VA’s Strategy to Advance Cybersecurity

Published: November 22, 2021


Earlier this month, VA released a new cybersecurity strategy to guide efforts to protect systems and data by adapting to changing threats and evolving technologies.

The new cybersecurity strategy fits into the broader VA Strategic Plan for FY 2018 – FY 2024. In Secretary McDonough’s introductory message, he states that the new strategy will help the department serve veterans by “addressing the challenges of today and adapting to the technologies and threats of tomorrow. It will also make VA more agile and innovative…”

The VA relies heavily on technology to fulfill its mission of providing care and benefits for veterans. The department also bears the responsibility to protect its information resources and systems, and safeguard veteran data. Cybersecurity is also critical to retaining veteran trust and confidence in the department.

Deltek’s analysis shows that VA’s FY 2022 cybersecurity budget request is $450M, down $22M (5%) compared to FY 2021. The budget provided no details to explain the drop in the funding request. However, telework due to the pandemic accelerated some cybersecurity efforts. Prior to the pandemic, VA was mostly an on-premises environment. The demands of sudden telework fostered investments and an integrated approach to cybersecurity.

The new cybersecurity strategy specifies five strategic goals:

  • Secure and protect VA and veteran information
  • Protect information systems and assets
  • Leverage innovation to strengthen cybersecurity
  • Enhance cybersecurity through partnerships and information sharing
  • Empower VA mission through cybersecurity risk management

Each goal contains several underlying objectives as specified below:

Secure and protect VA and veteran information

  • Identify and tag sensitive data - Identifying VA controlled data that requires protection from unauthorized use or access.
  • Protect data at rest - Encrypting data stored on hardware and network assets.
  • Protect data in transit - Securing the means, ports, and protocols used in data transmission.
  • Prevent data loss - Detecting and preventing unauthorized access, spillage, or exfiltration of data through dataflow monitoring and management.

Protect information systems and assets

  • Maintain full visibility and accountability of all hardware and software assets - Manage the configuration and provisioning of VA IT hardware and software assets.
  • Maintain full visibility and accountability for all VA information systems - Ensure information systems are known and managed within their authorized environments.
  • Enhance and safeguard authorized system access - Authenticate users and control their access based on assigned roles and responsibilities.
  • Proactively secure VA networks - Apply standards and best practices to prevent unauthorized access and improve the detection of malicious activities.
  • Promote resilience through effective response and recovery - Minimize impact to business operations and continuity in the event of a compromise, data loss, or breach.

Leverage innovation to strengthen cybersecurity

  • Streamline processes through adopting innovative solutions and capabilities - Finding new technologies to address challenges and improve processes.
  • Embed cybersecurity in systems engineering and acquisition processes - Ensure that IT application, system, and network solutions include cybersecurity in design, engineering and acquisition.
  • Adopt innovative cybersecurity solutions - Leverage technology to enhance the Department’s cybersecurity capabilities.
  • Empower VA workforce to integrate cybersecurity in daily operations - Recognizing that all VA employees play a role in cybersecurity and they are the Department’s first line of defense.

Enhance cybersecurity through partnerships and information sharing

  • Elevate cybersecurity as a mission and business enabler - Bringing value to the mission and business.
  • Remove barriers to sharing threat information - Understanding that information sharing elevates the cybersecurity posture of all.
  • Enhance internal partnerships and cybersecurity coordination - Providing cybersecurity assistance and solutions that are actionable and with our partner’s interest in mind.
  • Promote mutually beneficial external cybersecurity partnerships - Recognize and leverage partnerships with other federal agencies and the private sector for mutual support and cybersecurity awareness.

Empower VA mission through cybersecurity risk management

  • Reduce exposure in high-risk areas - Address known vulnerabilities and risks that could have a major impact on the department’s mission.
  • Strengthen trust in VA’s cybersecurity program - Refine and strengthen the department’s cybersecurity program through transparency and mission alignment.
  • Promote informed cybersecurity risk management decisions - Foster a culture of risk-aware planning, thinking and decision-making.

Under the CIO, the VA Office of Information Security (OIS) oversees and manages VA’s Cybersecurity Program. OIS will be responsible for implementing the strategic goals of the cybersecurity strategy.

As VA implements this new cybersecurity strategy, contractors may find opportunities to assist VA in improving cybersecurity protections by aligning their solutions with the goals and objectives of the new plan.