VA may have bent the rules for iPads, iPhones

A new federal audit claims that Veterans Affairs Department Chief Information Officer Roger Baker may have bent information security rules in deploying iPhones and iPads at the VA in October 2011.

But the auditor concluded that Baker’s methods complied with federal information security requirements.

The May 15 audit was just published by Linda Halliday, assistant inspector general for audits and evaluations in the VA Office of Inspector General.

It was sparked by a confidential hotline complaint in September 2011 claiming that the VA was circumventing the Federal Information Security Management Act (FISMA) and other federal rules for information security with regard to Apple mobile devices approved for use on the VA network.

The inspector general also was asked by Sen. Jon Kyl (R-Ariz.) to evaluate whether the VA’s approach regarding storage of sensitive data without “FIPS 140-2” hardware encryption would meet FISMA requirements.

The inspector general auditors “partially substantiated” the allegation that the VA was deploying Apple mobile devices without the FIPS 140-2 hardware encryption required under FISMA. However, Baker took “compensating” measures to protect the sensitive information, the report said.

As a result, the auditor concluded that Baker’s approach to information security met the FISMA requirements, although there were some deficiencies in inventory management and controls.

“VA deployed more than 200 Apple iPhones and iPads with encryption that was not FIPS 140-2 certified,” Halliday wrote. “Compliance with the FIPS 140-2 standard is mandatory when agencies specify they will use cryptographic-based security systems to protect sensitive or valuable data. As a compensating control, VA used a FIPS 140-2 certified security application named 'Good' from Good Technology to encrypt application data such as emails, calendars, and contacts residing on the mobile devices.”

Using the certified application was deemed a satisfactory solution, the report said.

“We determined that VA’s approach of allowing only FIPS 140-2 certified applications to access or store sensitive encrypted data on the mobile device met FISMA requirements for data protection,” Halliday wrote.

However, the report also noted that VA could improve its security controls and systems management by maintaining an accurate inventory, and by configuring devices consistently.

Halliday made two recommendations for change, and Baker agreed with both of them, the report said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Reader comments

Wed, Oct 24, 2012 Charles Washington, Dc

Good has not yet received FIPS 140-2 validation for their Apple iOS or Android products. Their validations are only for Palm, Symbian, eCOS and WinCE.

Wed, May 30, 2012 Al

Kinda missed a big point: NONE of the Apple devices are TAA compliant, they are ALL made in China. These products should never have been purchased under a Federal acquisition in any event...

Wed, May 30, 2012 SecurityGuy USA

The issue with the mobile devices is a non-issue. The more important issue, which was essentially glossed over by VAOIG (maybe because they were no longer independent after being given free iPads), is that VA is not compliant with FIPS 200, and now does not intend to be compliant, thus they never have achieved--and never will--the minimum standards of "adequate" information security established by law (FISMA). They are using the premise of "continuous monitoring" as an excuse to avoid securing their systems. As VAOIG stated, "...organizations may choose to eliminate system authorization termination dates if their continuous monitoring programs are sufficiently robust to ensure that continued operations are acceptable based on identified risks..." VA doesn't have a robust continuous monitoring program - they essentially have the same tools they've had for years (antivirus, vulnerability scanning, etc.). Simply having those tools doesn't provide adequate security, as the last 15 years of VAOIG and GAO audits can attest. So now VA creates a new program called "CRISP" and all is good in VAOIG's eyes? Instead, VA is now simply ignoring all of the other security controls and accepting all risk. These risks aren't just to VA's IT leadership - they are borne by all veterans and other VA clients, business partners, etc. VAOIG needs to return the iPads and take a closer look.

Tue, May 29, 2012 JB

Although I agree that the use of Good for Government is a viable solution, I respectfully disagree that unmitigated kudos are deserved. The IG report clearly states that there is no enterprise-wide standard deployment. Furthermore, of the three devices given to the IG for testing, two were in default mode and one did not have encryption engaged for archived data-at-rest. A critical aspect of FIPS 140-2 is the automatic and/or remotely-triggered destruction of compromised data. Leaving devices in default mode without the 140-2 application encryption activated obviously eliminates this protection. That's simply unacceptable in a truly secure environment. To be fair to Good Technology, those are OPSEC issues, not APPSEC issues -- which means they are entirely the fault of VA OIT. An all-too-common problem in IT is the over-reliance on hardware to resolve human errors. That's why FISMA mostly deals with documentation and process, not components.

Tue, May 29, 2012

With GOOD enterprise the device does not actually "store" the data itself. The data is available over a network connection; essentially GOOD acts as a remote connection. The encryption should not be a problem at all; however, I'm not sure what they'd say about whether GOOD was meeting the two-factor authentication requirement for remote connections.
