IG concludes VA's systems, data remain at risk

Friday - 5/30/2014, 4:11am EDT

The Veterans Affairs Department's struggle to secure its networks and systems continues, and while there is progress in some areas, its computers, databases, servers and nearly all other IT remain at risk.

These are the findings of the VA inspector general in its latest Federal Information Security Management Act (FISMA) report to Congress.

Among the IG's findings are 6,000 system cyber risks from previous audits still listed in the department's plans of action and milestones (POA&Ms), and continued weaknesses in access and configuration management controls because the agency hasn't fully implemented standards on all servers and network devices.

"We remain concerned that continuing delays in implementing effective corrective actions by estimated completion dates to address these open recommendations can potentially contribute to reporting an IT material weakness from this year's audit of VA's Consolidated Financial Statements," the IG wrote in the report. "VA continues to face significant challenges in complying with the requirements of FISMA, due to the nature and maturity of its information security program."

In December, the VA's independent auditor, CliftonLarsonAllen, gave the agency a failing grade on security controls for the 15th year in a row in its consolidated financial statement audit.

Reports show continued problems

In the 2013 FISMA report, the IG made 35 recommendations across 10 areas, including incident response, continuous monitoring, configuration management, identity management and access controls and many other major cyber functions.

"It's the same problem. That is, security is disjointed. It is not fully integrated across the OIT lines of business, i.e., Product Development, Service Delivery and Engineering, Enterprise Architecture, etc.," said a government official with knowledge of VA cybersecurity. "The auditors look for consistency in the implementation. They can tell whether the fix has been done just to satisfy the audit or if it's actually the result of a comprehensive security program. Each time they come back, something that was decent has gotten worse over the past year. That is because the program is not integrated and they are not trying to integrate it. Each VA OIT organization is working in a stovepipe."

And it's not just the IG that has concerns about VA's cyber. The Office of Management and Budget reported in its annual FISMA report to Congress that VA had consolidated about 40 percent of its network traffic through a Trusted Internet Connection and implemented just over 80 percent of the TIC capabilities. OMB also found VA required only 4 percent of all employees to access its computer network using their smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12), one of the lowest percentages among all agencies.

OMB said VA was making more progress in implementing continuous monitoring, reaching 100 percent for configuration management, and in domain name security, where nearly 90 percent of its websites use DNSSEC.

Stephen Warren, the executive in charge and chief information officer, concurred with all of the IG's recommendations and offered steps the agency is taking to fix new and previous years' cyber shortcomings.

For example, the IG found VA continues not to have an agency-wide risk management program.

Warren said VA has implemented the governance, risk and compliance (GRC) tool as a major element of employing an agency-wide risk management governance structure.

"The GRC tool is VA's robust repository capable of tracking the real-time security posture of the VA's IT systems. The tool is used in concert with existing IT monitoring and tracking tools, such as IBM End-Point Manager (IEM), SolarWinds, NESSUS, to extract, in real-time, up to 54 NIST controls, while capturing the remaining controls via automated workflows," he wrote. "The Risk Vision GRC tool automatically ties risk assessments to POA&Ms and system security plans, resulting in a more comprehensive understanding of VA's security posture, far exceeding any past capabilities. The workflow process of entering information into the GRC tool ensures that only the most current risk information is retained. This is also true of the System Security Plan and FIPS assessments. The CIO has greater visibility/oversight with the Risk Vision database for Authority to Operate (ATO) decisions."

Another two-year-old recommendation from the IG is to implement automated mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platform and Web application servers.

New sets of tools on their way

Warren said the agency implemented an enterprise-wide vulnerability management program using scanning tools to identify security deficiencies.

"Priority attention is placed on installing the required patches to remediate the identified deficiencies," Warren wrote to the IG. "Automated monitoring and assessment tools have also been deployed in the VA enterprise to every laptop, desktop, server and network device. VA will continue to enhance the vulnerability management program by making use of the security and information event management (SIEM) technology, which currently is in place at the Enterprise Operations (EO) data centers. The SIEM solution will collect audit logs and alerts and facilitate the continuous identification of vulnerabilities that require priority corrective actions."