VA's Brody recommends centralized approach to security
Bruce Brody, CIO of the Veterans Affairs Department, had some advice today for agencies working to improve the security of their networks.
"Trust me, centralization is the only way to get it done," he said.
Brody offered his advice at the GOVSEC security conference in Washington while outlining his department's progress since he took on the task in March 2001. VA is the first cabinet-level department to establish central cybersecurity technology and operational controls at the department level, he said.
When he became associate deputy assistant secretary for cyber and information security, VA had been given an F in former Rep. Steve Horn's cybersecurity report card. The agency's widely distributed operations (163 medical centers, more than 800 clinics, 57 regional benefits offices and 206 outreach centers) had accumulated a hodge-podge of 30 networks, each independent and cobbled together.
"Lots of unauthorized connections to the Internet," Brody said. "A real mess. Implementing security in an environment like this was just not feasible."
Brody centralized security oversight and used the requirements of the Government Information Security Reform Act (now the Federal Information Security Management Act) as the framework for implementing security. This year, more than 200 gateways are being reduced to four, with centralized management of firewalls and other security. A Central Incident Response Capability has been launched that Brody called the best in government, and a network security operations center was opened this year in Martinsburg, W.Va. A second NSOC is scheduled to open next year in Chicago.
The VA CIRC, operated by a small business consortium called VAST (for VA Security Team) LLC, is the mandatory source for many security services for VA agencies. Multiple blanket purchase agreements have been awarded to EDS Corp., IBM Corp., Maximus Inc. of Reston, Va., RS Information Systems Inc. of McLean, Va., and Science Applications International Corp. of San Diego as mandatory sources for other security services and products. A second round of BPAs is expected to be awarded late this summer.
The department also is making its security staff more professional, Brody said. There are more than 600 security practitioners "of uneven quality" in the department, he said. He has established qualifications and training programs and all will undergo certification testing next month. Certification will be a condition of employment and security employees will have to be recertified every three years. They also will have background checks done and receive at least secret level clearances.
The department's security is not perfect. Brody said he hopes to receive a C- in the next round of congressional report cards. The department is not as far along in the Office of Management and Budget's Federal IT Security Assessment Framework as it should be.
"We want to get to FITSAF Level 4," he said. "We are supposed to be there now. We hope to get there in the next year and a half."
VA is now at FITSAF Level 3, which Brody said is the primary reason for the department's failing grade from Congress. He said the reason for the low level is a lack of money, and laid the blame for that on Congress.
"We spent our appropriation," he said. "Give us more money, and we'll be at Level 4. What Congress could do to help would be appropriating more money for security. Part of that F belongs to them."