Federal Reports

This interim report presents the results of our self-initiated audit of mail delivery, customer service, and property conditions at the Ramona Main Post Office (MPO) in Ramona, CA (Project Number 22-062). The Ramona Main Post Office is in the California 6 District of the WestPac Area and services ZIP Code 92065, which serves about 35,349 people and is considered to be an urban community. We judgmentally selected the Ramona MPO based on the number of stop-the-clock (STC) scans occurring at the delivery unit, rather than at the customer’s delivery address.

This interim report presents the results of our self-initiated audit of mail delivery, customer service, and property conditions at the Downtown San Diego Station in San Diego, CA (Project Number 22-060). The Downtown San Diego Station is in the California District of the WestPac Area. The station services ZIP Code 92101, which serves about 36,785 people and is considered an urban community. We judgmentally selected the Downtown San Diego Station based on the number of stop-the-clock (STC)3 scans occurring at the delivery unit, rather than at the customer’s delivery address.

As required by the Inspector General Act of 1978 (as amended), this Semiannual Report summarizes the activities of the Department of Transportation Office of Inspector General for the preceding 6-month period.

Because key accounting policies were not adhered to, the EPA cannot ensure that $6.8 million in appropriated dollars went toward their intended purposes, potentially violating laws.

VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls.Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies.The team’s review of security management controls identified that the FSC did not have procedures for how to maintain systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so. Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems minimizes the FSC’s incident response capabilities. A lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission critical systems.The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.

VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls.Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies.The team’s review of security management controls identified that the FSC did not have procedures for how to maintain systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so. Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems minimizes the FSC’s incident response capabilities. A lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission critical systems.The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.