Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Office of Personnel Management
Audit of the Office of Personnel Management's Disputed Claims Process for Years 2018 Through 2020
As part of our annual audit plan, we audited costs billed to the Tennessee Valley Authority (TVA) by HJM Forest Resource Management Services, LLC (HJM) under Contract No. 15243 for vegetation management, initial clearing, and maintenance of TVA transmission line rights-of-way. Our audit objective was to determine if costs were billed in accordance with the terms of the contract. Our audit scope included about $16.5 million in costs billed to TVA from September 1, 2020, through December 31, 2022. In summary, we determined costs billed by HJM generally complied with the contract, except for $3,853 in overbilled labor costs due to ineligible premium overtime pay. (Summary Only)
We have completed our fiscal year (FY) 2023 Federal Information Security Modernization Act of 2014 (FISMA) penetration test and vulnerability assessment. The objective of this evaluation was to test and verify the technical implementation of a limited set of security controls on judgmentally selected U.S. Department of Housing and Urban Development (HUD) information systems and applications. HUD demonstrated successes in securely configuring networks and systems. The local area network (LAN) configurations in the Regional Office we tested ensured that our security testing tools could not operate properly, which prevents unauthorized use of security tools on network-connected devices. We also found that HUD improved its ability to detect active threats. HUD’s security information and event management solution detected one of our simulated malicious activities. Lastly, HUD made progress at addressing known vulnerabilities, as they mitigated a structured query language injection vulnerability on one of the web applications we tested. Our testing did identify potential security weaknesses within one of the tested systems. We exploited an authentication bypass vulnerability, reducing the effectiveness of HUD's least privilege, non-repudiation, and session auditing controls. Using a nonprivileged account, we discovered a plain text password file from 2003. This password file was not current, but a lack of encryption allowed us to learn password trends of users. We accessed privileged information on a HUD system without a privileged account. We discovered that a select number of HUD usernames can be associated with an employee’s identity, leading to a higher risk of additional attacks. We discovered some systems used unsupported or end-of-life operating systems. While we discovered strengths in some of HUD’s security posture, this evaluation revealed security weaknesses in one of the systems we tested which HUD should continue to improve.
This report issues recommendations that address the specific weaknesses we discovered. We also offer opportunities for improvement, which will not be formally tracked as recommendations, to help guide HUD in technical system improvements. Continued collaboration between OCIO and program offices will help address weaknesses and improve HUD’s overall security posture. The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Recommendation | Status | Date Issued | Summary
2023-OE-0001a-01 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-02 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-03 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-04 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-05 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-OE-0001a-06 | Open | December 20, 2023 | The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Closeout Financial Audit of Feed the Future Guatemala, Coffee Value Chains Project, Managed by Federación de Cooperativas Agrícolas de Productores de Café de Guatemala, Cooperative Agreement 72052018CA00001, January 1, 2022 to February 15, 2023
Investigative Summary: Findings of Misconduct by a then Drug Enforcement Administration Assistant Special Agent in Charge for Having an Inappropriate, Intimate Relationship with a Subordinate, Obstruction, Lack of Candor, and Related Misconduct