Report Summary

Title: VA's Federal Information Security Modernization Act Audit for Fiscal Year 2016
Report Number: 16-01949-248
Issue Date: 6/21/2017
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations
Release Type: Unrestricted
Summary: The Federal Information Security Modernization Act (FISMA) of 2014 requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices. Our FY 2016 audit determined whether VA’s information security program complied with FISMA requirements and applicable National Institute for Standards and Technology guidelines. We contracted with the independent accounting firm CliftonLarsonAllen LLP to perform this audit. VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security continuous monitoring and risk management program to meet FISMA requirements. While some improvements were noted, this audit identified continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases, and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, databases, and server platforms VA-wide. Further, VA has not remediated approximately 7,200 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its information security posture. As a result, the FY 2016 Consolidated Financial Statement audit concluded that a material weakness still exists in connection with VA’s information security program.
This report contains 33 recommendations for improving VA’s information security program. We recommended the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems. The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations. We will monitor the implementation of corrective action plans.