2 Images of VA IT Security Emerge at Hearing
Auditors: VA IT Vulnerable to Fraud, Sensitive Data Disclosures
VA Chief Information Officer Roger Baker highlighted improvements the department has made in addressing IT security concerns. But auditors from the Government Accountability Office and the VA's inspector general gave grim assessments.
The hearing of the House Veterans Affairs Subcommittee on Oversight and Investigations largely focused on IT systems development and collaboration with the Department of Defense on efforts to meet common health system needs. Still, at times and in prepared testimony, the hearing dealt with IT security.
"Our achievements on visibility to the desktop and our medical device isolation architecture put us well ahead of most federal organizations, and on par with well managed private sector organizations," Baker said in his prepared testimony. "Our ability to provide immediate response to vulnerabilities and threats within our enterprise, as well as enacting a proactive approach to centralized monitoring, reporting, compliance validation and providing maximum service availability, is quickly establishing VA as a model of excellence for the rest of the federal government."
In his testimony, Joel Willemssen, the GAO's managing director for information technology, sounded a bit exasperated with VA's IT security efforts, saying that for more than a decade, VA has faced long-standing information security weaknesses as identified by GAO, VA's Office of the Inspector General, VA's independent auditor and the department itself. "The department continues to face challenges in maintaining its information security controls over its systems and in fully implementing the information security program required under the Federal Information Security Management Act of 2002," he said. "These weaknesses have left VA vulnerable to disruptions in critical operations, theft, fraud and inappropriate disclosure of sensitive information."
Subcommittee Chairman Bill Johnson, R-Ohio, asked the auditors to identify the biggest obstacle VA faced in getting IT security in order. Belinda Finn, VA assistant inspector general for audits and evaluations, responded: VA's centralized IT organization. "You still need to have consistent implementation and discipline out at many facilities," she said. "Your security is only as good as each individual location, and is really a cumbersome process to identify all of the issues, and have the command and control structure needed from Washington to make sure that all of the fixes are made and updated, because information is a daily requirement. You have to keep the patches, you have to keep the passwords ... the fact that you have to keep up with it every day, in that environment."
Johnson also asked the auditors about VA's cloud computing initiatives.
Willemssen reminded the panel that GAO last year issued a report that raised concerns about federal cloud computing plans that lacked guidance regarding security, though he said the Office of Management and Budget has since disseminated some guidance on cloud security. Still, he expressed reservations about securing VA data in the cloud. "For an organization that has much sensitive data, (VA) will have to make that move very carefully, and a lot of controls in place with the provider of the service."
Witnesses gave their testimony in two separate panels: the first one spotlighted Baker and the second one featured Willemssen and Finn, so Baker didn't get to respond to the auditors' observations.
In his testimony, Baker contended VA is ahead of the curve in cloud computing. "We expect to increase efficiency through secure remote access to files and programs," he said, citing a large-scale, successful cloud program in the Post 9/11 GI Bill, with another starting development for the veterans benefits management system.