Federal Reports

Objective: To report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution action.

Objective: To report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution action.

Objective: To report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution action.

The Department of Homeland Security's technology, procedures, and coordination were not fully effective to screen and vet non citizens applying for admission into the United States or asylum seekers whose asylum applications were pending for an extended period. Although U.S. Customs and Border Protection (CBP) deployed new technologies to enhance traveler screening, it could not access all Federal data necessary to enable complete screening and vetting of noncitizens seeking admission into the United States. In addition, CBP used varied and sometimes inconsistent inspection procedures for travelers arriving in vehicles at land ports of entry. Finally, CBP does not have the technology to perform biometric matching on travelers arriving in vehicles at land ports of entry.

Follow-Up and Close-Out of the Review of the FLRA's Contract File Management System

This report presents the results of our verification inspection of the U.S. Small Business Administration’s (SBA) corrective actions for the six recommendations from the Office of Inspector General (OIG) audit report SBA’s State Trade Expansion Program (Report 18-11).We initiated this verification inspection to follow up on the six recommendations and determine whether SBA’s corrective actions are still in place and effective. Accordingly, our objective was to determine the effectiveness of SBA’s corrective actions for 1) establishing performance measurements using the recipients’ reported data, 2) developing policies and implementing a process to ensure recipients report accurate and complete information, 3) clearly defining essential measurement criteria, 4) requiring State Trade Expansion Program applicants to include reimbursement and activity thresholds in their proposals, 5) enhancing the quarterly review process, and 6) increasing oversight of cooperative agreement recipients. We determined that recommendations 1, 2, and 3 were fully implemented; however, SBA management only partially addressed recommendations 4, 5, and 6. We will track management’s execution by reopening these three recommendations and will work with SBA to establish a target date for implementing corrective actions through the audit follow-up process.The Trade Facilitation and Trade Enforcement Act of 2015 (the Act) directed the U.S. Small Business Administration (SBA) to establish the State Trade Expansion Program (STEP). In FY 2023, STEP grant awards totaled $19.92 million.

The Veterans Health Administration (VHA) requires its medical facilities to use the Medical/Surgical Prime Vendor (MSPV) program’s distribution contracts for cost effective ordering and distribution of healthcare supplies. The VA Office of Inspector General (OIG) conducted this audit to assess the extent to which VHA medical facilities use the MSPV program.The OIG found that medical facilities did not always purchase through the program because items were often unavailable on the MSPV product list. Sometimes staff did not use the program before ordering from the open market, often from their own prime vendor, because the ordering system defaults to the previous supplier rather than the MSPV product list. Staff do not always report issues with the prime vendor or unavailable or back-ordered products, which some attribute to an ineffective reporting tool and quicker results through local workarounds. The OIG also found the program office and medical center leaders have not provided effective oversight, which may affect training and local leaders’ motivation to enforce the program’s use. In 2022, facilities spent about $865 million on supplies available through the MSPV program, but $353 million went for open market purchases instead of through MSPV. Had facilities purchased these through MSPV, VHA could have saved approximately $35.5 million. Finally, the MSPV product list did not include the majority of medical and surgical supplies facilities purchase; the OIG determined that medical facilities spent about $1.5 billion on items not available through MSPV.The OIG made nine recommendations to the under secretary for health, including to identify a VA owned system where staff can check product availability and price, review open market purchases, improve training on MSPV usage and tools, ensure staff report unavailable items, and increase items available through the program.

The Office of the Inspector General of the Intelligence Community Releases Its Semiannual Report (Oct 2023 – Mar 2024) to Congress

Why We Did This ReportThe U.S. Environmental Protection Agency Office of Inspector General initiated this audit based on a request from the U.S. Senate Committee on Homeland Security and Governmental Affairs. The objective of the audit is to assess the EPA’s preparation to implement the public notification requirements under section 2106 of the Water Infrastructure Improvements for the Nation Act. Summary of FindingsAt the time of our audit, the EPA was not ready to comply with the public notification requirements under section 2106 of the Water Infrastructure Improvements for the Nation Act. Although the Office of Water reported that it was in the process of developing a strategy, it had not developed a plan or milestones or provided guidance to help EPA regions, states, and water systems to be ready to comply with the notification requirements by the compliance date of October 16, 2024. The Office of Water also does not receive data in a timely manner to monitor lead ALE, oversee water systems’ compliance with the notification requirements, and provide the notices if water systems and states have not done so. Based on tap water samples reported in the EPA’s tracking system from January 2021 through March 2023, we identified 498 water systems with lead ALE, serving about 2.3 million people. With millions of people potentially affected by lead ALE, water systems, states, and the EPA must be ready to comply by October 2024.

