The Department of Veterans Affairs needs to do more to strengthen cybersecurity, for example by identifying and addressing areas of greatest risk, the Government Accountability Office has found. Although VA has implemented many GAO recommendations, risks to sensitive information remain.
The Department of Veterans Affairs (VA) has faced long-standing challenges in its efforts to deploy information technology (IT) initiatives in two critical areas requiring modernization: Vue); and the outdated and unintegrated VA financial management and procurement systems, which require complex manual work processes that contributed to the department flagging the functionality of the financial management system as a significant weakness. Specifically,
- GAO reported on the challenges the department has faced in its three previous failed attempts to modernize VistA over the past 20 years. In February 2021, GAO reported that VA had made progress in implementing its fourth effort, a modernized electronic health records system. However, GAO stressed that the department needs to process all critical severity test results (which may lead to system failure) and high severity test results (which may lead to system failure, but have acceptable workarounds) before deploying the system to future locations.
- In March 2021, GAO reported on the transformation of the department's financial management activities, a program to modernize financial and procurement systems. GAO found that VA generally adhered to best practices in the areas of program governance, project management, and testing. However, the department had not fully followed best practices for developing and managing cost and schedule estimates. GAO recommended that VA follow such practices to help minimize the risk of cost overruns and schedule delays.
GAO also reported that VA has struggled to secure information systems and associated data; implement information security controls and mitigate known security gaps; establish the key elements of a cybersecurity risk management program; and identify, assess and mitigate risks in information and communications technology supply chains. GAO made numerous recommendations to VA to address these areas. Many of these recommendations have been taken into account, but others have not been fully implemented.
VA has had mixed results in implementing key provisions of the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA). Specifically, VA has made substantial progress in improving its software licensing, leading it to identify $65 million in cost savings. In addition, it has made progress in consolidating its data centers and in achieving savings and cost avoidance. However, it has made limited progress in meeting the demands of managing IT investment risk and strengthening the authority of its CIO. Full implementation of the provisions of the act would allow the department to provide better service to our veterans through modern and secure technology.
GAO has made numerous recommendations in recent years aimed at improving efforts to modernize VA’s computer system, the cybersecurity program, and the implementation of key FITARA provisions. While VA generally agrees with these, it has yet to implement many of the recommendations.