Federal Reports

This report provides information on the U.S. Fish and Wildlife Service’s use of Inflation Reduction Act funding for listed species recovery efforts.

The OIG received a hotline allegation from a VA medical center employee regarding the improper sharing of sensitive information on VA’s internal network. The complainant reported that an employee could search for fellow employees on the internal network and find documents and emails that contained sensitive personal information. Among these documents were human resources paperwork, such as interview questions and reference checks, performance awards, and personally identifiable information for veterans getting surgery.

The OIG confirmed sensitive personal information was accessible by VA users who had no business need to access it. Furthermore, the OIG noted that the type of sensitive personal information accessible should not have been hosted on the systems it was found on, as the information exceeded the systems’ security authorizations. The OIG determined this was a national issue because the hosting systems are cloud based and the information was observable by any authorized VA employee, regardless of location.

To address the reasons for the improper sharing, the OIG recommended that the assistant secretary for information and technology 
   •    ensure facilities and programs remove unauthorized sensitive personal information from collaborative application sites such as SharePoint; 
   •    direct facilities and programs to standardize SharePoint administration, inventory and consolidate their SharePoint sites; 
   •    implement enforcement mechanisms such as recommended architecture to allow greater control of permissions and content; 
   •    expand roles and responsibilities for privacy officers and information system security officers; 
   •    implement automated tools to detect and correct improper sharing agencywide; and 
   •    mandate standardized training for SharePoint administrators and owners. 

The assistant secretary concurred with all recommendations, and the OIG agreed to close two recommendations after VA provided sufficient evidence of implementation. The four other recommendations remain open.

Our audit objective was to determine whether USPTO had an effective governance structure and processes in place to manage its AI tools. To meet our objective, we tested two of the six AI tools USPTO had in use when we began our audit. 

Overall, we found that USPTO has begun developing its AI workforce but should strengthen key organizational and system-level governance practices needed to effectively manage and oversee its AI tools. Specifically, USPTO:

• Has a governance structure that defines roles and responsibilities for key personnel, but should improve internal stakeholder involvement
• Should promote transparency on its AI tools to external stakeholders
• Does not have the specific, measurable objectives needed to define system success 
• Did not trace requirements or technical specifications to system objectives
• Does not have an AI-specific risk management plan

Together, these weaknesses increase the risk that USPTO will develop unreliable, untrustworthy AI systems. 
 

The Office of Inspector General performed an evaluation of an Agricultural Research Service (ARS) facility’s physical condition and security.

The Office of Inspector General is issuing this management advisory to bring to the U.S. Small Business Administration’s (SBA) attention possible security threats from personally owned devices accessing the agency’s information technology network from national and international locations with only a username and password.

We identified in our fiscal years 2023 and 2024 Federal Information Security Modernization Act assessments that SBA did not have multifactor authentication enabled for users to access the agency’s secure network. Relying on usernames and passwords alone greatly increases the risk of SBA data being accessed and exploited by cyber criminals and other bad actors. We also determined personally owned devices could access the SBA network from foreign locations, which is prohibited by SBA information technology policy.

We made five recommendations, and SBA management agreed with all five. All of the recommendations have been closed or resolved.

The Office of the Inspector General performed an audit of TVA’s transmission network cybersecurity.  The audit scope was limited to a specific type of connectivity within TVA’s transmission network.  The audit objective was to determine the level of cybersecurity in place for this type of connectivity.

We determined the connectivity within TVA’s transmission network had a high level of cybersecurity in place commensurate with the level of associated risk.  In addition, our testing of internal controls identified process improvements related to configuration management.  We recommend the Senior Vice President, Grid, update configuration management processes to improve periodic reviews.