CyberEye


Making IT security a priority at VA

If a demonstration is needed that security is a process, not a product, and that it depends on management, not technology, the Veterans Affairs Department provides it.

The Government Accountability Office recently recited to a House panel a litany of weaknesses in the sprawling department’s struggling IT security program. The VA inspector general has identified development of an info security program as a “major management challenge,” and auditors have flagged inadequate security controls in financial systems as a material weakness for 12 years. GAO warnings date back to 1998, and it has reported consistent weaknesses in security control areas at VA since 2007.

“The persistence of similar weaknesses over 16 years later indicates the need for stronger, more focused management attention and action to ensure that VA fully implements a robust security program,” Gregory Wilshusen, GAO’s director of information security issues, told a House VA oversight subcommittee on March 25.

In an effort to refocus management attention, Rep. Jackie Walorski (R-Ind.) on April 2 introduced a bill, H.R. 4370, to “improve the transparency and the governance of the information security program of the department.” The contents of the bill are not yet available, but Walorski said in a statement that it would provide “a clear roadmap for immediately securing its system.”

The department’s security shortcomings have been so consistent for so long that they merit attention. The size of the department and the scope of its mission make it one of the greatest IT security challenges in government. VA operates the nation’s largest healthcare system, providing healthcare for about 6 million veterans, administers financial benefits for millions more and manages veterans’ graves all across the country.

In June last year, the House VA Oversight and Investigations Subcommittee recommended designating the VA network a “compromised environment” and said that VA should establish controls to reclaim it “from nation state sponsored organizations.”

Department CIO Stephen W. Warren, in a November 2013 letter to subcommittee Chairman Rep. Mike Coffman, responded that “VA has in place a strong, multi-layered defense to combat evolving cybersecurity threats, including monitoring by external partners and active scanning of Web applications and source code.”

But from January 2010 through October 2013, more than 29,000 possible data breaches were reported by VA. In his letter, Warren noted that “virtually all of VA’s data breaches are paper-based, equipment loss or unencrypted e-mailing of sensitive information.”

VA is addressing the equipment loss issue by encrypting laptops and desktops, which began last year in conjunction with the department’s upgrade to the Windows 7 OS. Warren reported that as of Oct. 29, 87 percent of the computers, more than 330,000 systems, were running Windows 7 and most of the rest were expected to be upgraded by the end of January 2014. He noted, however, that some pockets were likely to remain due to what he called “blocker” applications, “applications that are not compatible with Windows 7 and have not yet been replaced.”

Whether Congress will be able to significantly improve VA’s cybersecurity with new legislation remains an open question. Wilshusen, in last month’s testimony to the subcommittee, said that “many of the actions and activities specified in the bill are sound information security practices and consistent with federal guidelines. If implemented on a risk-based basis, they could prompt VA to refocus its efforts on steps needed to improve the security of its systems and information.”

But he cautioned that security should be risk-based and not based on technology requirements that could quickly become outdated.

Posted by William Jackson on Apr 04, 2014 at 9:26 AM

