[Senate Hearing 109-772] [From the U.S. Government Publishing Office] S. Hrg. 109-772 NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS ======================================================================= HEARING BEFORE THE COMMITTEE ON VETERANS' AFFAIRS UNITED STATES SENATE ONE HUNDRED NINTH CONGRESS SECOND SESSION __________ SEPTEMBER 26, 2006 __________ Printed for the use of the Committee on Veterans' Affairs Available via the World Wide Web: http://www.access.gpo.gov/congress/ senate U.S. GOVERNMENT PRINTING OFFICE 32-202 PDF WASHINGTON : 2007 ------------------------------------------------------------------ For sale by Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON VETERANS' AFFAIRS Larry E. Craig, Idaho, Chairman Arlen Specter, Pennsylvania Daniel K. Akaka, Hawaii, Ranking Kay Bailey Hutchison, Texas Member Lindsey O. Graham, South Carolina John D. Rockefeller IV, West Richard M. Burr, North Carolina Virginia John Ensign, Nevada James M. Jeffords, (I) Vermont John Thune, South Dakota Patty Murray, Washington Johnny Isakson, Georgia Barack Obama, Illinois Ken Salazar, Colorado Lupe Wissel, Majority Staff Director Bill Brew, Minority Staff Director C O N T E N T S ---------- September 26, 2006 SENATORS Page Craig, Hon. Larry E., Chairman, U.S. Senator from Idaho.......... 1 Isakson, Hon. Johnny, U.S. Senator from Georgia.................. 3 Murray, Hon. Patty, U.S. Senator from Washington................. 3 Salazar, Hon. Ken, U.S. Senator from Colorado.................... 4 Prepared statement........................................... 5 WITNESSES Howard, General Robert T., Nominee to be Assistant Secretary for Information and Technology, Department of Veterans Affairs..... 6 Prepared statement........................................... 7 Questionnaire............................................... 9 NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS ---------- TUESDAY, SEPTEMBER 26, 2006 U.S. Senate, Committee on Veterans' Affairs, Washington, DC. The Committee met, pursuant to notice, at 10 a.m., in room SR-418, Russell Senate Office Building, Hon. Larry E. Craig, Chairman of the Committee, presiding. Present: Senators Craig, Isakson, Murray, and Salazar. OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, U.S. SENATOR FROM IDAHO Chairman Craig. Good morning, ladies and gentlemen, and welcome to the Senate Committee on Veterans' Affairs. The Committee meets this morning to consider the nomination of Robert Howard to serve as Assistant Secretary for Information and Technology at the Department of Veterans Affairs. Not long ago, I think if I had asked a group of veterans or Senators what the most important positions at the Department were, I would probably have heard Secretary, Under Secretary for Health and Benefits, and maybe Assistant Secretary for Financial Management. And while all of those positions are still of utmost importance to the operation of VA, I think all of us here today would concede that the job for which we are now considering this nominee has taken an increased significance. I am not just speaking of the high-profile lapses of IT security that may have made the news lately. They are important, too, and I will touch upon them in a moment. But, I am talking about the reality that VA would probably come to a grinding halt without all of the IT services that make it run every single day. Whether it is online application for health care services and benefits, electronic transfers of payments to our deserving beneficiaries, or the highly touted electronic health records system that has brought VA national acclaim. VA simply cannot live without IT every moment of every day. It is, as they say in management terms, an essential support function. Having said that, General Howard, if you are confirmed, you will be expected to lead VA in certain areas, not just support the agency's mission. Most importantly, you will be expected to bring VA up to the gold standard of Federal IT security that Secretary Nicholson has said he expects to achieve. The events of the past few months were disturbing to all of us. Employees carelessly putting sensitive information on portable hard drives and taking it home, VA contractors failing to adequately secure hardware containing VA's information, and laptop computers in the hands of thousands of employees still present us with daily challenges. All of this is happening while VA is undergoing a massive management restructuring in the IT department. I want to make it clear that I am not suggesting that VA's employees or contractors intentionally compromised VA data. But as you and I have discussed, General Howard, I think VA and the Federal Government as a whole need a wake-up call and a cultural change with respect to information security. We need to impress upon our employees and our contractors that information is not just power; it is a priceless commodity to many people. So we need to handle it, work with it, and guard it like the valuable commodity that it is. General Howard, today I hope to hear what your plan is to identify the shortcomings in VA's IT programs, what needs to be done to correct those deficiencies, and what is a responsible timeframe for accomplishing those goals and bringing VA up to that gold standard. I also hope to be reassured that restructuring and IT security challenges will not tie the hands of the 200,000 VA employees. I understand, as do many of my colleagues, that we could have perfect security by ensuring no one uses VA's data. But that, of course, would be unreasonable. We also need to allow access to data while ensuring that we know exactly where it is going, who is viewing it, and whether it is being misused. That is an incredible challenge. But I think you are up to the job. General Howard comes before the Committee with an impressive resume and a very distinguished record of Government service. He holds a master's degree in civil engineering, and is a highly decorated Vietnam veteran who rose to the level of Major General in the United States Army before retiring from active duty in 1996. He spent several years in the private sector after retiring from the Army. During this time, he worked with Eastern European countries to help them harness technology in order to emerge from communist hold and join the democratic capitalistic societies of the world. General Howard, we welcome you to the Committee. After my colleagues have given any opening comments, I will ask you to rise and be sworn in, as is required under