VA ‘Moving Toward Full Compliance’ With Geospatial Data Law, Watchdog Finds

The Department of Veterans Affairs is “moving toward full compliance” with a 2018 law guiding the management and sharing of federal agencies’ geospatial data, according to an audit conducted by the VA’s Office of Inspector General.

Under the Geospatial Data Act—a 2018 law designed to promote the use, collection and management of location information—federal agencies are required to follow geospatial data standards established by the Federal Geographic Data Committee, or FGDC, as well as comply with other data reporting and sharing requirements. As part of the law, the inspector general of covered federal agencies is also required to submit a report to Congress on a biennial basis detailing “the collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data.” The OIG’s audit, released on Wednesday, complies with the law’s mandate. 

The OIG said that VA uses geospatial data, including across its sub-agencies, to “support budget, strategic planning, and policy decisions to provide health care, benefits, and burial services to veterans.”

“The Veterans Health Administration provides care to over 9 million enrolled veterans and uses geospatial information to improve veterans’ experiences, such as by calculating drive time and distance between residences and the closest VHA healthcare facilities,” the report said. “Geospatial data also strengthen and improve the National Cemetery Administration’s ability to permanently account for remains, mark gravesites, track gravesite usage, and digitally map gravesites.”

The audit found that VA “met nine of the 12 applicable covered agency requirements of the law.” One requirement was not applicable because VA “does not collect, hold, manage, or consume declassified geospatial data.”

The report noted agencywide progress since the last Geospatial Data Act-mandated audit, released in January 2021,which also found that VA was not in compliance with three of the law’s requirements. Those deficient requirements included preparing and implementing an agency-specific strategy for advancing activities related to geospatial data, promoting the integration of geospatial data and ensuring geospatial data was included on record schedules approved by the National Archives and Records Administration, or NARA.

In both audits, OIG said that VA was not able to comply with the requirement regarding the implementation of a strategy to advance geospatial data activities “due to the absence of an approved strategic plan” from FGDC. The latest audit, however, noted that FGDC has approved the strategic plan and VA is “in the process of implementing a VA enterprise data strategy roadmap and VA spatial data strategy.” 

While OIG also found that VA was still not in full compliance with the requirement to promote geospatial data integration, it said the agency was in the concurrence process with its “enterprise data strategy roadmap and spatial strategy” and was “working collaboratively across the agency and entered into enterprise license agreements.” And OIG’s latest audit also found that VA is now in compliance with the requirement governing the inclusion of geospatial data on agency record schedules approved by NARA. 

Since the last audit, however, OIG found that VA has fallen out of compliance with the requirement to “protect personal privacy and maintain confidentiality in accordance with federal policy and law,” after additional criteria were added to assess agency compliance. 

The report said that Veterans Health Administration officials were, in part, unable to provide the audit team with a risk assessment of its geographic information systems—or GIS—which meant they did not “document and fully consider the confidentiality, integrity, and availability of data to achieve an authority to operate before the GIS was hosted on VA’s network.” However, OIG noted that the agency is currently moving to transition its current GIS to a new VA enterprise cloud, and as a result “is taking actions to meet this requirement.”

As a result of VA’s ongoing efforts to comply with all of the Geospatial Data Act’s requirements, OIG did not offer the agency any recommendations for improvement.

“The OIG recognizes the complexity of integrating multiple geographic information systems across the agency,” the report said, adding that “OIG encourages VA to complete its planned actions to ensure compliance.”