Critical vulnerabilities discovered in VA business portal
The Department of Veterans Affairs has been working to fix multiple critical security vulnerabilities in one of its major public-facing Web portals that links to a massive database containing personal and financial information on millions of veteran business owners, FedScoop has learned.
The VA announced late Thursday it intends to extend its maintenance and support contract with Herndon, Virginia-based Valador Inc. so the company can conduct “critical security vulnerability repair” on the Vendor Information Pages database — the central repository used by VA to track all businesses that have been verified as veteran-owned or veteran-controlled. Those businesses listed in the VIP database, which is accessible through the VetBiz.gov Web portal, are eligible for contracts specifically set aside for small businesses owned by veterans and disabled veterans.
The Office of Small and Disadvantaged Business Utilization, which runs VetBiz.gov, had threatened to decommission the site as early as Sept. 27 if the security vulnerabilities were not fixed.
Although VIP is scheduled to be replaced by the Veterans Enterprise Management System, known as VEMS, delays with the modernization effort have forced VA to continue to use the legacy VIP system. As a result, VIP has been operating under a Temporary Authority to Operate, which expires Sept. 27. The TATO had been issued to allow VA and Valador time to fix the security vulnerabilities, which placed sensitive personal identity information at risk.
In a highly-redacted document posted Sept. 25 that outlined its justification for not requiring a full and open contract competition for the maintenance contract, VA said the award was necessary “to avoid a system shut-down,” which would prevent new veteran-owned businesses from becoming verified and freeze all pending applications.
“If security issues are not addressed by Sept. 27, 2014, the VetBiz system will have to be de-commissioned and all services will stop,” the VA justification document states.
A senior VA official, who declined to be named because they were not authorized to comment publicly, told FedScoop “this is a panicked reaction from a system owner who realizes VA is very serious about information protection.”
The VA said in a statement to FedScoop that the agency does not plan to pull the system offline. “IT systems have vulnerabilities, and prudent management of IT systems allows for risk-based decisions to account for system vulnerabilities. In this particular case, the system was given an ATO with conditions based on the risks presented,” the VA statement said. “As a normal part of VA’s continuous monitoring of its systems, VA authorizes systems and applications to run on its network under an Authority to Operate (ATO). The VetBiz Vendor Information Pages website is currently operating under a conditional ATO while the full ATO is being reviewed for compliance and proper documentation.”
There are approximately 5 million veteran-owned businesses and 500,000 disabled veteran-owned businesses in the U.S. The size and complexity of the VIP system have increased significantly during the past three years. According to VA, the database contained approximately 1 gigabyte of information in 2011, but today it holds more than 1.5 terabytes. Veteran business owners use login names and passwords to access the system, but they are then required to enter a wealth of sensitive information that is used to verify their status, including tax returns, company operating agreements, resumes, bank signature cards, cancelled checks, payroll summary reports, shareholder agreements, lease agreements and copies of their last five contracts or proposals.
The VA awarded the first VetBiz contract to Valador in 2002. Since 2011, the company has received nearly $276,000 in maintenance fees for VetBiz.