Federal Reports

The National Oceanic and Atmospheric Administration's (NOAA's) Office of Marine and Aviation Operations (OMAO) is overseeing the construction of new ships, known as Class B ships, to replace hydrographic survey ships that are nearing the end of their planned service lives. Shipbuilding is a complex, multistage industrial process that requires structured oversight and controls at each phase. If the existing hydrographic survey ships are not replaced on time, NOAA has estimated a loss of 90 to 100 percent of its charting and mapping capability for the country’s Pacific Islands and Tropical Pacific and West Coast regions by 2028.

Our objective was to assess the management and oversight of the Class B ship acquisition by OMAO. We found that OMAO’s acquisition planning did not fully account for the resources, requirements, and processes that are necessary to perform Government Contract Quality Assurance (GCQA) management and oversight tasks for a new shipbuilding program. Specifically, for its Class B ship construction, OMAO (1) did not fully develop and implement the necessary controls to conduct GCQA, (2) did not identify or develop the necessary personnel, skills, and experience to conduct GCQA, and (3) did not have a system or method to record and track quality deficiencies and observations. Correcting these issues is critical to ensure that the ship construction meets contract requirements and an acceptable level of quality.

We made five recommendations to help OMAO implement its quality assurance program for ship construction, address shortfalls in workforce planning and technical oversight, and ensure that quality assurance oversight metrics during ship construction are tracked and stored. NOAA concurred with our recommendations and is working to implement them.
 

The Cybersecurity Information Sharing Act of 2015 (Cybersecurity Act) requires agencies to develop processes and procedures to facilitate and promote the timely sharing of cyber threat information. It also requires the Office of Inspector General to report to Congress at least every 2 years on the sufficiency of information sharing policies, procedures, and guidelines.

We participated in a joint review led by the Office of the Inspector General of the Intelligence Community to assess efforts by seven executive agencies, including the Department of Energy, to implement Cybersecurity Act requirements related to policies and procedures, information sharing, and barriers.

Our evaluation determined that the Department had taken the actions necessary to implement the requirements of the Cybersecurity Act. Specifically, we found that policies and procedures related to the sharing of cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information. Officials also indicated that they were unaware of any violations by the Department regarding the failure to remove personally identifiable information related to a cybersecurity threat. In addition, Department officials informed us that security clearances were authorized for the purpose of sharing classified cyber threat indicators and defensive measures with the private sector. The Department also continued to share and receive cyber threat indicators using Automated Indicator Sharing capabilities during the period under review.

Although the barrier related to the quality of cyber threat indicators received from the Office of the Director of National Intelligence was mitigated since our 2023 evaluation, with the discontinued active feed of the Intelligence Community Analysis and Signature Tool, Department officials noted another barrier related to the quality of cyber threat indicators shared with the Department and industry partners. Specifically, information-sharing fatigue from the large quantity of cyber threat indicators was noted as an issue. While Department officials noted this barrier, we did not identify any associated impact to the sharing of threat indicators and defensive measures from calendar year 2023 through calendar year 2024.

Due to the Department’s continued implementation of the Cybersecurity Act, we did not make formal recommendations for improvement.

In fiscal year 2025, CPSC staff obligated funds, through various interagency agreements, without having properly delegated authority to do so.  Although we found no indicia of fraud, waste, abuse, or other criminal activity, the unauthorized obligations constitute non-monetary loss improper payments.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General initiated this project to summarize findings from prior EPA OIG reports on the EPA’s management of the Infrastructure Investment and Jobs Act funding for the 2022 Clean School Bus Rebates Program that could help inform the Agency’s decision-making when funding future programs.
 

Summary of Findings

We reviewed five previously issued EPA OIG reports related to the EPA’s 2022 Clean School Bus Rebates Program. From those, we identified two main issues with the program: the application and selection process and the management of funds. We also analyzed the 11 recommendations that we made to the EPA to address the deficiencies identified in those five prior reports. The Agency has completed or is in the process of implementing corrective actions for all 11 prior recommendations.

As required by the Inspector General Act of 1978 (as amended), this Semiannual Report summarizes the activities of the Office of Inspector General for the preceding 6-month period.

Our Objective(s) 

To assess whether FAA (1) has selected and implemented the required high-impact baseline security controls for its high-impact systems and (2) is mitigating potential vulnerabilities for its high-impact systems. 

Why This Audit 

FAA relies on critical information systems to meet its mission of safely and efficiently managing air travel in the United States. In August 2021, we reported that FAA had re-categorized 45 information systems as high-impact systems. Further, we found FAA was not holding its high-impact system owners responsible for remediating high-security baseline control weaknesses. Given our previous findings, and the potential risks to the National Airspace System (NAS) if high-impact baseline security controls are not fully implemented, we self-initiated this audit. 

What We Found 

FAA has begun selecting and implementing required security controls for its high-impact systems supporting the NAS, but gaps remain. 

• FAA has made progress but has not selected all required high baseline security controls for its systems that support the NAS. We found 15 of the 45 high-impact systems we reviewed had security controls selected under the outdated NIST SP 800-53 Revision 4 (Rev 4) standards, rather than the current Revision 5 (Rev 5) standards. 
• FAA has not fully implemented required security controls for systems that support the NAS. According to system documentation we reviewed, FAA had not fully implemented 1,836 (11.3 percent) of the 16,245 required controls for the 45 systems. 
• Some high-impact systems continue to have missing baseline security controls, according to their system documentation. 
• According to FAA, these gaps exist in part because of technical and other challenges with FAA's systems. Until these gaps are filled, these systems may be vulnerable to cyberattacks that could cause severe or catastrophic effects on the NAS. 

FAA does not fully track and mitigate all potential vulnerabilities for its high-impact systems in DOT's system of record. 

• FAA is not tracking and mitigating vulnerabilities within DOT's system of record, as required. As a result, FAA is not being fully transparent with the Department in identifying its vulnerabilities. 
• FAA has not ensured its security system documentation is fully updated with the status of all vulnerabilities. 

Recommendations 

We made 4 recommendations to mitigate the risks associated with not selecting and implementing all required high-baseline security controls and/or not fully mitigating potential vulnerabilities for FAA's 45 high-impact systems supporting the NAS. 

Note: The Department has determined that this report contains sensitive security information (SSI) that is controlled under 49 C.F.R. parts 15 and 1520. No part of this report may be disclosed to persons without a "need to know," as defined in 49 C.F.R. parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 C.F.R. parts 15 and 1520. Relevant portions of this public version of the report have been redacted.

In 2023, the Smithsonian Institution (Smithsonian) began a multi-year project to revitalize the Hirshhorn Museum Sculpture Garden. Smithsonian awarded a firm-fixed-price contract to address waterproofing, concrete decay and stormwater management problems, among other issues, for the Sculpture Garden. 

The Office of the Inspector General contracted with Sikich CPA LLC to determine whether the Smithsonian approved the contractor’s applications for payment in accordance with the terms and conditions of the contract.