VA's Federal Information Security Modernization Act Audit for Fiscal Year 2016

Report Information

Issue Date:
Report Number: 16-01949-248
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 31
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The Federal Information Security Modernization Act (FISMA) of 2014 requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices. Our FY 2016 audit determined whether VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We contracted with the independent accounting firm CliftonLarsonAllen LLP to perform this audit.

VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security continuous monitoring and risk management program to meet FISMA requirements. While some improvements were noted, this audit identified continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases, and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, databases, and server platforms VA-wide. Further, VA has not remediated approximately 7,200 outstanding system security risks recorded in its corresponding Plans of Action and Milestones. As a result, the FY 2016 Consolidated Financial Statement audit concluded that a material weakness still exists in connection with VA’s information security program.

This report contains 33 recommendations for improving VA’s information security program. We recommended the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems.
The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations. We will monitor the implementation of corrective action plans.

Recommendations

No. 1 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes to ensure all VA systems and devices are formally “Authorized to Operate” and system security controls are evaluated before allowing such systems to connect to VA’s general network or the Internet. (This is a new recommendation.)

No. 2 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology fully implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from prior years.)

No. 3 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 4 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes to ensure that all identified weaknesses are incorporated into the Governance Risk and Compliance tool in a timely manner, and that corresponding Plans of Action and Milestones are developed to track corrective actions and remediation. (This is a repeat recommendation from prior years.)

No. 5 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement system enhancements to the Governance Risk and Compliance tool to prevent the automatic re-opening of closed Plans of Action and Milestones, and ensure such actions are updated to accurately reflect their current status. (This is a repeat recommendation from prior years.)

No. 6 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement clear roles, responsibilities, and accountability for developing, maintaining, completing, and reporting on Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 7 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection, boundary, control, and ownership information. (This is a repeat recommendation from prior years.)

No. 8 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as risk assessments, privacy impact assessments, and security control assessments on an annual basis, and ensure all required information accurately reflects the current environment. (This is a repeat recommendation from prior years.)

No. 9 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 10 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 11 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology enable system audit logs on all systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a modified repeat recommendation from prior years.)

No. 12 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology fully implement two-factor authentication for all network access methods throughout the agency. (This is a modified repeat recommendation from prior years.)

No. 13 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and Web application servers. (This is a repeat recommendation from prior years.)

No. 14 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s Web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 15 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology maintain complete and accurate baseline configurations and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a modified repeat recommendation from prior years.)

No. 16 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved network access controls to ensure medical devices and networks not managed by OI&T are appropriately segregated from general networks and mission-critical systems. (This is a repeat recommendation from prior years.)

No. 17 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by OI&T under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 18 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a new recommendation.)

No. 19 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved procedures to enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system. (This is a modified repeat recommendation from prior years.)

No. 20 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes to ensure information system contingency plans are updated with the required information. (This is a modified repeat recommendation from prior years.)

No. 21 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes for ensuring the encryption of backup data prior to transferring the data offsite for storage. (This is a modified repeat recommendation from prior years.)

No. 22 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved processes for the testing of contingency plans and failover capabilities for critical systems to ensure that all components can be recovered at an alternate site in the event of a system failure or disaster. (This is a modified repeat recommendation from prior years.)

No. 23 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology document a Business Impact Analysis for all systems and incorporate applicable Recovery Point Objectives for those systems. (This is a modified repeat recommendation from prior years.)

No. 24 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and connections for unauthorized activity. (This is a repeat recommendation from prior years.)

No. 25 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 26 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology ensure that VA’s Network Security and Operations Center has full access to all security incident data to facilitate agency-wide awareness of information security events. (This is a new recommendation.)

No. 27 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans and data exfiltration from VA networks. (This is a modified repeat recommendation from prior years.)

No. 28 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of unauthorized software on agency devices. (This is a repeat recommendation from prior years.)

No. 29 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a repeat recommendation from prior years.)

No. 30 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement procedures for overseeing contractor-managed cloud-based systems and ensure information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from prior years.)

No. 31 (Closed and Implemented) to Veterans Health Administration (VHA)
We recommended the Acting Assistant Secretary for Information and Technology implement mechanisms for updating the systems inventory, including contractor-managed systems and interfaces, and provide this information in accordance with Federal reporting requirements. (This is a modified repeat recommendation from prior years.)