In the two years since the Veterans Affairs Department announced its goal of closing all cybersecurity material weaknesses, the efforts detailed in the latest audit report from the agency's inspector general seem to be making a difference.
While VA fell short of its ultimate objective of cybersecurity not being a material weakness in 2017 (the 18th year in a row auditors rated it that way), the Office of Information and Technology (OI&T) said in its response to the IG's Federal Information Security Management Act (FISMA) report to Congress that it has made significant progress across all 33 recommendations, and is asking the IG to close 18 of them.
For example, the IG says VA continued to struggle with ensuring systems had an up-to-date authority to operate (ATO).
"Specifically, process deficiencies allowed certain system authorizations to operate to expire and allowed other systems to be reauthorized by an official without the proper authority," the IG stated.
But VA's chief information officer's office says its Enterprise Cybersecurity Strategy Team (ECST) has updated its processes and is now using the ongoing authorizations approach as required by the Office of Management and Budget in the Circular A-130 update issued last fall.
"By the end of calendar year 2016, systems requiring an ATO were updated to reflect the new AO," OI&T's response stated. "Updated assessment and authorization (A&A) policy and process to redefine roles and responsibilities of VA's authorizing officials (AO), and AO procedures, which will allow for oversight of systems throughout their full lifecycle. Office of Cyber Security Policy and Compliance (OCSPC) conducts routine, regularly scheduled briefings with the AO prior to issuance of ATOs on systems within their purview."
The system authorization process has been a problem at VA for some time. Back in 2013, former VA chief information security officer Jerry Davis claimed VA was "rubber stamping" ATOs in order to get them completed before they expired.
After several congressional hearings and the turnover of the CIO, VA's new leadership promised to fix the long-standing cyber problems. Former VA CIO Laverne Council said when she took over the role in 2015 that her intention was to get rid of the more than two dozen cyber weaknesses over the next two years.
She created a cyber strategy, the ECST and eight domains to address the biggest problem areas.
The cyber team is playing a major role in nearly every initiative to close the IG's recommendations.
Deputy Inspector General Linda Halliday said in an email to Federal News Radio that her office will continue to review VA's progress in improving its cyber posture.
"When the OIG receives evidence of appropriate corrective action, we will generally close that recommendation," Halliday said. "As VA provides documentation to support the corrective actions taken on any recommendation, we will review it and make the determination on whether we can close that recommendation. Further, we continue to assess VA's progress in implementing corrective actions and their ability to sustain improvements impacting VA information security posture during our annual FISMA review in the following year."
One area where VA says it has made progress has been a long-time challenge around password management.
Over the past two years, the ECST has implemented technology to enforce password policies, mandated the use of smart identity cards and initiated single sign-on capabilities.
"VA has enhanced password monitoring policies via credentialed, predictive scans and remediation processes on OI&T systems. Routine system scans are completed by the Network and Security Operations Center (NSOC). Enterprise Discovery Scans (EDS) are conducted on a quarterly basis to detect password vulnerabilities across the enterprise," OI&T told auditors. "In order to improve organizationwide availability of security data, VA has enhanced the reporting of scan results and has published results with historical data on the Nessus Enterprise Web Tool (NEWT). VA is using NEWT dashboards to monitor password vulnerabilities and show trends based on the results of EDS scans. Scan results are shared with users in the enterprise who have been granted access to NEWT."
Another major problem the IG pointed out was the lack of visibility into their networks and therefore failure to identify numerous high-risk security incidents, including malware infections that were not remediated in a timely manner. "Specifically, we noted these issues at three major data centers and two VA medical centers."
The CIO's office said it expects to complete the national deployment of an enterprisewide security incident and event management tool by June 30.
VA's OI&T said it is currently receiving logs from across the enterprise to include centralized logging from devices owned and managed by field operations to include Windows and Linux servers, and network infrastructure devices (routers/switches). Other log sources such as domain controllers, Domain Name Services (DNS), and ePolicy Orchestrator (ePO) systems are now also included in the centralized logging repository, which helps to enrich the data lake and enhance data available for event monitoring, correlation processes and incident response. Currently, only failed logon events are being collected for infrastructure devices.
VA OI&T also expects to complete a related effort by June 30 to track and make sure patches and vulnerabilities are closed in a timely manner.
"VA has an enterprise-wide scanning program performed by the NSOC on a scheduled and ad-hoc basis (when needed or requested). Results of the scans are rolled into NEWT for analysis and reporting. The analysis tool provides an enterprise view to the terminal device level (specific Internet Protocol)," the office's response stated. "NEWT coverage has been expanded to include Cisco and Red Hat Enterprise Linux scan results as well as trending and historical remediation efforts. VA implemented DbProtect, a database scanning tool, to gain enterprise level access and insight to the many databases that exist in the organization."
VA told the IG it expects to close eight of the remaining recommendations no later than Sept. 30 and then five more by Dec. 31.
Read the original here:
VA fails cyber audit for 18th straight year, but progress is evident - FederalNewsRadio.com