Federal Reports

We substantiated allegations that the former manager of Chena Bingo embezzled funds from the tribally operated gaming establishment. 

The National Oceanic and Atmospheric Administration's (NOAA's) Office of Marine and Aviation Operations (OMAO) is overseeing the construction of new ships, known as Class B ships, to replace hydrographic survey ships that are nearing the end of their planned service lives. Shipbuilding is a complex, multistage industrial process that requires structured oversight and controls at each phase. If the existing hydrographic survey ships are not replaced on time, NOAA has estimated a loss of 90 to 100 percent of its charting and mapping capability for the country’s Pacific Islands and Tropical Pacific and West Coast regions by 2028.

Our objective was to assess the management and oversight of the Class B ship acquisition by OMAO. We found that OMAO’s acquisition planning did not fully account for the resources, requirements, and processes that are necessary to perform Government Contract Quality Assurance (GCQA) management and oversight tasks for a new shipbuilding program. Specifically, for its Class B ship construction, OMAO (1) did not fully develop and implement the necessary controls to conduct GCQA, (2) did not identify or develop the necessary personnel, skills, and experience to conduct GCQA, and (3) did not have a system or method to record and track quality deficiencies and observations. Correcting these issues is critical to ensure that the ship construction meets contract requirements and an acceptable level of quality.

We made five recommendations to help OMAO implement its quality assurance program for ship construction, address shortfalls in workforce planning and technical oversight, and ensure that quality assurance oversight metrics during ship construction are tracked and stored. NOAA concurred with our recommendations and is working to implement them.
 

In fiscal year 2025, CPSC staff obligated funds, through various interagency agreements, without having properly delegated authority to do so.  Although we found no indicia of fraud, waste, abuse, or other criminal activity, the unauthorized obligations constitute non-monetary loss improper payments.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General initiated this project to summarize findings from prior EPA OIG reports on the EPA’s management of the Infrastructure Investment and Jobs Act funding for the 2022 Clean School Bus Rebates Program that could help inform the Agency’s decision-making when funding future programs.
 

Summary of Findings

We reviewed five previously issued EPA OIG reports related to the EPA’s 2022 Clean School Bus Rebates Program. From those, we identified two main issues with the program: the application and selection process and the management of funds. We also analyzed the 11 recommendations that we made to the EPA to address the deficiencies identified in those five prior reports. The Agency has completed or is in the process of implementing corrective actions for all 11 prior recommendations.

As required by the Inspector General Act of 1978 (as amended), this Semiannual Report summarizes the activities of the Office of Inspector General for the preceding 6-month period.

Our Objective(s) 

To assess whether FAA (1) has selected and implemented the required high-impact baseline security controls for its high-impact systems and (2) is mitigating potential vulnerabilities for its high-impact systems. 

Why This Audit 

FAA relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. In August 2021, we reported that FAA had re-categorized 45 information systems as high-impact systems. Further, we found FAA was not holding its high-impact system owners responsible for remediating high-security baseline control weaknesses. Given our previous findings, and the potential risks to the National Airspace System (NAS) if high-impact baseline security controls are not fully implemented, we self-initiated this audit. 

What We Found 

FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain. 

• FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. We found 15 of the 45 high-impact systems we reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards. 
• FAA has not fully implemented required security controls for systems that support the NAS. According to system documentation we reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems. 
• Some high-impact systems continue to have missing baseline security controls, according to their system documentation. 
• According to FAA, these gaps exist in part because of technical and other challenges with FAA's systems. Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS. 

FAA does not fully track and mitigate all potential vulnerabilities for its high-impact systems in DOT's system of record. 

• FAA is not tracking and mitigating vulnerabilities within DOT's system of record, as required. As a result, FAA is not being fully transparent with the Department in identifying its vulnerabilities. 
• FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities. 

Recommendations 

We made 4 recommendations to mitigate the risks associated with not selecting and implementing all required high-baseline security controls and/or not fully mitigating potential vulnerabilities for FAA's 45 high-impact systems supporting the NAS. 

Note: The Department has determined that this report contains sensitive security information (SSI) that is controlled under 49 C.F.R. parts 15 and 1520. No part of this report may be disclosed to persons without a "need to know," as defined in 49 C.F.R. parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 C.F.R. parts 15 and 1520. Relevant portions of this public version of the report have been redacted.