The Department of Veterans Affairs was deficient in each of five major categories of information security controls in 2006 and remains so today, according to the Government Accountability Office, an investigative arm of Congress.

The five categories are access control, configuration management, segregation of duties, contingency planning and security management.

"Further, in VA's fiscal year 2009 performance and accountability report, the independent auditor stated that, while VA continued to make progress, I.T. security and control weaknesses remained pervasive and continued to place VA's program and financial data at risk," according to testimony GAO officials delivered on May 19 to the oversight subcommittee of the House Committee on Veterans Affairs.

Where there has been progress on security issues there also has been backsliding, according to the GAO. The department in recent years has significantly increased its contingency plan testing, while at the same time the percentage of employees receiving security awareness training has decreased.

Until VA fully and effectively implements a comprehensive information security program and fixes known vulnerabilities, its computer systems--and sensitive information on veterans and beneficiaries--will remain at increased risk, the GAO concludes.

The testimony, "Veterans Affairs Needs to Resolve Long-Standing Weaknesses," is available at

This article can also be found at