“The Veterans Affairs Department has come a long way implementing Government Accountability Office recommendations for protecting its information systems but still doesn’t have appropriate access control measures in place, according to congressional testimony from a GAO official.”
“As of June 2021, VA had implemented 70 out of 74 recommendations for information security, Carol Harris, GAO’s director of information technology management issues told the House Veteran’s Affairs Committee’s panel on technology modernization during a hearing Thursday.”
“’However,’ she said in her prepared report and testimony, ‘The four remaining recommendations relate to weaknesses in access controls and configuration management. Until VA addresses these remaining shortcomings, it will continue to have limited assurance that its sensitive information and information systems are sufficiently safeguarded.'”
“Setting privileges for controlling who gets to access various parts of an organization’s information technology systems is core to the concept of zero trust. Federal officials are stressing the importance of such zero-trust practices in the wake of high-profile cyberattacks. In the the SolarWinds campaign, for example, hackers leveraged unauthorized access to the IT management firm to distribute malware to scores of private-sector entities and federal agencies.”
“Harris mentioned the SolarWinds hack in noting that VA is also among the majority of agencies that have not implemented its recommendations for securing the supply chain of information and communications technology. She connected the cybersecurity issues to ongoing management challenges at VA and shared concerns about investments in cybersecurity in relation to broader information technology spending…” Read the full article here.
Source: VA’s Cybersecurity Still Missing Critical Zero-Trust Element, Watchdog Says – By Mariam Baksh, July 7, 2021. Nextgov.
