Y.-based Systems Made Simple Inc. to encrypt department computers and portable media, such as mobile e-mail devices, flash drives and CDs. When the contract was announced, officials said the department would encrypt all laptops by Sept. 15.
VA also is working to provide agency-owned computers to employees who currently use their personal machines for work purposes. Howard said the agency plans to wait for fiscal 2007, which begins Oct.1, because of the cost. In the meantime, employees who use their personally owned computers for work have been informed that they are required to protect any sensitive information.
"If you have to use a computer in your work and right now you're using a personally owned item, we want to issue you a government piece of equipment that we can control," Howard said.
He added VA is conducting an inventory to get an idea of the cost of replacing what could potentially be thousands of personally owned computers, many of them used by the Veterans Health Administration's doctors.
VA can track when employees log on to its network from personally owned computers, but cannot require the installation of security patches or see what employees are working on, Howard said.
"Is there vulnerability there? Sure," Howard said. "As long as we can't have full control of that device, there will be vulnerability and it's something we must correct."
Accomplishing VA Secretary James Nicholson's goal of making the department the "gold standard" for the government in information security will entail completing 322 actions listed in the department's Data Security-Assessment and Strengthening of Controls Program, Howard said.
A document outlining the status of those actions indicates that the Veterans Health Administration and the Veterans Benefits Administration have yet to finish assessing their contractors' IT activities. The document also states that the VA is 20 percent finished implementing standardized IT directives and 27 percent of the way toward enhancing IT management security controls.
VA officials also are working to fill 500 full-time positions created in the department's IT reorganization aimed at centralizing control over technology networks, Howard said.
Howard's testimony before the committee was well received by the three senators who questioned him, including Larry Craig, R-Idaho, chairman of the committee. Craig said he expects the full Senate to vote on the nomination by the end of the week. The committee is expected to vote Wednesday.