Federal Reports

Since the 1930s, the Buy American Act has required federal agencies to provide preferential treatment in its purchases of domestic end-products. The Postal Service is not subject to the Buy American Act, but prescribes a provision and clause for domestic preference when awarding supply contracts and has issued guidance for evaluating proposals offering domestic and foreign end-products in. The objective was to assess whether the Postal Service applied domestic preference requirements during the award of vehicle and vehicle parts contracts.

This report contains the results of our audit of the U.S. Consumer Product Safety Commission’s (CPSC) Occupant Emergency Program (OEP). The goal of an OEP is to safeguard federal personnel, visitors, property, and other assets.

Most Medicare claims that durable medical equipment suppliers submitted for replacement positive airway pressure (PAP) device supplies did not comply with Medicare requirements. Of the 110 claims in our sample that Medicare paid in 2014 and 2015, 24 complied with Medicare requirements; however, 86 claims with payments totaling $13,414 did not. On the basis of our sample results, we estimated that Medicare made overpayments of almost $631.3 million for replacement PAP device supply claims that did not meet Medicare requirements.

The U.S. Bureau of Reclamation (USBR) operates five hydropower dams categorized as critical infrastructure by the U.S. Department of Homeland Security. Our evaluation focused on the USBR’s operational and technical practices for protecting two of these dams, and the related industrial control system (ICS) it relies on to remotely control operations including, generators, gates, and outlet valves.We found the ICS at low risk of compromise from external cyber threats as our analysis of computer network traffic showed that the ICS is isolated from the internet and from USBR’s business systems and our analysis of ICS computer memory did not detect hidden malware or other indicators of compromise. The USBR’s account management and personnel security practices, however, put the ICS and the infrastructure it operates at high risk from insider threats. Specifically, we found that the USBR:• Failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts• Did not comply with password policies and failed to remove inactive system administrator accounts• Did not follow best practices recommending that personnel with elevated system privileges complete more rigorous background investigationsThese deficiencies occurred because USBR management failed to strengthen bureau risk management practices in response to rapidly escalating threats to critical infrastructure. An ICS breach could disrupt USBR operations and has the potential to adversely affect national security. We make five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to the ICS.

The OIG investigated allegations that officials from the Bureau of Reclamation (USBR) and the U.S. Department of the Interior, Office of the Solicitor (SOL), obstructed an administrative inquiry into alleged sexual misconduct by a USBR official. The complainant alleged that USBR and SOL officials withheld information, attempted to influence witnesses by holding meetings to discuss the inquiry, and tried to stop the inquiry. The complainant further alleged that these officials provided advice to the inquiry while also advising regional management on how to address the alleged misconduct. Finally, the complainant alleged that an SOL official made disparaging comments about their work product to USBR leadership because of the complaint.We found that two USBR officials omitted information during the administrative inquiry and that one also withheld a requested document. While we did not find evidence of improper involvement to influence or stop the inquiry, we did find that poor communication between the USBR and the SOL created confusion and mistrust regarding the roles and responsibilities of those involved with the inquiry. We confirmed that the SOL criticized some of the content in the report prepared by the complainant, which the SOL said included the complainant’s opinions, but we did not find evidence that any personnel actions were taken against the complainant.