What We Looked AtWe performed a quality control review (QCR) on the single audit that the Office of the Washington State Auditor/State Auditor's Office (SAO) performed for the City of Bellevue’s fiscal year that ended December 31, 2022. During this period, the City expended approximately $35.6 million from U.S. Department of Transportation (DOT) programs. SAO determined that DOT’s major programs were the Office of the Secretary of Transportation’s Transportation Infrastructure Finance and Innovation Act (TIFIA) loan program and the Federal Highway Administration’s Highway Planning and Construction Cluster.Our QCR objectives were to determine whether (1) SAO’s audit work complied with the Single Audit Act of 1984, as amended, the Office of Management and Budget’s Uniform Guidance, and the extent to which we could rely on the auditor’s work on DOT’s major programs and (2) the City’s reporting package complied with the reporting requirements of the Uniform Guidance.What We FoundSAO complied with the requirements of the Single Audit Act, the Uniform Guidance, and DOT’s major programs. We found nothing to indicate that SAO’s opinion on DOT’s major programs were inappropriate or unreliable. Additionally, we did not identify deficiencies in the City’s reporting package that required correction and resubmission. Accordingly, we assigned SAO an overall rating of pass.

Quality Review of FLRA OIG Audit Operations for the Period April 1, 2023 through March 31, 2024

The Tennessee Valley Authority (TVA) has two fixed wing aircraft (FWA) that are to be used for mission-related transportation and business travel. According to TVA Standard Programs and Processes (SPP) 32.041, Use of TVA Fixed Wing Aircraft, its FWA are to be used in support of TVA's mission and congressionally mandated programs, in alignment with TVA Board Practice the Federal Travel Regulation, and other pertinent regulatory governance. In 2018, we performed an audit of TVA’s FWA and found TVA was not complying with various federal regulations and TVA policies and procedures regarding the use of its FWA. Due to the high number of issues found during our previous audit, we performed this follow-up audit to determine if TVA is complying with applicable laws and regulations and TVA policies and procedures regarding the use of its FWA. Our audit scope included all flight legs by TVA’s FWA between January 1, 2021, and January 31, 2023.We determined TVA was not in compliance with federal regulations related to (1) performing cost comparisons, (2) obtaining management authorizations to fly, and (3) reporting appropriate flight data to the General Services Administration. Additionally, TVA was not in compliance with its policies and procedures regarding (1) approving exceptions to flight restrictions, (2) documenting flight authorizations and business justifications, (3) providing timely flight approvals, and (4) performing semi annual audits. In addition, we noted a lack of clarity in TVA policies and procedures regarding required use travel.

This report presents the results of our audit of mail delivery operations and property conditions at the Leon Station in Tallahassee, FL.

This report presents the results of our audit of the Tallahassee Processing and Distribution Facility.

This report presents the results of our audit of mail delivery operations and property conditions at the Westside Station in Tallahassee, FL.

The U.S. Postal Service’s mission is to provide timely, reliable, secure, and affordable mail and package delivery to more than 160 million residential and business addresses across the country. The U.S. Postal Service Office of Inspector General reviews delivery operations at facilities across the country and provides management with timely feedback in furtherance of this mission.

