What the Review Found
The OIG found that VA’s ICAM program did not meet three of the four OMB governance requirements; therefore, VA did not effectively manage and coordinate its ICAM efforts. 6 Specifically, VA did not assign roles and responsibilities to effectively manage and coordinate ICAM efforts, implement a single comprehensive ICAM policy or meet goals established in its technology solutions roadmap for fiscal years (FY) 2020 and 2021, or implement updated NIST digital identity risk management requirements.
These issues occurred primarily because leaders of the different offices performing VA’s ICAM functions have not agreed on how the program should be governed, creating an obstacle to implementing OMB’s requirements. Without proper ICAM governance, VA is at risk of both restricting information from users who need it to perform their job functions and leaving information vulnerable to improper use. VA also risks being unable to mitigate the OIG’s Federal Information Security Modernization Act (FISMA) audit findings of deficiencies in ICAM processes…
What the OIG Recommended
The OIG recommended the VA deputy secretary designate roles and responsibilities for all program offices involved in VA’s ICAM program. The deputy secretary should also provide and ensure appropriate oversight and coordination between designated program offices to implement a comprehensive ICAM policy. The OIG also recommended that the assistant secretary for information and technology update and publish the VA directive and handbook associated with identity and access management to include current NIST requirements. The OIG further recommended that the assistant secretary for HRA/OSP update and publish VA directives and handbooks associated with the Homeland Security Presidential Directive Program and VA’s personnel security and suitability program, as required by VA’s enterprise directives management procedures…
