IG Identifies Deficiencies in VA IT
Auditor Worries Some Fixes May Not Be Achieved till Sept. 2014
Significant flaws involving access, configuration-management and continuous-monitoring controls, as well as practices designed to protect mission-critical systems from unauthorized access or damage, have been identified in a new audit of the Department of Veterans Affairs' IT systems.
The fiscal year 2012 annual Federal Information Security Management Act audit conducted by the VA Office of Inspector General reveals:
- Weaknesses in access and configuration-management controls that resulted from the VA not fully implementing security-control standards on all servers and network devices;
- Failure to effectively implement procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications;
- Failure to remediate some 4,000 outstanding system security risks in its corresponding plans of action and milestones to improve its overall cybersecurity posture.
"By failing to fully remediate significant system security risks in the near term, VA management cannot ensure that information security controls will protect VA systems throughout their life cycles," Linda Halliday, VA assistant inspector general for audits and evaluations, writes in the 50-page report dated June 27.
The fact that deficiencies exist with VA IT isn't surprising. Halliday previewed the IG's findings during a June 4 hearing before the House Veterans Affairs Subcommittee on Oversight and Investigation [see IG Identifies VA's IT Security Deficiencies].
VA Concurs with IG Findings, Recommendations
Acting VA Chief Information Officer Stephen Warren, in a written response to the IG, concurs with the 10 findings and 32 recommendations, saying the VA has embarked on a cultural transformation with implementation of the Continuous Readiness in Information Security Program, known as CRISP, a new operating model the VA contends will protect veterans' privacy and sensitive information.
Halliday says CRISP resulted in some improvements in areas such as training, contingency testing, reducing the number of outstanding plans of action and milestones, developing initial baseline configurations, shrinking the number of individuals with outdated background investigations and improving data center Web application security.
Still, Halliday says she remains concerned that several of the VA action plans are not expected to be in place until September 2014 for new and prior recommendations. "Moving forward," she says, "VA needs to ensure a proven process is in place to sustain the improvements achieved thus far."
Auditors identified specific deficiencies in 10 areas: agency-wide risk management program, identity management and access controls, configuration management controls, system development/change management controls, contingency planning, incident response, continuous monitoring, security capital planning, contractor systems oversight and security awareness training.