Mixed messages for VA IT
A report from Mandiant offers an upbeat assessment, but an IG report is critical of IT project management.
A five-month independent review found no major threats to the Department of Veterans Affairs’ computer servers, and no evidence of theft of VA data. The positive review is welcome news to a department that has previously come under fire for its vulnerabilities in cyberspace.
VA hired cybersecurity firm Mandiant to analyze its domain controllers, which are servers on a Microsoft Windows or Windows NT network, and to scour network traffic via a dozen sensors. The Mandiant assessment looked for “targeted threat groups,” which the firm defined as an organized group capable of operating in “the full spectrum of computer network intrusion,” among other criteria.
The assessment gave domain controllers high marks but found that one non-VA desktop computer connected to the VA network had potentially been compromised by an unknown threat group. VA has since disconnected the computer from the network and is investigating how the unauthorized computer was connected to the VA network, according to the Mandiant report, whose executive summary VA shared with reporters Jan. 23.
The positive review of VA systems comes in the shadow of the agency failing its fiscal 2014 IT audit, and as VA Secretary Robert McDonald’s shake up of the agency could further centralize IT procurement.
IG report critical of IT project management
While the news from Mandiant was good, problems in management and oversight remain five years after launching the Project Management Accountability System in the Officer of Information Technology, according to a report from the agency's Office of Inspector General.
The VA's $495 million roster of IT development projects is, "potentially being managed at an unnecessarily high risk," as a result, according to the report. This is the third audit report released by the VA's OIG covering implementation of PMAS, the incremental, agile delivery system that has become the hallmark of IT development at the agency.
In this report, OIG noted that the omission of planning and compliance reviews required under PMAS could lead to increased risk of failure or waste. The PMAS Dashboard was not capturing necessary data, according to the report. The report also cited significant vacancies in the PMAS business office were being staffed by contractors, and argued that the work would be better accomplished by full time federal employees.
The OIG's recommendations include making sure that required PMAS reviews of IT projects were conducted, that cost data on the PMAS dashboard be validated, hire for vacant full-time slots, and that OI&T cease using an existing PMAS staffing task order to hire contractors.
VA CIO Stephen Warren objected to the OIG recommendation regarding the existing PMAS business office task order, noting in his comments that the workload continues to grow for the PMAS business office, and that contractor support was needed.
NEXT STORY: CIS gearing up for deferred action