[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

VA CYBERSECURITY AND IT OVERSIGHT

=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON INFORMATION TECHNOLOGY OF THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION

MARCH 16, 2016

Serial No. 114-133

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov http://www.house.gov/reform

U.S. GOVERNMENT PUBLISHING OFFICE
25-503 PDF WASHINGTON : 2017

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, Jr., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MATT CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico

Jennifer Hemingway, Staff Director
Troy Stock, IT Subcommittee Staff Director
Michael Flynn, Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director

------

Subcommittee on Information Technology

WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair
MARK WALKER, North Carolina
ROD BLUM, Iowa
PAUL A. GOSAR, Arizona

ROBIN L. KELLY, Illinois, Ranking Member
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
TED LIEU, California

C O N T E N T S

----------

Hearing held on March 16, 2016

WITNESSES

Ms. Laverne Council, Assistant Secretary for Information and Technology, Chief Information Officer, U.S. Department of Veterans Affairs, Accompanied by Brian Burns, Deputy Assistant Secretary for Information Security, Office of Information and Technology, U.S. Department of Veterans Affairs
    Oral Statement
    Written Statement

Mr. Brent Arronte, Deputy Assistant Inspector General for Audits and Evaluations, U.S. Department of Veterans Affairs, Accompanied by Michael Bowman, Director of Information Technology and Security Audits Division, Office of Inspector General, U.S. Department of Veterans Affairs
    Oral Statement
    Written Statement

APPENDIX

Representative Connolly Statement for the Record
Representative McMorris Rodgers Statement for the Record
2016-03-16 Iraq and Afghanistan Statement for the Record

VA CYBERSECURITY AND IT OVERSIGHT

----------

Wednesday, March 16, 2016

House of Representatives, Subcommittee on Information Technology, Committee on Oversight and Government Reform, Washington, D.C.

The subcommittee met, pursuant to call, at 2:00 p.m., in Room 2247, Rayburn House Office Building, Hon. William Hurd [chairman of the subcommittee] presiding.

Present: Representatives Hurd, Farenthold, Kelly, and Connolly.

Also Present: Representative Moulton.

Mr. Hurd. The Subcommittee on Information Technology will come to order. Without objection, the chair is authorized to declare a recess at any time.

Last June, in the first hearing on the data breach of the Office of Personnel Management, I told agencies that we would be watching to make sure they are taking their cybersecurity obligations seriously. We discussed how CIOs, CISOs, and agency heads need to take a hard look at their IG audits and GAO reports, and make sure they address the findings to make sure their cyber posture is meeting FISMA standards.

The same is true when addressing the federal IT acquisition reforms. That is why this committee, in a bipartisan fashion, developed a scorecard to grade agencies on their implementation of FITARA. This committee will continue to hold agency heads responsible for the state of their agency information technology and cybersecurity posture, but much of this work starts in the office of the CIO.

We are here today to continue that work, and nearly no other department is of such importance to get right as the second largest Federal agency whose mission it is to care for our Nation's veterans. We cannot afford and should not allow IT lapses to occur.

While we are focusing on the technical details today, I hope each of us will also take time to recognize that there are real-world consequences and impacts of these decisions, and that they fall upon those who have already given so much for their country. We cannot forget that. Ms.
Council, I am pleased to have you here today. I know this is your sixth hearing, I think, in the last 10 days, so I appreciate it. I think it is because you are so charming and you know what you are doing, so it is great to have you here.

Truthfully, I am very encouraged. I am encouraged that you have a strategy in place to eliminate material weaknesses, material weaknesses that, in some cases, go back 17 years. The VA exceeded the OMB's target on the 30-day cybersecurity sprint and expanded strong authentication practices to 100 percent of its privileged users and 80 percent of its unprivileged users. This was demonstrated progress in the area of cybersecurity and a positive indicator that the VA is making progress in this area.

But concerns remain. The goal you and your chief information security officer have set to eliminate the material weaknesses is by the end of 2017, 2 years to solve in some cases fairly basic cybersecurity best practices. We are talking about predictive scanning for vulnerabilities, implementing risk assessment, monitoring tools, and security training. Two years is too long, and I think we can do better.

The VA received an overall grade on the committee's FITARA scorecard of a C. The agency received Fs in savings relating to data center consolidation and IT portfolio review. Again, I must highlight this is self-reported data. We will talk about that and the VA's plan to implement FITARA further.

The modernization of the VA's legacy technology is a real concern that is affecting millions of veterans. Ms. Council, a few weeks ago, you testified before the House Appropriations Committee that you ``want to take a step back from the existing modernization plan of VistA.'' You cited changes in circumstances and issues such as women's health, the Internet of Things, and Care in the Community as instigating factors in taking a pause on the VistA Evolution plan developed in 2014.
While I certainly appreciate big thinking, especially in government IT, I have to ask whether or not this is another example of the VA taking a U-turn on substantial IT investment. We have been down this road before with the effort to make electronic health records of the DOD and VA interoperable. Is VistA going to end up in a multiyear investment that never delivers the functionality that the VA's health care providers need?

The meaningful exchange of health care data has been delayed for far too long. While the DOD and VA seem to have made progress recently with the Joint Legacy Viewer, I want to reiterate once again that the JLV is not true interoperability. The missed deadlines, cost overruns, and failures to deliver on expectations leave me with serious doubts about whether these two departments are able to work together toward effective, real-time sharing of veterans' health data.

Turning to the issue of patient scheduling, what will a pause of VistA Evolution mean for the medical appointment scheduling system? Here again is a problem that needs an IT solution that has suffered repeated setbacks. This is not a new problem. The scheduling component of VistA dates back to 1984. With veterans coming home from the wars in Iraq and Afghanistan, this is a system that needs to be upgraded immediately. Fifty-thousand schedulers made 80 million appointments in fiscal year 2011 alone--80 million.

The VA has recently put in place a 5-year contract to develop a new medical appointment scheduling system at the cost of $624 million. I have to ask the questions: Could this have been done cheaper with commercial off-the-shelf technology? Will the latest attempt work? Will this contract fix the scheduling problems at the VA?

I have said it time and again, the problems the agencies face in IT and cybersecurity are not in the availability or accessibility of technology. The tools already exist.
The challenge the Federal agencies face, and we have seen at OPM and the Department of Education, is having the leaders in place, leaders who have vision and a commitment to staying at their agency to see the vision through. And, Ms. Council, I am excited because I think you are the right person for the job.

