The Department of Veterans Affairs needs to do more to strengthen cybersecurity, such as determining and addressing the areas that pose the greatest risks, the Government Accountability Office found. Although VA has implemented many GAO recommendations, risks to sensitive information remain.
The Department of Veterans Affairs (VA) has faced long-standing challenges in its efforts to deploy information technology (IT) initiatives in two critical areas needing modernization: the department’s aging health information system, known as the Veterans Health Information Systems and Technology Architecture (VistA); and VA’s outdated, non-integrated financial and acquisition management systems requiring complex manual work processes that have contributed to the department reporting financial management system functionality as a material weakness. Specifically,
- GAO has reported on the challenges that the department has faced with its three previous unsuccessful attempts to modernize VistA over the past 20 years. In February 2021, GAO reported that VA had made progress toward implementing its fourth effort—a modernized electronic health record system. However, GAO stressed that the department needed to address all critical severity test findings (that could result in system failure) and high severity test findings (that could result in system failure, but have acceptable workarounds) before deploying the system at future locations.
- In March 2021, GAO reported on the department’s Financial Management Business Transformation, a program intended to modernize financial and acquisition systems. GAO found that VA had generally adhered to best practices in the areas of program governance, project management, and testing. However, the department had not fully met best practices for developing and managing cost and schedule estimates. GAO recommended that VA follow such practices to help minimize the risks of cost overruns and schedule delays.
GAO has also reported that VA has struggled to secure information systems and associated data; implement information security controls and mitigate known security deficiencies; establish key elements of a cybersecurity risk management program; and identify, assess, and mitigate the risks of information and communications technology supply chains. GAO has made numerous recommendations to VA to address these areas. Many of those recommendations have been addressed, but others have not been fully implemented.
VA has demonstrated mixed results in implementing key provisions of the Federal Information Technology Acquisition Reform Act (commonly referred to as FITARA). Specifically, VA has made substantial progress in improving its licensing of software, which led it to identify $65 million in cost savings. Further, it has made some progress in consolidating its data centers and achieving cost savings and avoidances. However, it has made limited progress in addressing requirements related to managing IT investment risk and enhancing the authority of its Chief Information Officer. Fully implementing the act’s provisions would position the department to deliver better service to our veterans through modern, secure technology.
GAO has made numerous recommendations in recent years aimed at improving VA’s IT system modernization efforts, cybersecurity program, and implementation of key FITARA provisions. While VA has generally agreed with these recommendations, it still needs to implement many of them.