Federal Information Security Modernization Act Audit for Fiscal Year 2018

Report Information

Issue Date:
Report Number: 18-02127-64
VA Office: Office of the Secretary (SVA); Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 28
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP to assess VA’s information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to conduct annual reviews of their information security programs and report the results to the Department of Homeland Security. CliftonLarsonAllen LLP found that VA continues to face significant challenges complying with FISMA requirements. The report identifies several key areas in which VA’s information security program should improve. Security-related issues contributed to an information technology material weakness reported in the fiscal year (FY) 2018 audit of VA’s Consolidated Financial Statements, which VA needs to address. VA also needs to improve deployment of security patches, system upgrades, and system configurations. These improvements will mitigate significant security vulnerabilities and enforce a consistent process across all field offices. To ensure controls are operating as intended at all facilities, VA should also improve performance monitoring. Finally, VA needs to communicate identified security deficiencies to the appropriate personnel so they can take corrective actions that will mitigate these risks. Because CliftonLarsonAllen LLP is responsible for the findings and recommendations included in this report, the OIG is not expressing an opinion on VA’s information security program in place during FY 2018. This report provides 28 recommendations from CliftonLarsonAllen LLP for improving VA’s information security program. The Principal Deputy Assistant Secretary for Information and Technology concurred with 25 of the recommendations. The OIG believes the three remaining recommendations warrant further attention from VA and will follow up on the issues during the FY 2019 FISMA audit.
The OIG’s independent auditors will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions during the FY 2019 assessment.

Recommendations

No. 1
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology consistently implement the agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a modified repeat recommendation from prior years.)

No. 2
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 3
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all identified weaknesses are incorporated into the Governance Risk and Compliance tool in a timely manner, and corresponding Plans of Action and Milestones are developed to track corrective actions and remediation. (This is a repeat recommendation from prior years.)

No. 4
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement clear roles, responsibilities, and accountability for developing, maintaining, completing, and reporting on Plans of Action and Milestones. (This is a repeat recommendation from prior years.)

No. 5
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)

No. 6
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and security control assessments on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)

No. 7
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)

No. 8
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)

No. 9
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)

No. 10
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a modified repeat recommendation from prior years.)

No. 11
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)

No. 12
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)

No. 13
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)

No. 14
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved network access controls to restrict medical devices from the general network and ensure that databases, file shares, and management devices are adequately secured prior to connecting to VA’s network. (This is a modified repeat recommendation from prior years.)

No. 15
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)

No. 16
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)

No. 17
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved procedures to enforce a standardized system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)

No. 18
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for ensuring that backup data is adequately secured in accordance with organizational policy. (This is a repeat recommendation from prior years.)

No. 19
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved processes for the review of system outages and disruptions for contingency plan improvements in accordance with defined policy. (This is a modified repeat recommendation from prior years.)

No. 20
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology identify all external network interconnections and implement improved processes for monitoring VA networks, systems, and connections for unauthorized activity. (This is a repeat recommendation from prior years.)

No. 21
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement more effective agency-wide incident response procedures to ensure timely reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)

No. 22
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)

No. 23
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a modified repeat recommendation from prior years.)

No. 24
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a modified repeat recommendation from prior years.)

No. 25
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a modified repeat recommendation from prior years.)

No. 26
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement improved procedures for overseeing contractor-managed systems and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)

No. 27
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology implement mechanisms for updating the VA systems inventory, including contractor-managed systems and interfaces, and provide this information in accordance with Federal reporting requirements. (This is a repeat recommendation from prior years.)

No. 28
Closed and Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology ensure appropriate levels of background investigations be completed for all personnel in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.