Federal Reports

We have determined that the Corporation for National and Community Service’s (CNCS’s) information security program is NOT EFFECTIVE. CNCS has in place the basic information technology policies, procedures and system security documentation needed for effective cybersecurity. To progress beyond the current maturity level, the Corporation must consistently implement and monitor security controls. We continued to find severe vulnerabilities on the network. CNCS has still not fully implemented baseline security configuration settings specific to the existing information technology environment. Further, CNCS has not implemented multifactor authentication for information system users and administrators. These gaps limit the protection of CNCS systems and data, and may expose sensitive information, including Personally Identifiable Information (PII), to unauthorized access and use.The independent IG report offers 25 recommendations to assist CNCS in strengthening its information security program and reach an Effective rating. CNCS should undertake a strategic analysis of the government-wide metrics and the weaknesses identified in this evaluation, to develop a multi-year approach designed to realize steady, measurable improvements in information security in each of the component areas. Implementing such a plan will require CNCS to allocate sufficient resources, including staffing, and to be accountable for interim milestones in order to reach an overall Effective rating.

We conducted a series of OIG audits at four HHS Operating Divisions (OPDIVs) using network and web application penetration testing to determine how well HHS systems were protected when subject to cyberattacks.

DOJ News Release

We audited selected controls of the GrantSolutions and OneStream applications as part of the internal control assessments required for the fiscal year 2018 financial statement audit under the Chief Financial Officer’s Act of 1990. Our objective was to review the controls for compliance with U.S. Department of Housing and Urban Development information technology policies and Federal information system security and financial management requirements. The OIG has determined that the contents of this audit report would not be appropriate for public disclosure and has therefore limited its distribution to those officials listed on the report distribution list.

As part of our annual audit plan, we audited the tool controls at Sequoyah Nuclear Plant (SQN). Our audit objective was to determine if SQN is in compliance with the Tennessee Valley Authority’s (TVA) Nuclear Power Group Business Practice 226 (BP-226), Tool and Equipment Accountability. In summary, we determined SQN is not in compliance with BP-226. Specifically, we found (1) issues and returns of tools and equipment are not made in TVA’s Tool Management System, and periodic random inventories are not performed; (2) tool room access is not adequately controlled; and (3) a new tool tracking system TVA is planning to use cannot accommodate rigging requirements. TVA management agreed with our findings and recommendations.