Department of Veterans Affairs CIO Roger Baker may have circumvented some federal protocols in deploying iPhones and iPads to VA personnel, but he did not violate strict security standards, according to an audit by the department’s Office of Inspector General.
In rolling out mobile devices to physicians and other VA personnel last year, the department knew that neither Apple iOS nor the Android operating system supported Federal Information Processing Standards (FIPS) 140-2 encryption, so Baker employed software workarounds to ensure that any sensitive data met government requirements for security. More than 200 Apple devices were distributed at VA facilities in Washington, D.C., Albany, N.Y., Chillicothe, Ohio, and Battle Creek, Mich., before a tipster reported the issue in confidence to a VA hotline in September 2011.
Sen. Jon Kyl (R-Ariz.) subsequently asked the OIG to investigate the practice and evaluate whether Baker violated any rules.
“Based on our results and in response to Senator Kyl’s additional request, we determined that VA’s approach of allowing only FIPS 140-2 certified applications to access or store sensitive encrypted data on the mobile device met [Federal Information Security Management Act] requirements for data protection,” a new report by Linda A. Halliday, the VA’s assistant inspector general for audits and evaluations, states. Halliday says that the 256-bit hardware encryption resident in Apple mobile devices “further minimized the risk of unauthorized disclosure of sensitive data” while federal officials test the Apple technology for FIPS 140-2 compliance.
However, the report found that the VA did not keep an accurate inventory of mobile devices using the enterprise’s network; two of the three iPads that the IT department supplied to OIG investigators did not have a federally certified security application installed, and the third was not configured properly, according to Halliday.
“We recommended that the Assistant Secretary for Information Technology [Baker] implement minimally acceptable baseline security configuration requirements for VA mobile devices in accordance with FISMA. We also recommended that the Assistant Secretary centrally manage the distribution of VA mobile devices, [which] will ensure that they are accurately inventoried and configured in accordance with minimum security standards,” the report says.
The VA has agreed to have these plans in place by June, Halliday reports.