A Government Accountability Office (GAO) official said on Sept. 16 that the Department of Veterans Affairs (VA) is taking action on several major IT modernization and cybersecurity issues that GAO has flagged in recent years, but that the agency still has a lot of work to do to address many of them.
Carol Harris, Director of Information Technology Management Issues at GAO, offered her organization’s assessment of VA’s progress on those issues in testimony prepared for a hearing of the House Veterans Affairs Committee’s subcommittees on Economic Opportunity and Technology Modernization.
Harris recapped GAO findings delivered to VA over the past several years on efforts to modernize its VistA electronic health records system, a system for the agency’s Family Caregiver Program, and the Veterans Benefits Management System (VBMS) that collects and stores data to process disability benefit claims. She also reviewed prior GAO findings on VA implementation of FITARA (Federal Information Technology Acquisition Reform Act), and on cybersecurity issues.
Noting that GAO has provided VA with numerous recommendations for improvement in each of those areas, Harris’ report concludes that “VA has generally agreed with the recommendations and has begun to address them.”
But a detailed break-out in the report on each of those areas sheds light on how much farther VA has to go in each of those areas.
Providing updates on each of the major IT projects, Harris reported:
- “VA recently deployed a new scheduling system as part of its fourth effort to modernize VistA and the next deployment of the system, including additional capabilities, is planned in October 2020”;
- Regarding the Family Caregiver Program, VA as of late 2019 had not yet implemented a new supporting IT system, and had not fully committed to a date by which it would certify that the new IT systems supports the program; and
- In the case of VBMS, as of September 2020 VA had only implemented one of the five recommendations GAO made to complete development and implementation of the system.
On the FITARA front, Harris called VA’s progress “uneven.” She said the agency has made progress on improving software licensing and data center closures, but only limited progress on addressing IT investment risk management and CIO authority enhancement. “Until the department implements the act’s provisions, Congress’ ability to effectively monitor VA’s program and hold it fully accountable for reducing duplication and achieving cost savings will be hindered,” she said.
Finally, Harris said in her testimony that GAO since 2016 has reported that VA faces challenges for implementing the Federal approach and strategy for securing information systems, implementing security controls and establishing elements of its cybersecurity risk management program.
“GAO’s work stressed the need for VA to address these challenges as well as manage IT supply chain risks,” she said. “As VA continues to pursue modernization efforts, it is critical that the department take steps adequately secure its systems,” she said.