
A new report from the Department of Veterans Affairs (VA) Office of Inspector General (OIG) reveals that the user access controls in the agency’s Integrated Financial and Acquisition Management System (iFAMS) are not sufficient to protect sensitive VA data.
The VA is implementing iFAMS as part of its $8.6 billion Financial Management Business Transformation (FMBT) program. iFAMS is the VA’s third effort to replace its legacy financial management system since 1998.
“From a sample review of 20 iFAMS users, the OIG found that system access was not sufficiently limited as required for all users sampled, presenting a risk of unnecessary access to sensitive acquisition information,” the report says.
“Further, this problem could compound as more VA staff are added to iFAMS with each new wave,” it adds.
The agency watchdog said that 91% of the 2,818 users with access to the VA’s Technology Acquisition Center (TAC) data did not work for the TAC as of February 2025, yet they were requesting access to TAC information.
Additionally, the VA OIG found that 78% of these users had roles that granted exceptionally broad access to sensitive acquisition information, “presenting widespread risk of unnecessary access.”
The report explains that this risk occurred, in part, because iFAMS access controls were too broad, which makes it difficult for supervisors and organizations to grant users access only to the information they need.
It also found that quality reviews, which aim to ensure the appropriateness of user access, failed to include all necessary information for reviewers to validate all access granted.
Finally, the VA OIG notes that VA’s Identity and Access Management (IAM) system, which allows supervisors and information owners to see user roles and accesses, “does not show all accesses the users have been granted and therefore does not support comprehensive oversight.”
The VA OIG made three recommendations to the VA and urged corrective actions before the next scheduled iFAMS implementation wave.
Those recommendations include implementing a plan to ensure system access is more granular, ensuring all roles and accesses are reviewed and certified periodically as required, and implementing a permanent solution to provide supervisors and information owners with visibility of all roles and accesses.
The VA concurred with all three recommendations and said it aims to complete the corrective actions by May 2026.