“Enclosed is the final audit report, Federal Information Security Modernization Act Audit for Fiscal Year 2018. The Office of Inspector General (OIG) contracted with the independent public accounting firm, CliftonLarsonAllen LLP, to assess the Department of Veterans Affairs’ (VA) information security program in accordance with the Federal Information Security Modernization Act (FISMA)…”
“According to findings by CliftonLarsonAllen LLP, VA continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program. In order to better achieve FISMA outcomes, VA needs to focus on several key areas, including specific actions that
- Address security-related issues that contributed to the information technology material weakness reported in the FY 2018 audit of VA’s Consolidated Financial Statements.
- Improve deployment of security patches, system upgrades, and system configurations that will mitigate significant security vulnerabilities and enforce a consistent process across all field offices.
- Improve performance monitoring to ensure controls are operating as intended at all facilities, and communicate identified security deficiencies to the appropriate personnel so they can take corrective actions to mitigate significant security risks…”
“This report provides 28 recommendations for improving VA’s information security program. Twenty-seven recommendations are included in the report body and one recommendation is provided in Appendix A. The recommendation in Appendix A addresses the status of a prior year recommendation and VA’s plans for corrective action. VA successfully closed one recommendation in FY 2018. Specifically, the OIG closed recommendation FY 2006-09 from a prior year as VA deployed solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities…”
“The Principal Deputy Assistant Secretary for Information and Technology concurred with 25 of 28 recommendations and provided acceptable action plans in response to these recommendations. While the Principal Deputy Assistant Secretary did not concur with three recommendations, the OIG believes these recommendations warrant further attention from VA and will follow up on these issues during the FY 2019 assessment…”
Read the full 33-page report here.
Source: Federal Information Security Modernization Act Audit for Fiscal Year 2018 – March 12, 2019. VA OIG.
