VA Fails Cyber Audit Again

The Department of Veterans Affairs is still too slow to respond to cyberincidents, does not consistently review security logs for mission-critical systems and is plagued by weak passwords.

A March 15 report from the VA Office of the Inspector General concluded information security at VA remains a “material weakness” -- essentially a failing grade.

Overall, the report -- conducted by auditing firm CliftonLarsonAllen LLP under a contract with the IG -- tallied up some 9,500 previously identified system security risks VA had still not resolved.

Despite improvements in recent years, auditors said the agency is still burdened with “significant deficiencies” surrounding basic security practices designed to protect mission-critical systems.

The report contains 35 recommendations for improving VA’s handling of information security, including six new ones.

VA Chief Information Officer LaVerne Council, who joined the agency last summer, concurred with the IG’s findings.

VA, according to its fiscal 2017 budget request, also wants to more than double its budget for information security next year -- from $180 million to $370 million -- in part to support a new cybersecurity plan Council rolled out last fall.

Both Council and Deputy Assistant IG for Audit and Evaluations Brent Arronte are slated to appear before the House Oversight and Government Reform Committee today for a hearing on VA’s handling of IT management and cybersecurity.

Among the weaknesses identified by the IG report:

Incident Response: “Our audit continued to identify numerous high-risk cyber security incidents, including malware infections that were not remedied in a timely manner,” the report stated. That included some malware infections that took VA more than 30 days to fix.

That’s actually an improvement from the previous year, the IG said but noted the processing for tracking “higher-risk tickets remained inefficient” for most of the last fiscal year and some cyberincidents were not remedied.

Lack of logs: "VA did not consistently review security violations and audit logs supporting mission-critical systems,” the report noted.

Most VA facilities did not have systems properly configured to track activity, which is crucial for detecting intruders and “reconstructing” security incidents.”

Identity and access management: The IG continued to turn up weak passwords on major databases, applications and devices at most VA facilities, according to the report.

In addition, VA still lacks a consistent process for managing remote access to VA networks because multifactor authentication has still not been fully rolled out across the department, the IG noted.

This is the 16th year in a row that VA’s handling of information security has been cited by the IG as a “material weakness.”

The department’s cyber woes went into overdrive in the summer of 2013 when it was revealed during congressional testimony that foreign state actors had repeatedly breached VA networks going back to at least 2010. A six-month independent audit by private cyber firm Mandiant later concluded no data theft had taken place.