The Federal Information Security Modernization Act (FISMA) requires annual evaluations of the information security program at each federal agency. The Department of Homeland Security and the Office of Management and Budget review the results, which are part of a report to Congress on agencies’ compliance with FISMA.
The VA Office of Inspector General (OIG) contracted with an independent public accounting firm to assess VA’s information security program for fiscal year (FY) 2020. CliftonLarsonAllen LLP evaluated 48 major applications and general support systems hosted at 24 VA sites that support VA’s three administrations.
The firm concluded that VA continues to face significant challenges meeting FISMA requirements and made 26 recommendations for improving VA’s information security program. Specifically, VA should address security-related issues that contributed to the information technology material weakness reported in the FY 2020 audit of VA’s consolidated financial statements, improve deployment of security patches, system upgrades, and system configurations that will mitigate significant security vulnerabilities and enforce a consistent process across all field offices. The firm also recommended VA improve performance monitoring to ensure controls are operating as intended at all facilities and communicate identified security deficiencies so the appropriate personnel can mitigate significant risks.
Two recommendations from previous years were closed, and three new recommendations were added. Some recommendations were modified or not closed because relevant information security control deficiencies were repeated. Despite VA’s commitment that the recommendations would be closed, some of them have been repeated for multiple years.
CliftonLarsonAllen LLP will follow up on the outstanding recommendations in the FY 2021 audit of VA’s information security program. The OIG remains concerned that continuing delays in effectively addressing the recommendations could contribute to reporting a material weakness in VA’s information technology security controls during the FY 2021 audit of the department’s consolidated financial statements.