According to a nuclear industry peer organization, ensuring the right spare and replacement items are available when they are needed to support critical plant equipment is essential to minimizing equipment unavailability and optimizing generation. Nuclear Power Group Standard Programs and Processes 09.18.8, Equipment Obsolescence Program, defines obsolete equipment as an item in plant service no longer manufactured or otherwise difficult to procure and qualify. It establishes methods for (1) identification of obsolete items, (2) prioritization of obsolescence issues, and (3) resolution of obsolescence issues critical to plant reliability. Based on a previous evaluation that identified obsolescence issues negatively impacting equipment at the Tennessee Valley Authority’s (TVA) nuclear sites, we performed an evaluation of TVA Nuclear obsolete equipment to determine if TVA Nuclear was effectively managing obsolete equipment. We determined TVA Nuclear’s management of obsolete equipment could be improved. Specifically, we found (1) some obsolescence issues were not being proactively resolved, (2) proactive analytics and vulnerability reviews were not being performed, and (3) there was a lack of ownership and engagement in the obsolescence program. We also identified an opportunity for improvement related to prioritization of obsolescence issues.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.

NASA’s Commercial Lunar Payload Services (CLPS) initiative was designed to provide rapid, affordable, and frequent payload deliveries to the Moon via commercial lunar landers. In this report, we assessed NASA’s management of the CLPS initiative.

An audit of the NLRB mail ballot election procedures and internal controls

The OIG conducted this inspection from June 2023 to January 2024 to assess the stewardship and oversight of funds by the VA North Texas Health Care System. This inspection assessed the following financial activities and administrative processes to determine whether appropriate controls and oversight were in place: managerial cost accounting information, open obligations oversight, purchase card use, and inventory and supply chain management.Though the healthcare system used managerial cost accounting information to compare budgeted amounts to actual results as VA policy requires, that information was not used to make effective economic choices.Further, the OIG found the healthcare system did not always perform monthly reviews and reconciliations of open obligations to release unneeded funds. As a result, an estimated $14 million in open obligations were invalid, of which $12.2 million could have been put to better use. The healthcare system also was using funds from future obligations to pay for current-year services, which may have violated law and regulations.Purchase card transactions at the healthcare system were not always processed as required. The team sampled 66 transactions totaling about $292,000 from May 1, 2022, through March 31, 2023, and found 20 did not comply. The OIG also found 12 sampled transactions where healthcare system officials could have considered using a contract.Finally, the healthcare system could benefit from improving the efficiency of inventory oversight by ensuring inventory values are recorded accurately. The OIG also found the healthcare system did not conduct thorough supply chain management oversight or establish and follow inventory procedures.The OIG made eight recommendations to the healthcare system director and one to the Veterans Integrated Service Network 17 director. The recommendations address issues that, if left unattended, may eventually interfere with financial efficiency practices and the stewardship of VA resources.

The U.S. Postal Service is the second largest employer in the United States with over 640,000 employees and $2.15 billion in bi-weekly salaries. To provide employees with convenient access to their payroll, benefits, and personnel data, the Postal Service uses the LiteBlue portal. This web-based portal contains several human resources (HR) applications, including PostalEASE, which allows employees to establish direct deposits, create or modify payroll allotments, and update retirement and health benefits information. In October 2022, some employees entered their login credentials into several fake LiteBlue websites, allowing bad actors to obtain their login credentials and fraudulently reroute employees’ payroll direct deposits and create payroll allotments to bank accounts they controlled.

This report presents the results of our audit of mail delivery, customer service, and property conditions in the Minnesota-North Dakota District.

Why We Did This ReportThe U.S. Environmental Protection Agency Office of Inspector General conducted this evaluation to determine the financial capacity of the New Mexico Environment Department to manage its Infrastructure Investment and Jobs Act funding for the Clean Water State Revolving Fund Program. Summary of FindingsThe New Mexico Environment Department, or NMED, is sufficiently meeting the financial and organizational dimensions of capacity to manage and use its infrastructure funds for the Clean Water State Revolving Fund, or CWSRF, Program. However, the NMED faces stakeholder- and human-capital-related challenges that limit its capacity to effectively manage and use its CWSRF Infrastructure Investment and Jobs Act, or IIJA, funding. These challenges are compounded by the fact that the NMED is not fully staffed and has difficulty filling its vacancies. Should program participation increase, NMED staff may have difficulty managing the corresponding increase in the CWSRF workload.

