VA’s IT centralization could slow security fixes

Featured eBooks
Space Tech
Read Now

Cyber Workforce

Read Now

AI in the Workplace

Read Now
Insights & Reports
2024 NA Federal Industry Trends Survey
Presented By Cellebrite
Download Now
Zero Trust: Understanding the Identity maturity model
Presented By Okta
Download Now
By GCN Staff

By GCN Staff

|

Lawmakers and oversight authorities are expressing doubts that the way the Veterans Affairs Department is centralizing its IT organization will ensure that security is marbled throughout its agencies.<@SM>

Lawmakers and oversight authorities are expressing doubts that the way the Veterans Affairs Department is centralizing its IT organization will ensure that security is marbled throughout its agencies.Representatives of VA’s inspector general and the Government Accountability Office told lawmakers at a hearing earlier this month that it was necessary to centralize IT authority, including data security and enforcement, under the department CIO so VA can apply and enforce security departmentwide. Last year, the IG made 16 recommendations that remain open to fix major weaknesses in security controls.“The 16 recommendations speak to the issue of standardization, and they can only be accomplished if the three administrations [the Veterans Benefits, Veterans Health and National Cemetery administrations] work collectively to address them as one voice,” said Michael Staley, VA’s assistant inspector general for auditing.As a result of its decentralized nature, both GAO and the IG have reported, VA has made IT security improvements in specific locations but not across the department.“This piecemeal approach of providing security is not an effective way of doing business,” said Rep. Shelley Berkley (D-Nev.), ranking member of the House Veterans Affairs Subcommittee on Disability Assistance and Memorial Affairs.VA, however, has chosen a federated model of centralization under which the department CIO will have authority over IT operations and management and related personnel, while VA’s administrations will retain authority over IT development and those employees.Lawmakers and auditors are concerned because security needs to be a part of the entire lifecycle of a system from planning through operation and maintenance. Officials said allowing that job to be handled by different parts of the department leaves too much room for error.VA still needs to develop policy to coordinate security across the department and ensure authority and independence for security officers, said Gregory Wilshusen, director of GAO’s information security issues.VA recently took steps to strengthen IT security after reporting the theft of sensitive data, tightening and filling in gaps in data security policies and procedures.Wilshusen said he has had one meeting with the Veterans Benefits Administration since the data theft about changes in policies, and officials seemed very concerned.“They will have to execute them, and it will take time and effort. The true test is whether VA can implement the policies over the long term,” he said.“I think that it will require ... strong communication about the security requirements, because it’s imperative that security considerations and requirements be considered during the development of these systems so they can be put into it rather than after the fact,” Wilshusen said.To emphasize data security among employees, VA this week inaugurated Security Awareness Week.
























NEXT STORY: DHS Special Report | Authentication, ID are in the cards