Baker tells VA vendors they must meet certification requirements

22,000 vendors will get a letter notifying them of cyber guidance

The Veterans Affairs Department is contacting the chief executives of the department’s 22,000 vendors to remind them to certify that they are meeting the VA’s requirements for protecting sensitive medical information, Roger Baker, assistant secretary for information and technology, said today.

Baker said he decided to send the letter because of initial findings of a VA audit that determined that 10 to 25 percent of vendors at some VA facilities are not in compliance with the certification requirement.

“The main intent is that everyone gets the message,” Baker said. “If they are not certifying, we will take action.”

Those certification requirements apply only to VA vendors that have access to personal medical data, which Baker estimated was the case for approximately one-third of the 22,000 vendors.

The audit is not yet complete, and the letter is intended to help vendors meet those requirements as quickly as possible, Baker said in a conference call with reporters.

So far, the audit has found that many VA facilities are fully in compliance, and for those that are not, the noncompliance rate is 10 to 25 percent, he said.

“A lot of this is education about which companies have to have” the certification, Baker said. “Guidance has gone out a number of times, and yet we still have facilities that have not fully addressed it.”

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader Comments

Mon, Sep 20, 2010 Fernie

This article was of limited value. You spoke to the certification requirements but as one of the possible vendors I would like to know which certification is being required. Is it HIPAA or NIAP or DITSCAP/DODIIS, or STIG or what? Please consider that the Government has MANY certifications which really stress out the vendor community. Some of these certifications are for software and are done by third parties. They cost about $300K per product and can take a year to complete. The resultant "certified" product is then one year old and headed to obsolescence to be replaced with the latest version so the Government end user gets to implement a product which is about a year old. Anyway, please consider including more details in the future. These comments are my own and don't represent official comments by the company I work for.
