Since the first time the Department of Veterans Affairs (VA) lost my identity, e.g., the unencrypted hard drive incident, I have monitored the VA’s data security practices. Let’s say I have a vested interest in data security, having lost thousands of dollars to identity thieves and having been bankrupted twice! Thus, imagine my surprise when today, the Department of Veterans Affairs – Office of Inspector General (VA-OIG) released the annual audit results of the VA’s information security practices as required by the “Federal Information Security Modernization Act (FISMA)” and saw the VA remains out of compliance! Not just a little out of compliance, but so far out of compliance that they have aged issues that are almost old enough to drink.
The annual audit is conducted by a third-party, “CliftonLarsonAllen LLP,” who audited 48 major applications and general support systems hosted at 24 VA sites that support the VBA, VHA, and National Cemetery administrations. The VA-OIG reports the following:
“The firm concluded that VA continues to face significant challenges meeting FISMA requirements and made 26 recommendations for improving VA’s information security program. Specifically, VA should address security-related issues that contributed to the information technology material weakness reported in the FY 2020 audit of VA’s consolidated financial statements, improve deployment of security patches, system upgrades, and system configurations that will mitigate significant security vulnerabilities and enforce a consistent process across all field offices. The firm also recommended VA improve performance monitoring to ensure controls are operating as intended at all facilities and communicate identified security deficiencies so the appropriate personnel can mitigate significant risks” [emphasis mine].
Is the connection between application and administration clear? The security deficiencies cannot even get assigned to the right people because organizational communication is ineffective, unclear, and atrociously designed to create designed incompetence or a ready-made excuse for failure! Material weaknesses have been carried forward from one fiscal year (FY) to another since the first breach of data security, e.g., the unencrypted hard drive episode. The administration has a second built-in designed incompetence issue, material deficiencies, even though since 1995, the VA has been “upgrading its IT infrastructure to meet the needs of today’s veterans!” The VA has bragged about how technically up to date they are, but the audit continues to find material weaknesses leading to data insecurity!
While the VA deserves congratulations on closing two antique audit items, they were expected to close ALL aged items during the 2020 FY. Yet, the administrators were still able to skate responsibility, skirt accountability, and act like Sonja Henie at Oslo. Tell me, if your boss expected you to complete a bunch of items, gave you a full year to complete these items, would you be fired for only completing two items? I know I would! As a project manager, if I didn’t have a plan in writing, showing completion dates, inter-relationships, and explicit action items set up within 30-days of being assigned the tasks, I would have been fired! Yet, somehow these VA Administrators, hired to perform these functions by the Government, cannot even communicate, let alone accomplish tasks assigned! Who were the project managers, contract officers, and program managers, and their respective administration officials, line them up and fire them!
The VA-OIG reports, “Despite VA’s commitment that the recommendations would be closed, some of them have been repeated for multiple years [emphasis mine].” Is the connection between the administration officials, their assigned workers, and the failures and designed incompetence clearly observed? I ask because the VA-OIG closed this report with the most useless conclusion I have seen in years of reading these reports! “The VA-OIG remains concerned that continuing delays in effectively addressing the recommendations could contribute to reporting a material weakness in VA’s information technology security controls during the FY 2021 audit of the department’s consolidated financial statements [emphasis mine].”
Of course, the continued foot-dragging, skating, and designed incompetence will lead to problems in information security, cost veterans their identities and thousands of dollars individually, and continue to make the veterans victims of identity theft! How could you think this would not happen? “Hello!!! McFly, is anyone home?”
That the VA administrators continue to hinder improvement at the VA should be grounds for immediate dismissal! Yet, these administrators are allowed to retire with full benefits, cushy benefits packages, and the veteran is left with nothing! Where is Congress in enacting legislation that enables the Government to reduce, remove, or refuse a retirement package for administration employees who cannot or will not act in a manner that reflects competence and ability in following congressional demands and meeting operational standards? Where is Congress working with the VA Secretary on productivity problems caused by administrators who actively hinder improvements at the VA? Why is designed incompetence even allowed as an excuse for failure?
© 2021 M. Dave Salisbury
All Rights Reserved
The images used herein were obtained in the public domain; this author holds no copyright to the images displayed.