VA vendors warned to meet certification requirements

Veterans Affairs CIO Roger Baker issues letter to thousands of CEOs

There is a small chance that a recent warning letter sent to vendors who handle personal medical data at the Veterans Affairs Department could lead to higher costs for the VA, the department’s assistant secretary for information and technology said.

“It could come back in the cost rates,” Roger Baker, who also is the department's chief information officer, told reporters Nov. 17.

Baker sent a letter to the CEOs of the VA vendor firms Oct. 21, reminding them of their legal obligation to certify that they meet VA information security requirements for handling veterans’ sensitive medical data.

The certification requirements apply to VA vendors that have access to personal medical data, which Baker previously estimated was the case for approximately one-third of the department’s 22,000 vendors.

The letter states that sensitive personal records for 644 veterans recently were put at risk due to a VA vendor’s loss of an unencrypted laptop computer.

“The vendor had certified that it was complying with VA security policies, but was not,” Baker’s letter to the vendors states. “As a result of this, all of their contracts with VA are currently under review.”

The letter said VA teams are auditing all affected contracts, including visiting vendor facilities when necessary. If the auditors determine that a current certification is not in compliance with VA policies, then “appropriate contractual remedies” will be applied, Baker said.

The letter applies to current contracts, he said.

Asked about the costs to vendors of conducting the reviews and certifying the compliance, Baker said the costs were minimal. But he said there is a small chance that vendors might raise their costs in future contracts as a result of additional work performed after the letter.

“I don’t have the view that this is costing a lot” for the vendors, Baker said. On the other hand, “it could come back in the cost rates.” In any case, the certifications of information security are a common practice and should be expected as a usual cost of doing business, he added.

Baker previously said he initiated the vendor audits because a survey found that 10 to 25 percent of vendors at some VA facilities were not in compliance with the certification requirement.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
