Federal Reports

To view the report, please click on the link below.

U.S. Customs and Border Protection (CBP) did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data without CBP’s authorization or knowledge, and compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack. While CBP and DHS took immediate action to mitigate the data breach, we attribute this incident to the subcontractor violating numerous DHS security and privacy protocols for safeguarding sensitive data. Consequently, this incident may damage the public’s trust in the Government’s ability to safeguard biometric data, and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry. We made three recommendations to aid CBP in addressing the vulnerabilities that caused the 2019 data breach, and to better mitigate future incidents through greater oversight of third-party partners. CBP concurred with all three recommendations.

OIG reviewed whether APHIS adequately administered the NVS to ensure it is prepared to respond to animal diseases affecting human health and the economy.

What We Looked AtWe performed a quality control review (QCR) on the single audit that Cherry Bekaert, LLP performed for the City of Charlotte’s (City) fiscal year that ended June 30, 2018. During this period, the City expended approximately $100 million from the U.S. Department of Transportation’s (DOT) grant programs. Cherry Bekaert determined that DOT’s major programs were the Federal Transit Cluster, the Airport Improvement Program, and the Highway Planning and Construction Cluster. Our QCR objectives were to determine (1) whether the audit work complied with the Single Audit Act of 1984, as amended, and the Office of Management and Budget’s Uniform Guidance, and the extent to which we could rely on the auditors’ work on DOT’s major programs; and (2) whether the City’s reporting package complied with the reporting requirements of the Uniform Guidance. What We FoundCherry Bekaert’s audit work complied with the requirements of the Single Audit Act, the Uniform Guidance, and DOT’s major programs. We found nothing to indicate that Cherry Bekaert’s opinion on each of DOT’s major programs were inappropriate or unreliable. However, we identified deficiencies in Cherry Bekaert’s audit work that should be corrected in future audits. In addition, we identified a deficiency in each of the City’s initial and revised reporting packages that required correction and resubmission.

We evaluated the National Park Service’s (NPS’) general agreements (GAs) to determine if the NPS oversees its GAs to ensure compliance with policies and governing laws.We found that the NPS did not oversee its GAs to ensure compliance with policies and governing laws. The NPS did not maintain a central inventory for its GAs and was unaware of the number of active GAs. Therefore, we selected three parks to review in the Intermountain Region: Yellowstone, Grand Teton, and Rocky Mountain.We found the NPS was misusing GAs at all three parks we reviewed, which is likely a result of the informal review process associated with these instruments. During our evaluation, we determined that the NPS used the GAs to provide financial assistance or transfer goods or services to non-Federal entities, in apparent contravention of policies and laws. Further, we noted that personnel who were not authorized to commit NPS resources signed the GAs that inappropriately transferred something of value, which puts the NPS at risk of unauthorized commitments. The NPS has neither provided clear, consistent guidance, nor provided training on how to develop and use GAs at the national level.We make five recommendations to help the NPS improve oversight of its GAs. Based on the NPS’ response to our draft report, we consider one recommendation unresolved, one recommendation resolved and implemented, and three recommendations resolved but not implemented. We will refer the recommendations to the Assistant Secretary for Policy, Management and Budget for resolution and to track implementation.

We reviewed 6 of the 11 recommendations from our 2018 evaluation report titled, The Bureau of Indian Education Is Not Ensuring That Background Checks at Indian Education Facilities Are Complete, to verify whether the Bureau of Indian Education implemented them.We confirmed that Recommendations 1 – 3 and 6 – 8 have been resolved and implemented.