VA Needs to Address Information Security Shortcomings

Published: March 26, 2014


The number of cyber incidents reported by VA to US-CERT has more than doubled over the past six years, according to GAO, topping out at 11,382 incidents in 2013.

GAO’s Gregory Wilshusen, Director of Information Security Issues, testified Tuesday before the House Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, which is considering draft legislation to improve VA’s security posture.

Information technology is crucial to fulfilling VA’s mission of providing medical care, benefits, social support and memorials to the nation’s veterans. However, VA’s IT systems have exhibited ongoing security vulnerabilities which could compromise veteran personal information and pose a material weakness for the department. According to GAO, VA’s systems have shown weaknesses in key information security control areas for the last six years: access control, configuration management, segregation of duties, contingency planning, and security management. VA’s inspector general has reported that development of an effective information security program and system security controls is a major VA management challenge.

VA requested a 5% ($180 million) increase in IT spending as part of its FY 2015 budget request. $156 million of that would be allotted to the Corporate IT Support Enterprise Cybersecurity and Privacy investment line item, which equates to a 17% increase (+$33 million) in funding over FY 2014 enacted levels.

During a March 13th budget hearing before the House Veterans Affairs Committee, Indiana Republican Rep. Jackie Walorski asked, “Will that amount finally assist VA in addressing numerous deficiencies we’ve brought to VA’s attention?” VA Secretary Eric Shinseki handed the question off to CIO Stephen Warren, who said that it would, but offered no details.

Draft legislation under consideration would require VA to improve and ensure security of veteran health information, as well as web applications and IT infrastructure. The legislation would also aim to improve information security governance, transparency and coordination in the department. According to GAO, much of the legislation is founded on sound cybersecurity practices and follows federal guidelines. If implemented on a “risk-based basis,” VA would be afforded flexibility to adapt to the evolution of technology and business practices over time. Wilshusen backed the draft legislation being considered by the House panel.