The Department of Veterans Affairs will lock employees out of its networks if they fail to take the required yearly cybersecurity and privacy training on time – 365 days after their last refresher course.
VA CIO Roger Baker announced the policy last week to button down security and privacy on the VA’s internal and external internet sites that have been hit by security breaches and privacy violations – both internal and external – on a regular basis. An employee who doesn’t meet the yearly deadline will be blocked out on Day 366.
The trust veterans have in us as a department and as individuals depends on our ability to constantly and consistently protect their information from exposure and ever-increasing cyber risks.” – Roger Baker
Baker said there are 315,000 VA employees and a “fair number of contractors,” making a total of 450,000 people who have access to data housed in the VA’s system. The new policy is being implemented this year, and the clock has started ticking down for everyone.
Although there is a 95% compliance rate in taking the yearly refresher course right now, that number is not good enough. It still means that 18,000 VA employees are not complying and that could open up new vulnerabilities, Baker said.
“We’ve been focused for the last several months on a significant step-up in information security and information protection, and on closing the holes we’ve identified over last several years,” Baker told reporters on March 28 in his monthly conference call on security breaches at the agency.
VA Secretary Eric K. Shinseki has said protecting a veteran’s security is an essential duty.
“The trust veterans have in us as a department and as individuals depends on our ability to constantly and consistently protect their information from exposure and ever-increasing cyber risks,” he said.
The project outlined by Baker is called CRISP – the Continuous Readiness in Information Security Program, and it is designed to give VA employees and its contractors the information security training online and refreshed every year on their desktop or laptop.
“We’re really buzzing down our processes to make sure our network is really secure,” Baker said.
He called it a “people-oriented” program, giving VA personnel the tools to get the job done right and requiring their buy-in.
The one-hour online course, provided through the VA’s Talent Management System, is a web-based program accessible both within and outside the VA network on desktops or laptops. It addresses information security and privacy requirements that apply to all VA IT systems, according to VA spokeswoman Josephine Schuda.
The training session includes videos with vignettes about situations people may find themselves in as well as real life breaches that have recently occurred. Every VA employee will be given a test about the incidents at the end of the session and graded on how well they do. Once they finish the refresher course and pass the test, they are given a certificate and it’s noted on their record. Specific details about the course and the questions on the test aren’t publicly available.
“The web-based modality is the most cost-efficient method of delivering this mandated course to the entire VA workforce. Ensuring all staff and contractors are trained in INFOSEC and Privacy requirements has a significant benefit and impact to the overall VA Information Security program and ultimately the protection of veteran information,” Schuda said.
Conducting these regular sessions for the VA’s entire workforce every year is not cheap, but it is far less costly than risking any sort of breach, according to a top VA official who did not put a dollar amount on the training program.
“The cost of protecting veteran data and training our population to be a force multiplier in this effort is significant, but the cost of a data breach or malicious attack on VA is exponentially more costly,” David Bates, IT Workforce Development Supervisor, Office of Information & Technology, told Breaking Gov.
And he added, “By aggressively educating our staff and contractors, we are putting resources toward fortifying our defenses at the user level. The cost of this prevention strategy will be lower than having to react to a preventable incident.”
A highly secure internet is becoming more essential every day as the VA and the Department of Defense move forward developing a joint integrated electronic health record system (iEHRS). Long talked about and on the drawing board for a decade, it’s expected to take four to six years to be developed and cost billions, Baker told the conference call.
Up to date training is also becoming more important as the VA implements its mobile device roll out. It’s in the process of creating a mobile app that is going to be a “real driver” for better medical services for the vet, Baker said.