Our Objective(s)
To (1) determine whether MARAD has implemented an information management system for the SAPR Program that complies with NDAA requirements and (2) assess the system's cybersecurity and privacy controls.
Why This Audit
The 2023 National Defense Authorization Act (NDAA) required MARAD to establish for the U.S. Merchant Marine Academy's (USMMA) Sexual Assault Prevention and Response (SAPR) Program an information management system (IMS) for sexual assault and sexual harassment claims, and for the Office of Inspector General to conduct a cybersecurity audit of the system.
What We Found
MARAD has not established an information management system for USMMA's SAPR Program that complies with NDAA requirements.
Instead of acquiring a new IMS, USMMA uses a spreadsheet system for the SAPR Program.
USMMA officials acknowledge that this spreadsheet system does not meet the Academy's needs.
The SAPR Program tracks and maintains most but not all required information in its spreadsheet system.
The program also has not implemented a process to update the records of acquitted individuals in its spreadsheet system.
The SAPR Program's spreadsheet system lacks sufficient cybersecurity and privacy controls.
The program's spreadsheet system lacks the cybersecurity controls required by the National Institute of Standards and Technology and the Department of Transportation's Cybersecurity Compendium to properly secure and protect the confidentiality, integrity, and availability of the program's sensitive data and information.
MARAD's Privacy Officer has not analyzed the spreadsheet system to determine what privacy protections should be implemented to protect personally identifiable information stored in the system.
Recommendations
We have made four recommendations to improve MARAD's oversight of USMMA's Sexual Assault Prevention and Response Program.