GAO: VA deficient in security controls, information at risk
The Department of Veterans Affairs (VA) needs to resolve long-standing deficiencies in securing its information and systems, according to a report from the Government Accountability Office (GAO).

Asked to testify on VA's progress in implementing information security and the department's compliance with the Federal Information Security Management Act of 2002 (FISMA), the office analyzed prior GAO reports, as well as reports from the Office of Management and Budget, the VA's Office of Inspector General and the VA related to the department's information security program from 2006 through 2009.

In September 2007, GAO reported that VA had begun or continued several initiatives to strengthen information security practices within the department, but that shortcomings in the implementation of those initiatives could limit their effectiveness. Seventeen recommendations were made for improving the department's information security practices.

“We verified that VA had implemented five of those recommendations, including developing guidance for the information security program and documenting related responsibilities,” GAO reported. “VA has efforts under way to address 11 of the remaining 12 recommendations.”

According to the GAO, the VA was deficient in five categories of information security controls: access control; configuration management; segregation of duties; contingency planning; and security management.

Furthermore, the GAO cited VA's fiscal year 2009 performance and accountability report, in which the independent auditor stated that the department continued to make progress, although IT security and control weaknesses remained pervasive and continued to place VA's program and financial data at risk. The auditor noted the following weaknesses:
  • Passwords for key VA network domains and financial applications were not consistently configured to comply with agency policy;
  • Testing of contingency plans for financial management systems at selected facilities was not routinely performed and documented to meet the requirements of VA policy; and
  • Many IT security control deficiencies were not analyzed and remediated across the agency and a large backlog of deficiencies remained in the VA plan of action and milestones system.

“The need to implement effective security is clear given the history of security incidents at the department,” stated the report. “VA has reported an increasing number of security incidents and events over the last few years. Each year during fiscal years 2007 through 2009, the department reported a higher number of incidents and the highest number of incidents in comparison to 23 other major federal agencies.”

Since 2006, VA's progress in implementing the information security program required under FISMA has been mixed, according to the office's report. From 2006 to 2009, the department reported a dramatic increase in the percentage of systems for which a contingency plan was tested. However, during the same period, the department reported a decrease in the percentage of employees who had received security awareness training.

"Until VA fully and effectively implements a comprehensive information security program and mitigates known security vulnerabilities," concluded GAO, "its computer systems and sensitive information will remain exposed to an unnecessary and increased risk of unauthorized use, disclosure, tampering, theft and destruction."