For the last 18 years, the Veterans Affairs Department has flunked its cybersecurity examine. The agency’s inspector general, for 18 years, has found cybersecurity as a material weakness.
And for the last 18 years, the assorted chief information officers, at least 10 during this time, have promised they would be the one finally to fix these long-standing issues.
Despite 18 years of failure, the light at the end of the tunnel is getting brighter. The most recent evidence came Dec. 7, during the latest congressional committee to seek answers and assurances from VA.
Scott Blackburn, the executive in charge for information and technology and acting CIO in the Office of Information Technology at VA, brought some good news to members of the House Oversight and Government Reform Subcommittee on IT, which held a hearing on Dec. 7.
Blackburn held up a note from acting Federal CIO Margie Graves telling VA it had fixed 11 troubled areas highlighted by the CyberStat process.
“A lot of the 11 areas were sort of lingering issues for VA. We have a lot of lingering issues that have gone on for years and years. Back in 2015, we established an enterprise cybersecurity strategy to look at these lingering issues and try and put them to bed once and for all,” said Dominic Cussatt, VA’s chief information security officer, in an interview with Federal News Radio after the hearing. “We did institute 35 plans of actions to get all of those things accounted for and get some capabilities on board to address those issues systematically. We’re happy to say by Dec. 15, we will have all 35 of those closed. There were about 3,000 line items in that integrated master schedule.”
Cussatt said among those 11 areas under the CyberStat process that were removed included continuous diagnostics and mitigation, identity management, network defense and access control.
All of which were long-term problems for VA. For instance in June, the IG reported for 2016 that VA had security weaknesses that were not remediated from prior years, including ineffective enforcement of its agencywide information security risk management program and ineffective communication from senior management to individual field offices.
“The use of weak passwords is a well-known security vulnerability that allows malicious users to easily gain unauthorized access into mission-critical systems,” the IG stated.
VA doubled down on many of these long-standing cyber problems in 2015 when former CIO LaVerne Councilcreated a new enterprise cybersecurity strategy with a specific focus on ending the agency’s run of cyber being a material weakness.
Council, who left in January 2017 and recently joined Grant Thornton, should be credited with putting together many of the initiatives to address the IG’s annual report that included 30-plus recommendations. She also changed VA’s culture, which had hit a low-point in 2013 when former CISO Jerry Davis went public with accusations that the agency was “rubber stamping” IT system authorities to operate (ATOs) in order to get them completed before they expired.
Cussatt said another one of the CyberStat issues that OMB said is now resolved is around the ATOs of systems. When Cussatt arrived at VA in May 2016 from the Defense Department, he said the agency had a “relative large” number of systems without a valid ATO. Now, all systems are certified and accredited to operate on the network.
“We’re already starting to see the benefits of these [cyber] efforts,” Cussatt said. “We’ve seen an improvement in our FISMA audit scores. The IG when they recently briefed our secretary on the outcome of our annual FISMA audit that just concluded at the end of the summer, they noted they’ve seen a measurable improvement to our posture. There are still some issues to resolve, but they made a point to note that they have seen a lot of progress.”
Cussatt said VA still may face a 19th straight year in which cyber is a material weakness. The IG wants to see beyond an issue being resolved once, and instead see a long-term trend that VA has turned the corner.
“I think we are on that path to get that trend in place that we need to resolve it,” he said.
And current VA executives, including Blackburn and Cussatt, are continuing the improvements, which includes transitioning to a new risk management approach called the enterprise cybersecurity strategy program.
“With the issuance of the president’s cybersecurity executive order in May, where we were asked to align ourselves with the NIST cybersecurity framework, we are looking to take the cybersecurity framework to heart, use it with our existing NIST risk management framework program that we have implemented within VA and use that as our mechanism to move from this tactical approach of setting up this integrated master schedule with these short-term plan of actions to a more proactive, security control lifecycle risk management, risk assessment approach to keep track of all the things we put in place and make sure they are keeping up to speed with the threats and vulnerabilities and bringing new capabilities to bear,” Cussatt said.
There is little doubt that VA is a different place today than five years ago when it comes to cybersecurity. The executives recognize problems exist and seem to be giving them the proper attention, and therefore are getting the results.
While a 19th year of material weakness seems likely, that may be the last one, which would be good news for veterans, especially as VA launches its the new electronic health record system.