VA Continues Moving toward Full Compliance with Geospatial Data Covered Agency Responsibilities

Report Information

Issue Date
Closure Date
Report Number: 24-00122-247
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 2
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducted this audit to determine whether VA complied with the law governing geospatial data and to follow up on recommendations from its previous report. VA’s administrations rely on geospatial data when supporting budgets, performing strategic planning, and making policy decisions to provide health care, benefits, and burial services to veterans.

In its previous report, the OIG found VA was not compliant with three covered agency requirements: VA was not compliant with requirements 1 and 3 because all necessary actions had not been completed, and VA was not compliant with requirement 9 because it had not met additional recommended criteria to protect personal privacy and maintain confidentiality. Since the previous report, VA continues to move toward compliance. For this audit, the OIG found VA was not compliant with two of the 12 requirements. According to VA officials, VA does not collect, hold, manage, or consume declassified geospatial data, and the OIG team did not find evidence to the contrary, making the related requirement not applicable.

While VA was found not compliant with requirements 5 and 9, the OIG only made two recommendations regarding requirement 9 because VA is working toward satisfying requirement 5. The OIG’s two recommendations follow: (1) reevaluate the risk determination for the Veterans Health Administration Geographic Information System and determine if the system should be set to a security categorization level of moderate based on the personally identifiable information and other sensitive data maintained in the system and (2) reassess whether the security incidents were a breach and instruct staff associated with the incident response process that each security and privacy incident that occurs must be captured on a separate Privacy Security Events Tracking System ticket and investigation details must be accurately documented and confirmed.

No. 1
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 1/23/2025

Reevaluate the risk determination for the Veterans Health Administration Geographic Information System and determine if the system should be set to a security categorization level of “moderate” based on the personally identifiable information and other sensitive data maintained in the system.

No. 2
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 1/23/2025

Ensure the Data Breach Response Service director instructs staff associated with the incident response process that each security and privacy incident that occurs must be captured on a separate Privacy Security Events Tracking System ticket, confirms document investigation details are accurate, and reassesses whether the security incidents were a breach.