The Government Accountability Office (GAO) report indicated that the VA failed to address the underlying security weaknesses that allowed multiple recent high-profile breaches. These breaches exposed the personal information of thousands of veterans.
The report warns, “Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification, and disclosure, and its systems at risk of disruption.”
During the investigation, GAO learned that VA would not produce its forensic analysis or digital evidence, which evaluators needed to assess whether the corrective measures VA implemented after the breaches were effective. Federal guidance requires agencies to retain all such evidence, but VA policy deviates from this.
The report continued:
“The NSOC identified vulnerabilities in these applications through testing conducted as part of the system authorization process, but VA did not develop plans of action and milestones for correcting the vulnerabilities, resulting in less assurance that these weaknesses would be corrected in a timely and effective manner,” according to the GAO.
These are not the only security failures taking place at the VA.
Security weaknesses were found in VA’s workstations, which include laptop computers. These issues “had not been corrected” at the time of the GAO’s investigation, even though fixes were available in some cases.
“Specifically, 10 critical software patches had been available for periods ranging from 4 to 31 months without being applied to workstations, even though VA policy requires critical patches to be applied within 30 days,” according to the GAO.
“There were multiple occurrences of each missing patch, ranging from about 9,200 to 286,700, and each patch was to address an average of 30 security vulnerabilities,” the report found. “VA decided not to apply 3 of the 10 patches until it could test their impact on its applications; however, it did not document compensating controls or plans to migrate to systems that support up-to-date security features.”