For the 16th consecutive year, the Department of Veterans Affairs failed its annual cybersecurity audit after auditors determined the agency did not meet the standards of the Federal Information Security Management Act, according to a Washington Post report.
In the VA's 2013 cybersecurity audit, the inspector general identified 6,000 specific security risks and offered 35 actions to address the issues. The VA has implemented 18 of those recommendations, according to the report.
In a Federal News Radio report, VA CIO Stephen Warren said while that 6,000 figure seems outstanding, one has to put it in context. "If I'm running on a base of 1.2 million to 1.4 million devices, and I'm running multiple services on each one of those, you're talking about 70-150 million different things that you're looking vulnerabilities on," he said. "I've also got 1,000 enterprise systems we've built and deployed. When you talk about 6,000 vulnerabilities, we treat them all as important, but when you look at it on the scale you've got to put some balance in it."
The inspector general said in the audit report that the VA has made some progress in addressing cybersecurity issues, but significant concerns remain, according to a different Federal News Radio report.
Additionally, the Government Accountability Office determined the VA has not yet addressed network vulnerabilities attributed to the eight security intrusions the agency has suffered over the past few years, according to the report.
"Despite progress made, the Office of Information and Technology was not fully effective in addressing systemic weaknesses or eliminating the material weakness identified in VA's information security program for fiscal 2014," wrote Sondra McCauley, the deputy assistant IG for audits and evaluations at VA, in her testimony before the House Veterans Affairs Committee members, according to the report. "We continue to see repeat information security deficiencies in type and risk level to our reported findings in prior years and an overall inconsistent implementation of the security program."
Mr. Warren said he would direct an additional $60 million toward cybersecurity efforts this year, which would be a 38 percent increase in funds directed to cybersecurity over last year's $180 million, according to the report.
"I'm disappointed that in spite of the significant effort by our employees over the past year, the OIG maintained a material weakness," Mr. Warren said. "I'm committed to redoubling our efforts to put in place the processes and disciplines to address these issues, building upon the extensive layered, in-depth strategy we already have in place.
More articles on cybersecurity:
The role of contractors, hackers and regulators in cybersecurity
FDA issues cybersecurity guidance for medical device makers
Medical records 10x more valuable to hackers than credit card information