FISMA noncompliance leaves VA vulnerable

An inspector general audit has revealed that the Veterans Affairs Department’s failure to fully comply with the Federal Information Security Management Act has resulted in more than 15,000 outstanding security risks.

The fiscal year 2011 performance audit examined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute for Standards and Technology guidelines. Although VA has made progress in creating policies and procedures, certain practices fail to meet FISMA requirements.

Substantial inadequacies were discovered in areas related to access controls, configuration management controls, continuous monitoring, and services continuity practices. Also, VA hasn’t effectively implemented procedures to identify and remediate system security flaws on network devices, and database and server platforms and web applications.

Deficiencies were also found in VA’s reporting, managing, and closing plans of action and milestones (POA&M). More than 15,000 outstanding POA&M actions must be taken to remediate risks and beef up the agency’s information security posture, the IG said, or VA won’t be able to ensure the protection of its systems throughout their life cycle.

The IG report accentuated what has materialized as a larger compliance issue governmentwide. A March 7 review by the Office of Management and Budget showed that only seven out of 24 agencies are more than 90 percent compliant with FISMA directives.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Featured

  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.