Data breaches

Congress still awaiting IT security answers from VA


CIO Stephen Warren is the only VA official who has responded to a series of inquiries from Congress seeking insight into the agency's IT security.

A month after responses were due to Congress from the Department of Veterans Affairs regarding more than 100 questions on IT security practices, the House Veterans' Affairs Committee still hasn’t received satisfactory answers.

Beginning Oct. 22, the committee delivered a series of inquiries to VA's Office of Information and Technology after conflicting testimony from high-level VA officials and concerns about at least nine state-sponsored data breaches. The lawmakers' request included questions about how VA safeguards more than 20 million veterans' personally identifiable information.

To meet the tight deadline, VA officials directed a small segment of the 8,000 OIT employees to answer the inquiries while banking on additional help from VA's Office of Inspector General.

On Nov. 8, VA Secretary Eric Shinseki informed Rep. Mike Coffman (R-Colo.), chairman of the Oversight and Investigations Subcommittee, that he had asked the IG's office to expand its 2013 Federal Information Security Management Act (FISMA) audit to include the questions. Four days later, the IG's office said it could not do so because the audit had already been completed, and expanding its 2014 audit would require modifying its audit contract.

Capitol Hill officials with knowledge of the inquiries told FCW that the committee has received only one response. Those answers and documentation came Nov. 22 from VA CIO Stephen Warren to Coffman.

In his response, Warren states, "VA will continue to work to provide information that is responsive to the subcommittee's requests." He included a general outline of VA's policies and practices regarding security vulnerabilities and Web applications and added that VA had complied with FISMA despite skepticism from Congress and critical reports from oversight bodies.

In addition, Warren countered Coffman's categorization of VA as a "compromised environment" after it became known that multiple actors had penetrated VA networks since March 2010.

"VA followed its established standard operating policies and procedures to maintain system integrity," Warren said. "All known computers possibly subject to the incidents were removed from the network and cleaned. Usernames and passwords were reset for all suspected affected users."

Warren's response alerted Congress that VA OIT's security posture had been raised to "elevated" effective Nov. 21 after "an increased number of incidents reported to VA from [the U.S. Computer Emergency Readiness Team], the annual security risks that accompany the holiday season and the public's recent interest in VA's information security posture."

OIT's security posture is assessed under the Information Operations Condition (InfoCon) system. It works like an alerting system, with higher threat levels calling for a higher level of vigilance.

VA's current designation of "elevated" means systems are at greater risk than those at "guarded" or "normal" levels but at less risk than those at "severe" or "critical" levels. Elevated security postures result from a significant number of network probes, scans or activities that indicate patterned reconnaissance; incidents that affect enterprise systems; or intelligence that suggests an imminent attack against senior management units.

It is unclear how long VA will remain at the elevated threat level, but Warren wrote that top officials will consult with VA's Network Security Operations Center to make InfoCon determinations going forward.

A VA spokesperson said VA will continue to provide information to the committee while it awaits the results of an independent audit.

About the Author

Frank Konkel is a former staff writer for FCW.
