This is the accessible text file for GAO report number GAO-02-1054T 
entitled 'VA Information Technology: Management Making Important 
Progress in Addressing Key Challenges' which was released on September 
26, 2002. 

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States General Accounting Office: 
GAO: 

Testimony: 

Before the Subcommittee on Oversight and Investigations, Committee on 
Veterans’ Affairs, House Representatives: 

For Release on Delivery: 
Expected at 10 a.m. EDT: 
Thursday, September 26, 2002: 

VA Information Technology: 

Management Making Important Progress in Addressing Key Challenges: 

Statement of Joel C. Willemssen: 
Managing Director, Information Technology Issues: 

GAO-02-1054T: 

GAO Highlights: 

Highlights of GAO-02-1054T, testimony before the Subcommittee on 
Oversight and Investigations, Committee on Veterans' Affairs, House of 
Representatives. 

Why GAO Did This Study: 

In March of this year, GAO testified before the Subcommittee about the
Department of Veterans Affairs’ (VA) information technology (IT) 
program, and the strides that the Secretary had made in improving 
departmental leadership and management of this critical area–including 
the hiring of a chief information officer. 

At the Subcommittee’s request, GAO evaluated VA’s new IT organizational 
structure, and provided an update on VA’s progress in addressing other
specific areas of IT concern and our related recommendations pertaining 
to: 

* enterprise architecture; 

* information security; 

* the Veterans Benefits Administration’s replacement compensation and 
pension payment system and maintenance of the Benefits Delivery 
Network, and; 

* the government computer-based patient record initiative. 

What GAO Found: 

Since our March testimony, VA has made important progress in its 
overall management of information technology. For example, the 
Secretary’s decision to centralize IT functions, programs, and funding 
under the department-level CIO holds great promise for improving the 
accountability and management of IT spending–currently over $1 billion 
per year. But in this as well as the other areas of prior weakness, the 
strength of VA’s leadership and continued management commitment to 
achieving improvements will ultimately determine the department’s 
degree of success. As for its progress in other areas: 

* Enterprise architecture. The Secretary recently approved the initial, 
“as is” version of this blueprint for evolving its information systems, 
focused on defining the department’s current environment for selected 
business functions. VA still, however, needs to select a permanent 
chief architect and establish a program office to facilitate, manage, 
and advance this effort. 

* Information security. Steps have been taken that should help provide 
a more solid foundation for detecting, reporting, and responding to 
security incidents. Nonetheless, the department has not yet fully 
implemented a comprehensive computer security management program that 
includes a process for routinely monitoring and evaluating the 
effectiveness of security policies and controls, and acting to address 
identified vulnerabilities. 

* Compensation and pension payment system. While some actions have been 
taken, after more than 6 years, full implementation of this system is 
not envisioned before 2005; this means that the 3.5 million payments 
that VA makes each month will continue to depend on its present, aging 
system. 

* Government computer-based patient record initiative. VA and the 
Department of Defense have reported some progress in achieving the 
capability to share patient health care data under this program. Since 
March, the agencies have formally renamed the initiative the Federal 
Health Information Exchange and have begun implementing a more narrowly 
defined strategy involving a one-way information transfer from Defense 
to VA; a two-way exchange is planned by 2005. 

This is a test for developing highlights for a GAO report. The full 
testimony, including GAO's objectives, scope, methodology, and 
analysis, is available at [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-02-1054T]. For additional information about the 
testimony, contact Joel C. Willemssen (202-512-6253) or at 
willemssenj@gao.gov. To provide comments on this test highlights, 
contact Keith Fultz (202-512-3200) or email HighlightsTest@gao.gov. 

[End of section] 

Mr. Chairman and Members of the Subcommittee: 

Thank you for inviting us to take part in your discussion of the 
Department of Veterans Affairs’ (VA) information technology (IT) 
program. Information technology continues to play an integral and 
substantial role in helping VA effectively serve our nation’s veterans, 
with the department spending more than a billion dollars annually in 
support of its information technology operations. As you are well 
aware, however, the department has been challenged in its efforts to 
effectively manage its information technology to produce results and 
achieve optimal agency performance. 

Our testimony last March noted important strides by the Secretary of
Veterans Affairs to improve the department’s IT leadership and
management, including the hiring of a chief information officer (CIO) to
lead the program and a commitment to reform how the department uses
information technology. [Footnote 1] Since that time, the Secretary has 
taken additional steps toward achieving improvements in key areas of IT
performance, including recently announcing a realignment of the way in
which the department is organized to carry out its information 
technology mission. 

At your request, we will discuss today this new organizational structure
and resulting changes in the role of VA’s CIO. In addition we will 
provide an update of the department’s progress since March in 
addressing specific weaknesses in its overall information technology 
program, including the status of its actions to: 

* develop an enterprise architecture; 
* improve information security; 
* implement the Veterans Benefits Administration’s (VBA) veterans 
service network (VETSNET) replacement compensation and pension payment
system and maintain the existing Benefits Delivery Network, and; 
* implement jointly with the Department of Defense and Indian Health
Service the government computer-based patient record initiative. 

In conducting this work we analyzed relevant documentation and 
interviewed key agency officials to identify and assess VA’s decisions 
and actions since March to improve its information technology 
management. We reviewed available documentation discussing the 
department’s plans and strategies for realigning its information 
technology structure. We also examined its enterprise architecture 
strategy as well as steps being taken to strengthen computer security 
management departmentwide. Further, we conducted site visits at the 
Veterans Benefits Administration’s regional office in Salt Lake City to 
assess the current use of VETSNET in processing compensation and 
pension benefits claims; and at the VA medical center in Washington, 
D.C., to observe data retrieval capabilities of the Federal Health 
Information Exchange (formerly the government computer-based patient 
record initiative). We performed our work in accordance with generally 
accepted government auditing standards, in August and September of this 
year. 

Results in Brief: 

Over the past 6 months, VA has shown clear progress in addressing some
of the critical weaknesses that have plagued its management of 
information technology. The Secretary of Veterans Affairs and other top
agency leaders have continued to make important strides in improving key
areas of IT performance. Nonetheless, some aspects of the department’s
information technology environment continue to be particularly 
challenging and to require substantial management attention. As the
department proceeds, ensuring sound project management and oversight
will continue to be essential to advancing its efforts. 

Accountability for its information technology investments should be well
served by VA’s recently announced realignment of its information
technology structure. Although yet to be finalized, the Secretary’s 
decision to centralize information technology functions, programs, and 
funding under the department-level CIO shows promise for improving IT
accountability and enabling the department to implement its One VA
vision. [Footnote 2] The additional oversight afforded the CIO could 
have a significant impact on the department’s ability to more 
effectively capture and manage its IT spending. 

Beyond its actions to establish greater accountability in this area, the
department continues to make important progress in developing its
departmentwide enterprise architecture—the blueprint for evolving its
information systems and developing new systems that optimize their
mission value. The Secretary recently approved the initial version of 
VA’s enterprise architecture, focused on defining the department’s 
current, “as is” and desired, “to be” target environments for selected 
business functions. Nonetheless, VA must still accomplish critical 
actions to ensure successful completion of its architecture. For 
example, to achieve a sound program management structure, it needs to 
select a permanent chief architect and establish a program office to 
facilitate, manage, and advance this effort. 

In another critical area, the department continues to make progress in
strengthening its information security. It has taken actions that should
help provide a more solid foundation for detecting, reporting, and
responding to security incidents. Among these actions, it has 
contracted to expand departmentwide incident response and analysis 
capabilities, including enhancing security monitoring and detection. 
Nonetheless, the department has not yet fully implemented a 
comprehensive computer security management program that includes a 
process for routinely monitoring and evaluating the effectiveness of 
security policies and controls and addressing identified 
vulnerabilities. Further, VA’s offices self-report computer security 
weaknesses, and it lacks an independent component to ensure the 
accuracy of reporting and validation of corrective actions taken. 

Conversely, the department is not making as much progress in addressing
the challenges associated with implementing its VETSNET compensation
and pension replacement payment system. Specifically, after more than 6
years, the department still has significant work to accomplish, and 
could be several years from fully implementing the system. Complete
implementation is not anticipated until 2005, thus requiring continued
reliance on the aging Benefits Delivery Network to provide the more than
3.5 million payments that VA must make to veterans each month. 

Finally, VA and DOD have made some progress in achieving the capability
to share patient health care data begun under the government computer-
based patient record (GCPR) initiative. This progress was achieved as 
part of a substantially revised, scaled-down strategy. As part of this 
new strategy that the two agencies have now implemented, clinicians in 
VA medical facilities throughout the country have access to health
information on more than a million separated service personnel. 

