GAO assessed the security controls at the VA to determine whether they met the requirements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. GAO determined that the VA had not met all of the framework's requirements and was deficient in five areas: security management, access control, configuration management, contingency planning, and segregation of duties. The VA had reported that it had met only 6 of the 10 cybersecurity performance targets set by the Trump administration and had not yet met the targets for software asset management, hardware asset management, authorization management, and automated access management. The security failures identified by GAO were similar to those found at 18 other government agencies.
As with the other government agencies, modernizing and securing information systems has been a major challenge. Security practices have been put in place, but they have not been applied consistently across the entire agency, and many vulnerabilities remain unaddressed. GAO found that the VA had not consistently mitigated vulnerabilities, had not fully established a cybersecurity risk management program, was not identifying critical cybersecurity staffing needs, and was not effectively managing IT supply chain risks.
In 2016, GAO had recommended 74 actions that the VA needed to take to improve its cybersecurity program and address deficiencies. As of October 2019, only 42 of those recommendations had been addressed. The latest review added a further 4 recommendations for the VA's cybersecurity risk management program, along with one additional recommendation to accurately identify IT/cybersecurity workforce positions. The VA concurred with the GAO recommendations and said it will implement the additional recommendations as soon as possible.
Another report was recently published by VA OIG following a review of the Veterans Benefits Administration’s (VBA) Records Management Center (RMC). The review was conducted to determine whether staff were disclosing third-party, sensitive personally identifiable information (PII).
The decision to stop redacting third-party PII has meant that requests can be processed much faster, but it has also placed many individuals at risk of identity theft. Since those individuals are unaware that their PII is being disclosed, they would not know to take steps to reduce risk.
A sample of 30 Privacy Act responses, drawn from a total of 65,600 requests processed between April 1, 2018 and September 30, 2018, was reviewed. Eighteen of those 30 responses contained the names and Social Security numbers of unrelated third parties. In some cases, the responses included the PII of more than 100 third parties, including the PII of physicians and other people involved in the care of a veteran.