Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Agriculture
COVID-19—Forest Service’s Response to the Coronavirus Pandemic at Recreation Sites
The lack of vulnerability scans increases the risk that vulnerabilities are not identified and remediated in a timely manner and could result in data loss or disruption to Agency operations.
The Federal Information Security Modernization Act of 2014 (FISMA) requires the Office of Inspector General to conduct an annual independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems. As part of that evaluation, the Office of Inspector General is required to assess the Department’s cybersecurity program according to FISMA security metrics issued by the Office of Management and Budget and the Council of the Inspectors General on Integrity and Efficiency. We conducted this evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected data and information systems. Our fiscal year 2022 FISMA evaluation determined that the Department, including the National Nuclear Security Administration, had not taken appropriate actions to address many previously identified weaknesses related to its unclassified cybersecurity program. Although actions were taken to close 23 of 61 recommendations from our prior evaluations, 38 recommendations remained open. We also issued 35 new recommendations, many of which were similar in type to the deficiencies identified in our previous reports. The weaknesses identified occurred for a variety of reasons. For instance, weaknesses related to system integrity of web applications generally occurred because the applications were configured without adequate security controls designed to reject malicious input. In addition, identity and access management weaknesses occurred because officials were unaware of, or had not implemented, current account management requirements. To correct the cybersecurity weaknesses identified throughout the Department, we made 73 recommendations (of which 38 were made during prior evaluations) to the Department’s programs and sites, including those identified during this evaluation and in other issued reports.
Specific recommendations were made to each of the locations where weaknesses were identified. Corrective actions to address each of the recommendations, if fully implemented, should enhance the Department’s unclassified cybersecurity program. Management concurred with all but two recommendations issued to programs and sites related to improving the Department’s cybersecurity program.
This report summarizes the results of the CliftonLarsonAllen (CLA) audit and contains four recommendations that will assist the agency in strengthening cybersecurity controls related to its firewalls and the Security Information and Event Management (SIEM) tool. NCUA management concurred with and has taken or planned corrective actions to address the recommendations.
The VA Office of Inspector General (OIG) conducted a healthcare inspection at the VA Black Hills Health Care System (facility) in Fort Meade and Hot Springs, South Dakota, to evaluate how facility leaders addressed an administrative investigation board’s (AIB) findings and recommendations. The OIG received complaints alleging failures in leadership and management, and misconduct and inappropriate relationships between leaders and staff and between clinical staff and patients within the Mental Health Service. In response, the former Facility Director convened an AIB and detailed two leaders out of the Mental Health Service, in compliance with VA policy. Prior to retirement, the former Facility Director met with the acting Facility Director to discuss the AIB report and advised that two action items required follow-up. The former Facility Director did not share the AIB report with other senior facility leaders, citing not enough time before retirement. As a result, a lapse of understanding and follow-up of the AIB’s recommendations occurred when the former Facility Director retired. After being contacted by the OIG, the acting Facility Director and other senior facility leaders read the AIB report and developed an action plan to address the 11 recommendations. The OIG confirmed that facility leaders were addressing each recommendation and taking steps to address the mental health leader and a staff member, who was a student at the time, identified within the AIB report as having inappropriate relationships with patients. The facility reported the mental health leader to the state licensing board. The facility did not independently verify that the student self-reported the inappropriate relationship to the state licensing board. The OIG made two recommendations to the Facility Director related to completing the action plan, and independently determining if the state licensing board should be notified.
Medicare Improperly Paid Providers for Some Psychotherapy Services, Including Those Provided via Telehealth, During the First Year of the COVID-19 Public Health Emergency
The VA Office of Inspector General (OIG) reviewed the administrative and clinical responses by facility leaders and staff to allegations of a patient’s report of sexual harassment at the VA Black Hills Health Care System (facility) in Fort Meade and Hot Springs, South Dakota. A patient participating in the Compensated Work Therapy program and the Transitional Residence program reported being sexually harassed by a food service coworker and subsequently died by suicide. The patient initially reported being sexually harassed to a Transitional Residence staff member while a permanent employee residing in a Transitional Residence house. Later that same year, the patient reported to the VA police that the sexual harassment began while participating in the Compensated Work Therapy program. Participants in Compensated Work Therapy and Transitional Residence programs are considered patients and not employees. The OIG determined facility leaders did not take administrative actions that aligned with policy when the patient reported being sexually harassed. Facility leaders understood that the interactions occurred after hours, off VA property, and between two employees, and therefore, no action could be taken. Although the Compensated Work Therapy and Transitional Residence program manager knew that the patient was a participant in the Transitional Residence program, and therefore considered a patient, the program manager took no action, such as speaking with the patient, upon learning of the patient’s report of sexual harassment. The OIG determined that the Transitional Resident staff member and counselor provided clinical support. The OIG made three recommendations related to the reviews of the sexual harassment policy and the actions of the Transitional Residence program manager, and to ensure that the facility policy addresses the safety and rights of patients who are both VA employees and participants in the Transitional Residence program.