The VA Office of Inspector General (OIG) conducted this audit to determine if VA is effectively assessing and monitoring security and privacy controls for cloud computing in accordance with federal guidance. Based on the audit team’s findings, the team also assessed VA’s process for monitoring cloud service performance levels.
What the Audit Found
The audit team did not identify deficiencies in how VA completed the first six steps of the NIST risk management framework: preparing, categorizing, selecting, implementing, assessing, and authorizing controls. However, the team found deficiencies related to monitoring in step seven.5 Notably, VA has not yet updated its guidance on security and privacy controls following a September 2020 change to NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.6Although OIT staff informed the team that they are working on updating the related policy, procedures, and directives, the team found systems were not compliant with the revised guidance as of June 2023. According to OIT, the anticipated policy adoption date is December 2023. The audit team made two determinations related to weaknesses in the oversight and monitoring of its VAEC systems. This was due in part to OIT not effectively overseeing the management of security and privacy controls to make sure the systems and the information they contain are protected commensurate with the risk associated with their misuse or unauthorized disclosure. The OIG examined the six infrastructure systems and a sample of seven of the systems hosted on that infrastructure. For those 13 VAEC systems reviewed, the team found sufficient controls for 18 of the 20 security and privacy control families.7The two control families in which deficiencies were found were in the areas of securing personally identifiable information and supply chain management. Further, because required documentation was not always uploaded, the audit team could not verify that ongoing monitoring was occurring. Although no incursions or other impacts were identified in the course of this audit, VA will continue to lack assurance that VAEC controls are working as designed until it finishes updating its guidance and improves active monitoring of these systems…
Want to get involved with OS AI? - A small number of Sponsorship Opportunities are now available here. Starting at $500.