Jason Miller | April 17, 2015 5:03 pm
The Veterans Affairs Department is putting its systems and the data of tens of millions of veterans in jeopardy because of a lack of institutional control over its cybersecurity evaluation and approval process, according to a former high- ranking VA computer security official and multiple other current and former agency officials.
Jerry Davis, the former deputy assistant secretary for information security (DAS IS) in VA’s Office of Information and Technology, alleges in documents obtained by Federal News Radio that he was coerced into rubber stamping 250 security certifications for agency IT systems.
In a letter to Congress, Davis said he was reluctant to sign the documents because he felt the systems had not gone through the proper oversight process. He said VA officials wanted him to sign off on more than 500 security documents in total as a condition of his release from VA to become the CIO of NASA Ames in Moffett Field, Calif.
“I attest that as the DAS IS, there is a clear and present danger and risk of exposure and compromise of sensitive data for perhaps hundreds of thousands to millions of veteran[s]; all facilitated by coercion, intimidation and an improper process executed to assess system security,” Davis wrote on Jan. 28 to VA’s designated approving authority for IT systems, which can be anyone from the agency chief information officer to the program manager who is known as the official system owner.
The documents that Davis said the agency wanted him to sign are called accreditations and authorizations (A&A), which previously were known as certifications and accreditations (C&A). Every agency must demonstrate its IT systems meet cyber policy and regulations through these A&As, which are required as part of the Federal Information Security Management Act (FISMA). Each system needs an authority to operate (ATO) before it can be brought online and agencies must renew the ATO every time there is a major change to it.
Rush to get ATOs signed
Multiple current and former VA officials also say agency management continues to “blanket” sign these security documents, including the final few dozen in preparation for Tuesday’s hearing on IT security before the House Veterans Affairs Committee.
A VA spokesman disputes the claim that agency systems and data are at risk.
But multiple sources, all of whom requested anonymity for fear of retribution and because of the sensitive nature of the issue, corroborated Davis’ allegations and said the process hasn’t improved since Davis left in early February.
“To me, it seems like all they did was reprint the [authority to operate] letters without going through the proper checks,” said one VA source. “There isn’t enough time to do each ATO. I think they have been doing a batch at a time. I’ve seen folders come trickle in and I don’t believe they have many more left. They are still being signed today. I know what [management] are saying. They have a procedure in place before the ATO is signed where the local level does the checks and then the security official signs it. I think it’s just a CYA to say they only sign ATOs when the process is done. Are they following the process? It’s hard to say. But it seems like nothing has changed since Jerry left.”
In fact, internal emails obtained by Federal News Radio show a scramble to sign the final 16 security certifications before the House hearing.
“You are being requested to take immediate action to resolve the ATO discrepancy and produce a completed package by 31 May, as all systems must have a current ATO prior to Mr. [Stephen] Warren’s 4 Jun congressional hearing,” wrote Gary Stevens, director of VA’s cybersecurity office, in an email to agency information security officers responsible for finalizing the ATOs, which was obtained by Federal News Radio. “Non-receipt of the required information will result in the issuance of a Denial of Authority to Operate (DATO) by the respective date.”
A spreadsheet, also obtained by Federal News Radio, listed the 16 critical systems and what they were missing. All needed either the finalized FISMA checklist and/or signatures from the system owner. This may seem like a minor oversight, but according to the checklist, system owners must confirm they have reviewed “the System Security Plan, Risk Assessment, Contingency Plan tests, security control test results, and the Plan of Action and Milestones that summarize deficiencies for remediation.”
It also requires the owner to “assert that operating this system in the VA enterprise poses an acceptable level of risk to agency operations and assets.”
Possible, but improbable
A former government official with an expertise in cybersecurity and FISMA said VA, or any other agency for that matter, could get more than 500 ATOs signed off in a matter of weeks if they had a well-managed cybersecurity oversight and documentation process.
But the former official, who requested anonymity because they still work for the government as a contractor, said VA’s history as well as reports from its inspector general and the Office of Management and Budget show the department’s processes are insufficient.
Davis expressed those same concerns in memos to VA senior officials after signing 250 ATOs. He added “with reservations” after his signature on each document.
