FISMA noncompliance leaves VA vulnerable

An inspector general audit has revealed that the Veterans Affairs Department’s failure to fully comply with the Federal Information Security Management Act has resulted in more than 15,000 outstanding security risks.

The fiscal year 2011 performance audit examined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. Although VA has made progress in creating policies and procedures, certain practices still fail to meet FISMA requirements.

Substantial inadequacies were discovered in areas related to access controls, configuration management controls, continuous monitoring, and service continuity practices. VA also has not effectively implemented procedures to identify and remediate system security flaws on network devices, database and server platforms, and web applications.

Deficiencies were also found in VA’s reporting, managing, and closing of plans of action and milestones (POA&M). More than 15,000 outstanding POA&M actions must be completed to remediate risks and strengthen the agency’s information security posture, the IG said; otherwise VA will not be able to ensure the protection of its systems throughout their life cycle.

The IG report underscores a larger governmentwide compliance issue. A March 7 review by the Office of Management and Budget showed that only seven of 24 agencies are more than 90 percent compliant with FISMA directives.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Wed, Apr 18, 2012 Security Compass DC

Regarding the referenced Continuous Monitoring score for VA, all that report shows is that assets are being scanned and managed in an automated fashion. Unfortunately, it does not show the whole picture; for example, the number of high vulnerabilities, how long those vulnerabilities have existed, the risk score of each of the vulnerabilities, etc. As a whole, once the government gets to this level of reporting, then we'll have good Continuous Monitoring metrics.

Thu, Apr 12, 2012 Jeff Lowder (@agilesecurity)

I think the word "risk" is being misused here. I'm sure there are 15,000 audit findings, gaps, items of non-compliance, etc. But to call each of those items 'risks' assumes that each 'risk' has been explicitly linked to a business consequence or impact. I could be wrong, but I doubt that anyone has done that for 15,000 items.

For a related point, please see https://www.societyinforisk.org/content/ESCRMM-feedback where I point out a similar misuse of the word "risk" by the DOE.

Mon, Apr 9, 2012 OccupyIT

VA IT is like the 16th century Vatican. I've seen more faith-based decision making than anywhere else in the USG. Political decisions, turf battles, and a** covering drive everything. Feed the favorites and squash overachievers because it makes everyone else uncomfortable... It's like OPM but with way more money to waste.

Mon, Apr 9, 2012 Jack

But hey, VA rocked a 100% on its continuous monitoring score so we should ignore the rest of this silliness... right? http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy11_fisma.pdf VA's IG must be one of those that "don't get it" unless of course there is some value in the "paperwork" exercises like POAMs.

Sat, Apr 7, 2012 Just curious

Anyone know what vendor supports the VA A&A requirements?