
GAO Finds VA Security Risk Management Policies Lacking

What GAO Found

The Department of Veterans Affairs' (VA) risk management policies include some but not all of the elements of standards set by the Interagency Security Committee (ISC). ISC was established via executive order to develop security standards and best practices that federal agencies are to follow when developing and conducting risk assessments. As part of this process, VA's policy identifies minimum countermeasures as called for in ISC's standards. In other areas, VA policy only partially adheres or does not adhere to ISC's standards, for example:

  • Of the five factors ISC calls for when calculating a facility's security level, VA considers three but does not consider a facility's population and size.
  • VA policy does not include performance measures, such as the number of countermeasures in use or the percentage of facility assessments completed; this percentage is a key element of ISC's standards for assessing the effectiveness of an agency's security programs.

Officials at VA said that its risk management program was developed prior to the ISC standards' being issued in 2013 and that it is up to each agency to determine how to best apply the standards. Nevertheless, VA officials said they are currently reexamining their policies. Until VA reviews its policies in accordance with ISC standards, its approach to risk management may not yield the appropriate security posture needed to adequately protect its medical centers.

VA's oversight activities for risk management do not encompass key aspects of the Standards for Internal Control in the Federal Government and Circular A-123 from the Office of Management and Budget that require agencies to conduct oversight activities to ensure the accountability and effectiveness of agency programs. VA has an oversight process to ensure that biennial assessments of individual facilities' security are completed. However, VA:

  • does not review the quality of medical centers' required risk assessments,
  • does not identify whether countermeasures were implemented appropriately by the medical centers, and
  • does not collect system-wide data to gain an understanding of physical security issues across medical centers.

In the absence of a comprehensive VA-wide strategy or guidance that reflects these internal control standards, individual sites have established their own approaches to carrying out VA's risk management policy. 

Read More

https://www.gao.gov/products/GAO-18-201
