The Veterans Affairs Department’s cybersecurity has been deemed a material weakness longer than the Federal Information Security Management Act and its predecessor the Government Information Security Reform Act (GISRA) have been in existence.
And for the 19th straight year, VA’s inspector general determined the agency’s progress was not enough to bring it off the bad list.
But Dominic Cussatt, VA’s chief information security officer, and former VA acting CIO Scott Blackburn say 2018 may be the year its FISMA audit finds no material weaknesses.
“It’s a testament to the work VA has done since we published our 2015 cybersecurity strategy and established our Enterprise Cybersecurity Team, which executed against an integrated master schedule of over 3,000 line items to deliver over 35 different plans of action to support cybersecurity activities and noted deficiencies,” Cussatt said on Ask the CIO. “What we got out of that enterprise cybersecurity strategy team was a lot of that foundational stuff that was missing. Now in 2017, we updated our strategy to set the next wave of activities. What you will see in that strategy is a lot more work in terms of institutionalizing these foundational capabilities into the culture and into the bedrock that is under all of our IT systems and these innovative technologies that we are building. So 2018 will be a very busy year trying to take advantage of everything we’ve done over the past couple of years.”
Cussatt said the IG’s comment that VA is clearly making progress and fixing longstanding problems marks the first time in many years that auditors have taken notice of real improvements.
“I’m very optimistic that if we don’t recover from the material weakness for this year’s audits, we will see, again, a notation from our IG that they’ve seen significant improvement. We’ve been told by our IG that they need to see a trend, not only that we’ve fixed some of these persistent problems, but they will stay fixed,” he said. “I’m very cautiously optimistic. I think we have very well addressed the findings from last year. We were very careful to map everything they found to our NIST security controls and come up with plans of actions to address them. I’m optimistic if not in 2018, then certainly in 2019 we will see this material weakness lifted from the VA.”
The IG reported on April 11 that VA continues to struggle across nine broad areas, including having an agencywide security management program, identity management and access controls, configuration management controls and contractor systems oversight. Auditors reported VA closed four recommendations from the 2016 audit and made 29 recommendations based on its findings in 2017.
“Moving forward, VA needs to ensure a proven process is in place across the agency. VA also needs to continue to address deficiencies that exist within access and configuration management controls across all facilities,” the audit states. “VA has continued to mature the process related to its Risk Vision Governance Risk and Compliance (GRC) tool for the purpose of enterprise-wide risk and security management. However, we continue to identify deficiencies related to overall governance to include risk management processes, plans of action and milestones, and system security documentation. Each of these processes is essential for protecting VA’s mission-critical systems through appropriate risk mitigation strategies and is discussed in the following sections.”
Blackburn, who resigned as VA’s acting CIO on April 15, said in March that over the past year the agency built up its talent and skill sets, while also working closely with the Defense Department to implement its best practices.
He said Cussatt and his cyber staff are creating systems and processes that are the basis for the continued improvements.
Cussatt said the area where VA made the biggest improvement over the past year was implementing two-factor authentication under Homeland Security Presidential Directive-12. A year ago, VA was stuck at about 12 percent of the non-privileged workforce using smart cards to log into the computer network. By the end of 2017, Cussatt said, VA’s compliance was over 90 percent of a workforce of more than 300,000.
At the same time, VA reduced the number of employees with elevated network privileges, commonly known as privileged users. Cussatt said VA had a huge number of people with elevated privileges who did not need them; the percentage of privileged users is now down by 96 percent.
He said enterprise risk management was another shortcoming highlighted by auditors that the agency improved.
“When I arrived at VA a couple of years ago, we had many, many systems that were out of tolerance in terms of their systems authorizations, or authorities to operate (ATO) as NIST refers to them,” Cussatt said. “We’ve since updated that process, improved our automated process for the workflows for that process and created greater accountability back to the system owners for those systems to ensure they are securing those systems and authorizing them in a timely way. We are in a state where we are more persistently at 100 percent ATO issuance for all of our systems across the network.”
VA’s ATO process was at the center of a controversy in 2013 when a former CISO alleged the agency was “rubber stamping” approvals.
But since then, Cussatt, who arrived at VA in 2016 and became its CISO in 2017, helped turn around the ATO process and addressed several other longstanding challenges.
“Everything we do in cybersecurity is affected by and revolves around our implementation of the NIST risk management framework,” he said. “All the steps that are required to identify your security requirements, implement the security controls, assess them and then authorize the system for connection to the network and then perform continuous monitoring. We keep that at the heart of everything that we do and we try to relate back all security related activities to that process and to our security control baseline. In the past, we’ve had these little stovepiped cybersecurity activities that were very hard to keep track of and not related back to any central cyber effort. Now everything that we do we refer back to what step or phase of the risk management framework it is in.”
Cussatt added VA published an updated cyber strategy last October, which further oriented its plans around the NIST cyber framework.
“We’ve turned the discussion from a discussion of a checklist of cyber controls you have to do or you don’t get on the network to this is really risk management. Your baseline of security controls is your reference list, but it doesn’t necessarily mean you implement all the controls in that baseline exactly the way they are described and exactly the way the implementation procedures tell you,” he said. “It’s about being aware of everything that is on that list and making sure you accounted for all the risks those controls mitigate, and if you didn’t do a control or couldn’t do one of the controls because of your environment, you’ve looked at it and made sure you have compensating controls or measures in place to account for that. This is a new discussion, whereas everybody used to be very frightened by the fact that we didn’t have a fully executed checklist; instead it’s a more productive discussion about the fact that we from cybersecurity are here to empower your mission and help you meet your mission objective.”