the rules of the Committee, and, of course, to introduce any family member that you have with you today. With that, there we go. Order of entry, I will turn to my colleague from Georgia, Senator Isakson. Johnny? STATEMENT OF HON. JOHNNY ISAKSON, U.S. SENATOR FROM GEORGIA Senator Isakson. Thank you, Mr. Chairman. I had the privilege of meeting with General Howard last week on Thursday, and had an in-depth discussion based on the experiences I have had in the technology area in running a department of our State government as well as in a private sector business. And I have to tell you, I was very impressed with his knowledge of software, the potential pitfalls in terms of that, and also very much impressed with his understanding that the reporting of failures in technology need to be with the same speed that technology itself delivers information. And that was very important to me because of the experience we had at VA with the lost computer and the tardiness with which the chain of command responded. I just wanted to say at the outset before the testimony that I was very impressed with the meeting. I am very impressed with the General, and I think he will make an outstanding contribution to the Veterans' Administration. Chairman Craig. Johnny, thank you very much. Now, let me turn to Senator Patty Murray of Washington. Patty? STATEMENT OF HON. PATTY MURRAY, U.S. SENATOR FROM WASHINGTON Senator Murray. Thank you, Mr. Chairman. I want to thank you and Ranking Member Akaka, for holding today's hearing. I know he is traveling back from Hawaii and wished he could have been here. General Howard, I want to thank you for coming before us today. I look forward to hearing about your plan to help build the IT system that our veterans need and deserve. But before I discuss your nomination, I wanted to mention to the Committee a recent article from the Associated Press that really should concern every one of us on this Committee. It suggests that the VA has no plan to deal with the influx of veterans from Iraq and Afghanistan. It states that, ``More than one-third of Iraq and Afghanistan veterans seeking medical treatment from the Veterans Health Administration report symptoms of stress or other mental disorders, a tenfold increase in the last 18 months, according to a VA study.'' The article says that veterans are facing ``long waits for doctor appointments, staffing shortages, and lack of equipment and medical centers run by the Veterans Affairs Department. It mentions in the article that a soldier from Virginia Beach, Virginia, who was having a hard time sleeping after he returned from Iraq was told he would have to wait 2\1/2\ months for an appointment at the VA facility. Now, here is a servicemember in need, and all the VA could say to him is, ``Get in line and wait 75 days.'' I find that pretty disgraceful. When you look at the numbers, you can really see a crisis in the making because just over half a million veterans have served in Iraq and Afghanistan and have separated from the military. Of those, 185,000 are currently seeking care at our VA medical centers; 150,000 of them are applying for benefits; and more than 100,000 have sought help at our Vet Centers. If the system is already straining, as the AP article told us, then the bulk of the trouble is still yet to come. We have nearly a million servicemembers who have served in Iraq and Afghanistan but have yet to separate. They are coming down the pipeline into a VA system that is already overwhelmed, and we have to figure out how we are going to serve those veterans. The numbers are really staggering. The doctors at Walter Reed have stated that 16 percent of all injured servicemembers have eye injuries. Many of them have come with traumatic brain injuries. And we have one-third that are seeking mental health care. According to the VA's own report, nearly 60,000 Iraq and Afghanistan vets have ill-defined conditions. And if you have been on this Committee long enough, you will know that some of those symptoms sound very familiar to what we later called the Gulf War syndrome in the first Gulf War. So, Mr. Chairman, I am very concerned. The numbers show that a crisis is coming, and so far we have not seen a plan from the VA on how we are going to deal with that. I hope that this Committee can bring Secretary Nicholson before us, find out what the plan is, and what help he needs from all of us to meet those needs. And I hope that we can have that hearing when we come back so that we can take steps that we need to meet our veterans' needs. General Howard, you and I had a chance to visit. I really appreciate that. As you know, I have some concerns under the new reorganization that the VA is not collaborating with the Health Administration, the Benefits Administration, and Memorial Affairs. And I am also concerned that we are not bringing in the best IT staff to fill some of our current openings. I am also concerned that the VA leadership in Washington, DC, from what I am hearing, is disconnected from field operations. I hope to hear how you can help us address those situations. I am sure you are aware of the article from GovEx.com, dated August 1st, that raises many concerns about VA operations. It outlines a world where everyone is pointing fingers, and it says what the VA really needs is a world where everyone is working together. I look forward to hearing from you today on how you can help make that world work together and not point fingers. Thank you, Mr. Chairman. Chairman Craig. Patty, thank you very much. Now, let me turn to Senator Ken Salazar of Colorado. Ken? STATEMENT OF HON. KEN SALAZAR, U.S. SENATOR FROM COLORADO Senator Salazar. Mr. Chairman, I have a statement that I will submit. Chairman Craig. Fine. Senator Salazar. I will just make two quick comments. First of all, General Howard, congratulations and I look forward to working with you as we deal with the information technology issues which have been so much at the forefront of what the VA has had to deal with in the last year. And, second of all, Mr. Chairman, I agree with Senator Murray that I think it would be a good thing for us, perhaps after the election, to get together with Secretary Nicholson and others from the VA so that we can look ahead to see what kinds of challenges we are going to be dealing with, with the influx of veterans coming home from both Iraq and Afghanistan. Thank you, Mr. Chairman. [The prepared statement of Senator Salazar follows:] Prepared Statement of Hon. Ken Salazar, U.S. Senator