The Department of Veterans Affairs’ newly released cybersecurity strategy provides a foundation highlighting what VA considers when making cybersecurity decisions. It addresses safeguarding of data, information and information systems, incorporating new technologies to be responsive and agile in supporting the mission, and places importance on partnerships with other federal agencies.
In an interview with GovernmentCIO Media & Research, VA’s Deputy Assistant Secretary and Chief Information Security Officer Paul Cunningham discussed the main themes within the strategy around securing VA and veteran information, health records and electronic data exchanges. This will necessitate shifting how VA looks at cybersecurity as a business value supporting the VA mission.
Cybersecurity, Cunningham said, is an enabler to VA’s mission in an environment that is prioritizing digital and mobile access to benefits.
“That's why we're doing cybersecurity — not because it's a federal requirement, that's important, but we also need to know that it enriches the value of the benefits,” Cunningham said. “Most veterans want to be able to access VA data much like they do with their phone and their banking. They want to have that confidence that the numbers are right; it's a secure communication, and it's seamless. That’s where we need to be driving toward.”
VA’s cybersecurity strategy is a department-wide, five-year effort that aligns with federal cybersecurity requirements, supports new technology developments and adapts to a changing IT landscape.
“Cybersecurity is a team effort, especially given the rapid rate of technological advancements across VA,” VA Secretary Denis McDonough said in the full strategy document published early November. “That means all VA employees and contractors must do our parts to safeguard sensitive and private information, practice accountability and transparency, and remain hypervigilant of cyber threats.”
“What's great about the strategy is the interest by the secretary to be leading on that front,” said Cunningham.
The new strategy is supporting a resilient technology environment, with five priority goals:
- secure and protect agency and veteran information
- protect information systems and assets
- leverage innovation to strengthen cybersecurity
- enhance cybersecurity through partnerships and information sharing
- empower VA mission through cybersecurity risk management
Over the past year, VA has been ramping up various cybersecurity initiatives and is now working on further building out its zero trust architecture as a result of President Biden's May executive order.
“We had security principles in place, equipment in place, but the zero trust architecture really focuses on changing the way we look at cyber,” Cunningham said. "It's really about changing the mindset ... to start assuming that the adversary's already here, instead of saying, ‘Let's keep building a thicker gate to keep the adversary out.’”
VA is using the National Security Agency’s zero trust roadmap to inform development, implementation and areas of improvement. Cunningham said that VA currently has the proper equipment and technology in place to accelerate its cybersecurity posture, and the agency is working to integrate the zero trust architecture mindset.
Cunningham said VA also has fostered its relationship with the Cybersecurity and Infrastructure Security Agency (CISA) to better identify network vulnerabilities, where risks lie and areas of improvement.
“We rely heavily on that federated effect for us to be able to address that communication,” Cunningham said. "The more we can share, the harder it becomes for the adversary because they won't be able to replay that attack over and over again.”
A growing charge even outside of the agency is in incident reporting to better leverage shared resources and develop holistic and timely responses to threats. VA is looking to improve incident response through dashboards and by leveraging Continuous Diagnostics and Mitigation (CDM) capabilities.
“[The Department of Homeland Security] takes a lead role in helping us identify where it's been done successfully, so hopefully we can get [CDM] implemented without as much struggle," Cunningham said. “It's sharing of information. It goes beyond just alerts, but also what's good technology and how to use it.”
Moving forward amid widespread modernization and as VA grows its telehealth capabilities, Cunningham said the agency will continue providing secure access to vital services while also maintaining protection of critical data.
“At the end of the day, it's really that human element that is the trickiest part of protecting data,” Cunningham said. "It's no longer that we’re a small fish in a big pond. The pond is getting smaller and smaller, and we’re relying more and more on technology. We have to take ownership of that as we go forward at every level from the user to those that own the data, and the security teams that monitor and track to make sure that the data's being protected and used appropriately.”