[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


                    VA'S LONGSTANDING INFORMATION SECURITY 
                     WEAKNESSES CONTINUE TO ALLOW EXTENSIVE 
                     DATA MANIPULATION

=======================================================================

                                HEARING

                               BEFORE THE

                     COMMITTEE ON VETERANS' AFFAIRS
                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                       TUESDAY, NOVEMBER 18, 2014

                               __________

                           Serial No. 113-90

                               __________

       Printed for the use of the Committee on Veterans' Affairs
       
       
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]       


         Available via the World Wide Web: http://www.fdsys.gov
         
                                __________
                                
                       U.S. GOVERNMENT PUBLISHING OFFICE
96-133                      WASHINGTON : 2015                       
________________________________________________________________________________________                     
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.  
                     
                     
                     
                     
                     COMMITTEE ON VETERANS' AFFAIRS

                     JEFF MILLER, Florida, Chairman

DOUG LAMBORN, Colorado               MICHAEL H. MICHAUD, Maine, Ranking 
GUS M. BILIRAKIS, Florida, Vice-         Minority Member
    Chairman                         CORRINE BROWN, Florida
DAVID P. ROE, Tennessee              MARK TAKANO, California
BILL FLORES, Texas                   JULIA BROWNLEY, California
JEFF DENHAM, California              DINA TITUS, Nevada
JON RUNYAN, New Jersey               ANN KIRKPATRICK, Arizona
DAN BENISHEK, Michigan               RAUL RUIZ, California
TIM HUELSKAMP, Kansas                GLORIA NEGRETE McLEOD, California
MIKE COFFMAN, Colorado               ANN M. KUSTER, New Hampshire
BRAD R. WENSTRUP, Ohio               BETO O'ROURKE, Texas
PAUL COOK, California                TIMOTHY J. WALZ, Minnesota
JACKIE WALORSKI, Indiana
DAVID JOLLY, Florida
                       Jon Towers, Staff Director
                 Nancy Dolan, Democratic Staff Director

Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public 
hearing records of the Committee on Veterans' Affairs are also 
published in electronic form. The printed hearing record remains the 
official version. Because electronic submissions are used to prepare 
both printed and electronic versions of the hearing record, the process 
of converting between various electronic formats may introduce 
unintentional errors or omissions. Such occurrences are inherent in the 
current publication process and should diminish as the process is 
further refined.
                            C O N T E N T S

                              ----------                              

                       Tuesday, November 18, 2014

                                                                   Page

VA's Longstanding Information Security Weaknesses Continue to 
  Allow Extensive Data Manipulation..............................     1

                           OPENING STATEMENTS

Gus M. Bilirakis, Vice Chairman..................................     1
Jeff Miller, Chairman
    Prepared Statement...........................................    43
Michael Michaud, Ranking Member..................................     2

                               WITNESSES

Mr. Stephen Warren, Executive in Charge and Chief Information 
  Officer, Office of Information ` Technology, Department of 
  Veterans Affairs...............................................     3
    Prepared Statement...........................................    44
    Accompanied by:
        Mr. Stan Lowe, Deputy Assistant Secretary, Office of 
            Information ` Technology, Office of Information 
            Security, Department of Veterans Affairs
    And
        Ms. Tina Burnette, Executive Director for Enterprise Risk 
            Management, Department of Veterans Affairs
Ms. Sondra McCauley, Deputy Assistant Inspector for Audits and 
  Evaluations, Office of Inspector General, Department of 
  Veterans Affairs...............................................     5
    Prepared Statement...........................................    47
    Accompanied by:
        Mr. Michael Bowman, Director, Information Technology and 
            Security Audit Office, Office of Inspector General, 
            Department of Veterans Affairs
Mr. Greg Wilshusen, Director of Information Security Issues, GAO.     6
    Prepared Statement...........................................    55

 
  VA'S LONGSTANDING INFORMATION SECURITY WEAKNESSES CONTINUE TO ALLOW 
                      EXTENSIVE DATA MANIPULATION

                              ----------                              


                       Tuesday, November 18, 2014

             U.S. House of Representatives,
                    Committee on Veterans' Affairs,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 1:41 p.m., in 
Room 334, Cannon House Office Building, Hon. Gus M. Bilirakis 
[vice chairman of the committee] presiding.
    Present:  Representatives Lamborn, Bilirakis, Roe, 
Benishek, Huelskamp, Coffman, Wenstrup, Cook, Walorski, Jolly, 
Michaud, Brown, Takano, Brownley, Kirkpatrick, Ruiz, Kuster, 
O'Rourke, and Walz.

      OPENING STATEMENT OF VICE CHAIRMAN GUS M. BILIRAKIS

    The Chairman. The committee will come to order. Good 
afternoon. I want to welcome you to today's full committee 
hearing. For at least the last 18 months this committee has 
held hearings, conducting briefings and participating in 
discussions in a bipartisan manner. I am sure you will agree 
with that. The committee is seeking corrective action on 
longstanding issues in the VA's Office of Information and 
Technology.
    On May 29th, 2014 the VA Office of the Inspector General 
noted that VA's information technology is still plagued by 
material weaknesses for the 16th straight year, unacceptable as 
far as I am concerned. Looking back nearly 18 months Mr. Warren 
testified to the committee that he had an 18-month plan to 
resolve the problems in VA's network. However, as GAO's report 
released yesterday tells us there are continued problems. Of 
great concern, VA could not provide supporting material for at 
least one of the serious problems it claimed to have resolved. 
The weaknesses in VA's network have contributed to the data 
manipulations related to the recent wait times scandal. Today 
we want to discuss these issues.
    As you probably noticed, Chairman Miller is attending 
another congressional, he has got congressional business on the 
steering committee. Therefore I would like to submit his 
written statement for the record. Hearing no objections, so 
ordered.

      OPENING STATEMENT OF RANKING MEMBER MICHAEL MICHAUD

    The Chairman. Thank you all once again for being here. With 
that, I will yield to the Ranking Member Mr. Michaud for as 
much time, at least five minutes, thank you.
    Mr. Michaud. Thank you very much, Mr. Chairman. As a 
committee we could have had a week of hearings to thoughtfully 
get to the bottom of the many issues that will be raised by the 
witnesses this afternoon. The Department of Veterans Affairs 
has many longstanding IT security problems, these problems that 
have been raised time and again by the Inspector General and 
the GAO. It is time that the VA address these issues quickly 
and effectively. Today we need to have a frank and open 
discussion about our expectation of VA's IT security and 
whether or not the VA has the resources, capabilities, and the 
leadership to meet these expectations. One of the biggest 
challenges we will discuss today is scheduling software used by 
the VHA. In their testimony VA indicated these problems of an 
antiquated scheduling system is recognized and being addressed. 
I look forward to hearing what VA is doing to address these 
problems and when we can discuss the solutions to be 
implemented.
    I would also like to hear from VA how they are ensuring 
that veterans' personal data and information is uncorrupted and 
protected. Federal IT security laws require a balance among 
security, mission, and cost. We must also keep in mind that IT 
is not the end, but rather the means by which VA accomplishes 
its missions. This recognition should not blind us to the real, 
very real, IT security issues facing the VA. It does not, is 
not an excuse of ongoing security problems that should have 
been addressed a long time ago, but recognizing the need for 
balance will better enable us to figure out what the VA needs 
to do today and down the road.
    In February the administration needs to submit a budget 
that gives the department all of the necessary resources to 
address these IT security issues once and for all. And I hope 
all of my colleagues here today will continue to fight to give 
VA those needed resources. And I hope that they will fight to 
ensure these resources are used properly as well. At the end of 
the day the American people must have confidence that VA's 
ability to keep veterans' data and information safe and secure 
and I am hopeful that today's hearing will begin that 
establishment of that credibility on some issues and show us 
that we are still able to work together.
    For a number of years there has been a growing level of 
frustration and distrust between the VA and Congress. Within 
that climate we sometimes lose sight of the need to work 
together to deliver the promises we made to our veterans. IT 
security is critical and we simply must do all that we can 
working together to ensure that veterans' personal information 
is protected and that data is credible and that the VA has the 
tools it needs to do its job.
    It is clear to me that our recent hearings and the change 
in VA leadership is having a positive effect. We have seen more 
open senior leader engagement and more responsiveness from the 
department and I want to thank you and appreciate all of that. 
I am hopeful that these changes can expand to VA and Congress 
working together to address IT security issues and that today's 
conversation is the first step of this process in this new 
environment. So I want to thank you all for coming here today. 
I look forward to your testimony. And I want to thank you, Mr. 
Chairman, for having this very important hearing. And with that 
I yield back the balance of my time.

    [The prepared statement of Michael H. Michaud appears in 
the Appendix]

    The Chairman. All right, very good. We will now begin with 
today's hearing with our first and only panel of witnesses who 
are already seated at the witness table. Joining us from the 
Department of Veterans Affairs is Mr. Stephen Warren, Executive 
in Charge and Chief Information Officer. Mr. Warren is 
accompanied by Mr. Stan Lowe, Deputy Assistant Secretary, 
Office of Information and Technology; and Ms. Tina Burnette, 
Executive Director for the Enterprise Risk Management. Joining 
us from the Department of Veterans Affairs Office of the 
Inspector General is Ms. Sondra McCauley, Deputy Assistant 
Inspector General for Audits and Evaluations. Ms. McCauley is 
accompanied by Mr. Michael Bowman, Director, Information 
Technology and Security Audit Office. Finally, joining us from 
the Government Accountability Office is Mr. Greg Wilshusen, who 
is the Director of Information Security Issues. Thank you all 
for attending today. And we will begin with our testimony and 
we will start with Mr. Warren. Please proceed with your 
testimony, thank you.

STATEMENTS OF MR. STEPHEN WARREN, EXECUTIVE IN CHARGE AND CHIEF 
INFORMATION OFFICER, OFFICE OF INFORMATION AND TECHNOLOGY, U.S. 
 DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY MR. STAN LOWE, 
     DEPUTY ASSISTANT SECRETARY, OFFICE OF INFORMATION AND 
TECHNOLOGY, OFFICE OF INFORMATION SECURITY, U.S. DEPARTMENT OF 
VETERANS AFFAIRS; AND MS. TINA BURNETTE, EXECUTIVE DIRECTOR FOR 
    ENTERPRISE RISK MANAGEMENT, U.S. DEPARTMENT OF VETERANS 
   AFFAIRS; MS. SONDRA MCCAULEY, DEPUTY ASSISTANT INSPECTOR 
    GENERAL FOR AUDITS AND EVALUATIONS, OFFICE OF INSPECTOR 
 GENERAL, U.S. DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY 
   MR. MICHAEL BOWMAN, DIRECTOR, INFORMATION TECHNOLOGY AND 
   SECURITY AUDIT OFFICE, OFFICE OF INSPECTOR GENERAL, U.S. 
  DEPARTMENT OF VETERANS AFFAIRS; AND MR. GREGORY WILSHUSEN, 
      DIRECTOR OF INFORMATION SECURITY ISSUES, GOVERNMENT 
                     ACCOUNTABILITY OFFICE

                  STATEMENT OF STEPHEN WARREN

    Mr. Warren. Thank you, Chairman Bilirakis, Ranking Member 
Michaud, and members of the committee. Thank you for the 
opportunity to appear before you today to discuss the 
Department of Veterans Affairs and how we endeavor to find the 
appropriate balance between information protection and the 
delivery of care, services, and benefits to our nation's 
veterans.
    Before proceeding I would like to recognize the valuable 
role of the Office of the Inspector General and the General 
Accountability Office for forming and offering insights that 
validate actions and efforts underway, or as important identify 
areas where we need to improve or redouble our efforts. Though 
there are times when we may not agree on specific findings, 
conclusions, or statements, that does not diminish the great 
weight I give to their contributions as we take on the 
difficult to deal with challenges of this organization.
    Securing veterans' data in an enterprise as large and as 
complex as VA is a dynamic and constantly involving process 
that includes contributions from the OIG and the GAO. I am 
disappointed that in spite of the significant efforts by our 
employees over the past year that the OIG maintained an IT 
material weakness. I am committed to redoubling our efforts to 
put in place the processes and disciplines to address these 
issues, building upon the extensive layered in depth strategy 
that we already have in place. To that end after receiving the 
findings from the OIG last week, I have directed an additional 
$60 million to be added to our information security efforts 
this year. This will provide additional resources to our 
facilities to implement configuration management as well as 
vulnerability remediation. In February we will reevaluate and 
if significant progress has not been made additional resources 
will be applied.
    We should not overlook that VA faces the same threats as 
departments and many businesses. We believe we are taking 
responsible actions to deal with these persistent threats. My 
written testimony contains information on the many actions 
completed and significant milestones achieved in the past year. 
But instead of repeating that material in my oral statement I 
would like to highlight four key points.
    First, it is important to make a distinction between issues 
relating to access to care and VA's information security 
efforts. I believe there is no causal relationship between 
alleged appointment manipulation and findings in the OIG's 
FISMA audit. To my knowledge there have been no indications 
that appointments were changed or canceled other than through 
the normal way that the software was designed to do, though in 
this case inappropriately.
    Second, there is no disagreement that the technology 
underlying the current appointment scheduling system is 
cumbersome and outdated. Since the scheduling software was 
originally deployed the focus has been to add more 
functionality as well as correct differences in how the 
software worked versus the scheduling process. In hindsight, 
more focus should have been given to improving the usability of 
the tool. In summary, VA should have driven harder and earlier 
to replace it.
    Third, it is also important to note resourcing 
recommendations for IT investments are made by each of the 
administrations based on business priorities and using those 
prioritized requirements we follow a consensus based process to 
not only develop our IT submission to the President's budget 
but also in developing our IT investment budget at the start of 
each year.
    Fourth, IT risk management is a process of assembling 
information upon which leadership can make judgments and 
decisions. The identification of hazards or weaknesses in an 
operating environment contribute to your risk profile and have 
impact on its ability to achieve business objectives, but these 
weaknesses are but one component of assessing risks. 
Fundamentally managing IT risk at VA is not just about 
assessing and quantifying all the things that could go wrong, 
but more importantly understanding all the things that need to 
go right for the VA to be successful. For me, finding and 
keeping that balance while delivering benefits and services to 
veterans is a personal obligation, one that motivates me to 
serve veterans.
    The veteran for me is my grandfather, William, who was 
wounded in the trenches in World War I, and went on to serve in 
the British channel and the Mediterranean in World War II. It 
is my father, Steve, my father-in-law Grengel, both deceased. 
My brother-in-law Ted, Navy Retired. My brother Alex, Army 
National Guard Separated. My nephews, Michael and Duncan, 
presently serving on active duty. My brother Chuck, Army 
National Guard, killed in action, Baghdad, 2005. His widow 
Carol, along with his two orphans, my nephew Jackson and my 
niece Maddy, a niece who will never meet her father. They as 
well as many of the friends I served with in the Air Force 
shape my decisions and actions as I endeavor to find that 
appropriate balance of risk between information protection and 
the delivery of care, services, and benefits to our nation's 
veterans.
    This concludes my oral statement. I would be happy to take 
your questions.

    [The prepared statement of Stephen Warren appears in the 
Appendix]

    The Chairman. Thank you, Mr. Warren. And now I will call on 
Ms. McCauley for your testimony. Please proceed.