from Colorado Thank you, Chairman Craig and Senator Akaka, for holding today's hearing. I also want to acknowledge Mr. Robert Howard, the President's nominee to be Assistant Secretary for Information and Technology in the Department of Veterans Affairs. Thank you, Mr. Howard, for coming before this Committee today to discuss several critical issues that directly impact veterans in Colorado and across the Nation. We have heard a lot about the VA's handling of information and technology this year both about the greater opportunities it presents to us and the greater responsibility it demands from us. I look forward to hearing directly from the President's nominee to be the Department's Chief Information Officer about how the VA can better manage these opportunities and responsibilities. Specifically, we need to know what the Office of Information and Technology can do to help safeguard our veterans' personal information. In addition to hearing about the steps OIT has taken in response to this spring's data theft, I would like to know what impact the recent reorganization of the Office of Information and Technology will have on the ability of the Department to provide information security. I understand that this reorganization will involve consolidating many of the Department's IT professionals under the OIT, increasing the number of personnel operating under your office from 350 to nearly 6,000. This is a huge increase, and I am interested in hearing about both the potential benefits and potential drawbacks of such a dramatic overhaul. Finally, I would like to discuss how the information and technology resources that OIT has at its disposal can be used to better serve veterans who are living in rural or geographically remote areas. With the technological advances we have seen over the past ten to twenty years, including the growth of the Internet, there is enormous potential for government to use technology to improve the way we provide services to our citizens. I believe we have only begun to scratch the surface of that potential. While I understand that VA's Office of Information and Technology is only one piece of the puzzle, I would like to hear Mr. Howard's ideas on how we can use technology to bridge the physical gap that exists between veterans living in rural communities and the VA facilities that are in some cases located hundreds of miles away. These tools have already begun to change the way the Americans interact with their government, and I am excited at the vast opportunities they present for the future. Again, I would like to thank Chairman Craig and Senator Akaka for holding this hearing, and to thank Mr. Howard for sharing his views with the Committee today. I look forward to discussing these and other issues that are important to our Nation's veterans. Chairman Craig. Well, thank you. I appreciate those suggestions from both of you. General Howard, Senator Akaka, our Ranking Member, is not with us today. As Patty mentioned, he is returning from a successful primary election in the State of Hawaii and will join us later on in the day. I want the Committee to know that I intend to convene the Committee off the floor this afternoon to vote to report the nominee to the full Senate. I do not think any of us, I would hope, would want to hold back getting this man on board and at work on an issue that all of us have opined about in our comments this morning as it relates to building a strong IT system within the VA. That is assuming that all goes well in the balance of the hearing, of course, and I would hope we could do that sometime today or, if we have a vote, around the noon hour. With that, General, if you will please rise. Do you swear or affirm that the testimony you are about to give to this Committee will be the truth, the whole truth, and nothing but the truth, so help you God? General Howard. I do. Chairman Craig. Thank you. Please proceed, and as I mentioned in my opening comment, if you have family with you, please introduce them to the Committee. General Howard. Sir, I have a statement. Do I have time to read that? Chairman Craig. You do have time to read that. STATEMENT OF ROBERT T. HOWARD, NOMINEE TO BE ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS AFFAIRS General Howard. Mr. Chairman and Members of the Committee, good morning, and thank you for the opportunity to testify today. It is indeed an honor to be nominated by President Bush to be the Assistant Secretary for Information and Technology at the Department of Veterans Affairs and to appear before you today. I would like to thank the President for nominating me, and Secretary Nicholson for expressing confidence in my abilities by supporting this nomination. My dedication to the United States military is marked by a history of service and commitment. In 1963, I left Everett, Massachusetts, and entered the U.S. Army to embark upon a career spanning 33 years. During my time of service, I developed a deep respect and appreciation for those who serve in our Armed Forces--and their families. Personal sacrifice and devotion to duty is routine among members of the military, so they deserve our unwavering support both while wearing the uniform and when they transition into the community of veterans. I am privileged to work for them and support that critically important mission stated many years ago by President Lincoln: ``To care for him who shall have borne the battle and for his widow and orphan.'' For me, time has come full circle-- from a long career in active military service to now assisting our Nation's veterans through public service. As you know, I have been the supervisor of the Office of Information and Technology within the VA since early May 2006, so I am very familiar with all the work that must be accomplished to form a new, significantly expanded organization and to also remedy the deficiencies that exist within the area of data security. I am confident that my experience in the U.S. Army and in the private sector with the Cubic Corporation, has helped hone the skills required to lead the organization effectively and contribute to the successful accomplishment of a wide variety of important tasks. The reorganization of IT within the VA is a major event that will result in more standard processes and better interoperability across the Department. I am totally committed to its successful implementation and improving our performance, not only in the area of operations and maintenance, but in developmental programs as well. The