I thank the panel for attending today's hearing, and I look forward to today's discussion. Now it is my pleasure and honor to recognize the gentlelady from Illinois, my friend and ranking member of the subcommittee, Ms. Kelly, for her opening remarks.

Ms. Kelly. Thank you, Mr. Chairman.

Information technology is critical to improving the service and performance of the Federal Government, especially the Department of Veterans Affairs, one of the largest integrated health care systems in the United States, serving millions of veterans and families. Today's hearing provides the VA an opportunity to demonstrate their commitment to improving the delivery of health care and benefits to our veterans, while safeguarding the veteran information and VA data that exists within its environment.

This committee plays an important oversight role that can increase transparency and accountability of agency efforts to implement important legislation such as the FITARA and FISMA. In response to various internal challenges and external pressures, VA rolled out a new strategy to transform the Office of Information and Technology into a world-class IT organization that supports the delivery of excellent health care and benefits to veterans.

Transforming an IT organization of 8,000 employees with a budget of more than $4 billion is no simple task. The VA chief information officer, Ms. Council, joined VA in July 2015, inheriting an IT environment with thousands of outstanding security risks and failed or mismanaged IT projects. However, Ms.
Council's written testimony to this subcommittee in October stated, and I quote, ``The opportunity is now, because we have the key components for success. We have executive-level support from the Secretary and Deputy Secretary, and the CIO role at VA is empowered with unique flexibility. I've been impressed to find that we have a hard-working, mission-oriented staff that cares deeply about creating a better experience for the veteran. Through congressional action, we have a centralized IT and sufficient resources. Finally, we have the ability to deliver for our business partners when they need us the most.''

I look forward to hearing more on the progress at VA and recognizing the Office of Information and Technology to better manage the IT portfolio and enhance CIO authority and accountability as required by the FITARA.

Given the recent breaches in both the public and private sector, we are all aware of the evolving nature of threats facing information systems. It is important that we ensure that the VA responds to these threats with efforts to fully address information security weaknesses and enhance its information security posture. These efforts to improve VA operations and information security are essential to regaining the trust and confidence of the American public that the VA is taking care of our Nation's vets.

Thank you, Mr. Chairman.

Mr. Hurd. Thank you. Now I will hold the record open for 5 legislative days for any members who would like to submit a written statement.

Mr. Hurd. We will now recognize our panel of witnesses. I am pleased to welcome the Honorable LaVerne Council, Assistant Secretary for Information and Technology and chief information officer at the Office of Information and Technology of the U.S. Department of Veterans Affairs. Ms. Council is accompanied by Brian Burns, Deputy Assistant Secretary for Information Security at the Office of Information and Technology at the U.S.
Department of Veterans Affairs, whose expertise may be needed during questioning.

Next, I would like to welcome Brent Arronte, Deputy Assistant Inspector General for Audits and Evaluations with the Office of Inspector General at the U.S. Department of Veterans Affairs. Mr. Arronte is also accompanied by Mr. Michael Bowman, director of the Information Technology and Security Audits Division at the Office of the Inspector General, whose expertise may be needed during questioning as well.

Welcome to you all. Pursuant to committee rules, all witnesses will be sworn in before they testify. We will also swear in Mr. Burns and Mr. Bowman. So please rise and raise your right hands.

Do you solemnly swear or affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth?

Thank you. Please be seated. Let the record reflect that the witnesses answered in the affirmative.

In order to allow time for discussion, please limit your testimony to 5 minutes. Your entire written statement will be made part of the record. Ms. Council, we will start with you, and you are recognized for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF LAVERNE COUNCIL

Ms. Council. Thank you, Chairman Hurd, Ranking Member Kelly, and distinguished subcommittee members. Thank you for the opportunity to discuss the progress we are making towards serving our Nation's veterans.

In October, I shared with you our plan to transform the Office of Information and Technology, or OI&T, into a world-class organization by implementing a new enterprise strategy. Our mission is to collaborate with our business partners to create the best experience for all veterans. We are becoming a principles-based organization, one centered on transparency, accountability, innovation, and teamwork.

Our team is transforming. We are infusing new perspectives and skills by hiring new talent. We have added five senior leaders and will add an additional 11 in the next 90 days.
This team will carry the torch for relentless execution.

When our veterans interact with VA, they are making the choice to entrust us with their personal information. The delivery of VA's enterprise cybersecurity strategy in September 2015 was the first reinforcement of our commitment to safeguard their information with tools, technology, and the people of the highest caliber.

We have made significant progress in improving our cybersecurity posture. For the first time, our security efforts are fully funded and resourced at $370 million in fiscal years 2016 and 2017. This investment will make the implementation of our plan a reality. OI&T can no longer be considered a material weakness for VA.

We are addressing all key FISMA findings. By the end of 2016, we will close 30 percent of the IG's recommendations, and we will close 100 percent by the end of 2017. We have reduced elevated privileges by 95 percent, and we will technically enforce personal identity verification, or PIV, to achieve our 80 percent goal by September.

But the highest level of security does not rest with IT alone. We are providing comprehensive education to ensure that all VA employees remain vigilant. We have updated our national rules of behavior and our annual security training, and we are emphasizing continuous engagement with our employees. Information security poses constant challenges, and it is only through continuous reinforcement that our employees can support us in this battle.

We have achieved several significant goals in implementation of our Enterprise Program Management Office, or EPMO. The EPMO began operating on February 1 and is now our control tower, mapping out an agile path for all IT efforts. We replaced the Program Management Accountability System, or PMAS, with our new Veteran-focused Integration Progress, or VIP. VIP reduced our overhead obligation by 88 percent.
Our most important projects, including VistA Evolution or VistA 4, the Enterprise Health Management Platform, VBMS, and our interoperability processes are already transitioned to VIP. For the first time, OI&T will have an integrated 18-month portfolio, a single change and a single release calendar. We will also include a 90-day post-release warranty on all efforts to ensure the highest levels of performance.

Access to accurate veteran information is one of our core responsibilities. We will jointly be certifying interoperability with DOD, as mandated by the 2014 NDAA, within the next month and ahead of the 2016 deadline. We are outpacing our projection for our interoperability tool, the Joint Legacy Viewer, which has over 44,000 users and grows by over 3,000 weekly.

But we must do more. We are evaluating our electronic health record modernization plans to ensure we have the right strategy in place for the next 25 years, well beyond what will be achieved in 2018 by VistA 4. This is not about the software. This is about supporting the veteran anytime, anywhere. We must strive for continuous innovation, not just for NEHR, but for a digital health platform. We owe it to our veterans to evaluate their needs and meet each veteran where she is.

