Review of VA’s Alleged Circumvention of Security Requirements for System Certifications and Apple Mobile Devices

In response to a confidential hotline allegation, we evaluated whether VA’s approach for information system certification and storing sensitive data on Apple mobile devices circumvents information security requirements. Senator Kyl also requested we evaluate whether VA’s approach for only storing sensitive data on encrypted mobile device applications meets FISMA requirements. We determined VA was not circumventing FISMA certification and accreditation requirements by suspending security control testing and granting operational waivers for existing information systems. We also determined that VA’s approach for allowing only certified applications to access sensitive data or storing encrypted data on the mobile device met FISMA information security requirements for data protection. However, we noted that VA could improve management controls by ensuring an accurate inventory and consistent configuration of mobile devices deployed enterprise-wide. The Assistant Secretary for Information Technology concurred with our findings and recommendations.