VA Looks to Implement New Risk Assessment Framework – MeriTalk


The Department of Veterans Affairs (VA) is looking to implement a new risk assessment framework that will bring standardization and consistency to authorization decisions.

The move comes in response to a repeat recommendation from the VA Office of Inspector General (OIG). In its Federal Information Security Modernization Act Audit for Fiscal Year 2022, the VA OIG made 26 recommendations for the VA to improve its information security program – the same number of recommendations as in fiscal year (FY) 2021.

Despite the VA’s efforts to close the recommendations, the OIG said some have been repeated for multiple years.

Nevertheless, Kurt DelBene, VA’s chief information officer (CIO) and assistant secretary for information and technology, pledged his commitment to addressing these recommendations.

Specifically, the OIG recommended that DelBene consistently implement an improved continuous monitoring program in accordance with the National Institute of Standards and Technology (NIST) Risk Management Framework. The OIG called on the CIO to implement an independent security control assessment process to “evaluate the effectiveness of security controls prior to granting…
