The Department of Veterans Affairs has made progress in meeting Federal Information Security Modernization Act (FISMA) requirements, but still needs to work on most of the recommendations from previous years, a new FISMA audit released last week found.
The audit includes 28 recommendations, all of which are pulled from previous years’ recommendations, or modified to reflect VA’s progress. VA managed to close one recommendation from its 2017 audit, and make progress on nine of the open recommendations. However, the audit noted that VA had not crossed the finish line yet.
“We continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation of the security program,” the audit from CliftonLarsonAllen notes.
The audit highlighted that VA improved in the areas of security documentation, centralized audit and log collection, predictive scanning processes, and maturation of its IT governance, risk, and compliance tools.
VA also made progress on implementing its risk management framework, but still needed more consistency, according to the audit. However, the VA Office of Information Technology (VA OIT) disagreed, saying that it had aligned the cybersecurity and risk management framework to provide visibility and make risk-based determinations on Authority to Operate (ATO). The VA Inspector General sided with the auditor, and pledged to monitor VA’s progress on the risk management framework.
VA OIT also disputed two other recommendations related to contingency planning. OIT argued that it did not need to improve processes on securing backup data, as all legacy tapes have been securely stored and will not be transported offsite. The IT department also argued that minor network outages identified in the report did not warrant contingency planning. The Inspector General again sided with the audit, and said it planned to monitor VA’s progress.