Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Amtrak (National Railroad Passenger Corporation)
Governance: Quality Control Review of the Independent Audit of Amtrak’s Consolidated Financial Statements for Fiscal Year Ended 2017
Amtrak (the company) contracted with the independent certified public accounting firm of Ernst & Young LLP to audit its consolidated financial statements as of September 30, 2017, and for the year then ended, and to provide a report on internal control over financial reporting and on compliance and other matters. Because the company receives federal assistance, it must obtain an audit performed in accordance with generally accepted government auditing standards.
We evaluated the Department to determine whether it effectively follows the incident response lifecycle, as defined by the National Institute of Standards and Technology (NIST). We found that the Office of the Chief Information Officer (OCIO) had not fully implemented the capabilities recommended by NIST in its incident detection and response program. During internal threat simulation testing, most of our efforts to conduct reconnaissance, identify vulnerabilities, exfiltrate sensitive data, and communicate with known malicious command and control servers on the internet went unnoticed by the Department. The Department’s decentralized management and authority across the OCIO and bureaus, combined with the flattened internal networks, has eliminated many of the technical security boundaries within the Department’s network – essentially creating blind spots where the OCIO cannot detect malicious activity. Our emulation of malicious activity was successful, in part, because of these blind spots. The Department’s assignment of responsibilities between the OCIO and the bureaus emphasized the Department’s inability to detect and respond to these blind spots. The bureaus and offices had varying levels of capabilities, resources, and approaches to incident response. Even those with more incident response resources relied heavily on the OCIO for perimeter security controls and monitoring services, which were inconsistently shared with the bureaus. Since the OCIO did not establish the foundation necessary to successfully prepare for responding to incidents, the Department could not detect, contain, or recover from incidents in a timely manner. Without a centralized program, Department and bureau incident response teams did not have an effective roadmap outlining policies, procedures, and responsibilities for handling incident response activities.
We made 23 recommendations to help the Department improve its incident response program, so it can promptly detect and fully contain cyber threats to maintain the availability, confidentiality, and integrity of Department computer systems and data. The Department concurred with all of our recommendations and is working to implement them.
The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act) requires the Office of Inspector General to conduct an annual risk assessment and periodic audits on agency charge card programs. We conducted this audit to determine whether the Department of Homeland Security implemented internal controls to prevent illegal, improper, and erroneous purchases and payments. During fiscal year 2016, DHS reported spending approximately $1.2 billion in purchase, travel, and fleet card transactions. Although the Department has established internal controls for its charge card programs, the components we reviewed did not always follow DHS’ procedures. Our testing results of purchase, travel, and fleet card transactions revealed internal control weaknesses. Specifically, we found major internal control weaknesses that persisted at the United States Coast Guard and some control weaknesses within CBP’s Fleet Card Program.
Transmittal of the Final Report Assessing the Federal Trade Commission’s Compliance with the Federal Information Security Management Act for Fiscal Year 2017 (Redacted for public release)
Healthcare Inspection – Alleged Patient Aligned Care Team Wait Time and Funding Issues at the Monterey Community Based Outpatient Clinic, VA Palo Alto Health Care System, Palo Alto, California
The VA Office of Inspector General (OIG) conducted a healthcare inspection in response to an anonymous complaint alleging patients experienced extended wait times for primary care appointments and that funds intended to maintain or improve primary care services at the Monterey Community Based Outpatient Clinic (clinic), Monterey, California, were misused. The clinic is associated with the parent facility, VA Palo Alto Healthcare System (system), Palo Alto, California. The OIG substantiated that patients experienced extended wait times for clinic primary care appointments. The OIG found the number of new and established clinic primary care appointments taking 30 days or more to schedule increased from fiscal year (FY) 2016 to FY 2017. The OIG determined that clinic wait times for primary care appointments were negatively impacted by Patient Aligned Care Team (PACT) physician vacancies, PACT scheduling processes, and blocking PACT clinic appointments to allow providers to participate in workshops in preparation for opening the new expanded clinic (new clinic) that would serve active duty military members and veterans. The OIG also found a medical support assistant shortage, physician patient panel sizes over the recommended maximum, a reported large number of walk-in patients, and a history of minimal oversight. System and clinic leaders and PACT staff were unaware of adverse patient outcomes that occurred as a result of wait times for appointments. However, lengthy wait times could have negatively impacted patient outcomes. The OIG did not substantiate the misuse of clinic funding which was intended to maintain or improve PACT at the clinic. The OIG analyzed the direct and indirect costs for the clinic from FY 2014 through May 31, 2017, and found that funding had not substantially changed throughout this timeframe. The OIG found no evidence that the system misused PACT funding designated for the current or new clinic. The OIG made three recommendations.