                  STATEMENT OF SONDRA MCCAULEY

    Ms. McCauley. Mr. Chairman and Members of the Committee, 
thank you for the opportunity to discuss the OIG's work 
regarding VA's management of its IT security program. With me 
today is Mr. Michael Bowman, Director of the OIG's IT and 
Security Audits Division.
    Secure IT systems and networks are critical to support VA's 
missions of providing medical care, benefits, and services to 
veterans. However, for over a dozen consecutive years our 
independent auditors have identified VA's IT security as a 
material weakness. In March, 2012 VA instituted the Continuous 
Readiness in Information Security Program, CRISP, to ensure 
year-round IT monitoring and work to resolve the IT material 
weakness. Our fiscal year 2014 audit identified more focused VA 
efforts to standardize IT security controls, such as 
implementing predictive scanning and an IT tool for assessing, 
authorizing, and monitoring VA security. However, as in prior 
years we continue to see systemic deficiencies in four key 
areas.
    Configuration management, we found critical systems were 
not timely patched and securely configured to mitigate known 
vulnerabilities. Access controls, we identified default 
passwords, weak passwords, and vulnerable third party 
applications providing well-known attack points from malicious 
users. Security management, we noted instances of outdated 
security management documentation, background reinvestigations 
not performed timely, and plans of action and milestones 
updated or closed without written justification. Contingency 
planning, we found backup tapes that were not encrypted prior 
to storage and contingency plans that did not reflect the 
current operating environment. We continue to find these 
control activities were not well designed or operating 
effectively.
    We also disclosed significant technical weaknesses in 
databases, servers, and network devices for transmitting 
sensitive information among VA medical centers, data centers, 
and VA central office. Particularly disconcerting were the 
significant number of critical and high-severity 
vulnerabilities at data centers more than five years old.
    Moving forward VA must fully implement an enterprise 
information security program and improve monitoring to ensure 
security controls are operating as intended at all facilities. 
Consistent and proactive enforcement of established policies 
and procedures is critical to remediate IT security 
deficiencies across VA's dispersed portfolio of legacy 
applications and newly implemented systems. Effective 
communication between VA management and field offices is also 
needed to notify the appropriate personnel of identified 
security deficiencies so that they can timely implement 
corrective actions.
    Our fiscal year 2014 FISMA report discussing these IT 
security challenges is anticipated for release in Spring, 2015. 
We expect that most of the 35 outstanding recommendations will 
remain open. However, this year VA must also address concerns 
not previously highlighted. These include systemic deficiencies 
with temporary authorizations to operate systems based on 
incomplete security reviews, ineffective protections for 
medical devices containing sensitive patient data, foreign 
hackers on the VA network, sensitive VA data transmitted over 
unsecure internet connections, and the need for an effective 
patient scheduling system to minimize veteran delays and ensure 
accurate wait time data.
    In conclusion, VA has made improvements in its IT security 
but more remains to be done. Until a proven process is in place 
to ensure control enterprise-wide, the IT material weakness 
will stand and VA's systems and sensitive veterans' data will 
remain at risk. IT weaknesses and vulnerabilities can expose 
millions of veterans to potential loss of privacy, identity 
theft, and other financial crimes. Mr. Chairman, this concludes 
my statement. We would be happy to answer any questions you or 
other members of the committee may have.

    [The prepared statement of Sondra McCauley appears in the 
Appendix]

    The Chairman. Thank you, Ms. McCauley. Now we will 
recognize Mr. Greg Wilshusen to proceed with his testimony. 
Thank you. You are recognized, sir.

                  STATEMENT OF GREG WILSHUSEN

    Mr. Wilshusen. Mr. Chairman, Mr. Ranking Member, and 
members of the committee, thank you for the opportunity to 
testify at today's hearing on information security at the 
Department of Veterans Affairs. Securing its information and 
computing systems is vital because VA collects and maintains a 
large volume of sensitive personal information in performing 
its mission of promoting the health, welfare, and dignity of 
our nation's veterans. As you know, VA has faced longstanding 
challenges in its efforts to secure its information and 
information systems. My statement today summarizes the key 
findings and recommendations from the report we released 
yesterday on VA's efforts to address previously identified 
security vulnerabilities. The weaknesses we reviewed pertained 
to the department's incident response efforts, two key web 
applications, and devices connected to its network.
    Before I begin, Mr. Chairman, if I may, I would like to 
recognize several individuals who were instrumental in 
performing the audit work that underpins my testimony. With me 
today are Jennifer Franks, Tyler Mountjoy, Hal Lewis, and Chris 
Warweg. I would also like to recognize Jeff Knott, Naba 
Barkakati, Lon Chin, and Lee McCracken, who are back at the 
office.
    Mr. Chairman, while VA has taken actions to mitigate the 
vulnerabilities we reviewed they were insufficient to ensure 
that the weaknesses were fully addressed. Although the 
department acted to contain and eradicate an incident detected 
in 2012 involving the intrusion of its network, it could not 
demonstrate that these actions were effective. For example, VA 
officials could not locate a forensic analysis report and did 
not retain digital evidence after 30 days, contrary to federal 
guidelines which call for the agencies to maintain records 
associated with security incidents for three years. VA also had 
not implemented at the time of our review a solution intended 
to address an underlying vulnerability that contributed to the 
incident. It had taken other limited actions but these were not 
sufficient to prevent recurrence of a similar incident. In 
addition the department's Network and Security Operations 
Center, or NSOC, did not have sufficient visibility into 
computer networks across the department. As a result NSOC can 
not be assured that the incident was fully contained and 
eradicated. NSOC has initiatives underway to further improve 
its incident response capabilities. However, it has not yet 
established a time frame for completing these actions.
    Regarding the two key applications we reviewed as of June, 
2014, VA resolved six of nine vulnerabilities that NSOC 
identified, including a critical vulnerability which VA 
corrected within one week of discovery. However, VA had not 
developed plans of actions and milestones for the three 
remaining high risk vulnerabilities, thereby diminishing 
assurance that it will correct these weaknesses in a timely and 
effective manner.
    VA also has not conducted software source code scans for 
one of the two applications. This type of analysis can help 
developers identify and reduce or eliminate potential flaws. At 
the time of our review VA officials stated that they had 
drafted a policy requiring the use of these tools but it had 
not yet been approved.
    Regarding devices on its network, VA has not always applied 
critical software patches within 30 days in accordance with 
this policy. For example as of May, 2014 VA had not implemented 
ten critical patches which had been available for periods 
ranging from four to 31 months. The patches were intended to 
resolve a total of 301 vulnerabilities and each one was missing 
on numerous devices or instances, ranging from about 9,200 
instances to about 286,000 instances. In addition, VA scans for 
non-Windows based systems were not comprehensive because they 
were not performed in an authenticated mode. As a result, 
increased risk exists that VA will not detect vulnerabilities 
and take steps to mitigate them.
    While the department has established an organization to 
improve its remediation efforts it has not yet identified the 
specific actions, priorities, and milestones for accomplishing 
these tasks thereby limiting its effectiveness. In our report 
we made eight recommendations to assist VA in addressing these 
matters. The department agreed with our recommendations and 
stated that it had already taken actions to address six of the 
eight recommendations and plans to address the other two. We 
have not yet verified these actions to determine whether they 
effectively addressed the issues raised in our report. But we 
intend to do so as part of our normal follow up procedures.
    Mr. Chairman, Mr. Ranking Member, this concludes my 
statement. I would be happy to answer your questions.

    [The prepared statement of Gregory Wilshusen appears in the 
Appendix]

