Title: VA Applications Lacked Federal Authorizations, and Interfaces Did Not Meet Security Requirements
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
The Federal Risk and Authorization Management Program (FedRAMP) standardizes security and risk assessments for cloud technologies for federal agencies, including VA. In April 2019, the VA Office of Inspector General (OIG) received allegations that VA’s Office of Information and Technology’s (OIT’s) Project Special Forces (PSF) was not following FedRAMP policies or VA policy for deploying software-as-a-service (SaaS) applications. The OIG found that OIT granted security authorizations for applications that were not authorized by FedRAMP. Eight of the nine applications cited by the complainant were in use on the VA network—some without FedRAMP or VA authorization. Another three applications were approved to operate on VA’s network without FedRAMP authorization. The OIG did not substantiate that PSF-developed applications were improperly managed outside the VA Enterprise Cloud group. However, PSF did not follow VA security requirements in developing interfaces that allow third parties to “plug into” the VA to send and retrieve data. OIT personnel stated that there was no formal OIT authorization process until April 2019. After that date, the review team did not find instances of VA-authorized applications without FedRAMP authorization. OIT staff also misunderstood the FedRAMP authorization requirements for SaaS applications containing data classified as less sensitive.