The Department of Veterans Affairs (VA) is looking to implement a new risk assessment framework that will bring standardization and consistency to authorization decisions.
The move comes in response to a repeat recommendation from the VA Office of Inspector General (OIG). In the VA OIG’s Federal Information Security Modernization Act Audit for Fiscal Year 2022, the OIG made 26 recommendations for the VA to improve its information security program – the same number of recommendations from fiscal year (FY) 2021.
Despite the VA’s efforts to close the recommendations, the OIG said some have been repeated for multiple years.
Nevertheless, Kurt DelBene, VA’s chief information officer (CIO) and assistant secretary for information and technology, pledged his commitment to addressing these recommendations.
Specifically, the OIG recommended that DelBene consistently implement an improved continuous monitoring program in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework. The OIG called on the CIO to implement an independent security control assessment process to “evaluate the effectiveness of security controls prior to granting authorization decisions.”
“The assistant secretary reported that the Office of Information Security will implement a new assessment framework, which brings standardization and consistency to the Authorizing Official (AO) reviews and aligns with the NIST framework,” the report says. “To improve the tracking process further, the development of enterprise dashboards to bring visibility to executive leadership of those critical systems that are not meeting cyber security standards will continue.”
DelBene explained that the scale of VA systems is quite large – nearly 1,000 VA systems require an Authority to Operate (ATO), which he said would benefit from an independent control assessment.
However, the CIO noted that “the resources and costs to do so for all our systems are a barrier.”
“The varying risks for the more than 1,000 systems also suggest that we take a more balanced approach, leveraging internal resources for lower risk systems,” DelBene said. “VA OIT will implement specific policy changes that incorporate a prioritization model, based on risk, to assess information security controls in a prudent and rational way. Improving our capacity to conduct independent assessments for our highest risk systems will remain a high priority for OIT.”
The VA’s target date for completing this recommendation is Sept. 30.