I am proud of our recent accomplishments. But transformation requires a relentless focus on outcome, outcomes that matter, outcomes that support the veterans who have supported us.

Mr. Chairman, members of the subcommittee, thank you again for the opportunity to discuss our progress with you. I am happy to take your questions at this time.

[Prepared statement of Ms. Council follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Hurd. Thank you, Ms. Council. Now I would like to recognize Mr. Arronte for 5 minutes.

STATEMENT OF BRENT ARRONTE

Mr. Arronte. Mr.
Chairman and members of the subcommittee, thank you for the opportunity to discuss the Office of Inspector General's work regarding the VA's management of information technology and information security. As previously indicated, I am accompanied by Mr. Michael Bowman, OIG's director of Information Technology and Security Audit Division.

VA continues to face challenges in developing IT systems it needs to support its current goals and overall mission. For 16 consecutive years, information security has been reported as a material weakness in VA's consolidated financial statement audit. Our audits have shown that IT system development and management at VA is a longstanding, high-risk challenge. Despite some advances, our reports indicate VA IT programs are still often susceptible to cost overruns, schedule slippages, and performance problems.

Over the past 3 years, the OIG has made 69 recommendations to improve IT systems management and security. As of February 2016, 57 of those recommendations remain open. Of those 57, 17 are repeat recommendations and 13 are modified repeat recommendations.

For fiscal year 2016, the VA estimates a total IT investment of about $4.1 billion to fund information system security, system development initiatives, and systems operation and maintenance. If not properly planned and managed, these IT investments can become costly, risky, and counterproductive.

In March 2012, the VA instituted the Continuous Readiness and Information Security Program, also known as CRISP. The purpose of CRISP is to ensure continuous, year-round monitoring and to establish a team responsible for resolving IT material weaknesses. While VA implemented some standardized information security controls, these improvements require time to be fully implemented and to show if they are effective.
Our limited review indicates the CRISP initiative has not been fully effective in addressing systemic weaknesses or eliminating material weaknesses found in VA's information security program for fiscal year 2015. Examples of some of these weaknesses are financial management systems using outdated technology, password standards not consistently implemented, and systems not securely configured to mitigate known and unknown information security vulnerabilities.

In April 2015, our administrative investigative staff found that certain OI&T employees failed to follow VA information security policy and contract security requirements. Specifically, OI&T staff improperly approved VA contractors to work remotely and access VA's network from foreign countries such as China and India. We identified that one contractor used his personally owned laptop to access VA's network from China. This contractor had administrative rights as well. Upon completion of his work, he left the laptop in China. As of this date, the laptop has not been recovered.

We also found that other VA contractor employees improperly connected to the VA's network from other foreign locations. We determined VA information security officials and the former executive in charge for OI&T failed to quickly and effectively respond to determine if there was a compromise as a result of VA contractors accessing VA networks internationally.

VA is also challenged in developing IT systems needed to support mission goals. Recent OIG reports disclose that some progress has been made in timely deploying system functionality because of the agile system development method. Despite these advances, VA continues to struggle with cost overruns and performance shortfalls. VA's mechanism for overseeing IT program management has improved but has not been fully effective in controlling these IT investments.

Our work has demonstrated that VA continues to struggle with its IT investments.
Some improvements in information security have become evident with the inception of CRISP. However, more work remains to be done, and VA needs to remain focused on addressing OIG recommendations in the security and development of IT systems. Until a proven process is in place to ensure controls across the enterprise, the IT material weakness may stand and VA's mission-critical systems and sensitive veterans data may remain at risk of attack or compromise.

Mr. Chairman, this concludes my statement. We would be happy to answer any questions you or other members of the subcommittee may have.

[Prepared statement of Mr. Arronte follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Hurd. Thank you, sir. I now would like to recognize the gentleman from Texas, Mr. Farenthold, for 5 minutes for questioning.

Mr. Farenthold. Thank you very much, Mr. Chairman. Ms. Council, you talked a little bit about upgrading your medical records system. If your electronic medical records system was in the private sector, would it be compliant with all the laws applicable to the private sector, HIPAA laws and all the other new requirements under the Affordable Care Act?

Ms. Council. Not all the new laws. That is one of the reasons that we are developing a new strategy that we need to go forward with for the next 25 years. So, no, it would not, not all the ACA.

Mr. Farenthold. And it is also my understanding that a lot of both your hardware and software is grossly out of date. I was down in the Rio Grande Valley and the Secretary of the VA mentioned to the group some of the financial systems are actually running computer language called COBOL, which was actually around probably before I was born, and I am in my 50s. Is it a problem to maintain and update this code and find employees to do that?

Ms. Council. The current state of the financial systems is that we are looking for a shared platform with our financial organization.
They are looking at Treasury as a Federal opportunity to engage a partner. So you are right, the systems are older. As a person in her 50s as well, and COBOL being a language that I know quite well, it is old, and we do need to upgrade.

Mr. Farenthold. What sort of effect is this out-of-date software having on delivering service to our veterans and making sure that the physicians who provide service either under the voucher system or Veterans Choice are paid in a timely fashion?

Ms. Council. I think you have touched on the main issue as to why we are looking at a digital health platform, sir. The reality is when you are on old platforms, old hardware, old software, you cannot take advantage of the new opportunities to share data, as well as upgrade our information with those providers and pay them quicker. That is really our focus, to ensure that we are prepared for the future.

Mr. Farenthold. And it is not just the software that is out-of-date or your custom software. It is even some of the stuff you buy off-the-shelf. It is my understanding you all have not yet completely migrated off Windows XP, which is no longer supported by Microsoft.

Ms. Council. There are 834 custom applications within the VA. The most customs that I have ever seen in my career. We also do have XP in the environment, much of that leveraged by medical cyber and medical equipment. As part of our enterprise cybersecurity strategy, we have put in processes to eliminate and drive out that lifecycle problem.

Mr. Farenthold. Are we also looking in the VA at moving away from the extraordinary number of custom systems? There is a lot of off-the-shelf stuff that you ought to be able to adopt. Is that not a reasonable question?

Ms. Council. It is a very reasonable question, sir. There are five new functions we are adding as part of the strategy.
One of those new functions is strategic sourcing, which is all about putting us in a situation where we buy versus build, so that we look for off-the-shelf software that can meet our needs first. We validate that there is not something that is already built that could meet our needs, and then we make those calls based on what best fits the process.

