The Department of Veterans Affairs (VA) mitigated security threats and met security standards in most domains of mobile device management, according to a report from VA’s inspector general released October 22.
The audit found that VA’s mobile device management program meets most of the guidance from the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM), and the VA’s own policies, with some areas for improvement.
“The audit team found OIT’s security practices for mobile devices generally mitigated security control weaknesses within VA’s network infrastructure,” the report states.
VA’s management met existing standards in security management, access controls, segregation of duties, and contingency planning, while needing some improvement on configuration management.
The vulnerabilities highlighted by the inspector general include the lack of blacklisting, the reliance on training without verification, and a lack of configuration management tools. On blacklisting, VA’s mobile security policy requires the department to prevent undesired applications from being downloaded, but the department found the burden of validating apps from the 2 million applications available. However, the department has implemented tools to assess the risks of any installed apps on VA devices.
On training, the report found that VA required annual training on mobile devices and on privacy and security, but did not validate that device holders completed this training, leaving it unclear.
Finally, the audit found that the department lacked configuration management tools to automate updates. VA officials noted that the associated workload would be too burdensome, as all devices would need to be in supervised mode. However, the audit found that leaving configuration management to users was ineffective, with 12,298 out of 50,618 mobile devices not using the latest OS update.
The report made recommendations for VA to fix the three identified flaws, all of which VA agreed with.