reorganization will assist us in many ways, including the area of data security where the most difficult work resides--work that is especially important to our veterans. Secretary Nicholson has clearly stated that he wants the Department of Veterans Affairs to become the gold standard for all of Government in the area of information security. Achievement of that goal involves many activities of the Department, but it must involve the completion of all actions associated with the Data Security-Assessment and Strengthening of Controls Program. This is VA's high-priority program designed to remedy the many security deficiencies that have been uncovered. Because of its importance, I have provided the Committee staff copies of the action plan associated with this program. This is a living document that will guide our work. Its successful execution is, without question, my highest priority. In VA we want to create an environment where veteran and VA employee information is treated with respect and is protected with a high degree of rigor. I realize the position of Assistant Secretary for Information and Technology will involve very difficult work. I am fully prepared for this since I know I have the full support of the VA leadership. I also know that you are committed to helping us in any way you can. If confirmed, I will strive to position VA's Office of Information and Technology to be the leader among Federal IT organizations in providing secure, high-quality, and responsive service to supported organizations in meeting business needs by leveraging state-of-the-art technologies and building a high-performing workforce dedicated to the success of those they serve. I will continue to remain thoroughly familiar with the issues facing the Department and give my very best effort to work diligently and to faithfully advise the Secretary and the Deputy Secretary and to keep you informed of progress on a timely basis. With me today are my wife, Ciretta, originally from Revere, Massachusetts, and my youngest daughter, Laura Glaub, from Woodbridge, Virginia. I am very grateful for their constant love and support and to many other family members and friends whose support has been steadfast for many years. Also present today is Deputy Secretary Mansfield, whose strong support is greatly appreciated. Thank you again, Mr. Chairman and Members of the Committee, for your consideration of my nomination. I would be happy to answer any questions you may have. [The prepared statement of General Howard follows:] Prepared Statement of Robert T. Howard, Nominee to be Assistant Secretary for Information and Technology, Department of Veterans Affairs Mr. Chairman, Senator Akaka, and Members of the Committee, good morning, and thank you for the opportunity to testify today. It is indeed an honor to be nominated by President Bush to be the Assistant Secretary for Information and Technology at the Department of Veterans Affairs and to appear before you today. I would like to thank the President for nominating me, and Secretary Nicholson for expressing confidence in my abilities by supporting this nomination. My dedication to the United States military is marked by a history of service and commitment. In 1963, I left Everett, Massachusetts, and entered the U.S. Army to embark upon a career spanning 33 years. During my time of service, I developed a deep respect and appreciation for those who serve in our Armed Forces--and their families. Personal sacrifice and devotion to duty is routine among members of the military, so they deserve our unwavering support both while wearing the uniform and when they transition into the community of veterans. I am privileged to work for them and support that critically important mission stated many years ago by President Lincoln: ``To care for him who shall have borne the battle and for his widow and orphan.'' For me, time has come full circle-- from a long career in active military service to now assisting our Nation's veterans through public service. I have been the supervisor of the Office of Information and Technology within the VA since early May 2006, so I am very familiar with all the work that must be accomplished to form a new, significantly expanded organization and to also remedy the deficiencies that exist within the area of data security. I am confident that my experience in the U.S. Army and in the private sector with the Cubic Corporation, has helped hone the skills required to lead the organization effectively and contribute to the successful accomplishment of a wide variety of important tasks. The reorganization of IT within the VA is a major event that will result in more standard processes and better interoperability across the Department. I am totally committed to its successful implementation and improving our performance, not only in the area of operations and maintenance, but in developmental programs as well. The reorganization will assist us in many ways,including the area of data security where the most difficult work resides--work that is especially important to our veterans. Secretary Nicholson has clearly stated that he wants the Department of Veterans Affairs to become the gold standard for all of Government in the area of information security. Achievement of that goal involves many activities of the Department, but it must involve the completion of all actions associated with the Data Security-Assessment and Strengthening of Controls Program (DS-ASC). This is VA's high-priority program designed to remedy the many security deficiencies that have been uncovered. Because of its importance, I have provided the Committee staff copies of the action plan associated with this program-- this is a living document that will guide our work. Its successful execution is, without question, my highest priority. In VA we want to create an environment where veteran and VA employee information is treated with respect and is protected with a high degree of rigor. I realize the position of Assistant Secretary for Information and Technology will involve very difficult work. I am fully prepared for this since I know I have the full support of the VA leadership. I also know that you are committed to helping us in any way you can. If confirmed, I will strive to position VA's Office of Information and Technology to be the leader among Federal IT organizations in providing secure, high-quality, and responsive service to supported organizations in meeting business needs by leveraging state-of-the-art technologies