Federal Information Security Modernization Act Audit for Fiscal Year 2019

Report Information

Issue Date:
Report Number: 19-06935-96
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Report Topic: FISMA
Recommendations: 25
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The Federal Information Security Modernization Act (FISMA) requires annual evaluations of the information security program at each federal agency. The Department of Homeland Security and the Office of Management and Budget review the results, which are used to develop a report to Congress on agencies’ compliance with FISMA. The OIG contracted with an independent public accounting firm to assess VA’s information security program for fiscal year (FY) 2019, in accordance with FISMA.

CliftonLarsonAllen LLP evaluated 49 major applications and general support systems hosted at 24 VA facilities that support the Veterans Health Administration, Veterans Benefits Administration, and National Cemetery Administration. The firm concluded that VA continues to face significant challenges meeting FISMA requirements and made 25 recommendations, all of which were repeated or modified from previous reports on FISMA compliance.

The firm recommended that VA address the security-related issues that contributed to the information technology weakness reported in the FY 2019 audit of VA’s consolidated financial statements. It also recommended improving the deployment of security patches, system upgrades, and system configurations that would mitigate significant security vulnerabilities, and enforcing a consistent process across field offices. Another recommendation was to improve performance monitoring to ensure controls are operating as intended, and to communicate identified security deficiencies to appropriate personnel.

VA successfully closed three previous recommendations for FISMA compliance in FY 2019. CliftonLarsonAllen LLP will follow up on the outstanding recommendations and evaluate VA’s corrective actions during its FISMA audit for FY 2020. If VA continues to delay corrective actions, a material weakness in information technology security controls may be reported in the FY 2020 audit of VA’s consolidated financial statements.

Recommendation status legend: Open | Closed-Implemented | Closed-Not Implemented
No. 1
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology consistently implement an improved continuous monitoring program in accordance with the NIST Risk Management Framework. Specifically, implement an independent security control assessment process to evaluate the effectiveness of security controls prior to granting authorization decisions. (This is a modified repeat recommendation from prior years.)
No. 2
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved mechanisms to ensure system stewards and information system security officers follow procedures for establishing, tracking, and updating Plans of Action and Milestones for all known risks and weaknesses including those identified during security control assessments. (This is a modified repeat recommendation from prior years.)
No. 3
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement controls to ensure that system stewards and responsible officials obtain appropriate documentation prior to closing Plans of Action and Milestones. (This is a modified repeat recommendation from prior years.)
No. 4
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, include an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated. (This is a repeat recommendation from prior years.)
No. 5
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved processes for reviewing and updating key security documents such as security plans and interconnection agreements on an annual basis and ensure the information accurately reflects the current environment. (This is a modified repeat recommendation from prior years.)
No. 6
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure compliance with VA password policy and security standards on domain controls, operating systems, databases, applications, and network devices. (This is a repeat recommendation from prior years.)
No. 7
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement periodic reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from prior years.)
No. 8
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology enable system audit logs on all critical systems and platforms and conduct centralized reviews of security violations across the enterprise. (This is a repeat recommendation from prior years.)
No. 9
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology fully implement two-factor authentication to the extent feasible for all user accounts throughout the agency. (This is a repeat recommendation from prior years.)
No. 10
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement more effective automated mechanisms to continuously identify and remediate security deficiencies on VA’s network infrastructure, database platforms, and web application servers. (This is a repeat recommendation from prior years.)
No. 11
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement a more effective patch and vulnerability management program to address security deficiencies identified during our assessments of VA’s web applications, database platforms, network infrastructure, and workstations. (This is a repeat recommendation from prior years.)
No. 12
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology maintain a complete and accurate security baseline configuration for all platforms and ensure all baselines are appropriately implemented for compliance with established VA security standards. (This is a repeat recommendation from prior years.)
No. 13
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved network access controls that restrict medical devices from systems hosted on the general network. (This is a modified repeat recommendation from prior years.)
No. 14
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology consolidate the security responsibilities for networks not managed by the Office of Information and Technology under a common control for each site and ensure vulnerabilities are remediated in a timely manner. (This is a repeat recommendation from prior years.)
No. 15
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved processes to ensure that all devices and platforms are evaluated using credentialed vulnerability assessments. (This is a repeat recommendation from prior years.)
No. 16
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved procedures to enforce standardized system development and change control processes that integrate information security throughout the life cycle of each system. (This is a repeat recommendation from prior years.)
No. 17
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology review system boundaries, recovery priorities, system components, and system interdependencies and implement appropriate mechanisms to ensure that established system recovery objectives are met. (This is a modified repeat recommendation from prior years.)
No. 18
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely notification, reporting, updating, and resolution of computer security incidents in accordance with VA standards. (This is a repeat recommendation from prior years.)
No. 19
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology ensure that VA’s Cybersecurity Operations Center has full access to all security incident data to facilitate an agency-wide awareness of information security events. (This is a repeat recommendation from prior years.)
No. 20
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved safeguards to identify and prevent unauthorized vulnerability scans on VA networks. (This is a repeat recommendation from prior years.)
No. 21
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved measures to ensure that security control deficiencies are tracked individually instead of consolidating security deficiencies under one control. (This is a modified repeat recommendation from prior years.)
No. 22
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology fully develop a comprehensive list of approved and unapproved software and implement continuous monitoring processes to prevent the use of prohibited software on agency devices. (This is a repeat recommendation from prior years.)
No. 23
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology develop a comprehensive inventory process to identify connected hardware, software, and firmware used to support VA programs and operations. (This is a repeat recommendation from prior years.)
No. 24
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Assistant Secretary for Information and Technology implement improved procedures for monitoring contractor-managed systems and services and ensure information security controls adequately protect VA sensitive systems and data. (This is a modified repeat recommendation from prior years.)
No. 25
Status: Closed-Implemented
to Information and Technology (OIT)
We recommended the Executive in Charge for Information and Technology ensure appropriate levels of background investigations be completed for all personnel in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.