VA security still in recovery mode

Department officials emphasize progress in enforcing their IT security policies

New PCs to regulate policies

The Veterans Affairs Department is replacing employees’ aging desktop PCs with Dell computers and is participating in the Microsoft Technology Adoption Program for System Center Configuration Manager to increase security.

The standard desktop PCs are equipped with Intel’s vPro technology, which lets VA remotely manage the desktops through the Microsoft System Center even when the PCs are powered down, said Charles De Sanno, executive director of VA’s Enterprise Infrastructure Engineering and Northeast Operations.

“The predictable device and standardization is the first major step in securing the enterprise,” De Sanno said.

The desktop PCs have VA’s standard image, which will evolve to include all standard desktop applications and system settings and comply with the Office of Management and Budget’s Federal Desktop Core Configuration and the industry-standard Electronic Product Environmental Assessment Tool.

— Mary Mosquera

In February, when someone stole a laptop PC belonging to the Veterans Affairs Department, the consequences were negligible because the department had revamped its information security policies and technologies after a widely publicized laptop theft in 2006.

VA has made measurable progress in strengthening its information security policies, procedures and applications, but advances have come slowly because of VA’s decentralized organization, said Robert Howard, VA’s chief information officer. VA remains in the public eye because of the 2006 laptop incident.

The theft exposed VA to criticism from the public and the Government Accountability Office. GAO, in a September 2007 report, sharply criticized the VA for making only partial progress in adhering to recommendations that GAO and the VA inspector general issued after the theft. That report identified “sustained management commitment and oversight” as a critical need.

Howard said that since the theft, VA has created a comprehensive plan of 400 actions, 40 percent of which the department has performed so far. The actions include establishing policies and directives, procuring more secure software and hardware, and instituting better training. And despite not reaching all the milestones Howard would like the department to achieve, the CIO’s office has direct oversight of about 7,000 IT employees.

“Clearly, [increasing] the centralization of information and information technology within VA has had a positive impact on the protection of sensitive information,” Howard said at a recent event sponsored by AFCEA International’s Washington chapter.

VA has introduced stronger security controls as part of its plan to improve security and comply with directives from the Office of Management and Budget to protect personally identifiable information. The department has encrypted data on all its laptops and required physicians and other partners and contractors who use their personal computers to handle sensitive VA data to encrypt it.

VA published a new handbook, which describes for all managers and employees its information protection policies, processes and procedures to comply with the Federal Information Security Management Act (FISMA) and other federal laws. The handbook includes the National Rules of Behavior, a document that employees must read and sign before they receive access to VA’s systems and sensitive data.

Although the department performed poorly in the latest survey of compliance with FISMA, Howard said he expects that to change this year.

VA’s IG assessed the department’s certification and accreditation of systems security as poor in fiscal 2007.

By Sept. 30, VA plans to finish redesigning its certification and accreditation process to assess the security of its systems, Howard said. The department will switch from a checklist approach to continuous monitoring and security-controls testing.

VA will assess all 600 of its major systems this year. Starting in 2009, VA will certify and accredit one-third of its systems each year, said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “That will make certification and accreditation more operational,” she said, adding that VA has put together a team to focus on C&A.

The department also is prioritizing its plan of action and milestones to fix FISMA weaknesses, and it is producing daily reports on the status of its remediation actions. “We have intense efforts going on to turn around personal accountability, but it will take time,” Howard said.

More than 90 percent of VA employees have received security and privacy awareness training, Howard said. By the end of September, the department will complete a departmentwide deployment of the Learning Management System provided under the Office of Personnel Management’s Human Resources Line of Business to track which VA employees and contractors have received security training.

In addition to online training, VA promotes security awareness during an annual computer security week, Martinez said.

VA is also installing new technology that will help employees follow the department’s security policies and procedures. In June, the department will finish installing Microsoft’s rights management system, a complement to its public-key infrastructure, to secure e-mail and documents, said Charles De Sanno, executive director of VA’s Enterprise Infrastructure Engineering and Northeast Operations in New York.

De Sanno’s region has also tested port and device control software, which VA will deploy in all its regions by September. Improvements in secure remote access, including checks for security policy compliance at the department’s Internet gateways, will be completed in July, De Sanno said. And by the end of September, VA expects to deploy Microsoft System Center to create a standardized infrastructure for patch management.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
