Federal Reports

For our final report on our audit of the U.S. Census Bureau’s (the Bureau’s) Demographic Programs Directorate’s reimbursable surveys, our overall objective was to determine whether reimbursable surveys conducted by this directorate provided quality and reliable data to help sponsoring federal agencies make informed decisions. As part of this review we (1) determined whether quality metrics were met or exceeded, (2) determined whether quality assurance processes were working as intended, and (3) assessed the impact of data quality issues on survey sponsors. We found that while the Bureau has established controls along with performance and quality metrics to ensure the quality of survey data, it does not consistently follow or achieve them. Specifically, we found that I. the Bureau needs to improve performance management processes for reimbursable surveys; II. the Bureau needs to improve its quality assurance program for reimbursable surveys; and III. regional offices did not relieve FRs from survey data collection during falsification investigations and systematically track confirmed falsifications for use in future hiring decisions.

This report communicates the results of the Federal Trade Commission (FTC) Office of Inspector General’s (OIG) audit of the FTC progress on the implementation of Zero Trust Architecture.

To see our report, click on the link below

What We Looked AtOver the past 10 years, the Department of Transportation (DOT) and its Operating Administrations (OA) have increased their migration to and adoption of cloud computing based on Federal requirements. In May 2021, the President issued Executive Order 14028 to modernize Federal Government cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards zero trust architecture (ZTA). Given the administration's increased emphasis on cloud services, we initiated this audit. Our audit objectives were to assess the effectiveness of the Department's (1) cloud systems' security and privacy controls and (2) strategy to secure cloud services in order to implement ZTA.What We FoundDOT and its OAs do not consistently implement security and privacy controls to protect their cloud-based systems. First, the Department and several OAs did not effectively follow Federal requirements and best practices to protect their cloud systems from cyberattacks. Second, DOT does not always effectively manage and secure the computing resources for its cloud-based systems by using secure configuration baselines, implementing multifactor authentications, encrypting data, or updating software. Lastly, DOT does not consistently use the appropriate mechanisms to detect, mitigate, and report cyberattacks on the Department's and most of the OAs' cloud-based systems. As a result, DOT may not have visibility into cybersecurity incidents, exposing it to potential threats and security weaknesses. Furthermore, DOT lacks an effective strategy for securing its cloud services transition to ZTA because its current ZTA implementation plan does not include a proposed schedule or migration steps as required by Federal guidelines. This may cause DOT to miss key milestones for implementing ZTA by the end of fiscal year 2024. Therefore, the Department will not be well positioned to meet ZTA's intent to maximize security and minimize uncertainty of computing systems.Our RecommendationsWe made 21 recommendations to improve the Agency's cloud services program and transition its enterprise network to ZTA. DOT concurred with 19 of 21 recommendations, did not concur with 1 recommendation, and asked to close 1 recommendation. We consider 17 of 19 recommendations resolved but open pending completion of planned corrective actions and request DOT provide an updated response for the 2 other recommendations. We consider two recommendations unresolved and request the Agency reconsider its non-concurrence for the first recommendation and provide documentation to support closing the second recommendation.Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.