Federal Reports

U.S. Customs and Border Protection (CBP) accounted for its firearms but did not always maintain accurate records for firearm locations or quantities of ammunition, as required. During our physical inventory of firearms in storage at 12 sites, we identified 126 firearms not located at the address indicated in CBP’s system of record. CBP also did not ensure ammunition control, accountability, and loss reporting complied with policy requirements for sensitive assets.

FCC OIG announces the voluntary repayment of $49.4 million of improperly claimed Affordable Connectivity Program (ACP) subsidies after OIG sent the provider a warning letter and issues an advisory notifying other ACP providers of its concern that dozens of other providers are likely not complying with FCC usage and related de-enrollment rules.

FCC OIG announces the voluntary repayment of $49.4 million of improperly claimed Affordable Connectivity Program (ACP) subsidies after OIG sent the provider a warning letter and issues an advisory notifying other ACP providers of its concern that dozens of other providers are likely not complying with FCC usage and related de-enrollment rules.

The Veterans Affairs Enterprise Cloud (VAEC) hosts more than 200 systems that employees, veterans, and contractors use to support the delivery of health care, compensation benefits, and home loan guarantees for veterans. The OIG conducted this audit to determine if VA is effectively assessing and monitoring security and privacy controls for cloud computing in accordance with federal guidance to include the National Institute of Standards and Technology (NIST) risk management framework. Based on the audit team’s findings, the team also assessed VA’s process for monitoring cloud service performance levels (including outages).In September 2020, NIST updated its guidance regarding security and privacy controls. Although VA has been working on updates, systems were not yet compliant as of June 2023. This occurred because of failures in oversight to ensure that policies and procedures reflected governing federal security and privacy controls. For the 13 VAEC systems reviewed, the team found deficiencies in the areas of securing personally identifiable information and supply chain management, though no incursions or other impacts were detected.The audit team only identified weaknesses in the last of seven steps in NIST’s risk management framework related to controls. Specifically, the audit team estimated that 123 of the 148 systems hosted on the VAEC did not have proof of continuous monitoring.The OIG also found VA may be missing opportunities to recoup service credits when vendors do not perform as required, such as when service provider actions result in outages that exceed agreed-upon acceptable durations. This occurred, in part, because VA lacked a consistent process to identify, document, and submit cloud service recoupment claims. Further, VA did not identify who was responsible for submitting the requests to the cloud service providers and making the claims. VA concurred with the OIG’s five recommendations for corrective action.