Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
U.S. Agency for International Development
Performance Audit of Incurred Costs of CDM International for the Fiscal Year Ended January 2, 2021
Audit of the MCC resources managed by MCA-Morocco, Municipality of Tétouan, under the Grant and Implementation Agreement and the Millennium Challenge Compact for the period of April 1, 2022, to April 30, 2023
The Veterans Affairs Enterprise Cloud (VAEC) hosts more than 200 systems that employees, veterans, and contractors use to support the delivery of health care, compensation benefits, and home loan guarantees for veterans. The OIG conducted this audit to determine if VA is effectively assessing and monitoring security and privacy controls for cloud computing in accordance with federal guidance to include the National Institute of Standards and Technology (NIST) risk management framework. Based on the audit team’s findings, the team also assessed VA’s process for monitoring cloud service performance levels (including outages). In September 2020, NIST updated its guidance regarding security and privacy controls. Although VA has been working on updates, systems were not yet compliant as of June 2023. This occurred because of failures in oversight to ensure that policies and procedures reflected governing federal security and privacy controls. For the 13 VAEC systems reviewed, the team found deficiencies in the areas of securing personally identifiable information and supply chain management, though no incursions or other impacts were detected. The audit team only identified weaknesses in the last of seven steps in NIST’s risk management framework related to controls. Specifically, the audit team estimated that 123 of the 148 systems hosted on the VAEC did not have proof of continuous monitoring. The OIG also found VA may be missing opportunities to recoup service credits when vendors do not perform as required, such as when service provider actions result in outages that exceed agreed-upon acceptable durations. This occurred, in part, because VA lacked a consistent process to identify, document, and submit cloud service recoupment claims. Further, VA did not identify who was responsible for submitting the requests to the cloud service providers and making the claims. VA concurred with the OIG’s five recommendations for corrective action.
Objective: To determine whether the Social Security Administration accurately processed manual actions related to the termination of benefits for Old-Age, Survivors and Disability Insurance beneficiaries.
Objective: To determine whether the Social Security Administration included the required whistleblower rights and protection language in contracts that exceed the simplified acquisition threshold, in accordance with the Federal Acquisition Regulation.
The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the El Paso VA Healthcare System because it had not previously been visited as part of the OIG’s annual FISMA audit. The OIG focused on three control areas it determined to be at highest risk—configuration management, security management, and access controls. The OIG identified two deficiencies in configuration management controls, none in security management controls, and six in access controls. The configuration management deficiencies were in vulnerability management and flaw remediation. The healthcare system’s vulnerability management controls did not identify all network weaknesses, such as unsupported versions of applications, and flaw remediation controls did not ensure comprehensive patch management. Further, some vulnerabilities were not remediated within established time frames. Additionally, the software system used to report vulnerabilities to facilities was not complete and accurate. For example, it did not have host names for 16 percent of the entries. The OIG identified multiple access deficiencies: inventories of keys used by employees to gain access to buildings and rooms were not completed, reviews of physical access logs were not done quarterly as required, temperature and humidity controls were lacking in communications rooms, surveillance cameras were inoperable, water detection controls were not working, and the emergency power shutoff was not tested annually. The OIG made eight recommendations to address the noted deficiencies.
This Office of Inspector General Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient care provided at the VA Northern California Health Care System, which includes the Sacramento VA Medical Center, Martinez VA Medical Center, an outpatient clinic at Travis Air Force Base, and other outpatient clinics in California. This evaluation focused on five key operational areas:
• Leadership and organizational risks
• Quality, safety, and value
• Medical staff privileging
• Environment of care
• Mental health (emergency department and urgent care center suicide prevention initiatives)
The OIG issued seven recommendations for improvement in three areas:
1. Medical Staff Privileging
• Evaluation result documentation and reporting
• Reprivileging recommendations based on service-specific Ongoing Professional Practice Evaluation data
2. Environment of Care
• Panic and over-the-door alarm testing in the inpatient mental health unit
• Cleanliness, furnishings, and equipment
• Properly stored and secured medications
3. Mental Health
• Timely follow-up for patients at risk for suicide discharged from the Emergency Department