OIG Found VA ICAM Governance Needs Improvement

Published: September 07, 2022

Tags: Federal Market Analysis | Cybersecurity | VA

The VA Office of Inspector General (OIG) concluded that VA did not effectively manage and coordinate ICAM functions, owing to the lack of agreement among different VA offices on program governance.

Last month, the VA OIG released its findings regarding the VA’s governance of its Identity, Credential, and Access Management (ICAM) program.

Federal ICAM programs are required to meet four OMB requirements:

  1. Establish an agency-wide ICAM office, team, or other governance structure to effectively enforce ICAM efforts. In addition, the chief operating officers or the agency equivalents must ensure regular coordination among agency leaders to implement, manage, and maintain the ICAM policies, processes, and technologies.
  2. Define and maintain a single comprehensive ICAM policy, process, and technology solution roadmap.
  3. Outline performance expectations for security and privacy risk management.
  4. Incorporate digital identity risk management into existing federal processes as outlined in the National Institute of Standards and Technology (NIST) guidelines.

The VA OIG found that the department's ICAM program did not meet three of the four program requirements. Specifically, roles and responsibilities to effectively manage and coordinate ICAM efforts were not assigned. The VA did not implement a single comprehensive ICAM policy, nor did it meet the goals established in its technology solutions roadmap for FY 2020 and 2021. And the VA did not implement the updated NIST digital identity risk management requirements.

The OIG attributed most of these issues to a lack of cooperation and internal confusion among the different VA offices performing ICAM functions. These offices “have not agreed on how the program should be governed, creating an obstacle to implementing OMB’s requirements,” according to the report. “Without proper ICAM governance, the VA is at risk of restricting information from users who need it to perform their job functions and leaving information vulnerable to improper use.”

The OIG recommended the following:

  • Designate roles and responsibilities for all program offices involved in VA’s ICAM program.
  • Establish appropriate oversight and coordination between designated program offices to implement a comprehensive ICAM policy.
  • Update and publish the VA directive and handbook associated with identity and access management to include current NIST requirements.
  • Update and publish VA directives and handbooks associated with the Homeland Security Presidential Directive 12 Program and VA’s personnel security and suitability program.

The VA agreed with the OIG’s findings and recommendations. The OIG also found the VA’s corresponding corrective action plans acceptable and will monitor VA’s progress.