Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
AmeriCorps
Fiscal Year 2022 Federal Information Security Modernization Act (FISMA) Evaluation of AmeriCorps
The fiscal year 2022 FISMA evaluation concluded that AmeriCorps’ information security program remains ineffective. Control weaknesses in the following areas prevent AmeriCorps’ cybersecurity program from maturing: (1) mobile devices, (2) IT asset inventory management, (3) vulnerability and patch management program, (4) Personal Identity Verification (PIV) multifactor authentication, (5) performance measures, (6) security assessments and (7) contingency planning. AmeriCorps has not made significant progress in implementing prior FISMA recommendations: it has implemented only 12 of the 42 open recommendations from the FY 2017-FY 2021 FISMA evaluations. The failure to address critical deficiencies leaves AmeriCorps systems and data vulnerable to breach, which may expose sensitive information, including Personally Identifiable Information, to unauthorized access, use, and disclosure. Implementing more of these recommendations will help AmeriCorps to mature its information security program and bring it closer to effectiveness. AmeriCorps concurred with the three new recommendations in our report, which together with the 30 remaining prior year recommendations, will assist AmeriCorps in developing a mature and effective information security program. The full report contains a summary and evaluation of management’s response.
As required by the Inspector General Act of 1978 (as amended), this Semiannual Report summarizes the activities of the Department of Transportation Office of Inspector General for the preceding 6-month period.
In this Semiannual Report to Congress (SAR), we discuss accomplishments and activities of OIG from October 1, 2022 through March 31, 2023, as well as its goals and plans.
We audited the Puerto Rico Department of Housing’s (PRDOH) Home Repair, Reconstruction, or Relocation (R3) program. We initiated this audit as part of our commitment to helping the U.S. Department of Housing and Urban Development (HUD) support effectiveness and accountability in long-term disaster recovery. Our objective was to determine whether PRDOH followed applicable program requirements when spending R3 program funds. During our audit of PRDOH’s R3 program funds, we determined that PRDOH generally followed applicable program requirements; however, we identified four contracts where PRDOH may have used the prohibited cost plus a percentage of cost (CPPC) contracting method to acquire program management services. Specifically, there were multiple indicators that all four of its program management services contracts could be considered CPPC contracts. PRDOH itself was concerned that these agreements were prohibited CPPC contracts and amended three of the contracts “in order to clarify that the agreement is not a ‘cost-plus-percentage-of-cost’ contract.” However, we believed that the amendments did not completely remove the question of whether these agreements violate the CPPC contracting prohibition. At our request, HUD obtained a legal opinion from its Office of General Counsel which opined that the contracts in question did not constitute a CPPC contract. This report contains no recommendations. However, we are troubled by the manner in which PRDOH handled these four contracts, especially in their formation and administration prior to HUD’s 2019 monitoring review. We believe additional monitoring of PRDOH’s contracting actions is prudent to ensure they are compliant with HUD requirements.
Enterprise Risk Management (ERM) provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that provides improved insight about how to more effectively prioritize and manage risks. The Tennessee Valley Authority (TVA) Board of Directors established a formalized ERM program in 1999 to (1) develop a standard framework and (2) promote risk management awareness and techniques to manage risks throughout the company. Due to the importance of TVA identifying and assessing risks, we evaluated (1) the process used by TVA business units (BU) to identify risks and (2) how BU risks were used to comprise TVA's enterprise risk levels. We determined the processes used by TVA were generally effective for identifying strategic business unit (SBU)/BU risks and assessing those risks to determine enterprise level risks. However, we identified some opportunities for improvement related to documentation of the ERM process and defining and documenting TVA’s risk appetite. Additionally, we could not determine if the risks in the 2022 Enterprise Level Risk Portfolio adequately addressed the rolling blackouts that occurred on December 23 and 24, 2022.