Submitting OIG:
Report Description:
The VA Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to conduct annual reviews of their information security programs and report the results to the Department of Homeland Security. CliftonLarsonAllen LLP found that VA continues to face significant challenges complying with FISMA requirements. The report recommends several key areas for VA information security program improvement. Security-related issues contributed to an information technology material weakness reported in the fiscal year (FY) 2018 audit of VA’s Consolidated Financial Statements, which VA needs to address. It also needs to improve deployment of security patches, system upgrades, and system configurations. These improvements will mitigate significant security vulnerabilities and enforce a consistent process across all field offices. To ensure controls are operating as intended at all facilities, VA should also improve performance monitoring. Finally, VA needs to communicate identified security deficiencies to the appropriate personnel so they can take corrective actions that will mitigate these risks. Because CliftonLarsonAllen LLP is responsible for the findings and recommendations included in this report, the OIG is not expressing an opinion on VA’s information security program in place during FY 2018. This report provides 28 recommendations from CliftonLarsonAllen LLP for improving VA’s information security program. The Principal Deputy Assistant Secretary for Information and Technology concurred with 25 of the recommendations. The OIG believes the three remaining recommendations warrant further attention from VA and will follow up on the issues during the FY 2019 FISMA audit. 
The OIG’s independent auditors will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions during the FY 2019 assessment.
Date Issued:
Tuesday, March 12, 2019
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
18-02127-64
Component, if applicable:
Office of Information and Technology
Office of the Secretary
Location(s):
Agency-Wide
Type of Report:
Audit
Number of Recommendations:
11
View Document:
| Attachment | Size |
|---|---|
| VAOIG-18-02127-64.pdf | 1.12 MB |
Additional Details Link: