Department of Veterans Affairs (VA) Chief Information Officer (CIO) Kurt DelBene told lawmakers on Wednesday that the agency’s cybersecurity capabilities are suffering from a shortage of skilled IT workers that stems from a slim budget to hire enough of them.
During a House VA Technology Modernization Oversight Subcommittee hearing on Nov. 20, lawmakers questioned DelBene on the VA’s “inadequate” and “unfocused” cybersecurity program – which has seen a 62 percent appropriations increase since fiscal year (FY) 2023 but remains at less than one percent of the department’s entire budget.
For FY 2025, the VA Office of Information and Technology (OIT) requested a $110 million increase in its cybersecurity budget, which would bring the total to $707 million. DelBene said the VA faces recurring cyber challenges, “including budget limitations and recruitment and retention of highly qualified personnel.”
“We have discussed our budgetary limitations in the past, recruiting and retaining individuals with high demand cybersecurity expertise is a top priority for IT and industry leaders alike,” the CIO said. “For such employees, government salaries are too low to be competitive, even when combined with compensation incentives and benefits.”
“To successfully hire and retain high-demand cyber professionals, the entire Federal government must take immediate steps to increase the salaries of [the IT] workforce,” DelBene said in his opening statement at the hearing.
DelBene provided lawmakers with a specific example of why he doesn’t believe the VA’s budget is adequate to meet its cyber challenges, noting that OIT has to rank its cyber risks from top to bottom and tackle the most important priorities first.
“We have a roll called information security officer. For the entire VA, we have approximately 360 people who do this job,” DelBene said. “These are the people that evaluate all of the systems in the VA – there are over 1,000 of them – all of the locations in the VA – there are approximately 2,000 locations – as well as 650,000 desktops. These are the people that are responsible for evaluating the security of those systems.”
He continued, “The model for staffing there would have us have over 600 people in those roles, but we don’t have the funding to do that.”
VA Cyber Assessment Shows Progress
Despite lawmakers’ dismay, the VA’s 62 percent cyber budget boost has proved helpful in some areas.
According to a recent independent cyber assessment conducted by MITRE and delivered to the VA in April, the department has remedied 93 percent of its cyber challenges the nonprofit identified as high-risk.
The Strengthening VA Cybersecurity Act of 2022 required the VA to obtain an independent cybersecurity assessment of its most critical information systems, as well as its cyber posture as a whole. The Executive Director of MITRE’s Center for Data-Driven Policy, David Powner, presented the report’s findings during the subcommittee hearing Wednesday.
For the assessment, MITRE selected five high-impact systems from VA’s list of Bedrock and Critical Systems, including the Integrated Financial and Acquisition Management System (iFAMS), Loan Guaranty (LGY), Health Care Claims Processing System (HCPS), MyHealtheVet (MHV), and VA Enterprise Cloud – Mobile Applications Platform (VAEC-MAP).
Powner told lawmakers that MITRE found 442 issues, including 29 that were marked as high-risk. Today, the VA has remediated 27 of the high-risk issues and 70 percent of the overall findings.
Despite this progress, Powner pointed to the “systemic and operational” cyber challenges the VA has had dating back more than a decade.
“These systemic findings call for improvements in cybersecurity risk management, continuous monitoring, medical device security, cloud security, reducing shadow IT, and improving detection and response in recovery activities,” Powner said. “We made 35 recommendations to improve VAs overall cybersecurity program. Priority recommendations included enhancement to VA’s risk management framework, developing baseline configurations for cloud environments, reducing shadow IT to mitigate cybersecurity risk, configuring endpoint detection and response solutions to block malicious software, and creating alerts based on audit logs to improve visibility of high impact events.”