    The Chairman. Thank you very much. We appreciate it very 
much. Thank you all for your testimony. And I will recognize 
myself now for five minutes to ask questions.
    We will start with Mr. Warren. As confirmed by the OIG and 
the recent wait times report, fake patient appointments called 
the ZZ test appointments were used to secure appointment times. 
The fake appointments made it appear as though the provider had 
a full appointment schedule and it prevented veterans from 
obtaining timely appointments. According to the emails obtained 
by the committee investigators there are hundreds of 
appointments being taken by ZZ test patients just in one VA 
facility alone in Portland, Oregon. To me it seems that some VA 
employees were deliberately and knowingly withholding care from 
our veterans. Inexcusable. Can you explain how the VA network 
allowed for this to happen?
    Mr. Warren. Sir, I am not aware of the incident you are 
referring to in terms of using I think you said ZZ patient as a 
category. Glad to take that back to the team to understand it. 
If folks are using false accounts or false patients to block 
veterans getting appointments, I find that as abhorrent as you 
do, sir. So we will, I will gladly take that back.
    The Chairman. You are not, you are not aware of that?
    Mr. Warren. I am not aware of that, sir.
    The Chairman. You are not aware of that by another title, 
other than ZZ patients?
    Mr. Warren. I am not aware of that but I will definitely 
take that back and get back to you with what we find, sir.
    The Chairman. Well please get back to us as soon as 
possible.
    Mr. Warren. Yes, sir.
    The Chairman. Thank you. Anyone else want to comment on 
this particular subject in the panel? Okay. Next question for 
Ms. McCauley. In its Phoenix report OIG explained that the 
VistA system audit trail was not on. The lack of audit trails 
limits and in some cases blocks review efforts looking for data 
manipulation and destruction. Did your work identify this 
concern in other systems and other sites?
    Ms. McCauley. Yes. As part of the consolidated financial 
statement review as well as the FISMA work that we do every 
year we found that event logs were not turned on consistently. 
And this does pose a problem when we as auditors try to go in 
and do an independent assessment of a system to see the 
activity on the system. We need the historic data to see 
whether or not there was abuse of the system or any malicious 
intent by any users.
    The Chairman. Which locations? Would you, can you tell me 
which locations?
    Ms. McCauley. I do not have that information but I could 
take that for the record.
    The Chairman. Can you get back to us on that? I appreciate 
that. All right. Ms. McCauley, how effective has the Continuous 
Readiness and Information Security Program, CRISP, been in 
improving VA's information security posture?
    Ms. McCauley. Every year as part of our FISMA work we have 
seen improvements in VA's IT security. With the inception of 
CRISP in 2012 we have seen the institution of continuous 
monitoring. We have seen predictive scanning of VA networks; 
role-based and security awareness training for users to ensure 
that they understand the policies and regulations; contingency 
planning testing; fewer outdated background investigations; 
more consistent compliance with U.S. government baseline 
standards; as well as use of a governance, risk, and compliance 
tool to monitor and assess VA's IT posture. However, we are 
still looking at these improvements because many of them take 
time to mature and demonstrate their effectiveness.
    The Chairman. Thank you very much. Next question is for Mr. 
Wilshusen. Based on the previous identified vulnerabilities 
that continue to exist at VA, what impact could these 
vulnerabilities have on allowing data manipulation of veterans' 
sensitive information?
    Mr. Wilshusen. Well sir, I think they could have. They 
increase unnecessarily the risk that such information could be 
compromised. For example, the patches that had not been 
installed could potentially lead to increased risk that a 
veteran's information, including his personal information, 
could be affected----
    The Chairman. Okay. Give us an example of some of the 
information that could be manipulated.
    Mr. Wilshusen. Well this would be information that may be 
stored on various different work stations throughout the 
organization. And it could be any type of particularly 
sensitive information that may be maintained relative to the 
veterans.
    The Chairman. All right, next question for Mr. Warren. Are 
you aware that because audit controls are sometimes inactive VA 
employees are able to have unauthorized access to modify or 
delete patient records? Are you aware of this, Mr. Warren?
    Mr. Warren. Sir, I am not aware that folks have gone in and 
changed records. And in fact when the audit team raised the 
issue to us that auditing was not turned on for the scheduling 
systems we turned it on. And not only did we turn it on but it 
reflected our history of a decentralized program where every 
site controlled what was turned on or off. We pulled the 
ability to turn it off at the local sites away from them.
    The Chairman. I understand this is only for the scheduling 
system and not the other part of the network?
    Mr. Warren. This is for, for the scheduling system. And 
based upon which system you are speaking with, different 
systems have different levels of monitoring on them in terms of 
records changed or not, and different levels of logging of 
events that are taking place. Based upon what the GAO 
identified for us, we have gone back and we have raised, or if 
you will extended the time of how long we keep logs. Because 
they flagged for me a concern that we did not have material 
that you could see if you needed to come back and check. So we 
have used that input for us to improve what we are doing.
    The Chairman. Okay. Does OIG want to testify on that 
particular subject? I would appreciate it if somebody would 
speak up on this.
    Ms. McCauley. No, I do not have much to add on that. Yet as 
we conducted the Phoenix wait times review we did alert OI&T 
that the logs were not on and they did turn them on. We also 
asked OI&T to discontinue removing the names of former 
employees from the, system and putting them rather in a 
disabled state so that we can do our work, our investigative 
work.
    The Chairman. Okay, thank you. I now yield to Ranking 
Member Michaud. You are recognized for five minutes or so.
    Mr. Michaud. Thank you very much, Mr. Chairman. The IG, you 
testified that you expect that most of the 35 recommendations 
to remain open in the next year's report. In this year's report 
the VA recommended that most of the recommendations be closed. 
I guess the question for the IG is can you speak to this 
apparent disconnect between what you are recommending and what 
the VA is saying?
    Ms. McCauley. Yes. As I stated previously, for more than a 
dozen years we have identified IT as a security weakness. And 
in our reports we have continued to find pervasive problems 
with information security control deficiencies across the 
agency. We have issued recommendations with our reports year 
after year and most of those recommendations have carried 
forth. Some of the recommendations are over five years old. In 
terms of the vulnerabilities we are finding that, and will be 
reporting for this year's FISMA report, that for the last three 
years the number of vulnerabilities at the critical and high 
severity level, they have remained pretty much constant. And so 
because of these as well as other control deficiencies, 
including access controls, configuration management controls, 
security management issues, and contingency planning issues, 
our independent auditors have determined that the IT material 
weakness will continue to stand until they are addressed. The 
OI&T has provided some information for us to close the 
recommendations. But based on the results of our testing and 
our FISMA look, we have determined that the actions are not 
adequate to close the material weakness.
    Mr. Michaud. Thank you. Mr. Warren, would you address that 
as well? Why is there, appears to be a disconnect between what 
the VA is recommending and what the Inspector General has 
stated?
    Mr. Warren. Thank you, Ranking Member Michaud. We delivered 
evidentiary material to the audit team for 18 of 35 of the 
FISMA findings and seven of the 21 FISCAM findings. The 
feedback we received from the audit team was that there was not 
enough evidentiary material to support that so we are going 
back to understand what additional documentation is necessary 
to support those specific findings.
    We recognize, I recognize, and it is one of the reasons I 
applied more resources and I push on the team very, very hard, 
this is just the down payment, if you will, of the things that 
we need to do and the things that we have been doing. We are 
still overcoming our legacy of a large decentralized 
organization in terms of making sure at those 1,300 facilities 
everybody is complying with the standards and that we are 
implementing the changes that are necessary and appropriate at 
that time.
    Mr. Michaud. Thank you. Can you also, Mr. Warren, tell me a 
little bit about the RFP process for the new scheduling 
software? What are the key requirements? Is there a provision 
for self-scheduling capabilities within that?
    Mr. Warren. Yes, sir. The RFP to replace the existing 
scheduling software, and again it is one of three parallel 
paths but let me just talk about the replacement. That RFP is 
supposed to be on the street this Friday. I got a note from the 
acquisition community guaranteeing that, or promising that this 
morning everything is on track that we will be on the street 
with that this coming Friday. Key aspects of this acquisition 
is we are buying a commercial product, recognition that 
capability to do scheduling exists today. So key point, 
commercial product. Second key point is we did full and open. 
So instead of just doing, having vendors who have a 
relationship with the federal government being able to compete, 
we opened it up for all vendors. Anybody who has provided that 
type of capability, we wanted them to come to the table. Also 
key is we are running a two-step process. We are asking for 
folks to bid, a written response to the things being asked in 
terms of capabilities. We will down select and then we will go 
to a demo period in terms of having the vendor show the 
capability. And the evaluators will include schedulers from the 
sites because we want to make sure the tool will meet their 
need. So once that comes in, we expect to award that contract 
end of March, no later than end of March. And then we are going 
to be on six-month cycles dropping capability out to the sites 
as we bring on what is needed.
    With respect to veteran self-scheduling, we have a parallel 
path for that to bring online an app that will allow veterans 
first to request an appointment and then build on it such that 
they actually can schedule an appointment. And we are making 
sure we synchronize that mobile app with whatever that final 
commercial product is.
    Mr. Michaud. And does that address security issues and 
would deter improper data manipulation as well?
    Mr. Warren. Sir, we have built into the requirement that 
logging needs to be there. But by definition a scheduling piece 
of software allows the changing and cancelling of appointments. 
So making sure the logging is on, the audit trail is on, will 
allow teams to look for unusual patterns of cancellations or 
changes. So that is built into the requirement, to have that 
type of auditing and logging on it so if that type of behavior 
happens folks can see it and take the appropriate action.
    Mr. Michaud. Thank you, Mr. Chairman.
    The Chairman. Thank you. Now I will recognize Mr. Lamborn 
for five minutes.
    Mr. Lamborn. Thank you, Mr. Chairman. Mr. Warren, one of 
the concerns I have with the VA's ability to safeguard our 
veterans' personal information is the fact that there are no 
user based restrictions in place in VistA that would ensure 
that employees only have access to the information that their 
job positions call for. Now given reports of unauthorized 
access and zeroing out of appointments, do current systems 
create an auditable log that shows who accessed specific data 
or made a scheduling change? I know we already touched on that 
some but I want a full answer on that.
    Mr. Warren. Sir, there is, there are two categories of 
applications that are in use within the VistA constellation or 
universe today. The majority of them actually log if, when a 
person accesses a particular thing or makes a change. There is 
a second class of tools that started to be introduced in 2006 
that we are slowly transferring out that actually do not carry 
the appropriate log on it. So the majority of cases it is 
flagged and it is logged. But there are certain pieces of 
software where those logging and control does not take place.
    Mr. Lamborn. How soon will you be at the point where only 
the system administrator can turn off the logging aspect?
    Mr. Warren. So for logging, which is running on a parallel 
track, we have actually pulled back the ability for folks 
locally to change logging. So now you cannot do it locally. It 
has to be done nationally based upon the observations that the 
audit team gave us that was specific to scheduling. I will go 
back and confirm for the other modules if we have done the same 
thing in terms of pulling that authority back. But I will bring 
that back for the record, sir.
    Mr. Lamborn. Yes, and if you could bring that back for the 
record, thank you.
    Mr. Warren. Yes, sir.
    Mr. Lamborn. Mr. Wilshusen, you state in your report that 
the VA said that they were doing six of the eight 
recommendations but there were two that were not satisfactorily 
addressed. Which two were those?
    Mr. Wilshusen. Well those were actually two recommendations 
that they still plan to address. It is not that they disagreed 
with our recommendations----
    Mr. Lamborn. Okay.
    Mr. Wilshusen [continuing]. But they still plan to do 
those.
    Mr. Lamborn. And which two are those?
    Mr. Wilshusen. Those particular recommendations, let me 
just check first.
    Mr. Lamborn. And I am looking at page five and six of the 
latest GAO report.
    Mr. Wilshusen. Right. The----
    Mr. Lamborn. Or Mr. Warren, could you----
    Mr. Wilshusen. Yes, I will have to get back----
    Mr. Lamborn [continuing]. Can you jump in on this, Mr. 
Warren?
    Mr. Warren. Yes, sir. The two areas where we did not ask 
for closure because more work needed to be done is on the time 
frames for completing initiatives to improve an incident 
response capability. It actually is a follow up from another 
GAO report, where we are putting in the notifications as well 
as the follow up actions that are required not only for the 
incident teams at the NSOC but as we cascaded down into the 
sites. The second area, which is a harder challenge for us from 
a technical standpoint, was referred to in the opening remarks 
and it deals with scanning non-Windows based systems. Because 
of the way those systems are designed it is not easily able to 
scan them from a central location. So we have reached out to 
our vendors who provide those systems and asked them how can we 
roll the accounts up into a centralized area such that we can 
do the types of scans being asked for us. So those two are open 
because we still have work to do on those.
    Mr. Wilshusen. And that is correct.
    Mr. Lamborn. And Mr. Wilshusen, what is your response to 
their stated intention on those two unresolved areas?
    Mr. Wilshusen. Well if they address the areas and implement 
those actions effectively then that could address the intent of 
our recommendation and hopefully will mitigate part of the 
weakness. It is something we will follow up on as part of our 
audit follow up process, to determine the effectiveness of 
their actions once taken.
    Mr. Lamborn. Okay, thank you all for your answers and for 
being here. Mr. Chairman, I yield back.
    The Chairman. Thank you. I appreciate it. Now we will 
recognize Mr. Takano for five minutes.
    Mr. Takano. Thank you, Mr. Chairman. Mr. Warren, the 
Inspector General found that the, ``VA specific guidance for 
integrating security into the budgeting process does not 
exist.'' In light of this, does the VA have a clear picture of 
what the ultimate costs are for the scheduling software and 
VistA modernization efforts? And whether or not security is 
being properly integrated into the budgeting process for these 
efforts?
    Mr. Warren. Thank you for that question, Congressman 
Takano. There is actually three pieces, if I can hit those.
    Mr. Takano. Okay.
    Mr. Warren. The first one deals with how do we lay out the 
guidance and instructions to the organization to plan for 
security as part of any investments or operating costs? That 
change was implemented as part of the fiscal year 2015 
execution budget and the 2016 planning budget, the budget that 
Mr. Chairman referred to showing up in February. So put it in 
place, build it into how we do that. With respect to VistA 
evolution, one of the key aspects of VistA evolution, part of 
the architectural change in referring to Mr. Lamborn's question 
earlier, that architectural change to make sure all components 
within the VistA constellation actually audit appropriately are 
part of VistA evolution. So we have built in security into the 
architecture. We have also just moved out and we have reached 
to a third party to come in and do an architectural review of 
VistA evolution and we are also reaching out to the open source 
community to have them look at what our designs are going 
forward to make sure we have not missed anything. The third one 
I believe was on VBMS, unless I missed that piece, sir. That is 
actually built into the original design and there are very, 
very stringent access controls within VBMS because it is a new 
software and we were able to build it in from the start. 
Security was key in today's era, security was key in the last 
five years. More than five years ago, security was not 
necessarily a key design criteria when we were delivering a new 
product. And the whole industry is actually dealing with that 
change, sir.
    Mr. Takano. So I just want to repeat, do we have a clear 
understanding of what the ultimate costs are going to be?
    Mr. Warren. For information protection, I have a budget 
that is laid out for 2015. Intent had been to clear the 
material weakness, 2014. We fell short. Again, why I applied 
more resources on top of what was already budgeted for 2015. We 
identified areas where we needed to do more, we needed to do 
different. So brought in more resources to take that on. We 
have that as a base program going through into 2017 and 2018. 
So we expect to continue that same level of resourcing. It is 
sitting at about $160 million to $180 million. But that does 
not include the staffing. So again, if you look at my workforce 
I have approximately 5,500 employees who are out in the field. 
Security is half of their job, day to day. So that is an 
additional $300 million a year in salary costs on top of that. 
So I have a pretty good sense of what the costs are to deal 
with the issues identified. But recognizing that the threat 
keeps evolving and we are going to keep adjusting what we need 
to bring in in case there are surprises that come out or, 
again, as the, our partners the auditors identify, you missed 
it here and you may think something at headquarters is 
happening right. But out in the field it is not, you need to go 
in and redouble your efforts in those areas.
    Mr. Takano. Can you, can you elaborate a little bit more on 
this open source community? And how that may, is or is not an 
advantage of the VistA system, which I understand is owned by 
the VA?
    Mr. Warren. The VistA system is a government owned product. 
It was developed with tax dollars. What we recognized about 
three years ago is there was actually a community of medical 
centers and organizations that were using VistA as part of care 
delivery outside of the VA. In fact, Indian Health Service is 
based upon a VistA variant.
    Mr. Takano. So these are entities outside the VA?
    Mr. Warren. Outside of the VA and----
    Mr. Takano. How extensive is this, are these entities? I 
mean, just I want to get a sense of the size of these 
communities.
    Mr. Warren. It is worldwide. I believe the country of 
Norway uses VistA as their healthcare delivery system.
    Mr. Takano. Oh, really?
    Mr. Warren. We have engagement with Jordan, where they are 
actually converting to VistA as their primary system. We will 
gladly get you back for the record a map and a list of all of 
the local communities----
    Mr. Takano. I would like to get a clear picture. Because I, 
it is one of the things that we are----
    Mr. Warren. Glad to.
    Mr. Takano [continuing]. Of course this integration with 
DoD and even future integration with non-VA providers, 
understanding VistA and its, and its advantages and 
shortcomings is really going to be important to me as far as, 
since it is a wholly owned piece of property by the federal 
government.
    Mr. Warren. And we have actually placed it out there. 
Because the challenge we had in the past was for individuals to 
use VistA code they had to do a Freedom of Information Act 
Request.
    Mr. Takano. Yes.
    Mr. Warren. So all kinds of process you had to go through. 
So the reason we established and supported that open source 
