Report Summary

Title: VA's Federal Information Security Management Act Assessment for FY 2011
Report Number: 11-00320-138
Issue Date: 4/6/2012
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations
Release Type: Unrestricted
Summary: In compliance with the Federal Information Security Management Act (FISMA), this assessment determined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We found VA has made progress developing policies and procedures, but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. We continued to identify significant deficiencies related to controls in system access, configuration management, and continuous monitoring, as well as service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. This report provides 31 recommendations for improving VA’s information security program. The Assistant Secretary for Information and Technology agreed with our findings and recommendations.