The Department of Veterans Affairs awarded a $50 million contract this month to support its Continuous Readiness in Information Security Program and named a veteran federal chief information security officer to lead a new CRISP program management office, FedScoop has learned.
News of the contract and the appointment of Dan Galik as VA’s senior executive in charge of all CRISP activities comes as the department begins preparing for its annual security audit under the Federal Information Security Management Act, or FISMA. Despite what officials have characterized as significant time and effort dedicated to shoring up the agency’s IT security weaknesses, the department has failed the annual FISMA audit for the past 16 consecutive years.
But VA Chief Information Officer Steph Warren seems determined to change that record this year, charging Galik to define the focus areas of the new program office and to oversee a surge of expertise and technical support under a $50 million CRISP Support Services contract with Fairfax, Virginia-based ASM Research, a wholly owned subsidiary of Accenture Federal Services.
The CRISP program management office remains in the early stages of development, with only a handful of staff detailed to Galik from throughout the Office of Information and Technology. Galik, who oversees the VA Network and Security Operations Center and works directly for VA CISO Stan Lowe, will report directly to Warren on all CRISP initiatives. And while officials are still defining what issues the new office will focus on, the first order of business remains preparing VA for the annual FISMA audit.
“That’s directly to support cybersecurity mitigation and remediation,” Galik said in an interview with FedScoop.
One of the first things Galik is going to work on is developing a dashboard, or a scorecard, for each of the 150 VA medical centers and 59 Veterans Benefits Administration regional offices. The dashboard will contain a set of security metrics that will measure the security readiness of every major facility. Galik is taking a lesson from the State Department, which established a similar scorecard for its embassies.
“The challenge for me is that what went into the scorecard at the State Department was understandable by the embassy leadership. I’ve got to do the same thing here,” he said. “I have to make this complex area understandable. It has its own language and acronyms, it has a lot of various security technologies. I have to define the parameters of what goes into that scorecard. We’re still working on what the elements will be that will determine how you get an ‘A’ grade or a green status,” he said.
“When you get into the FISMA audit cycle you tend to ramp up site by site as the auditors work their way through the cycle. And then there’s a natural tendency to relax a little bit,” Galik said. “This program is basically intended to keep us at that high state of readiness throughout the year. I should be able to go to any site at any point in the year and they should essentially be ready for an audit.”
Galik brings decades of experience to one of the VA’s most pressing, high-profile challenges. A former acquisition program manager in the Navy, Galik has also recently served stints as the chief information security officer at the Nuclear Regulatory Commission, the IRS, and the Department of Health and Human Services.
“One of my goals also is to instill a sense of urgency,” he said, referring specifically to the VA’s security processes, such as patching systems for vulnerabilities. This latest effort under the CRISP program, which officially launched in 2012, is considered a follow-on stage to the continuous monitoring services that the Department of Homeland Security provides. “We want to move from the awareness that comes from continuous monitoring to action … mitigation and remediation,” Galik said.
One of the program’s goals is to be able to give local security managers enough insight into their security posture that they are able to answer questions from senior agency officials. “How would you answer if the medical director at a hospital asked you, ‘How are we on security today?’ What would you base your answer on? These are some of the things that we’re trying to crystalize,” Galik said.
Galik is keenly aware, however, of the balance he must strike between the desire to lock down the enterprise for security and the need to provide effective and flexible patient care. “We don’t want to lock things down too much to a degree where they impact patient safety and patient care. So we always have to have a proper risk management trade-off,” he said.
VA needs to get to the point where “we know what’s on the network, we’re accounting for everything on the network, we see suspicious activity on the network, we jump on it, we contain it and we react,” Galik said. “Total and full accountability.”
VA’s security crisis
VA blocked more than a billion pieces of malicious software and nearly 358 million network intrusion attempts in March — a massive increase in the volume of attacks targeting VA that could eventually overwhelm the agency’s ability to effectively defend itself.
The volume of malware reported in VA’s Information Security Monthly Activity Report for March represents an 83 percent increase compared with six months earlier. Likewise, the number of intrusion attempts recorded in March represents a 29-fold increase over the same period. In October 2014, the agency reported slightly more than 206 million instances of malicious code and about 12 million intrusion attempts.
In congressional hearings late last year, Warren told lawmakers that VA could never be fully patched and secure given the sheer size and complexity of the organization. However difficult that might have been for members of Congress to understand, the situation has become significantly worse since then.
In his latest monthly call with reporters, Warren said that if the volume of attacks continues to increase at its current rate, the agency could eventually be overwhelmed. “If you plot that chart out … we’re on an exponential growth rate,” Warren said. “At some point, if we’re not able to knock this back … I think any agency will run into the point where we may get overwhelmed.”