Federal Reports

The Federal Information Security Modernization Act (FISMA) requires OIGs to annually assess the effectiveness of the agency’s information security program. Each independent evaluation must include a test of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems and an assessment of the effectiveness of the information security policies, procedures, and practices of the agency. The FY 2023 FISMA review focused on 20 core and 20 supplemental reporting metrics identified by OMB, using criteria developed by the CIGIE and issued by OMB. Using this framework, we assessed the effectiveness of each security function using maturity level scoring as follows: (1) Ad-hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level 5, Optimized, is the highest maturity level. For a security function to be considered effective, an agency’s security programs must score at or above Level 4, Managed and Measurable. The auditors determined that the Department’s overall IT security program and practices are effective. In addition, the auditors identified potential areas of improvement involving (1) managing information security risks; (2) two-factor authentication enforcement; (3) implementing access provisioning controls for privileged users; and (4) implementing event logging requirements at the enterprise level.

This Office of Inspector General Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient care provided at the Erie VA Medical Center and associated outpatient clinics in Ohio and Pennsylvania. This evaluation focused on five key operational areas:• Leadership and organizational risks• Quality, safety, and value• Medical staff privileging• Environment of care• Mental health (emergency department and urgent care center suicide prevention initiatives)The OIG issued five recommendations for improvement in two areas:1. Medical Staff Privileging• Professional practice evaluationso Completion by providers with equivalent training and similar privilegeso Consideration of evaluation results by the Medical Executive Committee• Ongoing Professional Practice Evaluationso Incorporating service-specific criteriao Basing service chiefs’ reprivileging recommendations on evaluation activities2. Mental Health• Completion of Comprehensive Suicide Risk Evaluations

While assessing an anonymous allegation of wrongdoing involving two fiduciaries, the VA Office of Inspector General (OIG) discovered inconsistencies in the disability benefits questionnaires the Veterans Benefits Administration (VBA) uses to elicit medical professionals’ assessments of veterans’ mental competency. VBA uses disability benefits questionnaires when inquiring about a veteran’s capability to manage their finances. Two of the four questionnaires included the regulatory definition of mental incompetency, but none of them posed the question for assessing mental competency in a way that matches the regulatory definition wording. Language discrepancies on the questionnaire can lead medical examiners to provide inconsistent competency decisions for veterans.According to 38 C.F.R. § 3.353(a), which VA promulgated, “A mentally incompetent person is one who because of injury or disease lacks the mental capacity to contract or to manage his or her own affairs, including disbursement of funds without limitation.” The regulation also states, “Unless the medical evidence is clear, convincing and leaves no doubt as to the person’s incompetency, the rating agency will make no determination of incompetency without a definite expression regarding the question by the responsible medical authorities.” When a disability medical examiner responds to the mental competency question, the response is used as evidence and can influence a rating veterans service representative’s decision regarding that veteran’s ability to manage their own affairs, including benefit payments. Consistency in the disability benefits questionnaires helps support appropriate and equitable outcomes.This memorandum is meant to convey the information necessary for VBA to determine if additional actions are warranted.

We found that the NPS was unable to effectively identify and manage its deferred maintenance due to inaccurate and unreliable data.