
Mission Accountability Support Tracker Lacked Sufficient Security Controls

Report Information

Issue Date:
Report Number: 21-03080-142
VA Office: Office of the Secretary (SVA)
Report Author: Office of Audits and Evaluations
Report Type: Review
Report Topic: Information Technology and Security
Major Management Challenges: Benefits for Veterans
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) evaluated the merits of a May 2021 hotline complaint alleging that the Veterans Benefits Administration (VBA) disregarded privacy procedures so it could more quickly use a workload tracking system without receiving the appropriate security authorization. The Mission Accountability Support Tracker (MAST) helps quantify the work VBA’s support services staff perform in response to employee requests for facility, equipment, and vehicle management; reasonable accommodation; and identification card issuance and renewal. Because staff use personally identifiable information (PII) in their work, the information could be compromised in an unauthorized, unsecure application.

The complaint also alleged that VBA knew that MAST did not have an approved privacy threshold analysis or privacy impact assessment, yet trained staff on using the system and knowingly “loaded” PII into the application. The privacy threshold analysis and privacy impact assessment mitigate the risk of unauthorized access and subsequent data misuse, changes, loss, or disclosure. The assessments also help ensure that systems or applications have security controls that are appropriate for the sensitivity of the information stored.

The OIG found that VBA and the Office of Information and Technology (OIT) did not correctly follow privacy and security procedures. VBA’s privacy threshold analysis was inaccurate, and OIT did not conduct a privacy impact assessment. OIT’s misclassification of MAST as an asset resulted in insufficient security controls. Further, VBA lacked the authority to operate MAST before using it in regional offices.

The OIG made four recommendations to ensure future information technology projects follow an approved management process and that VBA provides sufficient guidance to staff to ensure MAST is used as intended while keeping the PII of VA employees and contractors safe and secure.

No. 1
Status: Closed and Implemented
to Information and Technology (OIT)
The OIG recommends the Assistant Secretary for Information and Technology develop controls to help ensure minor applications are not misclassified as assets and undergo the appropriate security accreditation and certification process.
No. 2
Status: Closed and Implemented
to Information and Technology (OIT), Veterans Benefits Administration (VBA)
The OIG recommends the Assistant Secretary for Information and Technology, in conjunction with the Under Secretary for Benefits, make certain that appropriate security and privacy controls are implemented during the development of information technology systems before being hosted on VA’s network.
No. 3
Status: Open
to Information and Technology (OIT), Veterans Benefits Administration (VBA)
The OIG recommends the Under Secretary for Benefits, in conjunction with the Assistant Secretary for Information and Technology, establish a mechanism to gain assurance that proper Office of Information Technology project management processes and protocols are followed when establishing information technology systems and applications.
No. 4
Status: Closed and Implemented
to Veterans Benefits Administration (VBA)
The OIG recommends the Under Secretary for Benefits establish policies and procedures to ensure the Mission Accountability Support Tracker is used appropriately and does not contain unnecessary personally identifiable information.