Federal Reports

Our Objective(s)
To perform a quality control review (QCR) of Sikich's fiscal year 2025 audit of the effectiveness of the Department of Transportation's (DOT) information security program and practices.

Why This Audit
The Federal Information Security Modernization Act of 2014 requires agencies to develop, implement, and document agencywide information security programs and practices. The Act also requires inspectors general to conduct annual reviews to determine the effectiveness of their agencies' information security programs and report their review results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. We performed a QCR of Sikich's report and related documentation.

What We Found
The independent auditor, Sikich, found that DOT's information security program and practices were not effective and made seven recommendations to improve DOT's information security program.
Establish and implement guidance for performing Cybersecurity Framework 2.0 activities through policies and procedures, including the development of current and target cybersecurity profiles which consider anticipated changes in DOT's cybersecurity posture.
Define and implement policies and procedures that utilize standard data elements and taxonomy to develop and maintain an up-to-date inventory of all software assets and associated licenses, including Executive Order critical software.
Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for DOT's data types.
Create and maintain a comprehensive inventory of data and corresponding metadata.
Work with Federal Aviation Administration (FAA) Chief Information Officer (CIO) to secure a reliable funding stream for continuous vetting.
Work with FAA CIO to initiate and complete the background investigation of FAA employees in public trust positions.
Work with FAA CIO to enroll FAA employees into continuous vetting through Trusted Workforce.

Our QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations
DOT concurs with Sikich's seven recommendations.

To ensure the continued operations of the International Space Station and the safety of the crew, NASA and its spacesuit support contractor must ensure the suits used for spacewalks, designed more than 50 years ago, are well-maintained and reliable. The contractor, Collins Aerospace, has struggled to ensure sufficient life support components for the suits are delivered when needed and within budget and that meet quality expectations. While Collins’ performance over the last several years has declined, NASA has limited leverage to incentivize improved performance.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to determine whether leaders and staff followed required procedures related to suspected elder abuse of a community living center (CLC) resident at the St. Albans VA Medical Center in Queens, part of the VA New York Harbor Healthcare System (system). 

The OIG determined leaders and staff failed to follow procedures to report suspected abuse. A nursing assistant witnessed another nursing assistant allegedly abuse a resident but failed to immediately notify a supervisor, due to being “scared.” Nursing leaders and staff did not immediately ensure the resident’s safety, and did not report the suspected abuse to a unit social worker, VA Police, the resident’s family, and the New York State Department of Health. A nurse practitioner evaluated bruises on the resident and did not document a complete physical exam, consider whether the bruises were related to abuse, or inform the resident’s family. Staff described a culture of silence in the CLC in which staff generally did not report, or underreported, patient safety incidents due to fear of reprisal or administrative burdens. 

Leaders conducted two factfinding investigations into the alleged abuse; however, neither factfinding was thorough, which led to inaccurate conclusions. Factfinding 2 was completed approximately five months after the alleged abuse, exceeding a 14-day completion requirement. An accurate conclusion would have indicated the allegation of patient abuse was plausible and required system leaders to conduct an administrative investigation board. 

The OIG found additional reporting deficiencies related to other incidents of suspected resident abuse; insufficient staff training; substandard documentation by staff, which hindered reviews and investigations; and omissions in Veterans Health Administration and system abuse-related policies. 

The OIG made one recommendation to the Under Secretary for Health, who concurred in principle, and six recommendations to the System Director.
 

AmeriCorps OIG investigated allegations that individuals posing as AmeriCorps employees on social media sites offered grant funds in exchange for a fee, such as gift cards or cell phones, as part of a scheme known as "advance fee fraud." The evidence collected through the investigation supports the finding that the fraud suspects executed the schemes by utilizing fake social media profiles, Voice Over Internet Protocol (VOIP) phone numbers, fake email addresses, and Virtual Private Networks (VPNs). At the conclusion of the investigation, AmeriCorps OIG made six recommendations to AmeriCorps, which concurred with five of the six.