In the two years since the Veterans Affairs Department announced its goal of closing all cybersecurity material weaknesses, the efforts detailed in the latest audit report from the agency’s inspector general seem to be making a difference.
While VA fell short of its ultimate objective of cybersecurity not being a material weakness in 2017—the 18th year in a row auditors rated it that way — the Office of Information and Technology (OI&T) said in its response to the IG’s Federal Information Security Management Act (FISMA) report to Congress that it has made significant progress across all 33 recommendations, and is asking the IG to close 18 of them.
For example, the IG says VA continued to struggle with ensuring systems had an up-to-date authority to operate (ATO).
“Specifically, process deficiencies allowed certain system authorizations to operate to expire and allowed other systems to be reauthorized by an official without the proper authority,” the IG stated.
But VA’s chief information officer’s office says its Enterprise Cybersecurity Strategy Team (ECST) has updated its processes and is now using the ongoing authorizations approach as required by the Office of Management and Budget in the Circular A-130 update issued last fall.
“By the end of calendar year 2016, systems requiring an ATO were updated to reflect the new AO,” OI&T’s response stated. “Updated assessment and authorization (A&A) policy and process to redefine roles and responsibilities of VA’s authorizing officials (AO), and AO procedures, which will allow for oversight of systems throughout their full lifecycle. Office of Cyber Security Policy and Compliance (OCSPC) conducts routine, regularly scheduled briefings with the AO prior to issuance of ATOs on systems within their purview.”
The system authorization process has been a problem at VA for some time. Back in 2013, former VA chief information security officer Jerry Davis claimed VA was “rubber stamping” ATOs in order to get them completed before they expired.
After several congressional hearings and the turnover of the CIO, VA’s new leadership promised to fix the long-standing cyber problems. Former VA CIO Laverne Council said when she took over the role in 2015 that her intention was to get rid of the more than two dozen cyber weaknesses over the next two years.
“When the OIG receives evidence of appropriate corrective action, we will generally close that recommendation,” Halliday said. “As VA provides documentation to support the corrective actions taken on any recommendation, we will review it and make the determination on whether we can close that recommendation. Further, we continue to assess VA’s progress in implementing corrective actions and their ability to sustain improvements impacting VA information security posture during our annual FISMA review in the following year.”
One area where VA says it has made progress has been a long-time challenge around password management.
Over the past two years, the ECST has implemented technology to enforce password policies, mandated the use of smart identity cards and initiated single sign-on capabilities.
“VA has enhanced password monitoring policies via credentialed, predictive scans and remediation processes on OI&T systems. Routine system scans are completed by the Network and Security Operations Center (NSOC). Enterprise Discovery Scans (EDS) are conducted on a quarterly basis to detect password vulnerabilities across the enterprise,” OI&T told auditors. “In order to improve organizationwide availability of security data, VA has enhanced the reporting of scan results and has published results with historical data on the Nessus Enterprise Web Tool (NEWT). VA is using NEWT dashboards to monitor password vulnerabilities and show trends based on the results of EDS scans. Scan results are shared with users in the enterprise who have been granted access to NEWT.”
Another major problem the IG pointed out was the lack of visibility into their networks and therefore failure “to identify numerous high-risk security incidents, including malware infections that were not remediated in a timely manner. Specifically, we noted these issues at three major data centers and two VA medical centers.”
The CIO’s office said it expects to complete the national deployment of an enterprisewide security incident and event management tool by June 30.
VA’s OI&T said it is currently “receiving logs from across the enterprise to include centralized logging from devices owned and managed by field operations to include Windows and Linux servers, and network infrastructure devices (routers/switches). Other log sources such as domain controllers, Domain Name Services (DNS), and ePolicy Orchestrator (ePO) systems are now also included in the centralized logging repository, which helps to enrich the data lake and enhance data available for event monitoring, correlation processes and incident response. Currently, only failed logon events are being collected for infrastructure devices.”
VA OI&T also expects to complete a related effort by June 30 to track and make sure patches and vulnerabilities are closed in a timely manner.
“VA has an enterprise-wide scanning program performed by the NSOC on a scheduled and ad-hoc basis (when needed or requested). Results of the scans are rolled into NEWT for analysis and reporting. The analysis tool provides an enterprise view to the terminal device level (specific Internet Protocol),” the office’s response stated. “NEWT coverage has been expanded to include Cisco and Red Hat Enterprise Linux scan results as well as trending and historical remediation efforts. VA implemented DbProtect, a database scanning tool, to gain enterprise level access and insight to the many databases that exist in the organization.”
VA told the IG it expects to close eight of the remaining recommendations no later than Sept. 30 and then five more by Dec. 31.