Department of Veterans Affairs CIO Roger Baker complied with federal information security requirements when he deployed Apple iPhones and iPads on the VA network, but he might have circumvented some rules in the process, according to a new federal audit, Federal Computer Week reports.
Linda Halliday -- assistant inspector general for audits and evaluations in the VA Office of Inspector General -- recently published the audit, which her office completed May 15 (Lipowicz, Federal Computer Week, 5/25).
In July 2011, Baker announced that VA will allow employees to use Apple iPhones and iPads on its network (iHealthBeat, 7/26).
In September 2011, a federal telephone hotline received a confidential complaint alleging that VA was circumventing the Federal Information Security Management Act and other federal security rules regarding the use of Apple devices on the VA network.
In addition, Sen. Jon Kyl (R-Ariz.) asked the VA Office of Inspector General to evaluate whether VA was meeting FISMA requirements when it stored sensitive data without FIPS 140-2 hardware encryption.
According to Halliday, compliance with FIPS 140-2 encryption standards is required when agencies use cryptographic-based security systems to protect sensitive data.
In the audit, Halliday wrote, "VA deployed more than 200 Apple iPhones and iPads with encryption that was not FIPS 140-2 certified."
However, Baker took "compensating" measures to protect the sensitive data, the audit found. It noted that although the Apple devices were not protected with FIPS 140-2-certified encryption, the agency allowed only FIPS 140-2-certified applications to access sensitive data on the mobile devices.
Halliday wrote, "We determined that VA’s approach of allowing only FIPS 140-2-certified applications to access or store sensitive encrypted data on the mobile device met FISMA requirements for data protection."
The audit recommended that VA improve its data security protections by:
- Maintaining an accurate inventory; and
- Configuring devices in a consistent manner.
Baker agreed with the inspector general's recommendations, according to the audit (Federal Computer Week, 5/25).