
Review of Alleged Unauthorized Access to VA Systems

Report Information

Issue Date
Report Number: 10-03516-229
VA Office: Acquisitions, Logistics, and Construction (OALC); Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Review
Recommendations: 0
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The Office of Inspector General evaluated allegations that certain contractors, without proper security clearances, gained unauthorized access to VA systems and networks, and whether VA was providing adequate oversight to ensure the contractor was meeting VA information security requirements. We substantiated the allegations that the contractor did not comply with VA information security policies for accessing mission critical systems and networks. Specifically, contractor personnel improperly shared user accounts when accessing VA networks and systems; did not readily initiate actions to terminate accounts of separated employees; and did not obtain appropriate security clearances or complete security training for access to VA systems and networks. Also, VA has not implemented oversight to ensure the contractor complies with VA information security policies and procedures, placing sensitive data at risk of inappropriate disclosure or misuse. We recommend that the Assistant Secretary for Information and Technology monitor contractor user accounts and terminate those for separated employees; ensure contractor personnel are vetted and trained prior to accessing VA systems; request a modification to the contract to reflect higher level personnel security requirements; and review the contractor’s current system security controls and practices to ensure compliance with VA requirements. The Department agreed with our findings and recommendations.