As our world becomes increasingly connected, protecting sensitive information is more important now than ever before. VA has an obligation to safeguard the data we hold on Veterans, and we take that obligation seriously by making information security and privacy a top priority. VA employs progressive security measures to protect data and secure the VA network and its information technology (IT) systems through a “defense in depth” approach. This strategy provides layers of administrative, technical, and physical security controls to ensure that even if one control fails or otherwise becomes vulnerable, there are other controls in place to keep data secure.
VA was one of the first federal agencies to employ a continuous monitoring capability across its systems. This capability takes the process of monitoring and evaluating the security of VA’s IT systems, once a manual process, and allows it to be constant and automated. With this capability, VA is able detect vulnerabilities early and rapidly respond to threats in near real-time.
Additionally, VA became the first federal department to utilize Einstein 3, an automated intrusion detection system run by the Department of Homeland Security, which has blocked hundreds of intrusion attempts since its implementation. VA was also one of the first agencies to implement Trusted Internal Connections, a program that improves the department’s ability to monitor external connections and identify potentially malicious traffic by reducing and consolidating external connections. In the past year, VA has also rolled out a two-factor authentication requirement for remote access, and prohibits all remote access from high-risk, non-NATO countries.
Device and Application Integrity
With over 750,000 devices and 45,000 applications connected to our network, VA must maintain the ability to view, measure, and secure all IT assets. Fully implemented in 2012, VA’s Enterprise Visibility initiative provides us with real-time visibility to ensure all devices connected to the network meet our high security standards and are free of vulnerabilities. We test every application for vulnerabilities prior to clearing them for operation on the network through various testing methods to simulate real-world hacking techniques. If vulnerabilities are found, we work closely with application developers to ensure that the issues are remediated before an application is cleared to operate on our network.
Creating a Culture of Security
The importance of VA employees in cybersecurity cannot be overstated. VA has established a permanent project team devoted to VA’s Continuous Readiness in Information Security Program (CRISP). Through employee training, awareness campaigns, and educational programs, the CRISP effort is working to create a culture of security that extends to every VA employee. Employees learn about the latest in cybersecurity and are trained to follow VA’s robust incident response plan to ensure that risks are always minimized.
Every day, VA monitors more than 4.5 million emails and safeguards 750,000 connected network devices, tracking and defending against over four million intrusion attempts alone during February 2015. Through this “defense in depth” approach, almost one billion malware attacks were blocked or contained within the same time period, and no Veteran data was affected. With these strategies and the support of VA’s information security professionals, more than half of whom are Veterans themselves, we will continue to serve Veterans and their families and ensure the safety of Veteran information.