Federal Reports

As required by FISMA, OIG reviewed USDA’s ongoing efforts to improve its information technology security program and practices during FY 2022.

The Geospatial Data Act of 2018 (Act) was signed into law in October 2018 to help develop, drive, and manage the National Spatial Data Infrastructure, which includes the technology, policies, criteria, standards, and employees necessary to promote geospatial data sharing throughout Federal, state, tribal, and local governments, and the private sector. The Act outlines requirements for Federal geospatial data governance structures, encourages organized use and collaboration within agencies, and promotes broader sharing of geospatial data—information linked to specific geographic locations—across agencies. The Act requires the Office of Inspector General to report on the Department of Energy’s collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data. In particular, the Office of Inspector General shall evaluate compliance with: (1) standards for geospatial data, including metadata for geospatial data established under the Act; (2) the agency responsibilities and requirements under the Act; and (3) limitations on the use of Federal funds under the Act. In September 2020, we released the results of our inaugural review that evaluated the Department’s initial efforts to implement the Act. At that time, we found that although the Department had initiated or completed actions related to each of the covered agency responsibilities, we identified that it had not fully implemented 12 of the 13 requirements outlined in the Act.We conducted our current audit to determine whether the Department met the requirements of the Act. This report documents the results of our test work.Due to limitations with agencies’ abilities to implement the Act, our test work was limited to identifying the Department’s efforts to implement the 13 covered agency responsibilities contained in Section 759 of the Act. In particular, the Federal Geographic Data Committee had not yet adopted or endorsed any Geospatial Data Theme Standards at the time of our review. As such, and consistent with current guidance issued by the Council of the Inspectors General on Integrity and Efficiency, we did not evaluate the effectiveness of the Department’s efforts to implement these standards or to limit the use of Federal funds for geospatial data at this time. Our audit found that while the Department had taken some additional steps to implement the Act since our initial report in September 2020, significant work remained to fully implement the Act’s requirements. Specifically, the Department had completed additional actions related to the 13 covered agency responsibilities; however, we identified that it still had not fully implemented 12 of the requirements. For instance, we found:• Although the Department prepared and published a geospatial data strategy in support of the strategic plan for the National Spatial Data Infrastructure, as required by the Act, it had not implemented the strategy to advance geographic information, related geospatial data, and activities appropriate to its mission. • The Department also had not completed its geospatial data inventory and, therefore, could not optimize data integration between its geospatial users. Further, the Department had not ensured that all geospatial data included metadata and that the metadata was available through the GeoPlatform, as required by the Act.These concerns occurred, in part, because progress on the development and issuance of an implementation plan for the Department of Energy Geospatial Data Management Strategy 2021–2025 had been delayed. Additionally, there was confusion among program and site officials about the amount and types of geospatial data that existed within the Department. We also noted a general lack of awareness of the Department’s centralized geospatial data information sites dedicated to the sharing of geospatial data best practices and tools.Although we determined that the Department had made progress since our last review, significant work remains for it to meet the Act’s requirements. We made three recommendations that, if fully implemented, will improve understanding and implementation of the Act. In particular, we recommend that the Department’s Chief Information Officer: (1) determine the actions, milestones, and resources needed to fully implement the Department of Energy Geospatial Data Management Strategy 2021–2025 and issue a corresponding implementation plan to the Department’s geospatial data users; (2) develop and implement a process to increase engagement with the Department’s program offices and field sites to ensure that the requirements of the Act are better understood; and (3) develop a mechanism to ensure all Department program offices and field sites can access the Department’s centralized geospatial data information.

The objective of our review was to determine the Department’s progress on spending program administration funds authorized by coronavirus response and relief laws, including how those funds have been used to date, and the Department’s plans for using remaining funds.We found that the Department has allocated nearly 100 percent2 of its pandemic assistance program administration funds and that the Department is on track to obligate all of its program administration funds prior to the dates the funds are set to expire. The Department allocated the funds to 11 principal offices and as of February 1, 2022, these principal offices have obligated3 or committed4 approximately $19.4 million (51 percent) of the $38 million in total pandemic assistance program administration funds.

