OIG: VA Must Address InfoSec Weaknesses


CIO Responds to Audit Findings at Congressional Hearing

A watchdog agency's audit of the Department of Veterans Affairs makes nearly three dozen recommendations for how the VA should address "material weakness" in its information security program, ranging from issues concerning identity and access management to incident response.


The VA, the nation's largest healthcare provider, plans to address a portion of the audit findings by the end of 2016 and the remainder by the end of 2017, VA CIO LaVerne Council testified during a March 16 hearing of the House Oversight and Government Reform Committee's subcommittee on IT.

The VA has been making progress recently in addressing cybersecurity issues, including "expanding strong authentication practices to 100 percent of privileged users and 80 percent of unprivileged users," noted subcommittee chair William Hurd, R-Texas, in his opening comments.

"This is ... a positive indicator that the VA is making progress in cybersecurity. But concerns remain," he said. "The goal you and your CISO have set to eliminate material weaknesses by the end of 2017 is two years [from the time of the most recent OIG audit]. Two years is too long, and I think we can do better. ... The bad guys are moving at the speed of light, and we're moving at the speed of bureaucracy, and if we can fix that, it will go a long way in trying to serve those who have put themselves in harm's way in order to keep us safe at night."

List of Shortcomings

A March 15 report from the VA Office of Inspector General outlined findings from a fiscal 2015 audit of the VA's compliance with the Federal Information Security Modernization Act.

The audit found shortcomings in the VA's:

- Agencywide security management program;
- Identity management and access controls;
- Configuration management controls;
- System development/change management controls;
- Contingency planning;
- Incident response and monitoring;
- Continuous monitoring; and
- Contractor systems oversight.

The report includes 31 recommendations for improving the VA's information security program and highlights four unresolved recommendations from prior years' assessments.

"VA continues to face significant challenges in complying with the requirements of FISMA because of the nature and maturity of its information security program," the OIG report notes.

Action Items

To address its security weaknesses and "better achieve FISMA outcomes," OIG says the VA needs to focus on several key areas, including:

- Addressing security-related issues that contributed to the information technology material weakness reported in the fiscal year 2015 audit;
- Successfully correcting high-risk system security issues identified within the VA's "plans of action and milestones";
- Establishing effective processes for evaluating information security controls via continuous monitoring and security vulnerability assessments;
- Implementing effective automated mechanisms to continuously identify and remediate security deficiencies on the VA's network infrastructure, database platforms, and Web application servers;
- Instituting procedures to oversee contractor management of cloud-based systems, ensure OIG access to those systems and ensure information security controls are adequate; and
- Conducting periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities and excessive or unauthorized accounts.

Hearing Testimony

In written testimony submitted for the subcommittee hearing, Brent Arronte, deputy assistant inspector general at VA OIG, noted that the audit completed in November 2015 marked "the 16th consecutive year the OIG's independent contractors that perform the annual audit of VA's consolidated financial statements have identified IT security controls as a material weakness."

Council, who joined the VA as CIO in July 2015, said in her written testimony that the VA is acting upon the OIG's latest recommendations and expects to implement about 30 percent of them by the end of 2016, and the remainder by the end of 2017.

"Information security is a constant challenge," Council said. She noted that the VA in September 2015 delivered to Congress "an actionable, far-reaching, cybersecurity strategy and implementation plan for VA."

Image: LaVerne Council, VA CIO, testifying before the House Oversight Committee's subcommittee on IT.

The VA's Office of IT "is committed to protecting all veteran information and VA data and limiting access to only those with the proper authority," she testified. "This commitment requires us to think enterprise-wide about security holistically. We have dual responsibility to store and protect veterans' records, and our strategy addresses both privacy and security. We designed our strategy to counter the spectrum of threat profiles through a multilayered, in-depth defense model" that includes VA collaboration with the Department of Defense, she noted.

Bigger InfoSec Budget Sought

The VA is seeking to nearly double its cybersecurity budget in fiscal 2017 to $370 million. That funding would be used to carry out OIG's recommendations as well as address legacy concerns, Council noted. "As part of our Continuous Readiness in Information Security Program, our enterprise cybersecurity strategy team has created a detailed material weakness plan and is on track to eliminate our material weaknesses by the end of 2017," she testified.

The VA has many older information systems running custom applications, including some software built in the 1960s using the now-outdated COBOL programming language, Council noted. "We have 834 custom apps at the VA."

Another ongoing challenge, she said, is medical devices running outdated operating systems no longer supported by vendors, making those products difficult to patch and update. Council said the VA still has medical equipment running Windows XP, for example, "but we've put in a process to drive out that lifecycle problem" by replacing devices when possible.

The VA also is looking to migrate off many of its custom applications in favor of off-the-shelf applications whenever possible, as well as move some systems "out to the cloud," including using email-as-a-service, she said. "This helps eliminate hardware issues we have, plus opens up new opportunities."

The department is also attempting to fortify its technology workforce to keep up with evolving IT and cybersecurity challenges, Council testified. But that's a challenge, too, she said. "We are competing against private-sector [technology employers], and it takes longer to get into the government [workforce]," she testified. "We take a long time getting them through the door."