Cybersecurity at VA Still Needs Improvement

The VA Office of Inspector General (OIG) contracted with an independent public accounting firm to assess VA’s security program in accordance with the Federal Information Security Modernization Act (FISMA) for FY 2017. The FISMA law requires agency CIOs, program officials, and Inspectors General to review agency’s information security programs annually and report findings to DHS.

Auditors conducted evaluations on controls that back 44 major applications and support systems at 24 VA facilities. According to their findings, “VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program.”  

For FY 2017, auditors identified deficiencies in eight areas:

• Agency-Wide Security Management Program
• Identity Management and Access Controls
• Configuration Management Controls
• System Development/Change Management Controls
• Contingency Planning
• Incident Response and Monitoring
• Continuous Monitoring
• Contractor Systems Oversight

The 61-page report offers 29 recommendations over the eight areas of deficiency. Recommendations include:

• Fully implement an agency-wide risk management governance structure
• Enforce VA password policies and standards on all operating systems, databases, applications, and network devices
• Implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers
• Implement a more effective patch and vulnerability management program
• Enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system
• Implement improved processes for the testing of contingency plans and failover capabilities for critical systems
• Identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and connections for unauthorized activity
• Implement more effective agency-wide incident response procedures
• Fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of unauthorized software on agency devices
• Implement improved procedures for overseeing contractor-managed cloud-based systems and ensure information security controls adequately protect VA sensitive systems and data

In contrast to this recent report, VA’s CISO, Dominic Cussatt appeared on Federal News Radio’s CyberChat in February to tout VA’s progress in achieving its Enterprise Cybersecurity Strategy.  Cussatt stated that one of the most significant and impactful successes that the VA has achieved since the strategy’s implementation in 2015 is accomplishing the goals of the Enterprise Cybersecurity Strategy Team (ECST) ahead of schedule. VA created the ECST to implement the cyber strategy. The team created an integrated master schedule composed of 35 plans of action which broke down into 3,400 specific action items. Cussatt said they declared success in December 2017, but admitted that VA is still not free of information security material weaknesses.

“The ECST served as the foundational start for all of this, now we are tasked with institutionalizing all of these great capabilities and new processes, policies, procedures, technical capabilities that we put in place over the past two years,” Cussatt said on the show.

The audit acknowledged progress made by the ECST, but stated in the report that,”…the aforementioned controls require time to mature and demonstrate evidence of their effectiveness. Accordingly, we continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation of the security program.”

The report states that the executive in charge for the VA Office of Information and Technology (OI&T) generally agreed with the audit’s findings and recommendations. According to auditors, VA’s corrective action plans are responsive to their recommendations and provide sufficient plans and targeted completion dates.