Federal Reports

Semiannual Report to Congress: Covering October 1, 2017 - March 31, 2018

Since the 1930s, the Buy American Act has required federal agencies to provide preferential treatment in its purchases of domestic end-products. The Postal Service is not subject to the Buy American Act, but prescribes a provision and clause for domestic preference when awarding supply contracts and has issued guidance for evaluating proposals offering domestic and foreign end-products in. The objective was to assess whether the Postal Service applied domestic preference requirements during the award of vehicle and vehicle parts contracts.

This report contains the results of our audit of the U.S. Consumer Product Safety Commission’s (CPSC) Occupant Emergency Program (OEP). The goal of an OEP is to safeguard federal personnel, visitors, property, and other assets.

Most Medicare claims that durable medical equipment suppliers submitted for replacement positive airway pressure (PAP) device supplies did not comply with Medicare requirements. Of the 110 claims in our sample that Medicare paid in 2014 and 2015, 24 complied with Medicare requirements; however, 86 claims with payments totaling $13,414 did not. On the basis of our sample results, we estimated that Medicare made overpayments of almost $631.3 million for replacement PAP device supply claims that did not meet Medicare requirements.

The U.S. Bureau of Reclamation (USBR) operates five hydropower dams categorized as critical infrastructure by the U.S. Department of Homeland Security. Our evaluation focused on the USBR’s operational and technical practices for protecting two of these dams, and the related industrial control system (ICS) it relies on to remotely control operations including, generators, gates, and outlet valves.We found the ICS at low risk of compromise from external cyber threats as our analysis of computer network traffic showed that the ICS is isolated from the internet and from USBR’s business systems and our analysis of ICS computer memory did not detect hidden malware or other indicators of compromise. The USBR’s account management and personnel security practices, however, put the ICS and the infrastructure it operates at high risk from insider threats. Specifically, we found that the USBR:• Failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts• Did not comply with password policies and failed to remove inactive system administrator accounts• Did not follow best practices recommending that personnel with elevated system privileges complete more rigorous background investigationsThese deficiencies occurred because USBR management failed to strengthen bureau risk management practices in response to rapidly escalating threats to critical infrastructure. An ICS breach could disrupt USBR operations and has the potential to adversely affect national security. We make five recommendations to help the USBR improve the security posture of its critical dams by mitigating insider threats to the ICS.