December 18, 2009. The Honorable Daniel K. Akaka Chairman The Honorable Richard Burr Ranking Member Committee on Veterans Affairs United States Senate



Similar documents
ELECTRONIC HEALTH RECORDS. Fiscal Year 2013 Expenditure Plan Lacks Key Information Needed to Inform Future Funding Decisions

United States Government Accountability Office November 2010 GAO

SOFTWARE LICENSES. DOD s Plan to Collect Inventory Data Meets Statutory Requirements

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing

GAO INFORMATION TECHNOLOGY. SBA Needs to Strengthen Oversight of Its Loan Management and Accounting System Modernization

GAO. HEALTH INFORMATION TECHNOLOGY HHS Is Pursuing Efforts to Advance Nationwide Implementation, but Has Not Yet Completed a National Strategy

GAO. VA HEALTH CARE Weaknesses in Policies and Oversight Governing Medical Equipment Pose Risks to Veterans Safety

FEDERAL STUDENT LOANS Oversight of Defaulted Loan Rehabilitation Needs Strengthening

GAO. DEPARTMENT OF HOMELAND SECURITY Organizational Structure, Spending, and Staffing for the Health Care Provided to Immigration Detainees

GAO. VA HEALTH CARE Appointment Scheduling Oversight and Wait Time Measures Need Improvement. Statement of Debra A. Draper Director, Health Care

GAO. INFORMATION SECURITY Additional Guidance Needed to Address Cloud Computing Concerns

GAO. VA HEALTH CARE Reported Outpatient Medical Appointment Wait Times Are Unreliable

GAO VA STUDENT FINANCIAL AID

VA PRIMARY CARE Improved Oversight Needed to Better Ensure Timely Access and Efficient Delivery of Care

GAO STUDENT LOANS. Federal Web-based Tool on Private Loans Would Pose Implementation Challenges and May Be Unnecessary

March 14, The Honorable Carl Levin Chairman The Honorable James N. Inhofe Ranking Member Committee on Armed Services United States Senate

November 17, Congressional Committees

GAO. DEFENSE CONTRACTING Progress Made in Implementing Defense Base Act Requirements, but Complete Information on Costs Is Lacking

April 1, The Honorable Henry A. Waxman Chairman Committee on Oversight and Government Reform House of Representatives

GAO. STUDENT AND EXCHANGE VISITOR PROGRAM DHS Needs to Take Actions to Strengthen Monitoring of Schools

VETERANS AFFAIRS CONTRACTING Improved Oversight Needed for Certain Contractual Arrangements

GAO. TAX DEBT COLLECTION Measuring Taxpayer Opinions Regarding Private Collection Agencies

April 30, The Honorable Max Baucus Chairman The Honorable Charles E. Grassley Ranking Member Committee on Finance United States Senate

September 2, The Honorable John Lewis Chairman Subcommittee on Oversight Committee on Ways and Means House of Representatives

Depot Maintenance: Status of the Public-Private Partnership for Repair of the Dual-Mode Transmitter in the F-16 Fire-Control Radar

Border Security: U.S. Customs and Border Protection Provides Integrity-Related Training to Its Officers and Agents throughout Their Careers

a GAO GAO LOAN MONITORING SYSTEM SBA Needs to Evaluate Use of Software Report to Congressional Requesters

a GAO GAO VA LONG-TERM CARE More Accurate Measure of Home-Based Primary Care Workload Is Needed Report to the Secretary of Veterans Affairs

How To Determine The Cost Of A Juror Retirement Plan

GAO. MEDICARE ADVANTAGE Quality Bonus Payment Demonstration Has Design Flaws and Raises Legal Concerns. Statement of

GAO Report: Higher Loan Limits Didn't Drive Up College Costs

GAO COMPUTER-BASED PATIENT RECORDS. Improved Planning and Project Management Are Critical to Achieving Two- Way VA DOD Health Data Exchange

April 30, The Honorable Edward M. Kennedy Chairman Committee on Health, Education, Labor, and Pensions United States Senate

November 16, Subject: Tax Compliance: Some Hurricanes Katrina and Rita Disaster Assistance Recipients Have Unpaid Federal Taxes

