In response to a confidential hotline allegation, the U.S. Department of Veterans Affairs' Office of Inspector General (VA OIG) has issued its report evaluating whether the VA’s approach for information system certification and storing sensitive data on Apple mobile devices circumvents information security requirements.

Sen. Jon Kyl (R-Ariz.) also requested that the VA OIG evaluate whether VA’s approach for only storing sensitive data on encrypted mobile device applications meets Federal Information Security Management Act of 2002 (FISMA) requirements.

“We determined VA was not circumventing FISMA certification and accreditation requirements by suspending security control testing and granting operational waivers for existing information systems,” according to information posted on the organization’s website. “We also determined that VA’s approach for allowing only certified applications to access sensitive data or storing encrypted data on the mobile device met FISMA information security requirements for data protection.”

The VA OIG noted, however, that VA could improve management controls by ensuring an accurate inventory and consistent configuration of mobile devices deployed enterprisewide.

The VA OIG made the following two recommendations:

1. The assistant secretary for information and technology implement minimally acceptable baseline security configuration requirements for VA mobile devices in accordance with FISMA.
2. The assistant secretary centrally manage the distribution of VA mobile devices to ensure they are accurately inventoried and configured in accordance with minimum security standards.

The assistant secretary for information and technology concurred with the findings and recommendations, according to the agency. The entire review is available on the VA OIG website.