Report File
Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Components
Office of Information and Technology
Veterans Health Administration
Report Number
24-01232-02
Report Description

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to four control areas the OIG determined to be at highest risk. For this inspection, the OIG selected the Health Eligibility Center (HEC) in Atlanta, Georgia. The OIG found deficiencies in three of the four areas inspected.
Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system life-cycle management, and remediation of unauthorized software.
There were no deficiencies in contingency planning controls, which include physical and environmental controls.
In the area of security management, about 3.3 million veterans’ records containing sensitive personal information were not encrypted. VA security policy requires the encryption of sensitive information hosted on computer systems.
Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. At the HEC, the OIG found deficiencies with access controls in the inventory of facility keys as well as in logging administrative actions, log retention, and log reviews.
The OIG made five recommendations aimed at correcting the identified deficiencies.

Report Type
Inspection / Evaluation
Location

Atlanta, GA
United States

Number of Recommendations
5
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 1 open recommendation.

Recommendation Number
01
Significant Recommendation
Yes
Recommended Questioned Costs
$0
Recommended Funds for Better Use
$0
Additional Details

The assistant secretary for information and technology and chief information officer improve vulnerability management processes to ensure all vulnerabilities are identified and that plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.