and building a high- performing workforce dedicated to the success of those they serve. I will continue to remain thoroughly familiar with the issues facing the Department and give my very best effort to work diligently and to faithfully advise the Secretary and Deputy Secretary and to keep you informed of progress on a timely basis. With me today are my wife, Ciretta, originally from Revere, Massachusetts, and my youngest daughter, Laura Glaub, from Woodbridge, Virginia. I am very grateful for their constant love and support and to many other family members and friends whose support has been steadfast for many years. Thank you again, Mr. Chairman and Members of the Committee, for your consideration of my nomination. I would be happy to answer any questions you may have. [GRAPHIC] [TIFF OMITTED] 32202.001 [GRAPHIC] [TIFF OMITTED] 32202.002 [GRAPHIC] [TIFF OMITTED] 32202.003 [GRAPHIC] [TIFF OMITTED] 32202.004 [GRAPHIC] [TIFF OMITTED] 32202.005 [GRAPHIC] [TIFF OMITTED] 32202.006 Chairman Craig. General, thank you very much for that testimony. Let us get to the questions because I think all of us are, as we have expressed, very concerned about the task at hand and before you. You have made available this printout that I find is fascinating. I wish I understood it. [Laughter.] Chairman Craig. Because I am not quite sure of the 322 tasks by number, where we are, and what it will mean when we get there. But I suspect you do, and maybe you will be able to tell us a bit about that. Certainly, your leadership credentials are not at question at this point at all. However, can you talk to us a bit about your technical qualifications for the position, what experiences do you have in the management of IT programs that will help us ensure VA's Office of Information and Technology's success, and what all of this means? General Howard. Yes, sir. Sir, actually, as an engineer, of course, I am very comfortable in the technical arena. But I have had a number of assignments over the years which directly relate to information technology and the production of computer-based products. One in particular was as a brigadier out at Fort Leavenworth, Kansas, where I led an organization called TRADOC Analysis Command. What we did there, we were responsible for the cost and operational effectiveness analysis for the U.S. Army dealing with modernization of weapons systems, and also assisting in the training area as well. What we did is we built computer models that were used to evaluate future weapons systems based against existing platforms. There were a number of types of these, and we not only wrote the code, we developed the mathematical algorithms in order to define the particular activity of the weapons system. And I had quite a few folks working for me out there, a large group, in fact, down at White Sands Missile Range, a number of them computer coders, and the systems engineers. So those 2 years out at Fort Leavenworth were very helpful in that regard in terms of the production of computer-based products. We also built training simulations and, again, this was in the late 1980s. In that time training simulations had really begun to be used by the military and it is routine today. We built a number of those simulations to include production of the scenarios, the scripting of the particular documentation that needed to be coded, and then go through the coding process to produce the various training products that were then used by field commanders to train their commanders and staffs. Most recently, with the Cubic Corporation, my division was involved in the production of educational and training technologies, computer-based products that we used, interactive products, Web-based products that were designed for both training and education in a number of areas. The other aspect of my division at Cubic, as you mentioned, was helping countries in Eastern and Central Europe become more Westernized and improve their systems in the military. A number of them were heavily involved in introduction of information technology systems. In particular, three countries--Czech Republic, Slovak Republic, and Hungary--we directly assisted them in bringing on more modern IT systems to support them in a number of areas, from personnel to logistics, force design, and a number of other areas as well. So that briefly is some background relating to information technology and the production of computer-based products. Sir, with respect to the plan itself, I have my copy. I do not have one under my pillow, but I probably should. Sir, quite frankly, as you have seen this---- Chairman Craig. Let's cut to the chase. Some are arguing out there in the field that the 322 so designated tasks here are simply a rearranging of the deck chairs on the deck of the Titanic. General Howard. Sir, that is absolutely not the case. Chairman Craig. OK. General Howard. As you see, believe it not, they are actually 100 percent indicated by some of these. This program began shortly after the breach in May. It was directed by the Deputy Secretary, and we began putting together a list of actions that needed to be taken, actions that needed to be completed. And more than anything else, that is what this is. At least we know what needs to be done. We began to lay down timelines, as you can see. Some of them, obviously, continue to be adjusted as we know more about what we are dealing with. But with respect to the completion of these, one of the most important facets of this was the first phase, the assessment phase. We began very early on, as the dates indicate, by assessment briefings from all the administrations and the staff sections within the VA. These briefings were chaired by the Deputy Secretary, and they had to be given by the principal in charge. There were some minor cases where deputies gave the presentation, but we insisted on senior officials standing up and telling us what were the conditions regarding information security within their organization. This was very revealing. We went through all of that, as you can see on the front page, and what we are into now is doing the same thing with all the administrations and staff agencies, staff sections, with non-VA organizations. For example, we have contractors working for us. What are the conditions under which they operate? Do they work with sensitive information? Is it properly protected? We are in the process of having these briefings right now. In fact, just yesterday, we had two more, and the day before, we had VBA. There are just