The VA once again failed its annual cybersecurity audit.
For the 16th consecutive year, the Department of Veterans Affairs failed its annual cybersecurity audit. The investigation sought to find out whether the agency was in compliance with the Federal Information Security Management Act (FISMA). The VA inspector general (IG) will not release the full audit details until next year, according to Federal News Radio.
However, VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing.
“I was disappointed and I know the team was disappointed given the significant time and effort we applied this year,” Warren told the press prior to the hearing. “But we are going to continue to drive on this. We are going to continue to push so that we move forward on the rigorous, disciplined plan the team has put together so that when the audit team shows up next year they will continue to see the constant improvement they recognized even this past audit season.”
However, Warren added that auditors did tell VA leaders that noticeable progress had been made from the year before. In 2013, the IG found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.
It is necessary for the VA to work harder in four specific areas, according to Warren.
“[The IG] want us to work harder in terms of how we manage the configurations of our million-plus systems and make sure we’re doing it in a standardized, consistent way, and that the folks out at the sites doing the work are consistently implementing the standards,” he told the news source, adding that the VA was told to work on access controls as well.
Moreover, the VA was told to work on its security management: from an auditor’s perspective, it needs to move from one-point-in-time accreditation to continuous monitoring of its systems. Lastly, the department needs to implement better controls in its contingency management, Warren said.
Even if the VA is not living up to auditors’ and standard interpretations of FISMA, Warren said that he believes veterans’ personal data is protected from cybersecurity intrusions. For example, the VA’s monthly reports to Congress typically show that when veterans’ information – including PHI – is improperly disclosed, it’s due to incorrect mailings or to an employee failing to follow established policies, he said.
While the monthly reports are seemingly showing incremental improvements, the US Government Accountability Office (GAO) found that there are numerous cybersecurity vulnerabilities that the VA must still address. Specifically, the GAO stated in its report that by not keeping sufficient records of its incident response activities, the VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents.
Additionally, the report said that the VA’s networks and devices are susceptible to cybersecurity risks because the agency has not fully implemented an effective program that identifies and mitigates vulnerabilities in workstations and other network devices. The VA was told it should apply security patches, perform an appropriate level of scanning, and identify compensating controls and mitigation plans.