community was to remove that burden from people taking VistA 
and using it. So it is out there and folks are using the code 
and maturing the code as they go forward.
    Mr. Takano. My time has run out but I would like to explore 
more about this open source nature of this, of this software.
    Mr. Warren. Glad to, sir.
    Mr. Takano. Mr. Chairman, I yield back.
    The Chairman. Thank you, Mr. Takano. And what we will do is 
maybe after this first round if anyone else has any additional 
questions----
    Mr. Takano. Sure. Thank you.
    The Chairman [continuing]. I will give you the opportunity.
    Mr. Takano. I appreciate that.
    The Chairman. Thank you. Dr. Roe, you are recognized for 
five minutes.
    Dr. Roe. I thank the chairman. And if you would indulge me 
for just a minute, I do not know whether this will be the last 
time I have an opportunity to serve with the Ranking Member 
Mike Michaud. But Mike and I have served on this committee 
together for six years, and my entire time in Congress. I have 
gone to Afghanistan with Mike. I think he truly has the 
veterans' best interest at heart. He has worked in a very 
bipartisan way. And I would just like to take this opportunity 
personally, Mike, to thank you for your service.
    [Applause.]
    Dr. Roe. I sincerely mean that. And it will be a real loss 
to our committee and I look forward to continuing our 
friendship once you leave the U.S. Congress. And again, thank 
you for your service. And Mr. Warren, thank you and your family 
for your service to the country. And my heart goes out to you 
for your loss. I share that as a fellow veteran and I want to 
thank you for your, your family is a true patriotic family so 
thank you for your service to our country.
    You know, I have a hard enough time turning on a PDA, okay? 
So some of this is going over my head, past my head, or 
whatever. Just for a simple technologically challenged fellow 
like myself, could you tell me what a material weakness is? And 
the reason I bring that up is because if you look in a 
hospital, where I practiced, and a nurse gives somebody one 
Tylenol instead of two, that is a drug, a medication error. It 
goes down as a medication error but it really does not hurt 
anything. Are these things significant that you talk about in 
material weakness? And would it cause a significant problem or 
glitch if this were to not be addressed? And anybody can touch 
base on that.
    Mr. Warren. Sir, if I could it is--why don't you go ahead 
since it comes out of the audit community, and if I could 
follow up.
    Ms. McCauley. Yes. The IG declared information security a 
material weakness as part of its consolidated financial 
statement audits. Annually we are required to review the 
consolidated financial statements for their accuracy as well as 
to examine the financial systems that support them to make sure 
that there is no material misstatement in the statements. And 
as part of that we found out that there were the weaknesses in 
the systems that support the financial transactions of the 
department. There are several levels or categories of weakness, 
or we say risk, and the material weakness is the highest of 
them. There are also significant deficiencies. And there is a 
dollar threshold associated with that material weakness as 
well. And so based on the pervasive problems across the 
department we have ascribed material weakness to information 
security because there are so many risks involved.
    Dr. Roe. So if it is not addressed a significant occurrence 
could happen? A breach could occur?
    Ms. McCauley. Exactly. We are looking at it from a risk 
standpoint.
    Dr. Roe. Risk standpoint. I think the question, Mr. Warren, 
for you, and when you begin to get the scheduling system. And I 
can assure you, I hope the scheduling system works better than 
the one they have now because it is terrible now. I get 
complaints about it all the time and I hope that it is not 
punch one, two, three, four, and then you start all over again. 
The airlines do it very well right now. Quite frankly you can 
book an airline flight and your seat on the airplane and so 
forth. Once this gets started, how long will it take to ramp it 
up where it is actually functional?
    Mr. Warren. So two items, if I may. The first one to deal 
with the difficulty in accessing the screen. So instead of just 
waiting for the replacement of the software we actually put on 
contract in August, we get the first delivery coming in in 
December, January, which is to take in the existing system all 
of those separate screens and pull them into a single screen so 
it is easy for them to use. So we wanted to make sure we did 
the replacement right but we also wanted to get relief to the 
scheduler. So there would be reason not to get that scheduler 
done right and no reason not to make sure those right items are 
there. So relief on the way for the schedulers to make sure 
they have that usability to deal with the difficulty of it.
    With respect to the replacement for the existing system, 
right now the, again we are laying a timeline with some 
assumptions about the number of bidders. We are expecting to go 
through the two-step process and award by March. So end of 
March, no later than. So we are pushing very, very aggressive 
on this for something that is an open competition. So a lot 
folks are, not cutting corners, but streamlining every darn 
thing we can.
    We are, we have laid out notionally, we are saying we want 
six-month deliveries. So four deliveries so we can make sure as 
soon as we can we are using that commercial product. So we are 
not asking for somebody to build us a new scheduling----
    Dr. Roe. So by the end of 2015 maybe it is ramped up?
    Mr. Warren. We are expecting to get capability online in 
2015, starting it, and then basically rolling it out in phases 
across the complex as well as adding capability to it over that 
two-year period.
    Dr. Roe. Okay. So a couple of years. Okay. That makes 
sense. And one other thing. We go to many classified briefings 
and some of those I think concern veterans' records and the 
amount of foreign entities that may be hacking those records. 
Are you able to identify that when that is happening? Is the 
system secure enough to keep a foreign entity from putting 
malware on something that is then backdooring into another 
system?
    Mr. Warren. Sir, we actually do not care where it comes 
from. If somebody is trying to come after veterans' records, 
that is what we are interested in. And the way the system is 
set up, and we start from the outside with Homeland Security. 
They have Einstein 3 which basically covers our back and 
maintains the perimeter. So scanning on their end. We also work 
our way inward in terms of at our boundaries and multiple 
locations. One of the things that the IG identified for us as 
part of the audit, there were a couple of areas where we had 
blind spots. And so we are moving out and filling those blind 
spots. But we track all traffic coming in and all traffic going 
out through four key points. So all traffic is gated and then 
monitored as it is coming in and leaving the perimeter. So we 
believe we have pretty good visibility. Because we know malware 
will end up on desktops. Right? Folks click on the stupidest 
emails, that human condition, whatever it is, that causes you 
to want to see some picture or some thing--sir, please do not, 
it is not good. But we know that is going to happen. So the 
protections that are in place and the multilayers that are in 
place is to deal with folks doing bad things. Because I cannot 
stop them from going to the internet because it is pervasive in 
how we do our business.
    Dr. Roe. I thank you and I yield back.
    The Chairman. Thank you. Now Ms. Brownley, you are 
recognized for five minutes.
    Ms. Brownley. Thank you, Mr. Chairman. Mr. Warren, I just 
wanted to follow up again on, I am glad to hear that your, the 
RFP is going out for this new system, and you seem to be on 
track with that. You mentioned the self-scheduling solution. 
And is that going to be part of this RFP that you are speaking 
of that is going to happen this Friday, I think I heard you 
say?
    Mr. Warren. Ma'am, we actually are running parallel--I am 
going to lean over so I can----
    Ms. Brownley. I know, we have to look across.
    Mr. Warren. We are actually running on parallel tracks. So 
it is one of the options that is on the commercial product we 
are asking for. The second piece is we actually doing 
development for an app in terms of figuring out can we provide 
that and we would do it in as a two-step. The first step would 
be for veterans to ask for an appointment, so it does not have 
that deep connection in and make the changes. I do not know if 
we have briefed the complexity of it. We actually pull 
information from 71 systems when you actually try to schedule 
and then you have to send information back out to another 41. 
So basically two-phased. First phase to allow it to ask for an 
appointment. So it would get to a scheduler and they would work 
it. And then phase two is to make the connections so they 
actually could see what the availability was and start doing 
that negotiation online. And that is, that is probably a year 
and a bit out to get that full functionality. Because it is not 
a trivial thing to do and we want to make sure we do it right.
    Ms. Brownley. Okay. It seems to me that it is, and again 
like Dr. Roe I am not a master of IT issues at all. But it 
seems to me that, I mean there are apps out there in the 
private industry now for self-scheduling. It seems to me like 
it would be rather simple, particularly when we have the issues 
of canceled appointments, etcetera, and being able to, you 
know, use every single day efficiently and making sure that 
each one of those appointments are full, that it seems like it 
is a pretty easy process as opposed to a complex one.
    Mr. Warren. So the fact that the marketplace has matured to 
the point where folks can do schedulings online and those tools 
are out there is what drove us to buying a commercial product. 
So many years ago when this was tried before it was there was 
nothing out there, the market was not mature, we had to build 
it ourselves. The recognition and the America COMPETES Act that 
we did two years ago, the competition, again validated yes 
there were commercial products that were ready to be done. And 
we were also able to validate how you test it and prove it. 
Because the challenge for us is not that commercial product but 
how do we make sure when it connects into all of the existing 
capabilities that it does it right? Because when we schedule it 
is more than just the patient available, the veteran, it is the 
clinician, it is the room, it is the equipment, it is the 
assistance, it is the consumable products that need to be used. 
So we want to make sure we do that right. But we are building, 
if you will, we are counting on the fact that yes, that 
capability exists out there today and you are able to do those. 
Now we have to do the hard part as the vendor bring it in and 
the connections and making sure those connections work 
correctly.
    Ms. Brownley. And so when is the timeframe for completion 
of all of that?
    Mr. Warren. So the RFP for the replacement of the system 
goes out by this Friday.
    Ms. Brownley. Yes.
    Mr. Warren. We were trying to pull it in a little bit 
earlier but this Friday is a guaranteed it will be out.
    Ms. Brownley. Yes.
    Mr. Warren. We expect it, because it is a two-step, making 
sure that we have schedulers as part of the evaluation process, 
award of the contract by the end of March. And then what we are 
asking for is four six-month deliveries of capability. So in 
other words, all the things you need to do to schedule are 
many. It is more than just an appointment. We also want to 
figure out how we bring in televideo scheduling into it.
    Ms. Brownley. Yes, I am just talking about the, you know, 
the potential of having an app, a veteran on their phone, have 
an app, and be able to make their own appointment.
    Mr. Warren. So the app for a veteran to ask for an 
appointment is supposed to come out in 2015.
    Ms. Brownley. In 2015?
    Mr. Warren. So that is what is laid out. And that is 
separate from the replacement of the existing scheduling 
system. But glad to, for the record, lay out the schedule of 
those critical components. We have come up and briefed the 
staff with the detail but glad to bring another copy up with an 
update, ma'am.
    Ms. Brownley. Thank you very much. And I might not have 
time but I will at least get the question out. It seems to me 
in reviewing the total number of security incidents as reported 
across all federal agencies, the total number of security 
incidents reported at the VA is less. It is clear that the VA 
has a greater problem with non-cyber incidences. And so I guess 
my question really is, you know, what is the VA doing around 
non-cyber? You know, paper flow, paper information, hard 
copies, and so forth with regards to security training programs 
and, and other mitigations to address that?
    Mr. Warren. Mr. Chairman, can I answer?
    The Chairman. Yes.
    Mr. Warren. So if I could I would like to use this as an 
opportunity, something that we have been doing is we have been 
doing a monthly report. It has been in tabular form so this is 
everything that happens in a month. But what we did this past 
month is it is so hard to read this table we actually turned it 
into a chart. And to your point, ma'am, our incidents where we 
have fallen short have been in people and process steps, where 
folks did the wrong thing. They sent the wrong paper to the 
wrong person, or they downloaded the information and lost 
control of it. What we do with those incidences, it is part of 
our data breach core team. Anytime where there is the potential 
that a veteran's information was put at risk, and in the past 
month it was 536 times in October, we fell short of our 
responsibilities. Each of those veterans received credit 
monitoring. We also went back into the leadership chain to the 
organization where the failure took place and we identify was 
it a process failure? Was it a people failure? Was it an 
organizational failure? And we leave it to their chain to make 
the appropriate corrective actions. We build it into our annual 
training, so we look at what happened in the prior year. And 
every employee and contractor working with the VA is required 
to take security training before they can use systems. And we 
refresh that to point out do not do this, do not do that, look 
out for this, be aware of that.
    Ms. Brownley. Thank you. And thank you, Mr. Chairman, for 
your indulgence.
    The Chairman. How long has this been in place?
    Mr. Warren. Sir, the actual tabular reporting has been out 
there for at least three years, if not four. But the, it has 
been hard to understand. And so as part of our transparency is 
how do we put it into an info graphic so it really lays out 
what is the threat and where have we fallen short? Because we 
think it is important for that to be visible and folks to be 
aware.
    The Chairman. Thank you. Dr. Benishek, you are recognized 
for five minutes.
    Dr. Benishek. All right, thank you, Mr. Chairman. I have a 
question concerning the VistA program and your answer to Mr. 
Lamborn. As I understand it there is audits. You are not sure 
if the audits are taking place in all areas of VistA?
    Mr. Warren. So what I asked was to be able to go back and 
confirm for which systems what auditing is turned on at what 
level. For scheduling I know it is turned on.
    Dr. Benishek. Well why, do you not know, do you not know 
that answer?
    Mr. Warren. Sir, I did not come prepared with that answer 
at my fingertips but I will be glad----
    Dr. Benishek. Well how many different parts of VistA are 
there?
    Mr. Warren. I believe the reports vary between 86 to 128 
different modules or applications.
    Dr. Benishek. So like the patient, but it is all patient 
data, right?
    Mr. Warren. Patient data and where the data is held is 
actually a very small component of VistA.
    Dr. Benishek. Well I guess I do not understand why these 
audits are not in place. Why can somebody get access to a 
record without a record of them accessing it? Any case?
    Mr. Warren. So for the majority of applications that 
individuals use to access veterans' data or to do actions that 
result in veterans' data, the majority of those there is 
logging of who accessed the data and what they did and what 
data was changed. For a couple of applications starting in 2006 
a particular tool was used to deploy that software. It does not 
have the appropriate auditing in place. We are working through 
to actually replace all of that software.
    Dr. Benishek. All right. As I understand it there was like 
eight major areas that were addressed by the GAO and the IG and 
you have addressed six of the eight but the other two areas 
were not addressed. Is that right, Mr. Wilshusen? Is that the 
testimony?
    Mr. Wilshusen. No, it is not that they were not addressed. 
VA responded that it concurred with all eight of our 
recommendations and that it had already taken actions to 
implement six of those recommendations and that it plans to 
perform actions to complete the other two recommendations.
    Dr. Benishek. And how long has it been now since that came 
out?
    Mr. Wilshusen. Well the report just came out, was issued on 
November 13th and we released it yesterday. But we had briefed 
VA on our recommended actions and activities before then.
    Dr. Benishek. So there is a plan, then, Mr. Warren to 
respond?
    Mr. Warren. Yes, sir. For the eight items identified, six 
of those actions either underway or actions we needed to 
change. Two of them it took more work, so we are not able to 
come in and say we believe we have things underway to ask for 
closure. Two of them took more work and will take more work, 
one of which needs time, the other one trying to deal with the 
technical challenge in terms of how do we do what the audit, 
what GAO asked us to do.
    Dr. Benishek. All right. I still am somewhat concerned 
about this, this access to data issue. You know, I worked at 
the VA and I have seen data change in the system without 
adequate explanation why it occurred. And you know, that is a 
very concern to me especially in view of the fact that there is 
risk of foreign entities accessing the data. Is that not 
occurring today? Has that patch been done?
    Mr. Warren. Sir, if you have a specific instance where data 
changed, and it was somebody you were seeing, and you have a 
question about why it changed, definitely ask. Because we can--
--
    Dr. Benishek. Well no, I did that at the time but I did not 
get an answer.
    Mr. Warren. And when was that, sir?
    Dr. Benishek. That was before I came here. It would have 
been prior to 2011. But you know, a chart changed. And there 
was no, there was no, I mean it was a pathology report that 
initially was benign and then came back malignant with no 
evidence of anybody changing it except for the fact that I had 
told the patient that the path report was benign, and then when 
it came back the next time I had to tell him that the path 
report was malignant because it, and I did not have a piece of 
paper to document the fact that it was benign before. So it 
made me look bad.
    Mr. Warren. Sir, I would----
    Dr. Benishek. Do you understand what I am saying?
    Mr. Warren. Yes, sir. I would----
    Dr. Benishek. And that is the kind of stuff that I am 
concerned about, especially if there is foreign access. Now the 
IG and the GAO, is there a possibility for foreign access to 
the VA system at this time?
    Mr. Wilshusen. Well with respect to foreign access let me 
just say in terms of external access----
    Dr. Benishek. Okay.
    Mr. Wilshusen [continuing]. Regardless of the source, the 
findings that we identified are vulnerabilities in VA systems 
that have not yet been----
    Dr. Benishek. At this time.
    Mr. Wilshusen [continuing]. Corrected including ten 
critical patches that address up to 301 vulnerabilities. So the 
risk, is unnecessarily increased that unauthorized access could 
occur.
    Dr. Benishek. Is it still present today?
    Mr. Wilshusen. Yes. As far as when we did our review in, as 
of June, 2014, those vulnerabilities had not been addressed.
    Dr. Benishek. All right. Mr. Warren, do you have any answer 
to that? What are we going to do about that with the 5,500 
employees that you have?
    Mr. Warren. So managing vulnerabilities and particular 
patching of software. So that is one of the most dynamic parts 
of the job. If I can set aside the group that the IG identified 
for us that our financial system is out of date and the 
software actually cannot be patched. So that software cannot be 
patched, will not be patched, without breaking the finance 
systems at the VA. So we have compensating controls around that 
to put increased protections in place while we do it. For 
systems that exist outside of that pool, if I can. We have a 
very active if you will prioritization in terms of what we 
patch when and why. We count a lot on the fact that we have 
multiple layers of defenses on top of it. There is a balance 
between patching something, testing something before you patch 
it, because we have had instances in the past where the 
manufacturer sends us the patch, we push it out to the site, 
and we bring the site down. Because the software that runs on 
top of those work stations or servers run differently than how 
the vendor expected them to act. So we are always working a 
