IT Security Proves Complex Challenge for VA

Published: November 06, 2013

CONGRESSCybersecurityIT WorkforceOMBVA

The ongoing investigation into unreported security breaches at VA highlights the disconnect between lawmakers’ oversight and departmental realities.

In the aftermath of a potentially disastrous breach in 2006, the VA began a concerted effort to transform how it handles privacy. The department formed a Data Breach Core Team (DBCT) responsible for investigating, cataloging, and reporting potential security incidents. These reviews leverage the VA’s Privacy Security Event Tracking System (PEST) to determine whether a breach has occurred. Since then, the department has continued to make other investments in information security. Collecting and analyzing contracted spending associated with a selection of security-centric terms yielded over $3 billion in awards since FY 2009.  Over the last five years, contracted spending reported by the VA for these various information security areas has followed an upward trend. 

This steady investment, however, has not resolved all of the department’s security challenges. More recently, in March 2013, the inspector general (IG) reported that an investigation substantiated allegations that the department failed to meet encryption requirements for transmitting sensitive data. In particular, personally identifiable information (PII) and internal network routing data were transmitted over an unencrypted carrier network. At the completion of its investigation, the IG recommended that VA implement configuration controls to ensure encryption of sensitive data and that information technology personnel receive specialized training regarding appropriate data protection practices and associated security risks.

Then, at a House Committee on Veteran’s Affairs hearing in June, compromises to the department’s computer network were confirmed. However, department representatives were unable to identify which systems were breached, attributing the issue to lagging adherence with the Federal Information Management Security Act of 2002 (FISMA). The failure to notify Congress of the security compromise was also called into question.

Recent reports regarding the department’s failure to comply with FISMA requirements should include the following note: As of FY 2012, none of the 24 major federal agencies achieved full compliance with all 8 of the FISMA components.

That’s right, none of them. Not one.

Further, the VA scored just above 80 percent for its overall FISMA compliance. With agency scores ranging from 34 percent compliance to barely shy of 100, this puts VA in toward the top of the middle tier - a rather unremarkable position of not being at (or even near) the bottom of the ranks but still needing some work to improve security implementation. 

According to IT security spending reported in the FISMA report (drawn from the Office of Management and Budget’s Exhibit 53B), the VA reported $111.9 million in investments for FY 2012.  While this figure does not capture any off books spending, considering how these funds are allocated sheds some light on where resources are focused. With nearly 90% of IT security spending tied up in personnel costs, funding for upgrades and development of security improvements are likely to rely heavily on non-security programs with embedded security requirements.

Meanwhile, the House Veterans Affairs Committee has directed a number of formal inquiries to VA’s Office of Information Technology. It’s unclear what the questions included in these inquiries aim to achieve. Responding to each question and sub-question amounts to an undertaking that will consume time and resources, pulling personnel away from other projects and tasks to meet the approaching deadline on November 14.  Once the committee reviews the feedback, it may issue recommendations or pose additional questions. In the event that major steps are necessary to correct internal issues, the reality of current resource limitations will be a hurdle.