VA promotes teamwork on cybersecurity

The Veterans Affairs Department is improving data security by bringing VA organizations together to share information, Adair Martinez, VA’s deputy assistant secretary for information protection and risk management, has said.

The National Incident Response Core Team acts as a mechanism for enabling business lines to work together on information technology issues, she said June 5 at a meeting of the Information Security and Privacy Advisory Board, which advises the National Institute of Standards and Technology, the Commerce Department and the Office of Management and Budget on information security and privacy issues.

The team includes representatives from the Veterans Health, Veterans Benefits and National Cemetery administrations; the IT division; and VA’s general counsel.

“You can’t do security in pockets,” Martinez said. “You have to do it across the enterprise.”

She has help getting VA organizations to participate. In response to the theft in 2006 of a laptop PC that contained sensitive information about millions of veterans, VA centralized its IT authority and development under the department’s chief information officer, who also has authority to enforce information security policy.

Furthermore, Martinez said, VA is the only department that has its own law governing information security and privacy breaches — the Veterans Benefits, Healthcare and IT Act of 2006, which requires the department to send quarterly report to Congress detailing its information security progress.

The CIO’s office receives daily reports on any incidents that come through its security operations center. The inspector general’s office also has access to the incident database, Martinez said, adding that her team removes personally identifiable information from the incident information before analyzing it and generating weekly reports.

The team meets weekly to review the reports and discuss trends and the potential impact on VA and its individual business lines. The team members then deliver the analysis to their managers, she said.

“We have to get educated together when you look at trends,” she said. “It helps to change culture.”

VA’s information security law and its centralized environment are unlike the experience at most other large agencies, said Ed Meagher, deputy CIO at the Interior Department and formerly VA’s deputy CIO. Agencies typically don’t have a command-and-control environment in which the secretary can mandate activities related to information security, he added.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/Shutterstock.com)

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected