OIG Reports

No. 1   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a modified repeat recommendation from prior years.)

No. 2   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and information system security officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a modified repeat recommendation from prior years.)

No. 3   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a modified repeat recommendation from prior years.)

No. 4   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 5   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)

No. 6   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 7   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 8   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years

No. 9   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a repeat recommendation from prior years.)

No. 10   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 11   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 12   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 13   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a modified repeat recommendation from prior years.)

No. 14   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 15   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 16   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)

No. 17   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives are met. (This is a modified repeat recommendation from prior years.)

No. 18   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 19   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)

No. 20   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)

No. 21   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that security control deficiencies are tracked individually instead of consolidating security deficiencies under one control. (This is a modified repeat recommendation from prior years.)

No. 22   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)

No. 23   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)

No. 24   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)

No. 25   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology ensure appropriate levels of background investigations be completed for all personnel in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.

No. 1   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement establish effective and consistent quality assurance reviews, especially for contracts deemed higher risk, to ensure all closeout requirements, such as identifying and deobligating excess funds, closing out contracts timely, and properly completing and uploading closeout documentation, are performed in accordance with the Federal Acquisition Regulation and the Veterans Health Administration procurement manual.

No. 2   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement ensure all contracting officers receive standardized training regarding the Veterans Health Administration procurement manual closeout procedures, including the correct use of closeout procedures for contracts that are awarded using Federal Acquisition Regulation part 8 and simplified acquisition procedures.

No. 3   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement ensure the contract files for the 40 sampled contracts have complete closeout documentation in accordance with the Federal Acquisition Regulation and Veterans Health Administration procurement manual.

No. 1   to Veterans Benefits Administration (VBA)

Determine whether public-use disability benefits questionnaires continue to be an effective means of gathering evidence to support claims for benefit entitlement and, if necessary, take steps to discontinue their use.

No. 2   to Veterans Benefits Administration (VBA)

Update the Veterans Benefits Administration’s adjudication procedures manual to assist claims processors in determining whether public-use disability benefits questionnaires were conducted through telehealth and include specific steps on what to do if claims processors suspect that public-use disability benefits questionnaires were completed via telehealth.

No. 3   to Veterans Benefits Administration (VBA)

Revise public-use disability benefits questionnaire forms to include a mechanism for the private provider to indicate whether the examination was completed in person or through telehealth.

No. 4   to Veterans Benefits Administration (VBA)

Notify veterans and private providers on public-facing forums and public-use disability benefits questionnaires that telehealth examinations are not acceptable for use in making benefit entitlement determinations.

No. 1   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits conduct a review of automatically and manually completed fiscal year 2016 drill pay adjustments that involved active duty military periods during that fiscal year, and take corrective actions as necessary.

No. 2   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits conduct a review of automatically and manually completed fiscal year 2016 drill pay adjustments that involved a response to the proposal letter, and take corrective actions as necessary.

No. 3   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits remind Intake Processing Center staff of their responsibilities for processing responses to drill pay proposal letters, including the appropriate actions to take when a response is received disagreeing with the proposal, and implement a plan to ensure staff compliance.

No. 4   to Veterans Benefits Administration (VBA)

The OIG recommended the under secretary for benefits implement a plan to provide detailed training for VBA staff who process drill pay adjustments and monitor the effectiveness of the training.

No. 1   to Veterans Benefits Administration (VBA)

Review rating decisions made by the rating veterans service representative since being released on single-signature status, and correct any decisions found to be made in error.

No. 2   to Veterans Benefits Administration (VBA)

Ensure rating decisions involving clear and unmistakable errors are signed by a quality review specialist and the veterans service center manager, or their designee.

No. 3   to Veterans Benefits Administration (VBA)

Ensure rating veterans service representatives do not have the function to establish claims in VA’s electronic system.

No. 1   to Veterans Health Administration (VHA)

The Cincinnati Veterans Affairs Medical Center director ensures the Cincinnati Education and Research for Veterans Foundation’s board of directors establishes policies that require responsible officials to verify adequate supporting documentation before approving expenditures.

No. 2   to Veterans Health Administration (VHA)

The Cincinnati Veterans Affairs Medical Center director ensures the Cincinnati Education and Research for Veterans Foundation’s board of directors, or responsible officials, approve reimbursements to the executive director.

No. 3   to Veterans Health Administration (VHA)

The Cincinnati VA Medical Center director establishes procedures to ensure Research and Development Budget Office staff review VA-affiliated nonprofit corporation invoices to make certain services were performed or the goods have been received in accordance with Intergovernmental Personnel Act agreements prior to approving invoices for payment.

