VA Significantly Improved Overall Cyber Posture in the Last 18 Months

Published: May 26, 2021


Last week, VA’s Chief Information Security Officer (CISO), Paul Cunningham, told House lawmakers that the department made significant progress in improving its overall cybersecurity posture over the last year and a half.

Key Takeaways:

  • VA significantly improved its cybersecurity posture over the last 18 months.
  • The department’s networks and systems were not compromised during the SolarWinds attack.
  • A new VA Cybersecurity Strategy is scheduled for completion in September 2021.

On May 20th, the House VA Subcommittee on Technology Modernization heard testimony from Cunningham, as well as VA’s OIG and the Congressional Research Service regarding ongoing challenges and future plans for cybersecurity and risk management at VA.

Cunningham stated that national and international events altered how the VA operates. At the same time, the “COVID-19 pandemic fueled adversaries,” testing VA’s cybersecurity response processes. However, by leveraging sound cybersecurity practices including physical, technical and administrative controls, VA was able to protect the confidentiality, integrity and availability of its information and information systems.

Cybersecurity protocols allowed VA to safely pivot to remote service offerings and remote work environments. According to Cunningham, VA addressed unprecedented challenges and opportunities by “leveraging [its] core cybersecurity objectives as a sturdy framework.”

VA’s cybersecurity program core objectives are:

  • Secure and protect VA and Veteran information
  • Secure and protect VA’s Information Technology (IT) infrastructure and systems
  • Embed security in VA’s future IT investments
  • Enhance VA information security through external partnerships and information sharing
  • Drive down cybersecurity risk and resolve known weaknesses

VA was not compromised during the SolarWinds attack, according to Cunningham. “Like many other departments and agencies, VA downloaded and installed the vendor-verified patch for SolarWinds that contained malicious software,” Cunningham testified. Within 12 hours of CISA’s emergency directive, VA suspended use of the SolarWinds Orion platform and deployed all available indicators of compromise (IOCs). VA detected no exploitation or compromise on its networks. VA also enlisted CISA, the intelligence community, and Microsoft to evaluate its systems and networks. None of the entities found a compromise. The SolarWinds event had no impact on VA’s mission-critical activities, according to Cunningham.

Moving forward, VA is in the process of developing a new Cybersecurity Strategy planned for completion in September 2021. VA is also looking at innovative approaches to improving VA network and information security, including new architectures, enhanced data protection, and reduced reliance on veteran social security numbers for information processing. Additionally, VA has begun work to improve visibility and monitoring of medical equipment, through testing and deployment of a specialized device asset management solution.

Deltek believes VA will continue to rely on contractor support for information security initiatives. Cybersecurity is a cornerstone for VA’s IT modernization and digital transformation efforts, providing a robust market area for federal IT contractors.