GAO. SOCIAL SECURITY ADMINISTRATION Effective Information Technology Management Essential for Data Center Initiative

HEALTHCARE.GOV. Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses

1 GAO R Equipment Lease versus Purchase Analysis

GAO. HEALTH SAVINGS ACCOUNTS Participation Grew, and Many HSA-Eligible Plan Enrollees Did Not Open HSAs while Individuals Who Did Had Higher Incomes

GAO. Federal Agencies Experiences Demonstrate Challenges to Successful Implementation HEALTH INFORMATION TECHNOLOGY

September 9, The Honorable John D. Rockefeller, IV United States Senate. Subject: Overview of the Long-Term Care Partnership Program

April 16, Congressional Committees

December 23, Congressional Committees

a GAO T GAO DIPLOMA MILLS Diploma Mills Are Easily Created and Some Have Issued Bogus Degrees to Federal Employees at Government Expense

GAO. VETERANS HEALTH ADMINISTRATION Inadequate Controls over Miscellaneous Obligations Increase Risk over Procurement Transactions

GAO. INFORMATION TECHNOLOGY Challenges Remain for VA s Sharing of Electronic Health Records with DOD

GAO ADOPTION TAX CREDIT. IRS Can Reduce Audits and Refund Delays. Report to Congressional Requesters. United States Government Accountability Office

GAO AVIATION SECURITY. Measures for Testing the Impact of Using Commercial Data for the Secure Flight Program. Report to Congressional Committees

GAO HIGHER EDUCATION. Issues Related to Law School Accreditation. Report to Congressional Requesters. United States Government Accountability Office

The term bid can be confusing because no competitive bidding takes place. If CMS accepts plan bids, it signs contracts with the MAOs.

June 14, Congressional Committees. Subject: Private Health Insurance: Waivers of Restrictions on Annual Limits on Health Benefits

June 30, The Honorable James L. Oberstar Chairman Committee on Transportation and Infrastructure House of Representatives

June 14, Congressional Committees. Subject: Commerce Information Technology Solutions Next Generation Governmentwide Acquisition Contract

VETERANS' EDUCATION BENEFITS

GAO TAX ADMINISTRATION. Expanded Information Reporting Could Help IRS Address Compliance Challenges with Forgiven Mortgage Debt

GAO WHISTLEBLOWER PROTECTION. Sustained Management Attention Needed to Address Long-standing Program Weaknesses. Report to Congressional Requesters

WHISTLEBLOWER PROTECTION Additional Actions Needed to Improve DOJ's Handling of FBI Retaliation Complaints

GAO. HEALTH INFORMATION TECHNOLOGY Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy. Testimony

How To Measure Performance

GAO. SMALL BUSINESS ADMINISTRATION Continued Attention Needed to Address Reforms to the Disaster Loan Program

GAO. FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM Premiums Continue to Rise, but Rate of Growth Has Recently Slowed. Testimony

January 27, Subject: Program Fraud Civil Remedies Act: Observations on Implementation

GAO HIGHER EDUCATION. Issues Related to Law School Cost and Access. Report to Congressional Committees. United States Government Accountability Office

GAO. ENTREPRENEURIAL ASSISTANCE Opportunities Exist to Improve Programs Collaboration, Data-Tracking, and Performance Management

Page 1. June 26, The Honorable Carl Levin Chairman The Honorable John McCain Ranking Member Committee on Armed Services United States Senate

1 In addition, VHA provides outpatient care at more than 800 community-based outpatient clinics.

Office of Workers Compensation Programs, which includes injuries, illnesses, and non-injuries.

