No. | Closed | Questioned Costs | Better Use of Funds | Recommendation
01 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions.
02 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documentation, including Security Control Assessments, Risk Assessments, and Privacy Impact Assessments, as needed. Such updates will ensure all required information is included and accurately reflects the current environment, new security risks, and applicable federal standards.
03 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure System Security Plans reflect the status of security control implementations and that risks are accurately reported to support a comprehensive risk management program across the organization.
04 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system owners and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones (POA&Ms) for all known risks and weaknesses, including those identified during security control assessments.
05 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement measures to ensure that system stewards and other officials responsible for system-level POA&Ms close items only with supporting evidence that shows sufficient remediation of the identified weakness.
06 | No | $0 | $0 | We recommended the VA Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are performed and completed in a timely manner for applicable VA employees and contractors.
07 | No | $0 | $0 | We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate investigation data within the VA systems used for background investigations.
08 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology ensure contingency plans for all systems and applications are updated and tested in accordance with VA requirements.
09 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved procedures to ensure that system outages are resolved within stated recovery time objectives.
10 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology ensure system owners consistently implement processes for periodic reviews of user account access, and remove unnecessary and inactive accounts from systems and networks.
11 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology coordinate with system owners and local system management to ensure that privileged accounts, service accounts, and accounts for individuals with access to source code repositories are consistently monitored and reviewed across VA systems and platforms.
12 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security configuration baselines on domain controllers, operating systems, databases, applications, and network devices.
13 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology ensure established change control procedures are consistently followed for the testing and approval of system changes to VA applications and networks.
14 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement and consistently enforce established procedures for preventing and detecting potential unauthorized changes across all platforms and applications in the environment.
15 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology ensure that all systems and platforms are monitored for compliance with documented VA standards for baseline configurations, and that system owners consistently implement and monitor their configurations.
16 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement automated software management processes on all agency platforms to identify and prevent the use of unauthorized software on agency devices.
17 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved procedures for establishing, documenting, and monitoring an accurate software and logical hardware inventory for system boundaries across the enterprise.
18 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved processes for monitoring and analyzing significant system audit events for unauthorized or unusual activities across all systems and platforms in accordance with VA policy, and ensure privileged activity is monitored on all systems and applications.
19 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise.
20 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platforms, and web application servers in accordance with established policy timeframes. If patches cannot be applied or are unavailable, other protections or mitigations should be documented and implemented to address the specific risks.
21 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology continue to implement improved segmentation controls that restrict vulnerable medical devices from unnecessary access from the general network.
22 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology implement improved processes to require system owners and management to provide adequate credentials so that security scans are authenticated to end devices where feasible, and that the resulting vulnerabilities are remediated in a timely manner.
23 | No | $0 | $0 | We recommended the Assistant Secretary for Information and Technology improve the process for tracking and resolving vulnerabilities that cannot be addressed by enterprise processes within policy timeframes, and implement mitigations for identified security deficiencies by applying security patches, system software updates, or configuration changes to reduce the applicable security risks.