Recommendations

933
755 Open Recommendations
816 Closed in Last Year

Age of Open Recommendations
522 Open Less Than 1 Year
231 Open Between 1-5 Years
5 Open More Than 5 Years
ID Report Number Report Title Type
14-01820-355 Federal Information Security Management Act Audit for Fiscal Year 2014 Audit

1
We recommended the Executive in Charge for Information and Technology fully develop policy to address Federal requirements and implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from prior years.)
Closure Date:
2
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central Governance Risk and Compliance tool to justify closure of Plans of Action and Milestones. (This is a modified repeat recommendation from last year.)
Closure Date:
3
We recommended the Executive in Charge for Information and Technology implement clear roles, responsibilities, and accountability for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a modified repeat recommendation from prior years.)
Closure Date:
4
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from prior years.)
Closure Date:
5
We recommended the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnections, boundary, and ownership information. (This is a modified repeat recommendation from last year.)
Closure Date:
6
We recommended the Executive in Charge for Information and Technology implement improved processes for updating key security documents such as risk assessments, Privacy Impact Assessments, and security control assessments on an annual basis and ensure all required information accurately reflects the current environment. (This is a modified repeat recommendation from last year.)
Closure Date:
7
We recommended the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)
Closure Date:
8
We recommended the Executive in Charge for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)
Closure Date:
9
We recommended the Executive in Charge for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems. (This is a repeat recommendation from prior years.)
Closure Date:
10
We recommended the Executive in Charge for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a repeat recommendation from prior years.)
Closure Date:
11
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from prior years.)
Closure Date:
12
We recommended the Executive in Charge for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platforms, and Web application servers. (This is a modified repeat recommendation from last year.)
Closure Date:
13
We recommended the Executive in Charge for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA's Web applications, database platforms, network infrastructure, and work stations. (This is a modified repeat recommendation from last year.)
Closure Date:
14
We recommended the Executive in Charge for Information and Technology implement improved processes for monitoring standard security configuration baselines for all VA operating systems, databases, applications, and network devices. (This is a modified repeat recommendation from last year.)
Closure Date:
15
We recommended the Executive in Charge for Information and Technology implement improved network access controls to ensure medical devices and tenant networks are appropriately segregated from general networks and mission-critical systems. (This is a new recommendation.)
Closure Date:
16
We recommended the Executive in Charge for Information and Technology consolidate the security responsibilities for tenant networks present under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a new recommendation.)
Closure Date:
17
We recommended the Executive in Charge for Information and Technology implement procedures to enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system. (This is a modified repeat recommendation from last year.)
18
We recommended the Executive in Charge for Information and Technology implement processes to ensure information system contingency plans are updated with the required information. (This is a modified repeat recommendation from last year.)
Closure Date:
19
We recommended the Executive in Charge for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite for storage. (This is a repeat recommendation from prior years.)
Closure Date:
20
We recommended the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA set standards. (This is a repeat recommendation from prior years.)
Closure Date:
21
We recommended the Executive in Charge for Information and Technology identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and exchanges for unauthorized activity. (This is a modified repeat recommendation from last year.)
Closure Date:
22
We recommended the Executive in Charge for Information and Technology implement and monitor incident response metrics to assist in tracking and remediating all cybersecurity events. (This is a new recommendation.)
Closure Date:
23
We recommended the Executive in Charge for Information and Technology develop a listing of approved software and implement continuous monitoring processes to identify and prevent the use of unauthorized application software, hardware, and system configurations on its networks. (This is a repeat recommendation from prior years.)
Closure Date:
24
We recommended the Executive in Charge for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a repeat recommendation from prior years.)
Closure Date:
25
We recommended the Executive in Charge for Information and Technology implement procedures for overseeing contractor-managed, cloud-based systems and ensuring information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from last year.)
Closure Date:
26
We recommended the Executive in Charge for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including contractor-managed systems and interfaces, and annually review the systems inventory for accuracy. (This is a repeat recommendation from prior years.)
Closure Date:
27
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a repeat recommendation from prior years.)
Closure Date:
28
We recommended the Executive in Charge for Information and Technology develop guidance and procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents.
Closure Date:
29
We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure risk assessments accurately reflect the current control environment, compensating controls, and the characteristics of the relevant VA facilities.
Closure Date:
30
We recommended the Assistant Secretary for Information and Technology update all applicable position descriptions to better describe position sensitivity levels, and improve documentation of employee/contractor personnel records of "Rules of Behavior" and annual privacy training certifications.
Closure Date:
31
We recommended the Assistant Secretary for Information and Technology ensure appropriate levels of background investigations be completed for all applicable VA employees and contractors in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.
Closure Date:
32
We recommended the Assistant Secretary for Information and Technology reduce wireless security vulnerabilities by ensuring sites have up-to-date mechanisms to protect against interception of wireless signals and unauthorized access to the network, and ensure the wireless network is segmented from the general network.
Closure Date:
33
We recommended the Assistant Secretary for Information and Technology identify and deploy solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities.
Closure Date:
14-04876-204 Inspection of VA Regional Office Indianapolis, Indiana Review