a couple left. We left VHA for last because they have got a huge amount of contracts, a very difficult situation, so we let them have as much time as they could to prepare for that. We are moving through the assessment phase, but we are also moving into other areas as well. You will notice the second phase of this program is the strengthening of controls portion, and that is broken down into three sections:Management activities, like, for example, updating our directives, and we have got several of those complete and a number already in draft form, and we will share those with you as they get completed. That is in the management area. In the technical area, we have a number of activities going on, particularly in the area of encryption and understanding additional actions that can be taken to better control the communications and the passing of sensitive information within the VA, but do that in a way that we do not shut down the operation. Sir, you mentioned that yourself as a key concern, and you are exactly right. That is a difficult balance. We need to tighten up, but at the same time we have got things we have got to accomplish. And we recognize that. The laptop encryption is just about complete. In fact, we have encrypted almost 15,000 laptops over the last couple of weeks. There is a small number that we were not able to encrypt, less than a hundred, and one of the reasons for that, particular computers were not able to accept the Guardian Edge software. We are working both with the manufacturer of the computer--Micron and Guardian Edge--trying to solve that. But in the meantime, those laptops are secure. They are not being used. These are VA laptops. As you know, we have non-VA laptops that are being used, and our objective there ultimately is to replace those with Government-furnished equipment. That is going to take a while. It is a task on this plan for fiscal year 2007. The reason it is in 2007 is we know that would cost us money, but we also need to think through how we actually want to do that. So that is the goal, but those individuals using personal laptops already know that they are required to protect sensitive information that passes through those laptops. That is per a directive that we have already published, Directive 6504, which in fact, prescribes that. There are a number of other activities further down the list that we are already working on. A big area that we are thinking through is additional technologies to bring into the VA to further protect computers and the infrastructure, techniques that are already out there. We have been talking to a number of companies. We have not put out any RFPs yet. But there are technologies available that you do not even know they are there, that help us visualize what is happening with respect to the passing of information. But these are technologies that we must understand to be sure we go forward and ask for any additional support. So that is important. There are also abilities to shut down USB ports. In fact, that is already going on at various facilities throughout the VA where you can control the use of USB devices simply by shutting down the port. People are not able to plug in a thumb drive and pull out the information. Now, again, you have got to be careful with that because people have to operate, and you cannot shut the hospital down by just turning off all the access that physicians and other staff members might need. So, sir, that is kind of a summary of what this is all about. Chairman Craig. Thank you very much. Let me turn to Senator Isakson. Johnny? Senator Isakson. Thank you, Mr. Chairman. The breach that came to our attention earlier this year was the physical transfer of a hard drive or a laptop off the VA premises to a home. That is not an electronic transfer. That is a physical transfer. I assume the control has been put in place to no longer allow that to take place within the VA. Is that correct? General Howard. Sir, that is not allowed unless you have specific permission, for example, if we are transferring files from one hospital to another and, in fact, that does happen. You are actually physically moving media, whether they are CDs or back-up tapes or whatever. But it must be approved, and it must be done under certain circumstances. Those are now spelled out in Directive 6504, which I mentioned. We have a lot of directives we need to clean up and to publish. Directive 6504 was one of the first ones right after the breach that we put in place as quick as we could. And, we may need to adjust it in some ways, but, quite frankly, it is a very good directive, and the folks in the field are paying attention to it. Senator Isakson. If I remember correctly, it was 21 or 22 days from the time the laptop was lost and the time Secretary Nicholson was advised of the breach. What has been put in place in terms of the chain of command to ensure that lapses or breaches like that quickly rise to the level they should in terms of the administration? General Howard. Sir, right now we have a much improved reporting process. Quite frankly, at the time there really was not a very good reporting process at all. It was haphazard. There was no structure to it. Since that time, we have established a very good process for reporting incidents. In fact, our guidance to the field is when in doubt, report it. No matter how small it is, no matter how insignificant, get it reported and then we will deal with it. We have also insisted that security incidents and privacy incidents get reported to one place, and that is the Security Operations Center, which produces daily reports. These daily reports go all the way to the Secretary and the Deputy Secretary and a number of other senior officials each day. There are certain mandates in place, like, for example, we must report incidents to the US-CERT within 1 hour, and we meet that. We might miss it every now and then, but that is an objective that we have. So with this reporting mechanism, we believe we do have visibility over activities that are taking place that should not be. Quite frankly, as I have talked with a number of your staff, there is always the concern about what do you do in terms of follow-up and punishment and that sort of thing. We have, in fact, taken action in some cases, but we have also got to be very careful about that because we do not want to shut down and make people too concerned about reporting things. That is a balance issue. We have to look at every case. But clearly, in cases where it