VA Systems Vulnerable to Cyber Intrusions Due to Lack of Effective Oversight, Report Says

The Department of Veterans Affairs failed to comply with federal governance policies in its identity, credential and access management systems and processes due to a "lack of cooperation" between the offices tasked with their oversight, according to a new report. 

Without an adequate governance structure, the Inspector General's report published this month said the VA risks "restricting information from users who need it to perform their job functions" and "leaving information vulnerable to improper use."

The issue is in part due to internal confusion at the VA over which teams are responsible for overseeing the agency's ICAM initiatives. According to the report, the offices of information technology and human resources have disagreed on their ICAM governance roles since 2016. The Inspector General said it began the audit after learning about the oversight issues through its complaint hotline, and later concluded that the agency "did not effectively manage and coordinate its ICAM efforts."  

In addition to internal confusion and "outdated" guidance, the report said the VA failed to meet three of the four governance requirements outlined by the Office of Management and Budget, including assigning responsibilities to manage ICAM efforts, as well as implementing updated digital identity risk management requirements and a single comprehensive ICAM policy to support the agency's technology solutions roadmap for fiscal years 2020 and 2021. 

The report also found that the VA failed to update its own directives and accompanying handbooks due to changes in the agency's credentialing process and after both the HR and IT offices refused to take ownership of ongoing ICAM efforts.

"These issues occurred primarily because leaders of the different offices performing VA's ICAM functions have not agreed on how the program should be governed, creating an obstacle to implementing OMB's requirements," the report said, later noting that the agency was risking "leaving its systems vulnerable to compromise by impostors who may gain access to protected information."

The VA agreed with the IG report findings and submitted corrective action plans that included designating clear roles and responsibilities for each of the offices involved in managing the agency's ICAM policies. The Inspector General's office also said it will continue to monitor the VA's progress as it further develops an effective ICAM oversight framework.