The Government Accountability Office (GAO), in summarized testimony prepared for a House Veterans Affairs Committee on July 1, said the Department of Veterans Affairs (VA) has made much progress in recent years to address GAO recommendations on improving cybersecurity, but still has a significant to-do list to tackle on the security front.
The GAO testimony covered many years’ worth of its evaluations of IT and security-related issues at VA and provided a status update, current as of June, on the recommendations for improvement that the agency still needs to address.
Two instances of work needed on lingering GAO recommendations were prominent in the testimony.
In 2019, GAO reported that VA had met only one of five “foundational practices” for establishing a cybersecurity risk management program. In particular, GAO found that VA had not “fully”:
- Developed a cybersecurity risk management strategy that addressed key elements, such as risk tolerance and risk mitigation strategies;
- Documented risk-based policies that required the department to perform agency-wide risk assessments;
- Conducted an agency-wide cybersecurity risk assessment to identify, assess, and manage potential enterprise risks; or
- Established coordination between cybersecurity and enterprise risk management.
While VA concurred with GAO’s recommendations to address those points, each of them remained open and unresolved as of June 2021. “Until the department fully establishes a cybersecurity risk management program, its ability to convey acceptable limits regarding the selection and implementation of controls within the established organizational risk tolerance will be diminished,” GAO said.
Also, in 2016, GAO flagged deficiencies in VA’s implementation of access controls, patch management, and contingency planning. GAO recommended 74 actions for the agency to take to improve its cybersecurity program and fix known deficiencies in its high-impact systems.
GAO reported in its testimony this week that VA has since implemented 70 of the 74 recommendations, but four recommendations still require action by the agency in the areas of access controls and configuration management.
“Until VA addresses these remaining shortcomings, it will continue to have limited assurance that its sensitive information and information systems are sufficiently safeguarded,” GAO said.