VA probes employee access to sensitive data

Measure is one of several to prevent future data losses

Top officials at the Department of Veterans Affairs recently completed an inventory of all employees who have access to the department’s sensitive data and are analyzing the results. VA Secretary Jim Nicholson ordered the inventory after the May 3 theft of a department laptop PC that contained about 26.5 million records on veterans and active-duty members of the military.

The internal inventory assessed employees’ need for sensitive data and how they accessed the information, such as through paper files, electronic databases or virtual private networks. Nicholson did not say how he plans to use the inventory, but the department will likely winnow the number of VA employees who are authorized to access sensitive data.

Nicholson discussed the VA’s reforms for tightening information security and consolidating information technology programs during a House Veterans’ Affairs Committee hearing. At the June 29 hearing, he announced the recovery of the stolen laptop.

Nicholson has ordered a thorough security review of all VA laptops, including the removal of unauthorized data and a review to determine whether encryption programs are necessary. He asked for recommendations on protecting sensitive data.

“I am convinced that, coming out of a very bad situation, we can make the VA a model for data security in the government and in the country,” Nicholson told the committee.

Despite lawsuits by several veterans groups and grievances filed by labor unions, he said, the VA is moving ahead with steps to tighten internal security, centralize the IT programs of the department’s three administrations and help veterans affected by the data theft. The critics say the VA’s proposed IT centralization plan violates collective bargaining agreements.

Last month, Nicholson established the VA information security program, which will establish standards for accessing VA information systems and require officials to report compliance failures or policy violations immediately. He also ordered annual cybersecurity and privacy awareness training for all VA employees.

Nicholson told the committee that the department has hired an independent special adviser for information security, Richard Romley, a former Maricopa County, Ariz., district attorney.

He also announced that retired Adm. Patrick Dunne is working at the VA as a consultant while awaiting Senate confirmation to become assistant secretary of the Office of Policy, Planning and Preparedness.

The staff shakeup included the resignation of Pedro Cadenas Jr., who was acting deputy assistant secretary for IT. Acting Assistant Secretary Dennis Duffy, who was placed on administrative leave after the data theft, has retired. And the unnamed official whose laptop was stolen from his suburban Maryland home remains on administrative leave, VA spokesman Matthew Burns said.

Alan Paller, director of research at the SANS Institute, said providing the VA CIO with greater authority is very important. But Paller added that Nicholson is between a rock and a hard place because “he’ll never have enough resources to meet the unmeetable [security] requirements” set by Congress and secure the VA’s IT systems.

Meanwhile, the VA’s plan to provide free credit monitoring to veterans affected by the laptop theft, at a projected cost of $160.5 million, is on hold. The department “will make a determination about the proposal once it receives information on the results of the FBI’s more thorough forensic examination of the recovered computer equipment,” Burns said.

About the Author

David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is a freelance writer living in Annandale, Va.
