Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of Justice
Recommendations Issued by the Office of the Inspector General that were Not Closed as of August 31, 2023
This report contains information about recommendations from the OIG's audits, evaluations, reviews, and other reports that the OIG had not closed as of the specified date because it had not determined that the Department of Justice (DOJ) or a non-DOJ federal agency had fully implemented them. The list omits information that DOJ determined to be limited official use or classified, and therefore unsuitable for public release. The status of each recommendation was accurate as of the specified date and is subject to change. Specifically, a recommendation identified as not closed as of the specified date may subsequently have been closed.
The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the VA Dublin Healthcare System in Georgia because it had not been previously visited as part of the annual FISMA audit. The OIG’s information security inspections focus on three security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, security management, and access controls. During this inspection, the OIG found deficiencies in all three areas. Deficiencies in configuration management included critical-risk vulnerabilities that VA’s Office of Information and Technology did not identify. These security vulnerabilities were not being remediated within VA’s established time frames, which could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified three security management control weaknesses at the healthcare system: several special-purpose systems did not have authorization to operate, two of these systems did not have appropriate security categorizations, and the healthcare system identified but did not remediate unapproved software. The healthcare system also had deficiencies in physical access security, emergency power, and monitoring of physical and environmental controls. The OIG made four recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the facility because they are related to enterprise-wide information security issues similar to those identified on previous FISMA audits and information security inspections.
The OIG also made three recommendations to the Carl Vinson VA Medical Center director.
The VA Office of Inspector General (OIG) conducted national surveys of Veterans Integrated Service Network (VISN) patient safety officers (PSO) and facility patient safety managers (PSM). Both surveys focused on patient safety topics, including oversight, culture, staffing, and training. The OIG also conducted interviews with Veterans Health Administration (VHA) Quality and Patient Safety leaders and PSOs. The OIG identified opportunities for VHA to strengthen patient safety programs at VISNs and facilities. Variability in PSO oversight related to site visit frequency and volume, and unclear expectations for PSO follow-up of facility patient safety program deficiencies, exist. PSOs reported barriers to meeting with community care third-party administrators to discuss quality and safety concerns. A majority of PSOs reported responsibilities for areas outside of the patient safety program while a high percentage of PSMs reported feelings of burnout. Facilities that have a PSM and additional staff achieved a higher level of compliance with completing patient safety requirements. Inclusion of an analysis of patient safety data within National Center for Patient Safety (NCPS) published quarterly reports would help staff drive improvement. Both PSOs and PSMs identified that patient safety is not always considered in decision making. Lastly, although PSO and PSM training is recommended, no formalized training requirements are available. The OIG made one recommendation to the VHA Under Secretary for Health related to evaluating PSO and PSM communication with community care third-party administrators and two recommendations to the VHA Assistant Under Secretary for Quality and Patient Safety related to establishing facility patient safety program oversight requirements and evaluating barriers that limit VISN and facility leaders’ engagement with PSOs and PSMs.
The OIG made six recommendations to the VHA NCPS Executive Director related to evaluating quarterly reports, PSO and PSM burnout, patient safety program staffing, and implementing formalized training.
We have identified a concern regarding the inability of both OIG and Agency personnel to extract EPA SBIR contract data—such as information about proposals, bids, awards, contractors, and subcontractors—from the EPA Acquisition System in meaningful ways to allow for oversight through data analytics, queries, and other proactive initiatives.
The EPA should review unliquidated obligations for programs that received a substantial increase through the IIJA to ensure that the funds are used for the intended programs or deobligated timely to fund other environmental projects, as appropriate.
Implementation Review of Corrective Action Plan PBS’s National Capital Region is Failing to Adequately Manage and Oversee the Building Services Contracts at the FDA’s White Oak Campus Report Number A190021/P/5/R21003 May 17, 2021
Evaluation of KDNA-FM, Northwest Communities’ Education Center, Compliance with Selected Communications Act and General Provisions Diversity and Transparency Requirements, Report No. ECR2301-2316
For this audit, our objective was to determine if the U.S. Department of Commerce and its bureaus identify and remediate vulnerabilities on their high value IT assets (HVAs) in accordance with federal requirements. We found that while the Department conducts HVA assessments in accordance with federal requirements, it did not always effectively identify and remediate vulnerabilities. It also did not follow best practice security guidance for HVAs. As a result, (I) HVAs are operating with significant risk due to unresolved vulnerabilities; and (II) OIG successfully exploited security weaknesses on multiple HVAs. All seven of the HVAs in our review had at least one exploitable vulnerability type, and the Department’s vulnerability scanners do not always identify vulnerabilities in HVAs. We also learned during our audit that the U.S. Patent and Trademark Office (USPTO) had asked the Department to downgrade all of its HVAs to non-HVAs. In September 2023, the Department’s Chief Information Officer agreed to downgrade the majority of USPTO’s HVAs.