From: FederalNewsRadio.com 1500AM
By Jason Miller
The Veterans Affairs Department is putting its systems and the data of tens of millions of veterans in jeopardy because of a lack of institutional control over its cybersecurity evaluation and approval process, according to a former high-ranking VA computer security official and multiple other current and former agency officials.
Jerry Davis, the former deputy assistant secretary for information security (DAS IS) in VA’s Office of Information and Technology, alleges in documents obtained by Federal News Radio that he was coerced into rubber stamping 250 security certifications for agency IT systems.
In a letter to Congress, Davis said he was reluctant to sign the documents because he felt the systems had not gone through the proper oversight process.
He said VA officials wanted him to sign off on more than 500 security documents in total as a condition of his release from VA to become the CIO of NASA Ames in Moffett Field, Calif.
“I attest that as the DAS IS, there is a clear and present danger and risk of exposure and compromise of sensitive data for perhaps hundreds of thousands to millions of veteran[s]; all facilitated by coercion, intimidation and an improper process executed to assess system security,” Davis wrote on Jan. 28 to VA’s designated approving authority for IT systems, a role that can be filled by anyone from the agency chief information officer to the program manager who is known as the official system owner.
The documents that Davis said the agency wanted him to sign are called assessments and authorizations (A&A), which previously were known as certifications and accreditations (C&A). Every agency must demonstrate that its IT systems meet cyber policy and regulations through these A&As, which are required under the Federal Information Security Management Act (FISMA). Each system needs an authority to operate (ATO) before it can be brought online, and agencies must renew the ATO every time there is a major change to the system.
Rush to get ATOs signed
Multiple current and former VA officials also say current agency management continues to “blanket” sign these security documents, including the final few dozen in preparation for Tuesday’s hearing on IT security before the House Veterans Affairs Committee.
A VA spokesman disputes the claim that agency systems and data are at risk.
But multiple sources, all of whom requested anonymity for fear of retribution and because of the sensitive nature of the issue, corroborated Davis’ allegations and said the process hasn’t improved since Davis left in early February.
“To me, it seems like all they did was reprint the [authority to operate] letters without going through the proper checks,” said one VA source. “There isn’t enough time to do each ATO. I think they have been doing a batch at a time. I’ve seen folders come trickling in and I don’t believe they have many more left. They are still being signed today. I know what [management] are saying. They have a procedure in place before the ATO is signed where the local level does the checks and then the security official signs it. I think it’s just a CYA to say they only sign ATOs when the process is done. Are they following the process? It’s hard to say. But it seems like nothing has changed since Jerry left.”
In fact, internal emails obtained by Federal News Radio show a scramble to sign the final 16 security certifications before the House hearing.
“You are being requested to take immediate action to resolve the ATO discrepancy and produce a completed package by 31 May, as all systems must have a current ATO prior to Mr. [Stephen] Warren’s 4 Jun congressional hearing,” wrote Gary Stevens, director of VA’s cybersecurity office, in an email, obtained by Federal News Radio, to the agency information security officers responsible for finalizing the ATOs. “Non-receipt of the required information will result in the issuance of a Denial of Authority to Operate (DATO) by the respective date.”
A spreadsheet, also obtained by Federal News Radio, listed the 16 critical systems and what each was missing. All needed either the finalized FISMA checklist, signatures from the system owner, or both. This may seem like a minor oversight, but according to the checklist, system owners must confirm they have reviewed “the System Security Plan, Risk Assessment, Contingency Plan tests, security control test results, and the Plan of Action and Milestones that summarize deficiencies for remediation.”
It also requires the owner to “assert that operating this system in the VA enterprise poses an acceptable level of risk to agency operations and assets.”