We audited the U.S. Department of Housing and Urban Development (HUD), Office of Fair Housing and Equal Opportunity’s, implementation of Executive Order 13988, which President Biden issued to prevent and combat discrimination on the basis of gender identity or sexual orientation. We performed this audit to assess HUD’s progress in developing an action plan to implement the executive order. Our audit objective was to determine whether HUD had established and implemented a plan to prevent and combat discrimination based on gender identity and sexual orientation. HUD developed a proposed plan of action related to Executive Order 13988. According to HUD Office of General Council officials, HUD submitted its proposed plan to the White House Domestic Policy Council within 100 days of Executive Order 13988, thereby satisfying the requirements of the executive order. To implement its plan, HUD regional offices and Fair Housing Assistance Program agencies identified and notified almost all complainants who alleged gender identity or sexual orientation discrimination in accordance with its guidance. It also committed to the Equal Access Rule. As a result of developing and implementing the plan, HUD had reasonable assurance that its regional offices and FHAP agencies were properly identifying and addressing allegations of gender identity or sexual orientation discrimination in HUD programs and HUD-assisted housing and shelters.The report contains no recommendations.

The OIG conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the VA Bedford Healthcare System because it had not been recently visited as part of the annual FISMA audit.The OIG’s information security inspection focused on three security control areas: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies with all three areas.Configuration management deficiencies included databases hosting personally identifiable information not monitored with quarterly compliance scans, thereby increasing the risk of an undetected data breach. The team also found that devices not meeting VA baseline security configurations should have been updated with vendor-supported systems software during the standard system development life-cycle process.Within security management, the OIG determined that special-purpose systems did not have an authorization to operate and the special-purpose systems at Bedford included one that warranted higher security levels. The OIG also identified deficiencies with the continuous monitoring of the Lynx Duress panic button system.Finally, restricting physical access, monitoring of physical access, and implementing appropriate physical and environmental controls were also deficient. At the Edith Nourse Rogers Memorial Veterans’ Hospital, concerns were identified with badge and key access, hospital video surveillance of the server room and communications closet, and emergency power controls and proper grounding.The OIG made five recommendations to the assistant secretary for information and technology and chief information officer and four recommendations to the VA Bedford Healthcare System director in conjunction with the assistant secretary for information technology.

The OIG is issuing this evaluation to assess whether the U.S. Small Business Administration (SBA) effectively implemented internal controls when using the U.S. Department of the Treasury’s Do Not Pay (DNP) databases to detect and prevent payments of Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loans (EIDL) and grants to ineligible entities.Despite implementing controls requiring loan officers to check DNP databases prior to approval of COVID-19 EIDLs and provide applicants 30 days to rectify any negative information received from DNP, the agency continued to award and disburse COVID-19 EIDL and grant funds to those listed in a DNP database without mitigating the negative information.We recommended the agency review the 3,643 potential improper payments we identified and determine if applicants can rectify the negative information; if not, we recommend the agency work to recover the funds.SBA management partially agreed with our recommendation, stating they will review and address loans and grants in the child support population that had information on the application or credit report that was not previously addressed. For the remainder of the DNP population, management stated they will review those grants and loans with an alert in the file that was not previously addressed. Management’s proposed corrective actions do not satisfy the recommendation to review the potentially ineligible loans and grants.

The FCC was compliant in 11 of its 13 programs that were susceptible to significant improper payments. The Universal Service Fund (USF)-Lifeline (LL) program, and the Affordable Connectivity Program (ACP) were non-compliant with one of the 10 PIIA criteria. The report presents five findings and five recommendations to address the audit findings. In the Management Response, the FCC concurred on four findings and non-concurred on one of the two noncompliance findings, related to the Lifeline Program.

We rated the Department of Homeland Security’s information security program for FY 2023 as “effective,” according to this year’s reporting instructions. We based this rating on our evaluation of the Department’s compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems. As recommended by this year’s reporting instructions, we used a calculated average approach when determining the effectiveness of the domain, function, and overall program. DHS received a maturity rating of “Level 4 – Managed and Measurable” in the Identify, Protect, Detect, Respond, and Recover functions based on this year’s reporting guidance.

