GAO: VA, other federal agencies, must address cybersecurity weaknesses

Much work remains at federal agencies, including the U.S. Department of Veterans Affairs, to shore up systems against persistent cyberthreats, according to the Government Accountability Office (GAO).

"Until agencies take actions to address these challenges--including the hundreds of recommendations made by GAO and inspectors general--their systems and information will be at increased risk of compromise from cyber-based attacks and other threats," Gregory C. Wilshusen, director of information security issues for the GAO, said in testimony before the House Committee on Oversight and Government Reform.

Among the problems cited in the report: Just this month, the Department of Veterans Affairs (VA) Office of Inspector General reported that two VA contractors had improperly accessed the VA network from foreign countries using personally owned equipment.

Challenges facing the government's approach to cybersecurity, include:

  • Implementing risk-based cybersecurity programs
  • Securing building and access control systems
  • Overseeing contractors
  • Improving incident response

For fiscal year 2014, 19 of the 24 federal agencies reported deficiencies in information security control in their financial reporting. Most of the agencies had weaknesses in five key security control categories: Access control, configuration management, segregation of duties, continuity of operations and security management.

In April 2014, the GAO reported that the 24 major agencies did not consistently demonstrate that they had been effectively responding to cyberincidents.

The VA just this month reported that number of veterans affected by data breaches fell by 65 percent in March compared to February.

The GAO criticized the VA in a November report, saying that while the agency had taken steps to address previously identified IT vulnerabilities, it has not done enough to prevent future problems.

The VA "continues to face long-standing challenges in ... implementing its information security program," Wilshusen told a Veterans' Affairs' subcommittee a year ago.

A study from The Brookings Institution in February termed the cybersecurity preparedness at Health and Human Services and other federal agencies "abysmal."

To learn more:
- read the testimony (.pdf)