Mr. Farenthold. I can understand that there is some legacy stuff that was designed to run on Windows XP and may not run on other stuff. Our research shows that you all are still on Exchange Server 2003 that had an end-of-life-support cycle in 2014. Do you think the outdated software that is not getting current security patches might be a cybersecurity opening or vulnerability?

Ms. Council. We actually use the same assessing process that the IG uses and patch aggressively against each of those issues, as well as taking those software out. One of the big opportunities that we have and we are deploying within the next month a contract to start moving much of this to the cloud using Email as a Service, moving much of that storage out into the cloud in a secure manner working with the IG. It gives us an opportunity to eliminate some of the hardware issues that we have, but also put ourselves in a new place, as far as transformation.

Mr. Farenthold. I want to direct this final question to anybody on the panel that would like to answer. Is there anything that Congress is not doing that it should be doing to help you through this IT crisis and get you to where you can better deliver services to our veterans? Obviously, the answer is to give us more money, but maybe we can do a little better than just that.

Ms. Council. I always say this because it still continues to be the issue. When you are hiring for information technology, the kinds of architects we need, the kinds of security people we need, we are competing against private resources.
And it takes a while to get into the Federal Government, and the requirements are not those that those same resources and highly valued resources would face in private industry. We need those resources, and even as we get access and opportunities to meet those people to talk with them, we take a long time to get them in the door. So any help that can be given there will be the most important help you can give us.

Mr. Farenthold. And if you can get us some specifics on that, we want you to be able to compete with Google for the good people.

Ms. Council. I appreciate it. I have three or four resumes I will get to you.

Mr. Farenthold. Did anyone else want to answer that? All right. I will yield back the remainder of my time.

Mr. Hurd. Thank you, Mr. Farenthold. Now I would like to recognize the ranking member for her 5 minutes of questioning.

Ms. Kelly. Thank you again. Ms. Council, as chief information officer, you oversee the activities of VA's $4 billion IT budget and over 8,000 IT employees in support of the VA's mission. Information technology at the VA includes a wide variety of tools and systems that support VA's mission to care for our Nation's vets. Your testimony highlights the creation of the Enterprise Program Management Office, which will host VA's biggest IT programs and help VA meet FITARA requirements. When will the EPMO be fully functional? And how will you ensure the office achieves its desired results?

Ms. Council. The EPMO actually came on February 1, which means that we stood the team up. We are building the program management. We are talking to union about some of the new roles. All those things around people should be fully completed by April 1, as far as the union. But that means we have already started working. We have hired in, out of the Department of Commerce, the head for all of our pillars. As I mentioned, our top four projects are all under VIP. There are 12 core projects in which we are validating every step of the process.
By the end of September, every single project will be working under VIP, which will move us to true agile development. The PMAS process, which people knew about, really was one that focused on waterfall. This will be true agile, and it will reduce our overhead by over 88 percent and increase our ability to deliver by only requiring seven core necessary documents and available to operate at the beginning of the process. All these things should move us into a situation where we deliver every quarter versus every 6 months.

Ms. Kelly. Okay. Information security weaknesses have consistently been found at the VA for several years. FISMA compliance helps ensure Congress and the public that the VA is committed to safeguarding veterans' information and VA data. What are some of the challenges to addressing weaknesses and improving VA's information security programs and practices to comply with FISMA?

Ms. Council. One of the things, as was mentioned by Mr. Arronte, is the length of some of these repeatable issues. The fact is, we had to put a core process in place. We had to talk about the accountability. We wanted to make sure we were fully sourced, resourced, and that we were also fully funded. In addition to not only having a team that is out there remediating, we have put a process in place to ensure that these issues stay fixed. I think that is really important. You can't just have it fixed one time and then when auditors come in, they see the same issues.

