Federal Reports

The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Tucson Consolidated Mail Outpatient Pharmacy (CMOP) was meeting federal security guidance. The inspection team selected the Tucson CMOP because it is home to the CMOP Local Area Network, which establishes an interface for electronically transferring information between all Veterans Health Administration medical centers and the CMOP host systems located at each of the seven CMOPs, which form an integrated and highly automated outpatient prescription dispensing system.The OIG team found deficiencies in configuration management, contingency planning, and access controls. Specifically, the Tucson CMOP had inaccurate component inventories, ineffective vulnerability management, and inadequate flaw remediation and had not implemented the configuration management plan; lacked a disaster recovery plan; and had not changed the default username and password for the security camera system and did not consistently generate or forward audit records to the Cybersecurity Operations Center. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The OIG made six recommendations to the Tucson CMOP director: implement effective inventory management tools, an effective vulnerability and flaw remediation program, and a disaster recovery plan; ensure CMOP staff understand their assigned roles and responsibilities; task the facility manager to change the default username and password for the security camera system; and request the Office of Information and Technology to configure audit logging on the misconfigured devices in accordance with established baselines, policy, and procedures.

As part of our annual audit plan, we performed an audit of Tennessee Valley Authority’s (TVA) non-power dam control system cybersecurity. Our objective was to determine if the cybersecurity controls of TVA’s non-power dam control system were operating effectively.In summary, we found (1) no clear ownership of the non-power dam control system, (2) vulnerable versions of operating systems and control system software, (3) inappropriate logical and physical access, and (4) internal information technology controls were not operating effectively or had not been designed and implemented. Prior to completion of our audit, TVA clarified the ownership of the control system and took actions to address the inappropriate logical and physical access. We recommend the Senior Vice President, Resource Management and Operations Services, update the non power dam control system to address the identified vulnerabilities and information technology control weaknesses. TVA management agreed with our recommendation and provided information on planned actions.

The objective of the audit was to determine whether the Office of Postsecondary Education (OPE) has an adequate process in place to ensure that institutions of higher education (schools) use Higher Education Emergency Relief Fund (HEERF) grant funds appropriately and that performance goals are met. OPE needs to strengthen its oversight processes to ensure that schools use HEERF grant funds appropriately and that performance goals are met. OPE established and implemented several controls to promote transparency and accountability in program administration, including providing guidance and other technical assistance to schools on the appropriate uses of HEERF grant funds, requiring that schools post to their websites or submit to OPE various reports on their uses of funds as well as other information (HEERF reports), and taking steps to expand independent audit coverage for schools. However, OPE did not perform or document several key activities that are essential to effective program oversight.

The Veterans Data Integration and Federation Enterprise Platform (VDIF) allows VA to share sensitive health information with the Department of Defense and community care providers. VA is required by law to ensure the safe sharing of veterans’ sensitive personal information. Linking information across an extremely diverse and highly fragmented healthcare system can create technical challenges and increase vulnerabilities. Therefore, establishing the appropriate security categorization for VDIF is essential. Moreover, veterans who do not trust VA to protect their information may be more reluctant to seek treatment.The Office of Inspector General (OIG) audited whether VA’s Office of Information and Technology (OIT) developed and implemented sufficient security controls for VDIF to ensure confidentiality, data integrity, and the safeguarding of veterans’ sensitive health information in accordance with federal standards.The OIG found OIT allowed VDIF to become operational without effectively executing all the risk management framework steps developed by the National Institute of Standards and Technology (NIST). While OIT followed the steps, it inappropriately categorized the confidentiality and availability security objectives. This resulted in 22 important security controls not being applied, increasing the risk to personal health information within more than 10 million veteran records. Furthermore, OIT did not adequately determine whether the implemented controls were executed correctly and produced the desired security outcome. OIT did not properly follow NIST and VA policy requirements because of ineffective oversight. Consequently, VDIF became operational with inadequate security controls.The assistant secretary for information and technology did not concur with two OIG recommendations to ensure VDIF’s security objectives are set at high and to reestablish VDIF, instead proposing a privacy overlay as sufficient. The OIG disagrees and also recommended OIT develop appropriate oversight for following proper program management processes and protocols when establishing and monitoring security controls. VA concurred with this recommendation.