VA security still in recovery mode

Department officials emphasize progress in enforcing their IT security policies

New PCs to regulate policies

The Veterans Affairs Department is replacing employees’ aging desktop PCs with Dell computers and is participating in the Microsoft Technology Adoption Program for System Center Configuration Manager to increase security.

The standard desktop PCs are equipped with Intel's vPro technology, whose Active Management Technology component provides an out-of-band management channel that works independently of the operating system. That lets VA manage the desktops through Microsoft System Center even when the PCs are powered down, said Charles De Sanno, executive director of VA's Enterprise Infrastructure Engineering and Northeast Operations.

“The predictable device and standardization is the first major step in securing the enterprise,” De Sanno said.

The desktop PCs carry VA's standard image, which will evolve to include all standard desktop applications and system settings and will comply with the Office of Management and Budget's Federal Desktop Core Configuration and the industry-standard Electronic Product Environmental Assessment Tool (EPEAT).

— Mary Mosquera

In February, when someone stole a laptop PC belonging to the Veterans Affairs Department, the consequences were negligible because the department had revamped its information security policies and technologies after a widely publicized laptop theft in 2006.

VA has made measurable progress in strengthening its information security policies, procedures and applications, but advances have come slowly because of VA’s decentralized organization, said Robert Howard, VA’s chief information officer. VA remains in the public eye because of the 2006 laptop incident.

The theft exposed VA to criticism from the public and the Government Accountability Office. GAO, in a September 2007 report, sharply criticized the VA for making only partial progress in adhering to recommendations that GAO and the VA inspector general issued after the theft. That report identified “sustained management commitment and oversight” as a critical need.

Howard said that since the theft, VA has created a comprehensive plan of 400 actions, 40 percent of which the department has completed so far. The actions include establishing policies and directives, procuring more secure software and hardware, and instituting better training. Although the department has not yet reached all the milestones Howard would like, the CIO's office now has direct oversight of about 7,000 IT employees.

“Clearly, [increasing] the centralization of information and information technology within VA has had a positive impact on the protection of sensitive information,” Howard said at a recent event sponsored by AFCEA International’s Washington chapter.

VA has introduced stronger security controls as part of its plan to improve security and comply with directives from the Office of Management and Budget to protect personally identifiable information. The department has encrypted data on all its laptops and required physicians and other partners and contractors who use their personal computers to handle sensitive VA data to encrypt it.

VA published a new handbook, which describes for all managers and employees its information protection policies, processes and procedures to comply with the Federal Information Security Management Act (FISMA) and other federal laws. The handbook includes the National Rules of Behavior, a document that employees must read and sign before they receive access to VA’s systems and sensitive data.

Although the department performed poorly in the latest survey of compliance with FISMA, Howard said he expects that to change this year.

VA’s IG assessed the department’s certification and accreditation of systems security as poor in fiscal 2007.

By Sept. 30, VA plans to finish redesigning its certification and accreditation process to assess the security of its systems, Howard said. The department will switch from a checklist approach to continuous monitoring and security-controls testing.

VA will assess all 600 of its major systems this year. Starting in 2009, VA will certify and accredit one-third of its systems each year, said Adair Martinez, VA's deputy assistant secretary for information protection and risk management. "That will make certification and accreditation more operational," she said, adding that VA has put together a team to focus on C&A.

The department also is prioritizing its plan of action and milestones to fix FISMA weaknesses, and it is producing daily reports on the status of its remediation actions. "We have intense efforts going on to turn around personal accountability, but it will take time," Howard said.

More than 90 percent of VA employees have received security and privacy awareness training, Howard said. By the end of September, the department will complete a departmentwide deployment of the Learning Management System provided under the Office of Personnel Management’s Human Resources Line of Business to track which VA employees and contractors have received security training.

In addition to online training, VA promotes security awareness during an annual computer security week, Martinez said.

VA is also installing new technology that will help employees follow the department's security policies and procedures. In June, the department will finish installing Microsoft's Rights Management Services (RMS), a complement to its public-key infrastructure, to secure e-mail and documents, said Charles De Sanno, executive director of VA's Enterprise Infrastructure Engineering and Northeast Operations in New York.

De Sanno's region has also tested port and device control software, which VA will deploy in all its regions by September. Improvements in secure remote access, including checks for security policy compliance on connecting endpoints at the department's Internet gateways, will be completed in July, De Sanno said. And by the end of September, VA expects to deploy Microsoft System Center to create a standardized infrastructure for patch management.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