list of criticals, to highs, to mediums.
    Dr. Benishek. But--all right.
    Mr. Warren. And again, we run a punch list. We deal with 
the highs, I am sorry, we deal with the criticals and then we 
work--I am sorry, sir.
    Dr. Benishek. Sorry, my time is up.
    The Chairman. No, that is okay. Thank you, doctor. Yes, I 
want to ask OIG, Ms. McCauley, do foreign entities have the 
ability to enter the network?
    Ms. McCauley. We certainly continue to have concerns in 
that regard. I would like to ask Mr. Bowman to address that 
question, if I may?
    The Chairman. You are recognized, sir.
    Mr. Bowman. Every year we identify access control issues, 
configuration management issues, well known vulnerabilities. 
And these are all attack points by foreign nation states. So 
that possibility, that threat still exists. And once inside the 
VA network, such as the case where domain control was 
infiltrated, they can use that as a pivot point to laterally 
move throughout the VA network. So that threat still exists and 
we continue to identify vulnerabilities that need to be 
addressed.
    The Chairman. Thank you. I would like to recognize Ms. 
Kirkpatrick for five minutes.
    Ms. Kirkpatrick. Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Ms. Kirkpatrick. Let me first add to Dr. Roe's comments and 
thank our Ranking Member Mr. Michaud for your leadership. You 
have been a dedicated public servant, committed to our 
veterans, and it has just been an absolute pleasure serving 
under your leadership. And I really appreciate the bipartisan 
way that you have worked with the chairman and with the 
committee, making this one of the most productive committees in 
Congress. So thank you for that, and I wish you the very best 
in your future endeavors. And I hope you will stay in touch, so 
thank you.
    The Chairman. I will second that.
    Ms. Kirkpatrick. Thank you.
    The Chairman. We will not count that time against you, 
either.
    Ms. Kirkpatrick. Oh, okay. Well I will be brief, Mr. 
Chairman. I am glad to hear that you are looking at a 
commercial off the shelf version of the scheduling software. 
But did you do a cost benefit analysis between the cost and 
benefit of doing that versus continuing to invest in the VistA 
program and patch that and reform that VistA program?
    Mr. Warren. Looking at what the projected costs were for 
building inside versus outside was something that was 
evaluated. And when we looked at it there was a recognition 
that we could get to a solution faster, which was one of our 
driving goals, instead of us having to try and build it in 
house. And just to revisit history, and again it is an ugly 
history for us, from 1999 to 2009 the department tried for ten 
years to build a scheduling software package. In 2009 we killed 
that program. I was part of the team that said stop wasting the 
dollars, kill this program. That was a serious contribution to 
when we sat down and asked do we want to try this again and try 
and build something? Or do we use what already exists in the 
marketplace? And what drove us to it was it is there, it works, 
it is viable. Let us build on that instead of trying to do 
something that we have proven we could not do, specifically 
with scheduling.
    Ms. Kirkpatrick. How close are we to having VistA be 
interoperable with the Department of Defense system and with 
this new off the shelf scheduling system? Will they be 
interoperable?
    Mr. Warren. So if I could I would like to offer in for the 
record, I brought in a four-slide deck and a copy for the 
ranking member and the chairman and yourself, if you would 
like. Glad to hand it up. I do not know how to do that. It 
actually walks through how interoperability is happening. So I 
believe we have--we do not have copies. I will give you my 
copy, glad to give you my copy. And what it does is it lays out 
how data is flowing today. And too often we talk about 
interoperability as something that requires VA and DoD to use 
the same system. I do not know how we do this. Glad to give you 
that, ma'am, and we will get other copies up for the record.
    Ms. Kirkpatrick. Thank you.
    Mr. Warren. And what it does it lays out how data is 
flowing in four areas. The first one is between VA and DoD. And 
we actually move it first bidirectional. So if we have veterans 
or servicemembers that are seeing care between the two 
locations, we are moving that data back and forth today, 
irrespective of what system we use. For servicemembers who 
separate their medical record transfers over within 30 days and 
it comes into the VA system and it is available if a veteran 
ex-servicemember presents himself for care. Otherwise, we do 
not see it. It is there. The third area is polytrauma. As soon 
as a servicemember transfers to us the whole record comes over. 
That is how we move data back and forth in the existing system. 
Hard to see, it is in a panel somewhere else. JANUS, we have 
talked about this integrated viewer. We now see this data in a 
single view. Not just VA and DoD data, but all of the VA data. 
In the past when a veteran went to three medical centers you 
had to look at three places. Today you see it together in one 
place. The third area covered in that deck lays out the 
interoperability with third party providers. A lot of DoD care 
is done out in the private sector. With the Veterans Access to 
Care and Accountability Act, $10 billion of care is going to 
happen over the next couple of years. What record we use or DoD 
use has no effect on that data coming in. So laying out where, 
exchanges where we have got relationships, I believe it is 28 
organizations where we move data back and forth between the 
two. And then also where they do not have the ability to view 
back and forth, the secure transfer of data. We have nine 
relationships with those and again that is in that four-page 
deck. And the last one, it was a key commitment we made which 
was break the medical record free from the institution, the 
personal health record that a veteran can download and use. And 
it lays out all of the downloads and all of the capabilities 
that we put out there for veterans to take their record and go 
with it if they want to do it physically, or how through My 
HealtheVet they can see their information, how they can ask for 
renewals of medications, and how they can do secure messaging 
with their clinician, with their care provider if they have any 
questions.
    Ms. Kirkpatrick. And are you saying that capability is 
available now?
    Mr. Warren. That capability is there. And hopefully, I am 
not sure where those four slides went, it lays out, we have 
been working very hard on how do we clearly lay that out? We 
have had a difficulty in saying this is how we do it. And 
hopefully that information of use and glad to sit down with any 
member and go through it, whether yourselves, with the staff, 
to talk about the great progress I think we have made in moving 
that data between not only us and DoD but also with those third 
party providers. That is where the key risk for us in the 
future is.
    Ms. Kirkpatrick. Yes.
    Mr. Warren. Because we are moving that care out. So how do 
we get the data back and make sure it is used as part of the 
care?
    Ms. Kirkpatrick. Right. Well I look forward to the slides. 
And let me just conclude saying I would like to get the, a copy 
of the map that you were talking with Mr. Takano about----
    Mr. Warren. Yes, ma'am.
    Ms. Kirkpatrick [continuing]. That shows the different 
places that VistA is used.
    Mr. Warren. I will be glad to submit it for the record with 
not just in the U.S. but worldwide where VistA is used.
    Ms. Kirkpatrick. Thank you.
    Mr. Warren. Yes, ma'am.
    Ms. Kirkpatrick. Thank you. I yield back.
    The Chairman. Thank you. Mr. Huelskamp, you are recognized 
for five minutes.
    Dr. Huelskamp. Thank you, Mr. Chairman. I just want to 
follow up and clarify something with Mr. Warren. If I 
understand it correctly publicly you just said that no data has 
been exfiltrated as a result of attacks from the VA network?
    Mr. Warren. Let me go back and be very clear to your 
question, sir. We have two instances that the team has 
identified going back to 2010, 2010 and 2012. It was the point 
of the hearing that we had 18 months ago. In those instances 
what the forensics team has identified for us is user name and 
password files were pulled from the enterprise. So that data 
came out, not veteran data. As soon as that was identified we 
went in, we cleaned the systems, and we reset the passwords. On 
Friday, and because this question comes up and it is a concern 
not just external but internal, we actually asked an 
organization called Mandiant, I think you have probably heard 
of them. We asked them to come in and look at those domain 
controllers. Because if there is a question we want to make 
sure it is more than just my team saying they are clean. Friday 
they briefed us and said they are not seeing anything on those 
domain controllers. Preliminary report, they will have a final 
report by December. We will bring that report up and brief 
yourself, the staff, the members, and have Mandiant there to do 
it, which basically says ``they are clean''.
    Dr. Huelskamp. So within the timeframe since 2010 you have 
no knowledge that data has been exfiltrated out of the VA 
network?
    Mr. Warren. Sir, I have been briefed by my team of two 
instances where specific data was removed, usernames and 
passwords.
    Dr. Huelskamp. And that happened when?
    Mr. Warren. 2010 and 2012. We briefed the staff, glad to 
come up and do that again, sir.
    Dr. Huelskamp. And according to, I mean you make reference 
to the committee hearing, a subcommittee hearing, numerous I 
thought very reliable whistleblowers, they said the information 
removed from the network was encrypted. So and I thought the VA 
agreed they did not know what data was taken outside the 
network. But now you do know what data was exfiltrated out of 
the network?
    Mr. Warren. What the team did is, and because there are 
always unknowns, they looked at patterns and signatures in 
terms of what did it look like. And what the team gave back and 
briefed me, and we asked again and again, was they had 
reasonable confidence that the information that was removed 
from the VA was a file, the type of file that looks like what 
you----
    Dr. Huelskamp. So let me interrupt because I want to go 
inside the network. So it was not encrypted? Or it was?
    Mr. Warren. No sir, it was encrypted.
    Dr. Huelskamp. It was encrypted, and you broke the 
encryption so you know what the data was? You did not?
    Mr. Warren. No, the team identified how the file looked and 
what it looked like and where it came from, and said ``it has 
the shape and characteristics of that particular type of 
material.''
    Dr. Huelskamp. Which allowed access throughout the network 
then, as I understand from the OIG?
    Mr. Warren. Again, it is an area where there is a serious 
disagreement with the IG, which is why we asked Mandiant to 
come in and have a look at it.
    Dr. Huelskamp. Okay.
    Mr. Warren. When we became aware of it we basically changed 
those passwords. We also reimaged----
    Dr. Huelskamp. I understand what you did afterwards. I am 
still trying to figure out what you knew that you really knew, 
and when it was encrypted you did not break the encryption. I 
want, now I want to go into within the network. Mr. Warren, how 
would you know if someone manipulated data within the network?
    Mr. Warren. Depending on which system you are referring to, 
and what type of data, the triggers or the characteristics 
would be different. So it is part of the monitoring that either 
is built into systems where we are dealing with personnel 
information, or it deals with monitoring that our NSOC does in 
terms of----
    Dr. Huelskamp. Well I understand the variance. But would 
you not have to have audit controls in place and turned on in 
order to know whether someone actually manipulated data?
    Mr. Warren. Sir, we have audit controls turned on in many 
places. And again----
    Dr. Huelskamp. Are they always turned on? Are they always 
on, the audit controls?
    Mr. Warren. The audit team has identified for us where they 
were not turned on in the past. And so we have gone in and 
turned those on. Also again for the record we will bring back 
are there any other places where those controls are not turned 
on.
    Dr. Huelskamp. Why would they have been turned off?
    Mr. Warren. Again, dealing with our history where we ran in 
a decentralized world, where every single location made their 
own decisions, just basically overcoming that past where they 
did not feel either auditing was important, or they did not 
have the size or scope for it, or somebody turned it off by 
mistake.
    Dr. Huelskamp. But as of today you are confident that all 
audit controls are turned on within the network? Because if 
they are turned off, I mean, we agree you are vulnerable. And 
you would not even know if you are vulnerable, and you would 
not even know if anybody is manipulating data. And the OIG has 
talked about this for years. I mean, this is just not an 
occurrence, a few times. It is over the past plus decade, audit 
controls are not always on for whatever reason. So but as of 
today, what would happen if someone turned off an audit 
control?
    Mr. Warren. It would depend on which system we are speaking 
to. I mean, one of the things that we have deployed in our data 
centers is a way of measuring the configuration of a server so 
that before a change takes place you can actually go back and 
ask ``did that server get changed?'' So all of our servers and 
data systems, we actually take a measurement of them. It is a 
particular unique number that you use. And if somebody changes 
something in the system, the number changes and it tells us, 
``hey, something changed there.'' And it is a control that we 
use in terms of managing configuration, but also as part of our 
strengthening reliability of systems.
    Dr. Huelskamp. So you are confident that they are all 
turned on today?
    Mr. Warren. For the record, I was going to come back where 
we did not have them turned on, sir.
    Dr. Huelskamp. Okay. I am looking forward. I just want to 
make sure that every employee understands, you cannot turn 
those off. Or else the system is vulnerable, so----
    Mr. Warren. Sir, I believe we have been clear. And this 
hearing, I actually sent a message out to all of my employees 
that this was an important hearing to watch. So let me speak to 
them. If you are an OI&T employee, or a contractor supporting 
the VA, it is not your responsibility or obligation or right to 
mess with audit controls.
    Dr. Huelskamp. Period. And they will lose their job, why do 
you not say that, too? Well, no. We cannot say that. I am 
sorry.
    Mr. Warren. Appropriate disciplinary action----
    Dr. Huelskamp. It is not permitted. I yield back, Mr. 
Chairman.
    The Chairman. Thank you. Ms. Kuster, you are recognized for 
five minutes.
    Ms. Kuster. Thank you very much, Mr. Chairman.
    And thank you, Mr. Warren. And I too want to add to the 
accolades for my colleague and good friend from the neighboring 
state, Mr. Michaud. Thank you for being a mentor to me in my 
first term, I truly appreciate it. And I also want to thank you 
and your family for your service to our country, and I am sorry 
for your loss.
    I would like to focus in on the scheduling. I want to not 
ignore what has happened here, but get past that to what we can 
look forward to. I was very interested when I tried to learn 
more about this to have conversations with private vendors 
about what is possible, what is available. And in particular, I 
am looking at the highest and best and most frugal use of our 
tax dollars for making sure that we are scheduling our 
resources, our people, our physicians and caregivers, as well 
as our physical plant most effectively, expeditiously.
    And one of the things I learned about was the algorithms 
now that are available. All across private sector, all 
healthcare providers have a drop-off rate. Obviously, there are 
people who miss appointments. But it turns out that they have 
been able to do profiling to find out what type of patients are 
more likely to miss appointments and what type of patients are 
less likely. And then they are able to use these algorithms to 
schedule in the morning the most reliable patients and then 
double-book in the afternoon, later in the day, knowing that 
the less reliable patients would miss out. And I just wanted to 
get your thoughts.
    I understand the complexity and having this work with 
VistA, but can we look down the road to a place where we are 
using tax dollars and federal resources more efficiently in 
providing high-quality care, which is ultimately all of our 
goal? A bipartisan goal, by the way.
    Mr. Warren. Yes, ma'am. Thank you for that question. I will 
actually take that back. I don't know if those particular 
algorithms are built into the acquisition, but it is a great 
idea.
    Ms. Kuster. Yes.
    Mr. Warren. And I am sure Dr. Tushman, who I think has come 
up here before, who focuses on these types of things, would 
also have an interest in terms of how do we effectively manage 
and schedule those appointments and the critical resources. But 
I will go back and I will ask that question.
    Ms. Kuster. It was very impressive. And luckily I am not 
trying to influence your decision, because I don't remember the 
name of which of the vendors I spoke to. But it was just a very 
interesting notion, something as simple as figuring out who is 
likely to show up, using the time wisely, and then of course 
getting to the place where you can have self-scheduling I think 
is ultimately an important goal.
    On the second issue, I just wanted to explore a little bit 
more about the issue of the security based upon authorizations. 
And I believe Ms. McCauley mentioned even people who had left 
the VA continuing to have authorization. I know just in a small 
law firm this was complex, people come and go and they still 
have their passwords. But what steps have you taken both with 
regard to access authorization, and secondly, the issue around 
the missing laptop, have you taken steps to--about property and 
how have you communicated those throughout the VA?
    Mr. Warren. Yes, ma'am, great question. And it actually 
allows me to talk about information protection as more than an 
IT thing, because the question you are asking about is how do 
we make sure when an employee leaves or a contractor leaves 
that their access is removed. And we count on our HR systems, 
our HR processes, to do that. And it is an area that has been 
identified as a place where the systems are not connected. So 
one of the things that we implemented this year was we actually 
asked the HR community, ``hey, why don't you send us the list 
of people at each site who left the place. While we figure out 
the system stuff, how do we get the HR employees to actually 
tell us who left, so we can go back in and remove their 
access.''
    So it is a combination of how do we get the process to 
work, because too often folks leave and you don't know, with a 
lot of the residents and a lot of the term appointments coming 
in and out. And with the new HR system that the VA is rolling 
across the complex, it is peaking up that management of people, 
but until that comes into place we put in a manual safeguard, 
which is tell us when they leave. Give us that report you 
generate every two weeks and we will use that as part of us 
removing from.
    With respect to laptops, all of our laptops are now 
encrypted, as well as our desktops. So we went to a Windows 7 
conversion, the upgrade, it actually built in encryption to all 
of the hard drives. So the issue we have had in the past where 
a laptop or a desktop went awry, there was concerns about data 
on it. In most cases, veteran information is actually not 
stored on a desktop, it is actually stored back in servers and 
main systems, which allows us some of those controls.
    We are still wrestling with medical devices in terms of 
they are not encrypted, because most medical devices there are 
concerns about how the care delivery as part of the tool does 
or does not work. And what we go through, it is a very arduous 
and labor-intensive process, medical device or medical 
application by each one actually go and encrypt. BCMA, which 
was a bar code medication, it was not encrypted, it was one of 
our biggest risks. But we spent many years working with the 
medical community to show them and prove to them encrypting the 
devices would not impact care, and now we are rolling out that 
out across the complex. But many, many more years of work on 
the medical device side to get them up to the same standard of 
the devices I am responsible for.
    Ms. Kuster. Great. Well, thank you, Mr. Warren. My time is 
up. But I also appreciate--I understand from the materials that 
you took a courageous stand in your just recent background and 
I appreciate that. So thank you very much.
    I yield back, Mr. Chairman.
    The Chairman. Thank you.
    Dr. Wenstrup, you are recognized for five minutes.
    Dr. Wenstrup. Thank you, Mr. Chairman.
    Ms. Burnette, I do not want you to feel left out today and 
I notice no one has asked you any questions. But I would--I am 
curious to know the actual role of the Enterprise Risk 
Management Program. If you could tell me what role you play in 
protecting the confidentiality and integrity of our veterans' 
records.
    Ms. Burnette. The Office of Enterprise Risk Management is 
relatively new to OI&T and recently, about a year after we set 
