Report Summary

Title: VA Needs to Improve Governance of Identity, Credential, and Access Management Processes
Report Number: 22-00210-191
Issue Date: 8/3/2022
City/State:
VA Office: Office of the Secretary
Report Author: Office of Audits and Evaluations
Report Type: Review
Release Type: Unrestricted
Summary:

Identity, credential, and access management (ICAM) is a set of tools, policies, and systems used to ensure the right individual has access to the right resource, at the right time, for the right reason in support of federal business objectives. In February 2021, the VA Office of Inspector General (OIG) received a hotline complaint claiming the Office of the Assistant Secretary for Human Resources and Administration/Operations, Security, and Preparedness and the Office of Information and Technology have not agreed since 2016 on roles and responsibilities for VA’s ICAM program. This has contributed to VA not being able to effectively comply with Office of Management and Budget (OMB) policy. The OIG conducted this review to determine whether VA is effectively governing its ICAM program as required.

The OIG found VA did not effectively manage and coordinate its ICAM program because it did not meet three of the four OMB governance requirements. Specifically, VA did not effectively assign roles and responsibilities, implement a single comprehensive ICAM policy, meet goals established in its technology solutions roadmap for fiscal years 2020 and 2021, or implement updated digital identity risk management requirements.

These issues occurred primarily because leaders of the different offices performing VA’s ICAM functions have not agreed on how it should be governed. Without proper governance, VA risks both restricting information from users who need it to perform their job functions and leaving information vulnerable to improper use.

The OIG recommended the VA deputy secretary designate roles and responsibilities for all program offices involved in the ICAM process and ensure appropriate oversight and coordination. The OIG also made recommendations to the assistant secretary for information and technology and to the assistant secretary for human resources and administration/operations, security, and preparedness.