IG: VA Network Susceptible to Attack

Progress Made, but More Must Be Done to Meet FISMA Provisions
The Department of Veterans Affairs, despite progress, faces challenges implementing elements of its information risk management program to meet the requirements of the Federal Information Security Management Act, the law that governs IT security in the federal government.
"VA's internal network remains susceptible to attack from malicious users who could exploit vulnerabilities and gain unauthorized access to VA information systems," Linda Halliday, VA assistant inspector general for audits and evaluations, wrote in a 38-page report dated April 6.
The FISMA assessment for fiscal year 2011, which ended Sept. 30, identified significant deficiencies in access controls, configuration management and continuous monitoring controls, as well as in the service continuity practices intended to safeguard mission-critical systems from unauthorized access, alteration or destruction.
VA didn't fully implement security control standards, including complex password policies on all servers and network devices, the auditor said. The IG identified weak or default user account credentials on critical systems. VA failed to implement procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms and Web applications throughout the department, the audit said.
More than 15,000 outstanding system security risks, along with their corresponding plans of action and milestones to improve the department's overall IT security posture, have yet to be remediated, according to the audit.
The IG presented 31 recommendations to improve VA's information security program and recommended that the department's CIO implement comprehensive procedures to mitigate security vulnerabilities affecting its mission-critical systems.
VA Assistant Secretary for Information and Technology Roger Baker, the department's CIO, concurred with the IG findings, saying Veterans Affairs takes the protection of veteran data very seriously. "VA has embarked on a cultural transformation with the implementation of the Continuous Readiness in Information Security Program," Baker said in a written response to the audit, referring to a new operating model aimed at protecting veterans' private and sensitive information.
CRISP takes an integrated approach to protecting sensitive information from inappropriate exposure or loss, Baker said. "Securing information is everyone's responsibility and that cohesive theme will become interwoven into the normal fabric of operations across VA," he said. "CRISP is a secretarial priority to achieve and sustain continuous readiness in information security department-wide."