Monday, October 14, 2024

VA OIG: VA Applications Lacked Federal Authorizations, and Interfaces Did Not Meet Security Requirements

“In April 2019, the VA Office of Inspector General (OIG) received allegations that a division in VA’s Office of Information and Technology (OIT)—Project Special Forces (PSF)—was not following FedRAMP policies or VA policy for deploying software-as-a-service (SaaS) applications. The specific allegations concerned unauthorized applications and those applications managed outside established lines of authority:

  1. Unauthorized applications. OIT allegedly allowed SaaS applications that were not FedRAMP authorized to be used on VA’s network, and PSF allegedly advocated the use of nine unauthorized SaaS applications (including Dropbox, Google Drive, iCloud, GitLab, SlideShare, Evernote, Basecamp, Datadog, and PagerDuty), putting VA and veterans’ data at risk.
  2. Improperly managed applications. PSF allegedly was developing VA applications for the cloud that were managed outside the VA Enterprise Cloud group, which is responsible for the utilization of all VA cloud assets. While evaluating the merit of this allegation, the OIG also assessed whether PSF developed cloud-based applications and services in compliance with VA security standards. Federal and VA security standards are intended to protect data from unauthorized use. If OIT does not comply with these standards, VA and veterans’ data could be unnecessarily compromised.

What the Review Found

The OIG substantiated that OIT was not fully following FedRAMP policies or VA policy for SaaS applications (which was part of the first allegation). Specifically, OIT did not adhere to FedRAMP requirements when it granted security authorizations and the authority to operate on the VA network for applications that lacked prior FedRAMP authorization. In examining the second part of the allegation, the OIG found no evidence that PSF advocated for the nine applications cited by the complainant. However, eight of the nine applications were in use on the VA network—some without FedRAMP or VA authorization. The OIG also determined that seven of the SaaS applications were not granted authority to operate. This noncompliance occurred because OIT allowed some partners that did not meet VA security baselines to use external connections to VA’s network. OIT also used legacy SaaS applications it considered low risk while still in the authorization to operate process. Finally, certain SaaS applications were allowed through the VA firewall without assessing their risk…”

“What the OIG Recommended

The OIG made two recommendations to the acting chief information officer regarding the applications without federal authorization. First, determine whether to prevent employees from using the SaaS applications named in the allegation that lack authority to operate. Second, determine whether federal authorization is required for one of the additional 19 applications reviewed and obtain authorization or report the issue to the Federal Chief Information Officer. Regarding application programming interfaces, the OIG made two recommendations to the acting chief information officer to ensure that PSF improves security controls and documentation. First, either implement JavaScript Object Notation Web Encryption for Lighthouse application programming interfaces that transmit sensitive information and resource-sharing requirements for cross-origin resource sharing or seek exceptions to the standards. Second, implement alerts for application programming interface-related abuse to meet the standard…”

Access the full 39-page report here.

Source: VA Applications Lacked Federal Authorizations, and Interfaces Did Not Meet Security Requirements – December 2, 2021. VA OIG.


Jackie Gilbert
Jackie Gilbert is a Content Analyst for FedHealthIT and Author of 'Anything but COVID-19' on the Daily Take Newsletter for G2Xchange Health and FedCiv.
