Federal Reports

The VA Office of Inspector General (OIG) conducted this review to assess the merits of an allegation made to its hotline regarding misuse of a veteran’s funds. The daughter of a now-deceased veteran for whom no VA fiduciary was appointed alleged that staff of a state veterans home in California moved her father to a memory care unit without a diagnosis of impaired memory and took control of his funds. Although the veteran was transferred to the memory care unit, the OIG did not substantiate that staff moved him there without a diagnosis of impaired memory and took control of his funds. The Veterans Benefits Administration (VBA) electronic claims file contained a statement signed by a nurse practitioner at the home attesting to his cognitive decline, and the veteran’s death certificate listed the cause of death as cardiorespiratory arrest, progressive debility and decline, and cognitive decline.Concerning his finances, documentation revealed it was not the home but the state of California that took control of the veteran’s funds. The OIG found that neither a bank statement nor the direct deposit form submitted to VA listed the state veterans home as a joint account holder. A representative from the California Department of Veterans Affairs confirmed that the veteran’s funds were frozen to recover unreimbursed care costs. According to California law, the state has the authority to recover any unreimbursed costs of care from the personal property assets of veterans who die while residing in a state veterans home.The OIG made no recommendations but determined VBA had not finalized a decision regarding the veteran’s ability to manage his benefits payments, which might have led VA to appoint a fiduciary. The OIG addressed this in a separate management advisory memorandum to VA.

OIG is required by the Federal Information Security Management Act to assess SBA’s information security program every year. In FY 2020, SBA had an unprecedented volume of loan and grant applications because of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and other related pandemic legislation. As a result, the agency experienced new information security challenges. We tested a subset of systems in eight areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum. We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the eight domains. Based on tests of the eight information systems, we determined the results of each domain as follows:1. Risk Management — Defined2. Configuration Management—Defined3. Identity and Access Management — Consistently Implemented4. Data Protection and Privacy — Consistently Implemented5. Security Training — Defined6. Information Security Continuous Monitoring — Defined7. Incident Response — Managed and Measurable8. Contingency Planning — Consistently Implemented. We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.

The Office of the Inspector General (OIG) conducted an inspection of GPO’s Suspension and Debarment Program to understand its overall process, associated timelines, and evaluate the effectiveness of the dissemination of debarments inside and outside of GPO.