IT Realignment Increases Authority and Oversight of VA’s Chief 
Information Officer: 

Successful implementation of VA’s information technology program
requires strong leadership and management to help define and guide the
department’s plans and actions. The Paperwork Reduction Act of 1980 and
the Clinger-Cohen Act of 1996 [Footnote 3] articulate the importance of 
CIOs in promoting improvements in their agencies’ work processes and 
making sound investment decisions that effectively align IT projects 
with the organization’s business planning and measurement processes. To 
be successful in this role, CIOs must build credible organizations and 
develop and organize information management capabilities to meet agency 
mission needs. 

With the hiring of a department-level CIO in August 2001, VA took a
significant step toward addressing critical and longstanding weaknesses 
in its management of information technology. Our prior work has 
highlighted some of the challenges that the CIO faced as a result of 
the way in which the department was organized to carry out its 
information technology mission. [Footnote 4] Among these challenges was 
that information systems and services were highly decentralized, with 
the VA administrations and staff offices controlling a majority of the 
department’s information technology budget. As illustrated in figure 1, 
out of the approximately $1.25 billion fiscal year 2002 information 
technology budget, the Veterans Health Administration (VHA) oversaw 
approximately $1.02 billion, VBA approximately $158.3 million, and the 
National Cemetery Administration (NCA) approximately $5.87 million. The 
remaining $60.2 million was controlled at the department level. 

Figure 1: Breakdown of VA’s $1.25 Billion Information Technology Budget 
(fiscal year 2002): 

[See PDF for image] 

This figure is a pie-chart depicting the following data: 

Breakdown of VA’s $1.25 Billion Information Technology Budget (fiscal 
year 2002)(Dollars in millions): 

VHA: $1,020; 
VBA: $158.3; 
Department level: $60.2; 
NCA: $5.87. 

Source: GAO analysis. 

[End of figure] 

In addition, our testimony in March noted that there was neither direct 
nor indirect reporting to VA’s cyber security officer—the department’s 
senior security official—thus raising questions about this person’s 
ability to enforce compliance with security policies and procedures and 
ensure accountability for actions taken throughout the department. The 
more than 600 information security officers in VA’s three 
administrations and its many medical facilities throughout the country 
were responsible for ensuring the department’s information security, 
although they reported only to their facility’s director or to the 
chief information officer of their administration. 

Given the large annual funding base and decentralized management 
structure, it is crucial that the CIO ensure that well-established and
integrated processes for leading, managing, and controlling investments 
are commonplace and followed throughout the department. The Secretary
has recognized weaknesses in accountability for the department’s
information technology resources and the consequent need to reorganize
how information technology is managed and financed. Accordingly, in a
memorandum dated August 6, 2002, he announced a realignment of the
department’s information technology operations. According to the 
memorandum, the realignment will centralize information technology 
functions, programs, workforce personnel, and funding into the office of
the department-level CIO. In particular, several significant changes are
being made: 

* The CIOs in each of the three administrations—VHA, VBA, and NCA—have 
been designated deputy CIOs and will report directly to the department-
level CIO. Previously, these officials served as component-level CIOs 
who reported only to their respective administrations’ 
undersecretaries. 

* All administration-level cyber security functions have been 
consolidated under the department’s cyber security office, and all 
monies earmarked for these functions have been placed under the 
authority of the cyber security officer. Information security officers 
previously assigned to VHA’s 21 veterans integrated service networks 
will now report directly to the cyber security officer, thus extending 
the responsibilities of the cyber security office to the field. 

* Beginning in fiscal year 2003, the department-level CIO will assume
executive authority over VA’s IT appropriations. 

The realignment had not been finalized at the conclusion of our review,
thus its full impact on VA’s mission and the CIO’s success in managing
information technology at the department level could not yet be 
measured. Nonetheless, in pursuing these reforms, the Secretary has 
demonstrated the significance of establishing an effective management 
structure for building credibility in the way information technology is 
used, and has taken a significant step toward achieving a “One VA” 
vision. 

The Secretary’s initiative also represents a bold and innovative step 
by the department, and is one that has been undertaken by few other 
federal agencies. For example, as part of our review, we sent surveys 
to the 23 other major federal agencies, seeking information on the 
organization and reporting relationships of their department- and 
component-level CIOs. Of the 17 agencies that responded, 8 reported 
having component-level CIOs, none of which reported to the department-
level CIO. Only one agency with component-level CIOs reported that its 
department-level CIO had authority over all IT funding. 

As the realignment proceeds, the CIO’s success in managing information
technology operations will hinge on effective collaboration with 
business counterparts to guide IT solutions that meet mission needs. 
Guidance that we issued in February 2001 on the effective use of CIOs 
in several leading private and public organizations provides insight 
into three key factors contributing to CIO successes: 

* First, senior executives embrace the central role of technology in
accomplishing mission objectives and include the CIO as a full 
participant in senior executive decision-making. 

* Second, effective CIOs have legitimate and influential roles in 
leading top managers to apply IT to business problems and needs. While 
placement of the CIO position at an executive management level in the 
organization is important, effective CIOs earn credibility and produce 
results by establishing effective working relationships with business 
unit heads. 

* Third, successful CIOs structure their organizations in ways that 
reflect a clear understanding of business and mission needs. Along with 
business processes, market trends, internal legacy structures, and 
available IT skills, this understanding is necessary to ensure that the 
CIO’s office is aligned to best serve the needs of the enterprise. 
[Footnote 5] 

VA’s new organizational structure holds promise for building a more 
solid foundation for investing in and improving the department’s 
accountability over information technology resources. Specifically, 
under the realignment the CIO assumes budget authority over all IT 
appropriations, including authority to veto proposals submitted from 
sub-department levels. This could have a significant effect on VA’s 
accountability for how components are spending money, as we have 
previously noted the department’s inability to adequately capture all 
of its IT costs. [Footnote 6] 

As the first step toward gaining accountability for information 
technology investments, the CIO is attempting to determine what 
expenditures have been incurred in fiscal year 2002. Since VA’s annual 
budget submissions to OMB have not included a specific line item for 
information technology operations, the CIO has asked each 
administration to provide accurate information identifying the costs 
incurred by each of them for this fiscal year. According to the CIO, 
preliminary results showed that certain non-IT costs, such as for 
users’ personnel, had been included in the total expenditures, while 
some IT costs, such as for IT personnel and telecommunications, had 
been excluded. The CIO’s goal is to compile cost data that accurately 
reflect the department’s information technology expenditures. 

In the absence of a budget line item, the CIO is requiring each 
facility to develop “spend plans” for fiscal year 2003 IT funding. 
These plans are expected to serve as a control mechanism for 
information technology expenditures during the year and will be 
administered by each facility, with the CIO retaining veto power over 
them. The plans have been designed to provide the CIO with investment 
cost details at a departmentwide level, allowing for a portfolio-based 
project selection process and lessening duplication of effort. Once the 
plans are implemented, the CIO anticipates being able to compare 
planned and actual expenditures and to uncover the details of specific 
projects. 

Progress Toward Developing an Enterprise Architecture Continues, but
Additional Work Needed: 

Developing and implementing an enterprise architecture [Footnote 7] to 
guide VA’s information technology activities continues to be an 
essential and challenging undertaking. VA and other federal agencies 
are required to develop and implement enterprise architectures to 
provide a framework for evolving or maintaining existing and planned 
IT, in accordance with OMB guidelines. [Footnote 8] In addition, 
guidance issued last year by the Federal CIO Council, [Footnote 9] in 
collaboration with us, further emphasizes the importance of enterprise 
architectures in evolving information systems, developing new systems, 
and inserting new technologies that optimize an organization’s mission 
value. Overall, effective implementation of an enterprise architecture 
can facilitate VA’s management by serving to inform, guide, and 
constrain the information technology investment decisions being made 
for the department, and subsequently decreasing the risk of buying and 
building systems that are duplicative, incompatible, and unnecessarily
costly to maintain and interface. 

As depicted in figure 2, the enterprise architecture is both dynamic and
iterative, changing the enterprise over time by incorporating new 
business processes, new technology, and new capabilities. Depending on 
the size of the agency’s operations and the complexity of its 
environment, enterprise architecture development and implementation 
require sustained attention to process management and agency action 
over an extended period of time. Once implemented, the enterprise 
architecture must be kept current through regular maintenance. 

Periodic reassessments are required to ensure that it remains aligned 
with the department’s strategic mission and priorities, changing 
business practices, funding profiles, and technology innovation. 

Figure 2: The Enterprise Architecture Process: 

[See PDF for image] 

This figure is an illustration of interrelated processes that work 
together to produce control and oversight. The following data is 
illustrated: 

Control and Oversight: Depend upon: 
* Obtain executive buy-in and support; 
* Establish management structure and control; 
* Define an architectural process and approach; 
* Develop baseline enterprise architecture; 
* Develop target enterprise architecture; 
* Develop the sequencing plan; 
* Use the enterprise architecture; 
* Maintain the enterprise architecture; 
* Continue the cycle: Obtain executive buy-in and support; etc. 

