Federal Reports

Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls.  Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.

We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA.  However, we identified wording in the contract that could be improved to avoid potential confusion.  TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.

The report contains an unmodified opinion on Natural Resources Conservation Service’s financial statements as of September 30, 2025, as well as an assessment of NRCS' internal controls over financial reporting and compliance with laws and regulations.

The U.S. Consumer Product Safety Commission (CPSC) OIG retained KPMG, LLP (KPMG), an independent public accounting firm, to perform the independent audit of the CPSC’s financial statements for fiscal year (FY) 2025 in accordance with auditing standards generally accepted in the United States.  This report is contained in the CPSC’s Annual Financial Report which also contains the complete set of financial statements, management’s discussion and analysis, and required supplementary and other information.  KPMG found that the CPSC received a qualified or clean opinion.  However, the agency was found to have two material weaknesses, first identified in FY 2023; and one significant deficiency.

There continues to be an increased focus on supply chain risks in the Federal Government. In December 2020, the Government Accountability Office reported that a majority of the 23 agencies reviewed, which included the Department of Energy, had not implemented selected foundational practices for managing information and communications technology supply chain risks. In the Department’s case, information technology (IT) supply chain risk management (SCRM) is a particular challenge due to the diversity of its missions and decentralized operating environment.

We initiated this audit to determine whether the Department effectively managed its IT SCRM process.

We determined that the Department made progress in effectively managing its IT SCRM process, but opportunities for improvement existed to help ensure compliance with Federal and Department requirements. Specifically, we found issues related to the accuracy of the Department’s critical software inventory and insufficient assessments and reviews of potentially vulnerable suppliers. For example, the Department had not developed an accurate inventory of its critical software, which could have prevented it from protecting critical software, platforms, and data from unauthorized access. The Department also faced unknown SCRM risks because it did not always conduct assessments of technology acquisitions, including vendors with foreign ownership, control, or influence.

Without improvements to its SCRM process, the Department is vulnerable to potentially malicious, counterfeit, or vulnerable IT equipment or services. The inability to identify critical software quickly also places the Department at an elevated risk in the event of a compromise as it may be unable to rapidly respond to remediate vulnerabilities. Further, had entities routinely performed SCRM assessments and reviews, they may have increased awareness of supply chain risks involving certain vendors, resulting in different security decisions including implementing monitoring, conducting routine reviews of the vendor, or selecting a different vendor.

We suggest that the Department develop an accurate inventory of its critical software. In addition, we also suggest that three of the sites reviewed ensure that policies and procedures related to SCRM for IT acquisitions are developed and effectively implemented.

The VA Office of Inspector General (OIG) conducted a healthcare inspection of the VA Nebraska-Western Iowa Health Care System (facility) in Omaha from November 2024 through May 2025, following a congressional request to evaluate allegations related to the inpatient mental health unit’s environment of care. The OIG also evaluated allegations from another complainant regarding unit staffing and identified additional concerns related to training, policy guidance, and oversight.

The OIG substantiated facility leaders did not ensure adequate night lighting in patient rooms, which may affect patients’ sleep and hinder staff’s ability to conduct safety rounds. The OIG also substantiated the unit was not consistently staffed with the required number of employees trained in therapeutic containment for high-risk areas, placing patients and employees at risk. Although the OIG did not substantiate allegations that the unit was unclean and restroom doors did not lock, the OIG found female patients were unable to access the restroom without staff assistance.

The OIG found nursing leaders did not (1) develop a required patient safety rounding standard operating procedure, increasing the risk of inconsistent observation practices, and (2) ensure a clear process for using a risk for violence assessment, contributing to the inability to determine required staffing.

Additionally, facility leaders did not (1) consistently report root cause analysis action items, which may result in leaders being unaware of opportunities to improve care, and (2) notify Veterans Integrated Service Network (VISN) 23 leaders of bed closures exceeding 60 days, misrepresenting available bed capacity.

The Under Secretary for Health concurred with 2 OIG recommendations related to high-risk workplace staffing guidance; the VISN Director concurred with 1 recommendation regarding oversight of bed changes; and the Facility Director concurred with 10 recommendations regarding unit lighting, rounding procedures, mitigation planning, staffing and training requirements, and root cause analysis reporting.

We found that ONRR did not appropriately identify, assess, issue, and collect penalties related to mineral and energy leases.

The Department of Game and Fish should take steps to improve its leave allocation process, as well as subaward and equipment management.