OIG finds 85 percent of VA encryption licenses lay dormant
The Veterans Affairs Department has failed to make good on a hard drive encryption policy, finds the VA office of inspector general.
In a report (.pdf) dated Oct. 11, the OIG says the department has installed and activated only 65,000 of the Guardian Edge encryption licenses it bought since a massive data breach in 2006 involving records of 26.5 million active duty troops, veterans, and their family members.
That amounts to just 16.25 percent of licenses procured, auditors say. The VA initially purchased 300,000 encryption licenses in 2006 and bought another 100,000 licenses in 2011, spending about $5.9 million total in license fees and maintenance agreements, according to the report.
The remaining 335,000 licenses have generated "about $5.1 million in questioned costs" and their inactive status means "veterans' personally identifiable information remains at risk of inadvertent or fraudulent access," says the report.
The VA office of information technology "could not provide us reasonable assurance that it would install and activate the remaining encryption software licenses," it adds.
The 65,000 figure represents how many computers had logged in to the Guardian Edge/Symantec server over a three-month period earlier this year, but the OIG says this number may include duplicate counts from some computers.
The OIG attributes this large-scale failure to "inadequate planning and management": specifically, OIT failed to allow time to test the software for compatibility with VA computers, did not maintain a sufficient workforce to install the encryption, and did not adequately monitor its systems to verify that encryption was actually present on VA laptops and desktops.
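The two measurement problems the OIG raises, a check-in count that may double-count machines and a lack of verification that encryption is actually present, are easy to illustrate. The following is an added example, not code from the OIG report, the VA, or Symantec/Guardian Edge; the check-in record format, the machine names, and the `encryption_status` field are constructed assumptions. It counts check-ins the naive way, then deduplicates by machine and keeps only the latest reported status per machine, so that "agent talked to the server" and "disk is encrypted" are reported separately.

```python
# Added example (not from the OIG report, the VA, or Symantec): estimating
# encryption coverage from server check-in records. The record layout and
# all sample values below are constructed for illustration.
from datetime import datetime

LICENSES_PROCURED = 400_000  # from the article: 300,000 (2006) + 100,000 (2011)

# Constructed sample check-in records: (machine_id, ISO timestamp, status reported by the agent)
SAMPLE_CHECKINS = [
    ("LAP-0001", "2012-04-02T08:15:00", "encrypted"),
    ("LAP-0001", "2012-05-14T09:02:00", "encrypted"),      # same machine, checked in again
    ("LAP-0001", "2012-06-20T07:55:00", "encrypted"),      # and again
    ("LAP-0002", "2012-04-03T10:30:00", "encrypted"),
    ("DSK-0100", "2012-05-01T12:00:00", "not_encrypted"),  # agent installed, disk never encrypted
    ("DSK-0100", "2012-05-02T12:00:00", "not_encrypted"),
    ("LAP-0003", "2012-01-10T11:00:00", "encrypted"),      # outside the reporting window
]


def coverage_report(checkins, window_start, window_end):
    """Summarise check-ins within [window_start, window_end].

    Returns a dict with:
      naive     - raw number of check-in records (what a login count gives you)
      unique    - number of distinct machines that checked in
      encrypted - distinct machines whose most recent status was 'encrypted'
    """
    naive = 0
    latest = {}  # machine_id -> (timestamp, status) of its most recent check-in
    for machine_id, ts, status in checkins:
        t = datetime.fromisoformat(ts)
        if not (window_start <= t <= window_end):
            continue
        naive += 1
        prev = latest.get(machine_id)
        if prev is None or t > prev[0]:
            latest[machine_id] = (t, status)
    encrypted = sum(1 for _, s in latest.values() if s == "encrypted")
    return {"naive": naive, "unique": len(latest), "encrypted": encrypted}


def activation_percent(activated, procured=LICENSES_PROCURED):
    """Share of procured licences accounted for by `activated` machines, as a percentage."""
    return round(100 * activated / procured, 2)


if __name__ == "__main__":
    start = datetime(2012, 4, 1)
    end = datetime(2012, 6, 30, 23, 59, 59)
    report = coverage_report(SAMPLE_CHECKINS, start, end)
    print(report)  # naive check-ins overstate unique machines; unique overstates encrypted ones
    print(f"{activation_percent(65_000)}% of procured licences activated (article's 65,000 figure)")
```

In the constructed sample, six check-in records collapse to three distinct machines, only two of which report an encrypted disk, which is why a server login count alone cannot stand in for verification that a given laptop or desktop is encrypted.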
OIT officials told auditors the main reason for the lack of protection is incompatibility issues between different VA computers and the encryption software. "OIT discontinued installation of the encryption software until OIT could upgrade and standardize VA's computer equipment," says the OIG.
As of Aug. 2012, the OIT was still assessing if the software is compatible with existing operating systems.
The VA's requirement for full disk laptop encryption stems from the 2006 theft of an unencrypted laptop hard drive from a VA employee's home in suburban Maryland. The theft put at risk the personal information of 26.5 million individuals; the department ended up settling a class action suit filed as a result for $20 million in 2009.
The OIG recommends the VA chief information officer perform an assessment of the encryption software project to see if the software is still compatible with VA systems and meets its needs. The OIT should then develop a plan to install and activate the remaining licenses, accounting for workforce needs and monitoring procedures.
- download the OIG report (.pdf)