2024-089: Perform an Evaluation of Student Information System Access Roles
Applicable to: Northern Virginia Community College
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Student Financial Assistance Cluster
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e)
Known Questioned Costs: $0

NVCC staff did not properly grant student information system roles and privileges. Specifically, we found that seven of 45 (16%) employees have access to financial aid data beyond what they need to complete their job responsibilities. The underlying cause of the improper access is that management did not align the assignment of access roles with the concept of least privilege and did not properly review the access levels of staff. By not assigning access based on job responsibilities, NVCC increases the risk that employees will hold access levels that neither align with the concept of least privilege nor allow for segregation of duties.

In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard) states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege.

NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege, taking job responsibilities into account.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
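The evaluation this finding calls for can be run as a repeatable access recertification check: reconcile each employee's assigned roles against the roles their job function actually needs, and test both the assignments and the entitlement matrix itself for conflicting role pairs. The following is an added example, not code from the audit report or from NVCC; the job functions, role names, segregation-of-duties pairs and the employee export are constructed for illustration.

```python
"""Least-privilege and segregation-of-duties recertification of SIS roles.

Added example, not from the audit report. Every job function, role name,
conflict pair and user below is constructed for illustration only.
"""
from collections import defaultdict

# Entitlement matrix (constructed): the roles each job function needs to do
# its work. Any assigned role outside this set is excess access.
ENTITLEMENTS = {
    "fin_aid_counselor": {"FA_VIEW", "FA_AWARD_ENTRY"},
    "fin_aid_director": {"FA_VIEW", "FA_AWARD_ENTRY", "FA_AWARD_APPROVE"},
    "registrar_clerk": {"ENROLL_VIEW", "ENROLL_UPDATE"},
    "helpdesk": {"STUDENT_LOOKUP"},
}

# Segregation-of-duties rules (constructed): role pairs no one person should
# hold together, e.g. entering an award and approving the same award.
CONFLICTING_PAIRS = {
    frozenset({"FA_AWARD_ENTRY", "FA_AWARD_APPROVE"}),
    frozenset({"FA_DISBURSE", "FA_ACCOUNT_ADMIN"}),
}

# Constructed role export from the SIS: (user_id, job_function, assigned roles).
ASSIGNMENTS = [
    ("u001", "fin_aid_counselor", {"FA_VIEW", "FA_AWARD_ENTRY"}),
    ("u002", "fin_aid_counselor", {"FA_VIEW", "FA_AWARD_ENTRY", "FA_AWARD_APPROVE"}),
    ("u003", "fin_aid_director", {"FA_VIEW", "FA_AWARD_ENTRY", "FA_AWARD_APPROVE"}),
    ("u004", "registrar_clerk", {"ENROLL_VIEW", "ENROLL_UPDATE", "FA_VIEW"}),
    ("u005", "helpdesk", {"STUDENT_LOOKUP"}),
    ("u006", "helpdesk", {"STUDENT_LOOKUP", "FA_DISBURSE", "FA_ACCOUNT_ADMIN"}),
    ("u007", "registrar_clerk", {"ENROLL_VIEW"}),
]


def excess_roles(assignments, entitlements):
    """Map user_id -> roles held beyond what the user's job function is entitled to.

    A job function missing from the matrix is treated as entitled to nothing,
    so every role such a user holds is flagged rather than silently accepted.
    """
    findings = {}
    for user, job, roles in assignments:
        extra = roles - entitlements.get(job, set())
        if extra:
            findings[user] = extra
    return findings


def sod_conflicts(assignments, conflicting_pairs):
    """Map user_id -> conflicting role pairs the user holds at the same time.

    This is checked independently of the entitlement matrix: a user can be
    fully within entitlements and still violate segregation of duties.
    """
    findings = defaultdict(list)
    for user, _job, roles in assignments:
        for pair in conflicting_pairs:
            if pair <= roles:
                findings[user].append(tuple(sorted(pair)))
    return dict(findings)


def entitlement_matrix_conflicts(entitlements, conflicting_pairs):
    """Job functions whose own entitlement set bundles a conflicting pair.

    Fixing individual users is not enough if the role design itself grants
    conflicting roles; this surfaces those design problems.
    """
    return {
        job: [tuple(sorted(p)) for p in conflicting_pairs if p <= roles]
        for job, roles in entitlements.items()
        if any(p <= roles for p in conflicting_pairs)
    }


def access_report(assignments, entitlements, conflicting_pairs):
    """Summarise the review the way an audit does: flagged users out of the population."""
    excess = excess_roles(assignments, entitlements)
    sod = sod_conflicts(assignments, conflicting_pairs)
    flagged = set(excess) | set(sod)
    total = len(assignments)
    return {
        "population": total,
        "flagged": len(flagged),
        "flagged_pct": round(100 * len(flagged) / total) if total else 0,
        "excess_roles": excess,
        "sod_conflicts": sod,
        "role_design_conflicts": entitlement_matrix_conflicts(entitlements, conflicting_pairs),
    }


if __name__ == "__main__":
    report = access_report(ASSIGNMENTS, ENTITLEMENTS, CONFLICTING_PAIRS)
    print(f"{report['flagged']} of {report['population']} users "
          f"({report['flagged_pct']}%) need remediation")
    for key in ("excess_roles", "sod_conflicts", "role_design_conflicts"):
        for subject, detail in sorted(report[key].items()):
            print(f"  {key}: {subject} -> {sorted(detail)}")
```

Run against a real SIS role export, the same three checks give management the evidence the finding asks for: which users to reduce, which users hold conflicting roles, and which role definitions must be split before re-provisioning.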
2024-032: Improve Database Security
Applicable to: Department of Education - Direct Aid to Public Education
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management; Audit and Accountability
ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367
Federal Award Number and Year: Various - 2024
Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as those published by the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires, and industry best practices recommend, implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission-critical data stored or processed in the database.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-102: Implement Internal Controls over TANF Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Benefit Programs has not documented its process for preparing the ACF’s Annual Report on State MOE Programs (ACF-204) for the TANF federal grant program. ACF requires that Social Services submit this data annually and uses the information in reports to Congress about how TANF programs are evolving, in assessing State and Territory MOE expenditures, and in assessing the need for legislative changes. Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

During fiscal year 2024, Benefit Programs analyzed the ACF-204 reporting errors identified during the prior audit to determine their cause and has taken actions to resolve those errors. Additionally, Benefit Programs created a systems modification request to correct errors that it identified as resulting from inaccurate programming in the data modification phase of the federal report creation. However, Benefit Programs has not yet documented its processes for preparing the ACF-204 report in a written policy and procedure.

Documented policies and procedures will help Social Services maintain continuity in its processes for complying with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government, which could lead to Social Services incurring fines and/or penalties. Benefit Programs should dedicate the necessary resources to document its processes for preparing the ACF-204 report to ensure reasonably accurate reporting of TANF MOE Programs to ACF in accordance with the ACF-204 reporting instructions.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-107; 2022-106
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award Number and Year: 2401VATANF - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

Finance is not maintaining adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting is intended to provide full disclosure of how entities and organizations are obligating federal funds. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds from roughly 5,300 subawards. While auditing FFATA reporting for the TANF federal grant program, we noted that Finance did not file any FFATA reports for its subrecipients. Social Services awarded over $72 million in nearly 300 new TANF subawards during fiscal year 2024.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action that equals or exceeds $30,000 to the FFATA Subaward Reporting System (FSRS) by the end of the month following the obligating action. This also applies to any subaward modification that increases the amount to equal or exceed $30,000. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities because it does not determine which subrecipients will receive federal funding. Since there is an elevated risk that Finance will not report all subaward information to FSRS, it obtained a report of subrecipients from its financial reporting system and identified those who spent $30,000 or more in TANF funds during fiscal year 2024. However, Finance management did not compare this report to its FSRS submissions to verify that the agency had made the submissions accurately and on time. As a result, Finance management did not recognize that it had not complied with the FFATA reporting requirements. When Social Services does not upload all obligating actions meeting the reporting threshold to FSRS as required, a citizen or federal official may have a distorted view of how Social Services is obligating federal funds.

Finance management should provide sufficient oversight to confirm that the agency is submitting FFATA reports on time. Specifically, Finance management should periodically compare the report of subrecipients from its financial reporting system to FSRS to ensure it is reporting all subawards to FSRS, and should escalate any concerns that hinder its ability to comply with federal regulations.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-104: Implement Internal Controls over LIHEAP Federal Special Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Low-Income Home Energy Assistance Program (LIHEAP) - 93.568
Federal Award Number and Year: 2401VALIEA - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a); 45 CFR § 96.82(a)
Known Questioned Costs: $0

Benefit Programs has not documented its processes for preparing and verifying the information reported in the LIHEAP federal grant program’s Annual Household Report. The federal government requires Social Services to submit this data annually and uses it to provide reports to Congress for assessing the uses of funds for the assistance of households in need. Benefit Programs uses a third-party service provider to produce data reports from its case management system, which program staff use to populate the LIHEAP Annual Household Report, and Benefit Programs relies on the third-party service provider’s internal controls during the data extraction process.

Benefit Programs could not substantiate the information reported for four out of seven (57%) of the line items in Section I - Number of assisted households of the most recent LIHEAP Annual Household Report. Specifically, we noted the following inconsistencies:

Benefit Programs reported 2,571 households assisted on the Emergency Furnace Repair and Replacement line, which is 12 percent higher than the information in the case management system.
Benefit Programs reported 118,347 households assisted on the Any Type of LIHEAP Assistance line, which is 21 percent lower than the information in the case management system.
Benefit Programs reported 117,274 households assisted on the Bill Payment Assistance line, which is 20 percent higher than the information in the case management system.
Benefit Programs could not provide support to substantiate the Weatherization line.

Title 2 CFR § 200.303(a) requires the non-federal entity to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient is managing the federal award in compliance with federal statutes, regulations, and its terms and conditions. Further, 45 CFR § 96.82(a) requires each grantee, whether a State or an insular area, that receives an annual allotment of at least $200,000 to submit this data for the 12-month period preceding the federal fiscal year in which the grantee requests the funds. The grantee must report the data separately for LIHEAP heating, cooling, crisis, and weatherization assistance. If Social Services does not submit this report properly, ACF may not grant it its LIHEAP allotment, per 45 CFR § 96.82(c).

Benefit Programs has not dedicated the necessary resources to document its processes for preparing the LIHEAP Annual Household Report. Documented policies and procedures will help Social Services maintain continuity in its processes for complying with laws and regulations. Without documented policies and procedures, there is a risk that Social Services could report inaccurate information to the federal government, which could lead to Social Services incurring fines and/or penalties. Additionally, reporting potentially inaccurate information prevents the federal government from adequately monitoring Social Services’ overall performance for the LIHEAP federal grant program. Therefore, Benefit Programs should dedicate the necessary resources to document its processes for preparing the LIHEAP Annual Household Report, including the processes used to verify the data provided by its third-party service provider.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and to maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024. Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting.

The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report it cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls, or that those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.

Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting. Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, which was effective on February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, and as a result the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.

Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards if the data falls outside of the United States’ jurisdiction.

Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.

Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate with and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024.

Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024. Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment.

Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating that corrective actions are still ongoing with an estimated completion date of September 2024.

Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline the requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and to apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change.

Without detailed policies, procedures, and a baseline configuration that outline the requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations needed to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document; as a result, Medical Assistance Services has not consistently evaluated and applied security controls.

Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and the settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines the required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as the business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address the risks present in the database and to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
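The scheduled baseline review recommended above can be mechanized once the baseline records each approved deviation together with its justification and approval. The following is an added illustration and is not Medical Assistance Services’ baseline, tooling or database: it compares a constructed observed configuration against a constructed baseline and sorts every parameter into compliant, approved deviation, or drift. The parameter names, values, approver and dates are placeholders and are not settings taken from any CIS Benchmark.

```python
"""Review a database's observed configuration against a documented baseline
that records approved deviations with their justification and approval.
Constructed example for illustration; it is not Medical Assistance Services'
baseline, tooling or database. Parameter names and values are placeholders,
not settings taken from any CIS Benchmark."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Deviation:
    """An approved departure from the baseline, recorded the way the finding
    says a baseline should record it: what was approved, why, by whom, when."""
    parameter: str
    approved_value: str
    justification: str
    approved_by: str
    approved_on: date


# Constructed baseline: parameter -> required value.
BASELINE = {
    "audit_logging": "on",
    "remote_admin_login": "off",
    "min_password_length": "14",
    "tls_required": "on",
    "default_accounts_enabled": "off",
}

# Constructed approved deviations, keyed by parameter.
APPROVED_DEVIATIONS = {
    "min_password_length": Deviation(
        parameter="min_password_length",
        approved_value="12",
        justification="legacy batch account cannot be rotated yet (placeholder)",
        approved_by="Information Security Officer (placeholder)",
        approved_on=date(2024, 3, 1),
    ),
}

# Constructed observed configuration, as a scheduled review would export it.
# Note: default_accounts_enabled is missing from the export entirely.
OBSERVED = {
    "audit_logging": "on",
    "remote_admin_login": "on",
    "min_password_length": "12",
    "tls_required": "on",
}


def review_configuration(observed, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Sort every baseline parameter into one of three buckets:
    compliant          - observed value matches the baseline
    approved_deviation - differs, but an approved deviation allows that exact value
    drift              - differs (or is missing) with no approval covering it
    Drift is what the review should remediate or route for approval."""
    report = {"compliant": [], "approved_deviation": [], "drift": []}
    for param, required in baseline.items():
        actual = observed.get(param)  # None when the parameter is absent
        if actual == required:
            report["compliant"].append(param)
            continue
        dev = deviations.get(param)
        # A deviation only covers the value that was approved; any other
        # value is drift even though the parameter has an approval on file.
        if dev is not None and dev.approved_value == actual:
            report["approved_deviation"].append(param)
        else:
            report["drift"].append((param, required, actual))
    return report


def drift_parameters(observed, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Names of the drifted parameters only, for a quick pass/fail check."""
    return [p for p, _, _ in review_configuration(observed, baseline, deviations)["drift"]]


if __name__ == "__main__":
    for bucket, items in review_configuration(OBSERVED).items():
        print(bucket, items)
```

Two design points matter for the review the finding asks for: a parameter missing from the export is treated as drift rather than silently skipped, and an approval covers only the exact value that was approved, so a setting that later moves away from its approved deviation is surfaced again.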
2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to lack a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services has remediated some risk management and contingency planning issues. However, Social Services continues not to: accurately verify and validate data and system sensitivity ratings; create risk assessments for 90 percent of its sensitive systems; create system security plans for the 55 current systems identified as sensitive; review risk assessments for 100 percent of its existing documentation; and implement corrective actions identified in risk assessments. We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. The Division of Information Security and Risk Management (ISRM) and the Technology Services Division (TSD) defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet and submit it to ISRM for evaluation. ISRM meets with system administrators, system owners, and the Agency Head to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process because it only recently formalized the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to carry out corrective action responsibilities.

ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues not to configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated the other three previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.

TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects, nor does it prioritize information security and IT resources so that its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls.

The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.

The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. By not dedicating the necessary IT resources to information security, Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and to bring the information security program into compliance with the Security Standard. During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) and help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.

TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program into compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and to addressing the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combinations of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate the risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.

The Security Standard requires the agency to separate duties of individuals as necessary, document the separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting the separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combinations of roles may pose a separation of duties conflict and is unable to implement compensating controls. In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk.

Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk.

Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Benefit Programs, which is the owner of Social Services’ case management system, continues not to perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.

The Security Standard requires the agency to review accounts for compliance with account management requirements on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.

Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. By not reviewing access to the case management system annually, Social Services increases the risk of improper or unnecessary access to sensitive systems, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation.

Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
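The two reviews called for in findings 2024-041 and 2024-042 above, a conflicting access review over an access listing and a check that the annual review has been completed within 364 days of the last one, both start from the same data: who holds which roles. The following is an added illustration and is not Social Services’ case management system, its roles, its access listing or its procedures. The role names, user IDs, compensating-control descriptions and dates are constructed placeholders; the conflicting role pairs are chosen only to follow the two functions the finding names, determining eligibility and authorizing payment.

```python
"""Conflicting-access (separation of duties) review and annual access
review timeliness check for a role-based system. Constructed example for
illustration; it is not Social Services' case management system, its roles,
its access listing or its procedures. Role names, user IDs, control
descriptions and dates are placeholders."""
from datetime import date, timedelta

# Constructed conflicting role combinations. The pairs follow the system's
# two functions named in the finding: deciding eligibility and authorizing
# payment should not sit with one person, nor should authorizing a payment
# and auditing it, nor administering users and authorizing payments.
CONFLICTING_ROLE_PAIRS = [
    frozenset({"eligibility_worker", "payment_authorizer"}),
    frozenset({"payment_authorizer", "payment_auditor"}),
    frozenset({"user_admin", "payment_authorizer"}),
]

# Constructed compensating controls, keyed by user. A documented control
# turns a conflict into an accepted, mitigated one; an undocumented conflict
# is what the review must surface.
COMPENSATING_CONTROLS = {
    "u1002": "supervisor second approval required on every payment (placeholder)",
}

# Constructed access listing: user -> roles held.
ACCESS_LISTING = {
    "u1001": {"eligibility_worker"},
    "u1002": {"eligibility_worker", "payment_authorizer"},
    "u1003": {"payment_authorizer", "payment_auditor", "user_admin"},
    "u1004": {"payment_auditor"},
}

# From the procedures manual quoted in the finding: the next review must be
# completed within 364 days of the last one.
REVIEW_INTERVAL_DAYS = 364
LAST_REVIEW = date(2022, 6, 15)   # constructed; the finding only says "June 2022"
AS_OF = date(2024, 6, 30)         # constructed review date


def find_conflicts(access_listing, conflicting_pairs=CONFLICTING_ROLE_PAIRS):
    """Every (user, conflicting pair) where the user holds both roles.
    A user holding three mutually conflicting roles is reported once per pair."""
    hits = []
    for user, roles in access_listing.items():
        for pair in conflicting_pairs:
            if pair <= roles:              # subset test: both roles held
                hits.append((user, tuple(sorted(pair))))
    return hits


def unmitigated_conflicts(access_listing, controls=COMPENSATING_CONTROLS,
                          conflicting_pairs=CONFLICTING_ROLE_PAIRS):
    """Conflicts with no documented compensating control for that user."""
    return [hit for hit in find_conflicts(access_listing, conflicting_pairs)
            if hit[0] not in controls]


def review_due_date(last_review, interval_days=REVIEW_INTERVAL_DAYS):
    """Last day on which the next annual review may be completed."""
    return last_review + timedelta(days=interval_days)


def review_is_overdue(last_review, as_of, interval_days=REVIEW_INTERVAL_DAYS):
    """True once the review deadline has passed without a new review."""
    return as_of > review_due_date(last_review, interval_days)


if __name__ == "__main__":
    for user, pair in unmitigated_conflicts(ACCESS_LISTING):
        print(f"unmitigated conflict: {user} holds {pair[0]} and {pair[1]}")
    print("annual review overdue:", review_is_overdue(LAST_REVIEW, AS_OF),
          "(due", review_due_date(LAST_REVIEW), ")")
```

The output of the conflict review is the document the finding says does not exist: the list of role combinations that conflict, which users hold them, and which of those are covered by a documented compensating control. The deadline check is deliberately strict about the 364-day interval so that a review completed on the 365th day is reported as late.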
2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but it does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues because Social Services prioritized the migration project. Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts Applicable to: Department of Medical Assistance Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Risk Assessment ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure. Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating: High-severity flaws within 30 calendar days; Medium-severity flaws within 60 calendar days; and All others within 90 calendar days. Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk. 
The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified. Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure. Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. 
Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
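The finding above quotes two sets of remediation timeframes: the agency's own Vulnerability Scan Management procedure (high 30, medium 60, all others 90 calendar days) and the Risk Management Standard, SEC520 (critical or high within 30 days of a fix becoming available, all others within 90 days, otherwise an approved security exception). The following aging check is an added example, not code from the report or from the agency, that applies either policy to a constructed list of scan findings and reports which unmitigated findings are past their deadline without an exception. The finding identifiers, dates and severities are constructed sample data, not values from the report.

```python
"""Vulnerability remediation aging check (added example, constructed data).

Policies encoded from finding 2024-053:
  PROCEDURE_DAYS : agency procedure  - high 30 / medium 60 / all others 90 days
  STANDARD_DAYS  : SEC520            - critical or high 30 / all others 90 days,
                   measured from the date a fix became available, unless a
                   CSRM-approved security exception exists.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DEFAULT_DAYS = 90
PROCEDURE_DAYS: Dict[str, int] = {"critical": 30, "high": 30, "medium": 60}
STANDARD_DAYS: Dict[str, int] = {"critical": 30, "high": 30}


@dataclass
class Finding:
    finding_id: str                    # constructed identifier, not a real CVE
    severity: str                      # NVD-style rating: critical/high/medium/low
    fix_available: date                # date a vendor fix became available
    remediated: Optional[date] = None  # None means still unmitigated
    exception_approved: bool = False   # approved security exception on file


def deadline(finding: Finding, policy: Dict[str, int]) -> date:
    """Remediation due date for this finding under the given policy."""
    days = policy.get(finding.severity.lower(), DEFAULT_DAYS)
    return finding.fix_available + timedelta(days=days)


def overdue_findings(findings: List[Finding], as_of: date,
                     policy: Dict[str, int] = STANDARD_DAYS) -> List[Tuple[str, int]]:
    """Unmitigated findings past their deadline with no approved exception.

    Returns (finding_id, days past deadline) pairs in input order.
    """
    overdue = []
    for f in findings:
        if f.remediated is not None or f.exception_approved:
            continue                      # closed, or covered by an exception
        due = deadline(f, policy)
        if as_of > due:
            overdue.append((f.finding_id, (as_of - due).days))
    return overdue


def summarize(findings: List[Finding], as_of: date,
              policy: Dict[str, int] = STANDARD_DAYS) -> Dict[str, int]:
    """Count of overdue findings per severity, for the management report."""
    ids = {fid for fid, _ in overdue_findings(findings, as_of, policy)}
    counts: Dict[str, int] = {}
    for f in findings:
        if f.finding_id in ids:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample scan results (not from the report).
AS_OF = date(2024, 11, 15)
SAMPLE_FINDINGS = [
    Finding("VULN-001", "critical", date(2024, 9, 1)),                       # open, past 30 days
    Finding("VULN-002", "high", date(2024, 11, 1)),                          # open, still inside 30 days
    Finding("VULN-003", "medium", date(2024, 7, 1)),                         # open, past 60 and 90 days
    Finding("VULN-004", "low", date(2024, 6, 1), exception_approved=True),  # covered by exception
    Finding("VULN-005", "high", date(2024, 8, 1), remediated=date(2024, 8, 20)),  # closed in time
    Finding("VULN-006", "low", date(2024, 5, 1)),                            # open, well past 90 days
]

if __name__ == "__main__":
    for label, policy in (("SEC520", STANDARD_DAYS), ("procedure", PROCEDURE_DAYS)):
        print(label, overdue_findings(SAMPLE_FINDINGS, AS_OF, policy))
    print(summarize(SAMPLE_FINDINGS, AS_OF))
```

Running the same data under both policies shows why the report cites both: the medium-severity item is overdue by a different number of days under the agency procedure (60-day clock) than under SEC520 (90-day clock), and the item with an approved exception drops out of both lists, which is the mechanism the finding says the agency should use when it cannot meet the timeframe.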
2024-058: Conduct Information Technology Security Audits Applicable to: Department of Social Services Prior Year Finding Number: 2023-056 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Audit and Accountability ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT Security Audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025. The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable. 
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years. Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Awareness and Training ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 ISRM does not provide applicable role-based training to system administrators or data custodians that have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training. An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency. Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes. Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. 
Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk. ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document their process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely. ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology Applicable to: Department of Social Services Prior Year Finding Number: 2023-058; 2022-060 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: System and Information Integrity ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed their processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs. Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. 
By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records Applicable to: Department of Social Services Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Contingency Planning ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024. Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. 
Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws. Title 45 CFR § 155.1210, governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section § 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. 
Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability. Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back-up, and protect information that no longer serves a business purpose. The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access Applicable to: Department of Social Services Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Personnel Security ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination. In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024. Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely. 
Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
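The finding above describes a monitoring process that compares human-resources separation records against the access management system to find accounts that were not disabled within the 24 hours the Security Standard allows. The reconciliation below is an added example, not the agency's process or code, showing how such a check can be run over two constructed data sets: a list of separations from an HR system and a map of account-disable timestamps from an access management system. The user names, timestamps and the 24-hour threshold parameter are assumptions for the example.

```python
"""Separation-to-access-removal reconciliation (added example, constructed data).

Joins HR separation records to access management disable events and flags
every separated user whose access was disabled more than MAX_HOURS after
separation, or not disabled at all as of the review date.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

MAX_HOURS = 24.0   # Security Standard: disable access within 24 hours of termination

# Constructed HR separation records: (user, separation timestamp).
SEPARATIONS: List[Tuple[str, datetime]] = [
    ("alice", datetime(2024, 3, 1, 17, 0)),
    ("bob",   datetime(2024, 3, 4, 12, 0)),
    ("carol", datetime(2024, 3, 10, 9, 0)),
    ("dave",  datetime(2024, 3, 12, 15, 0)),
]

# Constructed access management log: user -> timestamp the account was disabled.
# A user missing from this map has no disable event on record.
DISABLED_AT: Dict[str, datetime] = {
    "alice": datetime(2024, 3, 2, 9, 0),    # 16 h after separation
    "bob":   datetime(2024, 3, 7, 8, 0),    # 68 h after separation
    "dave":  datetime(2024, 3, 13, 15, 0),  # exactly 24 h after separation
}

REVIEW_DATE = datetime(2024, 3, 20, 10, 0)


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def reconcile(separations: List[Tuple[str, datetime]],
              disabled_at: Dict[str, datetime],
              as_of: datetime,
              max_hours: float = MAX_HOURS) -> List[Tuple[str, float, str]]:
    """Return (user, hours until disabled, status) for every separated user.

    status is "ok" (disabled within max_hours), "late" (disabled after
    max_hours) or "still_enabled" (no disable event as of the review date;
    hours counts elapsed time since separation).
    """
    results = []
    for user, separated in sorted(separations):
        disabled: Optional[datetime] = disabled_at.get(user)
        if disabled is None:
            results.append((user, hours_between(separated, as_of), "still_enabled"))
            continue
        elapsed = hours_between(separated, disabled)
        status = "ok" if elapsed <= max_hours else "late"
        results.append((user, elapsed, status))
    return results


def exceptions(separations: List[Tuple[str, datetime]],
               disabled_at: Dict[str, datetime],
               as_of: datetime) -> List[Tuple[str, float, str]]:
    """Only the users needing follow-up: late removals and still-enabled accounts."""
    return [r for r in reconcile(separations, disabled_at, as_of) if r[2] != "ok"]


if __name__ == "__main__":
    for user, hours, status in reconcile(SEPARATIONS, DISABLED_AT, REVIEW_DATE):
        print(f"{user:6} {hours:7.1f} h  {status}")
```

The join is keyed on the HR record, not the account list, so an account that was never disabled still appears (as `still_enabled`) rather than being silently dropped; that is the case the finding says the agency's manual process exists to catch.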
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements Applicable to: Virginia Information Technologies Agency Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth. Although VITA monitored the service levels implemented in the prior year, not enough time has passed to prove the effects of the consequences enforced. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. 
When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.) it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations. Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier decided to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments. The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. 
Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024, and thus, were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth’s data confidentiality, integrity, and availability. To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan: Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes. 
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients. Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. 
Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance. Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfil the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight Applicable to: Department of Medical Assistance Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a) Known Questioned Costs: $0 Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC I, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024. Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting. The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. 
Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining to the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, they cannot adequately ensure the fiscal agent has designed and implemented sufficient controls, and whether the controls are operating effectively without obtaining and reviewing a SOC I, Type 2 report. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth. Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC I, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process Applicable to: Department of Medical Assistance Services Prior Year Finding Number: 2023-086; 2022-090 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Third-Party Service Providers (Information Systems) ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting. Since the prior year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, which was effective on February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, which has resulted in the agency not yet verifying the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program. Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside of the United States’ jurisdiction. 
Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner. Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024. Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls Applicable to: Department of Medical Assistance Services Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, that Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024. Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. 
Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating corrective actions are still ongoing with an estimated completion date of September 2024. Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security Applicable to: Department of Medical Assistance Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and apply more restrictive security configurations for sensitive systems. 
The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration on an annual basis and following an environmental change. Without detailed policies, procedures, and a baseline configuration that outlines requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources which has contributed to the absence of documentation outlining control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and as a result, Medical Assistance Services has not consistently evaluated and applied security controls. Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. 
Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database to ensure the configuration aligns with the Security Standard and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-024: Continue Improving IT Risk Management Program Applicable to: Department of Social Services Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Planning; Risk Assessment ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to: accurately verify and validate data and system sensitivity ratings; create risk assessments for 90 percent of its sensitive systems; create system security plans for the 55 current systems identified as sensitive; review risk assessments for 100 percent of its existing documentation; and implement corrective actions identified in risk assessments. We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet to submit to ISRM for evaluation. 
ISRM meets with system administrators, system owners, and the Agency Head, to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process due to recently formalizing the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to implement the corrective action responsibilities. ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-025: Improve Web Application Security Applicable to: Department of Social Services Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues not to configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Missing and insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting. TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard. 
Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-035: Improve Information Security Program and IT Governance Applicable to: Department of Social Services Prior Year Finding Number: 2023-027; 2022-022 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: Information Security Roles and Responsibilities ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. 
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. By not dedicating the necessary IT resources to information security, Social Services has hindered its ability to consistently and promptly remediate findings from management recommendations issued during prior year audits and bring the information security program into compliance with the Security Standard. During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program into compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding. TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program into compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and addressing the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-041: Evaluate Separation of Duty Conflicts within the Case Management System Applicable to: Department of Social Services Prior Year Finding Number: 2023-034 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Access Control ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combination of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024. The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties. Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls. 
In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk. Benefit Programs has not yet begun its corrective action efforts, and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-042: Perform Annual Review of Case Management System Access Applicable to: Department of Social Services Prior Year Finding Number: 2023-035 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Access Control ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024. The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022. Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary. 
However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation. Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Security Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-047: Continue Improving IT Change and Configuration Management Process Applicable to: Department of Social Services Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project. 
Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.

Medical Assistance Services' procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability's severity rating:
    High-severity flaws within 30 calendar days;
    Medium-severity flaws within 60 calendar days; and
    All others within 90 calendar days.

Additionally, the Security Standard requires Medical Assistance Services to "monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported." The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk.

The Commonwealth's IT Risk Management Standard, SEC520 (Risk Management Standard), requires Medical Assistance Services to "fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM." Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and to acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified.

Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems.

Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure.

Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure's required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services' sensitive and mission-critical information.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
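The finding above describes two overlapping remediation clocks: the agency procedure (30/60/90 days from detection by severity) and the Risk Management Standard SEC520 (30 days for critical/high, 90 days for all others, counted from the date a fix becomes available, unless an approved exception exists). The following check, written for this page as an added example and not the agency's own tooling, applies both rule sets to a constructed scan export and reports which findings are outside which deadline; it assumes critical is handled like high under the agency procedure and that an approved CSRM exception satisfies both rule sets, neither of which the finding states explicitly.

```python
"""Vulnerability remediation SLA check over a constructed scan export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Agency Vulnerability Scan Management procedure: clock starts at detection.
# Assumption: critical is treated like high (the procedure only names high/medium/others).
AGENCY_SLA_DAYS = {"critical": 30, "high": 30, "medium": 60}
AGENCY_DEFAULT_DAYS = 90
# SEC520 Risk Management Standard: clock starts when a fix becomes available.
SEC520_SLA_DAYS = {"critical": 30, "high": 30}
SEC520_DEFAULT_DAYS = 90


@dataclass
class Finding:
    finding_id: str                    # constructed placeholder id, not a real CVE
    host: str                          # constructed hostname
    severity: str                      # critical / high / medium / low
    detected: date
    fix_available: Optional[date] = None
    remediated: Optional[date] = None
    exception_approved: bool = False   # approved CSRM exception / extension on file


def agency_deadline(f: Finding) -> date:
    days = AGENCY_SLA_DAYS.get(f.severity.lower(), AGENCY_DEFAULT_DAYS)
    return f.detected + timedelta(days=days)


def sec520_deadline(f: Finding) -> Optional[date]:
    if f.fix_available is None:
        return None                    # no fix yet: the SEC520 clock has not started
    days = SEC520_SLA_DAYS.get(f.severity.lower(), SEC520_DEFAULT_DAYS)
    return f.fix_available + timedelta(days=days)


def _breached(deadline: Optional[date], f: Finding, as_of: date) -> bool:
    """True if the finding was (or still is) open after the deadline."""
    if deadline is None:
        return False
    closed = f.remediated if f.remediated is not None else as_of
    return closed > deadline


def evaluate(findings: List[Finding], as_of: date) -> Dict[str, List[str]]:
    """Map finding_id -> names of the rule sets it breaches (only breached ones)."""
    results: Dict[str, List[str]] = {}
    for f in findings:
        if f.exception_approved:       # assumption: an approved exception covers both clocks
            continue
        breaches = []
        if _breached(agency_deadline(f), f, as_of):
            breaches.append("agency-procedure")
        if _breached(sec520_deadline(f), f, as_of):
            breaches.append("SEC520")
        if breaches:
            results[f.finding_id] = breaches
    return results


def breaches_by_severity(results: Dict[str, List[str]], findings: List[Finding]) -> Dict[str, int]:
    """Count breached findings per severity, the figure an auditor would report."""
    sev = {f.finding_id: f.severity.lower() for f in findings}
    counts: Dict[str, int] = {}
    for fid in results:
        counts[sev[fid]] = counts.get(sev[fid], 0) + 1
    return counts


# Constructed sample export; dates and ids are made up for illustration.
SAMPLE_FINDINGS = [
    Finding("V-001", "app01", "critical", date(2024, 9, 1), date(2024, 9, 1)),
    Finding("V-002", "app02", "medium", date(2024, 9, 20), date(2024, 9, 20), date(2024, 11, 10)),
    Finding("V-003", "db01", "high", date(2024, 10, 1)),                       # no vendor fix yet
    Finding("V-004", "web01", "low", date(2024, 7, 1), date(2024, 7, 1), exception_approved=True),
    Finding("V-005", "web02", "medium", date(2024, 8, 1), date(2024, 8, 15), date(2024, 10, 20)),
    Finding("V-006", "fs01", "low", date(2024, 6, 1), date(2024, 6, 10)),
]
AS_OF = date(2024, 11, 15)

if __name__ == "__main__":
    res = evaluate(SAMPLE_FINDINGS, AS_OF)
    for fid, rules in sorted(res.items()):
        print(f"{fid}: outside {', '.join(rules)}")
    print("breaches by severity:", breaches_by_severity(res, SAMPLE_FINDINGS))
```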
2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT security audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.

The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth's IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years.

Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.

During fiscal year 2024, Social Services' Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.

Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

ISRM does not provide applicable role-based training to system administrators or data custodians who have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training.

An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency. Social Services' Awareness and Training Policy requires that Social Services' Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services' Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system or information or performing assigned duties; annually thereafter; and when required by system changes.

Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence. Additionally, lack of adequate role-based training increases the risk that users will be unaware of, or lack, the pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk.

ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document its process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely.

ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for system administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports, to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed its processes.

Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services' case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services' case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024.

Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. Social Services determined that, due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws.

Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act. Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability.

Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back up, and protect information that no longer serves a business purpose.

The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025.

Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination.

In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access, and Social Services' Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services' access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access in a timely manner. Additionally, Social Services could incur potential financial liabilities should its information become compromised.

Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
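The finding above describes a process that compares HR separation records against the access management system to find separated employees whose access was not disabled within the Security Standard's 24-hour window. The reconciliation below is an added example written for this page, not Social Services' own process; the two record formats, the field names and the sample data are constructed, and it deliberately separates the cases an auditor must handle differently: disabled on time, disabled late, still enabled past the deadline, not yet due, and records that cannot be verified at all.

```python
"""Offboarding reconciliation: separated users vs. access-management accounts."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DISABLE_WINDOW = timedelta(hours=24)   # Security Standard: disable within 24 hours of termination


@dataclass
class Separation:                       # constructed HR record layout
    user_id: str
    separated_at: datetime


@dataclass
class Account:                          # constructed access-management record layout
    user_id: str
    enabled: bool
    disabled_at: Optional[datetime] = None


def hours_past(deadline: datetime, when: datetime) -> float:
    return round((when - deadline).total_seconds() / 3600, 1)


def reconcile(separations: List[Separation], accounts: List[Account],
              as_of: datetime) -> Dict[str, Tuple[str, Optional[float]]]:
    """Return user_id -> (reason, hours past the 24-hour deadline) for every
    separation that cannot be shown to have been disabled on time."""
    by_user = {a.user_id: a for a in accounts}
    exceptions: Dict[str, Tuple[str, Optional[float]]] = {}
    for s in separations:
        deadline = s.separated_at + DISABLE_WINDOW
        acct = by_user.get(s.user_id)
        if acct is None:
            # Separation known to HR but no account record: cannot verify, needs manual follow-up.
            exceptions[s.user_id] = ("no account record", None)
        elif acct.enabled:
            if as_of > deadline:
                exceptions[s.user_id] = ("still enabled", hours_past(deadline, as_of))
            # otherwise the 24-hour window has not expired yet: not an exception today
        elif acct.disabled_at is None:
            # Disabled, but without a timestamp there is no evidence it happened in time.
            exceptions[s.user_id] = ("disabled, no timestamp", None)
        elif acct.disabled_at > deadline:
            exceptions[s.user_id] = ("disabled late", hours_past(deadline, acct.disabled_at))
    return exceptions


def summarize(exceptions: Dict[str, Tuple[str, Optional[float]]]) -> Dict[str, int]:
    """Count exceptions by reason for the monitoring report."""
    counts: Dict[str, int] = {}
    for reason, _ in exceptions.values():
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample data; ids and timestamps are made up for illustration.
SEPARATIONS = [
    Separation("u1001", datetime(2024, 6, 3, 17, 0)),
    Separation("u1002", datetime(2024, 6, 10, 17, 0)),
    Separation("u1003", datetime(2024, 6, 20, 12, 0)),
    Separation("u1004", datetime(2024, 6, 29, 15, 0)),
    Separation("u1005", datetime(2024, 5, 28, 10, 0)),
    Separation("u1006", datetime(2024, 6, 5, 17, 0)),
]
ACCOUNTS = [
    Account("u1001", enabled=False, disabled_at=datetime(2024, 6, 4, 8, 30)),   # on time
    Account("u1002", enabled=False, disabled_at=datetime(2024, 6, 14, 9, 0)),   # late
    Account("u1003", enabled=True),                                              # never disabled
    Account("u1004", enabled=True),                                              # separated yesterday
    Account("u1006", enabled=False),                                             # no timestamp
    Account("u2000", enabled=True),                                              # active employee
]
AS_OF = datetime(2024, 6, 30, 9, 0)

if __name__ == "__main__":
    found = reconcile(SEPARATIONS, ACCOUNTS, AS_OF)
    for uid, (reason, hours) in sorted(found.items()):
        print(f"{uid}: {reason}" + (f" ({hours} h past deadline)" if hours is not None else ""))
    print("summary:", summarize(found))
```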
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth's needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth. Although VITA monitored the service levels implemented in the prior year, not enough time has passed to prove the effects of the consequences enforced.

Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth's Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update's release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations.

Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security information and event management (SIEM) tool at the end of October 2023 to expand agencies' capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier determined to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments.

The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024 and thus were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth's data confidentiality, integrity, and availability.

To ensure all agencies that rely on the ITISP's services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP suppliers to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information into the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0

Compliance continues not to adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs.

During the audit, we noted the following deviations from the Agency Monitoring Plan:
    Compliance continues not to review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan.
    Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes.
    Compliance has not reviewed each division's monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services' Executive Team.

As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for its non-locality subrecipients.

Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services' Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332.

Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency's subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency's subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services' subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance.

Compliance should work collaboratively with Social Services' Executive Team and the Subrecipient Monitoring Coordinators to fulfill the agency's responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division's subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-011: Improve Fiscal Agent Oversight
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: N/A
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not obtain and review a System and Organization Controls (SOC) report, specifically a SOC 1, Type 2 report, to gain assurance over its fiscal agent’s internal controls relevant to financial reporting. In addition to services related to information systems management and security, Medical Assistance Services contracts with the fiscal agent to perform accurate and timely payments of Medicaid claims to providers and to maintain an accounts receivable ledger for the collection of provider funds owed to Medical Assistance Services. The fiscal agent processed over $22 billion in Medicaid-related payments during fiscal year 2024. Medical Assistance Services obtained a SOC 2, Type 2 report related to the fiscal agent’s controls over information systems management and security; however, this report did not provide an opinion over internal controls relevant to Medical Assistance Services’ significant fiscal activity and financial reporting.

The Commonwealth’s Accounting Policies and Procedures Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment. It also states that agencies must maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

The existing contract between Medical Assistance Services and the fiscal agent does not require the fiscal agent to obtain an independent review opining on the effectiveness of internal controls related to Medical Assistance Services’ significant fiscal activities and financial reporting. Management asserted that they are currently working to modify the contract with the provider to add this requirement. Although management maintains a high degree of interaction with its fiscal agent, without obtaining and reviewing a SOC 1, Type 2 report they cannot adequately ensure that the fiscal agent has designed and implemented sufficient controls, or that those controls are operating effectively. This issue increases the risk that management will not detect a weakness in the fiscal agent’s environment, which could negatively impact the Commonwealth.

Medical Assistance Services should continue to work with the fiscal agent to add language to the contract that would require the fiscal agent to obtain an appropriate independent audit of its internal controls relevant to Medical Assistance Services’ financial activities and reporting. Once the new contract language is in effect, Medical Assistance Services’ management should obtain and review the SOC 1, Type 2 report annually to ensure the fiscal agent is meeting contractual obligations and has proper internal controls over Medical Assistance Services’ significant fiscal activities and financial reporting.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-017: Improve IT Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-086; 2022-090
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Third-Party Service Providers (Information Systems)
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services has made progress in documenting and implementing a formal process for maintaining oversight of three of its IT third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting. Since the prior-year audit, Medical Assistance Services developed its Information Technology (IT) Third Party Risk Management Procedure, effective February 1, 2024, to facilitate the implementation of its IT System and Services Acquisition Policy. However, Medical Assistance Services is still working to implement the new procedure, and as a result the agency has not yet verified the following required controls and processes for one of the Medicaid management system IT service providers that is not covered by the Virginia Information Technologies Agency (VITA) Commonwealth of Virginia Risk and Authority Management Program.

- Medical Assistance Services does not confirm the geographic location of sensitive data monthly for IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards if the data falls outside of the United States’ jurisdiction.

- Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.

Medical Assistance Services experienced delays in implementing its new procedure due to limited staffing to properly communicate with and train those responsible for monitoring IT service providers. Medical Assistance Services expects to complete its implementation by October 2024.

Medical Assistance Services should dedicate the resources necessary to finish implementing its Third-Party Risk Management Procedure. Additionally, Medical Assistance Services should ensure that those tasked with monitoring IT service providers are confirming the geographic location of sensitive data and the provider’s performance of vulnerability scanning and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-022: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2023-010; 2022-024; 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses in its information technology (IT) general controls originally identified in a 2020 audit and confirmed in a 2023 audit covering the same IT general controls, both conducted by Medical Assistance Services’ Internal Audit division. During the 2023 audit, Internal Audit tested 105 controls required by the Commonwealth’s previous version of the Information Security Standard, SEC501, and identified 61 individual control weaknesses, a 58% non-compliance rate, which Internal Audit grouped into eight findings. Medical Assistance Services addressed four of the eight findings during fiscal year 2024. Noncompliance with required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening Medical Assistance Services’ ability to respond to malicious attacks on its IT environment.

Medical Assistance Services has experienced delays in addressing these findings due to the number of findings and the resources required to remediate the weaknesses. Medical Assistance Services updated its corrective action plan for the four remaining findings in June 2024, stating that corrective actions are still ongoing with an estimated completion date of September 2024.

Medical Assistance Services should prioritize and dedicate the necessary resources to ensure timely completion of its corrective action plans and to become compliant with the current version of the Commonwealth’s Information Security Standard, SEC530 (Security Standard). These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-023: Improve Database Security
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Contingency Planning; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services does not have formal policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining the database supporting its primary system for financial accounting and reporting operations in accordance with the Security Standard and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). As a result, Medical Assistance Services has not implemented some required controls over the database. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system and to apply more restrictive security configurations for sensitive systems. The Security Standard also requires Medical Assistance Services to review and update the policies, procedures, and baseline configuration annually and following an environmental change.

Without detailed policies, procedures, and a baseline configuration that outline requirements and justifications for securing and maintaining its database, Medical Assistance Services increases the risk that the system will not meet the minimum security requirements and recommendations needed to protect its sensitive data from malicious parties. Medical Assistance Services has experienced a lack of resources, which has contributed to the absence of documentation outlining the control requirements and procedures needed to properly secure the database. The absence of this documentation contributed to the deficiencies communicated in the FOIAE document and, as a result, Medical Assistance Services has not consistently evaluated and applied security controls.

Medical Assistance Services should dedicate the resources necessary to develop and implement formal policies and procedures to support its database based on the Security Standard requirements and the settings recommended by industry best practices, such as the CIS Benchmark. Medical Assistance Services should develop a formal baseline configuration for the database that defines the required security controls outlined in industry best practices, such as the CIS Benchmark. The baseline configuration should document deviations from recommended and expected security configurations, together with the business justification and approval for each deviation. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established baseline configuration on a scheduled basis and after major changes occur, to help detect and address potential misconfigurations in a timely manner. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address risks present in the database and to ensure the configuration aligns with the Security Standard and the CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
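The scheduled baseline review recommended in finding 2024-023 above, shown as an added illustrative example; it is not part of the report and is not Medical Assistance Services' own procedure. The setting names, values, approver, dates and the single approved deviation are constructed assumptions and do not describe any specific database product or anything in the FOIAE document. The example shows the three checks such a review needs: a setting that differs from the baseline is accepted only when a deviation record with a documented justification and approval exists for exactly that value, a baseline setting missing from the observed configuration is reported, and an approval older than the annual review period is flagged for re-review.

```python
"""Baseline-vs-observed database configuration review (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: setting name -> expected value. Names are illustrative
# stand-ins for benchmark-style hardening settings, not a real product's parameters.
BASELINE = {
    "audit_logging": "on",
    "remote_admin_access": "off",
    "password_min_length": 15,
    "tls_required": "on",
    "sample_databases_installed": "no",
}


@dataclass(frozen=True)
class Deviation:
    """An approved departure from the baseline, with justification and approval."""
    setting: str
    approved_value: object
    justification: str
    approver: str
    approved_on: date


# Constructed deviation record: remote administration is permitted, but only
# with a documented reason and a named approver.
APPROVED_DEVIATIONS = [
    Deviation("remote_admin_access", "on",
              "DBA team administers from a hardened jump host only",
              "CISO", date(2024, 3, 1)),
]

# Constructed observed configuration, as a scheduled review might collect it.
OBSERVED = {
    "audit_logging": "off",        # drift with no approved deviation
    "remote_admin_access": "on",   # matches the approved deviation
    "password_min_length": 15,
    "tls_required": "on",
    # "sample_databases_installed" is absent: the review could not observe it
}


def review_configuration(actual, baseline, deviations, today, max_age_days=365):
    """Return a list of (setting, issue_kind, detail) tuples.

    issue_kind is one of:
      "missing"        - baseline setting absent from the observed configuration
      "unapproved"     - observed value differs from baseline with no matching approval
      "stale_approval" - deviation matches but its approval exceeds max_age_days
    Settings that match the baseline, or match a current approved deviation, pass.
    """
    approved = {d.setting: d for d in deviations}
    issues = []
    for setting, expected in baseline.items():
        if setting not in actual:
            issues.append((setting, "missing", "setting not present in observed configuration"))
            continue
        observed = actual[setting]
        if observed == expected:
            continue
        dev = approved.get(setting)
        if dev is None:
            issues.append((setting, "unapproved",
                           f"observed {observed!r}, baseline expects {expected!r}"))
        elif dev.approved_value != observed:
            issues.append((setting, "unapproved",
                           f"observed {observed!r}, approved deviation is {dev.approved_value!r}"))
        elif (today - dev.approved_on).days > max_age_days:
            issues.append((setting, "stale_approval",
                           f"deviation approved {dev.approved_on} by {dev.approver} needs re-review"))
    return issues


def run_review(today_iso="2024-09-01"):
    """Run the constructed review as of the given ISO date and return its issues."""
    return review_configuration(OBSERVED, BASELINE, APPROVED_DEVIATIONS,
                                date.fromisoformat(today_iso))


if __name__ == "__main__":
    for setting, kind, detail in run_review():
        print(f"{kind:15} {setting}: {detail}")
```

Running the review as of September 2024 reports the unapproved audit-logging change and the unobserved sample-database setting while accepting the approved remote-administration deviation; re-running it a year later additionally flags that deviation's approval as due for the annual re-review the Security Standard calls for.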