‘Continuing Significant Deficiencies’ Hamper VA’s Information Security Controls, Audit Finds
An audit released by the VA Office of Inspector General found that the department “needs to implement improved controls” to address persistent gaps in its information security program.

The Department of Veterans Affairs “continues to face significant challenges” in complying with the Federal Information Security Modernization Act—or FISMA—according to an audit released by the VA Office of Inspector General on Wednesday.

The annual review, which was conducted by VA’s OIG along with public accounting firm CliftonLarsonAllen LLP, assessed the department’s information security controls to determine if they met federal cybersecurity requirements during fiscal year 2022.

Auditors examined “selected controls supporting 47 major applications and general support systems at 23 VA facilities and the VA enterprise cloud” to determine their compliance with FISMA, as well as reporting requirements outlined by the Department of Homeland Security and “applicable” information security guidelines from the Office of Management and Budget and the National Institute of Standards and Technology.

While the review noted that since the fiscal year 2021 audit, VA “has made progress developing, documenting and distributing policies and procedures” to bolster its information security controls, it found that the department “still faces challenges implementing components of its agencywide information security risk management program to meet FISMA requirements.”

The audit said that VA’s continuing lack of compliance with FISMA was “due to the nature and maturity of its information security program” and that the department “needs to implement improved controls” to enhance the effectiveness of its information security program.

“Consequently, this audit identified continuing significant deficiencies related to access controls, configuration management controls, change management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration or destruction,” the report said.

The report noted that VA took positive steps during the 2022 fiscal year to address previously identified deficiencies in its information security controls, such as implementing new tools, launching new initiatives and actively working on new security-related projects across the department. This included the continuation of VA’s enterprise cybersecurity strategy program “to address previously identified security weaknesses,” as well as implementation of the department’s cybersecurity strategy that was released last year.

Some of the broader improvements that were identified also included “enhanced boundary protections and network threat monitoring techniques,” as well as “further enhancements and use of the centralized audit log collection and analysis tool and increased visibility to server infrastructure.”

However, the audit found that the steps taken “require time to mature and demonstrate evidence of their effectiveness,” and that information security controls “need to be applied in a comprehensive manner to information systems across VA in order to be considered consistent and fully effective.”

“Accordingly, we continue to see information system security deficiencies similar in type and risk level to our findings in prior years and an overall inconsistent implementation and enforcement of the security program,” the report said. “Moving forward, VA needs to ensure a proven process is in place across the agency. VA also needs to continue to address deficiencies that exist within access and configuration management controls across all systems and applications.”

The audit outlined 26 recommendations to help VA enhance its information security program, including steps to “improve deployment of security patches, system upgrades and system configurations” to mitigate security vulnerabilities and “improve performance monitoring to ensure controls are operating as intended at all facilities.”

The fiscal year 2021 audit of VA’s FISMA compliance also provided 26 recommendations to the department, and the latest report noted that some of the previous report’s recommendations “were modified or not closed because relevant information security control deficiencies identified during the FY 2022 FISMA audit were repeat deficiencies.”

“Despite VA’s commitment to close the recommendations, some have been repeated for multiple years,” the review noted, adding that “the OIG remains concerned that continuing delays in addressing these open recommendations could contribute to reporting a material weakness in VA’s information technology security controls during the FY 2023 audit of the department’s consolidated financial statements.”