Report Summary

Title: VA's Federal Information Security Management Act Audit for Fiscal Year 2013
Report Number: 13-01391-72
Issue Date: 5/29/2014
City/State: Cincinnati, OH; Hampton, VA; Kansas City, MO; Little Rock, AR; Manchester, NH; Miami, FL; New Orleans, LA; Oklahoma City, OK; Reno, NV; San Antonio, TX; San Francisco, CA; Aberdeen, SC; Washington, DC; Philadelphia, PA; Quantico, VA; Hines, IL; Culpeper, VA; Austin, TX
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: CFS/FISMA Report
Release Type: Unrestricted
Summary: In accordance with the Federal Information Security Management Act (FISMA), we conducted our annual assessment of the effectiveness of agency information security programs and practices. Our FY 2013 audit determined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We contracted with the independent accounting firm CliftonLarsonAllen LLP to perform this audit. We found that VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. While some improvements were noted, FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide. Further, VA has not remediated approximately 6,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. As a result of the FY 2013 consolidated financial statement audit, CliftonLarsonAllen LLP concluded a material weakness still exists in VA’s information security program. We recommended the Executive in Charge for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems. The Executive in Charge for Information and Technology generally agreed with our findings and recommendations. We will monitor implementation of the corrective action plans.