up at OI&T, we now have an office VA-wide that has a risk 
registry that supports the secretary.
    The idea is, it is our number-one goal is to figure out how 
can we forecast and get in front of those things that could 
potentially preclude us from being successful in helping a 
veteran have the experience that he should have trusting 
reliability.
    Dr. Wenstrup. So what type of background does somebody have 
for say your job. What puts you in that position and what are 
some of the things that you are forecasting or are trying to 
look for in trying to be risk averse?
    Ms. Burnette. We have about 55 risks currently on the risk 
registry, 27 of them we are mitigating. And they range anywhere 
from human capital competencies, do we have the right people 
doing the right job, to our ability to move to the cloud in a 
very efficient manner, to operational stability, does our 
infrastructure have the stability. Again, all of these things 
are based on forecasts, so that we can get in front of those 
problems that we might encounter.
    Dr. Wenstrup. So are there any things that you have 
uncovered? Are there any thing that you identified as a 
potential risk, and found it and eliminated it?
    Ms. Burnette. Yes. As a matter of fact, IT-sensitive 
equipment was a risk. It was written up in the GAO and the OIG 
report about three years ago and we have come up with about 27 
mitigating strategies. It used to be--or the GAO reported that 
we were at 55-percent accuracy of knowing where that sensitive 
equipment is and we are now at 90 percent as a result of those 
mitigating strategies. Our goal is 95 percent. So we are still 
working on those, but we are making great progress.
    Dr. Wenstrup. I mean, do you look at everything from 
staffing weaknesses----
    Ms. Burnette. Yes.
    Dr. Wenstrup [continuing]. You know, people within the 
system that could be doing harm? How do you find those types of 
things, how do you look at that?
    Ms. Burnette. I don't know about looking in the system for 
people that are doing harm, but we definitely look at what 
kinds of technologies are on the horizon and do we have the 
right competencies in our workforce, and what kind of training 
modules do we need to develop to support those.
    Dr. Wenstrup. How many people in your department, if you 
will, in your section?
    Ms. Burnette. I have about 20 people that do risk 
management planning. So they go out and they look at the OIG 
and the GAO reports, they work with risk champions, they look 
at what's happening in the IT arena. And then we have about--we 
have a total of 100, so the remaining 80 actually support 
mitigating strategies. So they go out and do security-control 
assessments. Many of the NIST controls that the OIG had 
mentioned, we also support those.
    It is the actual assessment process. So you need to go out 
and we need to validate that, yeah, this is a forecasted risk 
and start developing mitigating strategies, and we do that in 
conjunction with the subject matter experts from the different 
parts of the organization.
    Dr. Wenstrup. I am just curious what type of background 
someone has in this role. I mean, is there a degree in this? 
Where does it come from?
    Ms. Burnette. It is actually very new to the Federal 
Government, Enterprise Risk Management. Like I said, my 
organization, who does a phenomenal job, is only about two 
years old. And OMB has recently issued----
    Dr. Wenstrup. So there is no like--there is no specific 
background to this?
    Ms. Burnette. Well, I think we deal with risk every single 
day. I mean, I have spent 20 years in the federal sector and I 
have worked managing large-scale program management offices 
that do weather site modernization and all the risks that are 
associated with that, to managing large-scale acquisitions 
for----
    Dr. Wenstrup. Well, we are all in favor, I would say, of 
preemptive action on things----
    Ms. Burnette. Exactly.
    Dr. Wenstrup [continuing]. Of course, and that sounds like 
that is the role. How do we measure if we are getting the bang 
for our buck?
    Ms. Burnette. Well, I mean, I think one of the ways we 
measure it is through the ITS, and inventory would be a good 
example. I mean, certainly understanding where our equipment is 
and ensuring that there is accuracy associated with that and 
making sure that it is disposed of properly. All of those 
things----
    Dr. Wenstrup. Shouldn't those things be within their own 
departments, though? Quality assurance, if you will? There is 
accountability within each department? I am just trying to 
figure out this role. I mean, I don't know if you are going 
around patting people on the back, saying you are doing a great 
job, keep it up, or what are we really--what are we really 
getting from this entity? I am just curious, because I am not 
familiar with it.
    Mr. Warren. Congressman Wenstrup----
    Dr. Wenstrup. Yes.
    Mr. Warren [continuing]. Mr. Chairman, if I could?
    Dr. Wenstrup. Sure.
    Mr. Warren. Ms. Burnette's organization and her team I look 
to, and we look to, to look over our horizon. Too often my day 
and my leaders are all about operational delivery of 
capabilities. We do fixate and focus to the now and the near. 
We probably have a six-month to a nine-month time horizon where 
this thing is due, where are you on that. Too often, because 
you are looking down, you can't see something that is coming at 
you. So we look at her team to actually broaden the view and 
ask, okay, what is it that we are not seeing? What is it that 
we are not dealing with right now? But if we don't do 
something, we need to.
    And so we count on the team and it is a two-part team. One 
part is look over the horizon and use the reports from the 
auditors, from outside folks, from other organizations what 
they have seen. The other pieces we use for internal controls, 
we actually send them out and do the checks. Because the IT 
organization is so large, I actually make sure there are things 
that we look at. As an example, we look at the top ten 
travelers every year. Why did those people travel? Should they 
be traveling that much? We also go out and look at, as Ms. 
Burnette talked about, inventory. It was a big issue for us, 
folks not tracking and managing their inventory.
    And so we moved away based upon her team's counsel from a 
once-a-year audit or inventory to right now every month ten 
percent of the inventory is assessed. So you are not all of a 
sudden at the end of the year going, oh, my gosh, we have lost 
it all, but how do I look at ten percent at a time. And that we 
embrace as a result of her team saying, you know, if you don't 
get your arms around this, you have got a serious problem. You 
have got a serious problem from an asset value, but also the 
information protection side, things will be leaving.
    So, again, over the horizon, but also a part of it is 
looking to make sure are we doing the day-to-day things and 
from an internal accountability standpoint, internal controls.
    Dr. Wenstrup. Thank you.
    Mr. Warren. Hopefully that helps, sir.
    Dr. Wenstrup. It was very helpful. Thank you, I appreciate 
it.
    The Chairman. Okay. Why don't we go with now Mr. O'Rourke. 
You are recognized for five minutes. Thank you.
    Mr. O'Rourke. Thank you, Mr. Chair.
    A question for the GAO, Mr. Wilshusen, and then also for 
Ms. McCauley. Some of the deficiencies that we have talked 
about today, how bad are they relative to other federal 
agencies or departments, you know, the 12 years of material 
weakness in IT security? Do you see that in those who manage 
Medicaid, Medicare, Social Security records, for example? Is 
there a comparable we can look at, and if so, how does the VA 
do against that comparable?
    Mr. Wilshusen. Let me start off before Ms. McCauley may 
speak.
    One is, as Ms. McCauley mentioned, VA has a material 
weakness in its information security controls. Within the 24 
CFO Act agencies, those agencies covered by the Chief Financial 
Officers Act, and include the major departments and agencies 
within the Federal Government, and there are 24 of them, seven 
of the 24 also reported a material weakness in fiscal year 
2013. We don't have the information yet for 2014, but for 2013, 
seven. So VA was one of seven agencies out of 24 that had a 
material weakness in its information security program.
    At the same time, there were 11 other agencies that had 
significant deficiencies in their information security 
controls. GAO has been identifying information security as a 
government-wide high-risk area since 1997. So it is a problem 
that extends beyond VA and touches upon many of the federal 
agencies within the Federal Government.
    Mr. O'Rourke. How about--so you have the data for those two 
years, do you have--and the government has been tracking it 
since `97--do you have any that since 2002 have had this 
problem sustained over that period of time?
    Mr. Wilshusen. Right. That would be relatively few of the 
agencies, the exact number I can get to you, I don't have that 
right now. But I do know as an example, the Internal Revenue 
Service was one agency for which we have conducted the audit on 
an annual basis and identified it having a material weakness 
for a number of years. But over the last couple years, it made 
strides in improving security to where we were able to upgrade 
it to a significant deficiency.
    Mr. O'Rourke. Great. And, Ms. McCauley, I don't know if you 
have anything to add. I guess I am trying to find some context 
to understand how VA is doing relative to other large agencies 
or departments that may have had similar problems. Are they 
reacting as quickly, more quickly, more slowly? How are they 
doing?
    Ms. McCauley. I really can't comment on that. In the OIG we 
have purview of just the Department of Veterans' Affairs, their 
information security program, and we haven't taken the 
comparative look and really--the GAO is in a better position to 
do that because they do the work government-wide.
    Mr. O'Rourke. Right. So maybe from the GAO it would be 
great to get----
    Mr. Wilshusen. Sure. And just as another metric, if you 
will. For fiscal year 2013, 21 out of the 24 agencies had their 
Office of Inspectors General designate that agency as having a 
major management challenge in information security. So it is an 
issue that extends to most of the federal agencies within the 
Federal Government.
    Mr. O'Rourke. And for the two of you, the title of today's 
hearing is VA's Longstanding Information Security Weaknesses 
are Increasing Patient Wait Times and Allowing Extensive Data 
Manipulation; is that a fact?
    Mr. Wilshusen. We did not look at the patient wait issue. 
As far as that is concerned, it relates primarily to VistA and 
we didn't look at that as part of our review.
    Mr. O'Rourke. Okay. Did the IG look at that?
    Ms. McCauley. We looked at the VistA system just as part of 
the wait times review. And the issues that we found were mainly 
related to the data integrity because of the use of unofficial 
wait lists, and also the issue of the audit logs turned off. 
But apart from that, we have not taken the look that would be 
needed to identify any kind of other information security 
deficiencies.
    Mr. O'Rourke. And based on Mr. Warren's responses today to 
your findings and to questions from the committee, do you have 
any ongoing concerns about the level of urgency and attention 
that VA is giving to the concerns that you have raised, the 
deficiencies that you have outlined?
    Ms. McCauley. The deficiencies with regard to the material 
weakness?
    Mr. O'Rourke. Correct. From his answers today and responses 
taken so far, do you have any ongoing concerns?
    Ms. McCauley. Well, the ongoing concern is that from year 
to year we continue to issue recommendations for improvement 
and many of these recommendations just continue to carry 
forward. Of the 35 recommendations from last year, most again 
will carry forward into the report for fiscal year 2014, and we 
continue to see the deficiencies across all of the control 
area. So, yes, we have a concern in not seeing the numbers go 
down as a result of our scanning.
    Mr. Wilshusen. And if I may just add with respect to our 
report? As I mentioned earlier, we had eight recommendations, 
to which VA agreed with all eight. But in their responses to 
two of our recommendations they did not seem to directly 
address the actions that we had recommended. One was to apply 
missing security patches. In its response to that 
recommendation, VA talked about its monthly scans, which are of 
course a critical control. But the bottom line is once they 
identify those patches, they need to apply them.
    And then our other recommendation with respect to 
identifying the actions, priorities and milestones for tasks 
related to improving their vulnerability remediation process, 
they really didn't address the priorities that they were to 
establish.
    Mr. O'Rourke. So unfortunately, and returning the time back 
to the Chair, it sounds like we may be here next year talking 
about these same issues.
    I yield back.
    The Chairman. Well, why aren't we implementing these 
recommendations, sir? And quickly, just very brief, because I 
want to get to Ms. Walorski.
    Mr. Warren. We are--and, again, we are implementing the 
recommendations. It is a question of whether the auditor 
believes that we have made enough progress over enough time for 
us to receive, if you will, credit for the work done. One of 
the challenges--and we have a very good relationship and the 
very good relationship is we have honest dialogue, what the 
auditor has seen and what we are doing, what fits, what doesn't 
fit.
    The Chairman. Okay, very good.
    You are recognized, Ms. Walorski, for five minutes.
    Ms. Walorski. Thank you, Mr. Chairman.
    I just think it is clear after almost two hours of 
testimony that the findings presented here just continue to 
reinforce the fact, and I guess Mr. O'Rourke's fact as well, 
that the personal information of millions of veterans still 
remains at risk. And to associate myself with your comment as 
well, I would like to encourage my colleagues to support my 
bill, H.R. 4370, that we have talked about in here before. The 
bill is based on a federal industry best practices that 
establishes an explicit plan of action to resolve VA's numerous 
IT security weaknesses.
    With that, Mr. Warren, phishing represented almost 70 
percent of the total incidents reported to the U.S. Computer 
Emergency Readiness Team in fiscal year 2013, but the VA 
reported only one phishing incident throughout the entire year 
and yet there were almost 1600 malicious code incidents 
reported. That appears to be a striking imbalance. Given that 
the goal of phishing is to deliver malware to the recipient, is 
this where the high number of--high volume of malicious codes 
are coming from?
    Mr. Warren. I can't speak to other organizations. I will go 
back and confirm that number just to make sure that what is 
reported is correct. So I will come back with the actual number 
for 2013.
    But there are two things that the VA is different with 
respect to the other organizations reported. We are the first 
department that turned on Einstein 3, and Einstein 3 is the 
latest that Homeland Security has brought to the table, and it 
blocks most of those phishing and other malicious attempts out 
of the email stream before it even gets to us. So there is a 
lot of work that takes place outside.
    We also have very complex systems at our boundary as well, 
where we are picking those out and we are stopping them. We 
stop more than 80 percent of the emails that come to our 
boundary before they even get to a desktop.
    So there is a lot of things that we have put in place as 
part of our continuous monitoring, as part of our defense in 
depth, that tries to stop those things from getting to us, so 
the individual doesn't make that mistake of clicking on a link.
    Ms. Walorski. Can you elaborate on a question that was 
asked earlier about moving forward on this issue of encryption 
on medical devices?
    Mr. Warren. The encryption on medical devices, it is a hard 
challenge for us and it starts with how the FDA certifies 
medical devices. And a lot of, I believe, new rule making took 
place in the last year, where prior to that rule making most 
vendors believed that when their medical device was certified 
or licensed no changes could be made to it, no encryption, no 
patching, nothing. And so we have had to actually move those 
devices into an isolation architecture. One of the things that 
the audit team has pointed out for us, we need to do better 
there, and there is a major effort this coming year to tighten 
it up.
    So we actually now work with manufacturers. There is 
actually a command center in Atlanta that HHS runs where we 
have our employees embedded with HHS and the Defense Health 
service dealing with medical devices. How can you secure them? 
Because it is an area of concern for the medical industry.
    Ms. Walorski. And it has been pretty well--I think it has 
been pretty well documented today by both the OIG and the GAO 
representatives being here to a question that was asked earlier 
about this issue of foreign entities potentially having access 
to our domain controller. How long would you estimate, Mr. 
Warren, it will take to put the patches and the different types 
of security links into the system that will prohibit a foreign 
entity from being able to access the system, how long will it 
take?
    Mr. Warren. So every day I get a new list of things to 
patch. So----
    Ms. Walorski. But how long will it be based upon----
    Mr. Warren. We will never be patched, we will never be 
patched. As an example, on Tuesday Microsoft released a patch 
for something that has been in existence for 20 years. So every 
day industry is finding new ways that things can be exploited.
    Ms. Walorski. If we will never be patched, how will we ever 
secure and have a vulnerable system to protect our veterans' 
personal information, and how will we ever connect to a DoD 
computer system if ours on the VA side is so vulnerable that we 
would suddenly have a tunnel of potential foreign entities 
right into the DoD system?
    Mr. Warren. So patching, ma'am, is one part of a complex 
set of tools.
    Ms. Walorski. But you just said we will never be secure.
    Mr. Warren. So patching is one piece, so patching is one 
piece of defending systems.
    Ms. Walorski. I understand, but you are the expert. You 
patch, you siphon, you do all these things, how long is it 
going to take to have the security of knowing that these domain 
controllers cannot be attacked and infiltrated by a foreign 
entity?
    Mr. Warren. I believe----
    Ms. Walorski. Because that opens the door to will we ever 
connect with DoD.
    Mr. Warren. Yes, ma'am. I believe, based upon what the team 
has briefed me on and the third-party Mandiant that has come in 
and looked at our domain controllers, that has happened today 
and prior to today. Those domain controllers are secured, and 
we continue to secure them and we continue to monitor them.
    Ms. Walorski. So back to your comment that we will never be 
secure. What will we never be secure on, our veterans' 
information?
    Mr. Warren. If I could clarify, ma'am?
    Ms. Walorski. Sure.
    Mr. Warren. I said things would not always be patched, 
because patching of vulnerabilities is one part of a spectrum 
of things that we need to do.
    Ms. Walorski. So in your opinion today, you are really 
disagreeing with these two here. You are basically saying, you 
just said, that the domain controllers are safe and they cannot 
be encrypted, they cannot be corrupted by a foreign entity?
    Mr. Warren. The report we have received, and we brought in 
a third party to look at it and we will bring that report up to 
the committee and the staff, is they are seeing nothing on the 
domain controllers that causes them to believe that they are 
compromised. So I believe we have got that locked down.
    With respect to patching, with respect to information 
protection, there is a whole host of things that you do to try 
and protect the enterprise; not just technical stuff, but 
also----
    Ms. Walorski. Are the veterans' personal information in my 
district safe and secure today? 57,000 in the State of Indiana, 
are they secure?
    Mr. Warren. Ma'am, my data is in there. I will take the----
    Ms. Walorski. You are not in my district. Are the 57,000 
veterans in my district secure today?
    Mr. Warren. I believe it is, ma'am, I believe it is. I 
believe----
    Ms. Walorski. Thank you.
    I am sorry, Mr. Chairman, I yield back.
    The Chairman. Mr. Walz, you are recognized for five 
minutes.
    Mr. Walz. Thank you, Mr. Chairman.
    I too would like to thank the ranking member for his 
service, not just as a member of this committee and as a leader 
and a mentor, but as a veteran. I feel I was well served by his 
leadership. So thank you, Mr. Michaud.
    I am really interested, I am going to go with Ms. Burnette 
in this over the horizon. I want to thank all of you for your 
service, but the one thing I would say--and I was one of those, 
as I said here, I was one of those 20 million veterans back in 
May, 2006 in the data breach when the laptop was lost, you came 
here. And then I still remember the day, it was a beautiful 
fall day, it was September 26th, 2007. Mr. Wilshusen, you were 
sitting right in that seat and I was sitting right in this 
seat, so this is deja vu.
    And I made the comment to Ms. Melvin, your associate, and I 
