Two watchdog agencies told lawmakers Thursday that the Veterans Affairs Department continues to struggle with cybersecurity issues, despite recent improvements.
Audits have identified numerous information security vulnerabilities—and insufficient attempts to remedy them—at the VA, leaders from the Government Accountability Office and the VA Office of Inspector General said during a hearing with the House Veterans' Affairs Committee's Technology Modernization Subcommittee.
Those challenges aren't unique to the VA, said Greg Wilshusen, the GAO's director of information technology and cybersecurity.
"Where (the VA is) with its information security program is consistent in many ways with many federal agencies," Wilshusen said. "But I also think, in a couple of areas, it may be a bit beneath the others—particularly when it comes to looking at the length of time it has consistently reported a material weakness."
The VA was one of 18 federal agencies that had ineffective information security programs in fiscal 2018, according to a report the GAO released this summer. The report assessed 24 agencies, including HHS and the VA, for compliance with the Federal Information Security Modernization Act, a 2014 law focused on information security in federal agencies.
Fiscal year 2018 marked the 17th consecutive year that the VA had reported severe information security weaknesses, according to Wilshusen. Those weaknesses were particularly pronounced in the agency's security controls for financial systems, including deficiencies in security management, access controls and contingency planning.
"Few agencies, I believe, meet that longevity of that particular weakness," he said.
The OIG offered a similar sentiment.
An audit by the VA Office of Inspector General in March outlined 28 recommendations for the VA to bring its IT safeguards into compliance with FISMA, such as installing timely security patches, system upgrades and system configurations, as well as improving password management for its databases.
"Most of these recommendations are repeated from previous FISMA audits, as VA has yet to adequately address them," said Nick Dahl, deputy assistant inspector general for audits and evaluations at the OIG. "To the extent that VA does not properly manage and secure their IT investments, they can become increasingly vulnerable to misuse."
"The OIG recognizes and appreciates that this is a complex undertaking," he said.
While information security and privacy are challenges across the federal government, they're of particular concern for the VA, as the Veterans Health Administration is one of the nation's largest healthcare systems, with more than 1,200 facilities.
"The protection of VA technology and data is not a hypothetical issue or something that occurs in a vacuum," Susie Lee (D-Nev.) said. "As we encourage veterans to use VA resources … VA must show that it is secure, it can be trusted, and that it has the tools, policies and the leadership to protect veterans' health data and personal information."
The VA's chief information security officer and deputy assistant secretary, Paul Cunningham, joined the agency in January after serving as CISO for the Energy Department.
The VA has struggled to maintain stable IT leadership in recent years, with 10 CIOs since 2004—representing an average tenure of less than two years. That has posed a challenge for some of the VA's technology modernization and innovation efforts.
"I did notice that there was what looked like remains of silos that may have been there in the past," Cunningham said of his thoughts when he joined the VA this year. "There's still some legacy issues that I've noted, particularly around the FISMA reports in FY18 or some of the findings from IG, but I also saw some clever ideas."
One of those ideas involved establishing a risk officer within a new office of quality, process and risk at the VA, who reports on cybersecurity risk to the CIO and the secretary of information, among other tasks.
While acknowledging cybersecurity is challenging, Wilshusen said a particular concern for him is the VA's trouble validating whether it has corrected a vulnerability.
The VA has completed fewer than half of the 74 recommendations the GAO gave the agency in 2016, with 42 remaining unresolved. While the VA has submitted information reporting that it had completed 39 of those 42 unresolved actions, the implementations weren't up to the GAO's standards.
"When we went in and looked at the evidence provided, it wasn't sufficient enough for us to confirm the implementation of that recommendation," Wilshusen said. "Often, it doesn't seem like (the VA) is validating the effectiveness of its corrective actions."
He suggested the VA designate an independent person within the agency to review corrective actions, and confirm whether a vulnerability has been addressed before reporting it to the GAO.