Federal Reports

Why We Did This ReportThe U.S. Environmental Protection Agency Office of Inspector General conducted this evaluation to determine the financial capacity of the New Mexico Environment Department to manage its Infrastructure Investment and Jobs Act funding for the Clean Water State Revolving Fund Program. Summary of FindingsThe New Mexico Environment Department, or NMED, is sufficiently meeting the financial and organizational dimensions of capacity to manage and use its infrastructure funds for the Clean Water State Revolving Fund, or CWSRF, Program. However, the NMED faces stakeholder- and human-capital-related challenges that limit its capacity to effectively manage and use its CWSRF Infrastructure Investment and Jobs Act, or IIJA, funding. These challenges are compounded by the fact that the NMED is not fully staffed and has difficulty filling its vacancies. Should program participation increase, NMED staff may have difficulty managing the corresponding increase in the CWSRF workload.

We audited the U.S. Department of Housing and Urban Development (HUD), Office of Fair Housing and Equal Opportunity’s, implementation of Executive Order 13988, which President Biden issued to prevent and combat discrimination on the basis of gender identity or sexual orientation. We performed this audit to assess HUD’s progress in developing an action plan to implement the executive order. Our audit objective was to determine whether HUD had established and implemented a plan to prevent and combat discrimination based on gender identity and sexual orientation. HUD developed a proposed plan of action related to Executive Order 13988. According to HUD Office of General Council officials, HUD submitted its proposed plan to the White House Domestic Policy Council within 100 days of Executive Order 13988, thereby satisfying the requirements of the executive order. To implement its plan, HUD regional offices and Fair Housing Assistance Program agencies identified and notified almost all complainants who alleged gender identity or sexual orientation discrimination in accordance with its guidance. It also committed to the Equal Access Rule. As a result of developing and implementing the plan, HUD had reasonable assurance that its regional offices and FHAP agencies were properly identifying and addressing allegations of gender identity or sexual orientation discrimination in HUD programs and HUD-assisted housing and shelters.The report contains no recommendations.

The OIG conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the VA Bedford Healthcare System because it had not been recently visited as part of the annual FISMA audit.The OIG’s information security inspection focused on three security control areas: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies with all three areas.Configuration management deficiencies included databases hosting personally identifiable information not monitored with quarterly compliance scans, thereby increasing the risk of an undetected data breach. The team also found that devices not meeting VA baseline security configurations should have been updated with vendor-supported systems software during the standard system development life-cycle process.Within security management, the OIG determined that special-purpose systems did not have an authorization to operate and the special-purpose systems at Bedford included one that warranted higher security levels. The OIG also identified deficiencies with the continuous monitoring of the Lynx Duress panic button system.Finally, restricting physical access, monitoring of physical access, and implementing appropriate physical and environmental controls were also deficient. At the Edith Nourse Rogers Memorial Veterans’ Hospital, concerns were identified with badge and key access, hospital video surveillance of the server room and communications closet, and emergency power controls and proper grounding.The OIG made five recommendations to the assistant secretary for information and technology and chief information officer and four recommendations to the VA Bedford Healthcare System director in conjunction with the assistant secretary for information technology.

The OIG is issuing this evaluation to assess whether the U.S. Small Business Administration (SBA) effectively implemented internal controls when using the U.S. Department of the Treasury’s Do Not Pay (DNP) databases to detect and prevent payments of Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loans (EIDL) and grants to ineligible entities.Despite implementing controls requiring loan officers to check DNP databases prior to approval of COVID-19 EIDLs and provide applicants 30 days to rectify any negative information received from DNP, the agency continued to award and disburse COVID-19 EIDL and grant funds to those listed in a DNP database without mitigating the negative information.We recommended the agency review the 3,643 potential improper payments we identified and determine if applicants can rectify the negative information; if not, we recommend the agency work to recover the funds.SBA management partially agreed with our recommendation, stating they will review and address loans and grants in the child support population that had information on the application or credit report that was not previously addressed. For the remainder of the DNP population, management stated they will review those grants and loans with an alert in the file that was not previously addressed. Management’s proposed corrective actions do not satisfy the recommendation to review the potentially ineligible loans and grants.

The FCC was compliant in 11 of its 13 programs that were susceptible to significant improper payments. The Universal Service Fund (USF)-Lifeline (LL) program, and the Affordable Connectivity Program (ACP) were non-compliant with one of the 10 PIIA criteria. The report presents five findings and five recommendations to address the audit findings. In the Management Response, the FCC concurred on four findings and non-concurred on one of the two noncompliance findings, related to the Lifeline Program.