Federal Reports

According to the Federal Communications Commission, more than 18 million Americans currently lack basic broadband service. With a physical presence in nearly every community in the country, the U.S. Postal Service is uniquely situated to play a role in helping bring 5G and broadband service to those areas of the country currently unserved or underserved. The OIG found there are several potential partnership opportunities that would allow the Postal Service to help bring high-quality broadband to areas where it is currently lacking. These would include colocation of critical infrastructure at Postal Service facilities, positioning them as digital hubs and leveraging USPS resources to collect valuable data about broadband coverage in remote areas. Such an undertaking would serve to further cement the Postal Service’s already critically important role in American life.

The Office of Inspector General evaluated NASA’s management of the Stratospheric Observatory for Infrared Astronomy (SOFIA) Program relative to cost, technical performance, and scientific return.

Our evaluation revealed that the U.S. Department of the Interior did not deploy and operate a secure wireless network infrastructure, as required by National Institute of Standards and Technology (NIST) guidance and industry best practices. We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office using assembled portable test units we assembled for less than $200 and easily concealed in a backpack or purse. We operated these units with smartphones from publicly accessible areas and locations open to visitors.Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking. These attacks went undetected by security guards and IT security staff as we explored Department facilities and were highly successful—we intercepted and decrypted wireless network traffic in multiple bureaus.We also found that several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network. Because the bureaus did not have effective protective measures in place, such as network segmentation, we were able to identify assets containing sensitive data or supporting mission-critical operations. Further, we found that the Department:• Did not require regular testing of network security• Did not maintain complete inventories of their wireless network• Published contradictory, outdated, and incomplete guidanceThese deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide effective leadership and guidance to the Department and failed to establish and enforce wireless security practices in accordance with NIST guidance and recommended best practices. Without operating secure wireless networks that include boundary controls between networks and active monitoring, the Department is vulnerable to the breach of a high-value IT asset, which could cripple Department operations and result in the loss of highly sensitive data.We make 14 recommendations to strengthen the Department’s wireless network security to prevent potential security breaches, which could have a severe adverse effect on Department operations, assets, or individuals. In response to our draft report, the OCIO concurred with all 14 recommendations and stated that it is working to implement them.

The objective for this report was to assess the effectiveness of the company’s efforts to plan and coordinate track outages. Ineffective track outage planning and coordination can negatively affect the company’s ability to achieve its state-of-good repair goal, which can impact revenue, customer service, and its relationship with external stakeholders. We found that, starting in 2018, the company has built a more disciplined process to plan and coordinate major track outages, such as implementing new procedures to prioritize capital projects and to identify and plan for outages needed to accomplish them. The company has not, however, institutionalized certain practices that will likely improve the company’s track outage planning and coordination process. We found that the company 1) does not have a multi-year companywide track outage plan, 2) relies on outdated technology and software to build the outage plan which inhibits timely updates, and 3) has not clearly defined each departments’ unique role in coordinating the outage plan with commuter railroads and other external organizations. We recommended that the company incorporate a multi-year focus into its planning process, research options with the Information Technology department on ways to update its system and/or software tools, and clearly define departmental roles in coordinating the plan with affected external organizations.