Federal Reports

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted this self-initiated audit to assess the NCUA’s Bank Secrecy Act (BSA) program. The objectives of our audit included determining whether the NCUA: (1) adequately reviewed compliance with the Bank Secrecy Act during credit union safety and soundness examinations, (2)issued timely formal or informal enforcement actions to address Bank Secrecy Act-related violations, (3) tailored enforcement actions to address deficiencies identified during the supervisory process, (4) followed up on reported Bank Secrecy Act violations to ensure credit unions take appropriate corrective action before closure of the violation, and (5) appropriately referred significant Bank Secrecy Act violations and deficiencies to the Financial Crimes Enforcement Network, a bureau within the United States Department of the Treasury.

We announced two concurrent audits to determine whether First Responder Network Authority (FirstNet Authority) is ensuring that AT&T is achieving the desired results for device connection targets and Nationwide Public Safety Broadband Network (NPSBN) coverage for each state and territory. We separated these objectives into three components that include (1) the evolution of the desired results for device connection targets and network coverage as executed through contract modifications, (2) oversight of device connection targets, and (3) oversight of network coverage. This report focuses on the first component: FirstNet Authority’s modifications to the contract, to include the rationale behind those changes and whether FirstNet Authority had an effective process for documenting decisions it made concerning those modifications. We found that FirstNet Authority did not consistently adhere to federal and Departmental regulations or demonstrate it received adequate value in return when it changed NPSBN contract requirements.

The VA Office of Inspector General (OIG) issued the report VA Improperly Awarded $10.8 Million in Incentives to Central Office Senior Executives on May 9, 2024. Additional analysis has since raised concerns that the under secretary for health may have recommended critical skill incentives (CSIs) for at least 10 senior executives in the VA central office (VACO) who directly reported to him, and for whom he was therefore not authorized to act as the approving official. Because there were inconsistencies in available data on direct reports, the OIG released this supplemental memorandum to summarize information conveyed to the VA Secretary to further assess whether additional actions are warranted.The OIG also requested that VA provide information on whether any approving officials exceeded their authority in recommending or approving CSIs to VACO senior executives and factor the results into its action plans for implementing the related OIG report recommendations.

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Financial Services Center (FSC) in Austin, Texas, as a follow-up to a 2021 inspection.The OIG focused on three control areas it determined to be at highest risk: configuration management, security management, and access controls. The OIG identified four deficiencies in configuration management controls, one in security management controls, and two in access controls; three of the deficiencies were seen during the 2021 inspection. The configuration management deficiencies were in vulnerability management and flaw remediation, database scans, database baseline configurations, and unsupported components. The FSC’s vulnerability management controls did not identify all network weaknesses. Additionally, operating systems were not supported by the vendor and security patches were missing. Evidence of scans for the FSC’s databases was not provided, and databases had vulnerabilities caused by configurations that deviated from an established baseline. Eighteen network switches were using operating systems that did not meet baseline security requirements, and six were not supported by the vendor. The FSC’s security management controls were found deficient in the monitoring of component inventory with a significant disparity between the number of devices on the network and those identified in the cybersecurity management service. The FSC’s deficiencies in access controls were in monitoring inappropriate or unusual activity and reviewing physical access logs.The OIG made eight recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the FSC. Four of these were also recommendations in the 2021 inspection.