Federal Reports

Our objective was to evaluate the effectiveness of internal controls over the Postal Service’s annual capital property review at network distribution centers and processing and distribution centers. We judgmentally selected four network distribution centers and processing and distribution centers to conduct site visits.

Our objective was to determine whether DIA's Emergency and Extraordinary Expenses (EEE) were properly authorized and that reimbursements were properly supported. We issued our results in a classified report on September 29, 2023.

From February 28 to March 2, 2023, we conducted unannounced inspections of four U.S. Customs and Border Protection (CBP) facilities in the Laredo area, specifically three Border Patrol stations and one Office of Field Operations port of entry. Our inspection revealed instances of high time in custody in some Border Patrol holding facilities. We also found CBP faced challenges properly documenting and securing personal property. Three of the four facilities we inspected did not accurately track or record property on inventory logs or in the respective data systems. In addition, we found inaccurate data in detainee custody logs at all inspected CBP facilities.

U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.

For this year’s review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas — Identify, Protect, Detect, Respond, and Recover — to determine the effectiveness of their agencies’ information security program and the maturity level of each function area.1 The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, the NRC’s information security program must be rated Level 4 – Managed and Measurable.The audit included an assessment of the NRC’s information security programs and practices consistent with the FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for a sample of systems in the NRC’s FISMA inventory of information systems. Audit fieldwork covered the NRC’s headquarters located in Rockville, MD from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 – Managed and Measurable maturity level; therefore, the NRC has an effective information security program. Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective. We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.