In a case of closing the barn door after the cows have all gotten out, the Veterans Administration took steps to get its information security in order Friday, a half decade after security alerts were first issued and nearly two months after the largest personal data breach in U.S. history.
The House Government Reform Committee, chaired by Rep. Thomas M. Davis III (R-Va.), began releasing its annual federal computer security report card (PDF) five years ago. Each year the report card awarded the VA a failing grade, the only exception being 2003, when the VA got to choose its own C grade. The report card measures compliance with the 2002 Federal Information Security Management Act, which requires agencies to test their systems, develop cyber-security plans and report on their progress.
“To the best of my knowledge, the loss of 26 million records by VA is the largest by a federal agency to date,” said Davis of the most recent security fiasco. “Perhaps if the department improved its compliance with the existing information protection laws, this breach would not have happened. There seem to be two problems here: a department that’s inadequately protected, and an employee who acted incredibly irresponsibly.”
Security at the VA is a well-worn joke: In 2003, tests by staff members in the VA Inspector General’s office demonstrated that a hacker could gain access to veterans’ protected medical information from outside the VA network. Last year, internal reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices. Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers’ access to sensitive information and providing annual security awareness training for employees.
“We identified significant information security vulnerabilities that place VA at considerable risk of . . . unauthorized access to sensitive data and improper disclosure of sensitive data,” acting Inspector General Jon A. Wooditch wrote.
Awoken jarringly from his slumber, Secretary of Veterans Affairs Jim Nicholson now attempts to play a game of retroactive CYA by ordering a complete restructuring of information security. Nicholson announced (PDF) during congressional hearings that during the week of June 26-30, “VA facilities across the country — every hospital, CBOC, regional office, national cemetery, field office and VA’s Central Office — will ‘stand down’ for Security Awareness Week. Managers throughout VA will review information security and reinforce privacy obligations and responsibilities with their staff.”
“I have also ordered that every laptop in VA undergo a security review to ensure that all security and virus software is current. The review will include removal of any unauthorized information or software,” Nicholson continued. “Importantly, I have ordered that no personal laptop or computer equipment be allowed access to VA’s Virtual Private Network (VPN) or be used for official business. VPN settings will be changed every 30 days, forcing laptop users to return the laptop to VA for updating and security screening. We are in the process of conducting an inventory of all positions in VA with access to VPN or to any sensitive information.”
In military terms, a “stand-down” is an order given to military units, ranging from a single military command to the entire Defense Department, to cease all but the most basic of duties and focus all attention and training on the special task given them.
Steve Kennebeck, 46, an Army sergeant who retired in 1997, is familiar with another military term. After he called a special VA toll-free number but was unable to learn whether he was among affected veterans, Kennebeck said, “I’m angry. . . . If we had done something like that in the military, we’d be punished by courts-martial. We protect America, and do they protect our personal information? No. It’s galling. Somebody’s head should roll.”
Stephanie
Jul 10, 2006
My grandfather fought in WWII and served for a total of 9 yrs, most of it wartime. We are getting the RUN AROUND from the Dept. of VA. What do you suggest? He is 88 tomorrow and time is running out. We need him to be approved for his benefits so he can live a DIGNIFIED LIFE!!!