Federal Reports

The U.S. Postal Service holds its cash in the Postal Service Fund with the Federal Reserve Bank of New York and, traditionally, has invested its excess cash in highly liquid, overnight investments (Overnight Treasuries) issued by the U.S. Department of Treasury (Treasury), where interest rate changes are more pronounced than in longer-term investments. Postal Service cash has grown from $2.3 billion in fiscal year (FY) 2013 to $19.6 billion at year-end FY 2022.

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. These inspections focus on four security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. During this inspection, the OIG found deficiencies with configuration management, security management, and access controls.Configuration management controls were deficient in vulnerability remediation, the process to identify, classify, and fix weaknesses. Without an effective vulnerability management program, opportunities for exploitation increase.The security management control deficiency was in system security planning, which is needed for authorizing a system to operate. Without a system security plan or an authorization to operate, and without requiring contractors to adhere to federal and VA security requirements, the facility cannot be sure that security controls will be implemented as required.The security management deficiencies were in network segmentation, physical access, environmental, audit and monitoring, and records management controls. Without these safeguards, breaches are more likely to occur and harder to detect, and assets are at risk of accidental or intentional destruction.The assistant secretary for information and technology and chief information officer concurred with all but one of the OIG’s nine recommendations. Regarding his nonconcurrence, the assistant secretary reported that the devices identified by the OIG as lacking required isolation—the finding that resulted in recommendation 4—do not meet the definition for devices subject to this requirement. However, these devices were identified by the facility as containing medical systems and therefore, per VA policy, fall under the medical device isolation architecture guidance. The OIG thus stands by its recommendation.

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Tuscaloosa VA Medical Center in Alabama because it had not been previously visited as part of the annual FISMA audit.The OIG’s information security inspections focus on four security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. During this inspection, the OIG found deficiencies with configuration management, security management, and access controls. Deficiencies in configuration management included critical-risk vulnerabilities that VA’s Office of Information and Technology did not identify, uninstalled patches, and unscannable database servers, all of which deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified a security management weakness concerning missing or insufficiently detailed action plans to address identified vulnerabilities. Weak access controls, such as missing logs, insufficient climate controls for communications equipment, and uninstalled backup power supplies, compromised the security and maintenance of the information system and its ability to withstand power disruptions.The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the facility because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections. The OIG also made two recommendations to the Tuscaloosa VA Medical Center director.

NASA’s plan to land humans on the Moon by the end of 2025 and send a crewed mission to Mars in the 2030s rest in part on significant participation and partnerships with international space agencies and their long-term commitments to the Artemis campaign. In this audit, we examined NASA’s efforts to partner with other space agencies on Artemis missions.

The VA Office of Inspector General (OIG) assessed allegations at the Richard L. Roudebush VA Medical Center (facility) that a newly trained interventional cardiologist was hired despite poor training and references. Further allegations claimed that the interventional cardiologist provided poor quality of care to patients and that facility leaders did not respond to staff concerns regarding this provider.The OIG did not substantiate that the interventional cardiologist was hired despite poor training and references, but identified deficiencies in the processes used to credential, privilege, and evaluate performance of the interventional cardiologist. Inexperienced staff used a third-party wage verification form instead of the required verification directly from the school or program director to verify completion of an interventional cardiology fellowship training program.The OIG did not substantiate that the interventional cardiologist provided poor quality of care to patients that resulted in adverse clinical outcomes. Despite staff complaints of clinical concerns related to the interventional cardiologist, none identified instances of adverse clinical outcomes related to poor patient care.The OIG did not substantiate that facility leaders failed to act on staff members’ concerns about the interventional cardiologist’s practice. As a result of multiple concerns shared with facility leaders by cardiology nursing staff, the interventional cardiologist’s cardiac catheterization laboratory privileges were suspended and a factfinding investigation was initiated. The OIG found that actions taken were not done timely.While not an allegation, the OIG determined that the volume of percutaneous coronary intervention (PCI) procedures performed at the facility was not sufficient to maintain interventional cardiologists’ competence and patient safety.Five recommendations were addressed to the Facility Director related to credentialing and privileging, mentoring newly trained interventional cardiologists, focused professional practice evaluations, factfinding investigations, and PCI procedure volume.

Florida residents Jean Barbier and Bryan DeCastro pleaded guilty to conspiracy to commit wire fraud on January 10, 2023, and January 17, 2023, respectively, in U.S. District Court, Southern District of Florida. Both defendants were employed by a company contracted by Amtrak to provide food services. Our investigation found that DeCastro fraudulently altered the timecards of Barbier and another individual to make it appear they worked more hours than they did, resulting in payment for hours they did not work. Barbier then paid DeCastro kickbacks for falsely inflating the timecards. Both defendants are scheduled to be sentenced on a future date.