The Veterans Affairs Department has a plan to finally get rid of more than two dozen long-standing cybersecurity weaknesses over the next 18 months.
LaVerne Council, the assistant secretary of the Office of Information and Technology and chief information officer at VA, said the new enterprise cybersecurity team has a strategy to fix all 30 material weaknesses highlighted annually by auditors for much of the last 17 years.
“By having this strategy in place, and now the leadership in security — our new CISO is Brian Burns, who is leading the organization to complete and eliminate all of the items and recommendations that we needed to no longer be a material weakness by the end of 2017,” she said. “So having that clean roadmap, a clear understanding of all the various tasks that go into adjusting such a large enterprise as the VA, is critical and I feel very good that we are now on the right path.”
VA’s inspector general highlighted material weaknesses in the agency’s cybersecurity for a 16th straight year in 2014. The IG hasn’t yet released its results for 2015.
Additionally, VA’s cyber struggles have caught the attention of Congress, which has turned up the heat in recent years because it believes the agency has not acted quickly enough to better protect the data of veterans.
In her seven months on the job, Council has focused on fixing both challenges.
She sent her enterprise integrated security strategy to Congress in September and created the enterprise team soon after coming on board.
She said the team set the priorities for which material weaknesses to address first.
“That was a 3-4 month effort because you have to get it right and everything has to drop in the right order because if you do something first, you may be redoing it because you did it too early,” Council said. “In the case of cyber in particular, you always are in a cycle of continuous assessment, always looking for what you need to change and always saying, ‘That was a great idea yesterday, but knowing what I know today, I’m going to do something different tomorrow.’ So what we really did was build that kind of process that it was ever looking at itself, ever questioning itself, leveraging risk management smartly and assessing ourselves as we go, to make sure just because we thought that was the case in December 2015, it may no longer be the case in December 2016.”
Council said she is seeing real progress, starting with having a road map. Second, she said VA has cleaned up who has elevated system privileges across the department, and implemented two-factor authentication.
“By doing this process, even though it was a heavy lift for a short period of time, it has created the kind of awareness that you need throughout the organization versus just within the security team,” she said. “This is an organization awareness and something that everyone in the organization knows we have to address. We really have all hands on deck.”
On Capitol Hill, Council continues to try to mend fences. She said VA has been meeting with the House and Senate committees on veterans affairs every six weeks. She also said VA met with the House and Senate appropriations committees.
One sign of the relationship getting better is that Congress fully funded VA’s request for more than $300 million for cybersecurity in fiscal 2016.
“I think it’s very important that they understand what we are doing. What’s our approach, what’s our framework. We’ve leveraged and set out our work that is now, near and future, and I explained to them why and how it will help us execute,” she said. “One of the key commitments I [made] when accepting this role, I would leave this organization they can leverage in its entirety long after I’m out of this office.”
She said the focus on continuity isn’t just about cybersecurity, but it permeates nearly every one of her priorities.
For example, with cybersecurity, Council said she has plenty of money but not enough skills in the workforce.
“We’ve got to figure out smart ways to get people to come and take on these opportunities in government and help us to really make sure we are staying abreast of, what I call the new: New by driving real technology in support of our veterans,” she said.
The workforce challenges extend beyond cybersecurity. VA has reorganized the Office of Information and Technology and added five new functions:
Enterprise Program Management Office
Quality and compliance
Council also is filling those roles with expertise from outside of VA. For instance, Ron Thompson, the new principal deputy CIO, came over from the Department of Health and Human Services, and Rob Thomas, who runs the EPMO, came over from FEMA about a year ago.
She also plans on hiring experts to run the data management, quality and compliance, and strategic sourcing offices in the coming year.
“As most people know they tell presidential appointees to pick one or two things to get done, but I just couldn’t do it,” Council said. “When I looked at what the organization needed and the importance of the mission, it was more important that we put a platform for success in place and that also meant we needed new leadership and go after it. It is a heavy lift, but the challenge is worth it.”
Council’s long-term view also includes operational improvements such as implementing the IT Infrastructure Library (ITIL) methodology, moving to an enterprise approach to agile development, and adopting a new program and project management approach, called the veterans-focused integration process (VIP), which replaces the Project Management Accountability System (PMAS).
VA also is considering a pilot using commercial software for a new scheduling system. The agency is waiting for leadership approval before moving out with the test case.
“The real question is can we get what we need to get as quickly as we need to make sure the veteran has access,” Council said.
VA awarded Systems Made Simple, a subsidiary of Lockheed Martin, a $624 million contract in August to develop a new medical appointment scheduling system.