Congress has given the Department of Veterans Affairs until Nov. 6 to answer more than two dozen questions about the agency’s IT security posture and plans, as part of a continuing investigation into massive, state-sponsored data breaches that may have put at risk the private information of millions of veterans and their family members.
The House Committee on Veterans Affairs on Oct. 23 sent a detailed list of 27 questions to VA demanding a mix of simple yes-or-no answers to questions about the agency’s IT security protections, as well as supporting documentation. The list of questions, obtained by FedScoop, also outlines statutory requirements and National Institute of Standards and Technology guidelines under which the agency is either required or expected to ensure certain levels of security protections.
In the cover letter accompanying the questions, addressed to VA Secretary Eric Shinseki, Rep. Mike Coffman, R-Colo., the chairman of the Subcommittee on Oversight and Investigations, characterized the inquiry as a formal investigation that “will require the highest priority and accelerated responses from the VA.”
But FedScoop has learned VA’s Office of Information Technology, an organization of some 8,000 employees, is having anything but an easy time collecting the information and the answers for Congress. A source close to the situation at VA’s OIT characterized the response to the congressional inquiry as a “lockdown,” implying that other important work has taken a back seat to answering Congress’ questions.
A senior official at VA, who spoke to FedScoop on condition of anonymity, said the IT office was dealing with a massive number of inquiries. “It’s more like 500 questions,” the source said. “It’s a lot more than 27.”
A source close to the investigation on Capitol Hill said the impetus behind the questions relates to known network intrusions by as many as nine state-sponsored hacker organizations in early 2010 and the inability of senior IT leaders at the agency, including Stephen Warren, acting assistant secretary for the Office of Information and Technology, to answer basic questions about the incidents and what the agency was doing about the vulnerabilities during a June 4 hearing. Shinseki today appointed Warren the new full-time CIO at the agency.
“The questions concern routine IT security practices that are mandated by current federal law, standards or guidance,” said the source on Capitol Hill, who spoke to FedScoop on condition of anonymity because they were not authorized to discuss the matter publicly. “This is all stuff they should be doing anyway per federal law, and the committee is simply asking for verification that the department is indeed doing so. These questions are not unwarranted and they’re not out of the blue,” the source added. “Because there’s a history of problems with what VA is telling Congress on IT security. Responding to the committee’s questions should be relatively easy for the department.”
Previous reports had indicated there had been eight foreign breaches of the VA network since January 2010. But documents obtained by FedScoop show there have been at least nine.