VA's IT centralization could slow security fixes
Lawmakers, auditors uneasy over lack of standardized controls
'The true test is whether VA can implement the policies over the long term,' said Gregory Wilshusen, director of GAO's information security team.
Lawmakers and oversight authorities are expressing doubts that the way the Veterans Affairs Department is centralizing its IT organization will ensure that security is marbled throughout its agencies.
Representatives of VA's inspector general and the Government Accountability Office told lawmakers at a hearing earlier this month that it was necessary to centralize IT authority, including data security and enforcement, under the department CIO so VA can apply and enforce security departmentwide. Last year, the IG made 16 recommendations, all of which remain open, to fix major weaknesses in security controls.
'The 16 recommendations speak to the issue of standardization, and they can only be accomplished if the three administrations [the Veterans Benefits, Veterans Health and National Cemetery administrations] work collectively to address them as one voice,' said Michael Staley, VA's assistant inspector general for auditing.
As a result of its decentralized nature, both GAO and the IG have reported, VA has made IT security improvements in specific locations but not across the department.
'This piecemeal approach of providing security is not an effective way of doing business,' said Rep. Shelley Berkley (D-Nev.), ranking member of the House Veterans Affairs Subcommittee on Disability Assistance and Memorial Affairs.
VA, however, has chosen a federated model of centralization under which the department CIO will have authority over IT operations and management and related personnel, while VA's administrations will retain authority over IT development and those employees.
Lawmakers and auditors are concerned because security needs to be a part of the entire lifecycle of a system from planning through operation and maintenance. Officials said allowing that job to be handled by different parts of the department leaves too much room for error.
VA still needs to develop policy to coordinate security across the department and ensure authority and independence for security officers, said Gregory Wilshusen, director of GAO's information security issues.
After reporting the theft of sensitive data, VA recently took steps to strengthen IT security, tightening its data security policies and procedures and filling in gaps in them.
Wilshusen said he has had one meeting with the Veterans Benefits Administration since the data theft about changes in policies, and officials seemed very concerned.
'They will have to execute them, and it will take time and effort. The true test is whether VA can implement the policies over the long term,' he said.
'I think that it will require ... strong communication about the security requirements, because it's imperative that security considerations and requirements be considered during the development of these systems so they can be put into it rather than after the fact,' Wilshusen said.
To emphasize data security among employees, VA this week inaugurated Security Awareness Week.