Federal Reports

To see our report, click on the link below

For this audit, our objective was to determine if the U.S. Department of Commerce and its bureaus identify and remediate vulnerabilities on their high value IT assets (HVAs) in accordance with federal requirements. We found that while the Department conducts HVA assessments in accordance with federal requirements, it did not always effectively identify and remediate vulnerabilities. It also did not follow best practice security guidance for HVAs. As a result, I. HVAs are operating with significant risk due to unresolved vulnerabilities; and II. OIG successfully exploited security weaknesses on multiple HVAs. All seven of the HVAs in our review had at least one exploitable vulnerability type, and the Department’s vulnerability scanners do not always identify vulnerabilities in HVAs. We also learned during our audit that the U.S. Patent and Trademark Office (USPTO) had asked the Department to downgrade all of its HVAs to non-HVAs. In September 2023, the Department’s Chief Information Officer agreed to downgrade the majority of USPTO’s HVAs.

Audit of the USITC's Vehicle Fleet Program

The objective was to determine whether the Social Security Administration’s mobile phone security conformed with Federal standards and guidelines. Our audit report (A-14-19-50811) contain information that, if not protected, could result in adverse effects to the Agency’s information systems. In accordance with government auditing standards, we have separately transmitted to SSA management our detailed findings and recommendations and excluded from this report certain sensitive information because of the potential damage if the information is misused. We have determined the omitted information neither distorts the audit results described in this summary report nor conceals improper or illegal practices.

Based on our review of Preventive Maintenance (PM) metric data provided by the Tennessee Valley Authority (TVA), we determined PMs were generally being performed within established schedules at TVA’s nuclear plants; however, some metrics indicated performance could be improved. In addition, we found other areas where improvements are needed, including: (1) some discrepancies between TVA’s PM metrics data in Cognos (the business analytics reporting tool used across TVA to access and analyze company data) reports and the data submitted to an industry peer organization; (2) PMs needed that were not established, causing declines of equipment condition and a regulatory finding; and (3) recurring issues that prevented or delayed PMs being performed. Additionally, we identified obsolescence-related equipment issues at TVA’s nuclear plants. Specifically, obsolescence-related equipment issues were identified in many program, system, and component health reports as having a negative impact.