Source: A Practical Guide to Federal Enterprise Architecture, Version 
1.0, 2001. 

[End of figure] 

When we testified last March, VA had taken a number of promising steps
toward establishing some of the core elements of an enterprise
architecture. Among other actions, it had obtained executive commitment
from the Secretary, department-level CIO, and other senior executives 
and business teams that is crucial to raising awareness of and 
leveraging participation in developing the architecture. VA had also 
chosen a highly recognized framework to organize the structure of its 
enterprise architecture. [Footnote 10] Further, it had begun defining 
its current architecture, an important step for ensuring that future 
progress can be measured against such a baseline, and it was developing 
its future (target) telecommunications architecture. 

Nonetheless, at that time we noted that VA still faced many more 
critical tasks to successfully develop, implement, and manage its 
enterprise architecture. One of the key activities that required 
attention was the establishment of a program management office headed 
by a permanent chief architect to manage the development and 
maintenance of the enterprise architecture. In addition, the department 
needed to complete a program management plan delineating how it would 
develop, use, and maintain the architecture. Further, although VA had 
developed a baseline application inventory to describe its “as is” 
state, it had not completed validating the inventory or developing 
detailed application profiles for the inventory, including essential 
information such as business functions, information flows, and external 
interface descriptions. 

VA Has Expanded Its Initial Enterprise Architecture Development Work: 

Over the past 6 months, VA has made substantial strides toward 
instituting its enterprise architecture program. For example, in April 
it issued its fiscal year 2002 One VA enterprise architecture 
implementation plan, which will be used to align integrated technology 
solutions with the department’s business needs. And in July, the CIO 
issued a mandatory directive prescribing departmentwide policy for the 
establishment and implementation of an integrated One VA enterprise 
architecture and to guide the development and management of all of VA’s 
IT assets. [Footnote 11] VA also finalized its enterprise architecture 
communications plan that will be used to help business and IT 
management and staff develop a corporate model of customer service. 

More recently, on September 5, the Secretary approved the initial 
version of the department’s One VA enterprise architecture. VA 
officials describe the architecture as a top-down, business-focused 
document that provides a blueprint for systematically defining and 
documenting the department’s desired (target) environment. The document 
provides a high-level, overarching view of the department’s “as is” 
enterprise business functions and key enabling functions. [Footnote 12] 
VA’s work to develop the “as is” view revealed the complexities of its 
baseline information systems, work processes, and supporting 
infrastructure. For example, it identified over 30 independently 
designed and operated data networks, over 200 independent external 
network connections, over 1,000 remote access system modem connections, 
and a total of 7,224 office automation servers that are currently part 
of the baseline environment. 

The enterprise architecture document also incorporates high-level
versions of a sequencing plan, technical reference model, and standards
profile—all of which are critical to ensuring the complete development
and implementation of the architecture. A sequencing plan serves as a
systems migration roadmap to provide the agency with a step-by-step
process for moving from the baseline to the target architecture. The
technical reference model provides a knowledge base for a common
conceptual framework, defines a common vocabulary and set of services
and interfaces, and serves as a tool for the dissemination of technical
information across the department. The standards profile, used in
conjunction with the technical reference model, assists departmental
components in coordinating the acquisition, development, and
interoperability of systems to accomplish the department’s enterprise
architecture program goals. 

Further, VA has integrated security practices into the initial version 
of its enterprise architecture. These security practices provide a high-
level description of the baseline and target distributed systems 
architectures for major elements of the department’s cyber security 
infrastructure. 

Continued Commitment to Developing VA’s Enterprise Architecture Is 
Essential: 

Even with notable progress, VA must nonetheless complete a number of
additional actions to fully implement and effectively manage its 
enterprise architecture. With the Federal CIO Council’s guide as a 
basis for analysis, table 1 illustrates the progress that the 
department has made since March in accomplishing key enterprise 
architecture process steps, along with examples of the various critical 
actions still required to successfully implement and sustain its 
enterprise architecture program. 

Table 1: VA’s Progress in Developing, Implementing, and Using an 
Enterprise Architecture as of September 2002: 

Steps in the enterprise architecture (EA) process[A]: Obtain executive 
buy-in and support: Ensure agency head buy-in and support; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Obtain executive 
buy-in and support: Issue executive enterprise architecture policy; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Obtain executive 
buy-in and support: Obtain support from senior executive and business 
units; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Obtain executive 
buy-in and support: Establish management structure and control; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Establish 
technical review committee: Establish capital investment council; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Establish capital 
investment council; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Drafted 
the Information Technology Integrated Management Guide, which lays out 
the integration of VA’s EA, capital planning, investment, and project 
management functions. Completed integration of its capital planning, 
investment, and project management functions, and uses it to evaluate 
IT projects.
Examples of key actions yet to be performed: Finalize and issue the
Information Technology Integrated Management Guide. 

Steps in the enterprise architecture (EA) process[A]: Establish EA 
executive steering committee; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 
 
Steps in the enterprise architecture (EA) process[A]: Appoint chief 
architect; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Acting 
chief architect continues to fill position; Recruitment effort for 
permanent chief architect continues; position expected to be filled in 
early 2003; 
Examples of key actions yet to be performed: Hire a chief architect with
requisite core competencies. 

Steps in the enterprise architecture (EA) process[A]: Establish EA 
program management office; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: Filled 
five positions in EA program management office; Additional position 
advertisements being prepared, full staffing of office anticipated by 
the end of calendar year 2002; 
Examples of key actions yet to be performed: Fully staff the EA program
management office with experienced architects to manage, control, and
monitor development of the EA. 

Steps in the enterprise architecture (EA) process[A]: Appoint key 
personnel for risk management, configuration management and quality 
assurance (QA); 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: Risk 
manager and configuration manager positions have not been filled, and 
VA does not plan to fill them; The Enterprise Architecture Council will
perform risk and configuration management and the Information 
Technology Board will perform QA functions; 
Examples of key actions yet to be performed: Ensure that adequate
staffing occurs and functions are performed Establish an independent,
objective entity to perform QA. 

Steps in the enterprise architecture (EA) process[A]: Establish 
enterprise architecture core team; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Develop EA 
marketing strategy and communications plan; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Develop EA 
program management plan; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Develop and finalize a
plan that will delineate actions to develop, use, and maintain the EA,
including management control and oversight. 

Steps in the enterprise architecture (EA) process[A]: Initiate 
development of enterprise architecture; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Define intended use of architecture; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Define scope of architecture; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Determine depth of architecture; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Select appropriate EA products; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Select products that represent
business of enterprise; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Select products that represent
agency technical assets; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Evaluate and select framework; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Define 
architecture process and approach: Select EA tool set; 
Steps VA has completed as of September 2002: [Check]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Develop baseline 
enterprise architecture: Collect information that describes existing 
enterprise: 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Version 
1.0 of VA’s EA includes high-level descriptions of its baseline
enterprise architecture business functions and key enabling functions
from the planners’ business owners’ designers’ and builders’ 
viewpoints; 
Examples of key actions yet to be performed: Continue development of
the enterprise architecture to fully describe and document all current
business functions and the technology infrastructure. 

Steps in the enterprise architecture (EA) process[A]: Develop baseline 
enterprise architecture: Generate products and populate EA 
repository[B]; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: 
Repository established on VA’s intranet Web site is populated with data 
on the planners’ and owners’ views of VA’s architecture; In FY 2003 VA 
plans to assess the need to develop a new repository and the contents 
of that repository; 
Examples of key actions yet to be performed: Complete population of the
EA repository with products that describe the relationships among
information elements and work products. 

Steps in the enterprise architecture (EA) process[A]: Develop baseline 
enterprise architecture: Review, validate, and refine models; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: 
Enterprise Architecture Council subject matter experts reviewed, 
validated, and refined models contained in version 1.0 of the 
enterprise architecture; Council membership included representatives 
from VA’s technical and business lines; 
Examples of key actions yet to be performed: Have subject matter 
experts continue to assess the enterprise architecture products for 
accuracy and completeness. 

Steps in the enterprise architecture (EA) process[A]: Develop target 
enterprise architecture: Collect information that defines future 
business operations and supporting technology: strategic business 
objectives; information needed to support business; applications to 
provide information; technology to support applications; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Version 
1.0 of VA’s enterprise architecture contains high-level descriptions of 
VA’s enterprise business functions and key enabling functions from the 
planners’ and business owners’ views of the Zachman framework; 
Examples of key actions yet to be performed: Continue to decompose
and further define key elements of the target architecture. 

Steps in the enterprise architecture (EA) process[A]: Develop target 
enterprise architecture: Generate products and populate EA repository; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: 
Repository established on VA’s intranet Web site is populated with data 
on the planners’ and owners’ views of the VA architecture; In FY 2003 
VA plans to assess the need for another repository and the contents of
that repository; 
Examples of key actions yet to be performed: Complete population of the
EA repository with products that describe the relationships among
information elements and work products. 

Steps in the enterprise architecture (EA) process[A]: Review, validate, 
and refine models; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Subject 
matter expert review of version 1.0 of the enterprise architecture 
carried out by members of the Enterprise Architecture Council from VA’s 
technical and business lines; 
Examples of key actions yet to be performed: Have subject matter 
experts continue to assess the enterprise architecture products for 
accuracy and completeness. 

Steps in the enterprise architecture (EA) process[A]: Develop 
sequencing plan; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Identify gaps; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: July 8, 
2002 sequencing plan contained in version 1.0 of EA provides a high-
level overview of how VA will migrate from the current to the target 
architecture; 
Examples of key actions yet to be performed: Future version of the
sequencing plan should identify gaps to assess the state of legacy 
systems, technology maturity, acquisition opportunities, and fiscal 
reality of the transition. 

Steps in the enterprise architecture (EA) process[A]: Define and 
differentiate among legacy, migration, and new systems; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Plan migration; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Approve, publish, 
and disseminate EA products; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Use enterprise 
architecture; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Integrate EA with 
capital planning and investment control and systems life cycle 
processes; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Drafted 
the Information Technology Integrated Management Guide, which lays out 
the integration of VA’s EA, capital planning, investment, and project 
management functions; Implemented the integrated capital planning, 
investment, and project management functions, and uses then to evaluate 
IT projects; 
Examples of key actions yet to be performed: Finalize and issue the
Information Technology Integrated Management Guide. 

Steps in the enterprise architecture (EA) process[A]: Train personnel; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: 
Developing a project manager training curriculum; Used the annual 
department CIO conference to conduct an overview of the department’s EA 
effort; 
Examples of key actions yet to be performed: Ensure that members of all
EA decision-making bodies are trained in the EA process, the 
relationship of the EA to the capital planning and investment control 
process, and the system life cycle; EA training should also be provided 
to current and future IT project managers. 

Steps in the enterprise architecture (EA) process[A]: Establish 
enforcement processes and procedures; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: Published 
the following documents, which relate to enforcement of EA processes 
and procedures: VA Directive 6051; VA EA Strategy, Governance, & 
Implementation; One-VA EA Implementation Plan: FY 2002; One-VA 
Enterprise Architecture (version 1.0); 
Examples of key actions yet to be performed: Develop precise definitions
and criteria for compliance as well as different levels of compliance. 

Steps in the enterprise architecture (EA) process[A]: Define compliance 
criteria and consequences; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Set up integrated 
reviews; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Execute 
integrated process; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Initiate new and 
follow-up projects; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Prepare proposal; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Align project to 
EA; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Make investment 
decision; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Execute projects; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Manage and 
perform project development; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Evolve EA with 
program/project; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Assess progress; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Complete project; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all activities in 
this step. 

Steps in the enterprise architecture (EA) process[A]: Deliver product; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Assess 
architecture; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Evaluate results; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Consider other 
uses of EA; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Maintain 
enterprise architecture; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: Address all detailed
activities in this step. 

Steps in the enterprise architecture (EA) process[A]: Maintain EA as 
enterprise evolves; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Reassess EA 
periodically; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Manage projects 
to reflect reality; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Ensure business 
direction and processes reflect operations; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Ensure current 
architecture reflects system evolution; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Evaluate legacy 
system maintenance requirements against sequencing plan; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Maintain 
sequencing plan as integrated program plan; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

Steps in the enterprise architecture (EA) process[A]: Continue to 
consider proposals for EA modifications; 
Steps VA has completed as of September 2002: [Empty]; 
Examples of actions VA has taken or planned since March 2002: [Empty]; 
Examples of key actions yet to be performed: [Empty]. 

[A] Chief Information Officer Council. 

[B] A repository is an information system used to store and access 
architectural information, relationships among the information 
elements, and work products. 

Source: GAO analysis. 

[End of table] 

As the table indicates, immediate attention still needs to be focused on
acquiring a permanent chief architect to manage the development and
maintenance of the enterprise architecture. Currently, the chief
technology officer serves as the acting chief architect while the
department recruits someone to fill the position on a permanent basis.
According to the acting chief architect, VA anticipates filling the 
position in early 2003. The enterprise architecture program management 
office likewise needs to be fully staffed. As of September 6, 5 of the 
office’s 16 positions had been filled. Officials expect this office to 
be fully staffed by the end of this year. Instituting a permanent chief 
architect with the requisite core competencies to lead the enterprise 
architecture development and fully staffing the enterprise architecture 
program office to support the effort, will provide vital components of 
management and oversight necessary for a successful enterprise 
architecture program. 

Two quality assurance roles—those of risk manager and configuration
manager—also still need to be filled. At the conclusion of our review, 
VA’s Enterprise Architecture Council was performing risk and 
configuration management and its Information Technology Board was 
performing quality assurance functions. However, Federal CIO Council 
guidance recommends that the CIO make risk and configuration management 
the explicit responsibilities of individuals designated for those 
roles. The guide further recommends that the CIO establish an 
independent quality assurance function to evaluate the enterprise 
architecture. 

VA must also still develop a program management plan to delineate how it
will develop, use, and maintain the enterprise architecture. Such a 
plan is integral to providing definitive guidance for effectively 
managing the enterprise architecture program. 

Beyond these actions, VA must continue to enhance the enterprise
architecture that it has begun instituting. For example, additional 
work is needed to fully develop the baseline and target architectures 
to encompass all of the department’s business functions, identify 
common areas of business, and eliminate duplication of processes across 
the organization through business process reengineering. As the initial 
version of the enterprise architecture notes, significant process 
duplication exists across the department. For example, VA identified 
eight different ways in which registration and eligibility are 
determined in the “as-is” (baseline) architecture. Nonetheless, 
although VA recognized opportunities for integrating and consolidating 
the department’s duplicate processes and functions, its initial 
enterprise architecture document lacked any specific guidance on how 
and when consolidation and integration will take place. 

Also, important to the success of an enterprise architecture effort is a
fully-developed enterprise architecture repository. [Footnote 13] Such 
a system serves to highlight information interdependencies and improves 
the understandability of information across an organization. It also 
helps to significantly streamline change control by establishing 
linkages among the information, facilitating impact analyses, and 
providing for ready evaluations of change proposals. Although VA’s 
enterprise architecture repository contains information reflecting the 
views of its business planners and owners, the department still needs 
to completely populate the repository with data that describe the 
interrelationships among all information elements and work products. 
The acting chief architect stated that, in fiscal year 2003, the 
department will assess its need for a different system to serve as the 
EA repository. 

As establishment of the enterprise architecture proceeds, VA also will
need to further refine its sequencing plan to identify differences 
between baseline and target architectures and gaps in the process, and 
to assess the state of legacy, migration, and new systems, and budget 
priorities and constraints. In addition, the acting chief architect 
noted that the current version of the technical reference model is 
generic and will require further development. Such customization is 
important in order to provide VA with consistent sets of service areas 
and interface categories and relationships used to address 
interoperability and open systems issues and serve as a basis for 
identifying, comparing, and selecting existing and emerging standards 
and their relationships. Such a document can also be used to organize 
infrastructure documentation. 

According to VA officials, actions to refine and build upon the 
enterprise architecture are ongoing, and the department plans to issue 
an interim revision to the initial document within 4 to 6 months, and a 
completely new version by July 2003. The Enterprise Architecture 
Council will be responsible for developing these products. As the 
enterprise architecture management program moves forward, the 
department must ensure that it continues to sufficiently address and 
complete all critical process steps outlined in the federal CIO 
guidance within reasonable time frames. With enhanced management 
capabilities provided by an enterprise architecture framework, VA 
should be able to (1) better focus on the strategic use of emerging 
technologies to manage its information, (2) achieve economies of scale 
by providing mechanisms for sharing services across the department, and 
(3) expedite the integration of legacy, migration and new systems. 

Information Security Continues to Require Top Management Attention: 

VA’s information security continues to be an area of significant 
concern. The department relies extensively on computer systems and
telecommunications networks to meet its mission of providing health care
and benefits to veterans. VA’s systems support many users, its networks
are highly interconnected, and it is moving increasingly to more
interactive, Web-based services to better meet the needs of its 
customers. Effectively securing these systems and networks is critical 
to the department’s ability to safeguard its assets, maintain the 
confidentiality of sensitive medical information, and ensure the 
reliability of its financial data. 

As this subcommittee is well aware, VA has faced long-standing 
challenges in achieving effective computer security across the 
department. Since 1998 we have reported on wide-ranging deficiencies in 
the department’s computer security controls. [Footnote 14] Among the 
weaknesses highlighted was that VA had not established effective 
controls to prevent individuals from gaining unauthorized access to its 
systems and sensitive data. In addition, the department had not 
provided adequate physical security for its computer facilities, 
assigned duties in a manner that segregated incompatible functions, 
controlled changes to its operating systems, or updated and tested its 
disaster recovery plans. Similar weaknesses have been confirmed by VA’s 
inspector general, as well as through the department’s own assessments 
of its computer security controls in response to government information 
reform legislation. [Footnote 15] As evidence, since September 2001, VA 
has self-reported approximately 27,000 control weaknesses related to 
physical and logical access, segregation of duties, system and 
application controls, and continuity of operations. As of August 31, 
2002, according to VA, about half (14,000) of these weaknesses remained 
unresolved. 

Contributing significantly to VA’s computer security problems has been 
its lack of a fully implemented, comprehensive computer security
management program—essential to managing risks to business operations
that rely on its automated and highly interconnected systems. Our 1998
report on effective security management practices used by several 
leading public and private organizations [Footnote 16] and a companion 
report on risk-based security approaches in 1999 [Footnote 17] 
identified key principles that can be used to establish a management 
framework for more effective information security programs. This 
framework, depicted in figure 3, points to five key areas of effective 
computer security program management—central security management, 
security policies and procedures, risk-based assessments, security 
awareness, and monitoring and evaluation. Leading organizations we 
examined applied these key principles to ensure that information 
security addressed risks on an ongoing basis. Further, these principles 
have been cited as useful guidelines for agencies by the Federal CIO 
Council and incorporated into the council’s information security 
assessment framework, [Footnote 18] intended for agency self-
assessments. 

Figure 3: Information Security Risk Management Framework: 

[See PDF for image] 

This figure is an illustration of the Information Security Risk 
Management Framework. The following information is depicted: 

Risk management cycle: 
* Assess risk and determine needs; 
* Implement policies and controls; 
* Promote awareness; 
* Monitor and evaluate; 
* Repeat the cycle. 

There is a Central focal point that interacts with each step in the 
cycle. 

Source: GA)/AIMD-98-68. 

[End of figure] 

When we testified before the subcommittee in March, VA had begun a 
number of actions to strengthen its overall computer security management
posture. For example, the Secretary had instituted information security 
standards for members of the department’s senior executive service to
provide greater management accountability for information security. In
addition, VA’s cyber security officer had organized his office to focus 
more directly on the critical elements of information security control 
that are defined in our information systems controls audit methodology. 
[Footnote 19] The cyber security officer also had updated the 
department’s security management plan, outlining actions for developing 
risk-based security assessments, improving the monitoring and testing 
of systems controls, and implementing departmentwide virus-detection 
software and intrusion-detection systems. The plan placed increased 
emphasis on centralizing key security functions that were previously 
decentralized or nonexistent, including virus detection, systems 
certification and accreditation, network management, configuration 
management, and incident and audit analysis. 

Nonetheless, while VA had completed a number of important steps, its
security management program continued to lack essential elements 
required for protecting the department’s computer systems and networks
from unnecessary exposure to vulnerabilities and risks. For example,
while the department had begun to develop an inventory of known 
security weaknesses, it had not instituted a comprehensive, centrally
managed process that would enable it to identify, track, and analyze all
computer security weaknesses. Further, the updated security management
plan did not articulate critical actions that VA would need to take to
correct specific control weaknesses or time frames for completing key
actions. 

Progress Continues, but Actions Still Needed to Achieve a Comprehensive
Security Management Program: 

Since March, the department has taken important steps to further 
strengthen its computer security management program. For example, the
cyber security officer has updated and expanded the department’s 
information security policies and procedures, placing increased emphasis
on better securing and overseeing the department’s computer 
environment. More recently, as discussed earlier, VA’s realignment of 
its information technology resources placed administration and field 
office security functions more directly under the oversight of the 
department’s CIO. 

VA has also acted to help provide a more solid foundation for detecting,
reporting, and responding to security incidents. For example, it has
contracted to acquire an expanded departmentwide incident response and
analysis capability, to include enhanced security monitoring and 
detection. Further, it has enhanced its computer virus detection 
program by providing technical training to operational staff and 
distributing antivirus patches for known viruses to affected systems. 
In addition, VA has initiated a multiyear project intended to 
consolidate, protect, and centrally manage external connections to its 
critical financial, medical, and benefits systems. This project, with 
full implementation planned for September 2004, is expected to reduce 
the approximately 200 external computer network connections that the 
department now relies on to about 10. By reducing these connections, VA 
should be better positioned to effectively reduce its risk of 
unauthorized access to its critical systems. 

As was the case last March, however, VA’s actions have not yet been 
sufficient to fully implement all of the key elements of a comprehensive
computer security management program. In assessing the department’s
recent corrective actions relative to our information security risk 
management framework, VA still needs to accomplish a number of critical
tasks that are essential to successfully achieving a comprehensive and
effective computer security management program. Table 2 summarizes the
steps that VA still needs to accomplish in order to fully implement a
comprehensive program. 

Table 2: Actions Needed to Ensure a Comprehensive Computer Security 
Management Program: 

Important elements of a computer security management program[A]: 
Central security management function to guide and oversee compliance 
with established policies and procedures and review effectiveness of the
security environment; 
Actions needed as of March 2002: Ensure that full-time security 
officers or staff with primary duty for security are assigned to
information security officer (ISO) positions and clearly define their
roles and responsibilities; Develop guidance to ensure authority and 
independence of security officers; Develop policies and procedures
to ensure departmentwide coordination of security functions; 
Actions VA has taken since March 2002: Established a tracking mechanism 
to identify security officers and the systems under their respective 
purview at each location; VA Secretary centralized the department’s IT
program, including authority, personnel, and funding, in the Office of 
the Chief Information Officer; 
Actions still needed: Ensure that full-time security officers or staff 
with primary duty for security are assigned to all ISO positions and 
clearly define their roles and responsibilities In conjunction with VA’s
centralization of the IT program, develop policy and guidance to ensure 
(1) authority and independence for security officers and (2) 
departmentwide coordination of security functions. 

Important elements of a computer security management program[A]: 
Security policies and procedures that govern a complete computer 
security program and integrate all security aspects of an 
organization’s environment, including local area networks, wide area 
networks, and mainframe security; 
Actions needed as of March 2002: Refocus department policy to address 
security from an interconnected VA systems environment perspective in
addition to that of individual systems; Develop and implement technical
security standards for mainframe and other systems and security 
software; 
Actions VA has taken since March 2002: Developed policies to address 
external connections and standards for public key infrastructure
authentication; 
Actions still needed: Develop specific policy to address security 
interconnectivity of all internal and external VA systems; Develop and 
implement technical security standards for mainframe and other systems 
and security software. 

Important elements of a computer security management program[A]: 
Periodic risk assessments to assist management in making decisions on 
necessary controls to help ensure that security resources are 
effectively distributed to minimize potential loss; 
Actions needed as of March 2002: Include best minimum standards or 
guidance for performing risk assessments in methodology; Develop 
guidance for determining when an event is a significant change and 
explaining the level of risk assessment required for these system 
changes; 
Actions VA has taken since March 2002: [Empty]; 
Actions still needed: Include best minimum standards or guidance for 
performing risk assessments in methodology Develop guidance for
determining when an event is a significant change and explaining
the level of risk assessment required for these system changes. 

Important elements of a computer security management program[A]: 
Security awareness to educate users about current information security 
risks, policies, and procedures; 
Actions needed as of March 2002: Establish a process to ensure program 
compliance; 
Actions VA has taken since March 2002: [Empty]; 
Actions still needed: Establish a process to ensure program compliance. 

Important elements of a computer security management program[A]: 
Monitoring and evaluating computer controls to ensure their 
effectiveness, improve them, and oversee compliance; 
Actions needed as of March 2002: Develop specific requirements for
conducting a compliance review program; Develop an ongoing program for
testing controls to include assessments of both internal and external 
access to VA systems; expand current tests to identify unauthorized or 
vulnerable external connections to VA’s network; Establish a process 
for tracking the status of security weaknesses, corrective actions 
taken, and independent validation of the corrective actions; Develop a 
process for routinely analyzing the results of computer security 
reviews to identify trends and vulnerabilities and apply appropriate 
countermeasures to improve security; Develop a proactive security 
incident response program to monitor user access for unusual or 
suspicious activity; 
Actions VA has taken since March 2002: Initiated a multiyear project
to consolidate, protect, and centrally manage external connections to 
VA systems; Developed a process for tracking the status of computer 
security weaknesses and corrective actions taken; Developed an ad hoc
approach for identifying computer control weaknesses for review; 
Awarded contract for an expanded security incident response and analysis
program to include security monitoring and detection capability for 
external user access activities; Enhanced computer virus detection 
program by providing technical training to operational staff and
distributing antivirus patches; 
Actions still needed: Develop specific requirements for conducting a 
compliance review program; Develop an ongoing program for testing 
controls to include assessments of both internal and external access to 
VA systems; expand current tests to identify unauthorized or vulnerable
external connections to VA’s network; Develop a process to 
independently validate corrective actions taken Develop a process that
emphasizes routinely analyzing the results of computer security reviews 
to identify trends and vulnerabilities and apply appropriate 
countermeasures to improve security; Develop a proactive security 
incident response program to provide for both internal and external 
monitoring of user access to identify unusual or suspicious activities. 

