Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of Veterans Affairs
Federal Information Security Modernization Act Audit for Fiscal Year 2024
Agency program officials, chief information officers, and inspectors general must annually review information security programs and report to the Department of Homeland Security and Congress on agency compliance with the Federal Information Security Modernization Act (FISMA). The OIG contracted with an independent public accounting firm, CliftonLarsonAllen LLP (CLA), to evaluate VA’s information security program for FY 2024. After assessing 49 major applications and general support systems hosted at 23 VA facilities and on the VA Enterprise Cloud, CLA concluded that VA continues to face significant challenges meeting FISMA requirements because of the nature and maturity of its information security program.
The audit found continuing deficiencies related to access controls, configuration management controls, security management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. These deficiencies can be remedied by addressing security-related issues that contributed to the information technology material weakness reported in the FY 2024 audit of VA’s consolidated financial statements; improving the deployment of security patches, system upgrades, and system configurations; improving performance monitoring to ensure controls operate as intended; and communicating identified security deficiencies to appropriate personnel.
Of CLA’s 23 recommendations, VA concurred with 12 and did not concur with 11. Some of the 23 recommendations addressed repeat deficiencies from previous FISMA reports spanning multiple years. CLA will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions in the FY 2025 audit of VA’s information security program.
Management Assistance Report: Bureau of the Comptroller and Global Financial Services Internal Controls Associated with Reemployed Annuitant Employment
To learn how communities across the nation responded to the pandemic, we initiated a multi-part review of six communities—two cities, two rural counties, and two Tribal reservations. This report is the sixth community-specific report and focuses on our work in Jicarilla Apache Nation Reservation in New Mexico, where we previously identified that recipients, including city government, small businesses, and individuals, received almost $80 million from 42 pandemic relief programs and subprograms. This report provides a closer look at ten pandemic programs and subprograms provided to Jicarilla Apache Nation Reservation by six federal departments.
Audit of the Office of Community Oriented Policing Services School Violence Prevention Program Grant Awarded to the Williston Basin School District, Williston, North Dakota
Management Advisory Report: Peace Corps Non-Disclosure Agreements Generally Comply with Anti-Gag Provision Requirements, but Agency Policies Need Updating
The purpose of this report is to provide the results of our survey of the Peace Corps’ compliance with the anti-gag provision requirement in the Whistleblower Protection Enhancement Act (WPEA) (5 U.S.C. § 2302(b)(13)). We initiated this assessment at the request of Senator Chuck Grassley. (See attached Senator Grassley Letter, dated March 11, 2024).
The audit objective was to determine if the U.S. Nuclear Regulatory Commission (NRC) is effectively managing and monitoring selected research and development grants in accordance with applicable federal requirements, agency policies and guidance, and award terms and conditions.
The OIG found that the NRC was not effectively managing or monitoring selected research and development grants. Specifically, the OIG found that staff in the Office of Nuclear Regulatory Research assumed grants officer responsibilities without a grants officer appointment or through a delegation as a grants officer representative. We also found that NRC staff did not request or review source documents to support equipment purchased using grant funds. Additionally, we found that the NRC does not have a public repository for final performance reports or other means to share the results of federally funded research grants.
The OIG further determined that the grants officer had not ensured that all relevant documents were contained in the official grant files; 11 grants were not closed out within one year of the performance end date and the NRC had not deobligated more than $321,000 in funds that could have been put to better use; and grants awarded through the Integrated University Program (the predecessor to the University Nuclear Leadership Program) with periods of performance ending in 2021 and 2022 had more than $920,000 of funds that were not deobligated and could be put to better use. The report contains nine recommendations to improve management and monitoring of research and development grants.
The Office of the Inspector General conducted an audit of TVA’s cloud inventory due to the Tennessee Valley Authority’s (TVA) increased use of cloud services. Our objective was to determine if TVA maintained an accurate and complete cloud inventory. Although we determined TVA’s (1) defined processes related to managing cloud inventory were designed in alignment with identified best practices, and (2) access controls for the cloud inventory were operating effectively, TVA does not maintain an accurate and complete cloud inventory. Specifically, (1) cloud services procured outside of the IT organization’s procurement process were not included in inventory, (2) reconciliation controls did not include all available sources to identify cloud services, and (3) required fields in existing inventory data were incomplete.
This report specifically identifies the Center for Internet Security, a nongovernmental organization/business entity. Pursuant to the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263 §5274, any such organization may submit a written response to the report within 30 days, clarifying or providing additional context for each instance within the report in which the organization is specifically identified. Any response provided for that purpose will be appended to the final, published report. If you have any questions about this process, please contact Jeffrey McKenzie at (865) 633-7374 or jtmckenzie@tvaoig.gov within 30 days of publication.