A masterpiece created by John Masserini applies the February 2024 release of NIST CSF 2.0 and lets us mere mortals turn somewhat subjective cybersecurity scores into a graphical view of an organization's overall policy and practice maturity.
Today I want to begin a project that uses this tool to grade a federal agency. After some light research I found that one of the few federal agencies subject to both HIPAA and PCI DSS is the U.S. Department of Veterans Affairs.
The VA and Its History with Healthcare IT Systems
The VA is the second largest federal agency in the U.S. and has been on a grueling, overextended timeline for migrating and digitizing its services. In a 2021 congressional hearing on the VA's security posture, Congressman Matthew Rosendale noted that even though the VA had expanded its services, the budget of its Office of Information and Technology (OIT)[1] had remained "flat for years," which, according to the VA's Federal Information Security Modernization Act (FISMA) audit, left the department unable to keep up with its cybersecurity efforts.
Before we jump from 2021 to the current state of affairs in 2025, let's take time to understand the VA's history with IT systems. Historically the VA's Health Portfolio[2] was patched together from outdated IT systems such as the Veterans Health Information Systems and Technology Architecture (VistA)[3] and various other projects under the OIT's Enterprise Portfolio Management Division (EPMD)[4] Health Portfolio. These projects were usually point solutions with limited scope that varied in architecture, standards, and support. More importantly, these systems lacked interoperability, especially with the Department of Defense (DoD) and external health care providers.
VistA is the VA's in-house electronic health record (EHR) system. Alongside it in the Health Portfolio sat the Enrollment Health Benefits Determination (EHBD)[5] system, which worked independently of VistA and determined eligibility for VA benefits. Already we can see how fragmented the VA's healthcare IT was. Why would the system that determines eligibility for health benefits be separate from the system that holds patients' medical records? If the goal was to move these systems onto a more modern IT infrastructure, that fragmentation could only breed cybersecurity risk: every seam between systems is another interface to secure and another place for access decisions to drift out of sync.
In an effort to provide oversight and governance for the plethora of Health Portfolio projects, the OIT created a subdivision known as the Enterprise Portfolio Management Division (EPMD). This was a necessary step before beginning the extensive modernization effort.
History of Task Orders
Beginning in 2018, Liberty IT Solutions LLC (since acquired by Booz Allen Hamilton) was awarded the Enrollment Health Benefits Determination (EHBD) System Continued Modernization Task Order (TO), which sought to improve, sustain, and modernize the EHBD system. Liberty IT already had a substantial history developing federal healthcare IT systems, and this TO was no different: it asked Liberty to take on "system architecture design, development and integration services; governance; operations and maintenance support; and training for the EHBD systems" (Liberty IT Solutions, 2018).
Also during this time the VA announced it would begin replacing VistA with Cerner Millennium. Cerner Corporation (now Oracle Health) is the healthcare technology company behind Cerner Millennium, a commercial electronic health record (EHR) platform being configured for the VA's and DoD's needs. Cerner Millennium can integrate with the DoD's MHS GENESIS, itself a Cerner platform, to ultimately create a single longitudinal EHR for all veterans and service members.
In 2019 Liberty also secured the Health Integration and Modernization (HI&M) Task Order (TO) to consolidate legacy systems such as the EHBD and the rest of the EPMD's portfolio into the single Cerner Millennium EHR. This created a System of Systems (SoS) so that legacy systems could be retired without disruption and all VA platforms could be bridged under one Cerner system.
Then in 2020 the Office of Information Security (OIS)[6] oversaw Liberty's collaboration with Armavel, i4DM, and Northrop Grumman to strengthen the VA's security posture under the Data Loss Prevention (DLP) Task Order (TO) (PRWeb, 2020). The main issue was no longer modernization but protection: mobile devices, medical devices, the VA Enterprise Cloud, and software-defined networks were all listed among Liberty IT's responsibilities (PRWeb, 2020).
The VA 6500 Directive
In 2021 the VA published VA Handbook 6500, Risk Management Framework for VA Information Systems, to implement the VA 6500 Cybersecurity Directive. The directive is built on several previously published authorities:
- 38 United States Code (U.S.C.) §§ 5721-5728
- Federal Information Security Modernization Act (FISMA), 44 U.S.C. §§ 3551-3558
- Office of Management and Budget (OMB) Circular A-130
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
Following the 2006 theft of a VA data analyst's laptop, which exposed the personally identifiable information (PII) of over 26 million veterans, 38 U.S.C. § 5721 was enacted as part of the Department of Veterans Affairs Information Security Enhancement Act of 2006 (Title IX of Public Law 109-461) and codified at 38 U.S.C. §§ 5721-5728. This legislation established a formal information security program within the VA to protect its information systems and sensitive data, and it made the department's obligations under broader federal requirements such as FISMA specific to the VA.
Speaking of FISMA: it was first enacted in 2002 as the Federal Information Security Management Act (Title III of the E-Government Act) in response to the lack of federal IT security policy and a rise in cyber threats, and it was replaced in 2014 by the Federal Information Security Modernization Act, codified at 44 U.S.C. §§ 3551-3558. During the late 1990s and early 2000s many federal agencies were digitizing operations, and the Government Accountability Office (GAO) consistently reported widespread vulnerabilities and little accountability for fixing them. After incidents such as Moonlight Maze (1998)[7] and the Code Red[8] and Nimda[9] worms (2001), FISMA drew on NIST standards to require federal agencies to conduct annual audits, implement risk-based security programs, and report on compliance and incident response. FISMA assigned policy leadership to the OMB and, in its 2014 form, operational support and incident response coordination to the Department of Homeland Security (DHS).
The OMB's involvement in federal IT regulation dates back to the pre-Internet era. The Paperwork Reduction Act (PRA) of 1980 made the OMB responsible for information management across federal agencies at a time when agencies were beginning to store records electronically rather than on paper. In 1985 the OMB issued Circular A-130 as a direct implementation of the PRA, establishing minimum security standards for these automated systems. It incorporated privacy requirements drawn from the Privacy Act of 1974 and set government-wide information architecture policy.
The National Institute of Standards and Technology (NIST) was founded in 1901 (as the National Bureau of Standards) and is a non-regulatory federal agency within the U.S. Department of Commerce. Historically its focus has been on standardizing technologies to support national needs. As computing spread in the 1970s, NIST began work on cryptographic standards (such as DES in 1977), data interoperability, and computer security best practices. After years of publishing foundational computer security documents, in 2002 FISMA designated NIST as the body responsible for developing federal cybersecurity standards. Since then NIST's work has become mission-critical: it developed the Risk Management Framework (RMF) and maintains the SP 800 series of security and privacy publications.
In 2014 NIST released the NIST Cybersecurity Framework (CSF) in response to Executive Order 13636[10] on improving critical infrastructure cybersecurity. It has been widely adopted in both the public and private sectors. In February 2024 NIST released CSF 2.0, which expands the framework's scope beyond critical infrastructure to all sectors and adds a Govern function alongside Identify, Protect, Detect, Respond, and Recover. This is the framework we will use to evaluate the VA's 2025 cybersecurity posture with Masserini's tool. In theory, since FISMA is based on NIST standards and VA 6500 is based on both FISMA and NIST standards, the VA's own reports should contain enough information to grade it accurately.
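As an added illustration (my own code, not Masserini's tool and not VA data), here is the kind of roll-up such a maturity tool performs: per-category policy and practice scores, keyed by the real CSF 2.0 category identifiers, are averaged per function; categories with no evidence are left out of the mean rather than silently counted as zero; and any function whose written policy outruns its observed practice is flagged, because that gap is where paper compliance hides. The 0 to 4 scale, the tier labels on it, the sample scores, and the gap threshold are assumptions of this example, not anything the VA or Masserini publish.

```python
"""Roll CSF 2.0 category scores up to per-function policy/practice maturity.

Illustrative only: the scoring scale and sample scores are this example's own
conventions (assumptions), not Masserini's tool and not VA data.
"""
from statistics import mean

# CSF 2.0 functions and their category identifiers (NIST CSF 2.0, February 2024).
CSF2_CATEGORIES = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}
FUNCTION_NAMES = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                  "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Assumed scale: 0 = not performed, 1..4 borrow the names of the CSF Tiers.
SCALE_MAX = 4
TIER_NAMES = {0: "Not performed", 1: "Tier 1 Partial", 2: "Tier 2 Risk Informed",
              3: "Tier 3 Repeatable", 4: "Tier 4 Adaptive"}

# Constructed sample: category -> (policy score, practice score); None = no evidence yet.
SAMPLE_SCORES = {
    "GV.OC": (3, 3), "GV.RM": (3, 2), "GV.RR": (3, 3), "GV.PO": (4, 1), "GV.OV": (3, 2), "GV.SC": (3, 1),
    "ID.AM": (3, 2), "ID.RA": (3, 2), "ID.IM": (2, 2),
    "PR.AA": (3, 2), "PR.AT": (3, 3), "PR.DS": (3, 2), "PR.PS": (3, 2), "PR.IR": (2, 2),
    "DE.CM": (3, 2), "DE.AE": (2, 1),
    "RS.MA": (3, 3), "RS.AN": (2, 2), "RS.CO": (3, 3), "RS.MI": (2, 2),
    "RC.RP": (2, 2), "RC.CO": (2, None),
}


def validate_scores(scores):
    """Reject unknown category ids and out-of-range scores before they skew a mean."""
    known = {c for cats in CSF2_CATEGORIES.values() for c in cats}
    for cat, (policy, practice) in scores.items():
        if cat not in known:
            raise ValueError(f"unknown CSF 2.0 category: {cat}")
        for v in (policy, practice):
            if v is not None and not 0 <= v <= SCALE_MAX:
                raise ValueError(f"{cat}: score {v} outside 0..{SCALE_MAX}")


def rollup(scores, gap_threshold=1.0):
    """Per function: mean policy and practice score, their gap, and unscored categories.

    Categories with no evidence are excluded from the mean rather than counted as 0,
    and are listed so the reader can see how thin the evidence base is.
    A policy-minus-practice gap of at least gap_threshold is flagged.
    """
    validate_scores(scores)
    result = {}
    for fn, cats in CSF2_CATEGORIES.items():
        pol = [scores[c][0] for c in cats if c in scores and scores[c][0] is not None]
        prac = [scores[c][1] for c in cats if c in scores and scores[c][1] is not None]
        unscored = [c for c in cats if c not in scores or None in scores[c]]
        policy = round(mean(pol), 2) if pol else None
        practice = round(mean(prac), 2) if prac else None
        gap = round(mean(pol) - mean(prac), 2) if pol and prac else None
        result[fn] = {
            "policy": policy,
            "practice": practice,
            "gap": gap,
            "policy_outruns_practice": gap is not None and gap >= gap_threshold,
            "unscored": unscored,
            "tier": TIER_NAMES[int(practice + 0.5)] if practice is not None else "unscored",
        }
    return result


def weakest_function(result):
    """Function with the lowest practice score (ties keep CSF order); None if nothing scored."""
    scored = [(r["practice"], fn) for fn, r in result.items() if r["practice"] is not None]
    return min(scored, key=lambda t: t[0])[1] if scored else None


def render(result, width=20):
    """Text bar chart of practice maturity per function, with gap and evidence flags."""
    lines = []
    for fn, r in result.items():
        name = f"{FUNCTION_NAMES[fn]:<8}"
        if r["practice"] is None:
            lines.append(f"{name} (no practice evidence)")
            continue
        filled = int(round(r["practice"] / SCALE_MAX * width))
        bar = "#" * filled + "." * (width - filled)
        flag = "  <- policy outruns practice" if r["policy_outruns_practice"] else ""
        missing = f"  unscored: {','.join(r['unscored'])}" if r["unscored"] else ""
        lines.append(f"{name} policy {r['policy']:.2f} practice {r['practice']:.2f} "
                     f"[{bar}] {r['tier']}{flag}{missing}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = rollup(SAMPLE_SCORES)
    print(render(summary))
    print("weakest function:", FUNCTION_NAMES[weakest_function(summary)])
```

Two design choices matter when you feed real assessment data into something like this. Missing evidence must never be scored as zero, or an agency that simply has not published on a category looks worse than one that published a weak result; listing the unscored categories keeps that honest. And the policy-versus-practice gap is worth reporting separately from the averages, because a handbook like VA 6500 can score well on paper while an IG assessment of what is actually implemented says otherwise.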
Grading the VA
If you search online for anything similar to Masserini's tool, you will likely find the FITARA Dashboard (the version cited here is MeriTalk's). It is a graphical display of the FITARA Scorecard and tracks agency-wide IT performance, not just cybersecurity. Beginning in 2015, the House Committee on Oversight and Government Reform (OGR) began issuing the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard to grade federal agencies on their IT performance. The scorecard's categories have changed across editions; the seven metrics tracked in earlier scorecards were:
- Agency CIO Authority Enhancements (Incremental Development)
- Transparency and Risk Management (OMB’s IT Dashboard)
- Portfolio Review (PortfolioStat)
- Data Center Optimization Initiative (DCOI)
- Software Licensing (FITARA and MEGABYTE)
- Modernizing Government Technology (MGT Act)
- Cyber (FISMA)
While VA 6500 does not map directly onto FITARA's grading categories, it should come as no surprise that a strong implementation of 6500 would improve the VA's Cyber score.


Currently the VA has an overall FITARA score of B, with Cloud Computing and Cyber as its lowest category scores (MeriTalk, n.d.).
The Cloud Computing category is based on the OMB's Federal Cloud Computing Strategy and aims to accelerate cloud adoption by federal agencies. It scores five key requirements for successful cloud adoption, which are detailed in GAO-24-106137.
The Cyber category combines two inputs: the prior fiscal year's Inspector General FISMA assessment, scored against Level 4 ("Managed and Measurable") maturity as the denominator, and the agency's score on the Federal Cybersecurity Progress Report (FCPR).
The next step in the process will be data collection. For the next week I will be scouring the internet far and wide for every source I can get my hands on and start compiling all the data I will need to use in Masserini’s NIST CSF 2.0 Tool.
Talk soon!
Sources:
EPIC. (2006, May). Spotlight on Surveillance: Veterans Administration and Data Security. Electronic Privacy Information Center (EPIC). https://archive.epic.org/privacy/surveillance/spotlight/0506/default.html
MeriTalk. (n.d.). FITARA Dashboard: Department of Veterans Affairs. https://fitara.meritalk.com/view/va
U.S. Department of Veterans Affairs. (n.d.). VA Handbook 6500 Updates. https://www.va.gov/vapubs/Search_action.cfm?formno=&tkey=&dType=5&SortBy=issue&sort=desc
PRWeb. (2018, October 29). Liberty IT Solutions Awarded $88MM Contract to Modernize VA’s Enrollment Health Benefits System. https://www.prweb.com/releases/liberty_it_solutions_awarded_88mm_contract_to_modernize_va_s_enrollment_health_benefits_system/prweb15426065.htm
Health IT Outcomes. (n.d.). Liberty IT Solutions Awarded Health Integration and Modernization Task Order. https://www.healthitoutcomes.com/doc/liberty-it-solutions-awarded-health-integration-and-modernization-task-order-0001
PRWeb. (2020, January 8). Liberty IT Solutions Awarded $48M Cybersecurity Data Loss Prevention Program Task Order. https://www.prweb.com/releases/Liberty_IT_Solutions_Awarded_48M_Cybersecurity_Data_Loss_Prevention_Program_Task_Order/prweb16817735.htm
GovConWire. (2020, January 6). Liberty IT Solutions to Help Update VA Health Revenue Management Platform Under $95M Task Order. https://www.govconwire.com/2020/01/liberty-it-solutions-to-help-update-va-health-revenue-mgmt-platform-under-95m-task-order/
Masserini, J. (n.d.). John Masserini – Cybersecurity Strategy and Leadership Insights. https://johnmasserini.com/
- [1] The OIT is a subdivision of the VA that manages and oversees the VA's internal IT infrastructure.
- [2] The Health Portfolio refers to the collection of IT systems supporting VA health care.
- [3] VistA is the VA's in-house electronic health record system, dating to the late 1970s and 1980s and written in the M (MUMPS) programming language.
- [4] The EPMD is a subdivision of the OIT created in the mid 2010s to manage IT projects under the VA's Health Portfolio.
- [6] OIS is a subdivision of the OIT that manages adherence to cybersecurity policies, risk management, and compliance.
- [7] Moonlight Maze (1998) was one of the first major state-sponsored intrusion campaigns (likely from Russia), involving data exfiltration from the DoD, NASA, and national labs.
- [8] The Code Red worm (2001) exploited a buffer overflow in an ISAPI extension of Microsoft's IIS web server, allowing it to deface websites and launch denial-of-service (DoS) attacks, including one targeting the White House's web site.
- [9] The Nimda worm emerged shortly after Code Red and spread even faster by using multiple vectors (email, open network shares, and compromised web servers).
