News Feature | April 11, 2016

As VA Fails Yet Another Audit, Their Only Hope For Cybersecurity May Lie In The Cloud


By Christine Kern, contributing writer


This is the 16th consecutive year the VA has failed its security audit.

According to a report from the VA Office of the Inspector General, the VA still suffers serious challenges to information security that threaten its operations. The audit found that, while the VA has made some progress in creating policies and procedures, serious challenges still remain in “implementing components of its agency-wide information security continuous monitoring and risk management program to meet FISMA requirements.” The audit also identified “significant deficiencies” in regard to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.

That means the VA was given a failing grade, yet again. The audit was conducted by auditing firm CliftonLarsonAllen LLP, and the report found approximately 9,500 unresolved system security risks that had been previously identified. The report also outlined 35 recommendations to improve the VA’s handling of information security, six of which were new, Next.gov reported.

Among the deficits noted by the report is that the VA is not monitoring all of its external network interconnections and internal network segments for malicious traffic or unauthorized access attempts, according to Meritalk. Additionally, the audit found the agency cannot detect unauthorized scans of internal networks. Significantly, during a single field audit, teams created a User Datagram Protocol — Virtual Private Network tunnel that managed to exfiltrate 54 megabytes of data from both the Network Security Operations Center and a medical center.

One agency source, who wished to remain anonymous, told Meritalk the majority of the agency’s cybersecurity weaknesses are a direct result of the decision to centralize VA’s IT management and security oversight at its Washington, D.C. headquarters. One VA insider told Meritalk that the centralization effort was not supported by the agency’s frontline IT staff. “IT should be a service that is plugged into, and that has not happened yet. IT should never have been separated from the businesses,” the source said, referring to the agency’s medical centers and field offices. One solution would be for the agency to move to the cloud faster in the midst of its current cybersecurity challenges, making it more able to reassert positive control over its many disparate networks and centers, the source added.

“In the last 20 years, they have been moving the data centers from hospitals to ‘area’ data centers, and people got higher paying jobs because they were no longer just managing one hospital or [Veterans Integrated Service Network-VISN], they were becoming area managers, so VA was creating its own ‘cloud’ outside of the hospital settings,” an agency source said. But those clouds have not been playing by the same rules. “If VA can move more of its services to a centrally-managed cloud infrastructure, security should improve.”

This shift to the cloud has been resisted by many agencies. As Business Solutions Magazine reported last year, only 41 percent of federal agencies were considering cloud as part of their overall IT strategy, revealing that despite the potential savings and heightened cybersecurity of cloud offerings, federal agencies are dragging their feet in the migration to cloud services.