OIG Seal
Department of Veterans Affairs, Office of Inspector General
Michael J. Missal, Inspector General

OIG Reports

| 19-06935-96 | Summary | Report

Recommendations (25)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a modified repeat recommendation from prior years.)

No. 2   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and information system security officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a modified repeat recommendation from prior years.)

No. 3   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a modified repeat recommendation from prior years.)

No. 4   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 5   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)

No. 6   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 7   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 8   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years

No. 9   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a repeat recommendation from prior years.)

No. 10   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 11   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 12   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 13   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a modified repeat recommendation from prior years.)

No. 14   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology, under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 15   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 16   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)

No. 17   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives are met. (This is a modified repeat recommendation from prior years.)

No. 18   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 19   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)

No. 20   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)

No. 21   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that security control deficiencies are tracked individually instead of consolidating security deficiencies under one control. (This is a modified repeat recommendation from prior years.)

No. 22   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)

No. 23   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)

No. 24   to Office of Information and Technology (OIT)

We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)

No. 25   to Office of Information and Technology (OIT)

We recommended the Executive in Charge for Information and Technology ensure appropriate levels of background investigations be completed for all personnel in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 19-08374-112 | Summary | Report

Recommendations (4)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The Under Secretary for Health ensures the clarification of policy regarding emergent mental health services extension request procedures including expected timeframes and patient notification processes.

No. 2   to Veterans Health Administration (VHA)

The Under Secretary for Health expedites the establishment of policy regarding follow-up of patients identified by the Recovery Engagement and Coordination for Health –Veterans Enhanced Treatment program and no longer receiving Veterans Health Administration services.

No. 3   to Veterans Health Administration (VHA)

The Coatesville VA Medical Center Director ensures compliance with the 90-day emergent mental health services extension request policies and procedures, as required by the Veterans Health Administration.

No. 4   to Veterans Health Administration (VHA)

The Coatesville VA Medical Center Director evaluates the Grant and Per Diem Program medical emergency procedures, seeks consultation with relevant subject matter experts including IntegratedEthics®, and takes action as appropriate.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 19-07682-103 | Summary | Report

Recommendations (6)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director makes certain the Chief of Staff ensures research providers take action based on stress-test results to include coordination of care and notification to primary providers as warranted.

No. 2   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director ensures that a full retrospective review of patients enrolled, to date, in the Arm Exercise Versus Pharmacologic Stress Testing for Clinical Outcome Prediction study with positive stress tests received communication of their test result and follow-up care if indicated.

No. 3   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director ensures that a review of Patient A’s case is completed to determine if disclosure is warranted.

No. 4   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director makes certain that the Institutional Review Board ensures adherence to the research study plan related to communication to the primary provider of patient enrollment in the study.

No. 5   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director ensures alignment of content for the regadenoson stress test protocols and education provided to staff and healthcare trainees.

No. 6   to Veterans Health Administration (VHA)

The VA St. Louis Health Care System Director ensures the stress test laboratory regadenoson protocol meets VA St. Louis Health Care System Memorandum 00-34 requirements.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 19-09436-108 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The VA Black Hills Healthcare System Director complies with Veterans Health Administration requirements that Level 1 and 2 facilities have an assistant chief of Sterile Processing Services on staff.

No. 2   to Veterans Health Administration (VHA)

The VA Black Hills Healthcare System Director ensures that Sterile Processing Services leaders track changes to manufacturer’s instructions, updates standard operating procedures, retrains staff as needed, and monitors compliance with Veterans Health Administration policy.

No. 3   to Veterans Health Administration (VHA)

The VA Black Hills Healthcare System Director ensures that Sterile Processing Services leaders maintain up-to-date staff competencies for reprocessing, and monitors compliance with Veterans Health Administration policy.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

| 19-05866-82 | Summary | Report

Recommendations (3)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement establish effective and consistent quality assurance reviews, especially for contracts deemed higher risk, to ensure all closeout requirements, such as identifying and deobligating excess funds, closing out contracts timely, and properly completing and uploading closeout documentation, are performed in accordance with the Federal Acquisition Regulation and the Veterans Health Administration procurement manual.

No. 2   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement ensure all contracting officers receive standardized training regarding the Veterans Health Administration procurement manual closeout procedures, including the correct use of closeout procedures for contracts that are awarded using Federal Acquisition Regulation part 8 and simplified acquisition procedures.

No. 3   to Veterans Health Administration (VHA)

The OIG recommended that the executive director of VHA Procurement ensure the contract files for the 40 sampled contracts have complete closeout documentation in accordance with the Federal Acquisition Regulation and Veterans Health Administration procurement manual.

Total Monetary Impact of All Recommendations

Open: $ 6,840,219.00
Closed: $ 0.00

| 19-07090-90 | Summary | Report

Recommendations (4)Toggle Content


OpenClosed - ImplementedClosed - Not Implemented

No. 1   to Veterans Health Administration (VHA)

The Richard L. Roudebush VA Medical Center Director reviews and develops cardiology recruitment and retention processes to reach the approved staffing level.

No. 2   to Veterans Health Administration (VHA)

The Richard L. Roudebush VA Medical Center Director explores the possible reasons for difficulties recruiting and retaining cardiologists and takes action to resolve identified issues.

No. 3   to Veterans Health Administration (VHA)

The Richard L. Roudebush VA Medical Center Director ensures that facility staff understand the Veterans Health Administration policy regarding authorized and unauthorized patient wait lists, and monitors compliance.

No. 4   to Veterans Health Administration (VHA)

The Richard L. Roudebush VA Medical Center Director ensures facility managers train staff regarding the consult process and wait list policies, and monitors compliance.

Total Monetary Impact of All Recommendations

These recommendations have no monetary value.

Filter Options

Use the controls below to filter the list of OIG reports. Click on the headings to view the filter choices.

Current Filter

  • All records

4/7/2020 11:28:28 PM


Date RangeRemove

Limits the list of reports to those published in the date range specified below.

Report LocationRemove

Limits the list of reports to those pertaining to the cities selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

VA Administration/Staff OfficeRemove

Limits the list of reports to those pertaining to the VA offices selected below. Hold down the control key to select multiple values or to toggle an individual value on or off.

Report TypeRemove

Limits the list of reports to the report types selected below. Hold down the control key to select multiple values or to toggle an individual value on or off. For a description of the types of reports published by the OIG, please visit our Reports and Publications homepage.

OIG Report AuthorRemove

Limits reports to those authored by specific OIG elements.

Report NumbersRemove

Helpful for finding reports if you know the report number. Separate multiple values with semicolons.

Search TermsRemove

Limit the results to reports that match your search terms.

Recommendation StatusRemove

Limits reports to those with open or closed recommendations.

Recommendation Action OfficeRemove

Limits reports to those with recommendations specific to the following VA Offices

Displaying records at a time.