“I attest that any document, artifact and other legal instruments from the date of January 25, 2013, and heretofore that bears my signature as the DAS IS used to validate that VA information systems, processing, storing or transmitting sensitive veteran information were signed by myself under duress,” Davis wrote in the Jan. 28 memo. “I attest that as the DAS IS I have no confidence or trust in the processes that were executed by any employee or contractor of the Department of Veterans Affairs is [sic] effective or provides reasonable assurances that veteran data is adequately secure.”
The VA spokesman said even though veteran data and IT systems are not at risk, the expiration of the ATOs drove a sense of urgency to ensure a check of all management controls had taken place.
“An ATO constitutes VA’s approval for a system to operate within its IT environment. This approval is mandated by several regulatory requirements, and is a largely paper-based process that validates that an IT system has the proper system documentation and an analysis of the system’s technical, managerial, and operational security controls,” the spokesman said in an email response to questions. “Federal agencies, including VA, are moving away from the paper-based ATO process toward a more real-time approach based on ‘continuous monitoring.’ Key aspects of the continuous monitoring approach have been in place for some time, including the ability to see all devices on the network dating back to the early part of fiscal year 2011.”
The spokesman said VA has 593 ATOs under review, and as of May 29, 560 ATOs, or 94 percent, have been completed.
“VA engages in continual assessment and authorization processes that ensure systems are secure and compliant with federal law and VA policy,” the spokesman said. “Despite the fact that ATOs are generally awarded for three years, security documentation is updated and reviewed no less than annually.”
But a security report obtained by Federal News Radio shows more than 2,500 open plans of action and milestones (POAMs).
The former government official said having so many open POAMs could mean the risk is higher to the systems because the goal of the POAMs is to close down vulnerabilities.
“What they seem to be measuring here is documents, so it looks like they are doing documents for document sake and not closing actual vulnerabilities,” the former official said after viewing the security document. “They are measuring the checklists, but it’s hard to say whether they are closing the actual problems. That’s a lot of actions that are open and it should make you a little nervous.”
ATOs’ expiration comes as no surprise
The fact that the ATOs were going to expire in December wasn’t a surprise to VA.
Davis suspended certifications and accreditations for 16 months in an August 2011 memo in preparation for the agency’s move to continuous monitoring. The goal of continuous monitoring is to give agencies real-time views of the health of their computer networks. ATOs still would be required under continuous monitoring, but they would be updated almost in real time.
In May 2012, VA’s IG approved of the move to suspend ATOs.
“We determined that VA’s continuous monitoring approach complied with FISMA requirements and supported OMB and NIST guidance,” the IG wrote in its report on allegations that the agency was not following FISMA. “However, this continuous monitoring approach did not relieve VA from also ensuring the implementation of adequate controls to secure its mission critical systems. We will continue to evaluate the effectiveness of VA’s continuous monitoring program and information security controls as part of our annual FISMA assessments.” Additionally, Roger Baker, the assistant secretary in the Office of Information and Technology and chief information officer at the time, said in a letter responding to that IG report that OIT “concurs with the findings” and submitted comments regarding recommendations that centered on the security of VA’s mobile computing efforts.
But when the continuous monitoring program fell behind schedule and wasn’t going to be fully implemented by December 2012, Davis said in a Jan. 14 memo to Baker that “it was recommended to the principal deputy assistant secretary of OIT [Stephen Warren] that all 545 system ATOs be extended until Aug. 31, 2013, which will allow sufficient time to deploy the new [continuous monitoring] tool and populate the tool with system information for near real-time diagnostics and remediation. This would allow VA to focus on meeting the metrics established by OMB and DHS for continuous diagnostics and provide a much better assurance of system security posture.”
Warren now is the acting CIO.
Documents show Davis alerted Baker in the Jan. 14 memo about his concerns about the veracity of the security documents. He also warned Warren three other times about his apprehensions to sign the ATOs, according to documents Davis sent to Congress.
ATO process is trustworthy
When asked about this in an email, the VA spokesman again disputed Davis’ allegations that the ATO process was problematic. He said the agency trusts the ATO validation process and the work of its systems security officers.
“We are unsure as to why the CISO [Davis], who owned system security and security processes, never in his two years at the agency alerted leadership to concerns about the process until he had announced that he was leaving the agency and would be leaving the ATO certification work unfinished,” the spokesman said.
The spokesman said it was Davis, not Baker or current VA CISO Stan Lowe, who wanted to “blanket” sign the ATOs.
