Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Veterans Affairs
VA Applications Lacked Federal Authorizations, and Interfaces Did Not Meet Security Requirements
The Federal Risk and Authorization Management Program (FedRAMP) standardizes security and risk assessments for cloud technologies for federal agencies, including VA. In April 2019, the VA Office of Inspector General (OIG) received allegations that VA’s Office of Information and Technology’s (OIT’s) Project Special Forces (PSF) was not following FedRAMP policies or VA policy for deploying software-as-a-service (SaaS) applications. The OIG found that OIT granted security authorizations for applications that were not authorized by FedRAMP. Eight of the nine applications cited by the complainant were in use on the VA network—some without FedRAMP or VA authorization. Another three applications were approved to operate on VA’s network without FedRAMP authorization. The OIG did not substantiate that PSF-developed applications were improperly managed outside the VA Enterprise Cloud group. However, PSF did not follow VA security requirements in developing interfaces that allow third parties to “plug into” the VA to send and retrieve data. OIT personnel stated that there was no formal OIT authorization process until April 2019. After that date, the review team did not find instances of VA-authorized applications without FedRAMP authorization. OIT staff also misunderstood the FedRAMP authorization requirements for SaaS applications containing data classified as less sensitive. Failure to comply with FedRAMP standards increases the risk that VA and veterans’ data could be compromised. The OIG made four recommendations to the acting chief information officer: (1) to determine whether to prevent use of the unauthorized SaaS applications and (2) whether the reviewed applications should be authorized or reported to the Federal Chief Information Officer.
The remaining recommendations were (3) to implement alerts for interface-related abuse and (4) to either use application programming interfaces that transmit sensitive information and requirements for cross-origin resource sharing or seek exceptions to the standards. VA concurred with all recommendations.
While conducting fieldwork for our International Mail Operations and Performance Data project, we found significant operational delays of international outbound (export) packages. Operations were significantly challenged at the Postal Service’s five ISCs due to a large number of export packages identified as having insufficient AED. Postal Service data showed nearly 2.9 million pieces with missing AED between January and August 2021. We also found significant processing delays of some export packages identified with insufficient AED.
The OIG conducted a performance audit to determine whether the FTC’s contracting officer’s representative (COR) program is operating in compliance with federal requirements and FTC policies and procedures.
DOJ Press Release: Three South Florida Men Sentenced for Conspiring to Launder Fraudulently Obtained Covid-19 Relief Money and Proceeds from Business Email Compromise Schemes
For our final report on the evaluation of the United States Patent and Trademark Office’s (USPTO’s) patent examination process, our objectives were to (1) assess whether patents are examined in compliance with applicable statutes, regulations, and case law; (2) identify deficiencies within the examination process impacting the quality of patents granted; and (3) identify areas for improvement within the examination process to increase its effectiveness and efficiency. We contracted with The MITRE Corporation (MITRE)—an independent firm—to perform this evaluation. Our office oversaw the progress of this evaluation to ensure that MITRE performed the evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation (December 2020) and contract terms. However, MITRE is solely responsible for the attached report and conclusions expressed in it.
HHS-OIG's Semiannual Report to Congress describes OIG's work identifying significant risks, problems, abuses, deficiencies, remedies, and investigative outcomes relating to the administration of HHS programs and operations that were disclosed during the semiannual reporting period April 1, 2021, through September 30, 2021.
1. Evaluate Library Services and OCIO's project management and software development practices using the U.S. Government Accountability Office's Schedule Assessment Guide, Cost Estimating and Assessment Guide, and Software Development: Effective Practices and Federal Challenges in Applying Agile Methodologies.
2. Evaluate and conclude on whether the representation of the project in Library Services is comprehensive and sufficient with regard to scheduling Library Services staff activities to support the implementation.
What OIG Found:
- Required project management cost and risk documentation was not adequately completed for Audio Visual Collection Management System
- Office of the Chief Information Officer did not adequately define and document a System Development Life Cycle implementation methodology for Audio Visual Collection Management System
- Incomplete Risk Register for the Audio Visual Collection Management System Project Risks
What OIG Recommends:
- Finalize cost estimates (based on current estimates at completion) as the current baseline to facilitate performance management metrics through completion of the Audio Visual Collection Management System project.
- Develop and implement required project documentation, specifically the cost estimating spreadsheet and cost estimating document, following applicable guidance for the Audio Visual Collection Management System project.
- Develop and implement required project documents, specifically the sensitivity analysis and risk assessments following applicable guidance for the Audio Visual Collection Management System project.
- Review and update the Audio Visual Collection Management System project charter to accurately reflect the implementation methodology and approval for this project.
- Review and update the project management plan to include the required details of a hybrid methodology.
- Reperform the project charter review checklist to ensure all checklist requirements are met and that the project meets Project Management Office quality standards.
- Ensure the Project Manager oversees the immediate completion of the project risk register for the Audio Visual Collection Management System project.
Financial Audit of USAID Resources Managed by Ministry of Health and Social Welfare Senegal Under Multiple Implementation Letters, January 1 to December 30, 2019