Having failed its cybersecurity audit for the 16th year in a row, the Veterans Affairs Department is attacking its problems at their roots.
The department is taking several steps to address long-standing cyber deficiencies to quicken its path toward a better grade under the Federal Information Security Management Act (FISMA) and, most importantly, to give more assurance to veterans, lawmakers and other stakeholders that VA's systems and data are as secure as possible.
Stephen Warren, the VA chief information officer, said the FISMA audit highlights continued implementation issues across the department, but the tone of the report makes it clear that the agency is making progress.
“This is not ‘hey let’s get ready for something that happens once a year.’ We are constantly adding on to it and improving it,” Warren said in an exclusive interview with Federal News Radio. “In spite of the work that we had done, there were areas where the intensity wasn’t where it needed to be. That’s why we asked Dan [Galick] to step into the role and basically synthesize across the organization. I think too often folks count on technical controls and other controls to do what they need to do. It’s why we have such a strong education program. It’s why we make sure we reinforce so it’s easy not to have to think about it.”
He said the department recognizes it needs to do more to synthesize across the policy side and the information security operations side, and to carry the day-to-day operational side into the organizational side. As that happens, everything has to work together.
Galick, the associate deputy assistant secretary for security operations, has stepped into the role as the operational security manager, overseeing the information security officers around the country at VA facilities, the security operations center and running a team under the Continuous Readiness in Information Security Program (CRISP) to work directly with field offices on operational security challenges.
“We will be going out to each of the sites, each of the hospitals, regional offices and really giving them the key things we need to be measuring, the key things we need to be pulling out and keeping this on their front burner all the time,” Galick said. “Over the course of this year…we will have to ramp up as auditors start to come in. This is really an everyday activity for me and this group to ensure that this readiness is right at the top of the stack.”
Reducing the cyber backlog
Bringing Galick to headquarters from the field is one of several steps Warren has taken over the last six months to “increase the intensity” of VA’s cybersecurity programs.
The “intensity” effort started in November when VA moved $60 million into its cybersecurity accounts to better deal with long-standing issues. That’s about a 38 percent increase over its $160 million non-personnel-related cybersecurity budget.
Warren said that with the additional funding, VA hired ASM Research, which is part of Accenture Federal Services, under a $300 million contract to provide cybersecurity services at VA facilities nationwide. VA says it’s a multi-year contract.
“We now have at least one contractor at every site basically doing the backlog of patching, doing the backlog of work,” he said. “What is forgotten at times is everyday things are happening and our IT workforce is there supporting the delivery of services to veterans. Our challenge has been the backlog of things that needed to be patched. So [the contract] is allowing the day-to-day operational staff to continue to do their job, and doing the day-to-day hygiene to do with where they are today, and bringing the vendors in to take care of the backlog.”
Warren said the contractors have addressed 67 percent of all the backlogged vulnerabilities since November.
Warren said the number one goal of VA’s IT workforce is to serve veterans in a secure way, but at the same time, they need to fix issues that haven’t necessarily been done well in the past.
For the 16th straight year, the VA inspector general released its annual FISMA report and found significant deficiencies across nine major areas, including configuration management, security standards for servers, databases and network devices, and remediation processes to fix vulnerable systems and devices. Auditors also say VA continues to have “9,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its information security posture.”
In all, the IG made 33 recommendations, 30 of which it made in previous years in one form or another. Auditors say VA closed five old recommendations and showed progress in improving its overall cybersecurity posture.
“I think it’s clear the emperor is wearing no clothes. VA has failed its FISMA audit 16 years in a row, yet the department’s assessments of its cybersecurity capabilities are continually rosy,” said Rep. Jeff Miller (R-Fla.), chairman of the Committee on Veterans’ Affairs, in an emailed statement. “You would think that at some point VA would hold someone accountable for these repeated failures and institute a plan to address them. But instead of tackling the problem head on, VA seems to be more interested in putting a positive spin on bad news and patting itself on the back. Meanwhile the problems outlined in the inspector general’s audit remain unsolved.”
Warren said the communication with Capitol Hill could be a lot better and has tasked Stan Lowe, VA’s chief information security officer, and Art Gonzalez, VA’s deputy CIO, with handling briefings to lawmakers and staff members.
“We’ve set up a couple of meetings and I believe a couple of more are coming,” Warren said. “We are sitting down with staffers, sitting down with members and actually talking through what we’ve done and some of the things we have moved out on and made strides on, but other areas where we will continue to be doing work because it’s a long-term commitment to doing this right.”
Another one of those things VA has progressed on is ensuring each facility CIO has visibility into all of their systems and vulnerabilities. He said his office put a methodology in place to annotate the systems, the problems and how they were fixed.
This year, Warren said the VA is using a tool called NEWT to pull all those scans into a single view.
“Now they will iterate on that tool such that the CIO who has span of control can see what’s there, understand what the high risks are, figure out what they need to be doing and have the contractor pick off the rest,” he said. “It’s basically added positive control into how we do things. That was a key one to show maturation.”
Increased focus on audit findings
Two other initiatives to deal with vulnerabilities highlighted by the IG are reducing the number of duplicative software titles VA is using, and blocking websites that are “uncategorized,” meaning they don’t belong to a specific grouping on the Web.
“Why do we need five or seven pieces of software that do the same thing? Let’s start collapsing it down because the diversity of software and the extensive software you have increases your liability from a patching standpoint,” Warren said. “The other place the team has gone through is they actually do targeted scans of outward facing systems, and basically the security team comes in and does penetration testing on an application. We run it through and if something is found, based upon whether it’s mission support, can we put compensating controls on it and keep running it, or do we actually need to take it offline, make the code changes, make the patch changes and bring it back online again. It’s a very deliberate walk across the enterprise.”
Warren said all of these initiatives are part of an increasing level of effort to improve the agency’s cybersecurity posture.
“It’s important with all the other things that we are doing and trying to work through the risk balance, it’s not ‘hey should I do this single thing?’ It’s how do I do this single thing in conjunction with the policy piece, the operational piece and the delivery piece, so getting that team together that is actually running things to ground and identifying where they are so we can take them on,” he said. “But it’s more than just that. One of the things we have been doing is every Thursday, we have been sitting down and going through where are we on the plan. It’s a leadership meeting of my deputies.”
Warren said that now, every Tuesday, the full senior executive team will work through the plans of action for each of the audit findings to ensure they are making progress, and to keep the focus on continued improvement and intensity.