VA vendors warned to meet certification requirements

Veterans Affairs CIO Roger Baker issues letter to thousands of CEOs

There is a small chance that a recent warning letter sent to vendors who handle personal medical data at the Veterans Affairs Department could lead to higher costs for the VA, the department’s assistant secretary for information and technology said.

“It could come back in the cost rates,” Roger Baker, who also is the department's chief information officer, told reporters Nov. 17.

Baker sent a letter to the CEOs of the VA vendor firms Oct. 21, reminding them of their legal obligation to certify that they meet VA information security requirements for handling veterans’ sensitive medical data.

The certification requirements apply to VA vendors that have access to personal medical data, which Baker previously estimated was the case for approximately one-third of the department’s 22,000 vendors.

The letter states that sensitive personal records for 644 veterans recently were put at risk due to a VA vendor’s loss of an unencrypted laptop computer.

“The vendor had certified that it was complying with VA security policies, but was not,” Baker’s letter to the vendors states. “As a result of this, all of their contracts with VA are currently under review.”

The letter said VA teams are auditing all affected contracts, visiting vendor facilities when necessary. If the auditors determine that a current certification is not in compliance with VA policies, then “appropriate contractual remedies” will be applied, Baker said.

The letter applies to current contracts, he said.

Asked about the costs to vendors of conducting the reviews and certifying the compliance, Baker said the costs were minimal. But he said there is a small chance that vendors might raise their costs in future contracts as a result of additional work performed after the letter.

“I don’t have the view that this is costing a lot” for the vendors, Baker said. On the other hand, “it could come back in the cost rates.” In any case, the certifications of information security are a common practice and should be expected as a usual cost of doing business, he added.

Baker previously said he initiated the vendor audits because a survey found that 10 to 25 percent of vendors at some VA facilities were not in compliance with the certification requirement.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
