VA's Federal Information Security Management Act Assessment for FY 2011

Report Information

Issue Date:
Report Number: 11-00320-138
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 0
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

In compliance with the Federal Information Security Management Act (FISMA), this assessment determined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We found VA has made progress developing policies and procedures, but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. We continued to identify significant deficiencies related to controls in system access, configuration management, and continuous monitoring, as well as in service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. This report provides 31 recommendations for improving VA’s information security program. The Assistant Secretary for Information and Technology agreed with our findings and recommendations.