Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Justice
Audit of the Department of Justice's Compliance with the Geospatial Data Act of 2018 for Fiscal Years 2021 and 2022
The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Harlingen VA Health Care Center in Texas was meeting federal security guidance. The OIG selected the Harlingen center because it had not been previously visited as part of the OIG’s annual Federal Information Security Modernization Act audit of VA’s information security program and practices. The OIG team found deficiencies in the center’s component inventory, vulnerability management, and system life-cycle management. Specifically, the center had an inaccurate component inventory; unsupported versions of applications, missing patches, and vulnerable plug-ins; and critical or high-risk vulnerabilities in the network that had gone unidentified. Additionally, the inspection team found the system life cycle did not replace applications before they became unsupported. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended. The team also found the Harlingen VA Health Care Center was deficient in contingency planning. The center did not adequately plan for restoring local IT operations. Consequently, after a disaster, the center may not be able to readily restore all operations as they existed before. Further, the center had deficiencies in three access controls. Database managers did not adequately maintain log data for local databases, computer rooms and communications closets were not equipped with fire detection devices, and the center’s VA police computer room did not have a visitor access log. These deficiencies could impede the center’s ability to respond to incidents. The OIG made five recommendations to address the deficiencies.
This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs. We found the agency’s entity-level control environment was not designed in accordance with federal guidance at the beginning of the COVID-19 assistance programs. The agency allowed the third-party systems to be put into service without conducting the baseline assessments. With no baseline, the agency could not perform effective continuous monitoring. Also, we found that control processes did not identify, communicate, and capture privacy and identity risks on an enterprise-wide basis. We made 10 recommendations to strengthen the agency’s entity-level IT control environment. The areas addressed included cybersecurity risk and privacy controls, system development life cycle, continuous monitoring, and the supply chain risk management processes. SBA management fully agreed with seven recommendations, disagreed with two recommendations, and stated one recommendation was specific to the pandemic and will not likely be repeated. While the agency agreed to implement seven recommendations, management’s planned corrective actions did not fully address identified control issues.
The U.S. Postal Service uses the Time and Attendance Collection System (TACS) as the primary application to collect employee time and attendance data to capture the number of workhours employees spend working various Postal Service operations. This was a follow-up to our Timecard Administration audit issued December 9, 2020. In the prior audit we identified issues with disallowed timecard adjustments, management oversight, time collection devices replacement strategies, and TACS control deficiencies. We recommended management reiterate disallowed time policy; establish a formal oversight process to ensure periodic reviews of supervisors’ documentation supporting disallowed timecard adjustments; resolve system deficiencies that allow supervisors to bypass completing the time disallowance record in TACS; and procure and test new, automated time collection devices.
FHFA Could Enhance the Efficiency of the Agency’s Oversight of Enterprise Executive Compensation by Ensuring Sufficient Human Capital Resources and Updating Procedures