Federal Reports

We performed a wireless penetration test of select Centers for Medicare & Medicaid Services' Data Centers and facilities to determine whether CMS's security controls over its wireless networks were effective.

Overall, the Department continues to implement changes to strengthen its enterprise-wide information security program. However, opportunities were identified that will allow HHS to continue to enhance its enterprise-wide information security program. We identified several reportable exceptions in the Department's security program. Areas for improvement were identified in the Department's Continuous Monitoring Management, Configuration Management, Identity and Access Management, Incident Response and Reporting, Risk Management, Security Training, Plan of Action and Milestones, Remote Access Management, Contingency Planning, and Contractor Systems.

For the time period reviewed, we found that the Pennsylvania Department of Labor and Industry, Office of Vocational Rehabilitation (Pennsylvania) had adequate internal controls to provide reasonable assurance that the data it reported in its Case Services Report (RSA-911) were complete, but it did not have adequate internal controls to ensure that the data were accurate and adequately supported. Specifically, we found that Pennsylvania lacked policies and procedures to require verification of the data entered into participants’ case files and for its RSA-911 reporting process and lacked an adequate monitoring process to ensure that data were accurate and required documentation was maintained in participant case files. In addition, we found that Pennsylvania did not have written policies and procedures for its RSA-911 reporting process. Our testing of data that Pennsylvania reported to the Rehabilitation Services Administration (RSA) found a significant number of unverifiable data entries for data elements that RSA used to calculate Pennsylvania’s performance indicator results. Consequently, we have no assurance that the performance indicator results that RSA calculated were reliable.

This is a publication by GAO's Inspector General that concerns internal GAO operations. This report addresses the extent to which GAO identifies and collects student loan repayment (SLR) debts from former employees who did not fulfill their 3-year service agreements.