VA reports improvements, unfinished work on information security
VA's top IT official tells Congress that the legacy of a decentralized management structure still lingers, as the agency tries to promulgate security standards.
Stephen Warren, the Department of Veterans Affairs' CIO and executive in charge for the Office of Information and Technology
The Department of Veterans Affairs' top IT official told a House panel on Nov. 18 that he was putting $60 million in funding toward trying to get a clean information security audit from the VA's inspector general.
Stephen Warren, the agency's CIO and executive in charge for the Office of Information and Technology, said that those funds will go to hiring more than 325 staffers to work on outstanding information security issues, including a serious problem with applying patches to VA systems, mitigating vulnerabilities and removing unauthorized applications. Additionally, the funds will pay to improve processes for granting and removing access privileges to employees as they enter and depart the organization.
Information security is a long-standing issue for the VA. While the 2006 theft of a laptop containing information on more than 25 million veterans made headlines, more mundane issues such as password management, access to VA systems by former employees, and failure to patch systems with software updates have plagued the sprawling department for years. The VA's Office of Inspector General reported that it had identified IT security controls as a "material weakness" for the 15th consecutive year in fiscal 2014.
Sondra McCauley, deputy assistant IG at VA, noted in her testimony that the department was making improvements through its Continuous Readiness in Information Security Program, dubbed CRISP, which launched in 2012. These improvements included continuous monitoring for IT systems, security awareness training, testing of contingency plans, updating background checks on employees cleared for sensitive data, and compliance tools. Testing also revealed that the VA was relying on temporary authorizations to operate for systems that are not up to standards put out by the National Institute on Standards and Technology.
Despite some progress, McCauley's team did not accept the documentation from the Office of Information and Technology at VA as sufficient to remove the "material weakness" designation. For some context, VA is one of seven out of 24 CFO Act agencies that have failed audits required under the Federal Information Security Management Act.
McCauley noted that there are 30 outstanding recommendations for changes that were unaddressed from the fiscal 2013 report, and five from prior years, for a total of 35 OIG recommendations that Warren's team is responsible for addressing.
"While OIT has made some initial effort, it has not provided sufficient information to support closing the recommendation," McCauley said.
Warren told the committee that data on veterans was protected at the network perimeter by the Department of Homeland Security's Einstein 3 system, which scans network traffic for known threats, like phishing emails. The system, Warren said, blocked about 80 percent of emails going into the VA. The VA also tapped security consultant Mandiant to report on the security of VA's domain controllers, which authenticate traffic going in and out of agency networks.
Scheduling scandal reveals culture problems
The ostensible purpose of the hearing was to showcase links between mismanagement of IT policies and procedures, and the ability of some VA personnel to manipulate the scheduling system to keep veterans waiting for appointments while appearing to meet goals for lowering wait times.
Committee Chairman Jeff Miller (R-Fla.), who submitted a written statement because he had to attend to House Steering Committee votes to select committee chairs for the incoming Congress, stated that "it has become clear that a common thread in these scandals continues to be weaknesses within VA's Office of Information and Technology and the systems for which they are responsible."
Warren, however, asserted that VA software did not play a part in the manipulation of scheduling records in medical centers in Phoenix and elsewhere. "To my knowledge, there have been no indications that appointments were changed or canceled other than through the normal way that the software was designed to do," he told the committee -- noting that it was employees who altered schedules "inappropriately."
"If folks are using false accounts or false patients, I find that abhorrent," Warren said.
He also said that as a direct result of the scandal, orders were issued to require audit logs to be kept for scheduling systems at all VA locations nationwide.
"Not only did we turn it on -- it reflected our history as a decentralized program where every site controlled what was turned on or off -- we pulled the ability to turn off at local sites away from them," Warren said.
According to Warren, a few of the longstanding information security problems do reflect efforts by the VA to adjust to the centralized IT structure set down in 2009. But the overwhelming majority -- 98 percent -- of security exposure incidents at VA are due to loss or theft of paper documents with personally identifiable information, loss of secure ID cards, or lost devices. "Physical exposure of VA data is the most significant risk facing our information security posture," he said.
But Miller laid the problem at the feet of VA management and OIT. In a written statement submitted because he had to attend to House Steering Committee votes selecting committee chairs for the incoming Congress, Miller focused on Warren and other top department officials.
"Within the past decade, Congress has provided over 28 billion dollars to VA's Office of Information and Technology to ensure its goals and actions are aligned with and driving the strategic goals of the agency," Miller said. "Given the availability of resources, it is apparent that this office's lack of success and repeated underperformance is a leadership failure."
The VA plans to issue a request for proposals for a new scheduling system by the end of the week. Among other facets, that system will include an audit trail function that cannot be locally disabled, Warren said.