said, ``I feel that the issue here is more about culture of the 
VA and I am convinced that it is central before we can move 
forward to really understand the IT implications.''
    Ms. Melvin said, ``I would agree with you, definitely key 
to this is cultural transformation that's necessary, along with 
the actual implementation of new processes.''
    I'm reading from the transcript of that day in this 
hearing, in this room.
    Mr. Wilshusen, you came forward then and said, ``And I 
would just add that from an information security perspective 
that the tone at the top has increased significantly with 
regard to taking corrective actions to implement effective 
security controls since that May 2006 data breach. I think it 
was a watershed event, which really caused and highlighted the 
need for strong information security that is coming.''
    And at the end of mine I said, ``Great, I look forward to 
that. And I yield back.''
    Seven years and here we are. Was it still a watershed 
event?
    Mr. Wilshusen. In terms of recognition and awareness of the 
need to detect and report on security incidents that have been 
detected, I would say yes.
    At that time, just to give you an example, the number of 
incidents that were reported to U.S. CERT in fiscal year 2005-
2006 was about I think 5,500 or so. This past year, it was over 
70,000. And so the number of incidents that have been reported 
by agencies has increased significantly. Now, that can be for a 
number of reasons. One, better reporting, better detection on 
the part of agencies, the understanding of the need to report--
--
    Mr. Walz. When I go through this whole transcript, some of 
those fundamental issues have still not been corrected even 
though they were pointed out on that day.
    Mr. Wilshusen. Right, I would agree with that. But in terms 
of being----
    Mr. Walz. How do you explain that, Mr. Warren? That 
suggestions were made, the OIG was here, Ms. Melvin was here, 
Mr. Wilshusen was here, they suggested some of these, they 
still have not been implemented.
    Mr. Warren. So the cultural changes or the technical 
changes?
    Mr. Walz. Some of the technical, and I would argue the 
cultural is certainly somewhat more subjective, but it gets 
back to my central goal. You brought up a great point and I 
think you are right, Mr. Warren, we can't limp from incident to 
incident to incident, it has got to be the over-the-horizon 
vision on this. I am still looking how this is all going to fit 
in a longitudinal transformational plan, because at that time 
what you were here for too was asking for more money, which you 
yourself said on that day in 2007, ``We cancelled that program 
that we were asking money for in 2009.''
    Mr. Warren. So to the cultural question, the change started 
as a watershed event. The fact that at that point when it 
happened, IT was something that was buried in all the programs. 
And with the help of this committee, we moved away from 
something in the shadows to a single organization. It took 
until 2009 where we actually moved out on the centralization. 
We are recognizing that you have got to manage this as a 
business enabler, which includes protecting the veterans' 
information.
    From there, we have moved to the point when we talked about 
CRISP, this Continuous Readiness and Information Protection, 
was that next level, which is it is not an IT thing. Too often 
we say, yeah, the IT folks have got it. It is about how people 
think about the data, how they manage the data and how they 
protect the data. Over 90 percent of our incidents deal with 
people, they deal with folks doing bad things. Taking stuff out 
of systems, leaving it on paper----
    Mr. Walz. That is cultural.
    Mr. Warren [continuing]. Or throwing it away. That is 
cultural and we focus on that. And what has really been key 
with CRISP, that is another major step for us, leadership. Not 
IT leadership, but the deputy secretary, the secretary, the 
under secretaries all heard, and it was said from the 
leadership down, this is key to us. And so this communication 
about what it is and why it is.
    This report that I talked about that comes out monthly, 
that is a daily report that goes out to all of the VA 
leadership of every incident where veterans' data was put at 
risk. They have membership on this data breach team. So this it 
happens out there and we don't worry about it has gone away. 
Folks are aware of it and they understand what we need to do 
about it.
    Mr. Walz. How different will this hearing be in 2021 on 
this issue?
    Mr. Warren. I will tell you, sir----
    Mr. Walz. Competent.
    Mr. Warren [continuing]. I drive hard and one of the 
things, I drag my folks through a knothole starting in April, 
four nights a week. Where are we on? And when I say night, 6 
o'clock every night. And we shut it down in the end August, as 
we are waiting for the audit results, we are starting that back 
up again as we get prepared for the audit team. And it is 
constant attention, constant reinforcement, as well as you all 
support from a resourcing standpoint and the mouthpiece of this 
is important, because it is your data, it is my data, it is our 
family's data, and it is key to getting quality----
    Mr. Walz. I couldn't agree more. I just think it becomes 
harder and harder and harder, especially on the resourcing, to 
make the case. I think you understand that----
    Mr. Warren. Yes, sir.
    Mr. Walz [continuing]. And that is going to be the 
challenge.
    I yield back.
    The Chairman. Thank you.
    Ms. Brown, you are recognized for five minutes.
    Ms. Brown. Thank you. Thank you, Mr. Chairman, and also 
ranking member. I want to thank you for your leadership and 
keeping this committee bipartisan, what has been the 22 years I 
have been here.
    And I also want to say that when I came to this committee 
the main worry veterans was having was how to reconstruct their 
files for benefits, because much of it was lost in St. Louis 
fire. When we had Katrina, many of the veterans had real 
problems trying to get their records, because it was in a 
region and they could not access to other regions.
    So my question, as we move forward we need to make sure 
that, whether it is manmade or whether it is outside sources, 
that we are able to get that information for the veterans as we 
balance security and information.
    Mr. Warren, thank you for your service, and can you tell me 
how we are integrating that into the system?
    Mr. Warren. Yes, ma'am. And to make a connection, my 
father's records were lost in that St. Louis fire. So before I 
even came to the VA, I was aware of how dramatic and traumatic 
that event was for many, many veterans.
    But with respect to bringing the information over so we can 
make those benefits determinations, we look at that as two 
major components. The first one, we have talked about this 
before in terms of VBMS, moving away from a paper manual 
process to an automated tool that is delivering and the 
organization is using to meet the commitment we have made for 
2015. We have moved from piles of paper to 95 percent, over 95 
percent of those records are in electrons.
    Ms. Brown. Just one quick question. But with Katrina, we 
could not get those records.
    Mr. Warren. So with Katrina, on the benefits side, you are 
correct. But what was interesting on the health side, within 24 
hours those medical records in VistA were available for the 
folks who left the area when they came to other medical 
locations. VistA was up, their data was there, and they were 
able to get care based upon that.
    So we have been applying that knowledge into how do we do 
it on the benefits side. The first part is, get the tool in 
place that allows us to move away from paper. The second piece 
is the partnership with DoD in terms of moving that single 
treatment record over. Traumatic, dramatic, the fact that as of 
1 January, any service member who left service as of 1 January, 
the DoD is sending over that single treatment record with the 
certification on top of it. It allows us to move forward and 
rate those claims. We are working with them to move back to get 
the folks who left prior to 1 January. That is going to be a 
heavy lift, the challenge is in the reserve component and the 
guard component where the data is not in one place.
    So it is an area we focused on. I know Under Secretary 
Hickey spends a lot of time there. I know the deputy and the 
secretary also are very interested in making sure we get what 
is due to our veterans and part of that benefits piece is a key 
one.
    Ms. Brown. We had several meetings, not just with VA, but 
with the banking community, because the question keeps coming 
up about the foreign attacking the system, they have attacked 
the banking system. I got a call from my bank saying someone 
was charging my card in China. So it is clearly a problem. What 
are we doing as we coordinate these efforts? It is not just the 
VA, it is the entire system.
    Mr. Warren. Great question, ma'am. And one of the things--
and I would limit, because I am focused on how do I protect the 
veterans' data, and that is my fisc (?) in terms of--and my 
team's--is how do we protect inward. But we also, with our 
partnership with Homeland Security, we share with them all our 
data feeds. All right? So what we see, what gets through their 
defenses, how we respond to them, that gets to them. They also 
send the same to us. But teaming in terms of how do we protect 
the homeland, I would say that is probably the next area, 
beyond my scope and charge, but my hope is somebody is going to 
take that on.
    Ms. Brown. I think that is pretty much all of my questions, 
most of them was answered prior to. But I want to again thank 
you for your service. And I think you have been in this 
position since 2007?
    Mr. Warren. Yes, ma'am.
    Ms. Brown. It is refreshing.
    Mr. Warren. I am here to stay the course, I have got a 
commitment.
    Ms. Brown. Last thing. People keep talking, my colleagues, 
about the recommendations. And recommendations are very 
important and I guess you have to prioritize those 
recommendations. My question pertains to you all have made a 
lot of progress and I don't know whether or not you all have 
emphasized--some of those issues are going to be reoccurring, 
but emphasized the improvement that has been made in the VA 
system, and I would like for you all to give them a shout out 
for what they are doing for the people back home just 
listening.
    Mr. Warren. Ma'am, I really appreciate the opportunity to 
talk about the great work that my employees, that our employees 
are doing. We are the first department that has continuous 
monitoring in place and it is as a result of what they have 
done. We are the first department that brought Einstein on 
board in terms of those perimeters. The audit team has 
recognized where we have done improvements. But with that and 
with their dedication, and not just on the security side but 
making sure we are enabling that delivery of benefits and 
services, we know we have more to do. And we are committed to 
doing that, because 56 percent of my employees are in the same 
place I am, they are veterans. It is their data that they are 
protecting, it is their benefits and services that they are 
delivering to the buddies, their colleagues.
    And so I appreciate their commitment and dedication every 
day, and I am honored to serve as their leader. Thank you.
    Ms. Brown. Thank you.
    Can the IG answer that question also?
    The Chairman. Yeah, absolutely.
    Ms. Brown. All right. Would you, please?
    Ms. McCauley. Could you repeat the question again?
    Ms. Brown. Would you discuss the improvements that the VA 
has made? And, you know, you have talked about some of the 
issues will be back next year. Well, we have the same issues 
every year on every committee, whether it is--so can you give a 
shout out for the people that is listening to show the 
improvements that the VA have made over this period?
    Ms. McCauley. Certainly. Yes, as we conduct our FISMA 
assessments every year, we do see incremental improvement, and 
especially with the inception of CRISP in 2012. And as I 
mentioned earlier, we are seeing the continuous monitoring and 
the predictive scanning, and the improved training and testing 
of contingency plans and what have you. We know that the teams 
are working hard and we are continuing the dialogue with the 
OI&T and the IT professionals to ensure that they understand 
what requirements, the criteria that we are using to measure 
their progress by. And we had that discussion just the other 
day to ensure that we continue to talk about that and make sure 
we are all clear in terms of the demonstrated progress, but 
also the substantiating documentation that is needed.
    Ms. Brown. It seems to me that a lot of the problems 
pertain to training and I hope in your request you are asking 
for the money for training, Mr. Warren, because a lot of the 
problems, people taking things home, leaving information out, 
is just--like you say, you constantly have to remind them----
    Mr. Warren. Yes, ma'am.
    Ms. Brown [continuing]. Of their responsibilities.
    Mr. Warren. It is a key component of making sure that 
veterans' data is protected and we meet our stewardship 
obligations.
    Ms. Brown. Thank you, Mr. Chairman. I yield back the 
balance of my time.
    The Chairman. Thank you very much.
    With the consent of the ranking member and myself, counsel 
is permitted to ask questions. So, without objection, so 
ordered.
    We are going to start with the majority counsel. You are 
recognized, sir.
    Mr. Hannel. Thank you, Chairman.
    Mr. Warren, as you have been testifying in the last 20 
minutes, one of those outstanding IT employees of yours has 
emailed me as a whistleblower, and he has provided a number of 
emails. And in his emails it shows where he has been trying to 
get a problem addressed and his supervisors have basically shut 
him down. This is not speculation, I have looked at the emails.
    My question to you is this. Based on what he is sharing 
with us, with me, he has said that he recently mitigated 72,000 
accounts that were not picked up by VA's audit tool. Of course, 
these 72,000 accounts were for employees who have left the VA. 
These accounts were never closed, locked out, secured, nothing, 
they remained open. So these 72,000 former VA employees could 
access VA's network for an extensive period of time. So my 
question is how do you address this? How do you stop this? And 
because he has been trying to deal with this issue and he has 
been shut down by his supervisors, how do you deal with that?
    Mr. Warren. So the first thing. For the employee, thank you 
for coming forward. And if they are willing--all employees who 
come forward with issues like that, so I take it outside of the 
leadership chain, so they feel that they are getting the 
support they need, I send them to my chief of staff, because 
she is not in the chain for any of them. And we normally do 
fact finding or AIBs, if it raises to that level. So if he is 
willing to bring that information forward. I find it 
problematic that he has been trying to solve something and his 
chain did not support him. So if he is willing to do that or if 
you are willing to share--again, if the employee is 
uncomfortable--want to take that, want to take the appropriate 
action. It is inappropriate for anybody in the chain not to 
support individuals doing the right thing. And so if the 
employee is willing to come forward, send me an email, 
stephen.warren@va.gov, and I will personally take that on.
    Mr. Hannel. I will work with him and I will also--Mr. 
Wilshusen, I saw you were curious of those emails, I will share 
those with you as well.
    Mr. Wilshusen. Thank you.
    The Chairman. Thank you.
    Now I would like to recognize the minority counsel to ask 
questions.
    Mr. Tucker. Thank you, Mr. Chairman. I have no further 
questions.
    The Chairman. All right, very good.
    I have one question and Ms. Brown, do you have any other 
questions?
    Ms. Brown. No.
    The Chairman. Mr. Walz, do you have questions?
    Mr. Walz. No, thank you.
    The Chairman. Okay.
    Ms. Brown. I would like to see the email also----
    The Chairman. Absolutely.
    Ms. Brown [continuing]. Because----
    Mr. Wilshusen. Since it has been referenced.
    Ms. Brown. Yeah, since it has been referenced, I would like 
to see it.
    The Chairman. Absolutely, absolutely.
    One question. And it appears that almost--and, Mr. Walz, if 
you want to follow up with this, please don't hesitate. It 
appears that almost half of the cyber incidents reported came 
from just two government agencies, the VA and HHS. VA had the 
highest number of incidents reported overall and the highest 
number of malware incidents reported. It is apparent that the 
healthcare data has become and it has become a significant 
target of attackers. Healthcare data is 10 to 20 times more 
valuable now on the black market than credit card data. 
Unbelievable.
    So again I want to ask the question, but again we don't 
want to be here next year discussing the same topics, and I 
know Mr. Walz might want to add something. The question is what 
is VA doing to lower these numbers systematically? And I will 
ask Mr. Warren first.
    Mr. Warren. Thank you for that question, because it 
actually allows me to do a shout out to the VA employees, 
because they do report. And we have seen when we look 
comparatively for the rest of the Federal Government, given 
that we are under the same threats, that if you do the 
calculation of per head we report within the one hour. In fact, 
U.S. CERT has said, stop telling us, you are reporting too 
much, because we make sure we follow the letter of the law with 
reporting.
    The other big change that we are seeing is when we 
converted to PIV cards, our increase in reporting as a result 
of PIV cards, that is actually a security incident. And so our 
year-to-year increase has been a result of since everybody has 
gone to a PIV card, 360,000 of them, and we lose about a 
hundred of them a month, and when you start adding those up, 
that is a lot of incidents that are being reported.
    So lots of good reporting. But with those numbers, one of 
the things that I have high confidence in because of the things 
that the team has put in place is that we are able to report 
them, and we are able to report them because we are seeing 
them, because we are containing them, and because we are 
eradicating them.
    The Chairman. What are we going to do about the numbers, 
the incidents?
    Mr. Warren. Sir, the numbers will continue to go up. The 
threat environment, not just to the VA, but other departments, 
keeps increasing. No department can stop the threat coming from 
the outside. So what we have to do is make sure we have defense 
in depth, to make sure we have teamed with Homeland Security 
and they are using the signatures from the classified world to 
help protect us.
    The Chairman. If there are no further questions--do you 
have anything to add, Ms. Brown?
    Ms. Brown. No, I just want him----
    The Chairman. Please, thank you.
    Ms. Brown. He mentioned the Homeland Security program that 
you have in place, can you go through that again quickly?
    Mr. Warren. Yes, ma'am. There is a program called Einstein 
3, it is actually--it has been over multiple years as they have 
brought new protections on. And what it does, it is a two-part 
process. The first piece is departments move all of your 
traffic into control points. We have four control points. And 
at the control points, they use very technical and specialized 
equipment to look at all the traffic coming over the boundary. 
So we count on them, if you will, to have our back, because 
they have got our outer perimeter, and they are able to use 
stuff out of the defense world and the classified world that we 
would never see to help protect us. It is an area where they 
are able to add all of their knowledge in to make sure that we 
don't have to deal with that. That is where the strength in 
numbers is really working for us and we really appreciate their 
support.
    Ms. Brown. And so you stop over 80 percent of the--before 
it gets to the VA?
    Mr. Warren. Yes, ma'am. Over 80 percent of our emails never 
make it to an employee's desktop. And if I just do the numbers, 
is we stopped last month 82 million emails, we stopped them at 
the perimeter, because there was something suspicious about 
them. We stopped 206 million pieces of malware, 206 million 
pieces of malware in the month of October, before it even got 
to our employees' desktop.
    The Chairman. Okay. I would like to recognize the ranking--
actually, the majority counsel for a question.
    Mr. Hannel. One last question, Ms. McCauley. Einstein only 
identifies known profiles; is that correct?
    Ms. McCauley. I cannot address that question, I would like 
to state that for the record.
    Mr. Hannel. Mr. Wilshusen, do you know?
    Mr. Wilshusen. That would be correct. We are actually 
conducting an audit of Einstein at this point, our work is 
still ongoing. But just for Einstein itself, it needs to know, 
it identifies specific information that is known. If there is 
malicious software that is not yet known, such as zero days, it 
is likely that Einstein may not include it.
    Mr. Hannel. Thank you.
    The Chairman. Thank you, thank you very much.
    If there are no further questions. Again, I thank the 
witnesses and the audience for your patience, and thanks for 
this conversation today. And what I will do is I will adjourn 
the hearing. Thank you.
    (Whereupon, at 3:45 p.m., the committee was adjourned.)

