Eliminating Our Material Weaknesses

Protecting Veteran data is a top IT priority, and effective cybersecurity practices are critical to its success.

Not only did VA successfully remediate our material weaknesses, we also applied the lessons learned from that exercise to enhance our cybersecurity posture. VA aligned our policies and practices with industry guidelines, building a robust cybersecurity ecosystem that proactively assesses risk.

Securing VA's IT Infrastructure in 2017

MALWARE

Blocked 5.1 billion malware attempts since 2015, including WannaCry and Petya, two of 2017’s high-profile, worldwide ransomware events.

PIV ENFORCEMENT

Increased Personal Identity Verification (PIV) enforcement from 11 percent in 2015 to 99.8 percent, exceeding the Office of Management and Budget’s (OMB) target for VA.

TWO-FACTOR AUTHENTICATION

Achieved 100 percent enforcement of two-factor authentication for privileged users.

SOFTWARE

Reduced use of unadjudicated software by 94 percent since January 2016.

MEDICAL DEVICES

Secured 92 percent of medical devices with vulnerabilities.

EMAIL

Monitored more than 45 million emails daily in 2017 and blocked 75 billion malware attempts on VA systems.

A New Approach to the OIG FISMA Audit

In 2015 and 2016, the Office of the Inspector General (OIG) Federal Information Security Modernization Act (FISMA) audit findings highlighted material weaknesses that threatened the security of Veteran data. In 2017, we changed the way we approached cybersecurity and established policies to protect VA systems and infrastructure and ensure VA’s cyberspace ecosystem is resilient to threats.

We mapped the 2017 OIG findings to National Institute of Standards and Technology (NIST) security and privacy standards to identify the controls (countermeasures) most commonly associated with findings within the audit. This lets us prioritize future projects around the controls that require the most attention. In preparation for future audit cycles, we will develop detailed implementation guidance for high-risk controls, providing the field with the knowledge base it will need to successfully protect Veteran data.

As VA develops its control implementation guidance, we will incorporate it into the VA Risk Management Framework Knowledge Service as the single authoritative source of VA control policy and implementation guidance. Our approach to remediation will be better documented and we will have the tools we need to quickly remediate findings and work toward eliminating material weaknesses.

Enterprise Cybersecurity Strategy (ECSS)

In response to emerging data threats and the evolving cybersecurity landscape, OIT collaborated with stakeholders, subject matter experts, and contracting partners to update VA’s Enterprise Cybersecurity Strategy (ECSS). With the establishment of the Enterprise Cybersecurity Strategy Program (ECSP), we are changing how we manage cyber risk: prioritizing cybersecurity projects by risk and creating an integrated, transparent program. The ECSS helps VA identify and articulate the requirements, standards, and opportunities for transformative cybersecurity improvements. The updated strategy refreshes VA’s direction and objectives for assessing and managing threats to VA’s cybersecurity.

The ECSS promotes collaboration and enables us to protect Veteran information from a broad spectrum of threats through the following five strategic cybersecurity goals:

  • Data Protection: Protecting Veteran information and VA data is our top priority. Ensuring the safety of their critical data allows us to build and maintain their trust.
  • Threat Resilient Cyberspace Ecosystem: Early detection of cyber threats and intrusions is critical to developing a resilient ecosystem. Responses to those present and future threats must be effective and timely.
  • Protected Information Systems and Infrastructure: Ensuring the safety of our cyber infrastructure is important. We can’t do our jobs without secure IT systems, so we must make sure these systems are modern, efficient, and effective.
  • Secure Operational Environment: In an effective environment, our operations should be transparent, accountable, and seamless so we can continue to deliver the best service possible to our Veterans, their families, and our employees.
  • Talented Cybersecurity and Privacy Workforce: By recruiting, developing, and retaining a strong cybersecurity workforce, we’ll have a united defense against future cyberthreats.

Creating a Culture of Cybersecurity at VA

Over the summer, the Network Security Operations Center (NSOC) conducted routine phishing assessments in various organizations throughout VA. The results found that a staggering 40 percent of users clicked on a malicious link when presented with a fake phishing email. The message was clear: we urgently needed to educate staff about cybersecurity. Employees are the frontline of VA’s defenses.

2017 National Cybersecurity Awareness Month

We focused on educating our employees by leveraging blog posts, video messages, posters, and a cybersecurity toolkit, and we will continue to ingrain cybersecurity as part of the everyday culture and operations at VA. In October, VA observed National Cybersecurity Awareness Month by launching a monthly Office of Information and Security (OIS) video series featuring OIS experts discussing a broad range of topics from social media safety to preventing cybersecurity holes in web applications.

Risk Management Framework (RMF)

VA’s RMF is another step forward in VA’s commitment to safeguarding Veteran information and VA data within a complex environment. It establishes the strategic direction for managing risk and is the next phase in improving VA’s security posture. VA’s RMF positions VA to take a proactive approach to mitigating IT security risk and drives alignment with federal statutory and regulatory priorities to protect Veteran information.

Our strategy establishes an ambitious and carefully crafted approach to cybersecurity and privacy protections. This approach helps VA to execute its mission to provide quality health care, benefits, and services to Veterans while fulfilling our responsibility to keep Veteran information and VA data safe and secure.

Enterprise Risk Identification Survey Key Portal is Now Live

Leveraging OIT’s Enterprise Risk Management (ERM) Framework, the Risk Management Division (RMD) developed the Enterprise Risk Identification Survey Key Portal (E-RISK). E-RISK helps field employees understand how to report potential risks to the OIT enterprise, fosters proactive risk management, and emphasizes the importance of shared ownership, responsibility, and teamwork when identifying and reporting enterprise risks.
