VA makes progress in cyber

Federal agencies increasingly face more sophisticated cyber threats, so it makes sense the Veterans Affairs Department remains committed to protecting veteran information. In September 2015, VA’s Office of Information and Technology sent to Congress its Enterprise Cybersecurity Strategy meant to further strengthen and protect the VA cyber environment. The plan was designed to answer the following questions:

  • What are the right things to achieve VA’s cybersecurity mission and vision?
  • How does VA know they are doing the right things?
  • Are they making decisions and investments that deliver cybersecurity mission and vision?
  • Are they aligning resources to deliver the plan?
  • Are they achieving intended outcomes?

On this episode of CyberChat, host Sean Kelley, former Environmental Protection Agency chief information security officer, is joined by Dominic Cussatt, VA’s CISO.

One of the most significant and impactful successes that the VA Cyber has experienced under Cussatt’s leadership has been accomplishing the goals of the Enterprise Cybersecurity Strategy Team (ECST) ahead of schedule.

Advertisement

“The VA built their 2015 Enterprise cyber security strategy and then created the ECST as the mechanism to implement the strategy. They devised 35 plans of action, which comprised of all the elements of this this new strategy, which further decomposed into 3,400 line items in an integrated master schedule,” Cussatt said.

The VA celebrated this success on Dec. 15, 2017, but that doesn’t mean VA is free of material weaknesses.

“The ECST served as the foundational start for all of this, now we are tasked with institutionalizing all of these great capabilities and new processes, policies, procedures, technical capabilities that we put in place over the past two years,” Cussatt said.

Cussatt goes on to say the harder part will be ensuring success throughout the agency — a process he believes everyone needs to play a part in.

VA’s establishment of continuous diagnostics and mitigation capabilities is another success.
Mandated by Congress, the CDM program enables agencies to constantly monitor networks for vulnerabilities, prioritize risks based upon potential impact, and enable cybersecurity personnel to mitigate the most significant problems first.

“[VA] saw a reduction in the total number of elevated privileges on our networks by 96 percent,” Cussatt said.

Through this reduction, only authorized personnel can install software, add user accounts or give individuals permissions to make changes to networks, which significantly reduces exposure to risk.
CDM is also helping the VA collect data to compile and conduct predictive analytics, which can help the agency prepare for future threats.

Cussatt credits VA alignment with the National Institutes of Standards and Technologies for its forward-thinking risk management approaches. When the cybersecurity executive order was signed by the president last May, “VA was well on our way because we had such a robust risk management framework already put in place.”

Top Takeaways:

  1. The ECST accomplished thirty-five plans of action and closed ahead of schedule.
  2. The ECST established the foundation to eliminate material weakness.
  3. VA saw a 96 percent reduction in elevated privileged users through the implementation of CDM.
  4. CMD is also helping VA collect data to conduct predictive analysis.
  5. VA has a robust risk management approach – completely in line with NIST.