No. 4   to Veterans Health Administration (VHA)

The Cincinnati VA Medical Center director establishes procedures to ensure the Research and Development Budget Office supervisor conducts periodic reviews of the VA-affiliated nonprofit corporation invoices authorized for payment by staff as required by VA Financial Policies and Procedures, Volume VIII, Chapter 1A.

No. 1   to Veterans Health Administration (VHA)

Develop and implement a mechanism for VA facilities and their respective VA community care departments to routinely identify and exchange wait time data to help make decisions that reduce patient wait times.

No. 2   to Veterans Health Administration (VHA)

Routinely monitor the timeliness of each distinct stage of the community care consult process so Veterans Integrated Service Network 8 facilities can identify specific delays.

No. 3   to Veterans Health Administration (VHA)

Ensure facilities routinely monitor the Office of Community Care staffing tool and take appropriate actions to confirm actual staffing levels are sufficient to meet workloads in a timely manner.

No. 4   to Veterans Health Administration (VHA)

Ensure community care administrative staff are effectively cross-trained to carry out applicable administrative consult processing duties to streamline scheduling and authorizations, and implement a control to monitor whether facilities are processing community care consults in accordance with Office of Community Care guidance and recommendations.

No. 5   to Veterans Health Administration (VHA)

Develop and implement specific facility plans to address the backlog of open consults and the growing number of new consults.

No. 1   to Veterans Health Administration (VHA)

Develop a mechanism to assess whether staffing levels within sleep medicine programs are sufficient for monitoring sleep apnea device use and conducting follow-ups with veterans.

No. 2   to Veterans Health Administration (VHA)

Ensure the Veterans Health Administration is leveraging existing technologies to make sure medical facilities are routinely monitoring veteran use of sleep apnea devices in a consistent and effective manner to more promptly identify individuals at risk of noncompliance with recommended therapies.

No. 3   to Veterans Health Administration (VHA)

Coordinate with the appropriate offices and services, including the Office of Procurement, Acquisitions, and Logistics, Prosthetic and Sensory Aids Service, sleep medicine, and the Veterans Health Administration National Infectious Diseases Service, to (a) assess the viability, potential patient care, and financial impact of an alternative to purchasing sleep apnea devices; (b) make and provide clear guidance on any changes to current Veterans Health Administration processes, including device returns, cleaning, and reissuance; and (c) designate an office with authority to ensure medical facilities implement any processes and recommendations from the assessment.

No. 1   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to develop a formal process to validate correct order fulfillment reporting by the prime vendors, ensure the correct algorithms are used, and help prevent missed opportunities to identify and mitigate issues.

No. 2   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, requires the Healthcare Commodities Program Office to ensure Medical/Surgical Prime Vendor Next Generation contracting officer’s representatives get timely access to the performance metric reporting, such as reporting on correct order fulfillment.

No. 3   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to monitor contracting officer’s representatives to ensure performance metric reporting is reviewed for accuracy.

No. 4   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to strengthen processes and procedures so that staff use the Medical/Surgical Prime Vendor Next Generation formulary to change unit of issuance and product pricing information in the item master files.

No. 5   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to confirm that prime vendor American Medical Depot uses formulary sources when fulfilling requests for medical or surgical products under the Medical/Surgical Prime Vendor Next Generation.

No. 6   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, requires the director, VHA Procurement and Logistics Office, to see that all those who order supplies under the Medical/Surgical Prime Vendor-Next Generation contract have proper delegated authority.

No. 7   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, Office of Acquisition, Logistics, and Construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to monitor the Integrated Product Team’s development and implementation of a process to validate performance metric reporting such as on unadjusted fill rates.

No. 8   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, requires the Procurement and Logistics Office to strengthen controls, monitor the Healthcare Commodities Program Office monthly, and ensure adherence to the established Medical/Surgical Prime Vendor Next Generation program control plan.

No. 9   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, Office of Acquisition, Logistics, and Construction, require the Healthcare Commodities Program Office and Strategic Acquisition Center to identify and resolve discrepancies between unadjusted fill rate reporting methods used by the Medical/Surgical Prime Vendor Next Generation prime vendor for select eastern area VA medical centers.

No. 10   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, direct the Healthcare Commodities Program Office and Strategic Acquisition Center to see that all prime vendors use the unadjusted fill rate calculation methodology in accordance with the Medical/Surgical Prime Vendor Next Generation contract.

No. 11   to Veterans Health Administration (VHA)

The executive in charge, office of under secretary for health, and the principal executive director, office of acquisition, logistics, and construction, instruct the Healthcare Commodities Program Office and Strategic Acquisition Center to require the Medical/Surgical Prime Vendor Next Generation prime vendor for select eastern area VA medical centers to provide corrected unadjusted fill rates for the fiscal year 2018 and current reporting periods.