Author: Phil Goldstein / Source: FedTech
It’s a bit of common knowledge inside federal IT circles: The Veterans Affairs Department has consistently been unable to meet cybersecurity requirements.
For the 18th year in a row, the VA could not avoid having cybersecurity designated a material weakness, but a recent inspector general’s report details how the department has made clear and significant progress on improving its security posture.
Cybersecurity was one factor in VA Secretary David Shulkin’s decision in June to shift from the Veterans Information Systems and Technology Architecture (VistA) toward a commercial off-the-shelf electronic health records system. “We intend to leverage the architecture, tools and processes that have already been put in place to protect DOD data, to include both physical and virtual separation from commercial clients,” he said at the time.
Yet the VA is making strides. “VA has made progress developing policies and procedures but still faces challenges implementing components of its agencywide information security continuous monitoring and risk management program to meet” the requirements of the Federal Information Security Modernization Act (FISMA) of 2014, the report from the VA’s Office of Inspector General states.
The report, released in June, contains 33 specific recommendations. The VA says it has made progress on all of the recommendations and is asking the IG’s office to close 18 of them, Federal News Radio reports.
VA’s Cyber Plan Yields Results
Following criticism from Congress and a large amount of turnover, former VA CIO LaVerne Council vowed when she took over the role in 2015 that she would eliminate more than two dozen cybersecurity weaknesses over the next two years, Federal News Radio notes. Part of that effort involved the creation of a cybersecurity plan and the Enterprise Cybersecurity Strategy Team (ECST) to address cybersecurity weaknesses.
The plan was aimed at helping VA “achieve transparency and accountability while securing veteran information through teamwork and innovation,” the report notes. ECST focused on managing existing cybersecurity efforts as well as…