VA fails cybersecurity audit 16 years in a row

Nov 26, 2014

This month the Department of Veterans Affairs underwent its annual cybersecurity audit, and for the 16th time in a row, it failed. The audits are conducted in order to ensure that agencies are meeting the standards set forth in the Federal Information Security Management Act.

The last cybersecurity audit found the VA was facing more than 6,000 security risks. The inspector general purposed 35 actions the department should take to remediate the issues. Officials from the agency believe that 18 of those recommendations have been met, Federal News Radio reported.

While the news of poor security at the VA is troubling on its own, the fact that it comes just after a stream of federal cyber intrusions is especially worrying. Last year it was revealed by Congress that the VA itself has fallen victim to at least eight significant data breaches in the last few years.

“I was disappointed, and I know the team was disappointed given the significant time and effort we applied this year,” said VA CIO Stephen Warren in an interview with Federal News Radio. “But we are going to continue to drive on this. We are going to continue to push so that we move forward on the rigorous, disciplined plan the team has put together so that when the audit team shows up next year, they will continue to see the constant improvement they recognized even this past audit season.”

Working toward a safer agency
While the VA did not pass the audit, the inspector general informed the agency that its vulnerabilities have been reduced by 21 percent, The Washington Post reported. Warren said that the department is creating a plan to help address the remaining issues covered in the most recent audit report. According to Warren, the agency is working on improvements in four key areas: configuration management, access controls, security management and contingency management.

However, officials with the Government Accountability Office have said that there is no proof that the VA made any improvements to its networks since the last audit because there are no records that changes were made or had any effect, according to Federal News Radio.

In an interview with the Post, Warren noted that the VA not only faces a large amount of cyber threats just as any other federal agency does, but also those that would target a healthcare organizations, adding to the number of intrusions that must be stopped on a daily basis. The department is planning to increase its budget for security for 2015, adding $60 million for a total cyber budget of $220 million.

Category: Cybersecurity