Federal Reports

The VA Office of Inspector General (OIG) issued the report VA Improperly Awarded $10.8 Million in Incentives to Central Office Senior Executives on May 9, 2024. Additional analysis has since raised concerns that the under secretary for health may have recommended critical skill incentives (CSIs) for at least 10 senior executives in the VA central office (VACO) who directly reported to him, and for whom he was therefore not authorized to act as the approving official. Because there were inconsistencies in available data on direct reports, the OIG released this supplemental memorandum to summarize information conveyed to the VA Secretary to further assess whether additional actions are warranted.The OIG also requested that VA provide information on whether any approving officials exceeded their authority in recommending or approving CSIs to VACO senior executives and factor the results into its action plans for implementing the related OIG report recommendations.

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Financial Services Center (FSC) in Austin, Texas, as a follow-up to a 2021 inspection.The OIG focused on three control areas it determined to be at highest risk: configuration management, security management, and access controls. The OIG identified four deficiencies in configuration management controls, one in security management controls, and two in access controls; three of the deficiencies were seen during the 2021 inspection. The configuration management deficiencies were in vulnerability management and flaw remediation, database scans, database baseline configurations, and unsupported components. The FSC’s vulnerability management controls did not identify all network weaknesses. Additionally, operating systems were not supported by the vendor and security patches were missing. Evidence of scans for the FSC’s databases was not provided, and databases had vulnerabilities caused by configurations that deviated from an established baseline. Eighteen network switches were using operating systems that did not meet baseline security requirements, and six were not supported by the vendor. The FSC’s security management controls were found deficient in the monitoring of component inventory with a significant disparity between the number of devices on the network and those identified in the cybersecurity management service. The FSC’s deficiencies in access controls were in monitoring inappropriate or unusual activity and reviewing physical access logs.The OIG made eight recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the FSC. Four of these were also recommendations in the 2021 inspection.

NGA OIG Spring FY 2024 Semiannual Report to Congress, 1 October 2023 - 31 March 2024