Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Maritime Administration
Report Number
IT2025013
Report Description

Our Objective(s)
To (1) determine whether MARAD has implemented an information management system for the SAPR Program that complies with NDAA requirements and (2) assess the system's cybersecurity and privacy controls.

Why This Audit
The 2023 National Defense Authorization Act (NDAA) required MARAD to establish for the U.S. Merchant Marine Academy's (USMMA) Sexual Assault Prevention and Response (SAPR) Program an information management system (IMS) for sexual assault and sexual harassment claims, and for the Office of Inspector General to conduct a cybersecurity audit of the system.

What We Found
MARAD has not established an information management system for USMMA's SAPR Program that complies with NDAA requirements.

Instead of acquiring a new IMS, USMMA uses a spreadsheet system for the SAPR Program.
USMMA officials acknowledge that this spreadsheet system does not meet the Academy's needs.
The SAPR Program tracks and maintains most but not all required information in its spreadsheet system.
The program also has not implemented a process to update the records of acquitted individuals in its spreadsheet system.

The SAPR Program's spreadsheet system lacks sufficient cybersecurity and privacy controls.

The program's spreadsheet system lacks the cybersecurity controls required by the National Institute of Standards and Technology and the Department of Transportation's Cybersecurity Compendium to properly secure and protect the confidentiality, integrity, and availability of the program's sensitive data and information.
MARAD's Privacy Officer has not analyzed the spreadsheet system to determine what privacy protections should be implemented to protect personally identifiable information stored in the system.

Recommendations
We have made four recommendations to improve MARAD's oversight of USMMA's Sexual Assault Prevention and Response Program.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
4
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 4 open recommendations.
Recommendation Number: 1
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Direct U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program officials to work with appropriate USMMA IT officials to ensure that data collected and used for tracking claims and incidents of sexual assault and sexual harassment is secure in accordance with NDAA requirements.

Recommendation Number: 4
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Direct the Maritime Administration's Privacy Officer to complete a privacy impact analysis to ensure personally identifiable information used by the U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program is secure based on Federal requirements and verify completion.

Recommendation Number: 3
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Direct U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program officials to work with the USMMA's IT officials to implement the necessary security controls in the following areas: access control, encryption, audit logging, data exfiltration, data integrity, and backup, to mitigate possible cybersecurity risks to the SAPR Program's sensitive information in the interim to the extent possible until a new system is implemented and verify completion.

Recommendation Number: 2
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: Direct U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program officials to update its spreadsheet system to include all information available that is required by the statute and verify completion.
