Similarly, McClain stated in the second memo that the CIO had no authority at all under FISMA to enforce policies across the agency even though he had responsibility for ensuring information security.

Bruce Brody, who was the VA's CISO from 2001 to 2004, said in an interview this month that the memos were written after he asked McClain for opinions on security responsibilities at the agency. Brody contended that McClain's legal interpretations "fragmented security at the VA into little stovepipes and fiefdoms."

The agency's information security office was left with "no authority," Brody said. He noted that when the W32.Blaster worm struck in 2003, he had the power to patch only about 1,000 of the VA's 250,000 systems.

The VA's decentralized structure has been widely blamed as a contributing factor in its recent security breach, and Nicholson last month said he had issued a memo that more clearly delegated responsibility and authority for enforcing security policies and directives to the agency's CIO.