It’s a bit of common knowledge inside federal IT circles: The Veterans Affairs Department has consistently been unable to meet cybersecurity requirements.
For the 18th year in a row, the VA could not avoid having cybersecurity designated a material weakness, but a recent inspector general’s report details how the department has made clear and significant progress on improving its security posture.
Cybersecurity was one factor in VA Secretary David Shulkin’s decision in June to shift from the Veterans Information Systems and Technology Architecture (VistA) toward a commercial off-the-shelf electronic health records system. “We intend to leverage the architecture, tools and processes that have already been put in place to protect DOD data, to include both physical and virtual separation from commercial clients,” he said at the time.
Yet the VA is making strides. “VA has made progress developing policies and procedures but still faces challenges implementing components of its agencywide information security continuous monitoring and risk management program to meet” the requirements of the Federal Information Security Modernization Act (FISMA) of 2014, the report from the VA’s Office of Inspector General states.
The report, released in June, contains 33 specific recommendations. The VA says it has made progress on all of the recommendations and is asking the IG’s office to close 18 of them, Federal News Radio reports.
VA’s Cyber Plan Yields Results
Following criticism from Congress and a large amount of turnover, former VA CIO Laverne Council vowed when she took over the role in 2015 that she would eliminate more than two dozen cybersecurity weaknesses over the next two years, Federal News Radio notes. Part of that effort involved the creation of a cybersecurity plan and the Enterprise Cybersecurity Strategy Team (ECST) to address cybersecurity weaknesses.
The plan was aimed at helping VA “achieve transparency and accountability while securing veteran information through teamwork and innovation,” the report notes. ECST focused on managing existing cybersecurity efforts as well as the development and review of VA’s operational requirements — from desktops to software and network protection.
Since then, the ECST has launched 31 “Plans of Action” to address previously identified security weaknesses and material IT weaknesses, and has also reported progress to the CIO’s office on a weekly basis to ensure corrective actions are tracked and monitored.
The report noted that, as a result of ECST’s efforts, the number of individuals with outdated background investigations has been reduced, and the use of two-factor authentication to access network resources has improved.
Additionally, the VA has continued to put in place IT governance, risk, and compliance tools to improve processes for assessing, authorizing, and monitoring the security posture of VA systems. The agency has also put in place an enhanced audit log collection and analysis tool, the report notes.
“However, these controls require time to mature and demonstrate evidence of their effectiveness,” the report notes. “Accordingly, we continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation of the security program.”
Moving forward, the IG report says, “VA needs to ensure a proven process is in place across the agency. VA also needs to continue to address deficiencies that exist within access and configuration management controls across all facilities.”
More Security Progress Is Needed at VA
Despite the progress, the report still found “continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.”
VA has not fully put in place security standards on all servers, databases, and network devices, resulting in weaknesses in access and configuration management controls, the report found.
Additionally, the department “has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, databases, and server platforms VA-wide.”
The VA CIO’s office said in response that it would set up a patch and vulnerability management program by June 30, and that by the same date it would fully enact a new firewall policy covering new technologies, in coordination with the VA’s Office of Cyber Security.
The ECST also said it would, by June 30, put in place application protocol whitelisting at Trusted Internet Connection gateways, as well as a next-generation application firewall solution for SSL decryption, data filtering and sandboxing analysis at those gateways.
VA Deputy Inspector General Linda Halliday told Federal News Radio that her office will continue to review the department’s progress in improving its cybersecurity.
“When the OIG receives evidence of appropriate corrective action, we will generally close that recommendation,” she said. “As VA provides documentation to support the corrective actions taken on any recommendation, we will review it and make the determination on whether we can close that recommendation. Further, we continue to assess VA’s progress in implementing corrective actions and their ability to sustain improvements impacting VA information security posture during our annual FISMA review in the following year.”