WASHINGTON—While VA is moving swiftly forward with a number of major technology projects, including a new electronic health records system, the agency’s advancements in cybersecurity are progressing at a glacial rate, according to reports from VA watchdogs. This has legislators worrying that, while technological advancement is near the top of VA’s agenda, cybersecurity is much farther down the list.
“Too often, strong leadership in risk management and information security becomes an afterthought or a paperwork exercise done once a year for the FISMA audit,” Rep. Susie Lee (D-NV), chair of the House Veterans Affairs Subcommittee on Technology Modernization, declared at a hearing last month.
FISMA—the Federal Information Security Modernization Act—was signed into law in 2002 and defines a comprehensive framework to protect government information systems from manmade threats. Since then, yearly FISMA audits have been conducted on government agencies by their respective Inspector General offices. Each year, VA’s audit has cited numerous deficiencies in VA’s management of critical systems, access controls and its agencywide security management program.
Maturity Level Ratings for the Cybersecurity Framework Core Security Functions for 24 Major Agencies, including the Department of Veterans Affairs (VA), for Fiscal Year 2018
The last audit conducted by the VA OIG made 28 recommendations, most of which were repeats from previous FISMA audits, VA Deputy Assistant Inspector General Nick Dahl told subcommittee members. Examples of problems found at the agency include not keeping security patches up to date, thereby making VA’s systems vulnerable, and a failure to implement password standards.
“OIG has seen many examples of default passwords and user names or easily guessed passwords,” Dahl explained. This makes it easy for malicious users to gain access to VA systems.
Continue Reading this Article: Particularly Pervasive
