The Department of Veterans Affairs’ top tech official says the agency has a plan to close long-ignored watchdog recommendations for improving information security — but it’ll take some time.
Testifying March 16 before the House Oversight and Government Reform Committee, VA Chief Information Officer LaVerne Council said her team plans to implement all recommendations identified by the agency’s inspector general — some of them going back years — by the end of 2017.
She aims to adopt about 30 percent of the recommendations by the yearend.
“We have made significant progress in improving our cybersecurity posture,” Council testified, pointing in part to increased budgets. “For the first time, our security efforts are fully funded and resourced.”
In its fiscal 2017 budget request, VA is seeking to nearly double its information security spending — from about $180 million to $370 million.
Council rolled out a new departmentwide cybersecurity strategy last fall. In addition, during the 30-day “cybersecurity sprint” initiated by the White House after the massive Office of Personnel Management breach, VA exceeded targets for reducing the number of privileged users and implementing multifactor authentication.
Still, in the latest version of an annual cybersecurity scorecard required by the Federal Information Security Management Act, the IG — for the 16th year in a row — cited IT security as a “material weakness.”
Rep. Will Hurd, R-Texas, who otherwise praised Council’s performance as CIO, suggested the timeline for implementing what he described as “fairly basic cybersecurity best practices” was too sluggish.
“Two years is too long,…