Among the cybersecurity challenges facing the VA is accurately identifying the work roles of its workforce positions that perform IT, cybersecurity, or cyber-related functions, GAO has said, calling that “a key step in identifying its critical cybersecurity staffing needs.”
In recent testimony before the House, the GAO noted that earlier this year it found that the VA had likely miscategorized the work roles of many of those positions in its personnel system. Specifically, the VA had reported that nearly half of some 6,600 positions in the 2210 IT management occupational series, which most likely performed IT, cybersecurity, and cyber-related functions, were not performing those functions.
In response, the VA said that it had begun to review the work roles, but GAO said that “until VA completely and accurately categorizes the work roles of its workforce positions performing IT, cybersecurity, and cyber-related functions, the reliability of the information needed to improve workforce planning will be diminished and its ability to effectively identify critical staffing needs will be impaired.”
Other challenges facing the department, it said, include effectively implementing information security controls; mitigating known vulnerabilities; establishing elements of its cybersecurity risk management program; and managing IT supply chain risks.
It added that the reported information security incidents at the VA decreased in fiscal 2018 to 1,776, from 2,661 in 2017 and 2,808 in 2016. Of those, loss or theft of equipment accounted for 20 percent, email/phishing attacks another 20 percent, web-based attacks 13 percent, and improper usage by authorized personnel 4 percent. Almost all the rest did not fit any of those categories, a rate well above that of other agencies. GAO called that statistic “concerning,” saying that “a large percentage of these incidents may indicate a lack of agency awareness and ability to investigate and catalog incidents.”