Federal Reports

The report contains an unmodified opinion on Commodity Credit Corporation’s (CCC) financial statements as of September 30, 2025, as well as an assessment of CCC’s internal control over financial reporting and compliance with laws and regulations.

The Reports Consolidation Act of 2000 requires the Executive Branch Inspectors General to identify and report annually on the top management challenges facing their agencies. The U.S. Government Publishing Office (GPO), Office of the Inspector General (OIG), also adopted this requirement as a best practice. 

Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls.  Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.

We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA.  However, we identified wording in the contract that could be improved to avoid potential confusion.  TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.

The report contains an unmodified opinion on Natural Resources Conservation Service’s financial statements as of September 30, 2025, as well as an assessment of NRCS' internal controls over financial reporting and compliance with laws and regulations.

The U.S. Consumer Product Safety Commission (CPSC) OIG retained KPMG, LLP (KPMG), an independent public accounting firm, to perform the independent audit of the CPSC’s financial statements for fiscal year (FY) 2025 in accordance with auditing standards generally accepted in the United States.  This report is contained in the CPSC’s Annual Financial Report which also contains the complete set of financial statements, management’s discussion and analysis, and required supplementary and other information.  KPMG found that the CPSC received a qualified or clean opinion.  However, the agency was found to have two material weaknesses, first identified in FY 2023; and one significant deficiency.

In accordance with the Reports Consolidation Act of 2000, the OIG reports annually on the most serious management and performance challenges the U.S. Department of Education (Department) faces. For FY 2026, we identified four management challenges the Department faces as it continues its efforts to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. These challenges are (1) oversight and monitoring of grantees, (2) Oversight & monitoring of student financial assistance programs; (3) data quality and reporting, and (4) information technology security. The report includes a summary of each challenge, a brief assessment of the Department’s progress in addressing each challenge, and shares information on further actions that, if properly implemented, could enhance the effectiveness of the Department’s programs and operations.

There continues to be an increased focus on supply chain risks in the Federal Government. In December 2020, the Government Accountability Office reported that a majority of the 23 agencies reviewed, which included the Department of Energy, had not implemented selected foundational practices for managing information and communications technology supply chain risks. In the Department’s case, information technology (IT) supply chain risk management (SCRM) is a particular challenge due to the diversity of its missions and decentralized operating environment.

We initiated this audit to determine whether the Department effectively managed its IT SCRM process.

We determined that the Department made progress in effectively managing its IT SCRM process, but opportunities for improvement existed to help ensure compliance with Federal and Department requirements. Specifically, we found issues related to the accuracy of the Department’s critical software inventory and insufficient assessments and reviews of potentially vulnerable suppliers. For example, the Department had not developed an accurate inventory of its critical software, which could have prevented it from protecting critical software, platforms, and data from unauthorized access. The Department also faced unknown SCRM risks because it did not always conduct assessments of technology acquisitions, including vendors with foreign ownership, control, or influence.

Without improvements to its SCRM process, the Department is vulnerable to potentially malicious, counterfeit, or vulnerable IT equipment or services. The inability to identify critical software quickly also places the Department at an elevated risk in the event of a compromise as it may be unable to rapidly respond to remediate vulnerabilities. Further, had entities routinely performed SCRM assessments and reviews, they may have increased awareness of supply chain risks involving certain vendors, resulting in different security decisions including implementing monitoring, conducting routine reviews of the vendor, or selecting a different vendor.

We suggest that the Department develop an accurate inventory of its critical software. In addition, we also suggest that three of the sites reviewed ensure that policies and procedures related to SCRM for IT acquisitions are developed and effectively implemented.