Lawmakers Grill VA Tech Officials Over Stalled Progress on Cybersecurity

Lawmakers pressed top tech officials at the Department of Veterans Affairs on Tuesday about the agency's failure to meet statutory information security targets amid resistance to proposed cyber legislation. 

"Allegations of gross misuse of funds and violating acquisition regulations began in March 2020 and they spiraled into recriminations and internal feuding for nearly two years," Rep. Jim Banks (R-Ind.) said during the hearing. "This turmoil was going on throughout the SolarWinds hack, and I can imagine how much better the VA could have performed with unified leadership."

Kurt DelBene, assistant secretary for information and technology and CIO of the VA who joined the agency late last year, told the House Committee on Veterans' Affairs that "significant progress" had been made in critical areas since a turnover in top cyber staff, but acknowledged the VA "should make faster progress" in meeting Federal Information Security Management Act (FISMA) requirements and an overall cybersecurity framework.

“There is still more work that we have to do. The complexity that we have drives some of that work,” he added, noting how the VA—the second largest federal agency by budget and number of employees—must continue to maintain outdated legacy software during its transition to the cloud and managed services.

The VA has failed to address dozens of FISMA audit recommendations to improve its information security program over the years: the agency successfully closed just three recommendations in 2019 after a report the year prior featured a total of 28 recommendations for improvement. 

However, VA officials told lawmakers they were opposed to bipartisan legislation seeking to strengthen the agency’s cybersecurity standards through independent auditing and assessments with a federally funded research and development center. 

“VA and Congress have the same goal when it comes to protecting veterans' data,” DelBene said, “however we believe that…. [the] Strengthening the VA cybersecurity Act is unnecessary because VA already conducts a very broad and detailed set of cybersecurity audits and evaluations using independent contractors that are equal to or go beyond the requirements of the legislation."

The Strengthening VA Cybersecurity Act would mandate an audit of the effectiveness of the agency's information security management system and provide the secretary with a detailed analysis of its ability to protect against persistent cybersecurity threats, including ransomware, phishing and threats due to remote access and telework activity. 

Rep. Frank Mrvan (D-Ind.), chair of the House Veterans Affairs subcommittee on technology modernization and the original sponsor of the cyber bill, said the committee remained concerned "that the same recommendations are made year after year seemingly without adequate progress in resolving them."

Sen. Jacky Rosen (D-Nev.), a co-sponsor of the bill who also testified on Tuesday, also said that the annual FISMA audit has become "just another check-the-box exercise” rather than an instrumental tool in advancing cybersecurity milestones across the federal government. 

The FISMA audit “fails to take the threat of cyberattacks seriously, and at the level we believe we need to," she said, adding that the legislation would require the VA to submit a report to Congress outlining how it would address vulnerabilities identified in an independent audit. 

The VA requested a $107 million increase to its cybersecurity budget in its fiscal year 2023 funding request.