VA Continues Moving toward Full Compliance with Geospatial Data Covered Agency Responsibilities

The VA Office of Inspector General (OIG) conducted this audit to determine whether VA complied with the law governing geospatial data and to follow up on recommendations from its previous report. VA’s administrations rely on geospatial data when supporting budgets, performing strategic planning, and making policy decisions to provide health care, benefits, and burial services to veterans.In its previous report, the OIG found VA was not compliant with three covered agency requirements: VA was not compliant with requirements 1 and 3 because all necessary actions had not been completed, and VA was not compliant with requirement 9 because it had not met additional recommended criteria to protect personal privacy and maintain confidentiality. Since the previous report, VA continues to move toward compliance. For this audit, the OIG found VA was not compliant with two of the 12 requirements. According to VA officials, VA does not collect, hold, manage, or consume declassified geospatial data, and the OIG team did not find evidence to the contrary, making the related requirement not applicable.While VA was found not compliant with requirements 5 and 9, the OIG only made two recommendations regarding requirement 9 because VA is working toward satisfying requirement 5. The OIG’s two recommendations follow: (1) reevaluate the risk determination for the Veterans Health Administration Geographic Information System and determine if the system should be set to a security categorization level of moderate based on the personally identifiable information and other sensitive data maintained in the system and (2) reassess whether the security incidents were a breach and instruct staff associated with the incident response process that each security and privacy incident that occurs must be captured on a separate Privacy Security Events Tracking System ticket and investigation details must be accurately documented and confirmed.