Federal Reports

From February 28 to March 2, 2023, we conducted unannounced inspections of four U.S. Customs and Border Protection (CBP) facilities in the Laredo area, specifically three Border Patrol stations and one Office of Field Operations port of entry. Our inspection revealed instances of high time in custody in some Border Patrol holding facilities. We also found CBP faced challenges properly documenting and securing personal property. Three of the four facilities we inspected did not accurately track or record property on inventory logs or in the respective data systems. In addition, we found inaccurate data in detainee custody logs at all inspected CBP facilities.

U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.

For this year’s review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas — Identify, Protect, Detect, Respond, and Recover — to determine the effectiveness of their agencies’ information security program and the maturity level of each function area.1 The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, the NRC’s information security program must be rated Level 4 – Managed and Measurable.The audit included an assessment of the NRC’s information security programs and practices consistent with the FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for a sample of systems in the NRC’s FISMA inventory of information systems. Audit fieldwork covered the NRC’s headquarters located in Rockville, MD from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 – Managed and Measurable maturity level; therefore, the NRC has an effective information security program. Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective. We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.

The OIG contracted with CliftonLarsonAllen, LLP (CLA) to conduct a vulnerability assessment and an external penetration test of the U.S. Nuclear Regulatory Commission’s (NRC) information system environment in support of the NRC’s fiscal year (FY) 2023 Federal Information Security Modernization Act of 2014 (FISMA) audit. During the vulnerability assessment and external penetration test, CLA identified weaknesses that, if remediated, would help strengthen the NRC’s security posture.

Annual summary perspective on the most serious management and performance challenges facing the FTC, as well as a brief assessment of the agency’s progress in addressing those challenges.

Our objective was to reassess the company’s management and oversight of New Acela, including the trainset acquisition and other program elements necessary to launch revenue service, since we last reported on the program in 2020.We found that, despite recent improvements to the New Acela Program’s management, the program is more than three years behind schedule and additional delays are likely. Current delays have resulted in significant cost increases, operational impacts, and delayed revenue, and further schedule slippage would exacerbate these impacts. We identify two reasons for the current—and likely future—delays to New Acela. First, the vendor has not produced a validated computer model that demonstrates the New Acela is safe to proceed with additional trainset testing. While federal regulations require the company to submit to FRA trainset performance predictions from the computer model showing that it is valid, the vendor is responsible for developing and validating the model. This is the first step in a multi-step regulatory process for FRA to approve the trainsets to operate in passenger revenue service. Second, of the 12 serial trainsets and 22 café cars the vendor has produced, all have defects. Although some defects are expected when producing a new trainset, the vendor’s schedule for addressing them is incomplete, and without more complete information, the company cannot verify whether remediating the defects will impact the overall program schedule and the revenue service launch. More broadly, the issues we identified on New Acela are similar to challenges that have occurred on other rolling stock acquisitions. Since Amtrak is planning a multi-billion dollar program to replace its fleet of long-distance trains while it is also engaged in the ongoing process of replacing its intercity trains, we recommend that the company 1) enhance its process to formally capture and incorporate lessons learned from New Acela and other rolling stock purchases, 2) direct the vendor to provide complete and accurate schedules to address defects, and 3) work with the vendor to identify the risk of future defects.

The VA Office of Inspector General conducted a healthcare inspection at the Hampton VA Medical Center (facility) in Virginia to assess allegations related to the delay in diagnosis and treatment of a patient with a newly found lung mass.The OIG substantiated that there was a delay in diagnosis and treatment for a patient with a new lung mass, highly suspicious for cancer. The OIG found multiple care coordination deficiencies in scheduling and communication that led to the delay. As the patient likely had metastatic disease at initial presentation, the OIG could not determine if the delay in care coordination contributed to the patient’s death.The OIG determined the facility did not have an operational cancer committee, tumor board, or a certified cancer registrar at the time of the inspection. The lack of administrative oversight, and programmatic development, directly impacts the quality of patient cancer care. The lack of the programs did not contribute to the patient’s death, but may have impacted the quality of oncology services provided by the facility.The OIG determined that the facility submitted a Joint Patient Safety Report after being notified of the OIG inspection. Although a root cause analysis was conducted, the facility failed to identify care coordination deficiencies, such as scheduling delays, as contributing factors to the patient’s death. An institutional disclosure was conducted but lacked documented evidence that facility leaders provided the patient’s family member the required information about potential compensation.The OIG made seven recommendations to the Facility Director related to care coordination agreements, compliance with Veterans Health Administration (VHA) Patient Aligned Care Team policies and VHA cancer registry requirements, and a review of both the root cause analysis and institutional disclosure to ensure alignment with VHA policies.

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report describes the results of a focused evaluation of the inpatient and outpatient care provided at the Gulf Coast Veterans Health Care System in Biloxi, Mississippi. This evaluation focused on five key operational areas:• Leadership and organizational risks• Quality, safety, and value• Medical staff privileging• Environment of care• Mental health (emergency department and urgent care center suicide prevention initiatives)The OIG issued six recommendations for improvement in three areas:1. Quality, Safety, and Value• Defined governance structure2. Medical Staff Privileging• Ongoing Professional Practice Evaluationso Service-specific criteriao Data maintained in privileging folders• Evaluations by practitioners with equivalent specialized training and similar privileges• Executive Committee of the Medical Staff review3. Environment of Care• Clean and safe environment