The Department of Veterans Affairs is looking at facial recognition technology for its frontline medical workers to log into their workstations more quickly, and spend more time treating veterans.
VA Chief Information Security Officer Lynette Sherrill said the department plans on piloting facial recognition tools next year at VA hospitals, particularly for frontline clinicians working in intensive care units.
The pilot, if successful, would give VA health care employees an alternative to using their Personal Identity Verification (PIV) cards to securely log onto the department’s network.
“I’ve got nurses and clinicians trying to care for veterans. And they’ve got to reach for a PIV card … and plug it into a workstation to log in, while they’re trying to give a veteran a shot or give a patient an exam. So if I can make that a more frictionless authentication experience for them, I feel like that’s my job to help them,” Sherrill said Nov. 7 at the Rise8’s Prodacity summit in Washington, D.C.
Sherrill told Federal News Network on the sidelines of the event that the VA plans to run facial recognition pilots throughout 2024 with clinical staff.
“Much like we use facial recognition to log into an iPhone today, that’s that type of experience we want to give VA clinical staff,” she said in an interview.
Sherrill said there’s already a high rate of PIV card utilization among the VA workforce. About 95% of employees, she added, are using their PIV cards to log onto the VA network.
But even with those metrics, that means roughly 30,000 VA employees are logging on only with a username and password.
Sherrill said the facial recognition pilot is focused on providing a “more frictionless authentication process” for VA clinical staff.
“The technology is finally there, where we can utilize the technology to provide a better experience for our end users,” she said.
Carrie Lee, VA’s deputy chief information officer for product engineering service, told Federal News Network that she’s heading up the department’s new identity, credential and access management (ICAM) modernization efforts.
“We’re looking at our single sign-on experiences for both internal and external users, making sure that we are using multifactor [authentication], and making it compliant, making it an easy experience for the users,” Lee said.
For external users, Lee said VA is using Login.gov and transitioning off of legacy credentials that only require a username and password, and may not be as secure.
The VA is also setting a new standard for cybersecurity across its networks.
VA is shifting some of its systems to a continuous Authority to Operate (ATO). It’s a trend that’s already happening across the Defense Department.
The idea is VA will keep checking in to make sure its systems uphold cybersecurity requirements, rather than just checking off that those standards are met once before their launch.
“We have quarterly reviews that review the security posture of every application within that continuous ATO, where I can click down and see how many risks were mitigated, how many vulnerabilities did we keep from being released into production,” Lee said. “I can go in at any point, and understand what’s happening in that environment for multiple applications.”
Sherrill said the continuous ATO marks a step toward the VA having an “automated enterprise risk view” across its network.
“With the ever-changing threat landscape that we’re dealing with in cybersecurity today, one of the things that is very hard to keep up with is how is the risk posture of all of our systems changing,” she said.
Sherrill added that the VA, with its new automated cybersecurity tools, will be able to respond more quickly to zero-day vulnerabilities and other emerging threats.
“What this integration and automation is going to [is] … we’d know immediately, ‘These are our six most critical systems impacted by this zero-day vulnerability.’ And we’d be able to focus our resources on those systems, to make sure that we could maintain a risk posture that’s acceptable to the organization,” she said.
Lee said the continuous ATO will also allow VA’s IT workforce to develop code and software more quickly, and spend less time on manual cybersecurity compliance work.
“It also frees up a lot of people from manually entering into our [governance, risk and compliance] systems the compliance information, which can take a lot of resources, to be able to focus on higher value valuable tasks, such as actually developing systems,” Lee said.
Lee said the VA has more than 1,000 systems with an ATO. Of those, she said she’s the authorizing official for about 400 of them. She said she spends about an hour each week authorizing systems.
“VA is an extremely complex organization. We’re probably the largest IT infrastructure of any civilian federal agency,” Lee said. “I really need to understand the security of the system I’m looking at the time I look at it. So, the assurance of having those automated controls in place, and understanding that technical risk posture, instead of just the compliance is very important to me, from an authorizing official perspective.”
Lee said the VA has reduced the ATO process from 400 days to about 60 days for new products coming into the environment.
VA’s Office of Information is also taking steps to make sure its employees are incorporating cybersecurity into the foundation of everything in development.
Sherrill said no VA OIT development team is allowed to publish “any critical or high vulnerabilities in code.”
“We understand very uniformly that you can no longer produce a quality system if it’s not secure. And that’s our mantra at VA now – if it’s not secure, it’s not quality code, it’s not a quality product, so you’ve got to go back to the drawing board,” she said.
The VA is also focused on bringing in the next generation of cyber workers.
“We’ve got to use nontraditional hiring methods and nontraditional people and get them interested in cybersecurity,” Sherrill said. “We’ve got cybersecurity people leaving the cybersecurity industry because of burnout. We have to stop doing that. We’ve got to figure out how do we fill that pipeline back?”
Sherrill told Federal News Network that the VA is looking at ways to partner with the Defense Department’s SkillBridge program, which places transitioning service members into civilian careers.
“If I can bring in transitioning service members who already have cyber skills, and they’re transitioning out of the service, and I can give them a soft place to transition to and the VA and then give them two [or] three years of training, and they launch into industry — that’s a win,” she said. “But if they choose to stay in VA, and they get passionate about the mission, like most of us are in serving veterans, that’s a win as well.”
Sherrill said the VA also sees potential in reaching out to military spouses to consider careers in cybersecurity.
“They have an aptitude that they uniquely bring into the field, and I think that’s an untapped resource for us. We’ve got to look at these non-traditional places to really bring resources into the cyber pool,” she said.
The VA this summer rolled out a Special Salary Rate for its IT and cybersecurity employees, resulting in an average 17% pay raise. The SSR is meant to narrow the gap between what the government and private sector can afford to pay in-demand tech experts.
“We’re bringing in people and being able to pay them, not at the exact level they would be making in the industry, but close to that level. And between that, the benefits we offer and our amazing mission, I think we’ve been able to get the best talent,” Lee said.