DEFENSE CONTRACT AUDIT AGENCY. Additional Guidance Needed Regarding DCAA's Use of Companies Internal Audit Reports

February 27, Subject: Military Personnel: Bankruptcy Filings among Active Duty Service Members

GAO. INFORMATION SECURITY Concerted Response Needed to Resolve Persistent Weaknesses

GAO. TAXES AND IDENTITY THEFT Status of IRS Initiatives to Help Victimized Taxpayers

January 30, Subject: Meal Counting and Claiming by Food Service Management Companies in the School Meal Programs

Hurricane Katrina and PCASG

GAO. STUDENT LOAN PROGRAMS Lower Interest Rates and Higher Loan Volume Have Increased Federal Consolidation Loan Costs

January 25, Congressional Requesters

VETERANS AFFAIRS Sustained Management Attention Needed to Address Numerous IT Challenges

PROCUREMENT. Actions Needed to Enhance Training and Certification Requirements for Contracting Officer Representatives OIG-12-3

VA HEALTH CARE Ongoing and Past Work Identified Access Problems That May Delay Needed Medical Care for Veterans

GAO TAX ADMINISTRATION. Electronic Filing s Past and Future Impact on Processing Costs Dependent on Several Factors

INFORMATION MANAGEMENT

January 31, Subject: Rail Transit: Reliability of FTA s Rail Accident Database

The Honorable Jo Ann Davis Chairwoman Subcommittee on Civil Service and Agency Organization Committee on Government Reform House of Representatives

Subject: GAO Review of the Department of Homeland Security s Certification of the Secure Flight Program Cost and Schedule Estimates

GAO. INDIAN ISSUES Spokane Tribe s Additional Compensation Claim for the Grand Coulee Dam

A GAO T GAO. SENIOR EXECUTIVE SERVICE Enhanced Agency Efforts Needed to Improve Diversity as the Senior Corps Turns Over

GAO. CONTRACT MANAGEMENT Reporting of Small Business Contract Awards Does Not Reflect Current Business Size

GAO. SCIENCE TECHNOLOGY, ENGINEERING, AND MATHEMATICS EDUCATION Governmentwide Strategy Needed to Better Manage Overlapping Programs

Major Public Health Threat

April 29, The Honorable John Warner Chairman The Honorable Carl Levin Ranking Minority Member Committee on Armed Services United States Senate

GAO. NUCLEAR WASTE Preliminary Observations on the Quality Assurance Program at the Yucca Mountain Repository

GAO. PRIVATE PENSIONS Conflicts of Interest Can Affect Defined Benefit and Defined Contribution Plans

F-35 JOINT STRIKE FIGHTER Preliminary Observations on Program Progress

GAO. VETERANS AFFAIRS Status of Effort to Consolidate VA Data Centers. Report to the Honorable Chaka Fattah, House of Representatives

INFORMATION SECURITY. Evaluation of GAO s Program and Practices for Fiscal Year 2012 OIG-13-2

GAO. HUBZONE PROGRAM SBA s Control Weaknesses Exposed the Government to Fraud and Abuse

a GAO GAO CHIEF INFORMATION OFFICERS Responsibilities and Information and Technology Governance at Leading Private-Sector Companies

GAO SEPTEMBER 11. Federal Assistance for New York Workers Compensation Costs

GAO. UNEMPLOYMENT INSURANCE Receipt of Benefits Has Declined, with Continued Disparities for Low-Wage and Part-Time Workers

October 19, The Honorable John Warner Chairman The Honorable Carl Levin Ranking Minority Member Committee on Armed Services United States Senate

a GAO GAO JUDGMENT FUND Treasury s Estimates of Claim Payment Processing Costs under the No FEAR Act and Contract Disputes Act

Transcription:

United States Government Accountability Office Washington, DC 20548 December 18, 2009 The Honorable Daniel K. Akaka Chairman The Honorable Richard Burr Ranking Member Committee on Veterans Affairs United States Senate The Honorable Bob Filner Chairman The Honorable Steve Buyer Ranking Member Committee on Veterans Affairs House of Representatives Subject: Department of Veterans Affairs Implementation of Information Security Education Assistance Program The Veterans Benefits, Health Care, and Information Technology Act of 2006 authorizes the Secretary of Veterans Affairs to establish an educational assistance program for information security. 1 The Information Security Education Assistance Program is envisioned as a means for the Department of Veterans Affairs (VA) to attract and retain individuals with advanced skills in information security. The legislation authorizes the agency to establish scholarships for qualified students who pursue doctoral degrees in computer science and electrical and computer engineering at accredited institutions and to offer educational debt reduction for VA employees who hold doctoral degrees in these fields. This letter responds to the act s requirement that we report on the scholarship and education debt reduction programs within 3 years of the act s December 22, 2006, enactment. 2 As agreed with your offices, our objective was to determine the status of VA s implementation of the program. To accomplish this objective, we analyzed section 903 of the act, the status of the draft regulations governing the program, and the agency s 1 Pub. L. No. 109-461, 903, 120 Stat. 3403, 3460 (Dec. 22, 2006), adding a new Chapter 79, Information Security Education Assistance Program, to Title 38 of the U.S. Code. This program is part of Title IX of the act known as the Department of Veterans Affairs Information Security Enhancement Act of 2006. 2 Pub. L. No. 109-461, 903(b), 120 Stat. 3464. Page 1

