The Department of Veterans Affairs is setting up cybersecurity check points before an application can get on the network.
The idea isn’t to replace the authority to operate (ATO) process, but to become a great engineering organization like those in the private sector.
Kurt DelBene, the assistant secretary for the Office of Information and Technology and chief information officer at VA, said these new cyber gates are part of how VA is embracing a more well-rounded approach to its ATOs.
“What I found in VA so far is that we’re really good about doing the required procedures to get all the documentation together. But what we have an opportunity to do is have more of that last look of saying, if I look at everything in aggregate, do I feel good about the overall security of that system?” DelBene said in an interview with Federal News Network. “Or should I say ‘no, these are the three things that I actually don’t feel good about,’ and they can be three initiatives that we’ve got in terms of things like zero trust, for instance. As a result, we’re going to say, you’ve got to come back and a certain period of time, even if we grant the ATO now, it’s for a much shorter period of time, and we want these things remediated.”
At the same time, DelBene said, the application or system owners also must have the resources and time needed to fix the problems and get through the gate.
The goal is not to make the ATO process more arduous. Many federal cyber experts struggle with finding the balance between speed and rigor with ATOs, including VA, which faced accusations in 2012 and 2013 of shortcutting the process.
Other agencies, particularly in the Defense Department and intelligence community, have developed fast-track and continuous ATO processes to help reduce the burden that can come with low-impact systems.
Most critical systems first
DelBene, however, takes a slightly different view of the ATOs, saying cyber experts and mission owners should “love” the process.
“We’re starting to focus on the most critical systems we have at the VA. We’re starting to look at each of them and figuring out what it would mean to be more rigorous in that approval process,” he said. “We’re in the early days. I’ve been in the role for eight months now and this is a place where we’ve got a set of systems we’re looking at and we’re going to look at that ATO and say, ‘will the technical people say we feel good about it or not? And what remediations do we need?’”
Most systems typically have a plan of action and milestones (POA&M) to fix any outstanding issues, and DelBene said the new ATO approach includes the need to define and act on these objectives so they are not a crutch to getting a full ATO.
DelBene added that the new process may mean granting a six-month ATO instead of a year-long one, and if the cyber threat is critical enough, VA may have to move funding to fix the issue immediately.
By embracing the ATO process and using this new gate approach, DelBene’s goal is to create a world-class engineering organization at VA.
“Like those commercial organizations, it starts with a vision, a great team and great products focused on what you are trying to accomplish for the end user,” DelBene said at the 930Gov conference on Aug. 23, sponsored by the Digital Government Institute. “What I tell the teams at the Veterans Benefits Administration or the Veterans Health Administration is if you don’t have a vision, stitch it together and work with us to refine it so it’s your vision. Then let us cascade what we do to help accomplish that vision.”
Making claims process more reliable
DelBene said this, of course, means working with the mission areas to figure out what their priorities are, embracing the path to accomplish those goals and ensuring there are resources available to modernize systems, applications and processes.
The PACT Act gives VA the resources it needs to staff up its health care workforce to treat approximately 3.5 million post-9/11 combat veterans exposed to toxic burn pits during their military service.
DelBene said VBA’s systems are not as reliable as they should be and the cloud can help.
DelBene said VA has been preparing for the passage of the PACT Act for some time from an IT perspective.
“The first one is when we bring on more agents, they have to have PCs and they have to have their PCs very quickly to be able to log on. That’s the more mundane aspect of it, but very hard to do,” he said. “The second thing is how do you make sure that when somebody goes to VA.gov, they know how to apply for benefits, and what are all the different ways that they would come into the system and want to be helped? The next thing is they’re going to get this onslaught of additional claims, we need to be able to process those faster. There’s an opportunity to do automation.”
DelBene said applying automation means bringing together data from different systems so that claim adjudicators can make decisions more quickly.
“It’s about in more simple cases, where for instance, we fully automated things around hypertension, where the actual decision rule is quite simple, you basically can pull together the data, and in certain cases, you can make that decision automatically. We’re pushing to do more and more of those cases, but do it in a very mature and supportable way so you start with simple cases,” he said. “The third thing we’re doing is if you think about the average claims application as having multiple elements, you need to be able to break that down into its pieces, and each one has data demands, but more of those individual elements can be automated, whereas the adjudicator has to pull those all together into a single package.”
DelBene said a few of these claim scenarios are automated today, but more are ripe for applying this technology to improve the process.