The document discusses information security standards that influence the Department of Veterans Affairs security program, including FISMA, NIST, and FIPS. It provides findings from an audit including incomplete encryption of data, password management issues, and a lack of continuous monitoring. Recommendations include fully encrypting data, enforcing password policies, implementing access reviews, and establishing continuous monitoring processes to inventory hardware and software. The conclusion states the agency has failed to meet many compliance mandates and an agency-wide security program is needed to address issues and protect veterans' private information according to standards.

1. Department of Veterans Affairs Information Security Posture and
Recommendations
CSIA 412
David Bustin
March 10, 2013

2. Agenda
• Discuss the impact of legislation on the Department of Veterans Affairs information
security program.
• Describe information security standards that influence the information security
program.
• Provide a summary of findings on specific topics for the Department of Veterans
Affairs cyber security profile.
• Recommend improvements for the cyber security profile.

3. Legislative Influence on Information Security
• Federal Information Security Management Act of 2002 (FISMA)
• National Institute of Standards and Technology (NIST)
• Office of Management and Budget (OMB)
(Circular A-130)

4. Federal Information Processing Standard
(FIPS)
- FIPS 140-2 (Security Requirements for Cryptographic Modules)
- FIPS 199 (Standards for Security Categorization of Federal Information and
Information Systems)
- FIPS 200 (Minimum Security Requirements for Federal Information and
Information Systems)

5. Personally Identifiable Information
Health Insurance Portability and
Accountability Act (HIPPA)
The Privacy Act of 1974

6. VA Risk Management Framework

7. NIST SP 800-53 Security Requirements
• Access Control (AC)
• Awareness & Training (AT)
• Audit & Accountability (AU)
• Certification, Accreditation, &
Security Assessments (CA)
• Configuration Management
(CM)
• Contingency Planning (CP)
• Identification &
Authentication
(IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical & Environmental
Protection (PE)
• Planning (PL)
• Maintenance (MA)
• Media Protection (MP)
• Physical & Environmental
Protection (PE)
• Planning (PL)
• Personnel Security (PS)
• Risk Assessment (RA)
• System & Services Acquisition
(SA)
• System & Communication
Protection (SC)
• System & Information Integrity
(SI)

8. FIPS 199/200
FIPS 199
The purpose of FIPS 199 is to categorize
information for the potential loss of
confidentiality, integrity, and availability.
The categories are high, moderate, and
low.
FIPS 200
The purpose of FIPS 200 is to list the 17
minimum security requirements, known
as family controls in NIST SP 800-53.

9. Cyber Security Audit
• Remote Enterprise Security
Compliance. Update environment of
user migration is only 30% complete.
• Laptop and thumb drive encryption
have been integrated.
• Tape encryption is currently being
tested at four VA sites.
Recommendations
• Encrypt data that is stored or
transmitted by use of standards in
FIPS 140-2.
• Complete resolution of the remaining
70% clear text vulnerabilities that
were identified in the 2010 FISMA
audit.

10. Identity Management and Access Controls
Findings
Significant information security control
weaknesses
• Password Management
• Access Management
• Audit and Accountability
• Remote Access
• Virtual Local Area Network
Recommendations
• Enforce password policies
• Implement periodic access reviews to
ensure roles are compatible with users
• Enable system audit logs
• Conduct centralized reviews of
security violations

11. Incident Response
Findings
• VA failed to monitor all external
interconnections in accordance with
FISMA section 3544.
• VA has not integrated security
information and event management
technology to perform effective
correlation analysis.
Recommendations
• Implement security monitoring tools
for all interconnections and network
segments.
• Identify all external network
connections & ensure Interconnection
Security Agreements & Memoranda
of Understanding are added.

12. Continuous Monitoring
Findings
• There is no continuous monitoring
process to identify hardware &
software inventory as mandated in
NIST SP 800-53.
Recommendations
• Implement continuous monitoring
processes to identify & prevent the
use of unauthorized software &
hardware.

13. Conclusion
In a final report on the FISMA assessment conducted by Ernst & Young and
Clifton Gunderson LLP, the Department of Veterans Affairs continue to fail in
meeting compliance mandates. Only eight of the 40 recommendations from the
previous inspection have been corrected. These findings are unsatisfactory and
must be addressed for the security of millions of veterans. Subsequent years of
failing to meet compliance with FISMA standards indicates a dereliction of
responsibility. An agency-wide security program will enable the Department of
Veterans Affairs to resolve many of the issues they currently face. Compliance
across the agency is crucial to protecting the privacy of personally identifiable
information in regards to HIPPA and The Privacy Act of 1974, as well as, the
minimum security requirements in FIPS 200.

14. References
http://csrc.nist.gov/groups/SMA/fasp/documents/security_ate/FAS
forNIST_CSP_Ver2.pdf
http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=638&FTy
pe=2
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
http://www.va.gov/oig/52/reports/2011/VAOIG-10-01916-165.pdf