Breadcrumb

VA's Federal Information Security Management Act Audit for Fiscal Year 2012

Report Information

Issue Date
Report Number
12-01712-229
VISN
State
Alabama
California
District of Columbia
Florida
Illinois
Kentucky
Ohio
Pennsylvania
South Carolina
Tennessee
Texas
Utah
Vermont
Virginia
West Virginia
District
VA Office
Information and Technology (OIT)
Report Author
Office of Audits and Evaluations
Report Type
Audit
Recommendations
32
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

Summary
Our FY 2012 audit of VA’s information security program determined the extent to which VA complied with the Federal Information Security Management Act (FISMA) requirements and applicable National Institute for Standards and Technology guidelines. This audit is an annual requirement and we contracted with an independent accounting firm, CliftonLarsonAllen LLP, to perform this work. We found VA made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. While some improvements were noted, we continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide. Further, VA has not remediated approximately 4,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. As a result of the FY 2012 consolidated financial statement audit, CliftonLarsonAllen LLP concluded a material weakness still exists in VA’s information security program. We recommended the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems. The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations and provided plans for corrective actions. OIG will monitor implementation of the action plans. However, we remain concerned that several of the action plans are not expected to be in place until September 2014 for both new and prior recommendations. OIG will monitor implementation through interim progress reports until proposed actions are complete.

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology fully develop and implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from last year.)
No. 2
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central database to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from last year.)
No. 3
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology define and implement clear roles and responsibilities for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a repeat recommendation from last year.)
No. 4
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)
No. 5
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information. (This is a repeat recommendation from last year.)
No. 6
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self assessments on at least an annual basis and ensure all required information accurately reflects the current environment and new risks in accordance with Federal standards. (This is a new recommendation.)
No. 7
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)
No. 8
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from last year.)
No. 9
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems. (This is a repeat recommendation from last year.)
No. 10
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from last year.)
No. 11
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a new recommendation.)
No. 12
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement effective automated mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platforms, and Web application servers. (This is a modified repeat recommendation from last year.)
No. 13
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement a patch and vulnerability management program to address security deficiencies identified during our assessments of VA's Web applications, database platforms, network infrastructure, and work stations. (This is a modified repeat recommendation from last year.)
No. 14
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement standard security configuration baselines for all VA operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)
No. 15
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement procedures to enforce a system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from last year.)
No. 16
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement processes to ensure information system contingency plans are updated with the required information and lessons learned are communicated to senior management. (This is a modified repeat recommendation from last year.)
No. 17
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite
No. 18
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology ensure that agreements for alternate processing sites have been established that define the roles and responsibilities for alternate locations in the event of a disaster. (This is a new recommendation.)
No. 19
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology fully implement an automated 24-hour security event and incident correlation solution to monitor security for all systems interconnections, database security events, and mission-critical platforms supporting VA programs and operations. (This is a modified repeat recommendation from last year.)
No. 20
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology identify all external network interconnections and ensure appropriate Interconnection Security Agreements and Memoranda of Understanding are in place to govern them. (This is a repeat recommendation from last year.)
No. 21
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA set standards. (This is a modified repeat recommendation.)
No. 22
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement effective continuous monitoring processes to identify and prevent the use of unauthorized application software, hardware (including personal storage devices), and system configurations on its networks. (This is a repeat recommendation from last year.)
No. 23
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a repeat recommendation from last year.)
No. 24
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology develop procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents. (This is a repeat recommendation from last year.)
No. 25
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement procedures for overseeing contractor-managed systems and ensuring information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from last year.)
No. 26
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including interfaces with contractor-managed systems, and annually review the systems inventory for accuracy. (This is a repeat recommendation from last year.)
No. 27
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a modified repeat recommendation from last year.)
No. 28
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology develop mechanisms to ensure risk assessments accurately reflect the current control environment, compensating controls, and the characteristics of the relevant VA facilities.
No. 29
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology review and update all applicable position descriptions to better describe sensitivity ratings and better document employee personnel records and contractor files, including 'Rules of Behavior' instructions, annual privacy and Health Insurance Portability and Accountability Act of 1996 training certifications, and position sensitivity level designations.
No. 30
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology ensure appropriate levels of background investigations be completed for all applicable VA employees and contractors in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.
No. 31
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology reduce wireless security vulnerabilities by ensuring sites have an effective and up-to-date methodology to protect against the interception of wireless signals and unauthorized access to the network and ensure the wireless network is segmented and protected from the wired network.
No. 32
Closed and Implemented Recommendation Image, Checkmark
to Information and Technology (OIT)
We recommend the Assistant Secretary for Information and Technology identify and deploy solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities.