Federal Reports

U.S. Customs and Border Protection (CBP) did not effectively manage and secure its mobile devices, resulting in vulnerabilities and higher susceptibility to cyberattacks, potential unauthorized access to law enforcement and operational sensitive information, and waste and abuse from under- or over-usage.  Specifically, we found that CBP did not: • Consistently implement required security settings to protect its mobile devices or mitigate risks from applications installed on these devices; • Use its mobile device management system to fully manage and secure its mobile devices; • Address software vulnerabilities within the mobile device management system; • Increase monitoring and protection for devices used outside the United States, which are at a higher risk of cyberattacks; • Perform required steps to reduce risks associated with the disposal, loss, or theft of its mobile devices; and • Monitor its mobile devices for under- or over-usage. CBP allowed mobile devices to operate without completing a security authorization process to ensure required security controls; did not establish or implement sufficient security policies and processes; relied on unclear or contradictory guidance; and did not address its increased mobile device losses.  Moreover, the Department did not provide oversight to ensure that CBP fulfilled DHS requirements for monitoring mobile devices outside the United States and CBP did not enforce its policies.   

An Amtrak coach cleaner based in New Orleans, Louisiana, signed a civil settlement agreement on September 22, 2025, with the U.S. Attorney’s Office, Eastern District of Louisiana. The employee agreed to pay $19,132.75 in restitution and a penalty of $4,497.25 related to the fraudulent receipt of a Paycheck Protection Program (PPP) loan. We found that the employee submitted an application containing false statements and information to qualify for the loan. As a result, the employee received a PPP loan in the amount of $16,452 to which she was not entitled.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General has identified concerns regarding the installation and use of unauthorized software, specifically jiggler software, on EPA computers and networks. Commonly referred to as “mouse jigglers,” jiggler software simulates activity on a laptop, preventing the laptop from entering sleep mode and locking out its user. After running network scans in two EPA regions in November and December 2024, the Agency discovered 120 employees and contractors using jiggler software.

Summary of Findings

Our investigation found that jiggler software could bypass the Agency’s Windows Installer settings, that some of the EPA’s information technology specialists believed they were exempt from the policy, and that other EPA employees and contractors installed the software without authorization. Furthermore, we discovered inconsistencies in how quickly the regional offices acted to remove the jiggler software after it was detected. The installation and use of unauthorized software on EPA computers and networks represent critical cybersecurity risks and ethics violations for the Agency.

Our Objective(s)
To assess FHWA's policies and procedures for overseeing States' compliance with Coronavirus Response and Relief Supplemental Appropriations Act of 2021 (CRRSAA) requirements and tracking and monitoring CRRSAA funds.

Why This Audit
CRRSAA provided $10 billion to FHWA for Highway Infrastructure Programs (HIP) to prevent, prepare for, and respond to COVID-19-related impacts. The Act required FHWA to obligate the funds by the end of fiscal year 2024. By the end of March 2025, FHWA obligated $9.78 billion in CRRSAA funds with outlays of $8.43 billion. Due to the large amount of funds and timeframe for using them, as well as other Act requirements, we initiated this audit.

What We Found
FHWA generally followed its existing Federal-aid processes to oversee compliance with CRRSAA requirements and track funds but lacked sufficient details for Special Authority provisions.
FHWA instructed its Division offices to use existing processes and developed a HIP-CRRSAA Guidance memorandum to help oversee compliance with CRRSAA requirements and track the funds.
FHWA's HIP-CRRSAA Guidance covered project eligibility requirements, but lacked sufficient details for how States should use, and Divisions should oversee, Special Authority provisions that provide funding for activities not normally eligible under the STBG program.
FHWA followed processes to determine that projects met eligibility and project agreement requirements, complied with the non-Federal share requirement, and did not incur costs prior to obligating funds.

FHWA generally follows its processes to monitor CRRSAA projects and relies on State DOTs to reconcile differences in reported expenditure amounts.
FHWA uses a risk-based approach to monitor Federal-aid highway projects, including CRRSAA-funded projects, and identify potential risks. Division offices tailored their risk assessment and monitoring approaches to each project.
In 2024, FHWA revised its Stewardship and Oversight Agreements-intended to facilitate effective and efficient program delivery and adequate oversight-due to changes in laws and regulations.
Project expenditure reports contained discrepancies between FHWA and State DOT data, but we were able to reconcile those differences with updated State DOT data. FHWA relies on the State DOTs to reconcile differences in reported expenditure amounts.

Recommendations
FHWA generally followed its existing process to oversee CRRSAA compliance, track funds, and monitor projects, so we are not making recommendations.

We found that DOI may have misstated its total acres by 82 percent in its FY 2023 AFR.