VA locks onto a series of security efforts

The Department of Veterans Affairs will consolidate its external access points from more than 1,000 to about 20.

Bruce Brody

(GCN Photo by Ricky Carioti)

Just over a year ago, Bruce Brody took over as the associate deputy assistant secretary for cybersecurity at the Veterans Affairs Department, a newly created position and the first of its kind in the federal government.

The department wanted to overcome its security problems, which had drawn severe criticism from its inspector general, the General Accounting Office and Congress. The department has since launched a number of security initiatives that are making headway, Brody said.

VA has completed a departmentwide implementation of ePolicy Orchestrator antivirus software from Network Associates Inc. of Santa Clara, Calif., for 220,000 PCs, Brody said.

Largest in government

The implementation, conducted by Network Associates, was the largest in the government and the third largest in the world, he said.

VA also recently received high marks from the Office of Management and Budget on its Government Information Security Reform Act report. GISRA requires federal agencies to conduct security assessments every three months.

The report noted that VA reviewed 922 systems for security, the largest number of any single agency. OMB applauded VA's use of a security assessment process developed by the National Institute of Standards and Technology and noted that the department's adoption of metrics to measure security efforts showed more progress than most federal agencies have made.

The report also indicated VA had made significant progress in its security training, information sharing and planning.

And the department has launched what it calls the Enterprise Security Infrastructure initiative to reduce to about 20 the number of external connections through which users access the VA network.

"We have an unmanageable number of external connections, more than a thousand that allow access to the VA network," Brody said.

The connections include links via virtual private networks, remote access servers and modems.

"This is a vulnerability to the VA environment," Brody said.

The gateway consolidation project is in the planning stage, and the department will seek a contractor's help to implement it, he said.

The project will be launched at VA's Austin Automation Center in Texas late this summer.

To maintain control, VA uses a certification and accreditation program through which project managers take inventories of VA systems and certify that they meet security requirements. VA's Office of Cybersecurity and the Office of the Chief Information Officer must approve the certifications.

Cultural hurdles

Brody said he is confident the bolstered security efforts will be successful, even though they face cultural hurdles.

For years, VA's three main agencies (the Veterans Benefits Administration, Veterans Health Administration and National Cemetery Administration) have worked as independent units, he said.

To get them to cooperate on security, the department is setting up a joint program office in Martinsburg, W.Va., which will be run by representatives from each organization and VA central offices.

"We will work together on future security initiatives such as public-key infrastructure implementation," he said.
