Federal Reports

The OIG’s Audit of Cost-Reimbursement Contracts revealed several deficiencies that had the potential to impact the agency’s ability to determine whether cost-reimbursement contract costs are allowable, allocable, and reasonable through the performance of due diligence regarding invoice review. The OIG found ineffective and inefficient processes by the Contracting Officer Representatives and non-compliance with contract clauses and insufficient billing documentation. The OIG questioned approximately $227 million in labor charges and more than $226,000 in travel charges.

The objective of the performance audit was to determine whether the Social Security Administration’s (SSA) overall information security program and practices were effective and consistent with Federal Information Security Modernization Act of 2014 (FISMA)1 requirements, as defined by the Department of Homeland Security (DHS).

To see our report, click on the link below

What We Looked AtThe Federal Motor Carrier Safety Administration (FMCSA) regulates and oversees the safety of commercial motor vehicles. It partners with other agencies and the motor carrier industry to conduct this work. The Agency uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information (PII). Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, we conducted this audit of FMCSA’s information technology (IT) infrastructure. Our objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data. What We FoundWe found vulnerabilities in several Agency web servers that allowed us to gain unauthorized access to FMCSA’s network. FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. We also gained access to 13.6 million unencrypted PII records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees. Furthermore, the Agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise. Our RecommendationsFMCSA concurred with our 13 recommendations. We consider all 13 recommendations resolved but open pending FMCSA’s completion of planned actions. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

What We Looked AtThe Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 set up appropriations to support executive agency operations during the COVID-19 pandemic. The Federal Transit Administration (FTA) has received nearly $70 billion in CARES Act and other COVID-19 relief appropriations. FTA uses several financial management systems to approve, process, and disperse this funding for the transit industry’s COVID-19 response and recovery. Given the size of this investment, we initiated this audit. Our audit objective was to assess the effectiveness of FTA’s financial management systems’ security controls designed to protect the confidentiality, integrity, and availability of the systems and their information. What We FoundFTA’s financial management systems have security control deficiencies that could affect FTA’s ability to approve, process, and disburse COVID-19 funds. FTA security officials mislabeled and incorrectly documented control types for over 180 security controls in its fiscal year 2020 system security plans for these systems. FTA also does not adequately monitor security controls provided by or inherited from DOT’s common control provider. FTA also has not remediated security control weaknesses identified since 2016. Lastly, FTA lacks sufficient contingency planning and incident response capabilities such as alternate set of personnel to restore its financial management systems if its primary personnel are unavailable. Due to these security control weaknesses, FTA’s security officials cannot be sure financial management systems have the proper safeguards and countermeasures in place to protect the systems and that they effectively manage information security risk. Our RecommendationsFTA concurred with all of our 13 recommendations to help the Agency address its security control weaknesses and improve its systems’ cybersecurity posture. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.