Report Summary

Title: Inspection of Information Technology Security at the Consolidated Mail Outpatient Pharmacy in Dallas, Texas
Report Number: 21-03305-139 Download
Issue Date: 6/1/2022
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Release Type: Unrestricted

The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Dallas Consolidated Mail Outpatient Pharmacy (CMOP) because it had not been previously visited as part of the annual FISMA audit.

The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their level of risk: configuration management controls, contingency planning controls, security management controls, and access controls. The OIG found deficiencies in configuration management and access controls at the Dallas CMOP, but none in contingency planning or security management controls.

Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended and to the extent needed to support the CMOP’s missions. The access control deficiencies create risks of unauthorized access to critical network resources, inability to respond effectively to incidents, loss of personally identifiable information, or loss of life.

The OIG made 10 recommendations to the Dallas CMOP director aimed at fixing the control deficiencies. The assistant secretary for information and technology provided comments for the Dallas CMOP. The assistant secretary concurred with nine recommendations and did not concur with one recommendation. The OIG disagrees with the nonconcurrence.

Last Updated: