VA Needs to Address Persistent IT Modernization and Cybersecurity Challenges
GAO-20-719T: Published: Sep 16, 2020. Publicly Released: Sep 16, 2020.
This testimony discusses our work on information technology challenges at the Department of Veterans Affairs.
Despite spending over $4 billion annually on IT:
VA still doesn't have IT systems that fully support critical services—e.g., veterans health care, the Family Caregiver Program, and disability benefits.
Some VA IT management processes do not effectively implement federal IT acquisition law, making congressional oversight of IT acquisitions more difficult.
Cybersecurity management has weaknesses, which increase vulnerability to cyber threats.
VA health care and federal IT acquisitions are also on our High Risk List.
What GAO Found
The Department of Veterans Affairs (VA) has faced challenges in its efforts to accomplish three critical information technology (IT) modernization initiatives: the department's health information system, known as the Veterans Health Information Systems and Technology Architecture (VistA); a system for the Family Caregiver Program, which is to support family caregivers of seriously injured post-9/11 veterans; and the Veterans Benefits Management System (VBMS) that collects and stores information and is used for processing disability benefit claims. Specifically,
GAO has reported on the challenges in the department's three previous unsuccessful attempts to modernize VistA over the past 20 years. However, VA has recently deployed a new scheduling system as part of its fourth effort to modernize VistA, and the next deployment of the system, including additional capabilities, is planned for October 2020.
VA had taken steps to address GAO's recommendations from its 2014 report to implement a replacement system for the Family Caregiver Program. However, in September 2019, GAO reported that VA had yet to implement a new IT system that fully supports the Family Caregiver Program and that it had not yet fully committed to a date by which it will certify that the new IT system fully supports the program.
In September 2015, GAO reported that VA had made progress in developing and implementing VBMS, but also noted that additional actions could improve efforts to develop and use the system. For example, VBMS was not able to fully support disability and pension claims, as well as appeals processing. GAO made five recommendations aimed at improving VA's efforts to effectively complete the development and implementation of VBMS; however, as of September 2020, VA had implemented only one recommendation.
VA's progress in implementing key provisions of the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA) has been uneven. Specifically, VA has made progress toward improving its licensing of software and achieving its goals for closing unneeded data centers. However, the department has made limited progress toward addressing requirements related to IT investment risk management and Chief Information Officer authority enhancement. Until the department implements the act's provisions, Congress' ability to effectively monitor VA's progress and hold it fully accountable for reducing duplication and achieving cost savings will be hindered.
In addition, since fiscal year 2016, GAO has reported that VA faces challenges related to effectively implementing the federal approach to, and strategy for, securing information systems; effectively implementing information security controls and mitigating known security deficiencies; and establishing elements of its cybersecurity risk management program. GAO's work stressed the need for VA to address these challenges as well as manage IT supply chain risks. As VA continues to pursue modernization efforts, it is critical that the department take steps to adequately secure its systems.
Why GAO Did This Study
The use of IT is crucial to helping VA effectively serve the nation's veterans. The department annually spends billions of dollars on its information systems and assets—VA's budget for IT now exceeds $4 billion annually. However, over many years, VA has experienced challenges in managing its IT projects and programs, which could jeopardize its ability to effectively support key programs such as the Forever GI Bill. GAO has previously reported on these IT management challenges at VA.
GAO was asked to testify on its prior IT work at VA. Specifically, this testimony summarizes results and recommendations from GAO's issued reports that examined VA's efforts in (1) modernizing VistA, a system for the Family Caregiver Program, and VBMS; (2) implementing FITARA; and (3) addressing cybersecurity issues. In developing this testimony, GAO reviewed its recently issued reports that addressed IT management issues at VA and GAO's biannual high-risk series. GAO also incorporated information on the department's actions in response to recommendations.
What GAO Recommends
GAO has made numerous recommendations in recent years aimed at improving VA's IT system modernization efforts, implementation of key FITARA provisions, and cybersecurity program. VA has generally agreed with the recommendations and has begun to address them.
For more information, contact Carol C. Harris at (202) 512-4456 or email@example.com.