Breadcrumb

Administrative Investigation, Improper Access to the VA Network by VA Contractors from Foreign Countries, Office of Information and Technology, Austin, TX

Report Information

Issue Date
Report Number
13-01730-159
VISN
State
Texas
District
VA Office
Information and Technology (OIT)
Report Author
Office of Investigations
Report Type
Administrative Investigation
Recommendations
4
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

Summary
Seven years after the 2006 data breach, VA information security employees still reacted with indifference, little sense of urgency, or responsibility concerning a possible cyber threat incident. Austin Information Technology Center (AITC) OIT employees failed to follow VA information security policy and contract security requirements when they approved VA contractor employees to work remotely and access VA’s network from China and India. One accessed it from China using personally-owned equipment (POE) that he took to and left in China, and the other accessed it from India using POE that he took with him to India and then brought back to the United States (US). After the Acting CIO learned of this improper remote access, he gave verbal instructions for it to cease; however, VA information security employees at all levels failed to quickly respond to stop the practice and to determine if there was a compromise to any VA data as a result of VA’s network being accessed internationally. Further, we found that a VA employee, as well as other VA contractor employees, improperly connected to VA’s network from foreign locations.

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Office of the Secretary (SVA)
We recommend that the VA Chief of Staff (COS) confer with the Offices of Human Resources (OHR), General Counsel (OGC), and Accountability Review (OAR) to determine the appropriate administrative action to take, if any, against the OIT employees involved in this particular matter.
No. 2
Closed and Implemented Recommendation Image, Checkmark
to Office of the Secretary (SVA)
We recommend that the COS confer with OGC and the Executive Director of the Office of Acquisition Operations (OAO) to determine the appropriate action to take against Systems Made Simple, Inc., for contractor employees failing to adhere to VA information security policies and contract security requirements.
No. 3
Closed and Implemented Recommendation Image, Checkmark
to Office of the Secretary (SVA)
We recommend that the COS ensure that VA's information security policies are thoroughly reviewed and rewritten to address any weaknesses.
No. 4
Closed and Implemented Recommendation Image, Checkmark
to Office of the Secretary (SVA)
We recommend that the COS ensure that VA's information security training is thoroughly reviewed and rewritten to address any weaknesses.