WASHINGTON, DC — For the past four years, the annual Federal Information Security and Modernization Act (FISMA) audit has warned that the VA has lingering deficiencies across a wide range of cybersecurity areas, from agency-wide security management programs to incident reporting and identity management.
In April, the same recommendations were made for VA improvement. That these weaknesses in VA’s cybersecurity have gone uncorrected for so long has legislators wondering what the delay is and whether congressional prodding is necessary.
“VA has the second-largest IT footprint in the federal government,” noted Rep. Frank Mrvan (D-IN) at a hearing of the House Subcommittee on Technology Modernization last month. “The subcommittee remains concerned that VA has not done enough to assess risk and develop a long-term information security strategy. We’re especially concerned that the same recommendations are made year after year, seemingly without adequate progress in resolving them.”
Many of the cybersecurity issues are human-driven weaknesses—the kind that can be found at any technology-dependent organization. Michael Bowman, director of the OIG’s IT and Security Audits Division, testified to finding unnecessary system privileges given to employees who didn’t need them, devices still using their default usernames, and employees relying on weak passwords—all well-known security vulnerabilities.
However, those human-driven weaknesses are allowed to exist because of weaknesses in the larger system, the audit explains.
For example, VA has developed baselines for agency-wide security configuration to ensure that everyone using its major information systems is adopting the best security practices. However, those standards were not consistently implemented or monitored, resulting in “default network services, excessive permissions, weak administrator passwords or outdated versions of system software.”
Because of the lingering cybersecurity issue, the OIG has increased its oversight of IT security projects, including a series of IT inspections focusing on VA facilities that were not evaluated under the FISMA audit.
“To date, four IT security inspection reports [on individual facilities] have published 24 recommendations for improving security controls,” Bowman told the committee. “Of those, VA has successfully remediated 12 [of them] demonstrating that VA has the capability to make timely improvements.”
“We believe VA’s successful implementation of our FISMA and IT security implementation program recommendations is vital,” he added.
Kurt Delbene, VA’s chief information officer, talked up VA’s successes, but admitted that “there’s still more work we have to do.”
He noted that while things like employees using simple passwords and default usernames might seem like a simple fix, it becomes exceptionally more daunting when you consider the number of employees and devices in the VA system.
“In an environment where there are 1.5 million devices, we have to require advanced security across all of the folks at VA to accomplish deep security,” he explained. “We’ve had this view of the long term, where there’s automation across everything we do at VA. But in the near-term, especially with the issues the OIG had identified, we can use old-fashioned shoe-leather to get involved in particular systems.”
Asked how Congress can help, Delbene brought up the lack of competitive salaries for security personnel.
“We compete every day for people who can make higher salaries outside the federal government. We need to figure out pay scales that are commensurate with what competitive offerings look like,” Delbene explained.
In the previous week, VA had lost two high-level potential hires to the private sector because of pay imbalance, he added. “They went to private industry and got higher pay. And it’s not small differences. It’s substantial.”
“Another place where you can move the ball forward is on on-call pay,” Delbene said. “There are times when people are asked to sacrifice their personal time and be on call. We had [on-call pay] when OIT members were part of VHA. That’s something that was lost when we consolidated. We’re working through proposals to bring on-call pay back.”
A specific area where Delbene believes more hiring is needed is with the project managers who are tasked with overseeing IT contractors. Currently, the employees working on VA’s IT projects are about 85% outside contractors, Delbene told legislators.
“We do not have enough managers over those contracting teams to get deeper into the technology and set direction,” he admitted. “If you’ve got one person managing six contracts, much of what they’re going to do with most of their day is fight fires. We need a better process for how we work with contractors, so there’s a deep integration of the direction they want to take things and our understanding of what VA needs.”
One form of help Delbene does not want from Congress is the Strengthening VA Cybersecurity (SVAC) Act of 2022, which was introduced in March and is co-sponsored by Mrvan. The bill would require VA to obtain an independent cybersecurity assessment from federally-funded research and development centers and then submit a plan to Congress to address whatever security weaknesses are discovered.
According to Delbene, the bill would only duplicate the work of the OIG, which would almost certainly do a better job than whatever new agency was contracted.
“[The OIG] has the longevity of multiple years that they’ve been doing this,” Delbene declared. “They can drill down into areas that are a reflection of where they’ve been in the past and where they want to go in the future because of how deeply they know us. We just really need to ramp up the number of people we have working in the space inside of VA.”