VA Needs a Cyber Audit of its Governmentwide Financial Services Center


The accounting shared services program—used by a range of federal agencies and programs—needs to ensure its systems are secure.

The Veterans Affairs Department needs to audit the cybersecurity of one of its components, and the results will likely have effects beyond the agency.

VA’s Financial Services Center, based in Austin, Texas, released a request for information Friday seeking cybersecurity audit services for the shared services program, which manages accounting and financial services for VA and provides those services to other federal agencies for a fee.

The audit is expected to cover the entirety of FSC’s IT systems—major and minor—covered under the program’s authority to operate, or ATO.

FSC IT officials want the audit to address three main areas. From the RFI:

  • Compliance: Including analysis of VA alignment to and compliance with federal government statutes, mandates and compliance goals.
  • Strategy: Including analysis of how VA is adapting processes, procedures and policies in support of the compliance analytics requirement.
  • Sustainment: Including analysis to support VA alignment to federal frameworks, compliance tools and governance processes to ensure consistency across VA.

“The contractor shall provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices,” the RFI states.

To keep FSC officials informed along the way, the vendor will be expected to file an initial assessment report 45 days after the contract is awarded, weekly progress reports, a monthly program management report and, ultimately, a final assessment report.

While FSC is looking for feedback from the marketplace, the eventual solicitation likely won’t be a full and open competition. Per the RFI, FSC plans to make an award off of VA’s Transformation Twenty-One Total Technology Next Generation, or T4NG, contract.

Responses to the RFI are due by 2 p.m. August 11.

FSC officials expect work on the contract to start six months from the date of award.