The Federal Information Security Modernization Act of 2014 (FISMA) requires each federal agency to develop, document, and implement an agencywide information security and risk management program. VA has made progress producing, documenting, and distributing policies and procedures as part of its program. VA still faces challenges, however, implementing components of its agencywide information security risk management program to meet FISMA requirements. This audit identified continuing significant deficiencies related to access, configuration management, and change management controls, as well as service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. The report includes 29 recommendations for improving VA’s information security program and an appendix addressing the status of prior recommendations and VA’s plans for corrective action. VA successfully closed four recommendations in FY 2017. The Executive in Charge for the Office of Information and Technology generally concurred with the recommendations and submitted adequate corrective action plans. The OIG will continue to evaluate VA’s progress during its audit of VA’s information security program in FY 2018, although the OIG remains concerned that ongoing delays in implementing effective corrective actions might contribute to the continued reporting of an information technology material weakness in this year’s audit of VA’s Consolidated Financial Statements.
Date Issued
Submitting OIG: Department of Veterans Affairs OIG
Other Participating OIGs: Department of Veterans Affairs OIG
Agencies Reviewed/Investigated: Department of Veterans Affairs
Components: Office of Information and Technology
Report Number: 17-01257-136
Report Type: Audit
Number of Recommendations: 29