“In late 2012, Mr. Davis informed the former Assistant Secretary for Information and Technology [Baker] that the goal of instituting continuous monitoring by the end of the year would not be met, and that 593 ATOs would expire on Dec. 31, 2012. He then suggested that one blanket waiver be signed for all IT systems,” the spokesman said. “This suggestion was rejected by the assistant secretary precisely because we felt it important that he complete his task of ensuring that each of VA’s IT systems are properly validated, and that those responsible for the systems take ownership of system security and document this ownership via a certification. Instead, the department has been working to assure that the requirements for each system ATO is properly conducted and documented.”
But Davis stated his opposition to blanket signing the ATOs in his Jan. 14 letter to Baker and in other documents sent to Congress.
“Attempting to prosecute these activities using an expedited process is extremely risky,” he wrote. “There undoubtedly will be errors and omissions in process and procedures in the rush to complete these activities. I cannot and will not sign as the DAS IS any artifact attesting positively to a process that does not add value, is not needed, is wasteful, unnecessarily uses up resources and jeopardizes the integrity of the information security program.”
He added that the current process will further set VA behind in reaching the goals of continuous monitoring.
Three-steps to secure systems
Davis also detailed a three-step plan to deal with the expiring ATOs in the letter to Baker.
He recommended to Baker that VA should “establish a memorandum for the file which stipulates as system ATOs expire, those systems will be rolled into the [continuous monitoring] program as quickly and as soundly as possible. This is consistent with the direction required by both OMB and the Homeland Security Department for managing systems security in a proactive and near real-time fashion.”
Additionally, he said “another extension is unnecessary and does not provide any measurable value nor do they increase system security.”
Davis told the Hill that Baker never responded to his concerns.
Baker, who left VA in April and now is chief strategy officer for Agilex, declined to comment through a company spokesman.
Additionally, Davis said in the Jan. 14 memo that Warren would not release him to his new job as NASA Ames CIO until he signed the more than 500 ATOs by Jan. 25, which happened to be Davis’ last scheduled day at VA.
Davis, who filed a complaint with the Equal Employment Opportunity Commission against Warren for prohibited personnel practices, said in a letter to VA oversight committees that he had several conversations with Warren about the “improper” process in renewing the ATOs. Davis also told Warren that he wouldn’t “jeopardize the personal information of veterans, information that we are entrusted to protect and that we had a duty to protect” by blanket signing the security certification documents.
Davis said in his letter to Congress that the VA general counsel in February instructed John Gingrich, the agency’s chief of staff at the time, to grant Davis his release to NASA.
Circumvent the processes?
Multiple current and former VA officials say Davis never promised to get the more than 500 ATOs done at a certain time, and it was Warren who was pushing to get them signed.
One former VA official said Warren wanted to get the ATOs signed and then circle back around to complete the actual security steps.
A current VA official said it was clear that Warren wanted Davis to circumvent the FISMA and ATO process.
“Information security and compliance with FISMA is all about ensuring proper procedures and policies are in place and we are managing the IT security function in the best way possible for the department,” the current VA official said. “You have to go through the ATO process so you find any critical vulnerability, which has happened before. We found an unencrypted point-to-point connection that we were transmitting data through. We didn’t get hacked or we didn’t lose any data that we know of, but the ATO helped us find that hole. You don’t want to be in the position of having to explain why you have that vulnerability because you didn’t properly do the ATO.”
All current and former VA officials talked to for this article as well as other current and former government officials attested to Davis’ skills as a cybersecurity professional and honesty as a person.
There are, however, several unanswered questions about Davis’ allegations:
NASA Ames would not make Davis available for an interview.
A history of cybersecurity shortcomings at VA detailed by the IG and GAO is part of what led Davis to pause and not just rubber stamp the security documents before he left VA. Davis, a retired Marine and CIA analyst, said the defective security certification processes are putting veterans’ data “at serious risk of compromise or misuse.”
IG, GAO report long-standing problems
VA’s IG wrote in the both the fiscal 2010 and fiscal 2011 FISMA audits that the agency didn’t do a good enough job to fix specific cyber issues and didn’t follow the standard approach to identify and track those problems.
The IG said VA’s process to implement cyber recommendations through its POAMs was deficient, and said VA needs to improve how it evaluates information security controls through its continuous monitoring program.
