The Department of Veterans Affairs (VA) Office of Inspector General (OIG) is calling on the agency to address its slow progress in improving its cybersecurity posture, but the VA said a lack of funding causes the agency to lose high-quality IT personnel.
At a House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing on June 7, Michael Bowman, director of the IT and security audits division at the VA OIG’s Office of Audits and Evaluations, explained that the VA’s fiscal year (FY) 2021 Federal Information Security Modernization Act (FISMA) audit showed “limited progress.”
The FY2021 audit included 26 of the same recommendations from the FY2020 audit, and 23 of those have been included in every FISMA report dating back to 2018, according to Bowman.
“Our annual FISMA audit and other IG reports demonstrate VA has considerable work in order to achieve better IT security outcomes,” Bowman said during the hearing. “The number of persistent problems, such as weak access controls and deficient configuration management controls, underscores VA’s incremental progress towards improving its security program.”
However, Bowman did note that VA’s remaining FISMA recommendations are “more institutional findings and recommendations,” which he said “are more difficult to resolve in a year’s time or maybe even five years’ time.” VA has remediated the newer findings quickly, Bowman said, and the institutional ones will “probably remain on the books for several years to come.”
VA’s Cyber Approach, Ongoing Challenges
VA’s new Chief Information Officer Kurt DelBene acknowledged VA can improve in certain areas such as manual processes, as opposed to only focusing on a longer-term approach.
“What I’ve found since I’ve joined the VA is we need to do a better job in terms of the manual processes we do to remediate vulnerabilities,” DelBene said.
“I think we’ve had this view of the long term where there’s automation across everything we do in order to secure the VA – and it turns out because of the complexity we have, that’s absolutely critical – but in the near term, especially with the issues that FISMA, that the OIG has identified, we can use old fashioned shoe leather to really just get involved in the particular systems,” he said.
Lynette Sherrill, VA’s acting chief information security officer, echoed DelBene’s shoe-leather vision and said the agency is currently doing a “deep dive” into each of the 26 recommendations to “move these remediations forward on the most critical systems.”
However, at the same time, DelBene noted the VA faces ongoing challenges to improve its cybersecurity posture, such as a lack of funding to recruit and retain high-quality cybersecurity personnel.
“As you know, cybersecurity is an incredibly hot area in industry, and we compete every day with people that can earn higher salaries outside of the Federal government,” DelBene said.
“Just this past couple of weeks, we lost two people that we made offers to at the SES [Senior Executive Service] level, because they went to industry and got higher pay,” he added. “And it’s not small increases in pay – it’s actually substantial differences between what we’re able to pay and what industry will pay people right now.”
One possible solution, DelBene said, is to implement special salary rates for IT specialists. Another, he said, is reimplementing “on-call pay,” which compensates an IT specialist who is asked to give up personal time to be on call for work.
A strong IT workforce is critical to building a strong cybersecurity posture. While the VA has a mission that energizes many employees, DelBene also said the agency needs Congress’ help to “augment that with pay that’s much more commensurate with where it is in the market.”