A new bill would require the Department of Veterans Affairs to hire an outside contractor to assess its cybersecurity operations. ("Department of Veterans Affairs" by Christopher Neugebauer is licensed under CC BY-SA 2.0)


The Strengthening VA Cybersecurity Act, introduced by Sens. Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., would give the secretary of Veterans Affairs two months to contract with a federally funded research and development center to perform an independent cybersecurity assessment of between three and 10 high-impact information systems at the VA. Those could include on-premises systems, remote or cloud-based systems, or mobile applications the department uses to further its mission.

In a statement, Rosen cited potential hacking threats from Russia as the U.S. continues to levy sanctions on the country, while Blackburn noted that the VA, which serves the medical and health needs of millions of U.S. veterans and active members of the military, has the second-highest IT budget in the federal government but the fifth-lowest cybersecurity budget.

“The Department of Veterans Affairs is the largest integrated health care network in the United States, yet it spends less as a percentage of its overall budget on cybersecurity relative to other government agencies,” Rosen said. “This bipartisan bill would help us understand the VA’s cyber vulnerabilities and ensure we protect our veterans’ personal information from malicious cyberattacks.”

The center would also be responsible for conducting a broader assessment of the department’s IT security management and an analysis of its ability to defend against a broad range of hacking threats, such as advanced persistent threat (APT) groups, ransomware, denial-of-service attacks, insider threats, attacks that target the department’s supply chain, and more recent threats targeting weaknesses in the remote telework infrastructure that has become more common during the coronavirus pandemic.

The assessment would also cover what’s known as “shadow IT” at the department: devices and assets that are connected to the network but aren’t being tracked, accounted for, or regularly patched. The contractor would be charged with performing “an evaluation of the use of information technology systems, devices, and services by employees and contractors of the Department who do so without the elements of the Department that are responsible for information technology…knowing or approving of such use.”

Such hidden IT plagues nearly every large organization, and the Department of Homeland Security has a program, called Continuous Diagnostics and Mitigation, that was designed in part to help departments and agencies conduct asset inventories and identify all devices and users accessing their networks.

Within six months of receiving the assessment, the VA secretary would need to submit a written plan to Congress for addressing any deficiencies that were found, along with a cost estimate and timeline for implementing the plan. That process in turn would be subject to review by the U.S. comptroller general.

A press aide for Rosen told SC Media that Rep. Frank Mrvan, D-Ind., plans to introduce a companion bill in the House.