The Department of Veterans Affairs is FIPS 200 complaints for several reasons. First, the organization has adhered to security measures and standards as set by the FIPS 200. The department has ensured that its information system is only accessed by the authorized users only. Only authorized personnel, devices, processes and functions are able to access the information system of the department. Secondly, it has ensured that all the managers, staffs and other authorized users are aware of the potential risks that may arise from their interaction with the system.
One of the weak areas is the inability of the department to conduct regular security scanning of its wireless technologies. The department rarely conducts regular security scanning of its wireless technologies as required by FIPS 200 compliance policy that emphasizes on regular system audit (FIPS PUB 200, 2006). Secondly, the department has not established an effective incident response plan. FIPS 200 requires organization to have a well-established and operation incident response team that is ever ready to handle any real or suspected security risk (Spargo, Karr & Turvey, 2013).
If I were the federal CIO, I will ensure the department has adopted regular security audit of its information systems. The exercise would be conducted once in two months to ensure the department is compliant with FIPS 200 and other security standards. I will also ensure the department has created, retained and protected documents for information system audit. Secondly, I will ensure VA department has established an incident response plan that will analyze how incidents will be handled once suspected or occurred. The incident response team will be prepared to detect, investigate, analyze, contain, recover and document any incidents when it occurs.
FIPS PUB 200: Minimum security requirements for federal information and information system (2006). Federal information processing standards publication, 1-17.
Spargo, G., Karr, A. & Turvey, C.L.(2013). 8: Technology Options for the Provision of Mental Health Care Through Videoteleconferencing. The views expressed in this chapter are those of the authors and do not necessarily reflect the position or policy of the Department of Veterans Affairs or the US government. In Telemental Health, 135-151