Information Security
Veterans Affairs Needs to Resolve Long-Standing Weaknesses
GAO ID: GAO-10-727T May 19, 2010
GAO-10-727T, Information Security: Veterans Affairs Needs to Resolve Long-Standing Weaknesses
This is the accessible text file for GAO report number GAO-10-727T
entitled 'Information Security: Veterans Affairs Needs to Resolve Long-
Standing Weaknesses' which was released on May 19, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Oversight and Investigations, Committee on
Veterans' Affairs, U.S. House of Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery:
Expected at 10:00 a.m. EDT:
Wednesday, May 19, 2010:
Information Security:
Veterans Affairs Needs to Resolve Long-Standing Weaknesses:
Statement of Gregory C. Wilshusen:
Director, Information Security Issues:
Valerie C. Melvin:
Director, Information Management and Human Capital Issues:
GAO-10-727T:
GAO Highlights:
Highlights of GAO-10-727T, a testimony before the Subcommittee on
Oversight and Investigations, Committee on Veterans' Affairs, U.S.
House of Representatives.
Why GAO Did This Study:
Since 1997, GAO has identified information security as a
governmentwide high-risk issue. This has been particularly true at the
Department of Veterans Affairs (VA), where the department has been
challenged in protecting the availability, confidentiality, and
integrity of its information and systems. Since the 1990s, GAO has
highlighted the challenges the department has faced, including the
need to safeguard personal information.
GAO was asked to testify on VA's progress in implementing information
security and the department's compliance with the Federal Information
Security Management Act of 2002 (FISMA), a comprehensive framework for
securing federal information resources. In preparing this testimony,
GAO analyzed prior GAO, Office of Management and Budget, VA Office of
Inspector General, and VA reports related to the department's
information security program.
What GAO Found:
VA has made limited progress in resolving long-standing deficiencies
in securing its information and systems. In September 2007 and also
March 2010, GAO reported that VA had begun or had continued work on
several initiatives to strengthen information security practices, but
that shortcomings in the implementation of those initiatives could
limit their effectiveness. VA has also consistently had weaknesses in
major information security control areas. As shown in the table below,
VA was deficient in each of five major categories of information
security controls as defined in the GAO Federal Information System
Controls Audit Manual.
Table: Control Weaknesses for Fiscal Years 2006-2009:
Security control category      2006   2007   2008   2009
Access control                  X      X      X      X
Configuration management        X      X      X      X
Segregation of duties           X      X      X      X
Contingency planning            X      X      X      X
Security management             X      X      X      X
X = weakness reported in that fiscal year.
Source: GAO analysis based on VA and Inspector General reports.
[End of table]
Further, in VA's fiscal year 2009 performance and accountability
report, the independent auditor stated that, while VA continued to
make progress, IT security and control weaknesses remained pervasive
and continued to place VA's program and financial data at risk. The
independent auditor also noted that VA's controls over its financial
systems constituted a material weakness (a significant deficiency that
can result in an undetected material misstatement of the department's
financial statements).
Since 2006, VA's progress in fully implementing the information
security program required under FISMA has been mixed. For example,
from 2006 to 2009, the department reported a dramatic increase in the
percentage of systems for which a contingency plan was tested.
However, during the same period, the department reported a decrease in
the percentage of employees who had received security awareness
training.
Until VA fully and effectively implements a comprehensive information
security program and mitigates known security vulnerabilities, its
computer systems and sensitive information (including personal
information of veterans and their beneficiaries) will remain exposed
to an unnecessary and increased risk of unauthorized use, disclosure,
tampering, theft, and destruction.
What GAO Recommends:
In previous reports over the past several years, GAO has made numerous
recommendations to VA aimed at improving the effectiveness of the
department's efforts to strengthen information security practices and
to ensure that security issues are adequately addressed.
View [hyperlink, http://www.gao.gov/products/GAO-10-727T] or key
components. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov or Valerie C. Melvin at (202) 512-
6304 or melvinv@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting us to participate in today's hearing on
information security at the Department of Veterans Affairs (VA). Since
1997, we have identified information security as a governmentwide high-
risk issue and emphasized its importance in protecting the
availability, confidentiality, and integrity of the information
residing on federal information systems.[Footnote 1] Since the 1990s,
we have highlighted challenges the department has faced, including the
need to safeguard personal information.
In our testimony today, we will discuss VA's progress in implementing
information security and the department's compliance with the Federal
Information Security Management Act of 2002 (FISMA).[Footnote 2] In
preparing this testimony, we analyzed prior GAO, Office of Management
and Budget (OMB), VA Office of Inspector General (OIG), and VA reports
related to the department's information security program for fiscal
years 2006 through 2009. We conducted our review from April to May
2010 in the Washington, D.C., area in accordance with generally
accepted government auditing standards. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings based on our
audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings based on our audit objectives.
Background:
VA's mission is to promote the health, welfare, and dignity of all
veterans in recognition of their service to the nation by ensuring
that they receive medical care, benefits, social support, and
memorials. According to recent information from the Department of
Veterans Affairs, its employees maintain the largest integrated health
care system in the nation for more than 5.6 million patients, provide
compensation and pension benefits for nearly 4 million veterans and
beneficiaries, and maintain nearly 3 million gravesites at 163
properties. The use of IT is crucial to the department's ability to
provide these benefits and services, but without adequate protections,
VA's systems and information are vulnerable to those with malicious
intentions who wish to exploit the information.
To help protect against threats to federal systems, FISMA sets forth a
comprehensive framework for ensuring the effectiveness of information
security controls over information resources that support federal
operations and assets. The framework creates a cycle of risk
management activities necessary for an effective security program. In
order to ensure the implementation of this framework, FISMA assigns
responsibilities to OMB that include developing and overseeing the
implementation of policies, principles, standards, and guidelines on
information security and reviewing and approving or disapproving
agency information security programs, at least annually. It also
assigns specific responsibilities to agency heads, chief information
officers, inspectors general, and the National Institute of Standards
and Technology (NIST), in particular requiring chief information
officers and inspectors general to submit annual reports to OMB.
In addition, Congress enacted the Veterans Benefits, Health Care, and
Information Technology Act of 2006,[Footnote 3] after a serious loss
of data earlier that year revealed weaknesses in VA's handling of
personal information. Under the act, VA's Chief Information Officer is
responsible for establishing, maintaining, and monitoring
departmentwide information security policies, procedures, control
techniques, training, and inspection requirements as elements of the
department's information security program. It also reinforced the need
for VA to establish and carry out the responsibilities outlined in
FISMA, and included provisions to further protect veterans and service
members from the misuse of their sensitive personal information and to
inform Congress regarding security incidents involving the loss of
that information.
VA Has Made Limited Progress in Addressing Information Security
Weaknesses:
For over a decade, VA has faced long-standing information security
weaknesses identified by GAO, VA's OIG, and the department itself.
These weaknesses have left VA vulnerable to disruptions in critical
operations, theft, fraud, and inappropriate disclosure of sensitive
information. To date, VA's efforts to address these deficiencies have
made limited progress.
In September 2007, we reported that VA had begun or had continued
several initiatives to strengthen information security practices
within the department, but that shortcomings with the implementation
of those initiatives could limit their effectiveness.[Footnote 4] At
that time, we made 17 recommendations for improving the department's
information security practices. We verified that VA had implemented
five of those recommendations, including developing guidance for the
information security program and documenting related responsibilities.
VA has efforts under way to address 11 of the remaining 12
recommendations. These efforts include ensuring remedial action items
are completed in an effective and timely manner, implementing guidance
on encryption, and developing and documenting procedures to obtain
contact information for individuals whose personal information has
been compromised in a security breach. We plan to assess whether the
department's actions substantially implement these 11 recommendations,
and whether VA is now taking action on the twelfth recommendation to
maintain an accurate inventory of all IT equipment that has encryption
installed.
In March 2010, we reported[Footnote 5] that federal agencies,
including VA, had made limited progress in implementing the Federal
Desktop Core Configuration (FDCC) initiative to standardize settings
on workstations.[Footnote 6] We determined that VA had implemented
certain requirements of the initiative, such as documenting deviations
from the standardized set of configuration settings for Windows
workstations and putting a policy in place to officially approve these
deviations. However, VA had not fully implemented several key
requirements. For example, the department had not included language in
contracts to ensure that new acquisitions address the settings and
that products of IT providers operate effectively using them.
Additionally, VA had not obtained a NIST-validated tool to monitor
implementation of standardized workstation configuration settings. To
improve the department's implementation of the initiative, we made
four recommendations: (1) complete implementation of VA's baseline set
of configuration settings, (2) acquire and deploy a tool to monitor
compliance with FDCC, (3) develop, document, and implement a policy to
monitor compliance, and (4) ensure that FDCC settings are included in
new acquisitions and that products operate effectively using these
settings. VA concurred with all of our recommendations and indicated
that it plans to implement them by September 2010.
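The FDCC requirements just described (a documented baseline of settings, deviations that are formally approved rather than merely present, and a tool that monitors compliance) can be illustrated with a small drift check. The following is an added example written for this page; it is not VA's, OMB's or GAO's code and it is not a NIST-validated SCAP tool. The setting names and values, the host names, the collected settings and the approval ticket are all constructed assumptions, not an authoritative FDCC list.

```python
"""Workstation baseline compliance check with an approved-deviation register.

Added illustration in the spirit of FDCC monitoring; not VA's, OMB's or
GAO's code. Baseline values, host data and the deviation register are
constructed, and the setting names are assumptions, not the FDCC list.
"""
from dataclasses import dataclass, field

# Constructed baseline: setting name -> required value (hypothetical).
BASELINE = {
    "MinimumPasswordLength": 12,
    "PasswordComplexity": 1,
    "AccountLockoutThreshold": 5,
    "FirewallEnabled": 1,
    "AutoRunDisabled": 1,
    "ScreenSaverTimeoutSeconds": 900,
}

# Constructed register of documented, approved deviations:
# (host, setting) -> approval ticket. Drift not listed here is a finding.
APPROVED_DEVIATIONS = {
    ("ws-lab-01", "AutoRunDisabled"): "DEV-0042",
}

# Constructed settings as collected from three hosts (hypothetical).
# ws-field-07 has a weak password length and no firewall setting at all.
OBSERVED = {
    "ws-hq-01": {"MinimumPasswordLength": 12, "PasswordComplexity": 1,
                 "AccountLockoutThreshold": 5, "FirewallEnabled": 1,
                 "AutoRunDisabled": 1, "ScreenSaverTimeoutSeconds": 900},
    "ws-lab-01": {"MinimumPasswordLength": 12, "PasswordComplexity": 1,
                  "AccountLockoutThreshold": 5, "FirewallEnabled": 1,
                  "AutoRunDisabled": 0, "ScreenSaverTimeoutSeconds": 900},
    "ws-field-07": {"MinimumPasswordLength": 8, "PasswordComplexity": 1,
                    "AccountLockoutThreshold": 5,
                    "AutoRunDisabled": 1, "ScreenSaverTimeoutSeconds": 900},
}


@dataclass
class HostResult:
    host: str
    total: int = 0                                   # baseline settings checked
    compliant: list = field(default_factory=list)    # settings matching baseline
    approved: dict = field(default_factory=dict)     # setting -> approval ticket
    unapproved: dict = field(default_factory=dict)   # setting -> (actual, expected)

    @property
    def compliance_pct(self) -> float:
        """Share of baseline settings that match or carry an approved deviation."""
        ok = len(self.compliant) + len(self.approved)
        return round(100.0 * ok / self.total, 1)


def check_host(host, observed, baseline=BASELINE, approved=APPROVED_DEVIATIONS):
    """Compare one host's collected settings with the baseline.

    A setting missing from the collected data is reported as drift with
    actual=None: an absent control is not assumed to be present.
    """
    result = HostResult(host, total=len(baseline))
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual == expected:
            result.compliant.append(setting)
        elif (host, setting) in approved:
            result.approved[setting] = approved[(host, setting)]
        else:
            result.unapproved[setting] = (actual, expected)
    return result


def check_fleet(hosts):
    """Run the check over every host; returns host -> HostResult."""
    return {host: check_host(host, settings) for host, settings in hosts.items()}


def noncompliant_hosts(results):
    """Hosts with at least one undocumented deviation, for the remediation queue."""
    return sorted(h for h, r in results.items() if r.unapproved)


if __name__ == "__main__":
    for host, r in check_fleet(OBSERVED).items():
        print(f"{host}: {r.compliance_pct}% compliant, "
              f"approved={r.approved}, unapproved={r.unapproved}")
```

The register is the point: drift counts as compliant only when it was documented and approved in advance, so the same AutoRunDisabled deviation that is acceptable on ws-lab-01 would be a finding on any other host. In a real deployment the OBSERVED dictionary would be replaced by the output of an SCAP-validated scanner, which is the kind of NIST-validated monitoring tool the report says VA had not yet acquired.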
VA Continues to Report Significant Information Security Shortcomings:
Information security remains a long-standing challenge for the
department. In 2009, for the 13th year in a row, VA's independent
auditor reported that inadequate information system controls over
financial systems constituted a material weakness.[Footnote 7] Among
24 major federal agencies, VA was one of six agencies in fiscal year
2009 to report such a material weakness.
VA's independent auditor stated that while the department continued to
make steady progress, IT security and control weaknesses remained
pervasive and placed VA's program and financial data at risk. The
auditor noted the following weaknesses:
* Passwords for key VA network domains and financial applications were
not consistently configured to comply with agency policy.
* Testing of contingency plans for financial management systems at
selected facilities was not routinely performed and documented to meet
the requirements of VA policy.
* Many IT security control deficiencies were not analyzed and
remediated across the agency and a large backlog of deficiencies
remained in the VA plan of action and milestones system. In addition,
previous plans of action and milestones were closed without sufficient
and documented support for the closure.
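The two plan of action and milestones (POA&M) findings above, an unremediated backlog and closures without documented support, are conditions a routine check over the POA&M export can surface before an auditor does. The following is an added example written for this page, not VA's, its auditor's or GAO's code; the export, its column names, the item identifiers, the as-of date and the 30-day slippage threshold are constructed assumptions.

```python
"""POA&M hygiene check: backlog, unsupported closures, and late closures.

Added illustration, not VA's, its auditor's or GAO's code. The export
below is constructed and the column names are assumptions about how a
POA&M tracking system might export its records.
"""
import csv
import io
from datetime import date

# Constructed POA&M export (hypothetical identifiers and weaknesses).
POAM_CSV = """\
id,weakness,status,milestone_date,closed_date,evidence_ref
P-1001,Domain password settings not enforced on finance domain,Open,2009-03-31,,
P-1002,Contingency plan for payroll system not tested,Closed,2009-06-30,2009-07-15,CP-TEST-2009-07
P-1003,Shared service account holds domain admin rights,Closed,2009-01-15,2009-02-01,
P-1004,Unpatched database server in benefits enclave,Open,2010-01-31,,
P-1005,Audit logging disabled on file server,Closed,2009-09-30,2009-11-30,
"""


def load_poam(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _date(s):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(s) if s else None


def overdue_open(rows, as_of):
    """Open items whose milestone date has passed: the unremediated backlog."""
    out = []
    for r in rows:
        milestone = _date(r["milestone_date"])
        if r["status"] == "Open" and milestone is not None and milestone < as_of:
            out.append(r["id"])
    return out


def closed_without_evidence(rows):
    """Closed items with no evidence reference: closures an auditor cannot verify."""
    return [r["id"] for r in rows
            if r["status"] == "Closed" and not r["evidence_ref"].strip()]


def late_closures(rows, max_days):
    """Closed items that slipped more than max_days past their milestone."""
    out = []
    for r in rows:
        closed, milestone = _date(r["closed_date"]), _date(r["milestone_date"])
        if r["status"] != "Closed" or closed is None or milestone is None:
            continue
        if (closed - milestone).days > max_days:
            out.append(r["id"])
    return out


def summarize(rows, as_of="2009-09-30", max_days=30):
    """Summary an ISSO or auditor would want at fiscal year end (as_of)."""
    as_of_date = date.fromisoformat(as_of)
    return {
        "total": len(rows),
        "open": sum(1 for r in rows if r["status"] == "Open"),
        "overdue_open": overdue_open(rows, as_of_date),
        "closed_without_evidence": closed_without_evidence(rows),
        "late_closures": late_closures(rows, max_days),
    }


if __name__ == "__main__":
    print(summarize(load_poam(POAM_CSV)))
```

Run against the constructed export as of the end of fiscal year 2009, the check flags P-1001 as overdue backlog, P-1003 and P-1005 as closures with nothing an auditor could examine, and P-1005 as a closure that slipped two months past its milestone. The evidence reference is the control that matters for the auditor's second point: a closure with no reference to a test result, scan or change record is exactly the closure "without sufficient and documented support" that the report describes.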
In addition, VA has consistently had weaknesses in major information
security control areas. As shown in table 1, for fiscal years 2006
through 2009, deficiencies were reported in each of the five major
categories of information security controls[Footnote 8] as defined in
our Federal Information System Controls Audit Manual.[Footnote 9]
Table 1: Control Weaknesses for Fiscal Years 2006-2009:
Security control category      2006   2007   2008   2009
Access control                  X      X      X      X
Configuration management        X      X      X      X
Segregation of duties           X      X      X      X
Contingency planning            X      X      X      X
Security management             X      X      X      X
X = weakness reported in that fiscal year.
Source: GAO analysis based on VA and Inspector General reports.
[End of table]
In fiscal year 2009, for the 10th year in a row, the VA OIG designated
VA's information security program and system security controls as a
major management challenge for the department. Of 24 major federal
agencies, the department was 1 of 20 to have information security
designated as a major management challenge. The OIG noted that the
department had made progress in implementing components of an
agencywide information security program, but nevertheless continued to
identify major IT security deficiencies in the annual information
security program audits. To assist the department in improving its
information security, the OIG made recommendations for strengthening
access controls, configuration management, change management, and
service continuity. Effective implementation of these recommendations
could help VA to prevent, limit, and detect unauthorized access to
computerized networks and systems and help ensure that only authorized
individuals can read, alter, or delete data.
The need to implement effective security is clear given the history of
security incidents at the department. VA has reported an increasing
number of security incidents and events over the last few years. In
each of fiscal years 2007 through 2009, the department reported more
incidents than in the previous year, and the highest number of
incidents among the 24 major federal agencies.
VA's Uneven Implementation of FISMA Limits the Effectiveness of
Security Efforts:
FISMA requires each agency, including agencies with national security
systems, to develop, document, and implement an agencywide information
security program to provide security for the information and
information systems that support the operations and assets of the
agency, including those provided or managed by another agency,
contractor, or other source. As part of its oversight
responsibilities, OMB requires agencies to report on specific
performance measures, including the percentage of:
* employees and contractors receiving IT security awareness training,
and those who have significant security responsibilities and have
received specialized security training,
* systems whose controls were tested and evaluated, have tested
contingency plans, and are certified and accredited.[Footnote 10]
Since fiscal year 2006, VA's progress in fully implementing the
information security program required under FISMA and following the
policies issued by OMB has been mixed. For example, from 2006 to 2009,
the department reported a dramatic increase in the percentage of
systems for which a contingency plan was tested in accordance with OMB
policy. However, during the same period, it reported decreases in both
the percentage of employees who had received security awareness
training and the percentage of employees with significant security
responsibilities who had received specialized security training (see
figure 1). These decreases in the percentage of individuals who had
received information security training could limit the ability of VA
to effectively implement security measures.
Figure 1: VA Key Performance Measures for Fiscal Years 2006-2009:
[Refer to PDF for image: multiple vertical bar graph; data values
tabulated below]
Selected performance measure      FY 2006  FY 2007  FY 2008  FY 2009
Security awareness training          99%      95%      84%      67%
Specialized security training       100%     100%      89%      84%
Periodic testing and evaluation     100%     100%      96%      96%
Tested contingency plans             36%      25%      82%      93%
Certification and accreditation     100%      97%     100%      94%
Source: GAO analysis of agency data.
[End of figure]
For fiscal year 2009, in comparison to 23 other major federal
agencies, VA's efforts to implement these information security control
activities were equal or higher in some areas and lower in others. For
example, VA reported equal or higher percentages than other federal
agencies for systems whose security controls had been tested and
reviewed in the past year, systems whose contingency plans had been
tested in accordance with OMB policy, and systems that had been
certified and accredited. However, VA reported lower percentages of
individuals who received security awareness training and of
individuals with significant security responsibilities who received
specialized security training (see figure 2).
Figure 2: Comparison of VA to Governmentwide Performance for Fiscal
Year 2009:
[Refer to PDF for image: multiple vertical bar graph; data values
tabulated below]
Selected performance measure        VA    23 major federal agencies
Security awareness training         67%   91%
Specialized security training       84%   90%
Periodic testing and evaluation     96%   89%
Tested contingency plans            93%   86%
Certification and accreditation     94%   94%
Source: GAO analysis of agency data.
[End of figure]
In summary, effective information security controls are essential to
securing the information systems and information on which VA depends
to carry out its mission. The department continues to face challenges
in resolving long-standing weaknesses in its information security
controls and in fully implementing the information security program
required under FISMA. Overcoming these challenges will require
sustained leadership, management commitment, and effective oversight.
Until VA fully and effectively implements a comprehensive information
security program and mitigates known security vulnerabilities, its
computer systems and sensitive information (including personal
information of veterans and their beneficiaries) will remain exposed
to an unnecessary and increased risk of unauthorized use, disclosure,
tampering, theft, and destruction.
Mr. Chairman, this concludes our statement today. We would be happy to
answer any questions you or other members of the subcommittee may have.
Contacts and Acknowledgments:
If you have any questions concerning this statement, please contact
Gregory C. Wilshusen, Director, Information Security Issues, at (202)
512-6244, wilshuseng@gao.gov, or Valerie C. Melvin, Director,
Information Management and Human Capital Issues, at (202) 512-6304,
melvinv@gao.gov. Other individuals who made key contributions include
Charles Vrabel and Anjalique Lawrence (assistant directors), Nancy
Glover, Mary Marshall, and Jayne Wilson.
[End of section]
Footnotes:
[1] GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January
2009) and Information Security: Agencies Continue to Report Progress,
but Need to Mitigate Persistent Weaknesses, [hyperlink,
http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: July 17,
2009).
[2] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
[3] Veterans Benefits, Health Care, and Information Technology Act of
2006, Pub. L. No. 109-461, 120 Stat. 3403, 3450 (Dec. 22, 2006).
[4] GAO, Information Security: Sustained Management Commitment and
Oversight Are Vital to Resolving Long-standing Weaknesses at the
Department of Veterans Affairs, [hyperlink,
http://www.gao.gov/products/GAO-07-1019] (Washington, D.C.: Sep. 7,
2007).
[5] GAO, Information Security: Agencies Need to Implement Federal
Desktop Core Configuration Requirements, [hyperlink,
http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: March 12,
2010).
[6] In March 2007 the Office of Management and Budget (OMB) launched
the Federal Desktop Core Configuration initiative to standardize and
strengthen information security at federal agencies. Under the
initiative agencies were to implement a standardized set of
configuration settings on workstations with Microsoft Windows XP or
Vista operating systems. OMB intended that by implementing the
initiative, agencies would establish a baseline level of information
security, reduce threats and vulnerabilities, and improve protection
of information and related assets.
[7] A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote
likelihood that a material misstatement of the financial statements
will not be prevented or detected by the entity's internal control.
[8] Access controls ensure that only authorized individuals can read,
alter, or delete data; configuration management controls provide
assurance that only authorized software programs are implemented;
segregation of duties reduces the risk that one individual can
independently perform inappropriate actions without detection;
continuity of operations planning provides for the prevention of
significant disruptions of computer-dependent operations; and an
agencywide information security program provides the framework for
ensuring that risks are understood and that effective controls are
selected and properly implemented.
[9] GAO, Federal Information System Controls Audit Manual (FISCAM),
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington,
D.C.: Feb. 2009).
[10] Certification is a comprehensive assessment of management,
operational, and technical security controls in an information system,
made in support of security accreditation, to determine the extent to
which the controls are implemented correctly, operating as intended,
and producing the desired outcome with respect to meeting the security
requirements for the system. Accreditation is the official management
decision to authorize operation of an information system and to
explicitly accept the risk to agency operations based on
implementation of controls.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: