Federal Reports

The Department of Homeland Security Headquarters (HQ) did not adequately secure a non-Tier 1 High Value Asset (HVA) system used to support data analysis and reporting on DHS component operations, which rendered the system and its sensitive information vulnerable to cyberattacks. Although DHS HQ developed policies and procedures meant to reduce risks to sensitive information stored on the HVA system and effectively implemented certain controls, we determined the system did not meet security requirements.  We identified nine unique critical and high-risk vulnerabilities that appeared 182 times in the system and, through simulated cyberattack penetration testing, were able to exploit vulnerabilities.  The vulnerabilities we identified pose significant security risks, increasing the likelihood an attacker could gain access to sensitive information. These deficiencies demonstrate that DHS HQ needs to strengthen its management of the HVA system.  Ensuring the system complies with the Department’s security and privacy policies will better protect the sensitive information processed by the system.  Until these deficiencies are addressed, DHS HQ may not be equipped to protect the HVA system and cannot ensure it will be able to quickly respond to and recover from a cyberattack. 

The U.S. Postal Service has been transporting live, day-old poultry since 1918. “Day-old poultry” is defined as day-old chickens, ducks, emus, geese, guinea birds, partridges, pheasants, quail, and turkeys. As the primary shipper for these time-sensitive shipments, or “lives,” the Postal Service provides an essential service for hatcheries, farmers, feed stores, and backyard hobbyists. Last year, the Postal Service handled over 41 million lives through its air network alone.

To ensure safe, effective, and efficient transportation, the Postal Service requires mailers of live animals to comply with established guidelines. In turn, the Postal Service prioritizes shipment of lives through its processing and logistic networks.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to review allegations regarding internal endocrine consult management, endocrine clinic utilization, and patient access to gender-affirming hormone therapy (GAHT) at the VA Fayetteville Coastal Healthcare System (system) in North Carolina. The OIG also reviewed leaders’ awareness of and response to these concerns.

The OIG substantiated that the chief of medicine (COM) did not effectively manage internal consults. Specifically, the COM did not communicate endocrine consult management process changes to key stakeholders, did not process consults according to Veterans Health Administration (VHA) timeliness requirements, canceled a large volume of consults without communicating to sending providers, converted face-to face consults to e-consults without providing a mechanism for sending providers to communicate concerns, and delayed implementation of a required service line agreement. 

The COM’s deficient management of endocrine consults negatively impacted endocrine clinic utilization and resulted in provider-created workarounds and patients not receiving timely endocrine appointments. From February through early October 2024, patient access to GAHT was delayed because of the COM’s actions, resulting in adverse clinical outcomes. The OIG found the COM’s interpersonal communication skills did not reflect the high reliability organization (HRO) values of clear communication and respect for others, and negatively affected system staff across multiple services.

The OIG made one recommendation to the Veterans Integrated Service Network Director to review the leadership performance of the COM, and six recommendations to the System Director related to reviewing the endocrine consult management process, reviewing patients affected by delayed endocrine consults, ensuring service line agreements are developed, confirming effective utilization of endocrine clinic appointments, ensuring there is a process for monitoring and tracking clinic profile modification requests, and evaluating communication gaps between leaders to comply with HRO goals.

This Office of Inspector General (OIG) Healthcare Facility Inspection program report describes the results of a focused evaluation of the care provided at the West Palm Beach VA Healthcare System in Florida. 

This evaluation focused on five key content domains:
     •    Culture
     •    Environment of care
     •    Patient safety
     •    Primary care
     •    Veteran-centered safety net

The OIG issued no recommendations.

The Office of the Inspector General (OIG) found that the U.S. Nuclear Regulatory Commission (NRC) generally administered performance awards effectively; however, the OIG identified deficiencies in administering special act awards that require improvement. Specifically, the NRC granted special act awards frequently, often without sufficient justification, raising concerns about compliance with the policy criteria intended to recognize exceptional or superior achievements or contributions. In some cases, award justifications appeared to be duplicated, and some awards were miscoded in employee records, further highlighting weaknesses in award processing and documentation practices.
The NRC can improve the accuracy and consistency of its performance award determinations. The issues identified by the OIG included overlapping appraisal periods and failure to prorate awards for some part-time employees, resulting in noncompliance with award limits. In addition, time off was granted in excess of the NRC policy limits, underscoring the need to enhance oversight of time-off awards to prevent future occurrences.
The report makes nine recommendations to strengthen the documentation, justification, and oversight of awards to ensure compliance with applicable rules and agency policy.

An Amtrak coach cleaner based in New Orleans, Louisiana, signed a civil settlement agreement on September 22, 2025, with the U.S. Attorney’s Office, Eastern District of Louisiana. The employee agreed to pay $19,132.75 in restitution and a penalty of $4,497.25 related to the fraudulent receipt of a Paycheck Protection Program (PPP) loan. We found that the employee submitted an application containing false statements and information to qualify for the loan. As a result, the employee received a PPP loan in the amount of $16,452 to which she was not entitled.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General has identified concerns regarding the installation and use of unauthorized software, specifically jiggler software, on EPA computers and networks. Commonly referred to as “mouse jigglers,” jiggler software simulates activity on a laptop, preventing the laptop from entering sleep mode and locking out its user. After running network scans in two EPA regions in November and December 2024, the Agency discovered 120 employees and contractors using jiggler software.

Summary of Findings

Our investigation found that jiggler software could bypass the Agency’s Windows Installer settings, that some of the EPA’s information technology specialists believed they were exempt from the policy, and that other EPA employees and contractors installed the software without authorization. Furthermore, we discovered inconsistencies in how quickly the regional offices acted to remove the jiggler software after it was detected. The installation and use of unauthorized software on EPA computers and networks represent critical cybersecurity risks and ethics violations for the Agency.