Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Agency Reviewed / Investigated: Department of Veterans Affairs
Report Title: Inspection of Information Security at the VA Bedford Healthcare System in Massachusetts
The OIG conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA), or at facilities that previously performed poorly. The OIG selected the VA Bedford Healthcare System because it had not been recently visited as part of the annual FISMA audit.

The OIG's information security inspection focused on three security control areas: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies in all three areas.

Configuration management deficiencies included databases hosting personally identifiable information that were not monitored with quarterly compliance scans, increasing the risk of an undetected data breach. The team also found devices that did not meet VA baseline security configurations; these should have been updated with vendor-supported systems software during the standard system development life-cycle process.

Within security management, the OIG determined that special-purpose systems did not have an authorization to operate, and that the special-purpose systems at Bedford included one that warranted higher security levels. The OIG also identified deficiencies in the continuous monitoring of the Lynx Duress panic button system.

Finally, restricting physical access, monitoring physical access, and implementing appropriate physical and environmental controls were also deficient. At the Edith Nourse Rogers Memorial Veterans' Hospital, concerns were identified with badge and key access, hospital video surveillance of the server room and communications closet, and emergency power controls and proper grounding.

The OIG made five recommendations to the assistant secretary for information and technology and chief information officer, and four recommendations to the VA Bedford Healthcare System director in conjunction with the assistant secretary for information and technology.
The OIG is issuing this evaluation to assess whether the U.S. Small Business Administration (SBA) effectively implemented internal controls when using the U.S. Department of the Treasury's Do Not Pay (DNP) databases to detect and prevent payments of Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loans (EIDL) and grants to ineligible entities.

Despite implementing controls requiring loan officers to check DNP databases prior to approval of COVID-19 EIDLs and to give applicants 30 days to rectify any negative information received from DNP, the agency continued to award and disburse COVID-19 EIDL and grant funds to those listed in a DNP database without mitigating the negative information.

We recommended the agency review the 3,643 potential improper payments we identified and determine whether applicants can rectify the negative information; if not, we recommend the agency work to recover the funds.

SBA management partially agreed with our recommendation, stating they will review and address loans and grants in the child support population that had information on the application or credit report that was not previously addressed. For the remainder of the DNP population, management stated they will review those grants and loans with an alert in the file that was not previously addressed. Management's proposed corrective actions do not satisfy the recommendation to review the potentially ineligible loans and grants.
The FCC was compliant in 11 of its 13 programs that were susceptible to significant improper payments. The Universal Service Fund (USF) Lifeline (LL) program and the Affordable Connectivity Program (ACP) were each non-compliant with one of the 10 criteria of the Payment Integrity Information Act of 2019 (PIIA). The report presents five findings and five recommendations to address the audit findings. In its management response, the FCC concurred with four findings and non-concurred with one of the two noncompliance findings, the one related to the Lifeline program.
We rated the Department of Homeland Security’s information security program for FY 2023 as “effective,” according to this year’s reporting instructions. We based this rating on our evaluation of the Department’s compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems. As recommended by this year’s reporting instructions, we used a calculated average approach when determining the effectiveness of the domain, function, and overall program. DHS received a maturity rating of “Level 4 – Managed and Measurable” in the Identify, Protect, Detect, Respond, and Recover functions based on this year’s reporting guidance.