Fiscal Year 2005 Performance and Accountability Report Published November 15, 2005
VA information technology (IT) security and systems continue to be a high-risk area and a significant management challenge. In recent years, VA has not made adequate progress improving its information security posture. System development initiatives have experienced cost overruns, technical difficulties, and schedule delays. VA has not been able to effectively address its significant information security vulnerabilities and reverse the impact of its historically decentralized management approach. While VA has accelerated efforts to improve Federal information security, more needs to be done to put security improvements in place that effectively eliminate the risks and vulnerabilities of unauthorized access and misuse of sensitive information.
Recent OIG reviews addressing information security and system development underscore the need for continued improvements in addressing security weaknesses. The OIG has reported VA information security controls as a material weakness and as an instance of noncompliance with the Federal financial management systems requirements under FFMIA in its annual CFS audits since 1997. VA has also disclosed information security controls as a material weakness as part of its Federal Managers' Financial Integrity Act submission since 1998. Further, a computer network vulnerability assessment performed as part of the 2004 CFS audit found that, because of problems in interconnectivity of the Veterans Integrated Service Network's (VISN) architecture, weaknesses occurred that placed an entire VISN at risk to unauthorized access and misuse.
In our March 2005 report, Audit of the Department of Veterans Affairs Information Security Program (Report No. 04-00772-122), we identified significant information security vulnerabilities that place VA at considerable risk of denial of service attacks, disruption of mission-critical systems, fraudulent benefits payments, fraudulent receipt of health care benefits, unauthorized access to sensitive data, and improper disclosure of sensitive data. The magnitude of these risks is impeding VA from carrying out its mission of providing health care and delivering benefits to our Nation's veterans. All 16 recommendations for improvement remain unimplemented.
Our August 2004 report on Bay Pines/CoreFLS indicated that the CoreFLS project team did not initiate security background investigations for contract employees until 4 years into the project. When they did initiate the investigations, they established sensitivity levels that were lower than required by VA directives. We made three recommendations to the Office of Security and Law Enforcement to strengthen internal controls over the process of determining sensitivity designations for non-VA employees. We are currently evaluating a response to our recommendations, which remain open.
We determined that many information system security vulnerabilities reported in national audits from 2001 through 2004 remain unresolved. VA's action to implement OIG recommendations in previous audits is helping to address some vulnerabilities and security weaknesses. However, OIG CAP reviews conducted from October 2003 through August 2005 continue to identify information security weaknesses. We have reported security weaknesses and vulnerabilities at 45 of 60 VA health care facilities and 11 of 21 VA regional offices where security issues were reviewed. We continue to make recommendations to improve security and contingency plans, control access to information systems, conduct background investigations, conduct annual security awareness training, and improve IT physical security.
VA's Program Response to OIG5A:
VA is recommending closure of two recommendations contained in the OIG's March 2005 audit report and several issues contained in other recommendations for which corrective action has been implemented. Actions which have been taken or are planned include the following:
Certification and Accreditation (C&A). As of August 31, 2005, the Department reported completing C&A activities for 585 systems and major applications, representing all VA systems currently in operation. The Administrations, staff offices, and the VA Office of Cyber and Information Security will continue to work collaboratively on continuous monitoring efforts, which occur between tri-annual certification activities, to ensure that facilities are in compliance with VA and federal policies and standards and that security controls are implemented and tested for effectiveness to ensure the confidentiality, integrity, and availability of data and adequate protection of VA systems.
Patch Management and Vulnerability Assessment. With the deployment of an enterprise vulnerability assessment tool and an automated patch deployment system, VA has taken a major leap forward by addressing the need for an enterprise patch management program. The long-term solution for VA's patch management will include the implementation of an enterprise security framework, which will be piloted in 2006.
