The Department of Veterans Affairs failed its annual cybersecurity audit this year, marking the 16th consecutive time that the agency did not pass muster with the review, according to its top technology officer.

VA Chief Information Officer Stephen Warren told reporters about the problem  in advance of a Tuesday hearing with the House Veterans Affairs Committee, according to a Federal News Radio article.


The Department of Veterans Affairs has not met the standards of the Federal Information Security Management Act for 16 straight years. (Damian Dovarganes/AP)

The VA inspector general’s office plans to publish a report on the audit findings next year that says the agency once again failed to meet the standards of the Federal Information Security Management Act.

Warren’s disclosures come less than a week after news of a series of cyberattacks detected last month on federal government computer systems at the National Weather Service, the State Department, the U.S. Postal Service and the White House.

“I was disappointed, and I know the team was disappointed given the significant time and effort we applied this year,” Warren said, according to the article. “But we are going to continue to drive on this. We are going to continue to push so that we move forward on the rigorous, disciplined plan the team has put together so that when the audit team shows up next year, they will continue to see the constant improvement they recognized even this past audit season.”

The VA’s 2013 cybersecurity audit identified 6,000 security risks, with the inspector general proposing 35 actions to address the problems. A department official told Federal News Radio that the VA believes it has fulfilled 18 of those recommendations.

The inspector general told VA that it reduced its number of vulnerabilities by 21 percent, and Warren said the agency is making plans to address the concerns from the upcoming audit report, according to the article.

“Veterans’ information is well-protected because we put mitigating controls in places where we can best simultaneously protect Veterans’ information and not impeded our ability to provide timely health care that they have earned and deserve.

Warren said in a statement that the department faces a “significant volume of threats,” similar to other agencies and health-care networks. He added that the VA constantly blocks attempted breaches and works to ensure that no unencrypted e-mails leave the organization.

“Our security posture is successfully keeping veteran information safe, and as we believe that IT security is an evolving process, we’re always striving to improve,” Warren said.

Correction: A previous version of this article incorrectly attributed the VA statements in the last two paragraphs to a department spokeswoman instead of to VA Chief Information Officer Stephen Warren. The article has been updated with proper attribution.