“You could get someone to sign off on the ATOs, but if you are really managing the process appropriately you’d go back and make sure you are closing the problems and the IG reports show VA has a terrible POAM process,” said the former government official, who is an expert in cybersecurity. “ATOs are just a byproduct of an agency understanding its systems and risks.”
A spokeswoman for VA’s IG office said the inspector general still is finalizing the 2012 FISMA report.
With so many open POAMs, the former government official questioned the quality of any ATO.
“If you have 50 percent or more open, that means you are at risk because you are supposed to be closing them down,” the former official said. “If these are moderate to high risk systems, or contain personal information or patient data, it could mean the risk has increased because what’s the likelihood of them being brought to a resolution in a satisfactory way? It’s one thing to have ATO, but it’s another to have that many open POAMs.”
Additionally, the Government Accountability Office testified in May 2010 that VA made limited progress in resolving long-standing deficiencies in securing its information and systems.
“Even if they are implementing continuous monitoring only on some systems, that’s considered a major change so the ATOs wouldn’t be valid anymore,” the former official said. “Given all the evidence out there, it’s improbable that VA could sign off on ATOs for all 500 systems and understand the risk and how to mitigate the risks in such a short amount of time. It’s possible for an agency with a mature process, but VA doesn’t seem to have one.”
The VA spokesman said key aspects of the agency’s continuous monitoring program have been in place since early 2011.
“To date, VA has implemented tools that provide aspects of continuous monitoring, such as reporting when computers are not compliant with VA security policies, Federal Desktop Core Configuration compliance, U.S. Government Configuration Baseline compliance with vendor patching policy, deep dive analysis of malware indicators, local file storage analysis, continuous gateway scanning and continuous scanning at all facilities,” he said.
OMB’s report to Congress on FISMA for 2012 shows VA has implemented continuous monitoring, but only on a subset of its systems.
Congress weighs in
Davis’ letters to the House and Senate Veterans Affairs committees have raised concerns and questions about differing stories of who wanted to blanket sign the ATOs.
A Senate Veterans Affairs Committee staff member said Baker briefed the committee in January about Davis’ allegations.
“We were told about the situation with Jerry Davis and told Jerry wanted to have a blanket waiver signed,” the staff member said. “The committee is concerned about what’s going on with IT. There is a lot of information that is lacking and needs to be provided to us. And what’s being told to us is now being contradicted to what’s in these documents [provided by Davis].” The staff member said the committee met with Warren in March and asked about the signing of ATOs. The staff member said Warren assured the committee there was a process for the ATOs to be signed.
Another Senate staff member with knowledge of VA said agency officials in meetings with Hill staff about IT said Davis was responsible for completing the ATOs and that he didn’t keep those promises.
“VA told us they have been dedicating staff to getting the ATOs completed,” the second staff member said. “We’ve asked for more information, but haven’t received it yet. We are looking at it, but not sure what’s going on.”
The House is holding a hearing Tuesday that will address this ATO signing issue as well as other cybersecurity concerns at the agency.
“The committee takes these allegations very seriously, which is why our Subcommittee on Oversight and Investigations is having a hearing on the matter June 4,” said a spokesman for the majority side of the House Veterans Affairs Committee.
Rep. Mike Michaud (D-Maine), ranking member of the Veterans Affairs Committee, said in an emailed statement that recent IG reports, which found problems with VA’s cybersecurity, are concerning.
“Whether it’s transmitting sensitive veterans’ information over the Internet or ‘authority to operate’ lapses, these practices are unacceptable and shouldn’t have happened in the first place. I’m hopeful these incidents are isolated and not just the tip of the iceberg,” he said. “The importance of sound IT fundamentals for VA cannot be overstated. They are critical to providing veterans the care they’ve earned as well as breaking the unacceptably large VA claims backlog. In fact, the VA’s new computer system is the centerpiece of their transformation plan to break the backlog by 2015. VA’s IT efforts are centralized in policy, resources and execution. If it is not run well, it seriously damages the whole department’s ability to achieve its mission. It’s critical that VA’s IT security is second to none, and I know our committee is committed to getting to the bottom of all this during the June 4 hearing.”
Editor’s Note: Davis’ documents and the VA provided different totals for how many ATOs needed to be signed.
A daily update of important moments in the history of the U.S. government.