Federal Reports

What We Looked AtTo support its mission to provide the safest, most efficient airspace system in the world, the Federal Aviation Administration (FAA) seeks to procure state-of-the-art systems, high-quality goods, and first-rate services. In 2017, for example, the Agency made over $4 billion worth of purchases—of which a range of $87 million to an estimated $1.7 billion could be subject to the Buy American Act (BAA) and the FAA-specific Buy American Preference provisions (BAP). In response to a congressional request, we initiated this audit to assess FAA’s policies and procedures for awarding and administering contracts in accordance with domestic content laws. Specifically, we evaluated FAA’s policies and procedures for (1) implementing Buy American requirements and (2) overseeing Buy American compliance. What We FoundFAA’s Acquisition Management System requires Buy American–applicable contracts to include specific clauses that direct vendors to certify the origins of goods or products and contracting officers (CO) to fully understand BAA and BAP requirements. However, we found Buy American–applicable contracts where COs had omitted or improperly applied the required clauses, lacked vendor certifications, or did not fulfill contract filing requirements—due to a lack of BAA- and BAP-specific guidance and training. As a result, we estimate that FAA may have put up to $127 million in Federal funds at risk due to contracts missing required vendor certifications. In addition, while Federal policy directed agencies to monitor, enforce, and comply with the Buy American Laws, FAA does not require its staff to assess and report on compliance, although it has tools available for this purpose. The Agency also lacks effective processes for recording “place of manufacture data” or for tracking usage of BAP waivers. As a result, FAA cannot be certain that it is meeting the intent of the Buy American Laws—to purchase American-made materials and goods to strengthen our economic and national security. Our RecommendationsWe made eight recommendations to improve FAA’s compliance and oversight for contracts subject to domestic content laws. FAA concurred with all eight recommendations, which we consider resolved but open pending completion of the planned actions.

We audited the Harris County Hurricane Harvey Community Development Block Grant Disaster Recovery (CDBG-DR) program. We initiated this audit as part of our commitment to helping the U.S. Department of Housing and Urban Development (HUD) address its top management challenges and to support HUD’s strategic objective to support effectiveness and accountability in long-term disaster recovery. Further, Congress has expressed strong interest in HUD’s disaster programs.Our objective was to assess the efficiency and effectiveness of Harris County’s Hurricane Harvey CDBG-DR program and whether the program was assisting disaster participants in a timely manner; specifically, to examine the status of its HUD-approved activities and challenges, if any, in implementing the activities.We found that Harris County had not efficiently or effectively operated its Hurricane Harvey CDBG-DR program. Specifically, 3 years after Hurricane Harvey, Harris County had assisted only 112 of 4,513 planned program participants and had spent less than 1 percent of its grant funds. Harris County’s challenges included an inability to effectively assist applicants and inefficiencies in its reimbursement program. These conditions occurred because Harris County was overwhelmed by the number of programs it intended to operate and its staff did not respond effectively to Texas General Land Office (Texas GLO) guidance and training. As a result, the Texas GLO reduced the number of Harris County’s programs and assumed control of $338.7 million (27 percent) of its $1.2 billion Hurricane Harvey grant suballocation.We recommend that the Director of the Office of Block Grant Assistance require the Texas GLO to (1) provide its plan to continuously monitor Harris County’s pace and performance in its remaining program and take appropriate action to ensure that program goals are met; (2) set performance and financial milestones for all programs and activities funded under Harris County’s subrecipient agreement; (3) monitor Harris County’s capacity to manage its funds and address duplicative, inefficient, and cost-prohibitive processes or positions; and, (4) review Harris County’s priorities for providing assistance to program participants. Implementation of these recommendations would include determining whether additional activities need to be combined or eliminated and repurposing additional grant funds if necessary.

DHS had not yet strengthened its cybersecurity posture by implementing a Continuous Diagnostics and Mitigation (CDM) Program. DHS spent more than $180 million between 2013 and 2020 to design and deploy a department-wide continuous monitoring solution but faced setbacks. DHS initially planned to deploy its internal CDM solution by 2017 using a “One DHS” approach that restricted components to a standard set of common tools. We attributed DHS’ limited progress to an unsuccessful initial implementation strategy, significant changes to its deployment approach, and continuing issues with component data collection and integration. As of March 2020, DHS had developed a key element of the program, its internal CDM dashboard. However, the dashboard contained less than half of the required asset management data. As a result, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time. Finally, we identified vulnerabilities on CDM servers and databases. This occurred because DHS did not clearly define patch management responsibilities and had not yet implemented required configuration settings. Consequently, databases and servers could be vulnerable to cybersecurity attack, and the integrity, confidentiality, and availability of the data could be at risk. We made three recommendations for DHS to update its program plan, address vulnerabilities, and define patch management responsibilities.

The Transportation Security Administration (TSA) did not manage the Recruitment and Hiring (R&H) contract in a fiscally responsible manner. Specifically, TSA did not properly plan contract requirements prior to awarding the contract and did not develop accurate cost estimates for all contract modifications. We recommended TSA establish a cross-functional requirements working group for planning and awarding the R&H re-compete efforts as well as other Personnel Futures Program contract requirements. The working group should develop a holistic and forward-thinking acquisition strategy, as well as implement a comprehensive process for reviewing and determining requirements. We also recommended TSA ensure Human Capital improves contract management activities including, but not limited to, requirements planning and realistic cost estimate development by obtaining additional expert resources or leveraging existing expertise. We made two recommendations to improve TSA’s contract management. TSA concurred with both recommendations.

This report contains information about recommendations from the OIG's audits, evaluations, reviews, and other reports that the OIG had not closed as of the specified date because it had not determined that the Department of Justice had fully implemented them. The list omits information that the Department of Justice determined to be limited official use or classified, and therefore unsuitable for public release.The status of each recommendation was accurate as of the specified date and is subject to change. Specifically, a recommendation identified as not closed as of the specified date may subsequently have been closed.