was not just a careless act but a deliberately negligent act, that they knew they should not do, in that case we have taken action. Senator Isakson. One last question. The physical transfer of information which we have been addressing is one way to lose it. The electronic transfer is another way, and that can happen in two ways--either from within the agency to the outside or a hacker coming into the inside. Just briefly, are you monitoring the internal operations to catch any transfer out? And do we have a security system in terms of the hacking incident? General Howard. Sir, we do not have a system where you have 100 percent visibility over every single thing that goes on in transfer of information from computers. That is a very difficult environment to put in place. Do we have total control over someone being able to go into a sensitive database, pull information out, put it on a piece of media or a thumb drive or whatever and walk out the door? That can happen. There are directives in place, though, that prohibit that. As I mentioned to you, in some cases we have begun to shut down USB ports and things like that to better control. But, quite frankly, sir, the best way to really achieve 100 percent compliance to ensure the situation where that does not occur, is through making sure every single employee understands and lives up to their responsibilities. This is a people issue. It really is. We can go nuts with technical solutions, but the bottom line is the people involved. And some of them are pretty clever. They will figure out a way to get at it unless we make sure we continue to communicate to them. And they understand how important it is, and my feeling right now throughout the VA there is heightened awareness. There is no question about that. We see it in some of the reports coming in and, in fact, the actions that are being taken. So 100 percent, probably impossible. But we do need to do all we can to prevent that from happening. Senator Isakson. Well, my time is up, but I think you are saying what I was trying to--100 percent is impossible for practical reasons. However, random monitoring is not, and it is important that the people within the agency understand that random monitoring is going on, just to protect the integrity of the system. And I assume you are doing that. General Howard. Sir, you are exactly right. In fact, we are actually doing random cyber penetration as well. So those activities do go on, but it is sporadic. Senator Isakson. Thank you. Chairman Craig. Thank you very much, Senator Isakson. Senator Murray? Senator Murray. Thank you. General Howard, I understand that there was recently an incident in the VA system that put eight of our VA medical centers in the Northwest network at risk. Apparently, there was some untested software that was added to the system, and as a result, it broke many of the VA applications, including the VA's health data repository. From what I understand, that still has not been fixed. Could you tell the Committee what happened, why it has not been fixed, and what we are doing to ensure it will not happen again? General Howard. Ma'am, I am not familiar with that in great detail. I believe I know the situation you are talking about, though, where a patch was put in place on the network which caused some problems with CPRS. I believe that has been fixed, but I cannot be sure. I will get back with you on that, if you do not mind. Senator Murray. My understanding is that it has not been fixed yet, so if you could get back to me and let me know why and, more importantly, how can we make sure that does not happen again. General Howard. Right. Senator Murray. I understand that the new model of reorganization that you are talking about can create quite a divide between the IT folks at headquarters and people who work out in the field. How are you going to ensure that our veterans who are counting on getting services get seamless, uninterrupted service? General Howard. Ma'am, first of all, there is a strong communication effort going on right now with respect to making sure the folks understand what is about to happen, and to reassure those who need the IT support that the IT individuals who supported them in the past are not going anywhere. They are still there. They are dedicated to the support of the mission, that is, whether it is health or benefits or actually the core missions of the Department. We have communicated that to the IT individuals who, at least up to now, have been detailed to us and come October 1 the permanent transfer will take place. Continuous communication, both through the IT community and through the three administrations and staff sections is very, very important. But the fact of the matter is it is going to boil down to performance. We can talk and explain all we want, but the physicians out there, they want support, they want performance, and we understand that. And I am committed to make sure that they get the support, the same response, and hopefully, better response than they got before. Senator Murray. Since you are going to have a more centralized model, how are you going to ensure that some of the field-level CIOs and directors are going to have input? General Howard. We are already in communication--again, they have been detailed to me already, so we have dialogue going on. We have broken the country into four regions. We have regional directors for each of those locations. They, in turn, supervise CIOs, who were formerly VISN CIOs or RO CIOs. And those individuals have further connectivity down into the facilities. So there is an organization already in place that will become permanent on October 1 to help organize that. We have set things up so we have a reasonable span of control. For example, there are four regions, and in each of those regions we have a number of CIOs reporting to that regional director. Senator Murray. I hope as you implement it you keep that in mind and make sure that those lines of communication are open. General Howard. Extremely important. You are absolutely right, and believe me, I understand that and am committed to that. Senator Murray. Are you bringing in the best of the best when it comes to IT and IT management? General Howard. We are in the hiring process right now. As part of the IT realignment, I have been provided over 500 FTE empty spaces that we are now in the process of filling. Finding quality people, of course, is always difficult, but we have several that are moving and are being hired. But we have