VA fails cybersecurity audit for 16th straight year

The U.S. Department of Veterans Affairs, which failed its Federal Information Security Management Act Audit for Fiscal Year 2014, is taking major steps to fix its cybersecurity in the wake of increasing scrutiny over vulnerabilities and cyberdeficiencies at the agency, according to an article at Federal News Radio.

This marks the 16th consecutive year the VA has failed the cybersecurity audit, according to the article. While the audit found that the agency has made progress in creating security policies and procedures, it also determined that problems remain in implementing its security risk management program.

"Weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases, and network devices," the report reads. "VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database, and server platforms VA-wide."

The Government Accountability Office also recently criticized government agencies, including the VA, for their lax security. Among the problems cited in a report in April: The VA's Office of Inspector General reported that two VA contractors had improperly accessed the VA network from foreign countries using personally owned equipment.

That's in addition to a report GAO previously had released in November saying that while the VA had taken action to address previously identified IT vulnerabilities, it did not do enough to prevent future problems.

VA CIO Stephen Warren told Federal News Radio that despite the agency's recent work to shore up its security, "there were areas where the intensity wasn't where it needed to be."

Warren added that the VA has transitioned Dan Galick into the role of operation security manager to oversee info security officers at VA facilities as well as the security operations center.

Reaching out to VA hospitals and regional offices to keep security at the forefront will be an everyday activity, Galick told FNR.

In February, the VA asked for $180 million in its fiscal 2016 budget request to boost its cybersecurity efforts, about $24 million more than it has previously requested.

One recent silver lining for the VA: The number of veterans impacted by data breaches fell by 65 percent in March compared to February.