So what we have done, one of the other new areas that we have added is quality and compliance. Our quality and compliance includes our risk management. The risk management team will get out in front of all of these issues and actually evaluate have we addressed what we said we would address, do the remediation, be engaged with the IG, and make sure that we are hearing what we need to hear in opening, and that our teams are responding properly.
At the end of an audit, we are now also coming back in after we get the audit findings and coming right back into that same organization. Leaders are being held accountable for any repeatable processes. And in addition, I meet weekly on all security issues with the security top-level pillars to ensure that we continue to make progress. Since my arrival, we have had five reports open. We had 21 total recommendations. We have closed 95 percent of those already for the OIG. For GAO, we had six reports with 12 total recommendations. Fifty-eight percent of those recommendations are closed or requesting closure. Twenty-five percent of them are on target for closure. It is a different level of ownership. It is a different level of accountability. We have stressed that every employee is responsible for security. Since that was the key first thing that I committed to do when we arrived, we have set upon a new way of looking at how we do what we do and how we own it. So our field operations, our information security team, as well as our quality and compliance team, all engage in ensuring that we do not see these material processes continue. Ms. Kelly. Thank you. My colleague asked about building the work force and what you needed. Once you get them in, how hard is it to keep people because of the competition? Ms. Council. I've only been there for 8 months, but I haven't lost anybody. That's a good thing. I will tell you that there were a number of people that were leaving the organization and they stayed, and I appreciated that, because they really want to make this change. This is a mission-driven organization. It is all about the veteran. They know that I am here as an appointee because I want to get this right for the veteran. Fifty-six percent of our employees are vets. They get it. They know the value. So everyone wants to sort of roll their sleeves up and get it right. 
We just have to make sure we have all the key skills that we need to hold all of our contractors accountable as to what they are delivering. Ms. Kelly. Okay, thank you so much. My time is up. Mr. Hurd. I will recognize myself for a couple minutes. Ms. Council, questions to you. In 2009, again, I know this preceded you, the VA abandoned the scheduling improvements it had been working on since 2000 and started over. August 2015, the VA announced it contracted with two companies for a medical appointment scheduling system, the MASS system. And it appears this is like the third try in 15 years at addressing scheduling issues in the VA. Again, I recognize that of that 15 years, you have only been there for 8 months. What is the current status of the MASS project? Ms. Council. There were two parallel processes going on for scheduling. MASS was one, and then there was also a mobile product being developed called VAR, and also updates to VistA called VSE. VSE and VAR will start rolling out next month in April nationally. They have been piloted. They basically allow the ability to change our scheduling processes. The current scheduling system is something from--you mentioned COBOL. This is probably from the 1960s. If you could look at it, you will see that it shows the green screen and then also you'll see that it's an old dot-matrix screen that also doesn't allow people to really know what they are leading to. The VAR and the VSE addresses this. So far, 95 percent of the users like the new product. And the idea was that if these could not deliver, that we would have through MASS, which was an IDIQ contract, an ability to move forward. MASS has been put on hold until the Deputy Secretary looks at these new products. Right now, if these new products roll out fine, we will stay with those new products. The $624 million aligned with MASS. It was never to spend up to that level. Since it is an IDIQ, it is a task order kind of contract. 
So it was there to support, if these did not work. But we will be rolling out in April with both of those products, one mobile and one into the system. Mr. Hurd. So if VSE and VAR work, we are not going to MASS? Ms. Council. They are working today, and if they fully meet our needs--and I think there is also the misnomer on MASS. MASS also includes a workflow and a scheduling capability of room, so it was a much broader look. We wanted something for scheduling right away. And right now, VSE and VAR seem to meet the needs. Mr. Hurd. So are Epic and Systems Made Simple? Are they involved in the VAR and VSE? Or were they to be involved in MASS? Ms. Council. They actually are part of the MASS contract. Mr. Hurd. So the folks that are implementing VSE and VAR, are any of them involved in the previous attempts by the VA to do scheduling? Ms. Council. Based on the information that we have, no, that would not be the case. Mr. Hurd. I find that a very good thing. If VSE and VAR are ultimately working, we are going to keep that and it is not potentially going to be grounded by any commercial off-the-shelf systems, correct? Ms. Council. Not at this time. That is part of the reason why we are looking for a digital health platform. The fact is, as you mentioned in your opening remarks, our need to really understand where we need to go for the next 25 years means we really need to make a hard decision and start to think about what we have to do for Care in the Community, what we have to do for ACA, what we have to do for the number of women veterans and make it much more fluid. Dr. Shulkin, who heads up the VHA, and myself are really just not affecting what we're doing with VistA because VistA 4 is scheduled and it is working, and it is going to roll out as planned into 2018. But to really say, what's the next level of platform? Who should we partner with? How do we make this happen? 
We are looking at the work with the DOD to see what they've learned and taking that information and also leveraging it. And we're meeting with industry experts to ensure that what we have in place, what we leave behind when we move on, the next set of leaders can take and move forward with. Mr. Hurd. My last question before we get to Mr. Connolly, how many clinics are currently in this test program using VSE and VAR, rough estimate? Ms. Council. This is my account manager at VHA, a new function. This is rolling out to 10 core as the pilot, and then based on those pilot feedback, it will be going out to the Nation. Mr. Hurd. I would love to know the 10 places it is going, because I would be interested in hearing how it is going from them. With that, I would like to recognize the distinguished gentleman from the great State of Virginia, Mr. Connolly, for his 5 minutes of questions. Mr. Connolly. I thank the chairman from the great State of Texas. Welcome to the panel. Ms. Council, the VA earned a C rating in the initial scorecard for compliance for FITARA, which actually was one of the higher grades. I would be interested in hearing from you why you think you got, relatively speaking, such a good grade as the baseline. But within that grade were other categories. In data center consolidation, for example, you got an F. So I wonder if you would, A, just talk a little bit about what your view being relatively new on compliance with FITARA and how FITARA is hopefully a benefit from your point of view, and then secondly, what are you doing about that F in data center consolidation? Ms. Council. The FITARA process, at this point, we have put in key processes with the EPMO that I mentioned to you as well as we are doing quality compliance, how we are going about many of the new abilities in data management, which will move us by the end of the year to close to 100 percent on the FITARA. We are excited about it. I use it as a guidepost. 
