Federal Reports

What We Looked AtHigh value assets (HVA) are information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could have a significant impact on U.S. national security, or public health and safety of the American people. Given the impact that cyberattacks on HVAs can have on the security and resilience of the Nation's transportation infrastructure, we initiated this audit of DOT's HVA Program. At the time of our review, DOT identified that it had 21 HVAs. Our objectives were to evaluate whether DOT (1) established an organization-wide HVA governance program to identify and prioritize HVAs and (2) assesses HVA security controls and ensures timely remediation of identified vulnerabilities.Our RecommendationsWe made seven recommendations to strengthen DOT's HVA Program cybersecurity. DOT concurred with five recommendations and did not concur with and asked to close the other two recommendations. We consider the five recommendations resolved but open pending completion of planned corrective actions. We consider the remaining two recommendations unresolved and request that DOT provide an updated response, reconsider its non-concurrence, or provide documentation to support closing the recommendations.Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552.We plan to post a redacted version of the report when it becomes available.

We audited the Puerto Rico Department of Housing’s (PRDOH) fraud risk management practices to assess the maturity of its antifraud efforts. HUD heavily relies on its grantees to detect and prevent fraud, waste, and abuse and PRDOH is HUD’s second largest Community Development Block Grant Disaster Recovery and Mitigation (CDBG-DR and CDBG-MIT) grantee with over $20 billion in block grant funding. Our objective was to assess PRDOH’s fraud risk management practices for preventing, detecting, and responding to fraud when administering programs funded by HUD grants addressing the 2017 disasters.PRDOH’s fraud risk management processes to mitigate fraud risks either did not exist or were reactionary in nature. This resulted in the lowest desired maturity goal state -- Ad Hoc -- for organizations’ antifraud initiatives. PRDOH must improve its fraud risk management practices to adequately protect HUD funding provided for disaster recovery and mitigation efforts. Because PRDOH does not proactively manage fraud risk and its fraud risk management program is at the lowest state of maturity, it may have missed opportunities to strengthen controls and eliminate fraud vulnerabilities, leaving more than $20 billion in HUD disaster recovery and mitigation funds at increased risk of fraud. Implementing best practices and maturing PRDOH’s fraud risk management program will improve HUD and Puerto Rico’s ability to prevent and detect fraud and effectively utilize federal funds to support long-term disaster recovery and mitigation needs.We recommended that HUD instruct PRDOH to (1) implement a process to regularly conduct fraud risk assessments and determine a fraud risk profile, and (2) improve its fraud awareness initiatives.Further, we recommended that HUD (3) evaluate PRDOH’s risk exposure and tolerance as part of its program-specific fraud risk assessment for disaster grant programs; (4) coordinate with HUD’s Chief Risk Officer to provide training and technical assistance to PRDOH with a focus on the design, implementation, and performance of fraud risk assessments, and establish a fraud risk management framework for the organization; (5) assess whether grantees have mature fraud risk management programs within the disaster recovery and mitigation program; and (6) determine the fraud risk exposure in HUD's disaster recovery and mitigation programs, and work with grantees to implement appropriate fraud mitigation activities.