Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Tennessee Valley Authority
Independent Examination of Cost Proposal for Small Modular Reactor and Clinch River Nuclear Project
At the request of the Tennessee Valley Authority (TVA) Supply Chain, we examined the contractor’s cost proposal for work in connection with the validation phase of TVA’s Small Modular Reactor and Clinch River Nuclear project. Our examination objective was to determine if the cost proposal was fairly stated for a planned contract with expenditures up to $25 million.
In our opinion, the cost proposal was overstated. Specifically, the proposed total markup rate for recovery of indirect costs was overstated compared to recent actual costs. We estimated TVA could avoid approximately $2.02 million over the planned $25 million by negotiating revised markup rates to more accurately reflect the contractor’s recent actual costs for 2022 and 2023. Subsequently, the contractor stated it would prefer to use its 2024 provisional total markup rate, which was lower than recent actual costs for 2022 and 2023. We estimated TVA could save an additional $473,000 by negotiating for the 2024 provisional total markup rate for a total cost avoidance of $2.49 million over the potential $25 million contract spend. In addition, we identified opportunities to clarify the draft contract language.
At the request of the Tennessee Valley Authority’s (TVA) Supply Chain, we examined the cost proposal submitted by a company for engineering and construction services in connection with the validation phase of TVA’s Small Modular Reactor and Clinch River Nuclear project. Our examination objective was to determine if the company’s cost proposal was fairly stated for a contract with expenditures up to $25 million.
In our opinion, the company’s cost proposal was overstated. Specifically, the proposed hourly indirect cost recovery rates for the company’s overhead costs and technology costs were overstated compared to recent actual costs. We estimated TVA could avoid approximately $749,000 over the potential $25 million contract by negotiating reduced hourly indirect cost recovery rates to more accurately reflect the company’s recent actual costs. In addition, we also noted some opportunities to clarify the draft contract language.
Financial Audit of USAID Resources Managed by Centre for the Development of People in Malawi Under Cooperative Agreement 72061220CA00006, January 1 to December 31, 2023
Our Objective(s): To determine whether security weaknesses exist in FHWA's information technology (IT) infrastructure that could lead to the compromise of the Agency's IT systems and data. Specifically, we reviewed FHWA's (1) adherence to cybersecurity policies and (2) compliance with the Rules of Engagement (ROE) and its cybersecurity incident response procedures.
Why This Audit: FHWA's information systems support mission processes that aid in grant management, infrastructure inspections, inventory management, and research and development. Protecting these systems and the information stored in them prevents unauthorized access and compromise. This audit is the fourth in a series of reviews to determine whether the U.S. Department of Transportation (DOT) has the security controls in place to protect its networks and information systems from unauthorized access.
What We Found: DOT's lack of adherence to cybersecurity policies allowed the Office of Inspector General (OIG) to gain unauthorized access into FHWA's network.
FHWA and DOT's Office of the Chief Information Officer (OCIO) do not remediate vulnerabilities in FHWA's IT infrastructure according to policy.
OCIO had not implemented the required network boundary protection controls, which allowed us to access the Federal Aviation Administration's intranet site and sensitive proprietary data. FHWA did not replace default credentials in FHWA information systems, which allowed us to access network printers and sensitive information.
We also used open-source tools to crack and utilize weak and known passwords to compromise and penetrate FHWA IT infrastructure and gain access to two FHWA servers and an OCIO server.
DOT and FHWA officials did not consult with OIG in accordance with the ROE and did not fully follow DOT's incident response procedures, which prevented us from completing testing activities.
After we gained unauthorized access to three of DOT's servers, DOT disconnected one and started decommissioning the other two without consulting with OIG, as required by the ROE. According to DOT officials, FHWA and OCIO technicians did not notify OIG because they did not recognize OIG as the source of scanning and other intrusion attempts.
However, had DOT followed its incident response procedures, it could have identified OIG as an intruder and notified us they were aware of our intrusion so that we could consult and then complete further testing. As a result of these actions, we were unable to determine whether FHWA IT infrastructure is at risk of being further compromised.
Recommendations: We have made eight recommendations to improve OCIO's IT security posture providing IT shared services to FHWA's IT infrastructure.
Unresolved Recommendations: Two
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. 552. Relevant portions of this public version of the report have been redacted.
Independent Audit Report on Management Systems International Inc.'s Proposed Billed Costs, USAID/Iraq Performance Management and Evaluation Services Activity, Contract 72026720C00001, July 1, 2020, to September 30, 2022