IT security measure may founder in lame-duck Senate

Veterans Affairs’ move to consolidate technology operations addresses much of what was in the bill, Senate spokesman says.

A bill that would substantially change the Veterans Affairs Department's technology management structure and the law governing federal information security appears to be dead in the water.

House Veterans' Affairs Committee spokeswoman Brooke Adams said there's still time for the bill to move forward during the lame-duck session and would not rule out passage. But Jeff Schrade, a spokesman for the Senate Veterans' Affairs Committee, said the measure's chances of clearing the Senate grow worse every day.

The Senate is still in negotiations over whether to advance the bill, sponsored by House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind. But the effort remains "an uphill battle," Schrade said.

A year ago, the Senate panel opposed a separate House-approved bill -- also sponsored by Buyer -- that would have mandated the centralization of IT resources at VA.

VA has been able to consolidate its IT operations under recently confirmed Chief Information Officer Robert Howard, achieving many of the objectives Buyer called for in his latest bill, Schrade said.

According to a recent internal organizational chart, VA's IT operations, including the hotly contested development of applications, fall under the assistant secretary for information technology (another title held by the CIO). Rather than use the word "centralization" to describe the plan, department officials have opted to say the revised organizational structure creates a "single authority for IT," sources told Government Executive.

The recent organizational chart represents a shift from an October 2005 plan, which would have moved the department's IT functions to a compromise "federated" model. Under that model, the CIO would have controlled all IT operations and maintenance functions but not applications development, which would have remained under VA's three administrations.

The Buyer bill aims to further centralize IT authority by making the CIO an undersecretary. It also would require the department to provide credit protection and fraud resolution services upon request in the event of a data breach.

Buyer's measure comes in response to a rash of data breaches reported across the government, starting with the early May theft of a computer containing personal information on 26.5 million people from the home of a VA employee. The computer subsequently was recovered. Other agencies have reported smaller data breaches.

One congressional source close to the matter said he sees signs VA is moving in the right direction, but added there is no guarantee the goals in the Buyer bill will be met without legislation.

The Buyer measure is aimed at strengthening the 2002 Federal Information Security Management Act. Language contributed by the House Government Reform Committee would give all government CIOs the responsibility to enforce rules to help account for and secure IT equipment containing sensitive information. It would require agencies to inform the public when data breaches involving sensitive information occur. The Office of Management and Budget would have to establish procedures for responding to breaches.

The language is in response to the VA data breach and a subsequent report from the Commerce Department revealing that, of more than 30,000 laptops inventoried since 2001 across its 15 organizations, 1,137 had been lost or stolen. In particular, the report noted that half the lost computers at the Census Bureau within Commerce were missing because employees did not return them when they left their jobs.

Another report last month found that the loss of personal data is common across government, largely because of poor physical security.

David Marin, staff director for the Government Reform Committee, said moving a separate piece of legislation that encompasses just the FISMA language remains a top priority for committee chairman Rep. Tom Davis, R-Va., come December.

David Perera contributed to this report.