Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Dallas, Texas

The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Dallas Consolidated Mail Outpatient Pharmacy (CMOP) because it had not been previously visited as part of the annual FISMA audit. The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their level of risk: configuration management controls, contingency planning controls, security management controls, and access controls. The OIG found deficiencies in configuration management and access controls at the Dallas CMOP, but none in contingency planning or security management controls. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended and to the extent needed to support the CMOP’s missions. The access control deficiencies create risks of unauthorized access to critical network resources, inability to respond effectively to incidents, loss of personally identifiable information, or loss of life. The OIG made 10 recommendations to the Dallas CMOP director aimed at fixing the control deficiencies. The assistant secretary for information and technology provided comments for the Dallas CMOP. The assistant secretary concurred with nine recommendations and did not concur with one recommendation. The OIG disagrees with the nonconcurrence.