Federal Reports

What We Looked AtWe queried and downloaded 74 single audit reports prepared by non-Federal auditors and submitted to the Federal Audit Clearinghouse between January 1, 2023 and March 31, 2023, to identify significant findings related to programs directly funded by the Department of Transportation (DOT). What We FoundWe found that reports contained a range of findings that impacted DOT programs. The auditors reported 36 incidents of significant noncompliance with Federal guidelines related to 15 grantees that require prompt action from DOT’s Operating Administrations (OA). Of the 36 findings, 21 were repeat findings related to 8 grantees. The auditors also identified questioned costs totaling $14,886,138 for six grantees. Of this amount, $7,612,623 was related to the Crow Tribe of Indians, $5,472,288 was related to Pit River Tribe, and $1,146,291 was related to the COVID-19 formula grants of the Suburban Mobility Authority for Regional Transportation, Detroit, MI. Additionally, we identified nonmonetary repeat findings that caused a disclaimer of opinion for the Crow Tribe of Indians, Crow Agency, MT. RecommendationsWe recommend that DOT coordinate with the impacted OAs to develop a corrective action plan to resolve and close the findings identified in this report. We also recommend that DOT determine the allowability of the questioned transactions and recover $14,886,138, if applicable.

Evaluation of the FLRA's Preparedness Against Cyber Security Attacks

OIG identified the prevention measures that Forest Service established for recreation sites in response to the COVID-19 pandemic.

The lack of vulnerability scans increases the risk that vulnerabilities are not identified and remediated in a timely manner and could result in data loss or disruption to Agency operations.

The Federal Information Security Modernization Act of 2014 (FISMA) requires the Office of Inspector General to conduct an annual independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems. As part of that evaluation, the Office of Inspector General is required to assess the Department’s cybersecurity program according to FISMA security metrics issued by the Office of Management and Budget and the Council of the Inspectors General on Integrity and Efficiency.We conducted this evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected data and information systems. Our fiscal year 2022 FISMA evaluation determined that the Department, including the National Nuclear Security Administration, had not taken appropriate actions to address many previously identified weaknesses related to its unclassified cybersecurity program. Although actions were taken to close 23 of 61 recommendations from our prior evaluations, 38 recommendations remained open. We also issued 35 new recommendations, many of which were similar in type to the deficiencies identified in our previous reports.The weaknesses identified occurred for a variety of reasons. For instance, weaknesses related to system integrity of web applications generally occurred because the applications were configured without adequate security controls designed to reject malicious input. In addition, identity and access management weaknesses occurred because officials were unaware of, or had not implemented, current account management requirements.To correct the cybersecurity weaknesses identified throughout the Department, we made 73 recommendations (of which 38 were made during prior evaluations) to the Department’s programs and sites, including those identified during this evaluation and in other issued reports. Specific recommendations were made to each of the locations where weaknesses were identified. Corrective actions to address each of the recommendations, if fully implemented, should enhance the Department’s unclassified cybersecurity program. Management concurred with all but two recommendations issued to programs and sites related to improving the Department’s cybersecurity program.

This report summarizes the results of the CliftonLarsonAllen (CLA) audit and contains four recommendations that will assist the agency in strengthening cybersecurity controls related to its firewalls and the Security Information and Event Management (SIEM) tool. NCUA management concurred with and has taken or planned corrective actions to address the recommendations.

The VA Office of Inspector General (OIG) conducted a healthcare inspection at the VA Black Hills Health Care System (facility) in Fort Meade and Hot Springs, South Dakota, to evaluate how facility leaders addressed an administrative investigation board’s (AIB) findings and recommendations.The OIG received complaints alleging failures in leadership and management, and misconduct and inappropriate relationships between leaders and staff and between clinical staff and patients within the Mental Health Service. In response, the former Facility Director convened an AIB and detailed two leaders out of the Mental Health Service, in compliance with VA policy. Prior to retirement, the former Facility Director met with the acting Facility Director to discuss the AIB report and advised that two action items required follow-up. The former Facility Director did not share the AIB report with other senior facility leaders, citing not enough time before retirement. As a result, a lapse of understanding and follow-up of the AIB’s recommendations occurred when the former Facility Director retired. After being contacted by the OIG, the acting Facility Director and other senior facility leaders read the AIB report and developed an action plan to address the 11 recommendations. The OIG confirmed that facility leaders were addressing each recommendation and taking steps to address the mental health leader and a staff member, who was a student at the time, identified within the AIB report as having inappropriate relationships with patients. The facility reported the mental health leader to the state licensing board. The facility did not independently verify that the student self-reported the inappropriate relationship to the state licensing board. The OIG made two recommendations to the Facility Director related to completing the action plan, and independently determining if the state licensing board should be notified.