VA promotes teamwork on cybersecurity

The Veterans Affairs Department is improving data security by bringing VA organizations together to share information, Adair Martinez, VA’s deputy assistant secretary for information protection and risk management, has said.

The National Incident Response Core Team acts as a mechanism for enabling business lines to work together on information technology issues, she said June 5 at a meeting of the Information Security and Privacy Advisory Board, which advises the National Institute of Standards and Technology, the Commerce Department and the Office of Management and Budget on information security and privacy issues.

The team includes representatives from the Veterans Health, Veterans Benefits and National Cemetery administrations; the IT division; and VA’s general counsel.

“You can’t do security in pockets,” Martinez said. “You have to do it across the enterprise.”

She has help getting VA organizations to participate. In response to the theft in 2006 of a laptop PC that contained sensitive information about millions of veterans, VA centralized its IT authority and development under the department’s chief information officer, who also has authority to enforce information security policy.

Furthermore, Martinez said, VA is the only department that has its own law governing information security and privacy breaches — the Veterans Benefits, Healthcare and IT Act of 2006, which requires the department to send quarterly report to Congress detailing its information security progress.

The CIO’s office receives daily reports on any incidents that come through its security operations center. The inspector general’s office also has access to the incident database, Martinez said, adding that her team removes personally identifiable information from the incident information before analyzing it and generating weekly reports.

The team meets weekly to review the reports and discuss trends and the potential impact on VA and its individual business lines. The team members then deliver the analysis to their managers, she said.

“We have to get educated together when you look at trends,” she said. “It helps to change culture.”

VA’s information security law and its centralized environment are unlike the experience at most other large agencies, said Ed Meagher, deputy CIO at the Interior Department and formerly VA’s deputy CIO. Agencies typically don’t have a command-and-control environment in which the secretary can mandate activities related to information security, he added.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected