When the Department of Veterans Affairs introduced iPhones and iPads to its workforce, it sidestepped specific federal security guidelines--but did meet acceptable encryption standards, according to a new federal audit.
Linda Halliday, assistant inspector general for audits and evaluations in the VA Office of the Inspector General, conducted the audit, which stemmed from a confidential hotline complaint in September 2011 that the VA was circumventing the Federal Information Security Management Act (FISMA) and other federal rules for information security in deploying the devices.
Sen. Jon Kyl (R-Ariz.) also asked the inspector general to evaluate whether the VA's practice of storing sensitive data on devices whose hardware encryption does not meet the federal standard FIPS 140-2 satisfies FISMA requirements, Federal Computer Week reports.
Last fall, the VA began a small pilot program with iPads and iPhones--a switch from BlackBerries--among personnel in Washington, D.C. At the time, Roger Baker, CIO of the VA, told Federal Times, "We're being careful not to increase our information breach exposure." He said the Apple devices would have the same level of encryption as other mobile devices used at the VA.
The pilot, which began with 100 Apple devices, has since been ramped up to 1,000 or more devices, according to Government Computer News. In October, just after the pilot began, Baker announced plans to buy as many as 100,000 iPads.
The agency's record makes that caution understandable: in 2006 it was roiled when a laptop and external hard disk were lost, putting at risk the personal information of 26.5 million veterans and active-duty military personnel. That loss led to a sweeping overhaul of IT staff and security procedures within the agency, but it was only the largest of several breaches at the VA.
Halliday found that the VA deployed 200 Apple iPhones and iPads whose built-in encryption was not FIPS 140-2 certified, as federal rules require. But she also found that, as a compensating control, the VA used the FIPS 140-2-certified security application "Good" from Good Technology to encrypt the sensitive data held on the devices, such as emails, calendars, and contact lists, so that the protection of that data does not depend on the device's own uncertified encryption. Halliday found that to be an acceptable solution.
She made two recommendations that Baker accepted: improve security controls by configuring the devices consistently, and maintain an accurate inventory of them.
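The two recommendations describe controls that are easy to state and easy to let drift, so here is an added example (not from the article, the audit, or the VA's own tooling) of the kind of check a security team would run against an MDM export: each device is compared with a configuration baseline, and the set of devices the MDM actually sees is reconciled against the authoritative asset list. The device records, the asset list, the baseline settings and the field names are all constructed for illustration; the "Good" container app and a minimum version are stand-ins for whichever FIPS-validated container an organization actually mandates.

```python
"""Configuration-drift and inventory-reconciliation check for managed mobile
devices. Added example with constructed data; field names are assumptions."""

from dataclasses import dataclass

# Baseline every managed device is expected to satisfy (assumed settings).
BASELINE = {
    "passcode_required": True,
    "data_protection": True,        # device-level encryption switched on
    "container_app": "Good",        # FIPS-validated container app must be present
    "container_min_version": (2, 0, 0),  # assumed minimum validated build
}


@dataclass
class Device:
    serial: str
    model: str
    passcode_required: bool
    data_protection: bool
    apps: dict  # app name -> installed version string


def _version(v):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def check_device(dev, baseline=BASELINE):
    """Return a list of drift findings for one device (empty list = compliant)."""
    findings = []
    if dev.passcode_required != baseline["passcode_required"]:
        findings.append("passcode not enforced")
    if dev.data_protection != baseline["data_protection"]:
        findings.append("device data protection disabled")
    app = baseline["container_app"]
    ver = dev.apps.get(app)
    if ver is None:
        findings.append(f"{app} container app missing")
    elif _version(ver) < baseline["container_min_version"]:
        findings.append(f"{app} version {ver} below validated minimum")
    return findings


def reconcile_inventory(mdm_devices, asset_inventory):
    """Compare what the MDM actually sees with the authoritative asset list.

    'unrecorded'  = enrolled and checking in, but nobody wrote it down.
    'unaccounted' = on the books, but the MDM has no record of it.
    """
    seen = {d.serial for d in mdm_devices}
    known = set(asset_inventory)
    return {
        "unrecorded": sorted(seen - known),
        "unaccounted": sorted(known - seen),
    }


# Constructed sample records (serial numbers are made up).
MDM_DEVICES = [
    Device("DMP1", "iPad", True, True, {"Good": "2.1.0"}),
    Device("DMP2", "iPhone", False, True, {"Good": "1.9.3"}),
    Device("DMP3", "iPad", True, True, {}),
]
ASSET_INVENTORY = ["DMP1", "DMP2", "DMP4"]


def audit(mdm_devices=MDM_DEVICES, asset_inventory=ASSET_INVENTORY):
    """Run both checks and return only the devices that need attention."""
    drift = {d.serial: check_device(d) for d in mdm_devices}
    drift = {serial: f for serial, f in drift.items() if f}
    return {
        "drift": drift,
        "inventory": reconcile_inventory(mdm_devices, asset_inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Run against the sample data, DMP1 is clean, DMP2 is flagged for a missing passcode and an out-of-date container app, DMP3 has no container app at all, DMP3 is enrolled but absent from the asset list, and DMP4 is on the asset list but never checks in. The last two findings are the ones an inventory recommendation is really about: a device the MDM cannot see cannot be confirmed to hold its data inside the validated container.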