We rated the Department of Homeland Security’s information security program for FY 2023 as “effective,” according to this year’s reporting instructions. We based this rating on our evaluation of the Department’s compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems. As recommended by this year’s reporting instructions, we used a calculated average approach when determining the effectiveness of the domain, function, and overall program. DHS received a maturity rating of “Level 4 – Managed and Measurable” in the Identify, Protect, Detect, Respond, and Recover functions based on this year’s reporting guidance.

Why We Did This ReportWe are alerting the U.S. Environmental Protection Agency to the need to ensure that mobile devices for separating employees are properly preserved and timely accessible to the Office of Inspector General to prevent the loss of evidence and other relevant records. Summary The EPA OIG is conducting an administrative investigation of a senior official for alleged ethics violations. In 2024, we notified the EPA Office of Mission Support that the senior official intended to leave, or separate from, the Agency in 2024, and we requested that the OMS preserve the information on the senior official’s electronic devices. Upon the senior official’s separation 30 days later, the OMS received five electronic devices from the official but failed to retain the three mobile devices in a way that would allow us or the Agency to access the information stored on them. As a result, we have been unable to retrieve the information and any potential federal records on these devices that may be relevant to our investigation, including text messages, telephone contact lists, and other forms of messaging. We are concerned that this is not an isolated issue.

For our audit on U.S. Department of Commerce (Department) locality pay, our objective was to determine whether the Department ensures employees are paid the correct locality pay in accordance with applicable regulations and policy. We found that I. Department personnel did not timely initiate or process changes in employee duty stations and II. the Department could not demonstrate that all teleworking employees reported to the office as required by their telework agreements.

Objective: To determine whether the Social Security Administration oversees its employees’ outside employment to mitigate the risk of conflicts of interest and employee misconduct.

OIG reviewed and analyzed USDA default credentials vulnerability scans and followed up on a related prior audit recommendation. We also reviewed and evaluated the Department's policies and procedures, and we interviewed responsible USDA officials. OIG made three recommendations to OCIO and reached management decision on each of them.

The U.S. Postal Service performs a variety of operations, dependent on its vast information technology infrastructure. This infrastructure encompasses 761 systems that the Postal Service strives to maintain and secure from network attacks. In support of the Delivering for America plan, the Postal Service plans to invest in modernizing and enhancing cybersecurity technologies, but it is still managing outdated computing system hardware and software (legacy systems). Secure systems are imperative to uninterrupted operations and protecting Postal Service data.

Why We Did This ReportThe U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine the extent to which the Great Lakes Restoration Initiative grants support the EPA’s program goals for the Great Lakes. Summary of FindingsThe Great Lakes Restoration Initiative, or GLRI, grants we reviewed documented contributions to the EPA’s program goals for the Great Lakes, including protection of habitats, reduction of discharges of untreated stormwater, and management of invasive species. However, the GLRI grant recipients did not always include environmental justice outputs and outcomes in their final reports. GLRI grant recipients did not always report whether they achieved environmental justice-related activities in their final project reports, nor did EPA project officers monitor whether the GLRI grant recipients included all outputs and outcomes in their final project reports.

The Denali Commission Office of Inspector General issues its Semiannual Report to Congress summarizing the OIG's activities and accomplishments from October 1, 2023, to March 31, 2024.

Our Semiannual Report to Congress covering the period October 1, 2023 to March 31, 2024, features highlights of the OIG’s audit and investigations accomplishments during the past 6 months.

An AmeriCorps Office of Inspector General (AmeriCorps OIG) investigation found that AmeriCorps was inconsistent in how it handled allegations of misconduct by senior management and that AmeriCorps hired a third-party contractor to investigate allegations of financial mismanagement on the part of a senior manager without notifying OIG as required by AmeriCorps Policy 102.

Objective: To determine whether the Social Security Administration issued payments to beneficiaries who were deceased according to State Department records.

This report summarizes the oversight work performed by EAC OIG during the 6-month period ended March 31, 2024.

