Review of Unauthorized System Interconnection at the VA Regional Office in Wichita, Kansas

Report Information

Issue Date:
Report Number: 16-00376-133
VISN:
State: Kansas
District:
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 6
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) Hotline Division received an allegation that an unauthorized system interconnection existed between a Veterans Service Organization (VSO) network and the Wichita, KS, VA Regional Office (VARO). More specifically, the allegation stated that a system interconnection existed without a required Interconnection Security Agreement in place to define applicable information security requirements. The complaint also stated that the system interconnection was not disclosed to the OIG during a recent Federal Information Security Modernization Act audit.
We substantiated the allegation that an unauthorized system interconnection existed between the Wichita VARO and the Kansas Commission on Veterans Affairs Office network. We also substantiated the allegation that the system interconnection was not disclosed to the OIG because Office of Information Technology (OI&T) staff did not believe the connection constituted a formal system interconnection according to VA policy.
The unauthorized system interconnection occurred because OI&T technical staff did not have the technical knowledge or exercise due diligence to identify the system interconnection in accordance with VA policy; OI&T technical staff did not follow VA’s change management procedures for reviewing and approving significant network and system changes; and Wichita VARO did not have a formal process in place for managing VSO system change requests that may adversely affect VA’s network environment. As a result, the unauthorized system interconnection violated VA policy and the computers used by VSO representatives were inappropriately allowed to use client software to establish simultaneous network connections between VA’s and the VSO’s networks.
We recommended the Assistant Secretary for Information Technology, in conjunction with the Wichita VARO facility director, ensure that the network interconnection with the Kansas Commission of Veterans Affairs is brought into compliance with VA information security requirements. The Principal Deputy Under Secretary for Benefits and the Acting Assistant Secretary for Office of Information and Technology concurred with our findings and recommendations. We will follow up on the implementation of corrective actions.

No. 1
Status: Closed and Implemented
to Information and Technology (OIT)
We recommended the Director of the Wichita VA Regional Office implement a local process for managing all Veterans Service Organization service requests and document pertinent roles and responsibilities within a Memorandum of Understanding.
No. 2
Status: Closed and Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement review processes to monitor the performance of the facility chief information officers, information security officers, and technical staff on the identification of external system interconnections and the required change control processes.
No. 3
Status: Closed and Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology, in conjunction with the Wichita VA Regional Office Director, ensure that VA's system interconnection with the Kansas Commission on Veterans Affairs Office is brought into compliance with VA Information Security requirements and is authorized by an Interconnection Security Agreement and Facility Compliance Report.
No. 4
Status: Closed and Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology conduct an annual review of all Veterans Service Organization systems connected to VA's network and ensure that appropriate Interconnection Service Agreements are in place and enforced for those connections.
No. 5
Status: Closed and Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information Technology implement improved change management controls to prevent the establishment of Virtual Private Network concurrent network connections that are not in accordance with VA policy.
No. 6
Status: Closed and Implemented
to Veterans Benefits Administration (VBA)
We recommended the Director of the Wichita VA Regional Office implement a local process for managing all Veterans Service Organization service requests and document pertinent roles and responsibilities within a Memorandum of Understanding.