The audit comes as good news for the department, which historically has struggled to manage its technology systems.
Mobile devices are creating new cybersecurity risks for agencies across government, but the Veterans Affairs Department is doing a good job protecting the thousands of devices in its ecosystem, according to an internal watchdog.
Today, the department is responsible for managing more than 50,000 mobile devices, many of which contain sensitive personal information on veterans. As such, the consequences of an intrusion could be devastating. But a recent VA Inspector General audit found the agency had largely succeeded in closing security gaps within its mobile network.
The Office of Information Technology’s “security practices for mobile devices generally mitigated security control weaknesses associated with mobile devices used in VA’s network infrastructure,” auditors said in a report published Tuesday.
According to the IG, the agency’s security practices met the federal requirements for four of the five categories the Government Accountability Office uses to assess IT security: security management, access controls, segregation of duties and contingency planning. Auditors found the department still had room for improvement in the fifth category, configuration management.
By relying on a single vendor—Apple—to provide all the department’s devices, officials avoided many of the vulnerabilities that come with managing a more diverse mobile ecosystem, auditors said. The agency also relies on a single mobile device management platform, which lets officials easily control the security protocols and access credentials on each of those devices, they said.
While the feedback was generally positive, auditors highlighted a few gaps in the agency’s configuration management practices.
Today, IT personnel have no way to enforce bans on mobile applications that contain malware or other vulnerabilities, the IG said, and they don’t have tools to automatically update devices when new software is released. This lack of configuration management tools could “lead to premature or late updates, unusable applications or lingering security vulnerabilities,” auditors said.
The department also doesn’t certify that employees complete annual security awareness training.
The IG advised the agency to take steps to prevent illicit application downloads, adopt tools to allow for automated software updates and verify employees complete security training. VA officials agreed with all three recommendations.