Federal Reports

Why We Did This Report

Under the Infrastructure Investment and Jobs Act, or IIJA, the U.S. Environmental Protection Agency was provided with over $60 billion in appropriations for Agency programs, including the Clean Water and Drinking Water State Revolving Fund Programs, the Superfund Program, geographic programs, and more. Since the IIJA’s enactment, the EPA Office of Inspector General has been conducting timely and relevant oversight to ensure that IIJA funds—taxpayer dollars—are used effectively. Our fourth annual IIJA progress report covers February 1, 2025, through January 31, 2026, and provides an update on our oversight of the EPA’s use of IIJA funds.

Summary of Findings

During the period covered in this report, the OIG issued seven audit reports, six evaluation reports, and two audit follow-up reports related to the Agency’s IIJA activities. In addition to examining initial implementation, we have increasingly focused on how the Agency is managing and overseeing IIJA funds that have already been awarded. In this report, we highlighted Agency accomplishments and identified key challenges, including gaps in the EPA’s guidance, oversight, timely fund utilization, recipient capacity, and data quality that risk slowing and undermining IIJA outcomes.

This memorandum provides the final results of the Office of Inspector General’s (OIG) risk assessment of the U.S. AbilityOne Commission’s (Commission) Government Purchase Card (purchase card) program for fiscal year (FY) 2025.  The OIG concluded that the risk of illegal, improper, or erroneous use in the Commission’s purchase card program is low.  As a result, an audit of the Commission’s purchase card program is not warranted.

The objective of the risk assessment was to analyze and identify the risks of illegal, improper, or erroneous purchases and payments within the Commission’s purchase card program, to determine whether an audit is warranted or make recommendations and identify areas of risk that the Commission could improve to strengthen its purchase card program. 

We found that controls existed to ensure Ohio did not use SNAP administrative funds for participant benefits; however, our analytics of FY 2024 participant data identified 17,000 out of 917,000 households had anomalous data, representing $13.3 million in questioned costs.

Identifying and resolving security flaws and weaknesses in IT infrastructure—known as vulnerability management—helps prevent cyberattacks, data breaches, and system disruptions. The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST), provides data for vulnerability management to cybersecurity professionals in the public and private sectors. A backlog of unprocessed vulnerabilities began in February 2024 and continued to grow, undermining the NVD’s utility and public trust.

Our objective was to evaluate the effectiveness and sustainability of NIST’s processes for managing cybersecurity vulnerabilities submitted to the NVD, including the long-term effectiveness of NIST’s strategy for reducing its vulnerability backlog and its measures to prevent future processing delays. NIST considers the NVD a key piece of the U.S. cybersecurity infrastructure, but its actions to resolve the growing backlog did not reflect that characterization. We found that NIST did not have sustainable processes to manage NVD submissions and would be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes.

We made six recommendations to help NIST manage and establish priorities for the NVD, improve the efficiency and sustainability of enrichment processes, and ensure the best use of government resources.