1
We recommended the Indianapolis VA Regional Office Director develop and implement a plan to ensure staff take timely action on reminder notifications to request medical reexaminations.
Closure Date:
2
We recommended the Indianapolis VA Regional Office Director conduct a review of the 353 temporary 100 percent disability evaluations remaining from their inspection universe as of September 2, 2014, and take appropriate action.
Closure Date:
3
We recommended the Indianapolis VA Regional Office Director implement plans to ensure the effectiveness of training conducted on processing claims for Special Monthly Compensation and ancillary benefits.
Closure Date:
4
We recommended the Indianapolis VA Regional Office Director implement a plan to ensure claims processing staff prioritize actions related to benefits reductions to minimize improper payments to veterans.
Closure Date:
15-00075-351 Combined Assessment Program Review of the VA St. Louis Health Care System, St. Louis, Missouri Comprehensive Healthcare Inspection Program
15-00112-338 Review of Community Based Outpatient Clinics and Other Outpatient Clinics of VA Puget Sound Health Care System, Seattle, Washington Comprehensive Healthcare Inspection Program
15-00076-350 Combined Assessment Program Review of the VA Nebraska-Western Iowa Health Care System, Omaha, Nebraska Comprehensive Healthcare Inspection Program
14-03380-356 FY 2014 Review of VA’s Compliance With the Improper Payments Elimination and Recovery Act Audit
15-00126-342 Review of Community Based Outpatient Clinics and Other Outpatient Clinics of VA Boston Healthcare System, Boston, Massachusetts Comprehensive Healthcare Inspection Program
15-00124-227 Review of Community Based Outpatient Clinics and Other Outpatient Clinics of VA Nebraska-Western Iowa Health Care System, Omaha, Nebraska Comprehensive Healthcare Inspection Program

1
We recommended that fire drills are performed every 12 months at the O’Neill VA Clinic.
2
We recommended that Clinic Registered Nurse Care Managers receive motivational interviewing training within 12 months of appointment to Patient Aligned Care Teams.
3
We recommended that providers and clinical associates in the outpatient clinics receive health coaching training within 12 months of appointment to Patient Aligned Care Teams.
4
We recommended that the Facility Director develops policies and procedures that facilitate human immunodeficiency virus testing as part of routine medical care for patients.
5
We recommended that clinicians provide human immunodeficiency virus testing as part of routine medical care for patients and that compliance is monitored.
15-00129-339 Review of Community Based Outpatient Clinics and Other Outpatient Clinics of VA Roseburg Healthcare System, Roseburg, Oregon Comprehensive Healthcare Inspection Program
15-00110-228 Review of Community Based Outpatient Clinics and Other Outpatient Clinics of VA Palo Alto Health Care System, Palo Alto, California Comprehensive Healthcare Inspection Program