Effective information risk management requires active involvement of an organization's top leader. The resignation of Eric Shinseki as secretary of Veterans Affairs means that the VA likely will continue to struggle to comply with federal requirements for IT security.
President Obama accepted Shinseki's resignation on May 30 because of growing evidence of widespread mismanagement and misconduct at VA's medical facilities, which, in some cases, led to long delays in treatment for vets. A day earlier, the VA inspector general issued its fiscal 2013 FISMA audit that concludes material weaknesses still exist in VA's information security programs.
VA's history of long-standing challenges in implementing an effective information security program has continued.
Some lawmakers suggest that Shinseki might have not been very engaged in department efforts to secure its IT. In a letter last June, the chairman and ranking member of the House Veterans Affairs Committee asked Shinseki if the secretary was informed of the risks to VA networks, including multiple breaches since 2010 revealed at a June 4 hearing (see Was VA Secretary Misled About Breaches?). Prior to the hearing, Shinseki wrote to a committee member saying, "To be clear, VA's security posture was never at risk."
When a new secretary is named, that person will have their hands full cleaning up the mess with VA medical facilities. Although some of the problems managing those facilities involve IT, they may have little to do with keeping department information systems secure as required by the Federal Information Security Management Act, the law that governs federal IT security. So it remains to be seen if the new secretary will devote much time to the issue of improving FISMA compliance.
At a press conference announcing Shinseki's resignation, Obama said some broader issues beyond fixing the problems at the medical facilities, including IT, must be tackled. "The information systems inside the VHA, those are probably going to have to be changed," Obama said. "That will cost some money, that will take some time and it will have to be implemented."
Linda Halliday, assistant IG for audits and evaluations, says in the FISMA audit that weaknesses were found in configuration and access management controls that resulted from the VA not fully implementing security control standards on all servers and network devices. The VA also failed to implement effectively procedures to identify and remediate system security vulnerabilities on network devices, databases and servers as well as Web applications, the audit shows.
Control Weaknesses for Fiscal Years 2007 - 2013
The department also failed to remediate some 6,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. That's up from 4,000 in fiscal 2012. POA&Ms identify which actions must be taken to remediate system security risks and improve VA's information security posture.
Gregory Wilshusen, director of information security issues at the Government Accountability Office, who saw a preliminary copy of the IG findings, wasn't surprised that auditors found weaknesses in the department's information security programs.
"VA's history of long-standing challenges in implementing an effective information security program has continued, with the department exhibiting weaknesses in all major categories of security controls in fiscal year 2013," Wilshusen testified before a House panel in March (see Report: VA Needs to Improve InfoSec). "These challenges have been further highlighted by recent determinations that weaknesses in information security have contributed to a material weakness in VA's internal controls over financial reporting and continue to constitute a major management challenge for the department."
The IG made 30 recommendations to remediate problems with the security of VA's IT, and VA Chief Information Officer Stephen Warren concurred with each one. Remember, the audit reflects the situation between Oct. 1, 2012, and Sept. 30, 2013. And, Appendix D of the report shows that the VA has either resolved specific problems or is in the process of doing so. In fact, the IG acknowledges that 14 of the recommendations have been met.
VA Information Security Incidents Reported to US-CERT
Fiscal Years 2007 - 2013
The actions the VA is taking are encouraging and, perhaps, the VA has turned a corner in implementing IT security practices. And, Halliday points out that the VA has made progress developing policies and procedures. Still, she says, challenges remain for the VA to institute FISMA information security risk management programs.
Complying with FISMA rules isn't easy, and it's likely that not all weaknesses identified in the fiscal 2013 audit will be addressed to the satisfaction of IG examiners next year. It's rare that auditors give agencies a completely clear bill of health.
The House Veterans Affairs Committee is mulling legislation to spur the department to do more to secure its IT, a measure that Wilshusen says has value. "While the draft legislation being considered by the subcommittee may prod VA into taking needed corrective actions," he says, "emphasizing that these should be taken based on risk can provide the flexibility needed to respond to an ever-changing technology and business environment."
The VA can use all the help it can to get its IT security house in order, especially because its new leader will be attending to more pressing challenges in the months to come.