[ISN] Bill would transform VA cybersecurity

From: InfoSec News (alerts@private)
Date: Tue Jul 18 2006 - 22:20:33 PDT


By Mary Mosquera
GCN Staff 

The House Veterans Affairs Committee has drafted legislation to accelerate 
improvements in information security at the beleaguered Veterans Affairs 
Department following the loss of sensitive data belonging to millions of 
veterans, reservists and active-duty service members.

The committee will mark up the proposed Veterans Identity and Credit 
Protection Act of 2006 on Thursday, with plans to send it to the House 
floor next week, said committee chairman Steve Buyer (R-Ind.).

The legislation would incorporate many of the changes in VA IT security 
that federal overseers and industry have recommended in several recent 
hearings following the data loss in May. The FBI and local law enforcement 
have since recovered the notebook PC and external hard drive and have 
indicated to VA that no data was accessed.

At the same time, the General Services Administration told the committee 
it has initiated a blanket purchase agreement specifically for credit 
monitoring services for federal agencies so they can respond to potential 
data compromise quickly and effectively.

GSA last week invited 21 contractors from its Financial and Business 
Services Schedule to compete for multiple blanket purchase agreements to 
provide three levels of credit monitoring depending upon the risk, said 
Jim Williams, commissioner for GSA's Federal Acquisition Service. Ordering 
agencies will be able to select the most appropriate level of credit 
monitoring services.

"Federal agencies do not have the luxury of time to embark upon a prolonged 
procurement process of their own," he said.

Responses to the BPA request are due Monday. Besides credit monitoring, 
GSA expects contractors will provide applications to detect early signs of 
fraudulent activity and identity theft, services for reporting lost or 
stolen Social Security numbers to the three national credit bureaus, and 
for requests for fraud alerts and statements on all credit files.

GSA plans to make awards in August and expects several agencies to begin 
placing orders immediately, Williams said.

Lawmakers hope the legislation could be implemented quickly to prevent 
some of the situations that would require those credit monitoring 
services. VA should be able to implement the provisions of the bill within 
six months, said John Gauss, a former VA CIO and currently president of 
FGM Inc. of Reston, Va.

"You could use this as a model and move it out to other agencies as quickly 
as possible," he told the committee.

When Gauss was CIO, he convinced the secretary to centralize the IT 
environment but it got dragged down in the department concurrence process, 
he said.

"I am an advocate of change, even if there is collateral damage in the 
beginning. Otherwise, the advocates of no change will drag this out. It's 
time to strike and strike fast," Gauss said.

Among its proposals, the VA cybersecurity bill would make the department 
CIO also the undersecretary of information services, which would give the 
position a seat at the executive table with the other undersecretaries who 
lead VA's health, benefits and burial administrations.

The bill would also create the Office of the Undersecretary for 
Information Security, which would contain three deputy undersecretaries 
for operation and management, policy and planning, and security. The last 
undersecretary would also serve as the department's senior information 
security officer. It also details response to data breaches, risk analysis 
and notification and credit monitoring services for those affected.