It allows us to really take ownership and hold ourselves accountable for the capabilities that have been put in our hands by having this legislation. The data center consolidation that you mentioned, we actually reviewed our plan yesterday that, by 2019, we will have eliminated 70 data centers. The other data centers will be eliminated through the use of the cloud, through consolidation of various data processes, and elimination of certain legacy systems. So that is in process. We are excited because if we can hit everything that we plan on in 2016, we will be the premier governmental agency in FITARA. Mr. Connolly. Wonderful. Your aide held up a chart a little while ago on scheduling appointments. Did I understand your answer to the chairman's question was that we are actually still using systems that go back to the 1960s to make scheduling appointments in the VA? Ms. Council. I think it is more the late 1970s. Mr. Connolly. Late 1970s. The Mary Tyler Moore era. Ms. Council. Yes. Mr. Connolly. All right. As opposed to the earlier Dick Van Dyke era. Ms. Council. Exactly. Mr. Connolly. Got it. How vulnerable are those systems to cyberattacks? Ms. Council. Last year, I think we blocked something like a 160 million malware attacks in our department. Mr. Connolly. Wow, 160 million. Ms. Council. Yes, sir. We continue to have a defense in-depth capability that we now have reinforced. We are partnered with DHS in a number of key areas and have been very aggressive with moving into some new capabilities. One of the things that we are always concerned about are any kind of breaches or any concerns with that. What we find is that even in those cases, most of our situations are mailings, information that goes out that shouldn't have gone out to someone in the wrong way. We also report all of those into the IG. We are aggressive about that, and we will continue to be vigilant. You must be in this kind of space. Mr. Connolly. 
I was looking at my own opening statement for today's hearing. In just the last 3 years, the cost to operate and maintain your top four mission-critical legacy IT systems jumped by more than 100 percent for one system and 50 percent for the other three. Is that correct? Ms. Council. We will come back to you on that number. I don't know it exactly. Mr. Connolly. Anyone on the panel that can corroborate those? I'm obviously not Donald Trump. I didn't make that up. [Laughter.] Mr. Connolly. Oops. Sorry, Mr. Chairman. Okay, well, please corroborate. But the reason I cite it is it is indicative of the plight you all have. It is not just trying to maintain legacy systems. It is spending about 80 percent of what we have doing that. It is that the costs get higher every year. And some of these systems cannot be encrypted and are extremely vulnerable. Now, some of them apparently are in the beyond-encryption period, and the Chinese don't know how to hack into them. I am told COBOL is one of those categories, Mr. Chairman. So it may have a redeeming unintended consequence. But the costs are very high. I assume that in your IT budget, most of it is probably spent not on new investments to upgrade services and move to the cloud while at the same time protecting yourself from cyberattacks, 160 million a year, but it is to maintain these legacy systems. Ms. Council. To your point, that is one of the reasons that we are looking to move much of the older legacy processes outside of the data center into a cloud process, as well as eliminate them. So the way you eliminate them is by having a real software development lifecycle and really going aggressively after getting those legacies out. We have in our budget about $18 million this year on getting some of these out. We are also putting in a CMDB. A CMDB is a configuration management database. When you can't see it, and you don't know who owns it, and you don't know how much of it you have, the conversations are very hard to have. 
This is going to allow the team to be able to have the conversations and say all of this redline can get out, we don't need it anymore, or we have another strategy on how we can aggressively address it. It is a great opportunity for the team. We are going after that, and we hope we will have the CMDB in place by the end of this year. Mr. Connolly. Mr. Chairman, my time is up, but something you and I talked about, which is we want to find, on a bipartisan basis, ways to incentivize agencies to be able to reinvest in themselves when they identify these savings, and I look forward to as a follow-up to this hearing and others to try to be able to do that. And, of course, Ranking Member Kelly as well. Thank you. Mr. Hurd. Thank you. The chair notes the presence today of Congressman Seth Moulton of Massachusetts. We appreciate your interest in this topic and welcome your participation. I ask unanimous consent that Congressman Moulton be permitted to fully participate in today's hearing. Without objection, so ordered. And now I recognize the gentleman from Massachusetts for 5 minutes. Mr. Moulton. Thank you, Chairman Hurd, for inviting me to this important hearing. This is important because I think our veterans have earned the best health care in the world, and that should be the standard that we are trying to meet. I get my health care from the VA as a Member of Congress, and I can tell you that I have seen the good and the bad. I have gotten some fantastic doctors. I had to have surgery back in January and the anesthesiologist and the surgeon who took care of me were incredibly talented. They didn't have to be at the VA. They were there because they wanted to take care of veterans. I felt very comfortable in their care. And then the pharmacy sent me home without the right medications. There is a veteran in my office named Dennis who gets his care at the VA as well. And he was trying to make an appointment a few weeks ago and couldn't get through on the phone system. 
Someone else in my office said, you know, you should take a video of this, and the video went viral on Facebook. Here are some of the comments that we have received on my Facebook page about this video from veterans across the country. This one from Walcott, Arkansas: ``I can tell you this is for real. It happens every time I call. I usually give up and drive to the clinic 18 or 20 miles away so I can talk to a person face-to-face.'' From El Paso, Texas: ``This is exactly what happens every time you try to call for an appointment or even general information about an existing appointment. This is exactly why lots of us vets end up giving up on the system.'' From Colorado Springs: ``Finally, a video that shows the frustrations of this process.'' And from Philadelphia, Pennsylvania: ``The longest I have been on hold with the VA was an hour and 45 minutes before I gave up.'' Finally, from Faribault, Minnesota: ``I can't count the times this has happened to me. It's enough to make you want to throw the phone through the wall.'' So while many have said that they get excellent care once they get into the system, as has been my experience as well, sometimes simply getting access to the system is a real problem. I know the VA is making progress. I met with the Secretary earlier this week, and I am inspired by his leadership, by the private sector innovation that he is bringing to the organization. But I don't think we have gone far enough. And it doesn't make sense to me that when people in the private health care system can have access to better scheduling applications, they are not available to veterans. If our standard is that veterans deserve the best health care in the world, because that is what they've earned, then they should have access to these systems as well. So that is why, Mr. Chairman, I have introduced the Faster Care for Veterans Act with my colleague and friend, Representative Cathy McMorris Rodgers of Washington. 
This bill would create a pilot program for the VA to try some of these private sector scheduling programs, currently available technology, and give access to that technology to veterans. That is the kind of care that I think all of us who use the VA system deserve. And while it seems that the VA is focused on developing their own solutions at great costs and taking enormous amounts of time, it is frustrating to us that we see our friends and colleagues in the private sector using these applications and systems available today. So with that, I would like to ask Chairman Hurd if I can submit a few questions for the record, and I thank you for inviting me here today. Mr. Hurd. I would like to now recognize Mr. Farenthold from Texas, again for 5 more minutes. Mr. Farenthold. Thank you very much. Mr. Moulton hits on an issue. Mr. Hurd. I'm sorry, Mr. Farenthold. Will you yield for one second? I would like to submit for the record two statements, one from the Iraq and Afghanistan Veterans of America, the other one from the American Legion, to illustrate some of the points that Mr. Moulton made. Without objection, I ask unanimous consent to introduce them into the record. Without objection, so ordered. Mr. Hurd. Thank you, sir. Mr. Farenthold. Thank you, Mr. Chairman. Ms. Council, as CIO, the difference between a computer and telephone is basically vanishing today. Does the telephone system fall under your jurisdiction or your leadership as well? Ms. Council. Currently, we provide the network capability, but we do not manage the phone contact centers or the contracts of those contact centers. The issues that are mentioned there, however, we are aggressively working with the new leadership. We have a new leader who put the 311 process in Philadelphia together, who is now coming in. We are making sure that we have the best capability. 
