The Veterans Affairs Department’s struggle to secure its networks and systems continues to a great degree, and while there is progress in some areas, its computers, databases, servers and nearly all other IT remain at risk.
Among the IG’s findings are 6,000 system cyber risks from previous audits listed in their plans of actions and milestones (POA&Ms) and continued weaknesses in access and configuration management controls because the agency hasn’t fully implemented standards on all servers and network devices.
“We remain concerned that continuing delays in implementing effective corrective actions by estimated completion dates to address these open recommendations can potentially contribute to reporting an IT material weakness from this year’s audit of VA’s Consolidated Financial Statements,” the IG wrote in the report. “VA continues to face significant challenges in complying with the requirements of FISMA, due to the nature and maturity of its information security program.”
In December, the VA’s independent auditor CliftonLarsonAllen gave the agency a failing grade for the 15th year in a row, with regard to security controls, in its consolidated financial statement audit.
Reports show continued problems
In the 2013 FISMA report, the IG made 35 recommendations across 10 areas, including incident response, continuous monitoring, configuration management, identity management and access controls and many other major cyber functions.
“It’s the same problem. That is, security is disjointed. It is not fully integrated across the OIT lines of business, i.e. Product Development, Service Delivery and Engineering, Enterprise Architecture etc.,” said a government official with knowledge of VA cybersecurity. “The auditors look for consistency in the implementation. They can tell whether the fix has been done just to satisfy the audit or if it’s actually the result of a comprehensive security program. Each time they come back, something that was decent has gotten worse over the past year. That is because the program is not integrated and they are not trying to integrate it. Each VA OIT organization is working in a stove pipe.”
And it’s not just the IG that has concerns about VA’s cyber. The Office of Management and Budget reported in its annual FISMA report to Congress that VA had consolidated about 40 percent of its network traffic through a Trusted Internet Connection and implemented just over 80 percent of the TIC capabilities. OMB also found VA required only 4 percent of all employees to access to its computer network using their smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12), one of the lowest percentage among all agencies.
OMB said VA was making more progress in implementing continuous monitoring, including reaching 100 percent for configuration management and under the domain name security where nearly 90 percent of all its websites use DNSSEC.
Stephen Warren, the executive in charge and chief information officer, concurred with all of the IG’s recommendations and offered steps the agency is taking to fix new and previous years’ cyber shortcomings.
For example, the IG found VA continues not to have an agency-wide risk management program.
Warren said VA has implemented the governance, risk and compliance (GRC) tool as a major element of employing an agency-wide risk management governance structure.
“The GRC tool is VA’s robust repository capable of tracking the real-time security posture of the VA’s IT systems The tool is used in concert with existing IT monitoring and tracking tools, such as IBM End-Point Manager (IEM), SolarWinds, NESSUS, to extract, in real-time, up to 54 NIST controls, while capturing the remaining controls via automated workflows,” he wrote. “The Risk Vision GRC tool automatically ties risk assessments to POA&Ms and system security plans, resulting. In a more comprehensive understanding of VA’s security posture, far exceeding any past capabilities. The workflow process of entering information into the GRC tool ensures that only the most current risk information is retained. This is also true of the System Security Plan and FIPS assessments. The CIO has greater visibility/oversight with the Risk Vision database for Authority to Operate (ATO) decisions.”
Another two-year-old recommendation from the IG is to implement automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platform and Web application servers.
New sets of tools on their way
Warren said the agency implemented an enterprise-wide vulnerability management program using scanning tools to identify security deficiencies.
“Priority attention is placed on installing the required patches to remediate the identified deficiencies,” Warren wrote to the IG. “Automated monitoring and assessment tools have also been deployed in the VA enterprise to every laptop, desktop, server and network device. VA will continue to enhance the vulnerability management program by making use of the security and information event management (SIEM) technology, which currently is in place at the Enterprise Operations (EO) data centers. The SIEM solution will collect audit logs and alerts and facilitate the continuous identification of vulnerabilities that require priority corrective actions.”
Warren said VA will add the tools to the Internet gateways and network backbone, and the network security operations center by September, and then to regional data center systems by September 2015.
But adding the SIEM capability to the network security operations center is delayed, as VA will have to go through a second request for proposals (RFP) process because the first one didn’t produce the results it was looking for. Warren said they expect to award the contract and implement the technology by Dec. 31.
Warren detailed several other short-term goals to implement cyber capabilities, including testing the department’s incident response capability by Dec. 31 and creating a white list for approved software and a black for unauthorized software by Sept. 30.
The IG’s audit adds another layer of doubts about VA’s ability to secure its network, data of millions of veterans and overall systems.
Linda Halliday, the assistant inspector general for audits and evaluations, said, at the time, VA had a broad range of security concerns, including risk assessments and outdated system security plans that didn’t accurately reflect the current system environment or federal standards. She said VA, at one point, had more than 4,000 open vulnerabilities under the plans of actions and milestones (POAM) process.
“OIT has plenty of money for security. What they lack is holistic planning. They focus too much on tools and not enough managing risk,” said the government official. “They try to brute force their way to a better posture, and by throwing money and people at the problem. But without a realistic plan and without competent leadership, they will continue to fail.”