LaVerne Council is on a mission to change the tone and tenor of the Veterans Affairs Department’s struggle with cybersecurity.
First, the VA chief information officer since July ordered a review and analysis of why the department has struggled for so long with cybersecurity. Then Council, who spent her career in the private sector, created a plan to address current weaknesses and new threats.
Council delivered that plan to Congress on Sept. 28 and now is moving out on implementing it.
My colleague Nicole Ogrysko detailed Council’s plan in her story from Oct. 16. It includes eight cyber domain areas, including risk management, security architecture and medical cybersecurity.
But maybe the biggest difference is Council is trying to repair VA’s relationship with the House and Senate oversight committees and the agency’s inspector general.
It’s no secret the House Veterans Affairs Committee and former CIO Stephen Warren didn’t get along. From what I’ve seen and covered over the last two-plus years, the blame can be shared for the poor relationship. But at the same time, when your boss tells you they are concerned about something, you usually respond by changing or fixing the problem. And whether Warren or other senior ranking VA officials agreed with lawmakers and auditors or not, the long-standing material weaknesses should’ve been their top priority. VA failed its Federal Information Security Management Act audit for 16 straight years. The fiscal 2015 FISMA audit is due out in the next month or two.
And that’s the difference with Council. She said at the Government IT Executive Council event on Oct. 15 that her new strategic framework focuses on five broad areas, and within the execution section is eliminating material weaknesses.
“If that’s how our inspector general and auditors look at it, then I said to my staff, ‘let’s just get it done,’” she said. “We can’t be successful without an integrated security program, so that was job one for me at VA. The strategy is focused on defense in-depth and has detailed and clear plans that are based on a strong set of goals. What we have to do within those [eight] domains are defined and achievable.”
That new viewpoint isn’t lost on congressional overseers.
A House Veterans Affairs Committee staff member said lawmakers have been impressed with Council so far.
“She has acknowledged a litany of VA IT problems her predecessors simply denied or attempted to downplay, and she seems genuine in her desire to solve them,” the staff member said in an email to Federal News Radio. “Her challenge will be accomplishing these goals in a limited amount of time within the confines of a historically intransigent bureaucracy with a long and well-documented aversion to accountability.”
Sources say she’s already briefed VA’s oversight committees several times and is trying to repair the relationship by building up trust.
As for the cyber strategy, Council isn’t rolling out new programs or technologies, but focusing on the basics, whether it’s host intrusion and prevention systems, antivirus or the Homeland Security Department’s initiatives such as EINSTEIN 3A or continuous diagnostics and mitigation (CDM).
With about 15 months left at VA, Council is taking a multi-level approach to cyber, addressing short-, medium- and long-term goals, and through it all, putting the veterans’ needs at the center of all she does.