a great deal more to do in that area. Senator Murray. One last question. I think this whole unfortunate data loss system really showed us that the VA lacks some strong policies and directives regarding information technology acquisition and usage. How is this reorganization that you are talking about going to solve problems like the lack of strong IT architecture and cyber security concerns and the ability to invest soundly in IT? General Howard. Ma'am, no question that the IT reorganization is going to help a lot. I control the network now--at least come effective October 1. The network, the activities are not permitted to plug into the network without our authorization. There is no doubt--in fact, I have seen already some of the impact that we are going to feel in the months and years to come. A good example is the laptop encryption. In the last several weeks, we have encrypted almost 15,000 laptops. That went smooth as can be. We had a great deal of cooperation from facility IT people, the VISN CIOs, all of the folks that we were just talking about. There were teams put together, tremendous dialogue back and forth, e-mails flying all over the place, a great deal of cooperation and organization that permitted us to do that. Now, I do not know for sure, but my guess is if we had not had this organization in place, even from a detailed standpoint, we would have had a much difficult job. We have much better control and are making sure encryption is put in place where it is needed, patches are put in place; they cannot resist because we control the network. Senator Murray. Thank you, Mr. Chairman. Chairman Craig. Thank you, Senator Murray. General, most of the attention VA's IT program has received lately has been centered around IT security and its development. However, the issue of VA-DOD information sharing and exchange still remains, to my understanding, an unsolved problem. Are we ever going to see the day when VA's records and DOD's records can be freely exchanged from one system to another in a secure manner? And from your perspective, why have we not accomplished that goal yet? General Howard. Sir, I believe that is possible. I am not intimately familiar with the DOD system, ALDA. I am familiar with HealtheVet, the system in the VA. Those two systems are not interoperable, but there is a great deal of interaction going on with DOD. We have the JEC Committee and a number of other committees in place where there is a good deal of dialogue regarding that particular issue. Why hasn't it been done? We probably have not put enough emphasis on it. We probably have not really focused on a particular subset. In the case of HealtheVet, there are a number of sub-applications that we can perhaps focus on and really get a success story there, working with DOD. Hopefully, we will be able to do that. To the degree I can influence that, I will, and to demonstrate that we really can produce an electronic health record that is interoperable, where data can be exchanged. I believe it is possible, but not without a lot of hard work. I think you know that in the case of VA, our system is based on an older code that we want to bring into a more modernized environment and work with DOD as we move forward in that respect. The President's Executive Order is a pretty clear mandate with respect to interoperability. So to speak, the burner has been turned up on making things more interoperable. Chairman Craig. I think if we really want to claim seamless transition, part of the fabric in that seam, if you will, is this ability to move records and not duplicate and have them applicable. It simply makes an awful lot of sense to me, and I am quite sure it does to the active member/veteran in their transition. I know the FBI recovered the stolen laptop and all of the data we originally feared might be lost, and the FBI is confident the information was not accessed or compromised. Still, some veterans out there are worried that their personal information will be used to steal their money, their ID, and their privacy. What do you say to those veterans who come to you with that concern? General Howard. Sir, in that particular case, I, too, have a very high degree of confidence that the information was not disturbed. I do not think they have to worry about that at all. Chairman Craig. Well, there are other questions I could ask you, but in general, I think you have covered the waterfront of the issue in response to either me or my colleagues. So let me ask you two remaining questions. Do you have any conflicts of interest that you have not fully disclosed to the Committee? General Howard. None, sir. Chairman Craig. Do you know of any other matters which, if known to the Committee, might affect the Committee's recommendations to the Senate with respect to your nomination? General Howard. None, sir. Chairman Craig. Do you agree to appear before the Committee at such times and concerning such matters as the Committee might request for as long as you serve in the position for which you seek nomination? General Howard. Yes, I do, sir. Chairman Craig. Well, I thank you very much for your openness and your frankness. It appears that you are living up to your reputation of understanding not only what has been accomplished, but what is to be accomplished over the next while, because I, too, agree with the Secretary. We want to make the IT of VA a gold standard for our Government to follow. We are proud of the success with our electronic medical records. They represent to the health care systems of this country a leadership position, a role, and it is now recognized that through those, quality health care has been dramatically enhanced. We want to be able to turn to the veterans in very short order and say that we have transformed the culture and the systems of the VA, and to assure them that their information that is held by VA is safe and secure, usable, accessible, and all of the other values for its presence. So we thank you very much again for your attendance this morning, and as I said in my opening comments, we will attempt over the course of the day to move expeditiously so that your nomination can be considered by the whole Senate before we recess. Again, General Howard, thank you very much, and to your wife and daughter, we are pleased that they were able to attend your confirmation hearing. General Howard. Thank you, Mr. Chairman. Chairman Craig. Thank you. The Committee will stand adjourned. [Whereupon, at 10:55 a.m., the Committee was adjourned.]