The Veterans Affairs Department is splitting up its chief information officer’s position for at least the short term.
Veterans Affairs Secretary Eric Shinseki today removed the acting title from Stephen Warren and named him the agency’s full-time chief information officer. But Warren has not been nominated to be the assistant secretary in the Office of Information and Technology, which is a Senate-confirmed position. An email sent to VA senior executives and obtained by Federal News Radio said, “Effective immediately, and until further notice, Stephen Warren will serve as Executive in Charge, Office of Information and Technology and Chief Information Officer.”
A VA spokeswoman said Warren has served for the maximum 210 days as the acting assistant secretary. The Federal Vacancies Reform Act of 1998 limits how long anyone can serve in an acting position without being nominated for the position to the Senate.
“That time limit expired earlier this month and Mr. Warren’s title changed from acting assistant secretary to executive in charge,” the spokeswoman said. “As the executive in charge of OIT, Mr. Warren meets these requirements and may carry out the duties and responsibilities of the CIO prescribed by law.”
Warren took over as acting assistant secretary for OIT and CIO in March when Roger Baker resigned after four years.
The assistant secretary position now is considered vacant.
Government and industry sources say there could be several other benefits for why the secretary decided to make Warren the permanent CIO. One could be to backfill his position as deputy assistant secretary for OIT and principal deputy CIO.
House committee turns up investigative pressure
Another reason could be to help Warren respond to ongoing investigations from Capitol Hill.
In fact, the House Veterans Affairs Committee confirmed it is continuing its investigation into VA’s cybersecurity practices.
A committee staff member said in an email that Rep. Jeff Miller (R-Fla.), the chairman of the committee, is posing a series of predominantly “yes or no” questions about the department’s cybersecurity practices.
“The questions concern routine IT security practices that are mandated by current federal law, standards and/or guidance,” said the staff member, who requested anonymity so they could talk more freely about the investigation. “VA should already be conducting all of these IT security practices on a regular basis, and the committee is simply asking for verification that the department is indeed doing so. Therefore, responding to the committee’s questions should be relatively easy for the department.”
In one example provided by the committee, lawmakers are asking VA to respond to 27 questions, including whether the agency’s contractors were responsible for any data breaches, and if not the contractors, who was responsible for the data breaches, including nine attacks from foreign entities?
The committee also wants information on who had access to the systems breached by foreign entities and whether the contractors, if responsible, were assessed liquidated damages by VA. Lawmakers also asked whether Shinseki received immediate notification from the CIO about breaches from foreign entities.
Additionally, the committee asked VA whether they sent quarterly reports to lawmakers and included information about the nine foreign system breaches.
VA has come under fire at several hearings and meetings for what lawmakers call poor cybersecurity practices.
In June, the committee made public that VA’s network has been infiltrated by nation-state actors multiple times.
That hearing followed an investigation by Federal News Radio where VA’s former chief information security officer, Jerry Davis, alleged the agency took shortcuts with system security and is putting the data of millions of veterans at risk.
Additionally, in August a report surfaced that shows veterans are at more risk of identity theft than the average population. VA officials also had difficulty meeting the committee’s satisfaction in answering questions about how they are securing their systems.
An email to VA asking for response to the committee’s letters was not immediately returned.