If the Senate confirms Kurt DelBene to be the new assistant secretary for information and technology and chief information officer for the Department of Veterans Affairs in the next few months, he will inherit an IT budget of more than $9 billion, parts of the struggling electronic health records modernization program and a brand new cybersecurity strategy.
President Joe Biden announced Nov. 3 that he plans to nominate DelBene to the role.
DelBene, who would come to VA after spending most of his career in the private sector with Microsoft and McKinsey & Company, isn’t a stranger to major transformations. He spent time on the Obama administration’s healthcare.gov SWAT team in 2013 and 2014.
Being the VA CIO, however, isn’t a matter of swooping in to fix some problems and then leaving. He would join a growing list of politically appointed CIOs who are trying to make progress against long-standing challenges.
Since 2009, VA has had more acting CIOs than permanent ones. After the Senate confirmed Roger Baker in 2009, VA has had only two other permanent CIOs: LaVerne Council and James Gfrerer. The average tenure of an acting CIO is more than 10 months, including one who lasted almost two years, according to research from the House Veterans Affairs Committee.
One of DelBene’s biggest challenges will be VA’s cybersecurity. The agency has struggled to fix long-standing issues ranging from patching and centralized management, to governance and risk management, to a lack of the documentation and accounting needed to close more than 15,000 plans of action and milestones (POA&Ms). The latest Federal Information Security Management Act (FISMA) report from VA’s inspector general found the Enterprise Cybersecurity Strategy Program (ECSP) is making progress in closing gaps and fixing problems.
“Issues remain with consistent application of security program and practices across VA’s portfolio of systems,” the report stated. “VA needs to ensure adequate control and risk management procedures apply to all of their systems and applications in order to fully address previously identified security weaknesses and IT material weaknesses reported as part of the Consolidated Financial Statement audit.”
“As we leverage technology for the betterment of VA’s service offerings, we must also bear the responsibility in protecting the department’s critical information resources,” the strategy stated. “The Veteran experience includes the safeguarding of their information and the protection of the systems that store, process, and transmit data. A compromise could lead to fraudulent activities, exposure of veterans’ personal information, or the corruption of critical data. More importantly, poor cybersecurity practices will erode the veteran’s confidence in VA.”
This is the first update to the department’s cyber strategy since 2016 when Council laid out eight domains with a focus on resolving material weaknesses first.
“I can tell you that material weakness is very important. We’re very interested in getting those resolved, making sure we’re getting a fair grade and being transparent when they come in and look,” said Paul Cunningham, VA’s chief information security officer, during a press briefing in September. “The secretary, [Acting VA CIO] Dr. Evans, my first meeting with both of them, that was the topic of conversation: the material weakness and what are those bigger challenges that may not be as simple as remove and replace a piece of equipment.”
Enhance cybersecurity through partnerships and information sharing
Empower VA mission through cybersecurity risk management
Each of the five areas has its own set of goals, which together form a roadmap that fits into the department’s broader strategic plan. VA said the new strategy “takes into consideration existing and new federal cybersecurity requirements, technological advancements, innovations and world events that have evolved the way VA delivers services. It also factors in new and innovative ways to protect against today’s most sophisticated cybersecurity threats.”
Cunningham said VA is trying to take a different, maybe even stronger, risk management approach to cybersecurity.
“You can accept risk on face value. You can mitigate risk. You can deny the risk or not accept the risk, or you can transfer the risk, but the one risk you can’t do, or one thing you can’t do with risk, is ignore it. That’s where we saw, especially during COVID, where we had to alter our protocols to meet the requirements,” he said. “We made sure all that was documented. We came up with review periods, especially around some of the work we were doing with HHS, around video conferencing, risks that we didn’t normally take before we had to in order to make the mission work. We were looking at that risk acceptance and saying, ‘Is it a change of a protocol now because we now understand the risk a little bit better, or is this something that we’re going to continue, but we need to figure out how we’re going to gracefully off-ramp the acceptance of that risk during this critical point?’ So documentation is critical.”
Authority over all IT spending
The good news for DelBene is that the VA CIO is more empowered today than ever. In late 2019, the secretary gave the CIO oversight of and authority over all IT spending.
This means DelBene will be able to use the strategy to drive spending priorities in a way previous technology executives couldn’t. VA’s cybersecurity budget for fiscal 2022 is expected to be around $450 million, according to the White House’s budget documents. According to the Congressional Research Service, VA spends 0.52% of its discretionary budget on cybersecurity, putting it at the low end of federal agencies’ proportional spending on IT security. By comparison, DoD allocates 1.38% of its budget to cybersecurity, DHS spends 3.81%, and Treasury spends 3.61%.
Along with cybersecurity, DelBene also faces the ever-present IT modernization challenge. VA has made significant progress over the last few years, moving into a portfolio management approach and taking advantage of DevSecOps and cloud services.
VA also has moved 133 applications to the cloud and has another 82 in progress. It still has about 400 in-house-developed apps, but the CIO’s office has worked to reduce the share of custom development from 57% in 2019 to 45% in 2021.