I also know that in that particular circumstance that was raised, that vendor who had voicemail now has had the contract updated and there is no voicemail in that process any longer. So we support it. We are working with them directly. I actually meet with that contact center so that we can ensure that we have the best infrastructure to move us forward more aggressively. Mr. Farenthold. I understand. This is a call center issue. This is not rocket science. This is technology every company of any size has complete with the ability for overflow calls to potentially go to people's homes or cell phones. We talked about the case of scheduling appointments. There are also tragedies associated with calls being dropped or being sent to a voicemail system that some people didn't even know existed on a suicide prevention hotline. I would encourage you to work closely with those vendors because, again, I think the line between the IT system and the telephone system really isn't a line anymore, and we ought to be able to use the technology to make sure that no veteran calling for help with suicide has to wait on hold or have their call lost in voicemail. I'm going to shift gears a little bit. I spend a lot of time in casework. About 70 percent of the casework I do in the district offices that I have in Texas is VA related. Of all the entire government, 70 percent of our complaints and problems are with the VA. Some folks in the VA need to be kind of hanging their head in shame on that one, I think. We are spending a lot of time in our office trying to get doctors to work with the VA, see veteran patients under the voucher system or Veterans Choice, and we talked in the first round of questions questioning that you all are working at modernizing that payment system. But what can we do now? I mean, is there anything that can be done now to get the doctors paid quicker so they will see our veterans again? The local VA can say, here is help in filling out the forms. 
Here is how you fill them out right. If it takes too long, call us and we will try to push it through. But you shouldn't have to call a senior person in the VA or call my office to have my red tape cutter call the VA. First off, when will it be fixed? And until then, is there anything we can do to improve the situation? Ms. Council. I actually will be happy to get some information to you. One of the things about IT, if we really want to be good, we have to know what our business partners are doing. So I know that Dr. Shulkin and Dr. Bally are working very strongly to figure out ways that we can pre-pay for certain things, that we can expedite this process. It is all part of our access process that we need. We are also looking at proof of concepts around doing some things in the cloud with urgent care and telehealth with urgent care so we can see people the same day, in many cases. So I will be happy to get some information back to you exactly what they're doing. But I know we are aggressively making some decisions and prepaying in some cases, so that this is not the problem. Mr. Farenthold. We worked really hard in Congress to get the Veterans Choice program implemented and provide quick care for veterans. But if you guys can't deliver on paying the doctors, then they don't want to see them. Obviously, a lot of that is contracted out. You have different contractors, but we have to find a way to get this done because there is no point fixing these laws, if you guys can't execute them and do that. So I definitely encourage you to do that. Finally, we talked a little bit about some of the older systems, your email system, some Windows XP. Do you have a dollar figure on how much it is costing to contract for beyond-lifecycle support on that? Ms. Council. I do not, but I can get you that information. Mr. Farenthold. All right. 
It would be interesting to look at comparing how much we are paying for that extended support versus how much it would cost to have somebody come in and upgrade an off-the-shelf product that pretty much any decent system integrator in the country ought to be able to put in. So I see my time is up. I appreciate your commitment. I wish I saw the successes that I hear in your voice reflected at the local level. I am waiting expectantly for that to trickle down, so our veterans don't have to wait for the care that they need. Thank you. Mr. Hurd. Mr. Arronte, do you have any insight on that last question Mr. Farenthold asked about the percentage of how much it costs? Mr. Arronte. No, sir. We don't. Mr. Hurd. Okay, thank you. I would like to recognize Ms. Kelly for an additional 5 minutes. Ms. Kelly. How do the projects and programs developed by 18F USDS integrate with other VA systems? Ms. Council. The GSA 18F group is I think what you're referring to. We have a digital team that works with us. We actually have one that is doing vets.gov as well as our case appeals modernization. We are actually meeting with Assistant Secretary Duncan at the EPA and their digital service person to find out how they are using 18F to see if we also have some opportunities where we can leverage them as well. Ms. Kelly. What steps are taken to ensure that conflict of interest protocols are in place before work by 18F and USDS employees begin at the VA? Ms. Council. At this point, I will come back to you on that. Most of those people are hired as Schedule A on the digital services team. We do not have any 18F people at this point, but we do have digital service folks who come in on schedule A, which is about a 2-year, maybe 3, but mostly 2-year expectation. I will come back to you and let you know if there are any conflict of interest forms. Ms. Kelly. And how are the activities of 18F and USDS audited by the VA? Ms. Council. The digital service teams are part of the IT team. 
We manage their work just like any other employee. Their processes, their systems, they have to adhere to every single process that any other employee has to adhere to. They are not set separate. Ms. Kelly. Do you have any comments about that? Mr. Arronte. No, ma'am. Ms. Kelly. Okay. I yield back the balance of my time. Thank you. Mr. Hurd. Thank you. I am going to recognize myself for 5 minutes. Mr. Arronte, what are your thoughts on the decision to pursue VAR and VSE and put MASS on hold? Mr. Arronte. I'm going to turn it over to the subject matter expert to discuss. Mr. Hurd. Mr. Bowman? Mr. Bowman. Obviously, VA has had some history of trouble with their scheduling systems, so changes need to be made. I think the question is whether or not they're worthwhile investments and whether or not they're going to have an immediate impact to help with the scheduling. So pursuing these makes a lot of sense, but whether or not you're going to see an immediate impact, that is really the question. Mr. Hurd. Ms. Council, what immediate impact do you think you are going to see with the deployment of VSE and VAR? Ms. Council. The usability of the systems is just so much better than what is currently available. We will make sure we send you the depiction. When you see what is currently available, you will get it right away. I think once I saw that, I understood the difficulty in having to move from screen to screen to check on things to schedule an appointment. Mr. Hurd. So I am still trying to wrap my head around all this. Why pursue this versus trying to get something off-the-shelf that you could possibly deploy a little sooner, especially if we had $624 million available for that? Am I not understanding this correctly? Ms. Council. 
I won't speak on behalf of the Deputy Secretary, but the way it was explained to me was they wanted to make sure that we were going to do something with scheduling, and we didn't want to necessarily believe that if we created it here, we couldn't leverage a piece of software--which by the way, MASS is Epic software. So the real question is, we were going to do one or the other, and I think what we found is that if we just needed pure scheduling and we needed a mobile capability, we were able to create that and integrate it into VistA very simply. But the team had to try it, make it work, and I think they had an heir and a spare and really wanted to make sure we did the right thing on behalf of the veteran in getting this access dealt with. But I do not want to put words in the mouth of the Deputy Secretary, but that is how it was explained. Mr. Hurd. So this was the decision by the Deputy Secretary to pursue VSE and VAR over MASS or some other commercial, off-the-shelf technology? Ms. Council. It was actually with, and then to run a pilot, and then based on the experiential relationship between that software and this one, which one was really best. But when Dr. Shulkin came in, when I came in, we really wanted to move fast. We wanted to get this access going, and we wanted to go with the fastest solution possible. As I mentioned, one of the key things that we have to really take a hard look at is the overall digital health platform, not just DHR, not just continuing to put more money into VistA, but really say we have VistA 4, it is delivering on the things it needs to, it is keeping us in the regulatory responsibility that we have, but what is the new new? What is the thing that we must do to enable the veteran anywhere at any time? That is probably a platform that is newer, a platform that is based on a COTS type of opportunity. But at this point, by June, Dr. 
