
Review of Alleged Lack of Access Controls for VA's Project Management Accountability System (PMAS) Dashboard

Report Information

Issue Date:
Report Number: 15-02459-260
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The Office of Inspector General received an allegation that the Office of Information and Technology (OI&T) had ineffective access controls over the Project Management Accountability System (PMAS) Dashboard and related project management data and metric reporting information. We substantiated the allegation that PMAS Dashboard access controls were inadequate.

OI&T did not configure 17 of the 18 PMAS Dashboard access groups to provide the least needed access privileges, even though VA policy required OI&T to grant access to VA systems based on the least need (the practice of limiting access to the minimal level that will allow normal performance of duties). Instead, OI&T designed these 17 groups to have full user access privileges to the PMAS Dashboard data, regardless of individual user need. This occurred because the OI&T director concluded that the PMAS data were not at risk and that OI&T therefore should not spend limited funds to develop group access ranging from read only to full access. When requested, OI&T staff could not provide a cost analysis identifying the costs to develop access controls.

In addition, OI&T did not develop user access logs. This prevented OI&T from identifying active users and periodically validating their actions, so OI&T could not effectively manage its risk to data integrity. Without configuring all the PMAS Dashboard groups to restrict user access to the data, VA does not comply with Federal Information Technology security requirements and VA Handbook 6500, and has assumed unnecessary risks to the integrity of its project management data.

We recommended the Assistant Secretary for Information and Technology create read only access to PMAS and ensure each user’s access is based on the least needed privilege. We also recommended that the Assistant Secretary develop Dashboard access logs and periodically review all users’ access to ensure users still have legitimate needs for system access.
The Assistant Secretary for Information and Technology concurred with our recommendations and provided acceptable corrective action plans. We will monitor their implementation.

No. 1 (Closed and Implemented), to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology create read-only access capability for the Project Management Accountability System.

No. 2 (Closed and Implemented), to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology assess the current level of each user’s access to the Project Management Accountability System Dashboard to ensure each user’s access is based on the least privilege needed.

No. 3 (Closed and Implemented), to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology develop Project Management Accountability System Dashboard access logs.

No. 4 (Closed and Implemented), to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology periodically review Project Management Accountability System Dashboard access logs to ensure users have a need for system access.
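The four recommendations above amount to one control pattern: access groups whose permission sets match documented need (read-only for most users, write rights only where required), every access decision logged, and the log reviewed on a schedule to find users who no longer need access. The following is an added illustration of that pattern and is not code from the report, from OI&T or from the PMAS Dashboard; the group names, permissions, users and timestamps are all constructed. It contrasts the configuration described in the finding (every group granted full rights) with a least-privilege configuration, and shows the two review checks the recommendations call for: flagging groups that hold more than their documented need and flagging users with no logged activity in the review window.

```python
"""Least-privilege access groups, an access log, and a periodic review.

Added example; not the report's or the PMAS Dashboard's own code.
All names, permissions and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Documented need per access group (constructed). Only the admin group
# holds rights to change or delete any record; the others are read-only
# or limited to their own project.
GROUP_PERMISSIONS = {
    "dashboard-readers": frozenset({"read"}),
    "project-managers": frozenset({"read", "update_own_project"}),
    "dashboard-admins": frozenset({"read", "update_own_project", "update_any", "delete"}),
}

# The configuration the finding describes: every group given full rights
# regardless of need.
FULL_ACCESS_EVERYWHERE = {
    group: GROUP_PERMISSIONS["dashboard-admins"] for group in GROUP_PERMISSIONS
}

# Constructed user-to-group assignments; "dave" never uses the system.
USER_GROUPS = {
    "alice": ["dashboard-readers"],
    "bob": ["project-managers"],
    "carol": ["dashboard-admins"],
    "dave": ["dashboard-readers"],
}

NOW = datetime(2016, 6, 1)  # constructed review date


@dataclass
class AccessLog:
    """Append-only record of every authorization decision (recommendation 3)."""
    entries: list = field(default_factory=list)

    def record(self, user, action, allowed, when):
        self.entries.append({"user": user, "action": action, "allowed": allowed, "when": when})


def authorize(user_groups, user, action, permissions, log, when):
    """Allow the action only if one of the user's groups grants it; log either way."""
    granted = set()
    for group in user_groups.get(user, ()):
        granted |= permissions.get(group, frozenset())
    allowed = action in granted
    log.record(user, action, allowed, when)
    return allowed


def over_privileged_groups(permissions, needed):
    """Groups whose configured rights exceed their documented need (recommendation 2)."""
    return sorted(
        group for group, perms in permissions.items()
        if not perms <= needed.get(group, frozenset())
    )


def stale_users(user_groups, log, now, max_idle_days=90):
    """Users with no logged activity inside the review window (recommendation 4)."""
    cutoff = now - timedelta(days=max_idle_days)
    last_seen = {}
    for entry in log.entries:
        last_seen[entry["user"]] = max(last_seen.get(entry["user"], entry["when"]), entry["when"])
    return sorted(user for user in user_groups if last_seen.get(user, datetime.min) < cutoff)


def run_review(permissions):
    """Replay constructed activity against a permission configuration and review it."""
    log = AccessLog()
    authorize(USER_GROUPS, "alice", "read", permissions, log, NOW - timedelta(days=3))
    alice_delete = authorize(USER_GROUPS, "alice", "delete", permissions, log, NOW - timedelta(days=2))
    authorize(USER_GROUPS, "bob", "update_own_project", permissions, log, NOW - timedelta(days=120))
    authorize(USER_GROUPS, "carol", "update_any", permissions, log, NOW - timedelta(days=1))
    return {
        "alice_can_delete": alice_delete,
        "over_privileged": over_privileged_groups(permissions, GROUP_PERMISSIONS),
        "stale": stale_users(USER_GROUPS, log, NOW),
        "denied_events": sum(1 for entry in log.entries if not entry["allowed"]),
    }


if __name__ == "__main__":
    print("as found:", run_review(FULL_ACCESS_EVERYWHERE))
    print("least privilege:", run_review(GROUP_PERMISSIONS))
```

Under `FULL_ACCESS_EVERYWHERE` a read-only user's delete succeeds and two groups are flagged as over-privileged; under `GROUP_PERMISSIONS` the same delete is denied and logged. In both cases the review surfaces the user with stale activity and the user with none, which is the information the finding says OI&T could not produce without access logs.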