VA may have bent the rules for iPads, iPhones

The Veterans Affairs Department approved iPhones and iPads for its network last year while partially avoiding a particular FISMA requirement, according to a new audit.

A new federal audit claims that Veterans Affairs Department Chief Information Officer Roger Baker may have bent information security rules in deploying iPhones and iPads at the VA in October 2011.

But the auditor concluded that Baker’s methods complied with federal information security requirements.

The May 15 audit was just published by Linda Halliday, assistant inspector general for audits and evaluations in the VA Office of Inspector General.

It was sparked by a confidential hotline complaint in September 2011 claiming that the VA was circumventing the Federal Information Security Management Act (FISMA) and other federal rules for information security with regard to Apple mobile devices approved for use on the VA network.

The inspector general also was asked by Sen. Jon Kyl (R-Ariz.) to evaluate whether the VA’s approach regarding storage of sensitive data without “FIPS 140-2” hardware encryption would meet FISMA requirements.

The inspector general auditors “partially substantiated” the allegation that the VA was deploying Apple mobile devices without the FIPS 140-2 hardware encryption required under FISMA. However, Baker took “compensating” measures to protect the sensitive information, the report said.

As a result, the auditor concluded that Baker’s approach to information security met the FISMA requirements, although there were some deficiencies in inventory management and controls.

“VA deployed more than 200 Apple iPhones and iPads with encryption that was not FIPS 140-2 certified,” Halliday wrote. “Compliance with the FIPS 140-2 standard is mandatory when agencies specify they will use cryptographic-based security systems to protect sensitive or valuable data. As a compensating control, VA used a FIPS 140-2 certified security application named 'Good' from Good Technology to encrypt application data such as emails, calendars, and contacts residing on the mobile devices.”

Using the certified application was deemed a satisfactory solution, the report said.

“We determined that VA’s approach of allowing only FIPS 140-2 certified applications to access or store sensitive encrypted data on the mobile device met FISMA requirements for data protection,” Halliday wrote.

However, the report also noted that VA could improve its security controls and systems management by maintaining an accurate inventory, and by configuring devices consistently.

Halliday made two recommendations for change, and Baker agreed with both of them, the report said.