Each year agency program officials, chief information officers, and inspectors general must review their agencies’ information security programs and report to the Department of Homeland Security and Congress on the programs’ compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm, CliftonLarsonAllen LLP (CLA), to evaluate VA’s information security program for FY 2023. After assessing 45 major applications and general support systems hosted at 23 VA facilities and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements.

The audit found continuing significant deficiencies related to access, configuration management, and change management controls, as well as service continuity practices, all of which are designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by improving the deployment of security patches, system upgrades, and system configurations to mitigate significant security vulnerabilities and enforce a consistent process across all field offices; improving performance monitoring to ensure controls operate as intended at all facilities; communicating identified security deficiencies to mitigate significant risks; and addressing security-related issues that contributed to the information technology material weakness reported in the FY 2023 audit of VA’s consolidated financial statements.

Of CLA’s 25 recommendations, VA concurred with 15 and non-concurred with 10; some of the 25 recommendations addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2024 audit of VA’s information security program.
Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
---|---|---|---|---|---|
Department of Veterans Affairs | Federal Information Security Modernization Act Audit for Fiscal Year 2023 | Audit | Agency-Wide | View Report | |
Architect of the Capitol | Follow-Up Evaluation of the Architect of the Capitol Data Center | Inspection / Evaluation | Agency-Wide | View Report | |
Department of the Treasury | Audit of National Security Loan Program Recipient – MapLarge, Inc. | Audit | Agency-Wide | View Report | |
Department of Justice | Notification of Concerns Regarding the Department of Justice’s Compliance with Whistleblower Protections for Employees with a Security Clearance | Other | Agency-Wide | View Report | |
U.S. Agency for International Development | Financial Audit of Coopi - Cooperazione Internazionale Under Multiple Awards, January 1, 2022 to December 31, 2022 | Other | | View Report | |
U.S. Agency for International Development | Performance Audit of Incurred Costs for University Research Co., LLC/Center for Human Services for Fiscal Year Ended September 30, 2020 | Other | | View Report | |
Export-Import Bank | Evaluation of EXIM’s Sub-Saharan Africa Mandate | Inspection / Evaluation | Agency-Wide | View Report | |
Federal Maritime Commission | FY 2023 PIIA Compliance Report | Review | Agency-Wide | View Report | |
Federal Deposit Insurance Corporation | DOJ Press Release: Calaveras County Man Sentenced for COVID-19 Paycheck Protection Program Fraud | Investigation | | View Report | |
Amtrak (National Railroad Passenger Corporation) | EMPLOYEE AGREES TO CIVIL SETTLEMENT AFTER FALSIFYING APPLICATION FOR ECONOMIC INJURY DISASTER LOAN ADVANCE | Investigation | | View Report | |