Report Summary

The OIG contracted with CliftonLarsonAllen LLP (CLA) to evaluate VA’s information security program for FY 2021 for compliance with the Federal Information Security Modernization Act. CLA evaluated 50 major applications and general support systems hosted at 24 VA sites and on the VA Enterprise Cloud. CLA concluded that VA continues to face significant challenges meeting requirements and made 26 recommendations. The FY 2020 FISMA report also provided 26 recommendations for improvement; some recommendations were modified or not closed because of repeat deficiencies. CLA recommended that VA address security-related issues that contributed to the information technology material weakness reported in the FY 2021 audit of VA’s consolidated financial statements and improve deployment of security patches, system upgrades, and system configurations to mitigate significant security vulnerabilities and enforce a consistent process across all field offices. CLA also recommended VA improve performance monitoring to ensure controls operate as intended at all facilities and communicate identified security deficiencies to mitigate significant risks. CLA will follow up on the outstanding recommendations in the FY 2022 audit of VA’s information security program.