Sunday, January 12, 2025

VA OIG: Federal Information Security Modernization Act Audit for Fiscal Year 2019

Objective

“The objective of this audit was to determine the extent to which VA’s information security program and practices comply with Federal Information Security Modernization Act (FISMA) requirements, Department of Homeland Security (DHS) reporting requirements, and applicable Office of Management and Budget (OMB) and National Institute for Standards and Technology (NIST) guidance. The VA Office of Inspector General (OIG) contracted with the independent accounting firm CliftonLarsonAllen LLP (CLA) to perform the FY 2019 FISMA audit.”

Overview

“Information security is a high-risk area Government-wide. Congress passed the Federal Information Security Modernization Act of 2014 (Public Law 113-283) in an effort to strengthen Federal information security programs and practices. FISMA provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets. We assessed VA’s information security program through inquiries, observations, and tests of selected controls supporting 49 major applications and general support systems at 24 VA facilities. In FY 2019, we identified specific deficiencies in the following areas:

  1. Agency-Wide Security Management Program
  2. Identity Management and Access Controls
  3. Configuration Management Controls
  4. System Development/Change Management Controls
  5. Contingency Planning
  6. Incident Response and Monitoring
  7. Continuous Monitoring
  8. Contractor Systems Oversight

This report provides 25 recommendations for improving VA’s information security program: 24 recommendations are included in the report body and one recommendation is provided in Appendix A.” Read the full audit here.

Source: Federal Information Security Modernization Act Audit for Fiscal Year 2019 – March 31, 2020. VA OIG.

Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
