Editor’s note: Story has been updated with a comment from the National Cemetery Administration.
An internal memo from Department of Veterans Affairs Chief Information Officer Stephen Warren, obtained exclusively by FedScoop, reveals the agency’s top cybersecurity priorities for 2014 based on what agency managers said are the areas in need of most attention.
In a Dec. 30 memo to all employees of the VA’s Office of Information and Technology, Warren urged the agency’s IT managers to “remain relentless” in their efforts to improve VA IT processes and data security. Beginning this month and running through April, Warren has asked OIT staff to focus on four key areas: system baseline practices and procedures; configuration management; patch management; and elevated privilege review.
According to the Warren memo, VA’s OIT in January will place “special emphasis” on reviewing system baseline practices and procedures “to ensure that they are consistently implemented across the enterprise.”
Configuration management will be the focus in February, according to the document. “We will highlight the importance of improving our baseline configuration and change control policies to guarantee that these policies are consistently followed,” Warren wrote.
In March the focus will shift to improving patch management, and in April to improving VA’s “ability to review and monitor user access in order to ensure password management is accomplished uniformly,” the memo states.
Rep. Jeff Miller, R-Fla., chairman of the House Committee on Veterans’ Affairs, told FedScoop the issues outlined in Warren’s memo are basic IT functions the committee has been pushing VA to focus on.
“The committee has been trying to convince VA to put more of an emphasis on IT fundamentals such as these for some time now, and we are pleased that VA may be starting to get the message,” Miller said. “Rest assured, the committee will be closely monitoring VA’s progress in these areas through 2014 and beyond to ensure the activities outlined in the memo are performed with speed and accuracy in order to make sure veterans’ private information is properly protected.”
The priority areas identified in the memo are very telling, given VA’s latest report to Congress on known data breaches. During the third quarter of fiscal 2013, VA informed 1,348 veterans their personal data, including in many cases detailed health information, had been subject to potential compromise. As a result of these privacy breaches, the agency issued 1,994 credit protection letters.
The incidents ranged from more than a dozen lost or stolen laptop and desktop computers and dozens of lost BlackBerry smartphones to a multitude of processing errors that resulted in unauthorized disclosures of veterans’ Social Security numbers, financial information and medical details, including prescriptions. In some cases, veterans reported receiving benefits letters and even medicines belonging to other veterans.
For the past two years, VA has also used the online fax service MyFax to communicate veterans’ burial orders, including service record summaries known as a DD-214.
“This service has several security concerns,” according to a VA incident report filed Aug. 30, 2013, and “does not meet VA security requirements including co-mingling of data collected and placed in a zip file which is on an unsecure site.”
The service was paid for with a government credit card using IT funds, and was approved in “a Risk Based Decision memo,” according to the VA incident report, which was placed in a “medium” risk category. However, VA acknowledged that no contract, statement of work or memorandum of understanding exists between VA, the National Cemetery Administration and MyFax.
According to VA, families of deceased veterans send the faxes to NCA using a toll-free 800 number provided by VA. That number connects to the MyFax service, which creates a file that is uploaded and stored on a MyFax server. NCA then runs a script to retrieve the faxes from the server.
In addition to co-mingling data on the MyFax servers, the incident report indicates VA had concerns about the service’s inability to sanitize media and remove data that has been uploaded, as called for by VA’s own internal guidelines.
According to VA’s policy on electronic media sanitization, “all electronic storage media used in non-VA leased or owned IT equipment used to store, process, or access VA sensitive information are required to have all VA sensitive information removed, cleared, sanitized, or destroyed … when the media are no longer used to access VA sensitive information, or when the media are disposed or removed from VA control.”
“If these are the requirements, we do not have any of these [government] certifications and have never offered services on a segregated platform,” MyFax responded, according to the report.