Mansfield pointed to the ongoing centralization of the VA's IT organization and the establishment of a security operations center as examples of the changes being made by the agency. He also noted that at an off-site meeting of senior managers on Feb. 21, VA Secretary R. James Nicholson reiterated his order that all supervisors take responsibility for protecting information.

But progress at the VA has been slow because of the enormous scope of the work involved, Mansfield said. "We still have out there a largely decentralized system," he said. "It is nonstandardized. So there are no simple fixes."

Robert Howard, the VA's assistant secretary for information and technology, said the agency is on track to complete the centralization of all IT operations by July 2008. All software development programs will be shifted to the central IT unit by the start of next month, according to Howard.

Meanwhile, the search is on again to find a chief information security officer, a position that has been vacant since the former CISO resigned last June. Mansfield said the hiring process has been delayed because a candidate who had been chosen for the job accepted another offer at the last minute.