VA Buckles Down On Cyber Security, Program Management

Agency refocuses IT priorities on data protection, on-time project delivery to overcome past poor performance.

October 30, 2014

The Department of Veterans Affairs has a checkered history of delivering major IT programs successfully. But VA officials claim that in recent years the department has taken major steps to keep technology efforts on time and within budget. These steps are important because of the department's mission to support veterans' healthcare and the need to provide efficient services despite ongoing technical challenges facing the agency.

To more effectively run and manage its IT programs, the VA has revamped how it delivers services and refocused its priorities, explained Stephen Warren, executive in charge and CIO of the VA's Office of Information Technology, at a recent briefing.

Warren noted that the VA's major IT priorities are protecting veterans' information, providing quality customer service, delivering IT products on time, reporting operational metrics, and managing financial resources. Above all, the department aims to be a "good steward" of veterans' data, he maintained. To do this, the VA has developed a structured defense-in-depth system to protect its data.

Continuous monitoring is one example. In 2013, the VA was the first government department to deploy the Einstein 3 continuous monitoring system to defend its networks, Warren said. The system, which is being deployed across the federal government, allows the VA to constantly keep track of activity on its networks, alerting administrators to an intrusion or other unusual activity in near real time. The VA has also installed additional systems to defend individual servers, desktops, and other systems within its enterprise, he said.

Another major focus is on IT products and software. In 2009, the VA radically changed how it set up and ran software development programs, Warren said. If a project cannot be completed and ready within six months, the VA will not run it. This radically changed how the VA delivers products. Since this policy change, about 96% of all VA IT products are delivered on time, with a 4% loss rate, he said.

VA IT projects go through a series of milestones to keep on track. One major part of this process is that due dates are not flexible. "If the date slips, we don't change the [due] date -- that's what we hold folks to," Warren said.

As an example of how the VA sticks to this process, Warren noted that for 2014, the VA's on-time delivery rate was only 73% due to 2013's government shutdown. If the shutdown had not occurred, the project success rate would have been about 82%, he said.

One of the major lessons learned from this IT process is that if an organization allows project due dates to float, it lowers the probability of a team or contractor ever meeting its project goals, Warren said. "Time is the biggest enemy," he noted. Time is one reason the VA set its project delivery deadlines at six months or less. Program managers must declare before the six months are up whether they will meet or miss the delivery date. He emphasized that meeting deadline dates "is sacred to us."

But while the department has made progress in defending its data and streamlining how it manages IT programs, more needs to be done, Warren said. Part of this comes from the legacy of embarrassing data breaches that marred the VA's IT efforts in the past. To distance itself from that history, the VA is continuously evolving how it defends and manages its data.

The department must consider the threat space and how attacks are becoming progressively more sophisticated, Warren explained. Although there have been intrusions into the VA's networks over the last year, he noted that these attempts did not succeed in pulling any data out. "As a large institution, we're always under threat."

There is also the need to meet and comply with the Federal Information Security Management Act and other security standards. But Warren cautioned it is important to understand that while complying with standards is very important, the department must be able to deliver benefits to veterans where and when they need them.
