FEDweek IT

The Department of Veterans Affairs has made progress developing information security policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet requirements under the Federal Information Security Management Act, the department’s inspector general has said.

Following an audit by CliftonLarsonAllen LLP, the IG said that while some improvements were noted, FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.

Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices, the IG said.

It said the department also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide.

Further, VA has not remediated approximately 6,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture, according to the audit.