VA may have bent the rules for iPads, iPhones

A new federal audit found that Veterans Affairs Department Chief Information Officer Roger Baker may have bent information security rules when he deployed iPhones and iPads at the VA in October 2011 without FIPS 140-2 certified device encryption.

But the auditor concluded that Baker’s methods complied with federal information security requirements.

The May 15 audit was just published by Linda Halliday, assistant inspector general for audits and evaluations in the VA Office of Inspector General.

It was sparked by a confidential hotline complaint in September 2011 claiming that the VA was circumventing the Federal Information Security Management Act (FISMA) and other federal rules for information security with regard to Apple mobile devices approved for use on the VA network.

The inspector general also was asked by Sen. Jon Kyl (R-Ariz.) to evaluate whether the VA's approach of storing sensitive data on devices without FIPS 140-2 hardware encryption would meet FISMA requirements.

The inspector general auditors "partially substantiated" the allegation that the VA was deploying Apple mobile devices whose built-in encryption was not FIPS 140-2 certified, as FISMA requires for cryptographic protection of sensitive data. However, Baker took "compensating" measures to protect the sensitive information, the report said.

As a result, the auditor concluded that Baker’s approach to information security met the FISMA requirements, although there were some deficiencies in inventory management and controls.

“VA deployed more than 200 Apple iPhones and iPads with encryption that was not FIPS 140-2 certified,” Halliday wrote. “Compliance with the FIPS 140-2 standard is mandatory when agencies specify they will use cryptographic-based security systems to protect sensitive or valuable data. As a compensating control, VA used a FIPS 140-2 certified security application named 'Good' from Good Technology to encrypt application data such as emails, calendars, and contacts residing on the mobile devices.”

Using the certified application was deemed a satisfactory solution, the report said.

“We determined that VA’s approach of allowing only FIPS 140-2 certified applications to access or store sensitive encrypted data on the mobile device met FISMA requirements for data protection,” Halliday wrote.

However, the report also noted that the VA could improve its security controls and systems management by maintaining an accurate inventory of the devices and by configuring them consistently.

Halliday made two recommendations for change, and Baker agreed with both of them, the report said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
