A recent cloud security audit by the Department of Veterans Affairs Office of Inspector General (OIG) found a few weaknesses in the oversight of the management of security and privacy controls as well as in VA’s process for monitoring cloud service performance levels.
The Veterans Affairs Enterprise Cloud (VAEC), which is built on contracts with two major vendors, must follow the National Institute of Standards and Technology (NIST) risk management framework.
The Enterprise Cloud Solutions Office (ECSO) within the Office of Information and Technology (OIT) developed and operates the VAEC on infrastructure rented from those vendors. The VAEC hosts more than 200 systems that employees, veterans, and contractors use to support the delivery of healthcare, compensation benefits, and home loan guarantees for veterans. It also helps expand cloud-based telework, telehealth, and storage capabilities across VA.
Once a cloud system is established, users purchase “cloud service provider credits” to gain access to the services.
The OIG conducted the audit to determine if VA is effectively assessing and monitoring security and privacy controls for cloud computing in accordance with federal guidance.
The audit team did not identify deficiencies in how VA completed the first six steps of the NIST risk management framework: preparing, categorizing, selecting, implementing, assessing, and authorizing controls. However, the team said it found deficiencies related to monitoring in step seven.
Notably, VA has not yet updated its guidance on security and privacy controls following a September 2020 change to NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Although OIT staff informed the audit team that they are working on updating the related policy, procedures, and directives, the team found systems were not compliant with the revised guidance as of June 2023. According to OIT, the anticipated policy adoption date is December 2023.
The audit team made two determinations related to weaknesses in VA's oversight and monitoring of its VAEC systems. This was due in part to OIT not effectively overseeing the management of security and privacy controls to make sure the systems and the information they contain are protected commensurate with the risk associated with their misuse or unauthorized disclosure.
The OIG examined the six infrastructure systems and a sample of seven of the systems hosted on that infrastructure. For those 13 VAEC systems reviewed, the team found sufficient controls for 18 of the 20 security and privacy control families. The two control families in which deficiencies were found were in the areas of securing personally identifiable information and supply chain management. Further, because required documentation was not always uploaded, the audit team could not verify that ongoing monitoring was occurring. Although no incursions or other impacts were identified in the course of this audit, VA will continue to lack assurance that VAEC controls are working as designed until it finishes updating its guidance and improves active monitoring of these systems.
The OIG also found that VA may be missing opportunities to recoup service credits when vendors do not meet their performance requirements, such as when incidents attributed to the vendor result in outages that exceed agreed-upon acceptable durations. According to the cloud service provider agreements, if the provider does not achieve and maintain agreed-upon service levels, then VA could be eligible for a credit toward future monthly service fees. Between June 2019 and December 2022 there were 10 cloud service outages eligible for claims for service credits due to outages attributed to the vendors. The audit team found VA did not request recoupment for nine of the 10 outages. This occurred because VA had not identified who is responsible for submitting the recoupment requests to the cloud service providers.
After meeting with the audit team, ECSO staff submitted one claim and created a process for requesting recoupment of service credits. However, ECSO did not develop a policy sufficient to identify, document, and submit cloud service incidents for potential recoupment of service credits and assign roles and responsibilities for doing so. Until VA finishes refining its newly established standard operating procedure, it remains at risk of not receiving service credits to which it is entitled. While VA recouped about $114,000 from one outage, the team was unable to determine how the amount was calculated; according to an ECSO official, the cloud service providers make that determination.
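The recoupment gap described above comes down to nobody owning a simple check: which vendor-attributed outages exceeded the agreed duration inside the review window, and which of those never had a claim filed. The script below is an added illustration, not code from the OIG report, ECSO, or the cloud providers; the 60-minute threshold, the `Outage` record layout, and the incident data are constructed assumptions, with the sample shaped to reproduce the page's count of 10 eligible outages and nine unclaimed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Outage:
    incident_id: str
    start: datetime
    duration_min: int
    attributed_to: str   # "vendor" or "va" (assumed field, from incident records)
    claim_submitted: bool

# Hypothetical agreed-upon acceptable outage duration; the real figure lives in
# the provider agreements and is not on the page.
MAX_ACCEPTABLE_MIN = 60
# Review window from the audit: June 2019 through December 2022.
WINDOW = (datetime(2019, 6, 1), datetime(2022, 12, 31, 23, 59))

def eligible_for_credit(o, max_acceptable_min=MAX_ACCEPTABLE_MIN, window=WINDOW):
    """A credit is claimable only for a vendor-attributed outage that ran longer
    than the agreed duration and started inside the review window."""
    return (o.attributed_to == "vendor"
            and o.duration_min > max_acceptable_min
            and window[0] <= o.start <= window[1])

def credit_report(outages):
    """Return (eligible, unclaimed) so a named owner can see what was never submitted."""
    eligible = [o for o in outages if eligible_for_credit(o)]
    unclaimed = [o for o in eligible if not o.claim_submitted]
    return eligible, unclaimed

# Constructed sample: 10 vendor outages over the threshold inside the window
# (only the first has a claim filed), one under the threshold, one attributed
# to VA, and one vendor outage after the window closed.
SAMPLE = [Outage(f"INC-{i:03d}", datetime(2019 + i % 4, 7, 1 + i), 90 + i,
                 "vendor", i == 0) for i in range(10)]
SAMPLE += [
    Outage("INC-100", datetime(2021, 3, 3), 30, "vendor", False),
    Outage("INC-101", datetime(2021, 4, 4), 120, "va", False),
    Outage("INC-102", datetime(2023, 1, 5), 120, "vendor", False),
]

if __name__ == "__main__":
    eligible, unclaimed = credit_report(SAMPLE)
    print(f"{len(eligible)} eligible outages, {len(unclaimed)} never submitted:")
    for o in unclaimed:
        print(" ", o.incident_id, o.start.date(), f"{o.duration_min} min")
```

The amount of each credit is still set by the provider, as the page notes, so the report only surfaces missing claims; it does not compute dollar values.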
The OIG recommended the assistant secretary for information and technology develop a timeline for updating the security and privacy guidance to reflect the revisions to NIST Special Publication 800-53 and address identified weaknesses with personally identifiable information and supply chain management.
The audit team also said the assistant secretary should establish a mechanism to ensure continuous monitoring of the VAEC systems, including having and testing plans (such as contingency, incident response, and disaster recovery plans) and conducting scanning as required. The team added that VA Directive 6517 and its accompanying handbook should also be updated to reflect the revised NIST requirements. The OIG further recommended that the assistant secretary continue to improve the criteria and processes for submitting claims to recoup service credits and assign roles and responsibilities for submitting claims and monitoring outcomes.
The assistant secretary for information and technology and chief information officer concurred with all five recommendations and submitted responsive action plans.