A new report from the Department of Veterans Affairs (VA) Office of Inspector General (OIG) found that the agency is not effectively managing or coordinating its identity, credential, and access management (ICAM) program, and because of that is leaving information vulnerable to cyber intrusions.
According to the OIG, the VA’s ICAM program did not meet three of the four Federal requirements set by the Office of Management and Budget (OMB).
Specifically, the VA failed to assign roles and responsibilities for ICAM management and coordination efforts, implement a single ICAM policy or meet goals set by its technology solutions roadmap, or implement updated National Institute of Standards and Technology (NIST) digital identity risk management requirements.
“These issues occurred primarily because leaders of the different offices performing VA’s ICAM functions have not agreed on how the program should be governed, creating an obstacle to implementing OMB’s requirements,” the report says. “Without proper ICAM governance, VA is at risk of both restricting information from users who need it to perform their job functions and leaving information vulnerable to improper use.”
Additionally, the report says VA is also at risk of being unable to address the OIG’s Federal Information Security Modernization Act (FISMA) audit findings of deficiencies in ICAM processes.
The OIG said the VA “risks leaving its systems vulnerable to compromise by impostors who may gain access to protected information,” if it continues to fall short of Federal ICAM requirements.
The report recommends the VA designate roles and responsibilities for all program offices involved with ICAM, in addition to ensuring proper oversight and coordination are in place. It also recommends VA update and publish ICAM directives and handbooks with current NIST requirements, as well as one “associated with the Homeland Security Presidential Directive 12 Program and VA’s personnel security and suitability program as required by VA’s enterprise directives management procedures.”
The VA agreed with all of the report’s findings and recommendations.