GAO: VA needs to up its game with cybersecurity training

Echoing previous calls for federal agencies to improve their cyber incident response practices, a new Government Accountability Office report calls for consistent role-based training. Of the six agencies studied, only Veterans Affairs did not address that issue at all, according to the report.

It looks at the preparedness of six agencies--the VA, Energy, Justice, Housing and Urban Development, Transportation, and NASA--and the assistance provided them by the Department of Homeland Security and the U.S. Computer Emergency Readiness Team (US-CERT).

Though the agencies had developed some aspects of an incident response plan, their policies, procedures and plans were not comprehensive or fully consistent with federal requirements, according to the report.

The VA had only partially defined roles, responsibilities and levels of authority for incident response teams. It had not established performance measures or tested its incidence-response plan.

"If staff do not receive training on their incident response roles, they may not have the knowledge or skills to ensure they are prepared to effectively respond to cyber incidents affecting their agency," the report states.

A previous GAO report warned that the VA is vulnerable to cyber attacks. Yet another report dinged the VA and Centers for Medicare & Medicaid Services for failing to consistently document both an assigned risk level and how that level was determined for breach incidents involving personally identifiable information.

The White House recently announced, however, that Health and Human Services' cybersecurity regulations are sufficient for the task, letting that agency off the hook for adding more.

Meanwhile, a recent White House report warned that more privacy protections may be needed for PII in the electronic age.

To learn more:
- find the report (.pdf)