US gov't exec: VA ignored security warnings

The Government Accountability Office gave VA officials several specific warnings about the agency's information security program before the massive data breach there last month, according to Linda Koontz, director of information management issues at the GAO. But the VA failed to act on the warnings, Koontz said last week at a hearing held by the House Committee on Veterans' Affairs. She spoke with Computerworld afterward about data security problems at federal agencies. Excerpts from the interview follow:

What went wrong at the VA? The inspector general has both an administrative and a criminal investigation going on, so I can't talk specifically about that. But one of the points we tried to make is that the VA has really failed to establish a comprehensive integrated information security program.

In your testimony, you blamed the leadership at the VA. Why? Part of it has to do with the fact that the problems at the VA are very long-standing, and although [agency officials] have done something to address them, their actions have not been sufficient. I think it's natural for us to believe that they are going to need leadership from the top to break the logjam here.

Does the Federal Information Security Management Act need to be revised? What's the incentive for agencies to comply now? The fallout from a disclosure is certainly enough to make any agency head think about what they are doing in this area. The thing about FISMA is that there may be some things you need to do to tweak it, but probably one of the bigger issues is making sure that agencies comply with what is required right now.