process for implementing the program. We interviewed officials in VA s Office of Information and Technology, Office of General Counsel, and Office of Congressional and Legislative Affairs and reviewed documents related to the implementation process. To gain an understanding of how the department manages other education programs, we also interviewed officials in the Veterans Health Administration. In addition, we met with officials in the Office of Inspector General and reviewed that office s reports on VA s Office of Information and Technology. We performed our work from April 2009 to December 2009 in accordance with generally accepted government auditing standards. These standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Results in Brief The Department of Veterans Affairs has not begun to award scholarships or offer and disburse loan repayments under the Information Security Education Assistance Program, although it has taken some steps to implement the program. Since 2006, VA has drafted governing regulations, which are now undergoing internal review, and has developed a budget impact analysis. After the department s internal review is completed, several additional steps are planned before the regulations are issued, including review by the Office of Management and Budget (OMB) and a public comment period. Department officials anticipate that the debt-reduction portion of the program will begin, and the first scholarship candidates will be selected, during 2011. Background The Veterans Benefits, Health Care, and Information Technology Act was enacted after a serious loss of data in 2006 revealed weaknesses in VA s handling of personally identifiable information. Specifically, in May 2006, an information security breach at the department occurred involving a stolen hard drive with personal data on millions of veterans and their dependents. The incident highlighted the seriousness of weaknesses in the department s information security. In testimony shortly after the breach, we noted that for many years, significant concerns had been raised about VA s information security particularly its lack of a robust information security program, which is vital to minimizing the risk of compromise of government information, including sensitive personal information. 3 3 GAO, Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, GAO-06-866T, (Washington, D.C.: June 14, 2006). Page 2

One of the programs authorized by the Veterans Benefits, Health Care, and Information Technology Act in response to these concerns about VA s longstanding information security weaknesses and the data breach was the Information Security Education Assistance Program. Under the act, the Secretary of the Department of Veterans Affairs was authorized to establish an education assistance program for doctoral students in computer science and computer and electrical engineering to strengthen VA s ability to recruit and retain individuals who have necessary information security skills. The program is to have two parts: a debt-reduction program for VA employees who have recently earned doctoral degrees, and a scholarship program for qualified individuals who must agree to work for the agency on completion of their academic programs. The agency is authorized to repay up to $16,500 of student loan debt each year for qualified employees up to a total of 5 years and $82,500. Doctoral students may receive full tuition scholarships plus a monthly stipend for up to 5 years, not to exceed a total of $200,000. According to section 903(c) of the act, the scholarship program may only apply to financial assistance provided for an academic semester or term that begins on or after August 1, 2007. Authorization to make payments under the program expires on July 31, 2017. The act also requires VA to prescribe regulations for administering the program. The VA unit responsible for implementing the Information Security Education Assistance Program is the Office of Information and Technology (OI&T), which oversees the department s information technology (IT) assets and resources including information security and privacy. Within OI&T, two offices have managed the implementation efforts: the Office of Information Technology Resource Management, which is responsible for human capital and IT budgeting, and the Office of Information Protection and Risk Management, which is responsible for information security. VA s Office of General Counsel also has a role. General Counsel s Office of Regulation Policy and Management monitors and reviews proposed regulations, provides regulatory impact analyses, and is VA s regulatory liaison with OMB. VA Has Begun Implementing the Program but Considerable Work Remains Before Financial Assistance Can Begin VA is in the process of developing regulations for administering the program, as called for by the act. OI&T s Office of Information Technology Resource Management began work on the regulations and had a draft ready for internal review and concurrence by August 2007. Responsibility for managing the concurrence process and ensuring that other VA offices reviewed and concurred with the program regulations was assigned, on August 1, 2007, to the Office of Information Protection and Risk Management since, according to a senior OI&T official, this office would most benefit from the program. The status of the review and concurrence process was to be monitored by General Counsel s Office of Regulation Policy and Management. Page 3

