VA CIO DelBene makes cyber doors a little taller, fuller

The Department of Veterans Affairs implements cybersecurity checkpoints before an application can access the network.

The idea is not to replace the Authorization to Operate (ATO) process, but to become a large engineering organization like those in the private sector.

Kurt DelBene, assistant secretary of the Office of Information and Technology and chief information officer at VA, said these new cyber gates are part of how VA is embracing a…

READ MORE

The Department of Veterans Affairs implements cybersecurity checkpoints before an application can access the network.

The idea is not to replace the Authorization to Operate (ATO) process, but to become a large engineering organization like those in the private sector.

Kurt DelBene, assistant secretary of the Office of Information and Technology and chief information officer at VA, said these new cyber gates are part of how VA is taking a more comprehensive approach to its ATOs.

Kurt DelBene is the VA Assistant Secretary for Information and Technology and Chief Information Officer.

“What I have found in VA so far is that we are really good at doing the procedures required to gather all the documentation. But what we have the opportunity to do is to have more than that last look to say, if I look at everything as a whole, do I feel good about the overall security of this system?” DelBene said in an interview with Federal News Network. “Or should I say, ‘no, those are the three things I don’t feel good about,’ and those can be three initiatives that we have in terms of things like zero trust, for example. As a result, we’re going to say, you have to come back and a certain period of time, even though we’re granting the ATO now, it’s for a much shorter period of time, and we want those things fixed.

At the same time, DelBene said, application or system owners also need to have the resources and time to troubleshoot issues and get through the door.

The goal is not to make the ATO process more difficult. Many federal cyber experts struggle to balance speed and thoroughness with ATOs, including VA, which was accused in 2012 and 2013 of shortening the process.

Other agencies, particularly within the Department of Defense and the intelligence community, have developed expedited and continuous ATO processes to help reduce the burden that can accompany low impact systems.

Most critical systems first

DelBene, however, takes a slightly different view of ATOs, saying cyber experts and mission owners should “love” the process.

“We’re starting to focus on the most critical systems we have in AV. We are starting to look at each of them and figure out what it would mean to be more rigorous in this approval process, he said. “We are in the early days. I’ve been in this position for eight months now and it’s a place where we have a set of systems that we’re looking at and we’re going to look at this ATO and say, ‘will the techs say we feel good or not? And what repairs do we need? »

Most systems typically have a plan of action and milestones (POA&M) to address any outstanding issues, and DelBene said this new ATO approach includes the need to set and act on those goals so that they are not a crutch to get a full ATO.

DelBene added that the new process may mean granting an ATO for six months instead of a year, and if the cyber threat is critical enough, VA may have to move funds to address the issue immediately.

By adopting the ATO process and using this new gate approach, DelBene’s goal is to create a world-class engineering organization at VA.

“Like those business organizations, it starts with a vision, a great team, and great products focused on what you’re trying to accomplish for the end user,” DelBene said at the Aug. 23 930Gov conference, sponsored by the Digital Government Institute. “What I say to the Veterans Benefits Administration or Veterans Health Administration teams is if you don’t have a vision, put it together and work with us to refine it so it’s your vision. So let us cascade what we are doing to help accomplish this vision. »

Make the complaints process more reliable

DelBene said that, of course, means working with mission areas to determine what their priorities are, charting a course to achieve those goals, and ensuring resources are available to modernize systems, applications and processes.

An example at VBA is its benefit claim system which will be tested with the passage and enactment of the law. Sergeant First Class Heath Robinson Act Honoring Our Promise To Combat Toxic Substances Comprehensive (Honoring Our PACT) August 10.

The PACT Act gives VA the resources it needs to staff its healthcare personnel to treat an estimated 3.5 million post-9/11 veterans exposed to toxic combustion fireplaces during their military service.

DelBene said VBA systems aren’t as reliable as they should be, and the cloud can help.

DelBene said VA has been preparing for PACT passage from an IT perspective for some time.

“The first is that when we hire more agents, they have to have PCs and they have to have their PCs very quickly to be able to log on. It’s the most mundane aspect, but it’s very difficult to do,” he said. “The second thing is how do you make sure that when someone goes to VA.gov, they know how to apply for benefits, and what are all the different ways they would get into the system and want help? The next thing is that they’re going to get this onslaught of additional requests, we need to be able to process them faster. There’s an opportunity for automation.

DelBene said applying automation means bringing together data from different systems so that claims adjudicators can make decisions faster.

“It’s about simpler cases, where for example, we’ve fully automated things around hypertension, where the actual decision rule is pretty simple, you can basically pull the data together, and in some cases you can make this decision automatically. We are trying to deal with more and more of these cases, but do it in a very mature and bearable way so that you start with simple cases, “he said. “The third thing what we’re doing is if you think the average claim application has multiple pieces, you need to be able to break it down into multiple pieces, and each has data requests, but many of those individual pieces can be automated, so that the arbiter must combine them into a single package. »

DelBene said a few of these claim scenarios are automated today, but others are ripe for applying this technology to improve the process.

Comments are closed.