By Mary Mosquera
The House Veterans Affairs Committee has drafted legislation to accelerate
improvements in information security at the beleaguered Veterans Affairs
Department following the loss of sensitive data belonging to millions of
veterans, reservists and active-duty service members.
The committee will mark up the proposed Veterans Identity and Credit
Protection Act of 2006 on Thursday, with plans to send it to the House
floor next week, said committee chairman Steve Buyer (R-Ind.).
The legislation would incorporate many of the changes in VA IT security
that federal overseers and industry have recommended in several recent
hearings following the data loss in May. The FBI and local law enforcement
have since recovered the notebook PC and external hard drive and have
indicated to VA that no data was accessed.
At the same time, the General Services Administration told the committee
it has initiated a blanket purchase agreement specifically for credit
monitoring services for federal agencies so they can respond to potential
data compromise quickly and effectively.
GSA last week invited 21 contractors from its Financial and Business
Services Schedule to compete for multiple blanket purchase agreements to
provide three levels of credit monitoring depending upon the risk, said
Jim Williams, commissioner for GSA's Federal Acquisition Service. Ordering
agencies will be able to select the most appropriate level of credit
"Federal agencies do not have the luxury of time to embark upon a prolonged
procurement process of their own," he said.
Responses to the BPA request are due Monday. Besides credit monitoring,
GSA expects contractors will provide applications to detect early signs of
fraudulent activity and identity theft, services for reporting lost or
stolen Social Security numbers to the three national credit bureaus, and
for requests for fraud alerts and statements on all credit files.
GSA plans to make awards in August and expects several agencies to begin
placing orders immediately, Williams said.
Lawmakers hope the legislation could be implemented quickly to prevent
some of the situations that would require those credit monitoring
services. VA should be able to implement the provisions of the bill within
six months, said John Gauss, a former VA CIO and currently president of
FGM Inc. of Reston, Va.
"You could use this as a model and move it out to other agencies as quickly
as possible," he told the committee.
When Gauss was CIO, he convinced the secretary to centralize the IT
environment but it got dragged down in the department concurrence process,
"I am an advocate of change, even if there is collateral damage in the
beginning. Otherwise, the advocates of no change will drag this out. It's
time to strike and strike fast," Gauss said.
Among its proposals, the VA cybersecurity bill would make the department
CIO also the undersecretary of information services, which would give the
position a seat at the executive table with the other undersecretaries who
lead VA's health, benefits and burial administrations.
The bill would also create the Office of the Undersecretary for
Information Security, which would contain three deputy undersecretaries
for operation and management, policy and planning, and security. The last
undersecretary would also serve as the department's senior information
security officer. The bill also details response to data breaches, risk
analysis, and notification and credit monitoring services for those affected.