‘Continuing Significant Deficiencies’ Hamper VA’s Information Security Controls, Audit Finds

An audit released by the VA Office of Inspector General found that the department “needs to implement improved controls” to address persistent gaps in its information security program.

The Department of Veterans Affairs “continues to face significant challenges” in complying with the Federal Information Security Modernization Act—or FISMA—according to an audit released by the VA Office of Inspector General on Wednesday. 

The annual review, which was conducted by VA’s OIG along with public accounting firm CliftonLarsonAllen LLP, assessed the department’s information security controls to determine if they met federal cybersecurity requirements during fiscal year 2022.

Auditors examined “selected controls supporting 47 major applications and general support systems at 23 VA facilities and the VA enterprise cloud” to determine their compliance with FISMA, as well as reporting requirements outlined by the Department of Homeland Security and “applicable” information security guidelines from the Office of Management and Budget and the National Institute of Standards and Technology. 

While the review noted that since the fiscal year 2021 audit, VA “has made progress developing, documenting and distributing policies and procedures” to bolster its information security controls, it found that the department “still faces challenges implementing components of its agencywide information security risk management program to meet FISMA requirements.”

The audit said that VA’s continuing lack of compliance with FISMA was “due to the nature and maturity of its information security program” and that the department “needs to implement improved controls” to enhance the effectiveness of its information security program.

“Consequently, this audit identified continuing significant deficiencies related to access controls, configuration management controls, change management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration or destruction,” the report said. 

The report noted that VA took positive steps during the 2022 fiscal year to address previously identified deficiencies in its information security controls, such as implementing new tools, launching new initiatives and actively working on new security-related projects across the department. This included the continuation of VA’s enterprise cybersecurity strategy program “to address previously identified security weaknesses,” as well as implementation of the department’s cybersecurity strategy that was released last year.

Some of the broader improvements identified also included “enhanced boundary protections and network threat monitoring techniques,” as well as “further enhancements and use of the centralized audit log collection and analysis tool and increased visibility to server infrastructure.”

However, the audit found that the steps taken “require time to mature and demonstrate evidence of their effectiveness,” and that information security controls “need to be applied in a comprehensive manner to information systems across VA in order to be considered consistent and fully effective.”

“Accordingly, we continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation and enforcement of the security program,” the report said. “Moving forward, VA needs to ensure a proven process is in place across the agency. VA also needs to continue to address deficiencies that exist within access and configuration management controls across all systems and applications.”

The audit outlined 26 recommendations to help VA enhance its information security program, including steps to “improve deployment of security patches, system upgrades and system configurations” to mitigate security vulnerabilities and “improve performance monitoring to ensure controls are operating as intended at all facilities.”

The fiscal year 2021 audit of VA’s FISMA compliance also provided 26 recommendations to the department, and the latest report noted that some of the previous report’s recommendations “were modified or not closed because relevant information security control deficiencies identified during the FY 2022 FISMA audit were repeat deficiencies.”

“Despite VA’s commitment to close the recommendations, some have been repeated for multiple years,” the review noted, adding that “the OIG remains concerned that continuing delays in addressing these open recommendations could contribute to reporting a material weakness in VA’s information technology security controls during the FY 2023 audit of the department’s consolidated financial statements.”