[A] GAO/AIMD-98-68. 

Source: GAO. 

[End of table] 

The department’s critical remaining actions include routinely monitoring
and evaluating the effectiveness of security policies and controls and
acting to address identified weaknesses. These tasks aid organizations 
in cost effectively managing their information security risks rather 
than reacting to individual problems after a violation has been 
detected. We have previously recommended that VA establish a program 
involving ongoing monitoring and evaluation to ensure the effectiveness 
of its computer control environment. An effective program framework 
would include a description of the scope and level of testing to be 
performed, specific control areas to be tested, the frequency of 
testing, and the identity of responsible VA units. In addition, testing 
and evaluation would include penetration tests and reviews of the 
computer network, as well as compliance reviews of all computer control 
areas, including logical and physical access controls; service 
continuity tests; and system and application integrity and change 
controls performed on a scheduled basis. 

VA has begun placing greater emphasis on controlling its security risks;
however, its current framework does not yet include some of the 
essential elements required to achieve a formal program for monitoring 
and evaluating computer controls. For example, while the department has
conducted some tests of its control environment, including penetration
tests and reviews of its computer network, this effort has largely been
performed in an ad hoc manner, rather than as part of a formal, ongoing
program. Further, while VA has established a departmental process for
assessing computer controls, the process relies on VA’s offices to self-
report computer control weaknesses, with no independent validation
component to ensure the accuracy of reporting. 

Similarly, an effective computer security management program should
include a process for ensuring that remedial action is taken to address
significant deficiencies and that it provides steps to analyze 
weaknesses reported for identifiable trends and vulnerabilities, and to 
apply appropriate countermeasures as needed. Although VA has 
established a system for tracking corrective actions, it has not 
developed a process for independently validating or reviewing the 
appropriateness of the corrective actions taken. Further, the 
department currently lacks a process to routinely analyze the 
weaknesses reported, limiting its effectiveness at identifying systemic 
problems that could adversely affect critical veterans information 
systems departmentwide. 

Finally, although VA has developed a framework for addressing 
departmentwide computer security, it has not yet established a mechanism
for collecting and tracking performance data, ensuring management 
review when appropriate, or providing for independent validation of
program deliverables. Until it addresses all key elements of a
comprehensive computer security management program and develops a
process for managing the department’s security plan, VA will not have 
full assurance that its financial information and sensitive medical 
records are adequately protected from unauthorized disclosure, misuse, 
or destruction. 

VBA Remains Far from Full Implementation of the VETSNET Compensation and
Pension Replacement System: 

Mr. Chairman, we continue to be concerned about the slow progress that
VBA is making in implementing the VETSNET compensation and pension
replacement system. As you know, VBA currently relies on its aging
Benefits Delivery Network to deliver over 3.5 million benefits payments 
to veterans and their dependents each month. [Footnote 20] The 
compensation and pension replacement effort grew out of an initiative 
that VBA undertook in 1986 to replace its outdated BDN and modernize 
its compensation and pension, education, and vocational rehabilitation 
benefits payment systems. After several false starts and approximately 
$300 million spent on the overall modernization, the administration 
revised its strategy in 1996 and began focusing on modernizing the 
compensation and pension (C&P) payment system. 

VBA has now been working on the C&P replacement initiative for more
than 6 years, but continues to be far from full implementation of the 
new payment system. As we reported last March, long-standing, 
fundamental deficiencies in VBA’s management of the project hindered 
successful development and implementation of the system. For example, 
the initiative was proceeding without a project manager, and VBA had not
obtained essential field office support for the new software being
developed. In addition, users’ requirements for the new system had not 
yet been assessed or validated to ensure that VETSNET would meet 
business needs; and testing of the system’s functional business 
capability, as well as end-to-end testing to ensure that accurate 
payments would be delivered, still needed to be completed. Finally, VBA 
had not developed an integrated project plan to guide its transition 
from BDN to the new system. 

This past June, we recommended that, before approving any new funding
for the replacement system, the Secretary should ensure that actions are
taken to address our long-standing concerns about VBA’s development and 
implementation of the system. These recommended actions included (1) 
appointing a project manager to direct the development of an action 
plan for, and oversee the complete analysis of, the current system 
replacement effort; (2) finalizing and approving a revised C&P 
replacement strategy based on results of the analysis and implementing 
an integrated project plan; (3) developing an action plan to move VBA 
from the current to the replacement system; and (4) developing an 
action plan to ensure that BDN will be available to continue accurately 
processing benefits payments until the new system is deployed. 
[Footnote 21] The department concurred with our recommendations, and 
stated that actions were either under way or planned to implement them. 

Actions Taken in Recent Months: 

Since our March testimony and subsequent recommendations, VBA has acted 
to further its development and implementation of the C&P replacement 
system. Among these actions VBA began recruiting a full-time project 
manager in June, and, according to the deputy CIO for VBA, expects to 
fill this position by the end of this month. In addition, to obtain 
field office and program support, in late March VBA formalized an 
implementation charter that established a VETSNET executive board and
a project control board. [Footnote 22] These entities are expected to 
provide decision support and oversee progress on the implementation. 
VBA has also begun revalidating functional business requirements for 
the new system. Its July 10, 2002 status report called for validating 
the majority of its requirements by the end of this month, and to 
complete all requirements validation by January 2003. The report also 
identified actions needed to transition VBA from the current to the 
replacement system. Further, in July VBA hired a contractor to obtain 
support for testing the VETSNET system applications. The contractor has 
been tasked with conducting functional, integration, and linkage 
testing, as well as software quality assurance for each release of the 
system applications. 

Much Work Remains: 

Nonetheless, VBA still has significant work to accomplish, and 
completing its implementation of the new system could take several 
years. All but one of the software applications comprising the new 
system still need to be fully deployed or developed, and VBA is 
currently processing only nine benefits claims using its new software 
products. [Footnote 23] As described in VA’s August 2002 Compensation 
and Pension Replacement System Capital Asset Plan, the C&P replacement 
strategy incorporates six software applications: (1) Share, (2) Modern 
Award Processing - Development, (3) Rating Board Automation 2000, (4) 
Award Processing, (5) Finance and Accounting System, and (6) 
Correspondence. These applications are being designed to support the 
processing of initial benefits claims for service-connected 
disabilities, as shown in table 3. 

Table 3: C&P Replacement System’s Support of Initial Disability Claims 
Processing: 

C&P replacement system software application: Share (establishment); 
Initial disability claims processing and benefit payment functions: 
Establish the claim—regional office enters basic information provided 
by the veteran into a computer system and sets up a claim file folder. 

C&P replacement system software application: Modern Award Processing – 
Development (MAP-D); 
Initial disability claims processing and benefit payment functions: 
Develop the claim—regional office reviews the claim file folder for 
military service and medical information, requests and obtains missing 
information, and assesses information to determine basic eligibility. 

C&P replacement system software application: Rating Board Automation 
2000 (RBA 2000)[A]; 
Initial disability claims processing and benefit payment functions: 
Rate the claim—regional office analyzes the veteran’s service records 
and service and private medical records and determines the veteran’s 
level of disability. 

C&P replacement system software application: Award Processing (AWARD); 
Initial disability claims processing and benefit payment functions: 
Authorize the claim—regional office reviews previous work on the claim, 
approves the initiation of benefit payments, and notifies the veteran 
of the decision. 

C&P replacement system software application: Finance and Accounting 
System (FAS); 
Initial disability claims processing and benefit payment functions: Pay 
beneficiary—regional office enters data into computer system to 
generate and make payment to veterans. 

C&P replacement system software application: Correspondence; 
Initial disability claims processing and benefit payment functions: 
Notify veteran—regional office sends letters informing veterans of the 
status of actions to process their claims. 

[A] The Search and Participant Profile application is used in 
conjunction with RBA 2000 and pulls information from the corporate 
database when reopened claims are rated and is transparent to the
user. Until recently, this application had been counted separately. 

Source: GAO analysis. 

[End of table] 

VBA still has numerous tasks to accomplish before these software
applications can be fully implemented. Although, last year, the
administration implemented its rating board automation tool (RBA 2000),
it will not require all of its regional offices to use this software 
until July 2003. In addition, our recent follow-up work determined that 
two of the software products continue to be in various stages of 
deployment. Specifically, among the 57 regional offices that are 
expected to benefit from the replacement system, only 6 are currently 
using Share to establish a claim; VBA still needs to implement the tool 
in the 51 other regional offices. In addition, only two regional 
offices—Salt Lake and Little Rock—have pilot-tested and are currently 
using MAP-D to assist in the development of most compensation claims. 
VBA still needs to implement this tool in 55 other regional offices. 
Full implementation is currently estimated for October 2003. 