Shulkin and his team would have assessed what we have laid out as a technical opportunity and come back when we have a solution. Mr. Hurd. So is Dr. Shulkin the one responsible for the policies and procedures and workflow and how they handle a call and handle an appointment? Ms. Council. Yes, sir. Mr. Hurd. Because ultimately, you are not responsible for scheduling. You are responsible for providing a platform in which other elements of the VA handle this, correct? Ms. Council. Yes, sir. Mr. Hurd. Because, again, I think part of the problem is the processes that are in place and you are delivering a system. And if it's not being used properly, we are going to have problems. Mr. Arronte, do you have any opinions on the implementation of this software and how the other elements of the VA would be able to put the processes in place to ensure they are using this new tool properly? Mr. Arronte. Sir, I think our concern right now is this is new, and so as some of this is still being piloted, we have not conducted any reviews. We plan to, and I'm going to have Mr. Bowman speak about some past experiences. But what is kind of long standing that we have seen with VA, with IT, they are trying to centralize at the headquarters level. I think the field is not always acceptable of that centralization. So sometimes what we see in some of our previous work is, there is a good plan and it looks good on paper, but getting out of the gate and getting it implemented seems to be some of the issues historically. Mr. Bowman. Anytime VA is involved with software development, it seems to be a high-risk venture. Some of the projects that we have looked at, VA tends to go over budget on cost. They seem to not deliver the intended functionality. So I think oversight of this project is essential, especially as it impacts veteran scheduling. VA just does not have a good history of delivering systems on time and within budget. Mr. Hurd. How long, Mr. 
Bowman, have you been part of the IG apparatus looking at the VA? Mr. Bowman. I have been with the IG for over 8 years. Mr. Hurd. So looking back at some of those failures, what would you say were some of the key reasons that those projects failed, with hindsight as a benefit? Mr. Bowman. A theme that comes through is ever-changing requirements. You have the business owners that can't quite decide on what the functionality should be. So there are a lot of changing system requirements, functionality requirements, and that impacts the development time. It encourages rework, systems under development. But until you stabilize those requirements, you are really unable to meet any milestones or stay within project cost constraints. Mr. Hurd. Mr. Arronte, do you have any opinion? Ms. Council, do you have an opinion on what was just stated? Ms. Council. Yes, sir. I think Mr. Bowman is correct when you talk about waterfall. As we moved to agile processing and using ITIL as our processes, you will see a marked difference in how we manage and work with our projects. So for instance, we have implemented what has been called a best practice within the VA around projects and visibility and transparency. All projects on the breakthrough 12, which you might've heard Secretary McDonald speak about, we actually have a governance committee that tracks against those, against resources, schedule, budget, as well as ATO or security. We see them every week. I see them every week. And we also, if an issue was open, be it a business issue or a resource that we have and it goes longer than 10 days, we call a tech stat, which means they come and I'm there, as well as the head of the application area, as well as our CFO, and we make a decision. We are no longer waiting until we get the right requirements and keeping these things going. If it is the kind of work that needs to get done, we have asked the businesses to be prepared to do it. 
With agile, it is a side-by-side, working real-time relationship in the development of the solution. We are looking for a new transformation, and I would not attest to anything that the gentleman mentioned in the past. What I will be excited about is what they see in the future. Mr. Hurd. Amen to that. Mr. Arronte, some of the FISMA violations dating back to 2006: unsecured wireless networks in VA, lack of encryption on sensitive data. Are those two issues that you found that are still problematic? Mr. Arronte. Yes, sir. We have repeat findings and recommendations. Password protection or credentialing, for the last 3 years, they have clearly been repeat findings. VA's enterprise infrastructure is huge, but some of these recommendations, and I think Ms. Council has addressed that, some of them I think are fairly simple to fix. Mr. Hurd. Yes. For example, Ms. Council, unsecured wireless networks in VA sites, how do you go about fixing that and getting compliant with that in the next few months? Talk me through the process on why something like that takes a while to do. Ms. Council. I think at times it probably took longer than it should have. We now have the same assessing software that the IG has, so that we are looking at things in the same way. We make sure that we remediate early and often. We are tracking to those metrics, and we are actually going to grab all those metrics and make sure that we can also depict them out into the organization. One thing that was just mentioned was the field. In this transformation, we are also reorganizing for the first time what we do in the field. We are putting in a new help desk. We are reassessing and putting in service-level agreements with all of our customers. 
We also will have customer relationship managers out in the field that will actually go across all the businesses to understand, is IT doing what it needs to do, and do we have situations where our business partners might need some opportunity in helping them understand how to have a more secure environment? We are, in addition, laying out a very different way on how we look at how we do services and what people are held accountable for. In addition, every goal that relates to our strategy is being cascaded into the leader's goals and expectations for the year. So for us, we recognize exactly what we are hearing is not acceptable. We know now that 95 percent of the things that we used to be in what we call our tick are now covered. Those 5 percent are more linkages between the VA and maybe university and third partners, but even that we need to provide some solutions to. And Brian and his team are doing that.
Mr. Hurd. So I think this is my final question. Moving the Email as a Service, why hasn't that been done before? I ask that question really to leverage your experience and vision as a tool to work with some of your peers in other departments. It seems so simple. It seems so basic. Why hasn't it been done before?
Ms. Council. I appreciate the question, because my new Principal Deputy, Ron Thompson, who came from HHS is actually spearheading that new contract. Email as a Service will be our first move, and that should happen in the next 60 days or so, the finalization of that. We are working with GSA and really trying to get in the FedRAMP kind of environment. We feel that if VBA can participate, we can actually make it good for everyone because of our size, but also leveraging the solutions that are already out there. So we are looking at those vehicles and moving into them, and the first one is Email as a Service.
Mr. Hurd. Great. You mentioned earlier enterprise cybersecurity strategy. We would love to have a copy of that, if possible.
Ms. Council.
No problem.
Mr. Hurd. The committee would love to have that. As Congressman Farenthold mentioned, all of us in Congress are dealing with veterans' issues and the lack of service and their frustrations. I think you recognize the importance of your role, because you and your team and OI&T can really be the units that transform how the VA delivers a service. I appreciate your vision. I hope we have you around long enough in order to see that vision come through. And know, on the employees and making sure you can hire and retain good employees, we are trying to work on ways to make that more flexible. We are trying to work on ways on how IT procurement can be streamlined so you can move quicker. My friend Colonel McSally, Congresswoman McSally, always says the bad guys are moving at the speed of light, and we are moving at the speed of bureaucracy. If we can fix that, it will go a long way in order to serve those folks that have been willing to put themselves in harm's way in order to keep us safe at night. So I want to thank you all for being here today. I would also like to thank the ranking member for always indulging my going over time and for her willingness to work together on such an important issue. And thank you for taking the time to appear before us today. If there is no further business, without objection, the subcommittee stands adjourned.
[Whereupon, at 3:14 p.m., the subcommittee was adjourned.]
APPENDIX
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]