VA’s Baker: Commercial software is often the best option

The Veterans Affairs Department will continue building out its software systems with commercial products and cloud services rather than trying to develop things in-house, VA CIO Roger Baker said in a keynote address at the Management of Change conference May 17.

"I'm not going to build the next application," he told the ACT/IAC conference in Hot Springs, Va. "I am convinced that the government cannot build a better Facebook or e-Bay" than the private sector can.

The VA could add proprietary software to its open-source systems if that meets the needs of the department, he added.

He said that as technology has matured, the government's needs have become, by and large, less unique and therefore less dependent on creating its own technology. When developing a solution, it’s increasingly common to find a commercial offering that can do almost everything the agency needs, at which point agencies usually can find ways to work around the rest – if they are willing, he said.

Baker recalled one incident when he found a commercial package that could meet 80 percent of the stated requirements for a project, but the manager in charge insisted the solution must meet all the requirements.

"I said, well that was your requirement last time and you got zero percent of your requirements over the past 10 years," Baker said. "Would you rather have zero percent or 80 percent?"

However, when accepting products from the private sector, Baker said it is a CIO's responsibility to ensure that they are secure and will keep sensitive information out of unauthorized hands.

"We don't go down the path of 'we want to look at all your code,'" he said, in response to an audience member's question. "We're interested more in where the data is going to be stored. When you store it, are you encrypting it."

Looking at source code isn't effective, he said. "If you're a good hacker, you can bury a hack deep enough in the code that a cursory examination" won't find it.

About the Author

Technology journalist Michael Hardy is a former FCW editor.


Reader comments

Mon, Jan 21, 2013 Chris Northern California

Having helped SAIC win DoD CHCS-1 and worked for the VA at a hospital and a VA Office of Information doing VistA support for the VA, it is very clear that to try to fit the point of care into a centralized solution is a very real mistake. The people at the point of care have to have significant input to the enhancement of the software; this is critical for the staff to accept the package. If it is forced on them it will not be successful. The VA has a number of hard-won pieces of wisdom, "When you have installed one hospital, you have installed one hospital." The next one will be different. They also have a saying, "Ready!, Fire!, Aim!", which points out that hindsight is 20/20. Until the attempt is tried, you can't help make it right. VistA was made to be enhanced, and this is why it is still here 35 years after the VA personnel have written it. The people at the point of care have new realities to deal with and it takes cooperation between the care personnel and the developers. How many commercial developers spend time in the hospitals where their software is being used? VA developers have to live with their users and that makes all of the difference. It is hard, but the results are unbeatable.

Wed, Jun 22, 2011 Anonymous

I disagree totally. Time has shown that the VA can produce quality software that is way ahead of commercial software. Only the VA knows how the VA does business. When the VA starts putting software into other hands, it ends up being a mish-mash of programs, none of which can communicate with the others and which have many problems, among which are security. That is why SSA, DOD and others cannot communicate. The problems with the VA are a result of people who have never been in the field making critical decisions.

Tue, May 24, 2011

I disagree with Jim's comments. In a military tactical environment, COTS medical systems can easily be adapted to that environment. Documenting healthcare is the same everywhere. The only difference is that in a tactical environment you are working with restrictive communications infrastructure, regulatory requirements governing the use of wireless devices and austere conditions. The latter can be mitigated through "hardening" the devices used. Regulatory requirements should be reviewed and updated to incorporate the new capabilities the application provides.

Wed, May 18, 2011 TR Virginia

Bravo Mr. Baker. As an example, how can we justify development and upkeep for a GOTS FDCC/USGCB (SCAP) scanner? The commercial market offers tons of them and many are give-aways included with other products the government already owns or is buying.

Wed, May 18, 2011 Jim

Maybe this works in the VA, but it doesn't play so well in the DoD. I suspect there are a lot of commercial medical systems out there, but not so much for the military. In my experience in the DoD, COTS works well for standard desktop systems and the infrastructure, but when the requirements for military systems are laid on the table, well, finding COTS that met 80% of the requirements would be amazing. There is little choice but to build.
