Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of the Interior
U.S. Bureau of Reclamation Selected Hydropower Dams at Increased Risk from Insider Threats
The U.S. Bureau of Reclamation (USBR) operates five hydropower dams categorized as critical infrastructure by the U.S. Department of Homeland Security. Our evaluation focused on the USBR’s operational and technical practices for protecting two of these dams, and the related industrial control system (ICS) it relies on to remotely control operations, including generators, gates, and outlet valves.
We found the ICS at low risk of compromise from external cyber threats: our analysis of computer network traffic showed that the ICS is isolated from the internet and from USBR’s business systems, and our analysis of ICS computer memory did not detect hidden malware or other indicators of compromise. The USBR’s account management and personnel security practices, however, put the ICS and the infrastructure it operates at high risk from insider threats. Specifically, we found that the USBR:
• Failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts
• Did not comply with password policies and failed to remove inactive system administrator accounts
• Did not follow best practices recommending that personnel with elevated system privileges complete more rigorous background investigations
These deficiencies occurred because USBR management failed to strengthen bureau risk management practices in response to rapidly escalating threats to critical infrastructure. An ICS breach could disrupt USBR operations and has the potential to adversely affect national security. We make five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to the ICS.
The OIG investigated allegations that officials from the Bureau of Reclamation (USBR) and the U.S. Department of the Interior, Office of the Solicitor (SOL), obstructed an administrative inquiry into alleged sexual misconduct by a USBR official. The complainant alleged that USBR and SOL officials withheld information, attempted to influence witnesses by holding meetings to discuss the inquiry, and tried to stop the inquiry. The complainant further alleged that these officials provided advice to the inquiry while also advising regional management on how to address the alleged misconduct. Finally, the complainant alleged that an SOL official made disparaging comments about their work product to USBR leadership because of the complaint.
We found that two USBR officials omitted information during the administrative inquiry and that one also withheld a requested document. While we did not find evidence of improper involvement to influence or stop the inquiry, we did find that poor communication between the USBR and the SOL created confusion and mistrust regarding the roles and responsibilities of those involved with the inquiry. We confirmed that the SOL criticized some of the content in the report prepared by the complainant, which the SOL said included the complainant’s opinions, but we did not find evidence that any personnel actions were taken against the complainant.
An agreed-upon procedures (AUP) review of AmeriCorps grant funds to the New Mexico Commission for Community Volunteerism (NMCCV) and two subgrantees during the period of January 1, 2015 through March 31, 2017, identified questioned Federal costs totaling $29,627 and matching costs of $121,996, as well as compliance findings. In addition to the AmeriCorps grants, NMCCV also received a Corporation Training and Technical Assistance grant to provide training and assistance to NMCCV and subgrantee staff. The majority of the questioned costs were caused by deficiencies in subgrantees’ financial management systems and non-compliance with member living allowance requirements.
NMCCV concurred with most of the findings and recommendations, but disagreed on the finding related to member living allowances and requested an extension to determine the reason for the unsupported costs. The Corporation will resolve the report’s findings and recommendations.