VA probes employee access to sensitive data

Measure is one of several to prevent future data losses

Top officials at the Department of Veterans Affairs recently completed an inventory of all employees who have access to the department’s sensitive data and are analyzing the results. VA Secretary Jim Nicholson ordered the inventory after the May 3 theft of a department laptop PC that contained about 26.5 million records on veterans and active-duty members of the military.

The internal inventory assessed employees’ need for sensitive data and how they accessed the information, such as through paper files, electronic databases or virtual private networks. Nicholson did not say how he plans to use the inventory, but the department will likely winnow the number of VA employees who are authorized to access sensitive data.

Nicholson discussed the VA’s reforms for tightening information security and consolidating information technology programs during a House Veterans’ Affairs Committee hearing. At the June 29 hearing, he announced the recovery of the stolen laptop.

Nicholson has ordered a thorough security review of all VA laptops, including the removal of unauthorized data and a review to determine whether encryption programs are necessary. He asked for recommendations on protecting sensitive data.

“I am convinced that, coming out of a very bad situation, we can make the VA a model for data security in the government and in the country,” Nicholson told the committee.

Despite lawsuits by several veterans groups and grievances filed by labor unions, he said, the VA is moving ahead with steps to tighten internal security, centralize the IT programs of the department’s three administrations and help veterans affected by the data theft. The critics say the VA’s proposed IT centralization plan violates collective bargaining agreements.

Last month, Nicholson established the VA information security program, which will establish standards for accessing VA information systems and require officials to report compliance failures or policy violations immediately. He also ordered annual cybersecurity and privacy awareness training for all VA employees.

Nicholson told the committee that the department has hired an independent special adviser for information security, Richard Romley, a former Maricopa County, Ariz., district attorney.

He also announced that retired Adm. Patrick Dunne is working at the VA as a consultant while awaiting Senate confirmation to become assistant secretary of the Office of Policy, Planning and Preparedness.

The staff shakeup included the resignation of Pedro Cadenas Jr., who was acting deputy assistant secretary for IT. Acting Assistant Secretary Dennis Duffy, who was placed on administrative leave after the data theft, has retired. And the unnamed official whose laptop was stolen from his suburban Maryland home remains on administrative leave, VA spokesman Matthew Burns said.

Alan Paller, director of research at the SANS Institute, said providing the VA CIO with greater authority is very important. But Paller added that Nicholson is between a rock and a hard place because “he’ll never have enough resources to meet the unmeetable [security] requirements” set by Congress and secure the VA’s IT systems.

Meanwhile, the VA’s plan to provide free credit monitoring to veterans affected by the laptop theft, at a projected cost of $160.5 million, is on hold. The department “will make a determination about the proposal once it receives information on the results of the FBI’s more thorough forensic examination of the recovered computer equipment,” Burns said.

About the Author

David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is freelance writer living in Annandale, Va.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group