By Mary Mosquera
By the end of September, information security managers at the Department of Veterans Affairs will have the electronic tools in place that will let them see how vulnerable the one million computers and other devices connected to the VA network are.
For the last six months, VA has been deploying multiple software applications and data scanning tools "to get visibility on every device on our network," said Roger Baker, VA CIO.
The tools will enable the department to do a better job of protecting its network and veterans' sensitive data, reducing the potential for data breaches.
The sprawling, decentralized structure of VA has made it difficult to effectively apply information security across the organization and assure the security of computers and other devices. The VA has about 300,000 desktop computers, and there are printers, laptops and other devices that plug into the network, Baker said in a briefing with reporters Sept. 17.
"When we have that visibility in place by the end of this month, that will let us know if laptops exist on the network that are not encrypted," he said, adding that "the intent is for us to have a complete view of the vulnerabilities in our enterprise."
Most important, security operations managers will be able to monitor, for every department desktop and laptop computer, the status of hardware and software security patches, the level of security compliance and which administrative division owns the machine, he said. Forensic software will examine systems on the network, obtain electronic evidence when there are intrusions, and be able to automatically fix compromises and vulnerabilities when needed.
The security does not come cheap, however. The cost this year has been about $50 million for the software and systems necessary for the deployment, Baker said.
VA has also stepped up enforcement of its contracts to make certain that companies that help the department provide healthcare and benefits meet information security requirements to protect veterans' sensitive data. VA has 22,000 supply chain partners, but not all of them handle veterans' information, he said.
VA has a clause in its contracts requiring information security safeguards, including encryption and policies limiting who can access personal data. However, a data breach earlier this year demonstrated to VA that it needed to verify that its contractors comply with its security policies. So, it's been auditing the contracts at VA medical facilities and has found that, so far, about 25 percent of the facilities have contracts that do not meet the information security requirement, Baker said.
His next step is to send a letter to the CEOs of every company doing business with VA to advise them that their company has responsibilities for information security.
He also said that when contractors certify to VA that they are applying the protections it requires, VA will make sure that they are actually doing so. If they're not, he said that he will be adamant that VA "take all actions available to us under federal contracting law."