The regulations have not yet been issued. During 2007 and 2008, the Office of Regulation Policy and Management sent multiple status inquiries to Information Protection and Risk Management. In April 2008, Regulation Policy and Management noted that it had received no status updates in about a year. In the summer of 2008, OI&T s Office of Information Technology Resource Management learned, according to a senior official within the office, that the draft regulations were still in Information Protection and Risk Management and no apparent action had been taken. At that point, Resource Management took responsibility for ensuring that the draft regulations were sent forward for review and concurrence. Subsequently, in January 2009, the draft regulations were sent to VA s Office of General Counsel for review. In September 2009, the Office of General Counsel provided initial comments on the draft regulations. VA plans several other actions before issuing the regulations and has outlined a project plan for issuing the regulations that includes the remaining steps and milestones. Specifically, after final concurrence by the Office of General Counsel and concurrence by the other departmental offices, the draft regulations must be approved by the Secretary of Veterans Affairs. The department will then submit the draft regulations for review by OMB and then for comment from the public. VA officials estimate that, after the department addresses these comments and OMB performs another review, the final regulations could be issued in January 2011. VA Plans to Begin Program Activities in January 2011 VA officials anticipate that, if funds are available, the agency will announce the program and begin seeking candidates in January 2011 for both the debt reduction and scholarship components of the program. More time will elapse before any scholarship candidates receive doctoral degrees and are able to apply that educational experience to VA s information security needs. 4 VA has drafted an impact analysis that estimates the costs for the program and has identified two current staff members who may be eligible for debt repayments. In its impact analysis, VA estimates that the program will cost at least $217,000 by 2015, based on a survey which suggests that the department will have one candidate for the scholarship program and three candidates for the debt reduction program within the next 5 years. According to VA officials, no funds were allocated to the program in the department s fiscal year 2010 budget. 4 The earliest date to hire a doctoral program graduate who receives a scholarship might be around January 2012. This date assumes that VA selects a graduate at the program s start in January 2011 who is in the last year of doctoral study. A candidate just starting a doctoral program might take considerably longer. For example, Carnegie Mellon University suggests it may take 6 years to complete a Ph.D. in computer science and the University of Texas, Austin, estimates 3 to 5 years. Page 4

Figure 1 summarizes VA s actions and planned actions, from enactment of the authorizing legislation through program implementation. Figure 1: Completed and Planned Actions for the Information Security Education Assistance Program In comments provided via e-mail on a draft of this correspondence, the GAO liaison, VA Office of Congressional and Legislative Affairs, stated that the department had reviewed the draft report and had no comments to offer at this time. - - - - - - - - - - We are sending a copy of this letter to the Secretary of Veterans Affairs. In addition, the document will be available at no charge on GAO s Web site at http://www.gao.gov. If you have any questions regarding this letter, please contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, or Valerie C. Melvin at (202) 512-6304 or melvinv@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Page 5

GAO staff who made major contributions to this letter are Charles Vrabel (Assistant Director), Monica Perez Anatalio, Neil Doherty, Nancy Glover, Mary Marshall, Lee McCracken, Kate Nielsen, Sylvia Shanks, Glenn Spiegel, and Adam Vodraska. Gregory C. Wilshusen Director, Information Security Issues Valerie C. Melvin Director, Information Management and Human Capital Issues (311024) Page 6

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO s Mission Obtaining Copies of GAO Reports and Testimony The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO s Web site (www.gao.gov). Each weekday afternoon, GAO posts on its Web site newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to www.gao.gov and select E-mail Updates. Order by Phone The price of each GAO publication reflects GAO s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO s Web site, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Contact: To Report Fraud, Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400 Congressional U.S. Government Accountability Office, 441 G Street NW, Room 7125 Relations Washington, DC 20548 Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information