                                 

                                APPENDIX

               Prepared Statement of Chairman Jeff Miller

    The Committee will come to order.
    Good afternoon everybody. I want to welcome you to today's Full 
Committee hearing.
    As our hearings this summer revealed, data manipulation had become 
an accepted practice at many facilities within VA. Moving forward with 
our investigation, it has become clear that a common thread in these 
scandals continues to be weaknesses within VA's Office of Information & 
Technology (OIT) and the systems for which they are responsible.
    For example, Committee investigators discovered VA briefing 
documents that reveal VA's medical information system, VISTA, allows 
for data manipulation. This internal briefing, given in April 2013 to 
senior VA officials, including VA's Chief Information Officer, 
described threats posed by anonymous user access to VISTA-- the 
automated system that supports the day-to-day functions of VA's network 
of hospitals.
    We continue to receive evidence from credible whistleblowers that 
at some sites there are no restrictions imposed on users and because 
their audit controls are not turned `on', VA cannot determine who or 
when someone had access to patients' data within VISTA. Further, we 
have found that most VA facilities do not have audit policy settings 
configured and no one is assigned to monitor the audit logs necessary 
for determining individual accountability, reconstructing security 
events, and detecting intruders. To date, these issues remain 
unresolved in VA's network and according to GAO, VA's Network Security 
Operations Center, who provide continuous, around-the-clock monitoring 
of VA's network, did not have access to the system logs at VA's data 
centers which inhibited its visibility across VA networks and ability 
to confirm whether a security incident was fully contained and 
eradicated.
    Because these audit controls are oftentimes inactive, employees and 
leadership are accessing veteran patient records against regulations 
and current law, including medical privacy rights under HIPAA. In 
addition, VA whistleblowers have confirmed that unauthorized access to 
employees' files is a common occurrence, but the office of information 
and technology has yet to prevent unauthorized access to employee 
files. Furthermore, these deficiencies could allow for the creation of 
bogus claims that authorize fraudulent payments to non-existing 
veterans as we showed VA during a member's brief last year.
    In addition, during the phoenix wait time scandal, veterans who had 
been identified as ``deceased'' on the electronic wait list were 
resurrected to appear as though they were ``alive''. When this practice 
was revealed by us to the OIG, we were told that it was common because 
a death certificate had not been filed; therefore, the veteran had to 
be listed as ``alive'' until proven deceased. However, as 
whistleblowers described, the death certificate requirement was a newer 
policy that began December 17th, 2013, only after this matter was 
reported to VA's inspector general.
    Other whistleblowers have reported that VA's system provides 
unauthorized access and modification of patient data because of the 
lack of a date and time stamp that would indicate when a record was 
modified and by whom.
    VA's inspector general has already substantiated that VA employees 
were manipulating data by ``zeroing out'' the number of days for 
awaiting appointments. In truth, according to our evidence, the current 
it system is easy to manipulate and anyone can make a patient's wait 
time zero at any given moment to hide scheduling and patient backlog 
issues. The ability for such manipulation in the system requires 
immediate attention, but the Office of Information and Technology has 
yet to address it.
    I should add that VA's Technology Office has greatly contributed to 
the problems of data manipulation by not addressing the long standing 
issues we have repeatedly brought to their attention, and these 
problems--and more--according to the Inspector General, have remained a 
material weakness for the 16th consecutive year.
    These failures are not because of a lack of resources, as some VA 
senior officials want us to believe. Within the past decade, congress 
has provided over 28 billion dollars to VA's Office of Information and 
Technology to ensure its goals and actions are aligned with and driving 
the strategic goals of the agency. Given the availability of resources, 
it is apparent that this office's lack of success and repeated 
underperformance is a leadership failure.
    Let me be clear, the failures aren't just a VA problem--they are a 
veterans problem. If a veteran cannot get access to healthcare because 
his or her eligibility claim is stuck--or because his or her claim is 
altered--or because the appointment has been altered, the veteran is 
prevented from obtaining healthcare and their hard earned benefits. 
Regrettably, I am concerned that VA lacks the technological foundation 
necessary to prevent these actions from reoccurring.
    I thank you all once again for being here this afternoon.
    With that, I now yield to Ranking Member Michaud for any opening 
remarks he may have.


                                 

                Prepared Statement of Mr. Stephen Warren

Introduction

    Chairman Miller, Ranking Member Michaud, and Members of the 
Committee, thank you for the opportunity to appear before you today to 
discuss the Department of Veterans Affairs (VA) Information Security.

Scheduling

    Before discussing how VA's information security posture has 
improved over the past year, it is important to make a distinction 
between access to care and VA's information technology (IT) security 
efforts.
    To my knowledge, there have been no indications that unauthorized 
individuals accessed the software; rather, some authorized users 
allegedly made inappropriate changes. Thus, there is no causal 
relationship between alleged internal data manipulation by certain VA 
employees and findings in VA's Office of Inspector General (OIG) 
Federal Information Security Management Act (FISMA) audit. As recently 
pointed out in OIG's recent report the limitations of the software 
underlying the scheduling system is secondary to the need for 
additional resources to actually schedule--doctors, nurses, and other 
health professionals; physical space; and appropriately trained 
administrative support personnel.
    The limitations of the scheduling system and associated practices 
are being addressed. Resourcing recommendations for IT investments are 
made by each of the Administrations (Veterans Health Administration 
(VHA), Veterans Benefits Administration, and the National Cemetery 
Administration) based on business priorities. VHA and the Office of 
Information and Technology (OIT) are working together to overhaul the 
outdated scheduling system and to bring an innovative scheduling 
program into VA's current electronic health record system--VistA. 
Empowering employees with the most useful and effective technology is 
key to transforming VHA. In the coming weeks, VA will release a Request 
For Proposal for acquiring new scheduling software, since the existing 
software was outdated and difficult to use. VA expects an interim 
milestone towards this acquisition in spring 2015. Through this 
process, VA held an Industry Day and engaged with VSOs for their input 
on what kind of a system would be best for Veterans.
    The technology underlying the current scheduling system used by VA 
medical facilities is cumbersome and outdated. In addition, there is no 
audit capability in the scheduling application that will indicate 
whether users are manipulating data to meet wait time expectations 
versus making legitimate changes to appointment information. On May 12, 
2014, as part of its investigation, the Office of the Inspector General 
(OIG) asked VA to enable audit controls on four Veterans Health 
Information Systems and Technology Architecture (VistA) files related 
to waiting lists. Once this request was received, VA immediately turned 
the auditing on for the requested items.
    VA's current electronic health record, VistA, already has access 
and audit capabilities. VA is evolving its existing VistA system to 
meet or exceed all Federal information assurance requirements including 
the Federal Information Security Management Act (FISMA), the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) Security 
Rule, applicable National Institute of Standards and Technology special 
publications, and Federal Identity, Access and Credential Management 
policies.

Progress Made in Information Security

    VA employs an extensive, layered, defense-in-depth strategy to 
protect the security and confidentiality of VA information and 
information systems and we continue to make great strides to keep up 
with ever-evolving threats. We have established appropriate technical, 
physical, and administrative safeguards to help ensure the security and 
confidentiality of Veteran records. Since the June 4, 2013, hearing 
before the House Veterans Affairs Committee's subcommittee for 
Oversight and Investigations, we have acquired new monitoring 
capabilities, increased desktop security, and enhanced our speed in 
detecting and combating challenges.
    Before we activate systems within our network, and before any 
Veteran's information is put into those systems, we take steps that 
ensure the information is protected to the best of our ability. The 
process for issuing formal approval to operate systems on VA's 
network--known as ``Authorities to Operate (ATO)''--has greatly 
improved in the last year. We have migrated from a manual, point-in-
time, paper process to an electronic, automated, continuous monitoring 
capability with the help of the newly implemented Governance, Risk, and 
Compliance (GRC) tool, which went live in August 2013. We are the first 
(and the largest) cabinet level government agency to have moved to 
continuous monitoring. This new capability allows VA to detect 
vulnerabilities early and respond to threats rapidly.
    The GRC tool is not the only new addition to VA's security 
infrastructure. VA has brought another more refined and powerful 
security tool into its enterprise. Working with our Federal partners, 
such as the Department of Homeland Security, we were the first cabinet 
level agency to implement Einstein 3, as well as the Office of 
Management and Budget's Trusted Internet Connection initiative. 
Numerous industry-standard scanning tools, firewalls, network and host 
intrusion prevention systems, and non-medical desktop and laptop 
encryption and anti-virus services protect the confidentiality, 
integrity, and availability of our data.
    As an organization of more than 300,000 employees, however, our 
biggest vulnerability is not technical. Physical exposure of VA data is 
the most significant risk facing our information security posture. Over 
98 percent of the sensitive data exposure at VA is due to paper or 
human error-based incidents. Network and system safeguards are not 
technical absolutes--we must constantly remain vigilant in preventing 
human error-such as an employee clicking a phishing link, mis-mailing a 
sensitive record, or losing an electronic device.
    VA is addressing its ongoing challenge of protecting Veteran 
information on paper by focusing on our employees. Because VA employees 
are the first line of defense when it comes to information protection, 
VA is working to improve employee awareness of information protection 
through training and other measures. VA promotes an environment where 
all employee's and contractor's actions reflect the importance of 
information security accountability.
    In addition, every VA employee, contractor, and volunteer is 
required to sign a ``Rules of Behavior'' statement that sets 
expectations and makes clear that users are accountable for the 
protection of sensitive information. Every employee, contractor, and 
volunteer is also required to take an annual Information Security and 
Privacy Training. System access is terminated if individuals are 
delinquent. If a security or privacy incident occurs involving an 
employee or group of employees, VA employs recovery activities that 
include re-training of those involved. In addition, VA runs an annual 
Information Security and Privacy Awareness Week and sends out monthly 
messages reminding employees about security and privacy best practices. 
Educating our workforce is an ongoing process that VA takes very 
seriously.
    The Department has established a rigorous data breach notification 
process. Once a reported incident is evaluated by the Incident 
Resolution Team, it is forwarded to the Data Breach Core Team (DBCT). 
The DBCT performs a risk analysis on all reported data breach incidents 
and when they determine a potential breach may have occurred and may 
pose a reasonable risk of harm to the affected individuals, they 
recommend that those individuals be notified and, if appropriate, 
offered free enrollment in a credit monitoring service to mitigate any 
risk of identity theft or improper use of their information. This 
robust review process is complemented by the monthly posting on VA's 
Web site of notifications of any data breaches, and this material is 
also provided to Congress through VA's quarterly data breach reports.

FISMA

    FISMA provides a comprehensive framework for ensuring the 
effectiveness of information security controls over information 
resources that support Federal operations and assets. OIG conducts 
annual FISMA audits of the agency's information security program. VA 
appreciates OIG's time and effort conducting its annual FISMA report, 
and appreciates that OIG finds VA's comments and corrective action 
plans as responsive to its recommendations. Although much work remains, 
VA has made significant improvements in the last few years and strives 
to meet the highest standards in protecting sensitive information. We 
are constantly and continuously improving our information security 
posture so that we may be the best possible stewards of Veteran 
information.

Federal Information System Controls Audit Manual (FISCAM)

    The Government Accountability Office FISCAM is designated to be 
used during financial and performance audits and may result in the 
identification of material weaknesses. The most recent FISCAM audit 
review reflects that we have closed out many of the observations from 
prior years, and are making considerable improvements each year. In a 
constantly changing threat landscape, we continue to evolve.
    The number of FISCAM findings has decreased 29 percent since fiscal 
year 2011. Highlights of VA's accomplishments in this area include:
         VA has resolved its findings on contingency planning, 
        as well as segregation of duties.
         VA reduced the amount of time needed to complete a 
        scan of the entire enterprise from approximately 1 year to 
        approximately 1 month.
         VA completed two-factor authentication for system 
        administrators.
         VA strengthened passwords critical to accessing 
        systems.

    OIG noted our compliance in the above areas, and now looks to us to 
maintain consistency across the enterprise. VA leadership remains 
engaged in order to remediate the recommendations made by OIG.

Conclusion

    Over the past year, VA has made demonstrable progress improving 
upon its defense-in-depth strategy to protect Veteran information and 
VA systems. VA has made progress in FISMA audits, in the tools we use 
to combat evolving cybersecurity threats, and in securing the systems 
our clinicians and employees use to serve Veterans. We continue to work 
to address the challenges we face, including continued work to close 
FISMA recommendations and better educating employees on handling 
sensitive information on paper. We will continue to ensure our IT 
systems, which are crucial to supporting our Veterans, are secure and 
our employees are responsible as we protect the information of the 
Veterans we serve.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

                                 [all]