Cyber gets a boost in VA budget request

The Department of Veterans Affairs, which failed its most recent security audit, is seeking a 16 percent increase in its information security budget for fiscal 2016, as it looks to tighten up controls on the sensitive data of America's veterans.

The VA wants a boost in information security spending from $156 million in 2015 to $180.3 million. The information security budget includes network security, wireless and mobile security, security incident response, as well as related areas records management, privacy, and Freedom of Information Act request processing. It also includes the VA's Continuous Readiness in Information Security Program (CRISP), which is a centralized program to perform IT security updates, manage and configure devices, test applications, and provide training.

Some of these areas overlap with cybersecurity functions, but as a line item, cyber accounts for $53 million of the $180.3 million for information security. That's also a 16 percent increase over fiscal 2015. But even that doesn't get at the true cost of beefing up security at VA.

"Cybersecurity is a team sport," VA CIO Steph Warren said on a conference call with reporters. "We've got dollars identified in the budget that are new tools or new processes, but every single VA employee, and more importantly, the ones out at the medical centers, a large part of their job is doing cyber support and doing activities and actions that are necessary to secure the enterprise."

The Department of Homeland Security is also part of the team. DHS’s $480 million network security service -- including Einstein 3 -- sits outside the VA network, doing deep packet inspection on incoming and outgoing traffic, identifying intrusions, malware, and other attacks. VA is also part of an operations center run by the Department of Health and Human Services in Atlanta that monitors vulnerabilities on connected medical devices.

VA has had some bright spots in security of late. Despite failing the internal audit conducted by the inspector general, an executive summary of a report commissioned from Mandient found that VA was doing a good job of blocking malicious traffic. The VA's January security report indicated that departmental defenses blocked more than 14 million intrusion attempts, 76.4 million suspicious emails, and more than 670 million individual pieces of malware.

The cyber boost is a small piece of the VA's overall $4.1 billion IT budget request – a 6 percent increase over the $3.9 billion spent in fiscal 2015. The biggest chunk of that request -- $2.5 billion – goes to operations and maintenance. That includes replacing old hardware, and a major upgrade to the VA's phone system, which is being put on a cloud-based, Internet protocol platform as part of a 10-year plan that is in the pilot phase. The VA's $505 million proposed budget for new deployments includes $76 million for a new scheduling system, $160 million for the VISTA Evolution project to upgrade its electronic health record, and $20 million for mobile app development, including building a mobile video telehealth capacity.