Despite what Veterans Affairs leaders said was progress toward shoring up their IT security processes, the department will receive a failing grade on a key annual cybersecurity audit — the 16th consecutive year in which it’s fallen short.
The VA inspector general won’t publish the full details of the 2014 audit results until next year, but last week, the IG formally notified the department that it concluded, once again, that VA has significant material weaknesses with its compliance with the Federal Information Security Management Act, (FISMA).
Stephen Warren, VA’s chief information officer and executive in charge of the Office of Information and Technology, disclosed the audit result to reporters in advance of a Tuesday House Veterans Affairs Committee hearing that will scrutinize cybersecurity challenges within VA.
“I was disappointed and I know the team was disappointed given the significant time and effort we applied this year,” Warren said. “But we are going to continue to drive on this. We are going to continue to push so that we move forward on the rigorous, disciplined plan the team has put together so that when the audit team shows up next year they will continue to see the constant improvement they recognized even this past audit season.”
In its 2013 audit, the IG identified some 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. The corrective actions the IG has been recommending run the gamut of common IT functions, including identity and access management, incident response, configuration management and continuous monitoring.
Warren was not able to immediately provide details on how many of the IG’s recommendations remain unresolved, since the latest round of suggestions won’t be finalized until the office issues its final 2014 FISMA report.
But another VA official, who requested anonymity because the 2014 results aren’t yet final, said the department will argue that it has met the standards necessary to close the books on at least 18 of the 35 issues the IG identified last year.
Warren said auditors acknowledged to department leaders that they had made noticeable progress toward the FISMA requirements over the past year. The IG told the department that the list of 6,000 vulnerabilities it identified in 2013 has been cut by 21 percent.
“But they want us to work harder in four major areas,” Warren said. “They want us to work harder in terms of how we manage the configurations of our million-plus systems and make sure we’re doing it in a standardized, consistent way, and that the folks out at the sites doing the work are consistently implementing the standards. Also, on the access controls:
We need to make sure that as people come in and go out that our HR system is linked up to our IT system in terms of who has access and why. On security management, we need to fully implement — from an auditor’s perspective — our move from one-point-in-time accreditation to continuous monitoring of our systems. They pointed out a couple areas where we need to do more. The last one is on the contingency management side. We need to make sure we have better controls in that area.”
Warren said VA already has a detailed plan that it used to improve its cybersecurity posture during the 2014 audit season, and started modifying the plan to address the IG’s updated set of concerns.
But he also argued that some perspective is needed when gauging the significance of figures like the 6,000 security issues the IG initially pointed out. He said while that sounds like a big number, it can be misleading given the scale of VA’s IT enterprise.
“If I’m running on a base of 1.2 to 1.4 million devices, and I’m running multiple services on each one of those, you’re talking about 70-150 million different things that you’re looking vulnerabilities on,” he said. “I’ve also got 1,000 enterprise systems we’ve built and deployed. When you talk about 6,000 vulnerabilities, we treat them all as important, but when you look at it on the scale you’ve got to put some balance in it.”
CRISP bridging the gap
Warren told reporters he believes veterans’ data is secure from cyber intrusions even if the department is not living up to the auditors’ and standards bodies’ interpretations of FISMA.
He pointed to the department’s monthly reports to Congress — noting that they routinely show that when veterans’ information is improperly disclosed, it’s generally because the wrong piece of paper was mailed to the wrong person, an employee failed to follow established policies or a piece of computer hardware was stolen, not because of a an cybersecurity shortcoming per se.
A VA initiative called the Continuous Readiness in Information Security Program (CRISP) is meant to help bridge that gap between IT policy and execution.
“Security is not a one-time deal. The standards and industry practices change all the time. So one of the reasons we put CRISP into place is to get the organization — not just IT — to recognize that this is something we need to work at every day,” he said. “As the threat changes, our defensive posture needs to change and we need to be proactive. CRISP is making sure that VA as an organization, not just the office of information and technology, recognizes that the practices that are used in day-to-day behavior is critical to protecting veterans data. We keep educating employees about what this means for you, and that it’s not a tradeoff between services for veterans and risk, it’s a balance between the two.”
The balance is a struggle for VA, and Warren freely acknowledged that in some cases the department is making calculated decisions to accept more cyber risk so that doesn’t jeopardize its day-to-day mission responsibilities.
“How do I get to that balance between folks having to do their job and the information protection risks? Our standards say that certain behaviors are bad, but unfortunately, some of those behaviors are necessary if you’re going to be delivering benefits,” he said. “One example we use is that we have triggers that block pornographic websites. We also have folks that do reconstructive surgery. They need to go and look at websites that show body parts to do their job, but many of them have been wrongly flagged as pornographic sites. We work with them to get them access to what they need, and on the surface, that’s a bad thing. But in reality our clinicians need that to deliver services to veterans. That may be an extreme example, but there are many like that where we have to do the balance between service delivery and making sure we secure the enterprise.”