The House Veterans’ Affairs Subcommittee on Oversight and Investigations on Thursday examined software waste and data privacy risks at the Department of Veterans Affairs (VA), as lawmakers considered two bills aimed at tightening oversight of IT assets and contractor data practices.
Those bills are the Veterans Affairs Management and Oversight of Software Assets (VAMOSA) Act and the Veteran Data Accountability for Third-party Actors (DATA) Act.
Lawmakers and witnesses agreed the issues are urgent, but diverged on whether new legislation is necessary or duplicative of existing policy.
VAMOSA Act
The VAMOSA Act, introduced by Rep. Nancy Mace, R-S.C., in December, would require the VA to inventory and track its software and digital services.
“This bill would address the VA’s lack of a comprehensive inventory of its software licenses, leading to duplicate purchases, unused licenses, and a significant amount of waste,” Mace said during Thursday’s hearing. “This is money the VA could be spending to better care for our veterans.”
“In the VA’s prepared testimony today, they essentially say, ‘Don’t worry, Congress, we have it covered. We don’t need you to make us fix our messes.’ Actually, I think we do,” Mace added.
The congresswoman pointed to a report the Government Accountability Office (GAO) submitted to the subcommittee this week, which reaffirmed that the VA has not yet taken steps to effectively track its current software licenses.
According to GAO, “Until VA adequately assesses the appropriate number of licenses, it cannot determine whether it is purchasing too many licenses or too few.”
Supporting that concern, Cole Lyle, the director of the Veterans Affairs and Rehabilitation Division at the American Legion, pointed to the scale of the issue: “VA spent roughly $21 billion on software licenses and systems between [fiscal years] ‘22 and ‘24, yet a recent GAO report found the department still cannot accurately track how many licenses it uses.”
Lyle said the bill would take “a practical step towards” addressing the problem by requiring a comprehensive inventory, centralized oversight, and annual reporting.
Notably, GAO said that VA officials plan to implement initial functionality for a centralized software license inventory in late March 2026. “If successful, this could be a critical first step in improving the department’s ability to track and analyze licenses across the department,” GAO said.
Veteran DATA Act
The Veteran DATA Act, introduced in January by Reps. Nikki Budzinski, D-Ill., and Tom Barrett, R-Mich., aims to address growing concerns about how contractors handle veterans’ personal data.
“[The] Veteran DATA Act will prevent the VA from entering into a contract with a third-party vendor that permits them to sell or otherwise monetize veterans’ data,” Budzinski said on Thursday. “It gives the secretary one year to ensure that all of the VA’s relevant contracts have been modified to ensure [contractors] are prevented from selling or otherwise monetizing veterans’ personal information.”
Witnesses broadly supported the stronger data protections, but Lyle said the American Legion recommends amendments “to avoid unnecessary renegotiation of contracts that may already contain adequate protections.”
Similarly, VA officials expressed support for the bill’s goals but argued that existing rules may already cover much of its intent.
Jeffrey Neil, associate executive director of the VA’s Technology Acquisition Center, said data concerns are “pretty comprehensively addressed in existing law and regulation,” including Federal Acquisition Regulation requirements and VA policies governing contractor data use.
Still, questions remain about enforcement and visibility into contract terms. Lyle said he has not seen “the specifics of those contracts,” adding that the legislation is “an important step to ensure that those protections, in fact, exist.”