Federal Reports

What We Looked AtThe Office of Management and Budget (OMB) requires Federal agencies to implement Information Security Continuous Monitoring (ISCM), which entails the near real-time detection of cybersecurity risks, threats, and malicious activity. ISCM enables agencies to more effectively address evolving, frequent, and increasingly aggressive cybersecurity attempts to compromise Federal information systems. A large number of systems at the Department of Transportation (DOT) contain sensitive data that require protection; accordingly, we initiated this audit. Our audit objectives were to assess (1) how DOT's ISCM program conforms to OMB and National Institute of Standards and Technology requirements and (2) the status and progress of DOT's implementation of its ISCM program. This review also supports our annual audit mandated by the Federal Information Security Modernization Act.What We FoundDOT's program lacks a procedure for verifying Federal Aviation Administration (FAA) performance data reported to OMB. While DOT has met the requirement to submit quarterly reports, we identified significant errors in one submission. The Department also lacks adequate procedures for providing accurate submissions to OMB. In addition, FAA has not yet completed phase 1 of the Continuous Diagnostics and Mitigation Program, which targets the management of cybersecurity assets and activities. Finally, FAA does not have procedures for reporting on or validating its Cross Agency Priority goal data and cannot be certain those data are accurate.Our RecommendationsDOT concurred with our three recommendations to improve its ISCM program.

The VA Office of Inspector General (OIG) conducted this audit to determine if VA and State Approving Agencies (SAAs) were effectively reviewing and monitoring education and training programs that enrolled Post-9/11 GI bill students to ensure only eligible programs participated. Prior OIG reports noted significant financial risks for these programs. Based on its review, the OIG estimated that 86 percent of SAAs did not adequately oversee the education and training programs to make certain only eligible programs participated. The OIG estimated that, without correction, the Veterans Benefits Administration (VBA) could issue an estimated $2.3 billion in improper payments to ineligible programs over the next five years. Oversight deficiencies occurred, in part, because VBA maintained it has a limited role for oversight of SAAs. Congress intended VBA to work cooperatively with the SAAs to ensure the quality and the effective administration of Post-9/11 GI Bill programs and to protect student and taxpayer interests. However, the former Executive Director of VBA Education Service stated that the SAAs were primarily responsible for the review, approval, and monitoring of programs, and that VBA was prohibited under Title 38 from exercising control over the SAAs. VBA maintained this position, even though it is authorized to establish and negotiate contracts with SAAs and to set requirements for the SAAs’ completion of program reviews, approvals, and monitoring in the terms and conditions of these contracts. The OIG recommended clarifying requirements for approvals, requiring periodic reapproval of programs, reporting schools with misleading advertising, strengthening compliance, revising program assessment standards, and confirming that SAA funding can support the recommended steps.

We audited American Family Housing’s special needs assistance program funds due to a hotline complaint alleging that the nonprofit used program funds for hotels, spas, raises, and bonuses not related to the program. Our objective was to determine whether the nonprofit administered its program funds in accordance with U.S. Department of Housing and Urban Development (HUD) requirements.We determined that the hotline complaint allegations had no merit. The nonprofit administered its program funds in accordance with HUD requirements for the expenses reviewed. The program expenses reviewed were supported and eligible.There are no recommendations.

The Trade Facilitation and Trade Enforcement Act of 2015 (TFTEA) requires U.S. Customs and Border Protection (CBP) to establish standard operating procedures (SOP) for searching, reviewing, retaining, and sharing information in communication, electronic, or digital devices at U.S. ports of entry. We determined that CBP’s Office of Field Operations (OFO) did not always conduct the searches at U.S. ports of entry according to its SOPs. Specifically, because of inadequate supervision to ensure OFO officers properly documented searches, OFO cannot maintain accurate quantitative data or identify and address performance problems related to these searches. These deficiencies in supervision, guidance, and equipment management, combined with a lack of performance measures, limit OFO’s ability to detect and deter illegal activities related to terrorism; national security; human, drug, and bulk cash smuggling; and child pornography.

The OIG investigated an allegation that a National Park Service (NPS) contractor in the U.S. Virgin Islands attempted to provide a cash bribe to an NPS employee. We also investigated allegations that a park supervisor influenced Government personnel to hire a family member as a contractor, that another supervisor prepared fraudulent Government documents to support an improper payment to a contractor, and that two supervisors received free personal work or discounts from a contractor in return for work or promises of work.We found that in June 2018, an NPS contractor gave an NPS employee $500 cash as an illegal gratuity for hiring him to do contract work at the park. The employee immediately reported the incident and turned the money over to the park’s acting superintendent, who provided it to our office.In addition, we found that a park supervisor gave the appearance of a conflict of interest when she told park staff about her family member’s qualifications, but we found no evidence the supervisor was directly involved in hiring the family member as a contractor.We further found that another supervisor failed to follow park guidance by preparing a micropurchase approval form after the contractor had been paid instead of completing the approval form before the work was completed. We did not, however, find that the payment was improper because the contractor performed the work. We found no evidence that two supervisors received free or discounted personal work from a contractor in exchange for work or promises of work.We presented our illegal gratuity finding to the U.S. Attorney’s Office for the District of the U.S. Virgin Islands, which declined prosecution.