The Situation Report: Is This The New Federal CISO?

Federal CISO Decision Imminent

The Situation Report has picked up strong signals from the Old Executive Office Building that Federal Chief Information Officer Tony Scott has made his final decision on who will be the first Federal chief information security officer and plans to make an announcement as early as next week.

If our intelligence is correct, that would place Scott’s public announcement within about 48 hours of Brian Burns’ last day as CISO at the Department of Veterans Affairs. It was also unusual for Veterans Affairs CIO LaVerne Council to announce Burns’ resignation only from his role as deputy director of the Interagency Program Office (IPO). One would think that if your CISO is moving to another government agency, you might address the fact that you are soon to be without a CISO.

While there is one other viable candidate known to The Situation Report to have been on Scott’s short list, Burns certainly has the chops and the background to be a serious contender.

Burns first entered Federal service in 1997, after a 13-year stint in commercial IT. But his government resume is impressive: He’s held senior IT positions at the Department of Defense, Department of the Air Force, Department of the Navy, Department of Education, Department of the Interior, Department of Health and Human Services, Department of Treasury, and the Internal Revenue Service.

Will Burns be the first Federal CISO? I think there’s a better than 50-50 chance he’s the chosen one.

Veterans Data Breach Report

A VA lawn maintenance worker in Bay Pines, Fla., recently came upon a small pile of documents sitting on the lawn outside the VA facility where he worked. Turns out the papers were a Housing and Urban Development Veterans Affairs Supportive Housing (HUD VASH) Veteran contact list.

The employee responsible for leaving the documents on the lawn has been disciplined, according to the VA report on the incident. However, a privacy violation memo was issued and 103 veterans were notified that their personal information was involved.

Veterans’ personal data seems to be in constant danger at VA, from the lawns in front of facilities to even the highways. Last month, the VA’s Data Breach Core Team opened an investigation into a VA employee who left an envelope full of unapproved claims, billing documents, and tort claims information on the top of a car. The employee then drove off and went home.

The documents were found by an unknown citizen spilled across a section of highway nowhere near the VA facility. The VA sent 28 veterans an offer of free credit protection services.

Of course, things could be worse. A VA facility in Hampton, Va., lost three encrypted hard drives in April. As of the latest security incident report, they remain unaccounted for. VA is not concerned about the drives because they were encrypted. In addition, there were two other similar incidents that took place during the same reporting period, but VA left them out of the report “because of repetition.”

Shadow Cloud

Should Burns get the nod for the Federal CISO post, he will have his hands full when it comes to gaining control of unauthorized government cloud services.

One of my remote Silicon Valley listening posts recently detected a serious disturbance in the Federal cloud computing force. A recent assessment of a major government agency “with very strict cloud usage policies” uncovered more than 3,000 “unique, unsanctioned cloud services” that were being accessed routinely over a three-week period. Some of the things discovered included private storage devices that were used for backing up data, and “hundreds of risky data sharing, collaboration, and social media sites.”

  1. Anonymous
    Burns was only the CISO at VA for 5 months. He took the job from Dan Galik, who was acting, as Dan's background is more Security rather than a CISO. Galik came from Security at HHS, not an IT position. Appears as the VA has some serious issues retaining people in this position. Burns has held 8 different positions in 13 years. Sounds kind of odd, don't you think? Tony Scott, on the other hand, comes from a very impressive background. However, Scott's position is political, so the CIO slot will be vacant come Jan 2017. Basically the CIO lame duck slot and nothing more than a reference for a resume. Mr. Scott led the global information technology group at VMware Inc., a position he had held since 2013. Prior to joining VMware Inc., Mr. Scott served as Chief Information Officer (CIO) at Microsoft from 2008 to 2013. Previously, he was the CIO at The Walt Disney Company from 2005 to 2008. From 1999 to 2005, Mr. Scott served as the Chief Technology Officer of Information Systems & Services at General Motors Corporation.
  2. Anonymous
    If Tony Scott made this decision then the man has lost his ever friggin' mind. Stop and think about why Burns has such a long list of agencies where he has worked - he's always left them with a foot up his backside. Council did not mention his tenure as CISO because she had to relieve him of those duties because the place was in freefall - 150+ expired ATOs with no immediate plan for remediation - only to have everything taken care of by 2018! In fact, this is a new OIG finding for VA! Steph Warren may have been Saddam Hussein, Burns is ISIS. Tony - if you are reading this and this is your choice, for the sake of the country please reconsider!!! Burns will screw up somehow and it will be in spectacular fashion.
  3. Anonymous
    No one should be shocked if this happens. The Federal Government has a history of assigning non-Cybersecurity professionals to senior Cybersecurity roles and then acting shocked when they are unable to perform. Definition of insanity: Doing the same thing over and over and expecting different results. D.W. Stender
    1. Anonymous
      If this is true, then Scott did not do his homework. Dig into Burns' time at Education and you will see the Deputy Secretary at the time pushed him and the CIO off to Navy due to their gross incompetence. This is akin to electing Trump President - a recipe for disaster.
  4. Anonymous
    Today is June 3rd - not April 1st! Tony - please say this is a joke!!!
  5. Anonymous
  6. Anonymous
    Back in the 2000/2001 time frame, Burns was CIO of the Bureau of Indian Affairs (BIA). Security was so bad under his management that he was court ordered to disconnect BIA from the Internet. This was all tied to the Cobell v. Salazar case and the Indian Trust Fund data lawsuit. BIA, along with several other bureaus within Interior, were off the Internet for nearly 8 years! Just Google Brian Burns, Bureau of Indian Affairs, Cobell v. Norton. Around 2006 Burns made his way to the Department of Education as Deputy CIO, hired by his buddy and former IRS colleague Bill Vajda. At this point Burns was, I believe, in the middle of MSPB hearings relative to his performance (or lack thereof) and Vajda threw him a lifeline and pulled him into ED. Because of his massive failure in putting together the Education Enterprise IT Services Contract (EDUCATE), in 2007 he was removed from the Deputy CIO position and put in Special Projects by Education COO Hudson LaForce (former Dell Computers executive). In late 2007 or early 2008, LaForce detailed Vajda to OMB and Burns to Navy. Danny Harris, who was the Deputy CFO, was installed as acting CIO. Vajda was later detailed to ODNI, where he was eventually sent back to Education. He resigned upon his return and moved back to Michigan and became City Manager for Marquette (he has since resigned from that job and is now working for an ice machine manufacturer). Burns was booted from Navy and made his way back to Education, where he was put in an office by himself and basically told to color. He finally made his way to VA and was put in the DoD/VA Integrated Program Office (IPO). He managed to talk his way into the CISO position at VA but after 5 months was moved back to the IPO...and here we are. He has made claims that he was the Education CISO (not true) and has made similar claims about other parts of his professional experience that are also not remotely accurate. Other than a few months as CISO at VA, he has no security experience.
    He is known as a bully, lacks integrity (completely bankrupt), and is grossly disingenuous. He has a history of bouncing (running) from agency to agency, is extremely disruptive and certainly unprofessional. He has been at IRS, HHS, VA, Education, and Interior. His tenure with each organization ended almost always due to subpar performance or some professional misstep. Why the government keeps people around like this is beyond disturbing.
    1. Anonymous
      Correct - Brian Burns was "acting" CISO for 5 months - removed in early April. The author of the article has his facts wrong. Ron Thompson is the acting CISO for VA as of mid-April. Therefore, the VA is NOT losing its CISO!