Department of Veterans Affairs, Office of Inspector General
Michael J. Missal, Inspector General

Report Summary

Title: Review of VA’s Alleged Circumvention of Security Requirements for System Certifications and Apple Mobile Devices
Report Number: 12-00089-182
Issue Date: 5/23/2012
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations
Release Type: Unrestricted

In response to a confidential hotline allegation, we evaluated whether VA’s approach for information system certification and storing sensitive data on Apple mobile devices circumvents information security requirements. Senator Kyl also requested we evaluate whether VA’s approach for only storing sensitive data on encrypted mobile device applications meets FISMA requirements. We determined VA was not circumventing FISMA certification and accreditation requirements by suspending security control testing and granting operational waivers for existing information systems. We also determined that VA’s approach for allowing only certified applications to access sensitive data or storing encrypted data on the mobile device met FISMA information security requirements for data protection. However, we noted that VA could improve management controls by ensuring an accurate inventory and consistent configuration of mobile devices deployed enterprise-wide. The Assistant Secretary for Information Technology concurred with our findings and recommendations.