Federal Reports

What We Looked AtThe Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies' information security programs and report the review results to the Office of Management and Budget (OMB). DOT's operations rely on 471 information technology systems, which represent an annual investment of approximately $3.6 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT's information security program and practices in five cyber function areas--Identify, Protect, Detect, Respond, and Recover.What We FoundIn all five function areas, DOT is at the Defined maturity level--the second lowest level in of maturity in the model for information security--because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, DOT still has policy gaps. We found a number of instances in which implementation of processes did not conform to policy.DOT's Identify, Protect, Detect, Respond, and Recover controls are currently inadequate. Identify controls include risk management, weakness remediation, and security authorization. Protect controls cover configuration management, identity and access management, data protection and privacy and security training. Detect controls identify cybersecurity incidents as part of information security continuous monitoring. Respond controls cover incident handling and reporting, and Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents.RecommendationsWe made 12 recommendations to help the Department address challenges in its development of a mature and effective information security program. DOT concurred with all 12 of our recommendations.

In accordance with our Annual Performance Plan Fiscal Year 2019, dated October 2018, the Office of Inspector General (OIG) conducted a performance audit of the United States Capitol Police (USCP or the Department) Dignitary Protection Division (DPD) payroll costs and compliance with annual pay limitations. OIG objectives were to (1) determine if the Department effectively monitors DPD payroll cost, and (2) evaluate Department compliance with annual pay limitations. Our scope included Department policies in effect as of December 31, 2018 and data requested from Calendar Years (CYs) 2016, 2017, and 2018. 

The Executive Office of the President’s Office of National Drug Control Policy, Accounting of Drug Control Funding and Performance Summary circular, requires federal agencies to submit annual performance-related information for National Drug Control Program activities. The circular also requires Inspectors General to evaluate reliability of assertions made in the agency’s report. The VA Office of Inspector General (OIG) reviewed whether VA has a system to capture performance information accurately and whether that system was properly applied to generate the performance data reported; VA offered a reasonable explanation for failing to meet performance targets and for any recommendations for meeting future targets; the methodology used for the current year is reasonable; and VA established at least one acceptable performance measure for each Drug Control Decision Unit for which a significant amount of obligations was incurred. The OIG did not identify anything that caused reviewers to believe VA lacked a system to accurately capture performance information or that the system was not properly applied to generate the performance data reported. The OIG is not expressing any opinion on the assertions in the submission because it conducted an attestation review, which does not require a concluding opinion. This report is one of two OIG publications that examine VA’s reporting requirements to ONDCP.

The Executive Office of the President’s Office of National Drug Control Policy, Accounting of Drug Control Funding and Performance Summary circular, requires federal agencies to submit an annual detailed accounting of their funds and activities related to the National Drug Control Program. The circular also requires Inspectors General to evaluate the reliability of assertions made in the agency’s report. The VA Office of Inspector General (OIG) reviewed VA management’s assertions concerning its drug methodology, application of methodology, reprogrammings or transfers, and fund control notices. A previous OIG report, Audit of VA’s Financial Statements for Fiscal Years 2018 and 2017, identified five material weaknesses that repeated from previous years’ reporting. CliftonLarsenAllen LLC identified two additional significant deficiencies while providing an unmodified opinion on VA’s Fiscal Year 2018 consolidated financial statements. Beyond the identified issues, the OIG believes that the assertions in the submission of this report are fairly stated in all material respects, based on the attestation review and the criteria set forth in the circular. The OIG is not expressing any opinion on the assertions in the submission because it conducted an attestation review, which does not require a concluding opinion. This report is one of two OIG publications that examine VA’s reporting requirements to ONDCP.