Review of Alleged Mismanagement of Systems to Drive Performance Project

We evaluated the merits of allegations that VA did not use an appropriate contract vehicle to develop and implement the “Systems to Drive Performance” (STDP) dashboard, a system to track cost accounting data to facilitate senior leadership decision making. We did not substantiate the allegations regarding an inappropriate STDP contract vehicle, inadequate system testing, and system redundancy. However, we substantiated the allegation that VA did not adequately protect sensitive information from unauthorized access and disclosure. Specifically, we determined that more than 20 system users had inappropriate access to sensitive STDP information. VA’s National Data Systems Group did not consistently approve requests for user access to STDP. Further, project managers did not report unauthorized access as a security event. STDP project managers were not fully aware of VA’s security requirements for system development, nor had they formalized user account management procedures. Inadequate Information Security Officer oversight contributed to weaknesses in user account management and failure to report excessive user privileges as security violations. The Principal Deputy Assistant Secretary for Information Technology and the Assistant Secretary for Management agreed with our findings and recommendations.