VA’s Baker: Commercial software is often the best option

The Veterans Affairs Department will continue building out its software systems with commercial products and cloud services rather than trying to develop things in-house, VA CIO Roger Baker said in a keynote address at the Management of Change conference May 17.

"I'm not going to build the next application," he told the ACT/IAC conference in Hot Springs, Va. "I am convinced that the government cannot build a better Facebook or e-Bay" than the private sector can.

The VA could add proprietary software to its open-source systems if that meets the needs of the department, he added.

He said that as technology has matured, the government's needs have become, by and large, less unique and therefore less dependent on creating its own technology. When developing a solution, it’s increasingly common to find a commercial offering that can do almost everything the agency needs, at which point agencies usually can find ways to work around the rest – if they are willing, he said.

Baker recalled one incident when he found a commercial package that could meet 80 percent of the stated requirements for a project, but the manager in charge insisted the solution must meet all the requirements.

"I said, well that was your requirement last time and you got zero percent of your requirements over the past 10 years," Baker said. "Would you rather have zero percent or 80 percent?"

However, when accepting products from the private sector, Baker said it is a CIO's responsibility to ensure that they are secure and will keep sensitive information out of unauthorized hands.

"We don't go down the path of 'we want to look at all your code,'" he said, in response to an audience member's question. "We're interested more in where the data is going to be stored. When you store it, are you encrypting it."

Looking at source code isn't effective, he said. "If you're a good hacker, you can bury a hack deep enough in the code that a cursory examination" won't find it.

About the Author

Technology journalist Michael Hardy is a former FCW editor.

Reader comments

Mon, Jan 21, 2013 Chris Northern California

Having helped SAIC win DoD CHCS-1 and worked for the VA at a hospital and a VA Office of Information doing VistA support for the VA, it is very clear that to try to fit the point of care into a centralized solution is a very real mistake. The people at the point of care have to have significant input to the enhancement of the software; this is critical for the staff to accept the package. If it is forced on them it will not be successful. The VA has a number of hard-won pieces of wisdom, "When you have installed one hospital, you have installed one hospital." The next one will be different. They also have a saying, "Ready!, Fire!, Aim!", which points out that hindsight is 20/20. Until the attempt is tried, you can't help make it right. VistA was made to be enhanced, and this is why it is still here 35 years after the VA personnel have written it. The people at the point of care have new realities to deal with and it takes cooperation between the care personnel and the developers. How many commercial developers spend time in the hospitals where their software is being used? VA developers have to live with their users and that makes all of the difference. It is hard, but the results are unbeatable.

Wed, Jun 22, 2011 Anonymous

I disagree totally. Time has shown that the VA can produce quality software that is way ahead of commercial software. Only the VA knows how the VA does business. When the VA starts putting software into other hands, it ends up being a mish-mash of programs, none of which can communicate with the others and which have many problems, among which are security. That is why SSA, DOD and others cannot communicate. The problems with the VA are a result of people who have never been in the field making critical decisions.

Tue, May 24, 2011

I disagree with Jim's comments. In a military tactical environment, a COTS medical system can be easily adaptable to that environment. Documenting healthcare is the same everywhere. The only difference is that in a tactical environment you are working with a restrictive communications infrastructure, regulatory requirements governing the use of wireless devices and austere conditions. The latter can be mitigated through "hardening" the devices used. Regulatory requirements should be reviewed and updated to incorporate the new capabilities the application provides.

Wed, May 18, 2011 TR Virginia

Bravo Mr. Baker. As an example, how can we justify development and upkeep for a GOTS FDCC/USGCB (SCAP) scanner? The commercial market offers tons of them and many are give-aways included with other products the government already owns or is buying.

Wed, May 18, 2011 Jim

Maybe this works in the VA, but it doesn't play so well in the DoD. I suspect there are a lot of commercial medical systems out there, but not so much for the military. In my experience in the DoD, COTS works well for standard desktop systems and the infrastructure, but when the requirements for military systems are laid on the table, well, finding COTS that met 80% of the requirements would be amazing. There is little choice but to build.
