Report Summary

Title: VA's Federal Information Security Management Act Audit for Fiscal Year 2012
Report Link: http://www.va.gov/oig/pubs/VAOIG-12-01712-229.pdf
Report Number: 12-01712-229
Issue Date: 6/27/2013
City/State: Austin, TX; Birmingham, AL; Chillicothe, OH; Columbia, SC; Falling Waters, WV; Hines, IL; Lexington, KY; Loma Linda, CA; Martinsburg, WV; Memphis, TN; Philadelphia, PA; Salt Lake City, UT; Washington, DC; West Palm Beach, FL; White River Junction, VT; Quantico, VA
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations; CFS/FISMA Report
Release Type: Unrestricted
Summary: Our FY 2012 audit of VA’s information security program determined the extent to which VA complied with the Federal Information Security Management Act (FISMA) requirements and applicable National Institute of Standards and Technology guidelines. This audit is an annual requirement, and we contracted with an independent accounting firm, CliftonLarsonAllen LLP, to perform this work. We found VA made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. While some improvements were noted, we continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide. Further, VA has not remediated approximately 4,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. As a result of the FY 2012 consolidated financial statement audit, CliftonLarsonAllen LLP concluded a material weakness still exists in VA’s information security program. We recommended the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems. The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations and provided plans for corrective actions. OIG will monitor implementation of the action plans.
However, we remain concerned that several of the action plans are not expected to be in place until September 2014 for both new and prior recommendations. OIG will monitor implementation through interim progress reports until proposed actions are complete.