Federal Reports

The objective of our audit was to review the U. S. Department of Education’s (Department) compliance with the requirements outlined under Section 759(a) of the Geospatial Data Act. Specifically, we determined whether the Department implemented the 13 covered agency responsibilities listed in Section 759(a) of the Geospatial Data Act.We found that the Department is in compliance with the applicable responsibilities outlined under Section 759(a) of the Geospatial Data Act. Specifically, we found that the Department implemented all 12 of the 13 covered agency responsibilities listed in Section 759(a) of the Geospatial Data Act that we reviewed. We were unable to evaluate compliance with one covered agency responsibility as the applicable data standards related to this responsibility have not yet been defined by the Federal Geographic Data Committee and the Office of Management and Budget.

The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Alexandria VA Medical Center (VAMC) in Louisiana because it had not been previously visited as part of the annual FISMA audit.The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. The OIG found deficiencies with configuration management, security management, and access controls, but not with contingency planning controls.The deficiencies in configuration management included inaccurate inventories, uninstalled patches, and out-of-date operating systems, all of which deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified a security management issue in the center’s video surveillance system that could impact the integrity and protection of that system. Weak physical access controls, such as incorrectly installed or failing equipment, compromised the security and maintenance of the information system, and an outdated operating system prevented accurate tracking of access to the data center.The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the Alexandria VAMC because they are related to enterprise-wide information technology security issues similar to those identified on previous FISMA audits and IT security reviews. The OIG also made two recommendations to the Alexandria VAMC director.