Further, three software applications—AWARD, FAS, and 
Correspondence—continue to require development. According to VBA
officials, when implemented, AWARD will record award decisions and
generate, authorize, and validate on-line awards for veterans and 
interface with Correspondence to develop the notification letter for 
the veteran. FAS will provide the accounting benefits payments 
functions and will include an interface with the Department of the 
Treasury. 

VBA expects to complete software coding for AWARD and FAS by March
2003. Based on its most recent estimates, it expects to begin nationwide
deployment of the two systems in April 2004. Once these activities are
accomplished, VBA plans to begin its conversion to the new system, with 
a completion date currently set for December 2004. Figure 4 depicts 
VBA’s current time line for the full implementation of the system. 

Figure 4: VBA’s Time Line for Completing and Implementing the 
Compensation & Pension Replacement Payment System (as of July 2002): 

[See PDF for image] 

The following information is depicted in the timeline: 

Date: January 2003; 
Begin nationwide MAP-D deployment. 

Date: March 2003; 
AWARD and FAS coded interface coded. 

Date: July 2003; 
RBA 2000 mandated nationwide. 

Date: October 2003; 
MAP-D deployment complete. 

Date: April 2004; 
Nationwide AWARD and FAS deployment; Conversion to new system begins. 

Date: December 2004; 
System conversion and deployment completed. 

Source: Veterans Benefits Administration. 

[End of figure] 

Maintaining Benefits Delivery Network Operations Is Critical to 
Ensuring Continued Payments to Veterans: 

Given its current schedule for implementing the C&P replacement system,
VBA will have to continue relying on BDN to deliver compensation and
pension benefits payments until at least the beginning of 2005. However,
with parts of this system nearing 40 years old, without additional
maintenance, BDN’s capability to continue accurately processing benefits
payments is uncertain. Our concerns have been substantiated by the VA
claims processing task force, which in its October 2001 report warned 
that the system’s operations and support were approaching a critical 
stage and that its performance could potentially degrade and eventually 
cease.[Footnote 24] 

Since March, VBA has taken steps to help ensure that BDN can be 
sustained and remains capable of making prompt, uninterrupted payments
to veterans. For example, VBA has (1) completed an upgrade of BDN
hardware, (2) hired 11 new staff members dedicated to BDN operations,
and (3) successfully tested a contingency plan. Further, according to
VBA’s deputy CIO, the administration has developed an action plan
outlining strategies for keeping BDN operational until the replacement
system is implemented. Nonetheless, the risks associated with continual
reliance on BDN remain—one of the system’s software applications 
(database monitor software) is no longer supported by the vendor, nor 
is it used by any other customer. 

Government Computer-Based Patient Record Initiative Has Changed Name,
Goals, Strategy: 

Finally, Mr. Chairman, I would like to provide updated information on 
VA’s progress, in conjunction with the Department of Defense (DOD) and 
the Indian Health Service (IHS), in achieving the ability to share 
patient health care data as part of the government computer-based 
patient record (GCPR) initiative. As you know, the GCPR project was 
developed in 1998 out of VA and DOD discussions about ways to share 
data in their health information systems and from efforts to create 
electronic records for active duty personnel and veterans. IHS became 
involved because of its experience in population-based research and its 
long-standing relationship with VA in caring for the Indian veteran 
population, as well as its desire to improve the exchange of 
information among its facilities. 

GCPR was originally envisioned to serve as an electronic interface that
would allow physicians and other authorized users at VA, DOD, and IHS
health facilities to access data from any of the other agencies’ health
facilities by serving as an electronic interface among their health
information systems. The interface was expected to compile requested
patient information in a temporary, “virtual” record that could be
displayed on a user’s computer screen. 

Last March we expressed concerns about the progress that VA, DOD, and
IHS had made toward implementing GCPR. We testified that the project
continued to operate without clear lines of authority or a lead entity
responsible for final decision-making. The project also continued to 
move forward without comprehensive and coordinated plans, including an
agreed-upon mission and clear goals, objectives, and performance 
measures. These concerns were originally reported in April 2001, 
[Footnote 25] when we recommended that the participating agencies (1) 
designate a lead entity with final decision-making authority and 
establish a clear line of authority for the GCPR project, and (2) 
create comprehensive and coordinated plans that included an agreed-upon 
mission and clear goals, objectives, and performance measures, to 
ensure that the agencies can share comprehensive, meaningful, accurate, 
and secure patient health care data. VA, DOD, and IHS all agreed with 
our findings and recommendations. 

Our March testimony also noted that the scope of the GCPR initiative had
been narrowed from its original objectives and that the participating
agencies had announced a revised strategy that was considerably less
encompassing than the project was originally intended to be. 
Specifically, rather than serve as an interface to allow data sharing 
across the three agencies’ disparate systems, as originally envisioned, 
a first (near-term) phase of the revised strategy had called only for a 
one-way transfer of data from DOD’s current health care information 
system to a separate database that VA hospitals could access. 

Subsequent phases of the effort that were to further expand GCPR’s
capabilities had also been revised. A second phase that would have 
enabled information exchange among all three agencies had been rescoped
to enable only a bilateral read-only exchange of data between VA and 
IHS. Plans for a third phase involving the expansion of GCPR’s 
capabilities to public and private national health information standards
groups were no longer being considered for the project, and there were 
no plans for DOD to receive data from VA. 

GCPR Is Proceeding under a New Name and Strategy: 

In May, VA and DOD proceeded with implementing the revised strategy. It
finalized a memorandum of agreement that designated VA as the lead
entity in implementing the project and formally renamed the project the
Federal Health Information Exchange (FHIE) Program. According to
program officials, FHIE is now a joint effort between DOD and VA that 
will enable the exchange of health care information in two phases. The 
first phase, or near-term solution, is to enable the one-way transfer 
of data from DOD’s existing health care information system to a 
separate database that VA hospitals can access. Nationwide deployment 
and implementation of the first phase began in late May of this year, 
and was completed in mid-July. 

FHIE was built to interface with VA’s and DOD’s existing systems.
Specifically, electronic data from separated service members contained 
in
DOD’s Military Health System Composite Health Care System are
transmitted to VA’s FHIE repository, which can then be accessed through
the Computerized Patient Record System (CPRS) in VA’s Veterans Health
Information Systems and Technology Architecture (VISTA). Clinicians are
able to access and display the data through CPRS remote data views. 
[Footnote 26] The data currently available for transfer include 
demographic [Footnote 27] and certain clinical information, such as 
laboratory results, outpatient pharmacy data, and radiology reports on 
service members that have separated from DOD. 

The final phase of the near-term solution is anticipated to begin this
October. According to VA and DOD officials, this phase is intended to
broaden the base of health information available to VA clinicians 
through the transfer of additional health information on separated 
service members. This additional information is expected to consist of 
discharge summaries; [Footnote 28] allergy information; admissions, 
disposition, and transfer information; and consultation results that 
include referring physicians and physical findings. Completion of this 
final phase of FHIE is scheduled for September 2003. VA and DOD have 
budgeted $12 million in fiscal year 2003 ($6 million for each agency) 
to cover completion and maintenance of the near-term effort. 

VA and DOD Report Success in Implementing the First Phase of FHIE: 

FHIE is currently available to all VA medical centers, and according to
program officials, is showing positive results. The officials stated 
that, presently, the FHIE repository contains data on almost 2 million 
unique patients. This includes clinical data on over 1 million service 
personnel who separated between 1987 and 2001. The data consist of over 
14 million lab messages, almost 14 million pharmacy messages, and over 
2 million radiology messages. 

Program officials stated that the quick retrieval and readability of 
data contained in the FHIE repository has begun providing valuable 
support to VA clinicians. They stated that FHIE is capable of 
accommodating up to 800 queries per hour, with an average response rate 
of 14 seconds per query. For the week beginning July 29, 2002, VA 
clinicians made 287 authorized queries to the database. In addition, 
when a clinician at a VA medical facility retrieves the data 
transmitted from DOD, the data appear in the same format as the data 
captured in CPRS, further facilitating its use. During a demonstration 
of the data retrieval capability, a clinician at VA’s Washington, D.C., 
medical center told us that the information provided through FHIE has 
proven particularly valuable for treating emergency room and first-time 
patients. He added that additional data anticipated from the second 
phase of FHIE should prove to be even more valuable. 

