Federal Reports

Our objective was to determine whether the U.S. Census Bureau has implemented adequate data collection procedures to ensure that American Community Survey (ACS) estimates are reliable. We found that the bureau did not effectively implement its data collection and quality control procedures to ensure that ACS estimates were reliable. We also found that the bureau did not sufficiently monitor ISR data collection procedures and did not effectively implement personal visit data collection and quality control procedures.  

The objective of this audit was to determine whether the Farm Credit Administration has designed and implemented appropriate controls over its Emergency Operations Center.

During fiscal year (FY) 2025, the Office of Inspector General (OIG) conducted cybersecurity reviews to determine whether the Department of Energy’s unclassified cybersecurity program was implemented in accordance with Federal and Department requirements. The OIG also performed the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, which included test work over controls related to information technology.

The management letter discusses the results of cybersecurity reviews conducted by the OIG in FY 2025 and the results of our Federal Information Security Modernization Act of 2014 evaluation.

The OIG issued 33 cybersecurity findings (including 13 repeat prior year findings) to Department sites and programs related to information technology controls. However, three of those prior year findings, along with their recommendations, are being tracked in other OIG issued reports. Additionally, the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, identified a significant deficiency related to access controls over various Department financial systems. The findings that led to the significant deficiency are included within this report.

The weaknesses occurred for a variety of reasons. For instance, deficiencies related to access controls occurred, in part, due to management not responding to changes in risks or identifying risks associated with inappropriate or unnecessary access to systems.

Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or unauthorized modification.

Our objective was to assess the progress of the National Oceanic and Atmospheric Administration (NOAA) in implementing the Geostationary Extended Observations (GeoXO) weather satellite program. We also evaluated NOAA’s efforts to address the risk of a future gap in geostationary observations, and we assessed the program’s risk management processes. 

We found that the GeoXO program has made adequate progress in its current phase of development and that it is achieving the desired technology maturity. However, NOAA should consider enhancing its continuity planning and risk management processes by (1) managing the risk of a continuity gap in geostationary satellite data, as the current series’s backup satellites are likely to reach the end of their lifespans before the first GeoXO satellite becomes operational, and (2) improving risk management processes to ensure the mission’s success.

The OIG conducted this audit to determine whether VHA national program offices provided effective oversight of contracted community-based outpatient clinics (CBOCs). The audit team found the offices did not effectively oversee contracted CBOCs because oversight ended after vendors were awarded contracts to acquire, furnish, and run the clinics. This left VHA without national oversight of the effectiveness of the contracts. VHA’s policies governing contracts for CBOCs did not incorporate all responsibilities required of a VHA program office: identifying emerging national issues, communicating with internal and external stakeholders, managing quality and compliance, and evaluating program effectiveness and efficiency. The policy omissions limited program offices’ ability to identify and implement solutions for national issues, such as contractors not meeting performance metrics, start-up (construction) costs keeping small businesses from competing for contracts, staff having to manually create patient rosters (monthly lists of patients for which contractors can invoice VA), and medical centers (which were supposed to oversee CBOC operations) not appointing adequately certified contract monitors. The problems the OIG audit team documented may have adversely affected care provided to veterans—sampled CBOCs provided healthcare services that scored below VHA’s overall performance metrics—and created administrative challenges for VA medical centers and contracting offices.

The audit team also found that, contrary to federal acquisition requirements, contract templates did not give contracting officers the option to include performance incentives. Without effective means to hold contractors accountable for performance, the contracting officers and VA medical centers accepted and paid in full for services that did not meet requirements.

The OIG made 12 recommendations, including to delegate program office oversight responsibilities, monitor contractor compliance with the contracts, develop consistent procedures for patient rosters, and work with the VA Office of General Counsel on start-up costs and incentives.