This statutory report presents the activities and accomplishments of the OIG from October 1, 2023, through March 31, 2024. The audits, investigations, and related work highlighted in the report are products of our mission to identify and stop fraud, waste, and abuse; and promote accountability, efficiency, and effectiveness through our oversight of the Department’s programs and operations.

The Inspector General Act of 1978 requires the Inspector General to prepare semiannual reports summarizing the activities of the Office of Inspector General for the preceding six-month period. The semiannual reports are intended to keep the Secretary and Congress fully informed of significant findings, progress the Agency has made, and recommendations for improvement.

The Semiannual Report to Congress for the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG). This report details the work of the OIG in the oversight of the CPSC for the first half of Fiscal Year (FY) 2024.

Our latest report to Congress highlights the OIG's successful work from October 1, 2023, to March 31, 2024.

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) conducted this self-initiated audit to assess the NCUA’s Bank Secrecy Act (BSA) program. The objectives of our audit included determining whether the NCUA: (1) adequately reviewed compliance with the Bank Secrecy Act during credit union safety and soundness examinations, (2)issued timely formal or informal enforcement actions to address Bank Secrecy Act-related violations, (3) tailored enforcement actions to address deficiencies identified during the supervisory process, (4) followed up on reported Bank Secrecy Act violations to ensure credit unions take appropriate corrective action before closure of the violation, and (5) appropriately referred significant Bank Secrecy Act violations and deficiencies to the Financial Crimes Enforcement Network, a bureau within the United States Department of the Treasury.

We announced two concurrent audits to determine whether First Responder Network Authority (FirstNet Authority) is ensuring that AT&T is achieving the desired results for device connection targets and Nationwide Public Safety Broadband Network (NPSBN) coverage for each state and territory. We separated these objectives into three components that include (1) the evolution of the desired results for device connection targets and network coverage as executed through contract modifications, (2) oversight of device connection targets, and (3) oversight of network coverage. This report focuses on the first component: FirstNet Authority’s modifications to the contract, to include the rationale behind those changes and whether FirstNet Authority had an effective process for documenting decisions it made concerning those modifications. We found that FirstNet Authority did not consistently adhere to federal and Departmental regulations or demonstrate it received adequate value in return when it changed NPSBN contract requirements.

The VA Office of Inspector General (OIG) issued the report VA Improperly Awarded $10.8 Million in Incentives to Central Office Senior Executives on May 9, 2024. Additional analysis has since raised concerns that the under secretary for health may have recommended critical skill incentives (CSIs) for at least 10 senior executives in the VA central office (VACO) who directly reported to him, and for whom he was therefore not authorized to act as the approving official. Because there were inconsistencies in available data on direct reports, the OIG released this supplemental memorandum to summarize information conveyed to the VA Secretary to further assess whether additional actions are warranted.The OIG also requested that VA provide information on whether any approving officials exceeded their authority in recommending or approving CSIs to VACO senior executives and factor the results into its action plans for implementing the related OIG report recommendations.

The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Financial Services Center (FSC) in Austin, Texas, as a follow-up to a 2021 inspection.The OIG focused on three control areas it determined to be at highest risk: configuration management, security management, and access controls. The OIG identified four deficiencies in configuration management controls, one in security management controls, and two in access controls; three of the deficiencies were seen during the 2021 inspection. The configuration management deficiencies were in vulnerability management and flaw remediation, database scans, database baseline configurations, and unsupported components. The FSC’s vulnerability management controls did not identify all network weaknesses. Additionally, operating systems were not supported by the vendor and security patches were missing. Evidence of scans for the FSC’s databases was not provided, and databases had vulnerabilities caused by configurations that deviated from an established baseline. Eighteen network switches were using operating systems that did not meet baseline security requirements, and six were not supported by the vendor. The FSC’s security management controls were found deficient in the monitoring of component inventory with a significant disparity between the number of devices on the network and those identified in the cybersecurity management service. The FSC’s deficiencies in access controls were in monitoring inappropriate or unusual activity and reviewing physical access logs.The OIG made eight recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the FSC. Four of these were also recommendations in the 2021 inspection.