VA Needs to Improve Governance of Identity, Credential, and Access Management Processes

Report Information

Issue Date
Report Number: 22-00210-191
VA Office: Human Resources and Administration Office/Operations, Security, and Preparedness (HRA/OSP); Information and Technology (OIT); Office of the Secretary (SVA)
Report Author: Office of Audits and Evaluations
Report Type: Review
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

Identity, credential, and access management (ICAM) is a set of tools, policies, and systems used to ensure the right individual has access to the right resource, at the right time, for the right reason in support of federal business objectives. In February 2021, the VA Office of Inspector General (OIG) received a hotline complaint claiming the Office of the Assistant Secretary for Human Resources and Administration/Operations, Security, and Preparedness and the Office of Information and Technology have not agreed since 2016 on roles and responsibilities for VA’s ICAM program. This has contributed to VA not being able to effectively comply with Office of Management and Budget (OMB) policy.

The OIG conducted this review to determine whether VA is effectively governing its ICAM program as required. The OIG found VA did not effectively manage and coordinate its ICAM program because it did not meet three of the four OMB governance requirements. Specifically, VA did not effectively assign roles and responsibilities, implement a single comprehensive ICAM policy, meet goals established in its technology solutions roadmap for fiscal years 2020 and 2021, or implement updated digital identity risk management requirements. These issues occurred primarily because leaders of the different offices performing VA’s ICAM functions have not agreed on how it should be governed. Without proper governance, VA risks both restricting information from users who need it to perform their job functions and leaving information vulnerable to improper use.

The OIG recommended the VA deputy secretary designate roles and responsibilities for all program offices involved in the ICAM process and ensure appropriate oversight and coordination. The OIG also made recommendations to the assistant secretary for information and technology and to the assistant secretary for human resources and administration/operations, security, and preparedness.

No. 1
Status: Closed and Implemented
to Office of the Secretary (SVA)
Designate roles and responsibilities for all program offices involved in VA’s identity, credential, and access management program.
No. 2
Status: Open
to Office of the Secretary (SVA)
Provide appropriate oversight and ensure coordination between designated program offices to implement a comprehensive identity, credential, and access management policy.
No. 3
Status: Open
to Information and Technology (OIT)
Update and publish a VA directive and handbook associated with identity and access management that includes current National Institute of Standards and Technology requirements.
No. 4
Status: Open
to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)
Update and publish VA directives and handbooks associated with the Homeland Security Presidential Directive 12 Program and VA’s personnel security and suitability program as required by VA’s enterprise directives management procedures.