VA and DOD Developing Interoperable Health Systems: 

Beyond FHIE, VA and DOD have envisioned a long-term strategy involving
the two-way exchange of clinical information. This initiative has been
termed HealthePeople (Federal). According to VHA’s CIO and the Military
Health System CIO, VA and DOD are jointly implementing a plan that will
result in computerized health record systems that ensure 
interoperability between DOD’s Composite Health Care System II and VA’s 
HealtheVet VISTA to achieve the sharing of secure health data required 
by their health care providers. [Footnote 29] In order to accomplish 
this objective, the two agencies intend to standardize health and 
related data, communications, security, and software applications where 
appropriate. As part of HealthePeople (Federal), IHS is also expected 
to be actively involved in helping to develop national standards and 
compatible software applications to further the standardization of 
data, communications, and security for health information systems. When 
our review concluded, VA and DOD had just begun this initiative, with a 
focus on addressing the standardization issue. At that time, they 
anticipated implementing this exchange of clinical information by the 
end of 2005. 

In summary, Mr. Chairman, VA continues to make important progress
toward improving its management of information technology, with the
attention and support of its executive leadership contributing 
significantly to ongoing actions to improve key areas of IT 
performance. The restructuring of responsibility and accountability 
directly to the CIO is a particularly important step—one that could set 
the stage for VA truly achieving its One-VA vision. In addition, 
actions aimed at further developing the department’s enterprise 
architecture and improving computer security management continue to 
help solidify the IT foundation necessary to guide VA’s development and 
protection of critical information systems and data that are vital to 
its mission. Finally, although under a revised, scaled-down initiative, 
VA and DOD have made some progress in achieving the capability to share 
health care data on military personnel and veterans. Yet, challenges 
remain. Ensuring that the enterprise architecture will be fully 
implemented and sustained beyond the current leadership necessitates 
that the department establish a program management structure to guide 
and oversee this critical initiative. Completing its comprehensive 
computer security management program is also essential to ensure that 
the department can effectively safeguard its assets and sensitive 
medical information. Further, the urgency that VA faces in replacing 
its aging BDN continues to grow, while much must be accomplished before 
full implementation of the compensation and pension replacement system. 
Instituting the necessary processes and controls to guide VA’s 
information technology programs and investments will be vital to 
ensuring that the department does not fall short of its goals of 
enhancing operational efficiency and, ultimately, improving service
delivery to our nation’s veterans. 

Mr. Chairman, this concludes my statement. I would be pleased to respond
to any questions that you or other members of the subcommittee may have
at this time. 

Contacts and Acknowledgments: 

For information about this testimony, please contact me at (202) 512-
6253 or by e-mail at willemssenj@gao.gov. Individuals making key 
contributions to this testimony include Nabajyoti Barkakati, Nicole 
Carpenter, Kristi Dorsey, David W. Irvin, Min S. Lee, Valerie C. 
Melvin, Barbara S. Oliver, J. Michael Resser, and Charles M. Vrabel. 

[End of section] 

Footnotes: 

[1] U.S. General Accounting Office, VA Information Technology: Progress 
Made, but Continued Management Attention Is Key to Achieving Results, 
GAO-02-369T (Washington, D.C.: Mar. 13, 2002). 

[2] According to the department, the “One VA” vision describes how it 
will use information technology in versatile new ways to improve 
services and enable VA employees to help customers more quickly and 
effectively. It stems from the recognition that veterans think of VA as 
a single entity, but often encounter a confusing, bureaucratic maze of
uncoordinated programs that put them through repetitive and frustrating 
administrative procedures and delays. 

[3] 44 U.S.C. 3506 and P.L. 104-106, Section 5125, respectively. 

[4] U.S. General Accounting Office, VA Information Technology: 
Important Initiatives Begun, Yet Serious Vulnerabilities Persist, GAO-
01-550T (Washington, D.C.: Apr. 4, 2001) and GAO-02-369T. 

[5] U.S. General Accounting Office, Maximizing the Success of Chief 
Information Officers: Learning From Leading Organizations, GAO-01-376G 
(Washington, D.C.: February 2001). 

[6] U.S. General Accounting Office, VA Information Technology: Progress 
Continues Although Vulnerabilities Remain, GAO/T-AIMD-00-321 
(Washington, D.C.: Sept. 21, 2000). 

[7[ An enterprise architecture is a blueprint for systematically and 
completely defining an organization’s current (baseline) operational 
and technology environment, and a roadmap toward the desired (target) 
state. It is an essential tool for effectively and efficiently 
engineering business processes and for implementing their supporting 
systems and helping them evolve. 

[8] OMB, Management of Federal Information Resources, Circular A-130 
(Washington, D.C.: Nov. 30, 2000). 

[9] Chief Information Officer Council, A Practical Guide to Federal 
Enterprise Architecture, Version 1.0 (Washington, D. C.: February 
2001). 

[10] Among the experts that VA consulted was John Zachman, author of “A 
Framework for Information Systems Architecture,” referred to as the 
Zachman framework (IBM Systems Journal, vol. 26(3), 1987). This 
framework provides a common context for understanding a complex 
structure and enables communication among those involved in developing 
or changing the structure. 

[11] Department of Veterans Affairs, Department of Veterans Affairs 
(VA) Enterprise Architecture (EA), VA Directive 6051 (Washington, D.C.: 
July 12, 2002). 

[12] Enterprise business functions are externally focused functions 
involving direct interactions with veterans across the enterprise, such 
as providing medical care benefits, vocational rehabilitation, and 
employment benefits. Key enabling functions are those necessary to 
support the enterprise business functions, such as eligibility and 
registration, and enable smooth operation of the overall enterprise 
both internally and externally. 

[13] A repository is an information system used to store and access 
architecture information, relationships among the information elements, 
and work products. 

[14] U.S. General Accounting Office, Information Systems: VA Computer 
Control Weaknesses Increase Risk of Fraud, Misuse, and Improper 
Disclosure, GAO/AIMD-98-175 (Washington, D.C.: Sept. 23, 1998) and GAO-
02-369T. 

[15] The government information security reform provisions of the 
fiscal year 2001 Defense Authorization Act (P.L. 106-398) require 
annual agency program reviews and annual independent evaluations for 
both non-national security and national security information systems. 

[16] U.S. General Accounting Office, Information Security Management: 
Learning From Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: 
May 1998). 

[17] U. S. General Accounting Office, Information Security Risk 
Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 
(Washington, D. C.: November 1999). 

[18] Chief Information Officers Council, Federal Information Technology 
Security Assessment Framework (Washington, D.C.: Nov. 28, 2000). 

[19] U.S. General Accounting Office, Federal Information System 
Controls Audit Manual, GAO/AIMD-12.19.6 (Washington, D.C.: January 
1999). 

[20] Parts of the Benefits Delivery Network were developed in the 
1960s. 

[21] U.S. General Accounting Office, Veterans Affairs: Sustained 
Management Attention Is Key to Achieving Information Technology 
Results, GAO-02-703 (Washington, D.C.: June 12, 2002). 

[22] The executive board meets monthly and consists of VBA’s chief 
financial officer, deputy chief information officer, director of 
compensation and pension service, and director of field operations. The 
project control board meets weekly and comprises representatives from 
the Office of Information Management, Compensation and Pension Service, 
Office of Resource Management, Field Operations, and the Program 
Analysis and Integrity Office. It is codirected by a business project 
manager and a technical project manager. 

[23] As part of a pilot test in February 2001, VBA began processing ten 
original benefits claims using its new software. However, according to 
VBA, one veteran included in the pilot moved to West Virginia, and his 
payment is now being delivered by the BDN. 

[24] The claims processing task force was formed in May 2001, when the 
Secretary of Veterans Affairs asked a group of individuals with 
significant experience to assess and critique VBA’s compensation and 
pension organization, management, and processes, and to develop 
recommendations to significantly improve VBA’s ability to process 
veterans’ claims for disability compensation and pensions. 

[25] U.S. General Accounting Office, Computer-Based Patient Records: 
Better Planning and Oversight by VA, DOD, and IHS Would Enhance Health 
Data Sharing, GAO-01-459 (Washington, D.C.: Apr. 30, 2001). 

[26] The CPRS remote data views is an application that allows 
authorized users to access patient health care data from any VA medical 
facility. 

[27] The demographic information consists of patient name, DOD 
eligibility category, Social Security number, address, date of birth, 
religion, primary language, sex, race, and marital status. 

[28] Discharge summaries will include inpatient histories, diagnoses, 
and procedures. 

[29] Both of these systems are currently under development. 

[End of section] 

GAO’s Mission: 

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO’s commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO’s Web site [hyperlink, 
http://www.gao.gov] contains abstracts and fulltext files of current 
reports and testimony and an expanding archive of older products. The 
Web site features a search engine to help you locate documents using 
key words and phrases. You can print these documents in their entirety, 
including charts and other graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as “Today’s Reports,” on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
[hyperlink, http://www.gao.gov] and select “Subscribe to daily E-mail 
alert for newly released products” under the GAO Reports heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 

Orders should be sent to: 

U.S. General Accounting Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 

E-mail: fraudnet@gao.gov: 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 
Jeff Nelligan, managing director, NelliganJ@gao.gov: 
(202) 512-4800: 
U.S. General Accounting Office: 
441 G Street NW, Room 7149:
Washington, D.C. 20548: