Report Summary

Title: VA Applications Lacked Federal Authorizations, and Interfaces Did Not Meet Security Requirements
Report Number: 20-00426-02
Issue Date: 12/2/2021
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Review
Release Type: Unrestricted
Summary:

The Federal Risk and Authorization Management Program (FedRAMP) standardizes security and risk assessments for cloud technologies for federal agencies, including VA. In April 2019, the VA Office of Inspector General (OIG) received allegations that VA’s Office of Information and Technology’s (OIT’s) Project Special Forces (PSF) was not following FedRAMP policies or VA policy for deploying software-as-a-service (SaaS) applications. The OIG found that OIT granted security authorizations for applications that were not authorized by FedRAMP. Eight of the nine applications cited by the complainant were in use on the VA network—some without FedRAMP or VA authorization. Another three applications were approved to operate on VA’s network without FedRAMP authorization. The OIG did not substantiate that PSF-developed applications were improperly managed outside the VA Enterprise Cloud group. However, PSF did not follow VA security requirements in developing interfaces that allow third parties to “plug into” the VA to send and retrieve data. OIT personnel stated that there was no formal OIT authorization process until April 2019. After that date, the review team did not find instances of VA-authorized applications without FedRAMP authorization. OIT staff also misunderstood the FedRAMP authorization requirements for SaaS applications containing data classified as less sensitive.

Failure to comply with FedRAMP standards increases the risk that VA and veterans’ data could be compromised. The OIG made four recommendations to the acting chief information officer: (1) determine whether to prevent use of the unauthorized SaaS applications; (2) determine whether the reviewed applications should be authorized or reported to the Federal Chief Information Officer; (3) implement alerts for interface-related abuse; and (4) either meet VA security requirements for application programming interfaces that transmit sensitive information and for cross-origin resource sharing, or seek exceptions to those standards. VA concurred with all recommendations.