Federal Reports

During a prior review, the VA Office of Inspector General (OIG) discovered three scenarios in which the VA improperly collected debts from veterans without first providing them with legally required notice and due process and notified VA. This management advisory memorandum gives VA the information it needs to determine whether to take further action to address similarly situated veterans.VA provides veterans tax-free monthly compensation in recognition of disabilities incurred or aggravated during active military service. These payments may change over time for various reasons, such as improved or worsening conditions or a change in dependents. If a decision retroactively reduces a veteran’s payment rate, a veteran incurs a debt that may be repaid through reductions in the retroactive benefits or reductions in future monthly benefits. Regulations require that VA notify affected veterans of the amount and reasons for the debt. VA must also inform veterans they have the right to dispute the debt, request a waiver of collection, request a hearing on the waiver request, and appeal the decision that caused the debt.In three example cases in which VBA improperly collected debts without notifying veterans of the debt amount or of their right to dispute it or request a waiver, VA agreed the debts were collected improperly due to automated actions in VA’s electronic systems that triggered debt collection.VA agreed to review these systems to help prevent improper debt collection from veterans in comparable circumstances and ensure they receive required notice and due process. The OIG asked VA to report on what actions it takes as a result of these findings. VBA’s comments provided in the memorandum appendix propose corrective electronic system updates.

We determined that USCIS did not apply the IT access controls needed to restrict unnecessary access to its systems, networks, and information. Specifically, USCIS did not consistently manage access for personnel, service accounts, and privileged users. We attribute these deficiencies to insufficient internal controls and day-to-day oversight to ensure access controls are administered appropriately and effectively to prevent unauthorized access. Additionally, we determined USCIS did not implement all the required security settings and updates for its IT systems and workstations to help reduce the risks that may result from an access control weakness. Although USCIS systems and workstations were generally compliant with required security standards, not all required settings and updates were implemented due to concerns that they may negatively impact system operations. Lastly, we determined that while USCIS appropriately relied on departmental guidance for access control policies and procedures, the guidance was outdated and did not include the latest Federal requirements. These deficiencies may limit the Department’s ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations. We made 10 recommendations to improve USCIS’ access controls and system security and DHS’ access control guidance. USCIS and DHS concurred with all 10 recommendations.

The CSB's operations are challenged by vacancies in mission-critical positions and an inability to fully use the resources allocated by Congress.