US gov't agency slow to strengthen IT security

02.03.2007

In addition, of the 24 agencies covered under the Federal Information Security Management Act, the VA is the only one that didn't submit a report for 2006 on its compliance with FISMA to the White House Office of Management and Budget, Wilshusen said.

Maureen Regan, counselor for the VA's inspector general, said at the hearing that there now is a greater awareness of the need for change within the agency. But there is still a lack of effective internal controls and accountability, she added.

An ongoing audit of the VA's FISMA compliance has shown that none of the 17 security recommendations made in previous reports has been implemented thus far, Regan said. She also said that the inspector general's office expects to cite "several new high-risk areas," including remote access and the ability of non-employees to gain access to sensitive data.

Ten months after the laptop was stolen from the home of a VA employee, the agency has yet to determine how many of its employees and contractors are using personally owned systems to access VA networks and data, said Regan.

The agency also doesn't have any way of knowing what data is being downloaded and stored on such devices, she said. In addition, much of the agency's sensitive data remains unencrypted, as do many e-mail transmissions.