FEDweek IT

The VA has taken actions to mitigate previously identified information security vulnerabilities but has not fully addressed them, GAO has found.

For example, it said that the department took actions to contain a significant incident detected in 2012 involving a network intrusion, but that those actions were not fully effective. The department’s Network and Security Operations Center (NSOC) analyzed the incident and documented actions taken in response, but the VA could not produce a report of its forensic analysis of the incident or the digital evidence collected during this analysis to show that the response had been effective, according to GAO-15-117.

Further, it said the VA’s policies did not provide the NSOC with sufficient authority to access activity logs on VA’s networks, hindering its ability to determine if incidents have been adequately addressed.

VA’s actions to address vulnerabilities identified in two key web applications also were insufficient (they were found to be lacking plans of action and milestones), and vulnerabilities identified with VA’s workstations (including laptops) had not been corrected.

Specifically, 10 critical software patches had been available for periods ranging from 4 to 31 months without being applied to workstations, even though VA policy requires critical patches to be applied within 30 days, GAO said.