Congress still awaiting IT security answers from VA

Hill sources say the House Veterans' Affairs Committee has received only a single response to its multitude of inquiries.

CIO Stephen Warren is the only VA official who has responded to a series of inquiries from Congress seeking insight into the agency's IT security.

A month after responses were due to Congress from the Department of Veterans Affairs regarding more than 100 questions on IT security practices, the House Veterans' Affairs Committee still hasn’t received satisfactory answers.

Beginning Oct. 22, the committee delivered a series of inquiries to VA's Office of Information and Technology after conflicting testimony from high-level VA officials and concerns about at least nine state-sponsored data breaches. The lawmakers' request included questions about how VA safeguards more than 20 million veterans' personally identifiable information.

To meet the tight deadline, VA officials directed a small segment of the 8,000 OIT employees to answer the inquiries while banking on additional help from VA's Office of Inspector General.

On Nov. 8, VA Secretary Eric Shinseki informed Rep. Mike Coffman (R-Colo.), chairman of the Oversight and Investigations Subcommittee, that he had asked the IG's office to expand its 2013 Federal Information Security Management Act (FISMA) audit to include the questions. Four days later, the IG's office said it could not do so because the audit had already been completed, and expanding its 2014 audit would require modifying its audit contract.

Capitol Hill officials with knowledge of the inquiries told FCW that the committee has received only one response. Those answers and documentation came Nov. 22 from VA CIO Stephen Warren to Coffman.

In his response, Warren states, "VA will continue to work to provide information that is responsive to the subcommittee's requests." He included a general outline of VA's policies and practices regarding security vulnerabilities and Web applications and added that VA had complied with FISMA despite skepticism from Congress and critical reports from oversight bodies.

In addition, Warren countered Coffman's categorization of VA as a "compromised environment" after it became known that multiple actors had penetrated VA networks since March 2010.

"VA followed its established standard operating policies and procedures to maintain system integrity," Warren said. "All known computers possibly subject to the incidents were removed from the network and cleaned. Usernames and passwords were reset for all suspected affected users."

Warren's response alerted Congress that VA OIT's security posture had been raised to "elevated" effective Nov. 21 after "an increased number of incidents reported to VA from [the U.S. Computer Emergency Readiness Team], the annual security risks that accompany the holiday season and the public's recent interest in VA's information security posture."

OIT's security posture is assessed under the Information Operations Condition (InfoCon) system. It works like an alerting system, with higher threat levels calling for a higher level of vigilance.

VA's current designation of "elevated" means systems are at greater risk than those at "guarded" or "normal" levels but less than those at "severe" or "critical" levels. Elevated security postures result from a significant number of network probes, scans or activities that indicate patterned reconnaissance; incidents that affect enterprise systems; or intelligence that suggests an imminent attack against senior management units.

It is unclear how long VA will remain at the elevated threat level, but Warren wrote that top officials will consult with VA's Network Security Operations Center to make InfoCon determinations going forward.

A VA spokesperson said VA will continue to provide information to the committee while it awaits the results of an independent audit.