VA’s Federal Information Security Modernization Act Audit for Fiscal Year 2017

Report Information

Issue Date
Report Number
17-01257-136
VA Office
Information and Technology (OIT)
Report Author
Office of Audits and Evaluations
Report Type
Audit
Recommendations
27
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

The Federal Information Security Modernization Act of 2014 (FISMA) requires each federal agency to develop, document, and implement an agencywide information security and risk management program. VA has made progress producing, documenting, and distributing policies and procedures as part of its program. However, VA still faces challenges in implementing components of its agencywide information security risk management program to meet FISMA requirements. This audit identified continuing significant deficiencies related to access, configuration management, and change management controls, as well as in the service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. The report includes 29 recommendations for improving VA’s information security program and an appendix addressing the status of prior recommendations and VA’s plans for corrective action. VA successfully closed four recommendations in FY 2017. The Executive in Charge for the Office of Information and Technology generally concurred with the recommendations and submitted adequate corrective action plans. The OIG will continue to evaluate VA’s progress during its audit of VA’s information security program in FY 2018, although the OIG remains concerned that ongoing delays in implementing effective corrective actions might contribute to the continued reporting of an information technology material weakness in this year’s audit of VA’s Consolidated Financial Statements.

Recommendation status legend: Open; Closed-Implemented; Closed-Not Implemented
No. 1
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology fully implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from prior years.)
No. 2
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from prior years.)
No. 3
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all identified weaknesses are incorporated into the Governance Risk and Compliance tool in a timely manner, and that corresponding Plans of Action and Milestones are developed to track corrective actions and remediation. (This is a repeat recommendation from prior years.)
No. 4
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement clear roles, responsibilities, and accountability for developing, maintaining, completing, and reporting on Plans of Action and Milestones. (This is a repeat recommendation from prior years.)
No. 5
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology develop mechanisms to ensure that system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and that all applicable security controls are properly evaluated. (This is a modified repeat recommendation from prior years.)
No. 6
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for reviewing and updating key security documents such as risk assessments and security control assessments on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)
No. 7
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)
No. 8
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)
No. 9
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)
No. 10
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology fully implement two-factor authentication for all network access methods throughout the agency. (This is a repeat recommendation from prior years.)
No. 11
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)
No. 12
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)
No. 13
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology maintain complete and accurate security baseline configurations for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a modified repeat recommendation from prior years.)
No. 14
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved network access controls to ensure that medical devices and networks not managed by the Office of Information and Technology are appropriately segregated from general networks and mission-critical systems. (This is a repeat recommendation from prior years.)
No. 15
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)
No. 16
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)
No. 17
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved procedures to enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)
No. 18
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for ensuring the encryption of backup data prior to transferring the data offsite for storage. (This is a repeat recommendation from prior years.)
No. 19
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for the testing of contingency plans and failover capabilities for critical systems to ensure that all components can be recovered at the assigned sites and within stated timeframes. (This is a modified repeat recommendation from prior years.)
No. 20
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and connections for unauthorized activity. (This is a repeat recommendation from prior years.)
No. 21
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)
No. 22
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology ensure that VA’s Network Security and Operations Center has full access to all security incident data to facilitate agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)
No. 23
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans and data exfiltration from VA networks. (This is a repeat recommendation from prior years.)
No. 24
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of unauthorized software on agency devices. (This is a repeat recommendation from prior years.)
No. 25
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a repeat recommendation from prior years.)
No. 26
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved procedures for overseeing contractor-managed cloud-based systems and ensure information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from prior years.)
No. 27
Status: Closed-Implemented
To: Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms for updating the systems inventory, including contractor-managed systems and interfaces, and provide this information in accordance with Federal reporting requirements. (This is a repeat recommendation from prior years.)