Each year agency program officials, chief information officers, and inspectors general must review their agencies’ information security programs and report to the Department of Homeland Security and Congress on the programs’ compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm, CliftonLarsonAllen LLP (CLA), to evaluate VA’s information security program for FY 2023. After assessing 45 major applications and general support systems hosted at 23 VA facilities and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements.The audit found continuing significant deficiencies related to access, configuration management, and change management controls, as well as service continuity practices, all of which are designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by improving the deployment of security patches, system upgrades, and system configurations to mitigate significant security vulnerabilities and enforce a consistent process across all field offices; improving performance monitoring to ensure controls operate as intended at all facilities; communicating identified security deficiencies to mitigate significant risks; and addressing security-related issues that contributed to the information technology material weakness reported in the FY 2023 audit of VA’s consolidated financial statements.Of CLA’s 25 recommendations, VA concurred with 15 and non-concurred with 10; some of the 25 recommendations addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2024 audit of VA’s information security program.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 01 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. | |||||
| 02 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and Information System Security Officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. | |||||
| 03 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. | |||||
| 04 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. | |||||
| 05 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documentation, including control assessments on a risk-based rotation or as needed. Such updates will ensure all required information is included and accurately reflects the current environment. | |||||
| 06 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. | |||||
| 07 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize accounts and permissions in excess of required functional responsibilities, and to remove unauthorized or unnecessary accounts. | |||||
| 08 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. | |||||
| 09 | No | $0 | $0 | ||
| We recommended the Office of Personnel Security, Human Resources, and Contract Offices implement improved processes for establishing and maintaining accurate investigation data within VA systems used for background investigations. | |||||
| 10 | No | $0 | $0 | ||
| We recommended the Office of Personnel Security, Human Resources, and Contract Offices strengthen processes to ensure appropriate levels of background investigations are completed for applicable VA employees and contractors. | |||||
| 11 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. | |||||
| 12 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved processes for tracking and resolving vulnerabilities that cannot be addressed within policy timeframes. Implement more effective patch and vulnerability management processes to mitigate identified security deficiencies and reduce applicable security risks. | |||||
| 13 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately monitored for compliance with established VA security standards. | |||||
| 14 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved controls that restrict vulnerable medical devices from unnecessary access to the general network. | |||||
| 15 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology enhance procedures for tracking security responsibilities for networks, devices, and components not managed by the Office of Information and Technology to ensure vulnerabilities are remediated in a timely manner. | |||||
| 16 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. | |||||
| 17 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system. | |||||
| 18 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved procedures to ensure that system outages and disruptions are tracked to specific system boundaries and that interdependent systems are considered for the purposes of tracking and measuring against stated system recovery time objectives. | |||||
| 19 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology ensure contingency plans for all systems and applications are updated and tested in accordance with VA requirements. | |||||
| 20 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology ensure that systems and applications are adequately logged and monitored to facilitate an agency-wide awareness of information security events. | |||||
| 21 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. | |||||
| 22 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that all security controls are assessed in accordance with VA policy and that identified issues or weaknesses are adequately documented and tracked within POA&Ms. | |||||
| 23 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved processes to monitor for unauthorized changes to system components and the installation of prohibited software on all agency devices and platforms. | |||||
| 24 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA applications and operations. | |||||
| 25 | No | $0 | $0 | ||
| We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. | |||||
