VA's Federal Information Security Modernization Act Audit for Fiscal Year 2016

Veterans Affairs Office of Inspector General (OIG) sent this bulletin at 06/21/2017 12:19 PM EDT

Having trouble viewing this email? View it as a Web page.

You are subscribed to Oversight Reports for Veterans Affairs Office of Inspector General (OIG). This information has recently been updated, and is now available.

06/20/2017 08:00 PM EDT

The Federal Information Security Modernization Act (FISMA) of 2014 requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices. Our FY 2016 audit determined whether VA’s information security program complied with FISMA requirements and applicable National Institute for Standards and Technology guidelines. We contracted with the independent accounting firm CliftonLarsonAllen LLP to perform this audit. VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security continuous monitoring and risk management program to meet FISMA requirements. While some improvements were noted, this audit identified continuing significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Weaknesses in access and configuration management controls resulted from VA not fully implementing security standards on all servers, databases, and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, databases, and server platforms VA-wide. Further, VA has not remediated approximately 7,200 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its information security posture. As a result, the FY 2016 Consolidated Financial Statement audit concluded that a material weakness still exists in connection with VA’s information security program. This report contains 33 recommendations for improving VA’s information security program. We recommended the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems. The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations. We will monitor the implementation of corrective action plans.

Update your subscriptions, modify your password or e-mail address, or stop subscriptions at any time on your Subscriber Preferences Page. You will need to use your e-mail address to log in. If you have questions or problems with the subscription service, please contact subscriberhelp.govdelivery.com. All other inquiries can be directed to vaoig.reportsstaff@va.gov.

This service is provided to you at no charge by Veterans Affairs Office of Inspector General (OIG).