VA CIO advances ambitious timeline for change, new cyber strategy

By Nicole Ogrysko

The Veterans Affairs Department’s IT shop is pushing an aggressive timeline to make several overarching changes to the way it does business with veterans, industry and its own employees.

The VA Office of Information Technology is focusing first on projects it can start now and finish in the next six months, then changes it can make in the near future — within six to 18 months — and finally initiatives for the future, or 18-36 months down the road.

“People will say with government it’s going to be slow, you can’t make change, things take forever. And I said really, why is that? The reality is, is that truth or is that a vision we’ve walked into?” asked LaVerne Council, VA chief information officer and assistant secretary for information and technology, during a GITEC speech Oct. 15 in Washington. It was her first public speech since she started the job in July.

From growing cyber threats to shifting demographics within the veteran population, several factors are pressuring the department to transform now, Council said.

“The external forces and the internal complexity demand change,” she said. “It is not an option. When you have that many things changing on the outside, that many things changing and needing change on the inside, we have to transform.”

One of Council’s first jobs when she arrived was creating an enterprise integrated security strategy, which she said her team delivered Sept. 28 to Congress.

“You get a strong sense that security takes a point of view of not just being about security but being about the organization,” Council said.

The strategy encompasses eight domains, which break down major focus areas within the VA and also address the cybersecurity directives Federal CIO Tony Scott ordered in the wake of the OPM cyber breaches, said Susan McHugh-Polley, executive director of enterprise field operations and program manager for the VA’s Enterprise Cybersecurity Strategy Team.

Those eight domains cover:

  1. Medical cyber
  2. Privacy
  3. Security architecture
  4. Access and control
  5. ID and authentication
  6. Enabling effective operations
  7. Governance
  8. Risk program management

When Council was first appointed, she said different people advised her to focus on one or two major projects she could accomplish. But Council said it was difficult for her to accept that advice.

“That would have required me to have my blinders on, to say I only want to do something that has to do with the biggest projects, that way I can wave and say, see what I’ve done.”

An emphasis on buy-first

Institutionalizing a “buy-first” strategy rather than a “make-first” one is a key point for Council and the VA’s future, even as some of her deputies seemed surprised when she announced the direction.

“Buy-first, because business cases defining which direction we go has got to become a critical part of our DNA,” she said. “We’ve got to ask ourselves critical questions with the finite resources we have, how best to go forward, and what is the lifecycle that will enable the veteran experience to meet the needs that we have for the future.”

McHugh-Polley said she’s looking for industries specifically around two coverage areas in the Enterprise Cybersecurity Strategy — medical cyber and privacy.

The VA is also looking to change its agile development process, which Rob Thomas, assistant deputy chief information officer for integration at the VA, said will focus on doing instead of documenting.

In the past, rolling out new software at the VA was a long and laborious process. Thomas said his team often needed as many as 57 artifacts to prove a piece of software’s merit.

Thomas said he’s working on an agile scrum process, where project managers will take on and learn from daily, weekly or biweekly scrums.

“VA is looking at all of its processes to determine how we can best align them with our themes to stabilize and streamline core processes and platforms, eliminate material weaknesses and institutionalize a new set of capabilities to drive improved outcomes,” Thomas said in a statement to Federal News Radio. “Our focus will be on doing instead of documenting while maintaining all mandated IT and security requirements.”