Federal Reports

Our audit objective was to determine whether USPTO had an effective governance structure and processes in place to manage its AI tools. To meet our objective, we tested two of the six AI tools USPTO had in use when we began our audit. 

Overall, we found that USPTO has begun developing its AI workforce but should strengthen key organizational and system-level governance practices needed to effectively manage and oversee its AI tools. Specifically, USPTO:

• Has a governance structure that defines roles and responsibilities for key personnel, but should improve internal stakeholder involvement
• Should promote transparency on its AI tools to external stakeholders
• Does not have the specific, measurable objectives needed to define system success 
• Did not trace requirements or technical specifications to system objectives
• Does not have an AI-specific risk management plan

Together, these weaknesses increase the risk that USPTO will develop unreliable, untrustworthy AI systems. 
 

The Office of Inspector General performed an evaluation of an Agricultural Research Service (ARS) facility’s physical condition and security.

The Office of Inspector General is issuing this management advisory to bring to the U.S. Small Business Administration’s (SBA) attention possible security threats from personally owned devices accessing the agency’s information technology network from national and international locations with only a username and password.

We identified in our fiscal years 2023 and 2024 Federal Information Security Modernization Act assessments that SBA did not have multifactor authentication enabled for users to access the agency’s secure network. Relying on usernames and passwords alone greatly increases the risk of SBA data being accessed and exploited by cyber criminals and other bad actors. We also determined personally owned devices could access the SBA network from foreign locations, which is prohibited by SBA information technology policy.

We made five recommendations, and SBA management agreed with all five. All of the recommendations have been closed or resolved.

The U.S. Postal Service is responsible for processing, transporting, and delivering the nation’s Election and Political Mail. The Postal Service has specific policies and procedures on the proper acceptance, processing, delivery, and documentation of Election and Political Mail.

Our objective was to evaluate the service performance and visibility of Election and Political Mail during the 2024 general election. For this audit, we reviewed Election and Political Mail policies and mail tracking methods, analyzed service performance data, and judgmentally selected and conducted observations at 68 mail processing facilities and 947 delivery units during the 2024 general election season.

Overall, the Postal Service significantly exceeded service performance goals for Election and most Political Mail, but opportunities existed for the Postal Service to improve tracking of Ballot Mail within its network. The Postal Service applied its “extraordinary measures” to expedite handling of Ballot Mail. In fact, we found the Postal Service provided service above rates charged for certain ballots and late arriving Political Mail. The Postal Service could have potentially received $15.4 million more in revenue if it charged rates in line with the service provided on these ballots. When we observed non-compliance with Election and Political Mail policies and procedures, we found it was caused by confusion in the field over new, electronic processes or temporary changes in the mail flow due to the election. We did not see widespread instances of delayed Election or Political Mail in delivery units before or after the election, but better controls could lead to more accurate daily reporting on the status of Election and Political Mail from delivery operations.

In addition, the Postal Service estimated that just under 40 million ballots mailed to and from voters did not have performance tracking data. The Postal Service’s inability to track ballots negatively impacts its and other interested parties’ visibility into the status of ballots in the postal network.

The Office of the Inspector General performed an audit of TVA’s transmission network cybersecurity.  The audit scope was limited to a specific type of connectivity within TVA’s transmission network.  The audit objective was to determine the level of cybersecurity in place for this type of connectivity.

We determined the connectivity within TVA’s transmission network had a high level of cybersecurity in place commensurate with the level of associated risk.  In addition, our testing of internal controls identified process improvements related to configuration management.  We recommend the Senior Vice President, Grid, update configuration management processes to improve periodic reviews.