Data breaches

Congress still awaiting IT security answers from VA


CIO Stephen Warren is the only VA official who has responded to a series of inquiries from Congress seeking insight into the agency's IT security.

A month after responses were due to Congress from the Department of Veterans Affairs regarding more than 100 questions on IT security practices, the House Veterans' Affairs Committee still hasn’t received satisfactory answers.

Beginning Oct. 22, the committee delivered a series of inquiries to VA's Office of Information and Technology after conflicting testimony from high-level VA officials and concerns about at least nine state-sponsored data breaches. The lawmakers' request included questions about how VA safeguards more than 20 million veterans' personally identifiable information.

To meet the tight deadline, VA officials directed a small segment of the 8,000 OIT employees to answer the inquiries while banking on additional help from VA's Office of Inspector General.

On Nov. 8, VA Secretary Eric Shinseki informed Rep. Mike Coffman (R-Colo.), chairman of the Oversight and Investigations Subcommittee, that he had asked the IG's office to expand its 2013 Federal Information Security Management Act (FISMA) audit to include the questions. Four days later, the IG's office said it could not do so because the audit had already been completed, and expanding its 2014 audit would require modifying its audit contract.

Capitol Hill officials with knowledge of the inquiries told FCW that the committee has received only one response. Those answers and documentation came Nov. 22 from VA CIO Stephen Warren to Coffman.

In his response, Warren states, "VA will continue to work to provide information that is responsive to the subcommittee's requests." He included a general outline of VA's policies and practices regarding security vulnerabilities and Web applications and added that VA had complied with FISMA despite skepticism from Congress and critical reports from oversight bodies.

In addition, Warren countered Coffman's categorization of VA as a "compromised environment" after it became known that multiple actors had penetrated VA networks since March 2010.

"VA followed its established standard operating policies and procedures to maintain system integrity," Warren said. "All known computers possibly subject to the incidents were removed from the network and cleaned. Usernames and passwords were reset for all suspected affected users."

Warren's response alerted Congress that VA OIT's security posture had been raised to "elevated" effective Nov. 21 after "an increased number of incidents reported to VA from [the U.S. Computer Emergency Readiness Team], the annual security risks that accompany the holiday season and the public's recent interest in VA's information security posture."

OIT's security posture is assessed under the Information Operations Condition (InfoCon) system. It works like an alerting system, with higher threat levels calling for a higher level of vigilance.

VA's current designation of "elevated" means systems are at greater risk than those at "guarded" or "normal" levels but less than those at "severe" or "critical" levels. Elevated security postures result from a significant number of network probes, scans or activities that indicate patterned reconnaissance; incidents that affect enterprise systems; or intelligence that suggests an imminent attack against senior management units.

It is unclear how long VA will remain at the elevated threat level, but Warren wrote that top officials will consult with VA's Network Security Operations Center to make InfoCon determinations going forward.

A VA spokesperson said VA will continue to provide information to the committee while it awaits the results of an independent audit.


Reader comments

Wed, Dec 11, 2013

Any update on this? I sure would love it if Frank could confirm that the VA is still dragging their feet.

Mon, Dec 9, 2013

I am no fan of oversight committees and their know-it-all staff and members. However, the VA and particularly Steph Warren have a history of blowing off anyone who questions their operation. I predict they will provide the same runaround they always have and pretend everything is okay.

Sat, Dec 7, 2013

You must be kidding, Congress. As long as you deal with Warren, you're dealing with a man who has no intent to answer anything you ask! OIT hasn't done a thing differently to be more vigilant, trust me, this is a joke (on you). Like the SECVA, Warren has his next gig lined up and they're here to take the blows on their way out. Wake up, these folks have been on their way out the door for a long time, so your requests mean nothing to them. They're just stalling! Look at how the SECVA couldn't find somebody to be the VACIO. Put the puzzle together, you need to ramp up the pressure on these two frauds if you want answers. And while you're at it, please rid the VA of the rest of the recent SES frauds they've hired into IT positions. Those people have no clue what the VA does, or what VA's IT does to support VHA's mission, so they are as useless as Warren. Please force them out.

Sat, Dec 7, 2013 JimS North Carolina

The Only Government Branch, the Executive and its entire Cabinet, federal and states, consistently not only doing for us Vets but the Military personnel and their Families, Finally, from day one, started even before, and the first oath to office!!! The Country, through their representatives certainly aren't, the long underfunded, decades now and especially the past decade plus: RM: "We got a huge round of tax cuts in this country a few weeks before 9/11. Once 9/11 happened and we invaded Afghanistan, we kept the tax cuts anyway. How did we think we were going to pay for that war? Did we think it was free? Then, when we started a second simultaneous war in another country, we gave ourselves a second huge round of tax cuts. After that second war started. The wars, I guess, we thought would be free, don't worry about it, civilians. Go about your business." 23 May 2013 "If military action is worth our troops’ blood, it should be worth our treasure, too" "not just in the abstract, but in the form of a specific ante by every American." -Andrew Rosenthal 10 Feb. 2013 "12 years also is a long time. We now have a lifetime responsibility to a generation of service members, veterans and their families." Dr. Jonathan Woodson 11 Sep. 2013: With 9/11 Came Lifetime Responsibility As those hawks and oh so patriotic supporters love their wars for free, especially the decades of results from!! USN All Shore '67-'71 GMG3 Vietnam In Country '70-'71

Sat, Dec 7, 2013 Concerned Citizen

Just a thought - does the VA have anyone in charge of Configuration Management? I don't think so. If CM were a top priority, you would greatly reduce current and future anomalies.
