VA Gets Failing Grade in Cybersecurity…for 16th Year in Row

Wednesday, November 19, 2014
Stephen Warren (photo: Dept. of Veterans Affairs)

The Department of Veterans Affairs (VA) is nothing if not consistent when it comes to failure.


The VA has failed to shore up its computer networks and fully protect them from hackers for 16 years in a row.


This ignominious distinction was disclosed by the VA’s inspector general (IG), and the details will be included in the IG’s 2014 audit report, which is scheduled to be released next year. The shortcomings mean the VA is not complying with the Federal Information Security Management Act (FISMA).


The IG’s 2013 audit report revealed that the agency’s IT operations had 6,000 cybersecurity vulnerabilities that needed fixing. It made 35 recommendations for corrective action, covering areas including configuration management, incident response, identity and access management, and ongoing monitoring.


Stephen Warren, VA’s chief information officer and executive in charge of the Office of Information and Technology, told Federal News Radio that 6,000 vulnerabilities isn’t really that large a number if viewed in the proper context. “If I’m running on a base of 1.2 to 1.4 million devices, and I'm running multiple services on each one of those, you're talking about 70-150 million different things that you're looking vulnerabilities on,” Warren said. “I’ve also got 1,000 enterprise systems we’ve built and deployed. When you talk about 6,000 vulnerabilities, we treat them all as important, but when you look at it on the scale you've got to put some balance in it.”


The IG’s latest admonition notwithstanding, Warren said he believes the VA has reduced the 6,000 vulnerabilities by 21% since they were first brought to light in the IG’s 2013 report.

-Noel Brinkerhoff


To Learn More:

VA Fails Cybersecurity Audit for 16th Straight Year (by Jared Serbu, Federal News Radio)

VA Buckles Down on Cyber Security, Program Management (by Henry Kenyon, Information Week)

