Federal Reports

The Federal Information Security Modernization Act of 2014 (FISMA) requires each federal agency to develop, document, and implement an agencywide information security and risk management program. VA has made progress producing, documenting, and distributing policies and procedures as part of its program. VA still faces challenges, however, implementing components of its agencywide information security risk management program to meet FISMA requirements. This audit identified continuing significant deficiencies related to access, configuration management, and change management controls, as well as service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. The report includes 29 recommendations for improving VA’s information security program and an appendix addressing the status of prior recommendations and VA’s plans for corrective action. VA successfully closed four recommendations in FY 2017. The Executive in Charge for the Office of Information and Technology generally concurred with the recommendations and submitted adequate corrective action plans. The OIG will continue to evaluate VA’s progress during its audit of VA’s information security program in FY 2018, although the OIG remains concerned that ongoing delays in implementing effective corrective actions might contribute to the continued reporting of an information technology material weakness in this year’s audit of VA’s Consolidated Financial Statements.

The OIG investigated allegations that tribal officials manipulated statistical reports they submitted to the Bureau of Indian Affairs (BIA) to influence the amount of Federal funding received by the tribe. We also investigated allegations that tribal officials distributed Federal grant funds to ineligible clients, and that they terminated a former employee for notifying the BIA of potential fraudulent activities.We did not substantiate any of the allegations. We confirmed with BIA officials that the statistical reports they received from the tribe were accurate and did not have any effect on Federal funding to the tribe.We did find that tribal officials spent Federal grant funds to pay for a local cultural workshop that included some ineligible participants, however the Tribe subsequently used non-Federal tribal funds to fully reimburse the grant for the cost of the entire workshop.We found the former employee who claimed retaliation was employed in a temporary position which had expired. The tribe did not extend the terms of the position because the employee failed to meet the requirements for the position, and because their services were no longer needed.

We reviewed the process the DOI’s Executive Resources Board (ERB) used to reassign senior executives to determine whether the ERB complied with Federal legal requirements and U.S. Office of Personnel Management (OPM) guidance. Although the Deputy Solicitor expressed his belief that the process met all legal requirements, absent documentation, we could not independently determine whether or not the ERB complied with the Federal legal requirements governing the administration of the Senior Executive Service (SES). In addition, we found that the ERB did not follow OPM’s guidance for organizing and operating an ERB.The ERB—which was established to oversee the management of SES resources, to include position establishment, performance appraisals, executive development, and reassignments—reassigned 27 of its approximately 227 members of the SES between June 15, 2017, and October 29, 2017. We found that the ERB did not document its plan for selecting senior executives for reassignment, nor did it consistently apply the reasons it stated it used to select senior executives for reassignment. We also found that the ERB did not gather the information needed to make informed decisions about the reassignments, nor did it effectively communicate with the SES members or with most managers affected by the reassignments.As a result, many of the affected senior executives questioned whether these reassignments were political or punitive, based on a prior conflict with DOI leadership, or on the senior executive’s nearness to retirement. Many executives speculated that multiple reasons applied or believed their reassignment may have been related to their prior work assignments, including climate change, energy, or conservation.We made four recommendations that, if implemented, will improve the process for future reassignments. The Deputy Secretary concurred with all four recommendations. We considered one recommendation resolved and implemented, and three recommendations resolved but not implemented. We requested that the Deputy Secretary provide specific information to the Assistant Secretary for Policy, Management and Budget to track resolution and implementation.

The President's Emergency Plan for AIDS Relief (PEPFAR) was authorized to receive $48 billion in funding for the 5-year period beginning October 1, 2008, to assist foreign countries in combating HIV/AIDS, tuberculosis, and malaria. Additional funds were authorized to be appropriated through 2018.

Pursuant to the Federal Information Security Modernization Act of 2014, we reviewed the Department’s security program, including its policies, procedures, and system security controls for the enterprise-wide intelligence system. Since our FY 2016 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. In addition, the United States Coast Guard is in the process of migrating its intelligence users to a system that is jointly managed by the Defense Intelligence Agency and the National Geospatial Agency.