HOUSE COMMITTEE ON VETERANS’ AFFAIRS
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
MAY 19, 2010
STATEMENT OF THE HONORABLE ROGER W. BAKER
ASSISTANT SECRETARY FOR INFORMATION AND TECHNOLOGY,
U.S. DEPARTMENT OF VETERANS AFFAIRS
Good morning Chairman Mitchell, Ranking Member Roe, and members of the Subcommittee. Thank you for your invitation to discuss the current status of information security at the Department of Veterans Affairs (VA) as well as VA’s compliance with the Federal Information Security Management Act (FISMA) of 2002. With me today are Mr. Jaren Doherty, Acting Deputy Assistant Secretary for Information Protection and Risk Management; Mr. Jan Frye, Deputy Assistant Secretary for Acquisition & Logistics; and Mr. Fred Downs, Chief Procurement and Clinical Logistics Officer for the Veterans Health Administration, representing VA. We are focused on moving the Department to a much more secure posture than that which currently exists.
Information Security remains a critical challenge for both federal and private sector enterprises. While our ability to defend our networks and systems has increased, so too has the sophistication of our attackers and the desire of those who use our systems for faster and broader access to the information and systems we protect.
Four years after the 2006 theft of a Veterans Affairs laptop containing information on millions of veterans, that incident still reverberates throughout the IT organization and the entire VA. Over the last four years, thanks to the support of this Committee, we have made significant changes, including the implementation of an Information Protection organization of over 500 people, and of course, the consolidation of all IT assets under the Assistant Secretary. Those changes have been accompanied by a vast improvement in the information protection processes across the entire VA. Our overall improvement in the Department's security posture is accompanied by actual improvements in the security of our information assets. FISMA is focused on making sure we have done the correct thinking about the risks our systems face and the levels of protection each requires, as well as implemented solutions that actually improve security. VA has put in place a plan to employ many of the successful approaches and technologies used by effective, large-scale private sector organizations to ensure that we have visibility into and control over every aspect of our electronic enterprise. This approach is described later in my testimony.
Our own challenges in information protection remain the scope and scale of the missions VA must accomplish. As we protect Veterans’ health information from unwanted access, we must balance that with the fact that the same information must be available immediately to the professionals who need it to serve the Veteran. As we seek to control and protect our Veterans’ information anywhere it exists within our extended supply chain (including private sector and federal sector partners), we must recognize the fact that the VA cannot perform its critical mission of caring for our Veterans without outside help and services. And while it is our desire to have already implemented a fully robust, comprehensive, audited, foolproof information security posture, our practical reality is that changing the infrastructure, policies, culture, and practices of the 850,000 people who show up every day across this nation to serve our Veterans is a massive undertaking. Over the last four years, we have made quantifiable progress. Over the next year, we will make greater strides. Am I satisfied with where we are? No. Our goal must be to be the best in federal government, and comparable with good private sector enterprises, on our information security practices. With your support, we will continue to work very hard at achieving that goal during my tenure as CIO at VA.
Even with all we have accomplished, we still experience security and privacy incidents, the large majority of them paper-based. Except for a few, these incidents usually involve the sensitive personal information of a small number of individuals. Nonetheless, we consider any data breach to be serious if Veterans’ or employees’ sensitive personal information is at risk, no matter the number. Many of these incidents are the result of human error and carelessness, which is why it is so important to establish a culture and a strong environment of awareness and individual responsibility. The training and education of our workforce is probably the single most important action. While it is impossible to predict or prevent every security or privacy incident, doing so remains the primary goal of VA's information protection program.
On September 18, 2007, VA completed the publication of VA Handbook 6500. This handbook outlines the standard for the VA Information Security program; and successfully sets the tone for cyber security procedural and operational requirements Department-wide to ensure compliance with FISMA and the Information Security provisions of title 38 of the US Code. It also provides for the security of VA information and information systems.
Today, with the strong support of this committee, a centralized and strengthened information protection program has been established to ensure safeguarding of all VA sensitive data and to fulfill our mission to:
“Serve our Veterans, their beneficiaries, employees and all VA stakeholders by ensuring the confidentiality, integrity, and availability of VA sensitive information and information systems.”
Our vision at OIT and within our Office of Information Protection and Risk Management is to provide world class information security and privacy for VA, Veteran information and all information systems operated by VA. We are making great strides towards this vision and achieving our information protection program goals which are to:
Protect the overall VA information security and privacy posture to ensure confidentiality, integrity, and availability of information
Integrate risk and performance management into information security and privacy governance processes
Enable the VA mission through integration of standardized information security and privacy processes
Promote an environment where every employee’s and contractor’s action reflect the importance of information security
Office of Information Technology Oversight and Compliance (ITOC)
The Office of Information Technology Oversight and Compliance (ITOC) was established in 2007 and made an immediate impact VA-wide. ITOC used innovative assessment tools and created comprehensive checklists to establish review standards in nearly every aspect of IT operations. ITOC is a highly effective organization that provides critical information to the VA Chief Information Officer.
Today, ITOC has 128 full-time employees, who have successfully completed 1332 assessments at VA facilities to include Medical Centers, Community Based Outreach Centers (CBOCs), Vet Centers, and Regional Offices; ITOC is also helping to effect real change to improve VA's FISMA compliance efforts, and continues to work with each VA Administration and staff office to mentor, train, and coach personnel to ensure a proactive organizational environment to protect sensitive information entrusted to us.
ITOC efforts have had a measurable effect on improving VA's FISMA compliance efforts. ITOC performs the continuous monitoring phase of the Certification and Accreditation (NIST 800-37) of VA systems for IT security controls in an ever-evolving environment with continually emerging threats against network security controls. In addition, ITOC assessments document known shortcomings or risks to VA’s network and IT infrastructure through creation of Plans of Action and Milestones (POA&Ms). These POA&Ms are created in VA’s Security Management and Reporting Tool (SMART) database, which directly tracks and ensures there is proper resourcing for correction.
Currently, ITOC works in collaboration with the Office of Information Protection Risk Management (IPRM) to conduct VA’s Security Control Assessments (SCA). This combined endeavor maximizes our experience as well as technical knowledge to better ensure compliance.
Information Security and Risk Management Office
After the 2006 laptop theft, VA promised to make protecting Veterans’ data a priority. In response, VA quickly established IPRM to provide frontline defense of Veterans’ sensitive data on a 365 day-a-year, 24/7 basis for one of the nation’s largest Federal government agencies and the largest health care provider in the country. IPRM’s information security staff includes over 700 dedicated staff supporting over 300 VA facilities, almost 300,000 employees, and 333,000 computers. IPRM’s vanguard staff includes the Information Security Officers (ISOs), a facility-based staff whose primary role is to ensure end users are protecting sensitive data. Like ISOs, Privacy Officers are facility-based to ensure the use of personally identifiable information (PII) related to Veterans that is collected by VA is limited to the information that is legally authorized and necessary.
IPRM’s Network Security Operations Center (VA-NSOC) provides continuous round-the-clock monitoring of VA’s network, protecting against, responding to, and reporting threats. These personnel are responsible for deterring, detecting, and defeating anything that might adversely affect VA networks and systems. On an average day, VA-NSOC monitors over 1.29 billion web requests per week and prevents over 1.7 million viruses a year from infecting the VA network. VA-NSOC monitors 23 million emails received by VA a week. From this total, over 16.4 million emails are blocked due to their potential for cyber crime from bad reputation servers or because they are SPAM.
Investments Have Transformed An Agency’s Performance
To provide some historical context, in 2006 VA identified several weaknesses which included:
Limited ability to scan our systems
Very limited Network Security Operations Center capabilities
No investigative procedures for malicious software and forensics
No visibility of routing architecture beyond the core VA Wide Area Network
Limited Deployment of Network Intrusion Protection Systems (40 nationwide)
No centralized patch reporting and validation process
No visibility of the desktops within VA
No disaster back-up site for the Security Operations Center
No Change Management or Configuration Control mechanisms
VA’s security program has been almost completely re-invented since 2006. Significant investments in centralization and infrastructure, staff, training, and VA-wide end user education have transformed VA’s information security and privacy outcomes and FISMA performance. A metrics-based, customer-centric, performance-based approach, has enabled our security program to turn around its performance in three years—a remarkable achievement by any standard.
I will highlight some of the outcomes to show what VA has accomplished in the past 3 years:
VA established 24x7 monitoring and defense of the VA enterprise network core
There is 100 percent visibility and 24x7 monitoring of anti-virus consoles
There is 100 percent visibility and 24x7 monitoring of host based intrusion prevention system consoles
VA established 24x7 monitoring of 160 network intrusion prevention systems deployed Nationwide
There are two geographically dispersed operations centers with full redundancy and fail over capabilities
There is monitoring and management of 84 Terabytes of data a week routed over core Infrastructure
There is monitoring and management of 41 Terabytes of data a week routed through internet gateways
VA has established a fully mature change control process
Major Initiatives Will Position VA’s Information Protection Program
Two key investment programs for OI&T and IPRM in 2010 are achieving visibility to the desktop and complete medical device isolation architecture for VA medical devices. Both OI&T and IPRM have committed all available resources to accomplishing these top two priorities. These priorities are absolutely essential to creating a 21st century, world class security program.
VA Visibility to the Desktop Initiative
Ongoing attacks against VA systems, coupled with pressure to use Web 2.0 technology, compelled VA to augment desktop visibility in order to provide adequate enterprise protection, and ultimately, safeguard the personal information of our Nation’s Veterans.
Our most important initiative to date is to mandate that the VA-NSOC has visibility into all devices connected to the VA network by September 30, 2010. “Visibility to the Desktop” is defined as the ability to, at any given time, look at the status of all machines in the network from a central location at the enterprise level. This includes the hardware, software, patch level, level of security compliance, and membership of the administrative group. This is a huge security tool for us, and it means that VA can review and run reports on any of the 333,000 machines on our network. This also gives VA the ability to apply patches which will greatly improve the security of the network.
Challenges to achieving this goal over the next four months will be trying to get consistent implementation and configuration of VA-approved scanning and management tools across such a large field organization, as well as standardizing facility participation in VA-wide reporting requirements. Again, I want to emphasize the entire OI&T operation is committed to this effort. Without full visibility, we cannot have an effective information security program – we must be able to see what is out there on our networks, identify the problems and risks, and provide the field with resources needed to tackle emerging issues.
We have put together 30, 60 and 90 day plans to fix these inconsistencies while simultaneously leveraging all available resources in order to accomplish this vital task. VA leadership and field personnel met at an offsite retreat in Washington, DC, in March 2010, to determine the vision, priorities, and next steps to achieve this goal. VA has launched Phase 1 of the initiative which involves inventory, antivirus, host-based intrusion prevention system, patch management, and scanning and vulnerability management with the primary goal of protecting the VA network.
Visibility to the Desktop Initiative will be achieved by providing agent-based, multi-dimensional automation with the following critical operational components:
Installation and implementation of an enterprise tool that provides data scanning in real time for asset discovery, missing patches, remediation, identification of local administrators, operating, hardware and security system status, custom reports and identification of installed applications.
Installation of an enterprise-wide forensic tool deployed to examine live systems on the network, provide E-Discovery, instantly capture volatile data in memory, remediate compromised systems and be able to search multiple machines for malware.
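The "Visibility to the Desktop" capability described above (central reporting of hardware, software, patch level, security compliance and local administrator group membership, and the gap between devices seen on the network and devices the management agent reports on) is illustrated below with an added example. This is editorial illustration, not code from the testimony or from VA; the hostnames, patch identifiers, baseline values and agent reports are constructed for the example.

```python
"""Endpoint visibility report: reconcile network-discovered assets with
agent inventory, then score each reporting host against a baseline.

Added illustration only. Hostnames, patch IDs and baseline values are
constructed for the example and do not describe any real network."""
from dataclasses import dataclass


@dataclass
class HostReport:
    hostname: str
    os: str
    patches: set              # patch identifiers the agent found installed
    local_admins: set         # members of the local Administrators group
    av_running: bool
    av_definition_age_days: int
    hips_enabled: bool        # host-based intrusion prevention agent state


# Baseline each host is scored against (constructed values; the patch IDs
# and group names are hypothetical).
BASELINE = {
    "required_patches": {"KB-0001", "KB-0002"},
    "allowed_admins": {"Domain Admins", "ws-support"},
    "max_definition_age_days": 3,
}


def assess_host(report, baseline=BASELINE):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    missing = baseline["required_patches"] - report.patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    rogue = report.local_admins - baseline["allowed_admins"]
    if rogue:
        findings.append("unapproved local admins: " + ", ".join(sorted(rogue)))
    if not report.av_running:
        findings.append("antivirus not running")
    elif report.av_definition_age_days > baseline["max_definition_age_days"]:
        findings.append(f"antivirus definitions {report.av_definition_age_days} days old")
    if not report.hips_enabled:
        findings.append("host intrusion prevention disabled")
    return findings


def visibility_report(discovered_hosts, agent_reports, baseline=BASELINE):
    """discovered_hosts: names seen on the network (scanner, DHCP, switch tables).
    agent_reports: HostReport objects sent by the management agent.
    Separates hosts with no agent data at all (the visibility gap) from
    managed hosts that fail the baseline, and computes agent coverage."""
    reported = {r.hostname: r for r in agent_reports}
    discovered = set(discovered_hosts)
    unmanaged = sorted(discovered - set(reported))
    findings = {}
    for name, rep in reported.items():
        result = assess_host(rep, baseline)
        if result:
            findings[name] = result
    compliant = sorted(set(reported) - set(findings))
    coverage = len(discovered & set(reported)) / len(discovered) if discovered else 0.0
    return {
        "unmanaged": unmanaged,
        "noncompliant": findings,
        "compliant": compliant,
        "coverage": round(coverage, 2),
    }


# Constructed sample data: four devices seen on the wire, three reporting.
DISCOVERED = ["ws-101", "ws-102", "ws-103", "printer-7"]
REPORTS = [
    HostReport("ws-101", "Windows 7", {"KB-0001", "KB-0002"}, {"Domain Admins"}, True, 1, True),
    HostReport("ws-102", "Windows 7", {"KB-0001"}, {"Domain Admins", "jdoe"}, True, 9, True),
    HostReport("ws-103", "Windows XP", {"KB-0001", "KB-0002"}, {"Domain Admins"}, False, 30, False),
]

if __name__ == "__main__":
    report = visibility_report(DISCOVERED, REPORTS)
    print(f"agent coverage: {report['coverage']:.0%}; no agent: {report['unmanaged']}")
    for host, items in report["noncompliant"].items():
        print(host, "->", "; ".join(items))
```

The point of the `unmanaged` list is the one the testimony makes: a machine that is on the network but not reporting cannot be patched or checked, so coverage has to be measured against what is discovered, not against what the agent already knows about.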
Protecting VA Medical Devices through Isolation Architecture
VA faces a critical challenge in securing our medical devices from cyber threats, and securing them is among the highest priorities for VA. VA is the largest medical care provider in the federal government with over 50,000 networked medical devices. VA defines a medical device as any device that is used in patient healthcare for diagnosis, treatment, or monitoring, or has gone through the Food and Drug Administration’s (FDA) premarket review process. (Note: This usage is not necessarily the same as the use of the term 'device' in the Federal Food, Drug, and Cosmetic Act.)
The major challenge with securing medical devices is that, because their operation must be certified, the application of operating system patches and malware protection updates is tightly restricted. This inherent vulnerability can increase the potential for cyber attacks on the VA trusted network by creating risk to patient safety. When medical devices are not adequately protected, they can and have been compromised at VA. Over 122 medical devices have been compromised by malware over the last 14 months. These infections have the potential to greatly affect the world-class patient care that is expected by our customers. In addition to compromising data and the system, these incidents are also extremely costly to the VA in terms of time and money spent cleansing infected medical devices.
In 2009, VA mandated that all medical devices at VHA facilities connected to the VA network implement a medical device isolation architecture (MDIA) using a virtual local area network (VLAN) structure. To accomplish this, IPRM has initiated a medical device protection program (MDPP). This program ensures there are pre-procurement assessments for medical devices and outlines a comprehensive protection strategy that encompasses communications, training, validation, scanning, remediation, and patching for the medical devices.
OIT and IPRM have committed to securing all VA medical devices through isolation architecture by December 31, 2010. Major baselines for the project have been established, and the VA’s more than 50,000 medical devices will all have isolation architecture established by the end of this year.
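The isolation architecture described above rests on two checks that can be automated: every device classified as medical sits in an isolation VLAN (and nothing else does), and traffic crossing into or out of those VLANs matches an explicit allowlist. The following is an added example of both checks, not code from the testimony or from VA's MDPP; the VLAN numbers, device names, ports and observed flows are constructed.

```python
"""Medical device isolation checker (added illustration, constructed data).

Checks (1) VLAN placement: medical devices only in isolation VLANs and no
general-purpose hosts inside them, and (2) observed flows touching an
isolation VLAN against an explicit allowlist. VLAN IDs, device names and
ports are assumptions for the example, not a real network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    kind: str      # "medical" or "general"
    vlan: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed policy: medical devices may live only in these VLANs.
MEDICAL_VLANS = {310, 311}

# Allowed flows touching a medical VLAN: (src vlan, dst vlan, dport, proto).
# Anything else that crosses the isolation boundary is a violation.
ALLOWED = {
    (310, 20, 104, "tcp"),    # imaging modality -> PACS server VLAN (DICOM)
    (311, 20, 2575, "tcp"),   # patient monitor -> HL7 interface engine
    (30, 310, 22, "tcp"),     # biomedical engineering jump VLAN -> device (SSH)
}


def misplaced_devices(devices):
    """Names of medical devices outside the isolation VLANs and of
    non-medical hosts inside them; both break the isolation boundary."""
    return sorted(
        d.name for d in devices
        if (d.kind == "medical") != (d.vlan in MEDICAL_VLANS)
    )


def evaluate_flows(devices, flows, allowed=ALLOWED):
    """Return (flow, reason) pairs for flows that touch a medical VLAN but are
    not on the allowlist, or whose endpoints are not in the inventory."""
    vlan_of = {d.name: d.vlan for d in devices}
    violations = []
    for f in flows:
        sv, dv = vlan_of.get(f.src), vlan_of.get(f.dst)
        if sv is None or dv is None:
            violations.append((f, "unknown endpoint"))
            continue
        if sv not in MEDICAL_VLANS and dv not in MEDICAL_VLANS:
            continue  # does not cross the isolation boundary
        if (sv, dv, f.dport, f.proto) not in allowed:
            violations.append((f, f"vlan {sv} -> vlan {dv} {f.proto}/{f.dport} not permitted"))
    return violations


# Constructed inventory and captured flows.
DEVICES = [
    Device("ct-scanner-1", "medical", 310),
    Device("infusion-pump-7", "medical", 20),   # medical device on a server VLAN
    Device("monitor-icu-3", "medical", 311),
    Device("pacs-srv", "general", 20),
    Device("hl7-engine", "general", 20),
    Device("ws-nurse-12", "general", 40),
    Device("biomed-jump", "general", 30),
    Device("ws-rogue", "general", 310),         # workstation inside a medical VLAN
]
FLOWS = [
    Flow("ct-scanner-1", "pacs-srv", 104),         # allowed
    Flow("monitor-icu-3", "hl7-engine", 2575),     # allowed
    Flow("ws-nurse-12", "ct-scanner-1", 445),      # SMB from user VLAN: violation
    Flow("biomed-jump", "ct-scanner-1", 22),       # allowed
    Flow("ct-scanner-1", "ws-nurse-12", 80),       # device reaching out: violation
    Flow("unknown-host", "monitor-icu-3", 3389),   # endpoint not in inventory
]

if __name__ == "__main__":
    print("misplaced:", misplaced_devices(DEVICES))
    for flow, reason in evaluate_flows(DEVICES, FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Note that the placement check and the flow check cover different failures: the infusion pump on VLAN 20 is caught only by `misplaced_devices`, because its traffic never crosses an isolation VLAN and so `evaluate_flows` has nothing to flag. An SMB connection from a user workstation to an unpatchable device is the kind of flow the allowlist exists to stop.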
In addition to the visibility to the desktop initiative and medical device isolation architecture, other VA IPRM security and FISMA priorities for 2010 are:
Remediating unresolved Plan of Action and Milestones (POA&M) while focusing efforts on addressing high risk system security deficiencies and vulnerabilities
Implementing control mechanisms to ensure sufficient supporting documentation is captured in the SMART database to justify POA&M closure
Employing mechanisms to ensure VA password complexity standards are enforced on all systems across the enterprise
Initiating periodic reviews of user accounts to identify and eliminate incompatible system functions, system permissions in excess of required functional responsibilities, and unauthorized system user accounts
Implementing VLAN controls to appropriately restrict access to sensitive network subnets at VA medical centers (VAMCs)
Identifying external network connections and ensuring appropriate Interconnection Security Agreements and Memorandums of Understanding are in place
Applying automated mechanisms to periodically identify and remediate system security weaknesses on VA’s network infrastructure, database platforms, and web application servers across the enterprise
Executing procedures to ensure VA contracts contain information security compliance clauses consistent with FISMA
Implementing remediation plans to address system security weaknesses found during vulnerability assessments of VA systems
Initiating periodic reviews of security violations and enabling system audit logs on VA financial management systems
Establishing a system development and change control framework that will integrate information security throughout the lifecycle of each system
Applying technological solutions to monitor security for all systems and network segments supporting VA programs and operations
Developing and testing an integrated continuity of operations plan in accordance with VA Directive and Handbook 0320, Comprehensive Emergency Management Program
Implementing an effective continuous monitoring process that will incorporate consistent test methods, test procedures, and other testing elements to more accurately measure security control effectiveness
Creating mechanisms for updating key elements in system security plans to include inventory of systems such as hardware, software, database platforms, and system interconnections
Developing a comprehensive system inventory listing and expanding data calls for identifying minor applications to include all VA lines of business
In closing, protecting Veteran information is crucial to VA’s mission. A breach in security can hinder our ability to perform critical operations, put Veterans at risk, and ultimately result in a loss of public trust. VA is making significant progress in creating a solid environment of vigilance and awareness regarding individual responsibility in the area of information protection - the centerpiece of our overall program.
Moving forward, VA will continue to combat security threats through critical initiatives including Security Improvement Program, visibility to the desktop, medical device protection program, and our ongoing efforts to educate our VA end users. We will continue to take proactive steps to meet the daunting challenges of new technology, such as evolving social media, cloud computing, mobile media, and advanced interconnectivity. We will meet our milestones as outlined in this testimony, to build one of the top security programs in the federal government.
I remain personally committed to continually working toward establishing a world class security environment wherein we can fully safeguard the sensitive and private information of our Veterans and employees, and all sensitive information entrusted to us.