Federal Reports

The objective of this audit was to determine whether the Farm Credit Administration has designed and implemented appropriate controls over its Emergency Operations Center.

During fiscal year (FY) 2025, the Office of Inspector General (OIG) conducted cybersecurity reviews to determine whether the Department of Energy’s unclassified cybersecurity program was implemented in accordance with Federal and Department requirements. The OIG also performed the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, which included test work over controls related to information technology.

The management letter discusses the results of cybersecurity reviews conducted by the OIG in FY 2025 and the results of our Federal Information Security Modernization Act of 2014 evaluation.

The OIG issued 33 cybersecurity findings (including 13 repeat prior year findings) to Department sites and programs related to information technology controls. However, three of those prior year findings, along with their recommendations, are being tracked in other OIG issued reports. Additionally, the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, identified a significant deficiency related to access controls over various Department financial systems. The findings that led to the significant deficiency are included within this report.

The weaknesses occurred for a variety of reasons. For instance, deficiencies related to access controls occurred, in part, due to management not responding to changes in risks or identifying risks associated with inappropriate or unnecessary access to systems.

Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or unauthorized modification.

Our objective was to assess the progress of the National Oceanic and Atmospheric Administration (NOAA) in implementing the Geostationary Extended Observations (GeoXO) weather satellite program. We also evaluated NOAA’s efforts to address the risk of a future gap in geostationary observations, and we assessed the program’s risk management processes. 

We found that the GeoXO program has made adequate progress in its current phase of development and that it is achieving the desired technology maturity. However, NOAA should consider enhancing its continuity planning and risk management processes by (1) managing the risk of a continuity gap in geostationary satellite data, as the current series’s backup satellites are likely to reach the end of their lifespans before the first GeoXO satellite becomes operational, and (2) improving risk management processes to ensure the mission’s success.

The OIG conducted this audit to determine whether VHA national program offices provided effective oversight of contracted community-based outpatient clinics (CBOCs). The audit team found the offices did not effectively oversee contracted CBOCs because oversight ended after vendors were awarded contracts to acquire, furnish, and run the clinics. This left VHA without national oversight of the effectiveness of the contracts. VHA’s policies governing contracts for CBOCs did not incorporate all responsibilities required of a VHA program office: identifying emerging national issues, communicating with internal and external stakeholders, managing quality and compliance, and evaluating program effectiveness and efficiency. The policy omissions limited program offices’ ability to identify and implement solutions for national issues, such as contractors not meeting performance metrics, start-up (construction) costs keeping small businesses from competing for contracts, staff having to manually create patient rosters (monthly lists of patients for which contractors can invoice VA), and medical centers (which were supposed to oversee CBOC operations) not appointing adequately certified contract monitors. The problems the OIG audit team documented may have adversely affected care provided to veterans—sampled CBOCs provided healthcare services that scored below VHA’s overall performance metrics—and created administrative challenges for VA medical centers and contracting offices.

The audit team also found that, contrary to federal acquisition requirements, contract templates did not give contracting officers the option to include performance incentives. Without effective means to hold contractors accountable for performance, the contracting officers and VA medical centers accepted and paid in full for services that did not meet requirements.

The OIG made 12 recommendations, including to delegate program office oversight responsibilities, monitor contractor compliance with the contracts, develop consistent procedures for patient rosters, and work with the VA Office of General Counsel on start-up costs and incentives.

This audit was performed by the Defense Contract Audit Agency (DCAA) on behalf of the Department of Energy’s Office of Inspector General, which examined Fermi Research Alliance, LLC’s costs incurred and claimed for fiscal years 2021 and 2022 at the Fermi National Accelerator Laboratory, under management and operating contract No. DE-AC02-07CH11359.

The audit’s objective was to determine if costs charged to Department Contract No. DE-AC02-07CH11359 for fiscal years 2021 and 2022 were allowable, allocable, and reasonable in accordance with applicable laws, regulations, and contract terms.

The DCAA performed the audit in accordance with generally accepted government auditing standards.

The DCAA identified two audit findings and questioned approximately $9.9 million in performance award fees and $142,463 in direct costs. Specifically, the DCAA questioned performance award fees in the General and Administrative pool. The DCAA questioned the performance award fees, which represented a contractual incentive paid by the Department because the fee was included as a cost in the General and Administrative pool. The DCAA reconciled the proposed fee amount to the general ledger, and the Department determined that the contractor was entitled to the earned fee. The DCAA also questioned labor costs due to claimed triple-time pay for employees working on holidays, which exceeded allowable pay of double-time. In addition to the questioned costs noted, the DCAA reported two scope limitations because real-time testing was not performed, which resulted in unresolved risk that could materially affect: (1) labor costs and (2) direct materials and supplies costs.  

If the issues identified by the DCAA are fully addressed, it should help ensure that costs charged to the Department are allowable, allocable, and reasonable in accordance with contract terms. We recommend that the contractor coordinate with the contracting officer to resolve the questioned costs identified in this report.