Technology to Protect the VA Wired Network from Wireless Devices. VA has selected and installed Fortress Technologies AirFortress Wireless Security Gateway as the solution to protect the VA wired network from wireless devices. All wireless data traffic is routed through the Gateway before it is transmitted on the VA network. The Gateway not only provides FIPS 140-1 certified encryption of data between the wireless client and the Gateway (thereby eliminating the need for activation/use of Wired Equivalent Privacy encryption), it also provides firewall functionality, which limits access to the VA network to only authorized devices and users.
Intrusion Detection. Intrusion detection system installation has been completed. The Critical Infrastructure Protection Service is in the final stages of obtaining contractor support (award of this contract is anticipated to occur before the end of the current fiscal year) that will provide management and monitoring of security devices (intrusion detection systems) VA-wide. The services provided will include both host and network intrusion protection.
External Connections. Completion of the necessary actions regarding external connections is scheduled for early 2006.
Configuration Management. Progress has been made regarding configuration management of VA systems. The VHA Office of Information has developed a detailed configuration management plan, change control process, and maintenance procedures that support the system development life cycle for its VistA application and local area networks. In addition, configuration guidelines have been published on the VA Intranet to help protect the confidentiality, integrity, and availability of sensitive VA data.
Physical Security. VA's centralized approach to C&A of systems also includes a section in the site documentation addressing physical security controls as required by National Institute of Standards and Technology Special Publication 800-53. Specifically, facilities and staff offices must control all physical access points (including designated entry/exit points) to facilities containing information systems and verify individual access authorizations before granting access to the facilities.
Electronic Transmission of Sensitive Data. VA's Office of Information and Technology has established a working group to identify a practical, cost-effective solution. The working group will develop the strategy and action plan to implement the identified solution to protect the Department's sensitive data until the networks are fully secured against unauthorized access. In the interim, the VHA Office of Information has directed field facilities to continue to exchange data in the most secure methods available so that delivery of benefits to the veteran population is not halted or unnecessarily delayed as a result of changes to current data exchange processes and operations.
Critical Infrastructure Protection. The Critical Infrastructure Protection Program has implemented a project plan to identify critical infrastructure and assets that focus on the availability of assets in time of crisis for VA. Infrastructure protection is considered for three areas: human, physical, and cyber security. The critical infrastructure systems and assets have been identified. Threat profiles and the strategic plan are in progress.
VA's Chief Information Officer advises and assists Department personnel in understanding and implementing security requirements and in monitoring their compliance with these requirements. This monitoring is accomplished through the Office of Cyber and Information Security (OCIS) Review and Inspection Division, the certification and accreditation program, Management Act reporting, Security Configuration and Management Program, and VA Computer Incident Response Capability. VHA works closely with the Department to implement VA security requirements and assists with compliance monitoring and reporting as requested. VHA and OCIS are directing resources to address VA's goal to have all VA systems certified and accredited by August 31, 2005.
VBA regional offices continue to develop contingency plans in accordance with VBA policy and the National Institute of Standards and Technology guidance. By March 2006, these plans will fully address the seven areas outlined in the draft 2005 VBA Certification and Accreditation Plan of Action and Milestone documents.
In addressing access to information systems, a VBA letter will be distributed in November 2005 providing policy on restricting access to the LAN during non-duty hours. To reduce the likelihood of compromising weak passwords, VBA has installed Password Policy Enforcer software on servers and workstations.
VBA's Office of Human Resources issues the appropriate position sensitivity designation for all positions in compliance with VA Directive and VA Handbook 0710. VBA continues to process background investigation requests in accordance with VBA policy. VBA requires annual certification of security awareness training by all VBA employees, contractors, veterans service organizations, students, and volunteers.
Federal Information Processing Standards Publication 201 (FIPS 201) was issued in February 2005. It mandates that all federal agencies and departments be able to implement identity proofing and issuance processes by October 2005 and begin issuing Personal Identification Verification (PIV) cards by October 2006. Furthermore, OMB has requested that a national rollout be completed by September 30, 2008.
It is anticipated that VA's implementation of FIPS 201 requirements will correct concerns about background checks and contract employees as presented in the OIG report. However, this issue has not been finalized by OMB. OMB is requesting comments to a proposed background check requirement by October 11, 2005. VA's Office of Human Resources and Administration (HR&A), which is responsible for development and implementation of FIPS 201 compliant architecture and processes, is working closely with the Office of Security and Law Enforcement, Office of Cyber and Information Security, and other VA offices to respond to OMB's proposal.
In addition, HR&A is planning to launch a process deployment phase in January 2006 that will lead to accreditation of the processes for the successful implementation of FIPS 201 requirements. Initiation of the deployment phase will thus depend upon OMB's finalizing the requirements for background investigations and VA's issuing related policies. HR&A will continue to inform senior VA managers on the project's progress.
From April 2004 through March 2005, we issued 42 reports and management letters that cited the need to improve information security, application controls in financial systems, and general controls over access to the VA data centers and operations. Our reports and management letters also cited major issues with VA's information systems development and deployment processes.
Our August 2004 report on Bay Pines/CoreFLS indicated that the deployment of CoreFLS encountered multiple system development problems. In fact, CoreFLS was deployed at the Bay Pines facility without resolving numerous OIG-reported risks, including inadequate training and concerns about not using a parallel processing system during deployment. Failure to run a parallel system resulted in unnecessary risk to patient care and contributed to the inability to monitor fiscal and acquisition operations. Also, the effect of transferring inaccurate data (some legacy systems that CoreFLS was designed to interface with did not contain accurate data) interrupted patient care and the medical center operations. In response to our report, the VA Secretary tasked a contractor to review and determine the validity of the CoreFLS software package to accomplish expected goals. Currently, there are eight recommendations under the responsibility of the Assistant Secretary for Information and Technology that remain unimplemented.
In March 2005, we also reported on VA's implementation of the Zegato Electronic E-Travel Service, disclosing that VA's initial efforts to test and implement the service failed to meet VA's requirements and user needs, and project managers were not effectively managing its implementation. Early in the project initiative, VA had to grant about 60 facilities waivers from using the E-Travel service before it could proceed with nationwide implementation plans. We reported that lapses in project management contributed to a failed implementation, schedule delays, cost escalation, and substantial user frustration. As reported under issue 3E, while VA has completed many actions, all 10 recommendations remain open.
VA's management challenge with regard to IT systems development and deployment is to develop and implement future information systems that meet expected requirements and are secure, fully functional, and compatible with existing systems while following a sound systems development methodology.
VA's Program Response to OIG5B:
In April 2005 the Chief Information Officer sent a memorandum to the OIG requesting that the remaining recommendations regarding previous plans for implementation of a new integrated financial management system be closed since the Department was still evaluating what course of action would be most prudent for development and implementation of this type of system. VA has now initiated a 4-year remediation program to eliminate the existing material weakness, Lack of an Integrated Financial Management System. This new program will be referred to as VA's Financial and Logistics Integrated Technology Enterprise (FLITE), the goal of which is to correct financial and logistics deficiencies throughout the Department. For FY 2006 and 2007, the work associated with FLITE will be primarily "functional" in nature, that is, oriented on planning and the standardization of financial and logistics processes and data. This effort will be led by the Assistant Secretary for Management and will be very labor intensive, involving both contractors and Government personnel. During those fiscal years, a detailed review and analysis of software options will also occur and will include "pilot programs" as needed.
In January 2005 VA selected Electronic Data Systems (EDS) from GSA's e-Travel Service (eTS) master contract to provide eTS to VA. Shortly after awarding the task order, VA conducted "sandbox testing" to review the functionality of FedTraveler.com to ensure all items in the "request for quotes" were met. A gap analysis document was provided to EDS, listing all items found deficient by VA. All items are required to be completed before VA will implement FedTraveler.com.