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess allegations of adverse clinical outcomes related to three patients’ surgical or invasive procedure(s) at the Columbia VA Health Care System (facility) in South Carolina.The OIG substantiated three patients experienced adverse clinical outcomes related to their surgical or invasive procedure(s). The OIG found quality of care concerns with two of the three patients however, no quality of care concerns were identified for the third patient who experienced complications following a surgical procedure.A medical intensivist incorrectly placed a chest catheter and a thoracic surgeon incorrectly placed a chest tube while attempting to drain a patient’s pleural effusion. The OIG found that clinical care deficiencies made by the intensivist and surgeon led to a series of unplanned events that contributed to the patient’s death. The OIG identified deficiencies in the peer review and quality management processes.A vascular surgeon conducted a wrong site surgery when amputating a patient’s third versus fourth toe. The OIG found that although removal of the patient’s third toe was clinically indicated due to infection, the surgeon failed to acknowledge and discuss the deviation from the informed consent and pre-operative plan with the patient and surgical team. Leaders failed to address the surgeon’s undermining of patient safety protocols and high reliability organization principles. Additionally, the OIG identified deficiencies in practitioners’ and surgical nurses’ compliance with informed consent and time-out protocols.The OIG made one recommendation to the Veterans Integrated Service Network Director regarding a comprehensive review of a patient’s care. The OIG made six recommendations to the Facility Director related to medically-complex patients, peer review practices, timeliness of institutional disclosures and internal reviews, the vascular surgeon’s disregard of patient safety protocols, and informed consent and time-out protocol compliance.

This administrative investigation addressed allegations that VA’s Executive Protection Division (EPD), a component of VA’s Office of Operations, Security, and Preparedness (OSP) that provides protective services to the VA Secretary and Deputy Secretary, was inadequately equipped. The allegations included that EPD personnel (special agents and physical security specialists) had expired or no ballistic body armor (vests), that senior leaders in OSP were aware of this and had denied previous requests to purchase vests, and that special agents’ firearms malfunctioned frequently and needed to be replaced.The OIG found that VA had not procured ballistic vests for some EPD personnel despite a standard operating procedure requiring them to wear body armor most of the time they were working. Further, there were no procedures to assess compliance (such as routine inspections) or establish consequences for nonuse; procure body armor for new personnel; track the condition of armor assigned to personnel; or replace vests that were beyond the manufacturer’s warranty, did not fit, or had other defects.However, the available evidence did not substantiate allegations that senior leaders in OSP had denied vest procurement requests or knew that some personnel needed them. The OIG also could not substantiate based on documentation and interviews that EPD special agents’ firearms malfunctioned frequently and needed replacement.To effectively protect its employees and leaders, VA must provide EPD personnel with the basic safety equipment for performing their jobs. VA concurred with the OIG’s four recommendations for improvements to EPD procedures to address the issuance, maintenance, and replacement of ballistic body armor, as well as enforcing the requirement that EPD personnel wear their vests. It also concurred with the recommendation calling for a review of the condition of all firearms assigned to EPD special agents.

Election Mail is any mailpiece that an authorized election official creates for voters participating in the election process and includes ballots and voter registration materials. The U.S. Postal Service has specific policies and procedures on the proper acceptance, processing, delivery, and recording of Election Mail.Our objective was to evaluate the Postal Service’s readiness for timely processing of Election Mail for the 2022 mid-term election to be held Tuesday, November 8, 2022. To evaluate readiness, during primary elections, we reviewed Election Mail policies, analyzed service performance data, and conducted observations at six Processing and Distribution Centers and 10 delivery units. We also followed up on 14 prior recommendations to determine if the Postal Service’s corrective actions were effective.

The VA Office of Inspector General (OIG) conducted this inspection to determine whether the Harlingen VA Health Care Center in Texas was meeting federal security guidance. The OIG selected the Harlingen center because it had not been previously visited as part of the OIG’s annual Federal Information Security Modernization Act audit of VA’s information security program and practices.The OIG team found deficiencies in the center’s component inventory, vulnerability management, and system life-cycle management. Specifically, the center had an inaccurate component inventory; unsupported versions of applications, missing patches, and vulnerable plug-ins; and critical or high-risk vulnerabilities in the network that had gone unidentified. Additionally, the inspection team found the system life cycle did not replace applications before they became unsupported. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended.The team also found the Harlingen VA Health Care Center was deficient in contingency planning. The center did not adequately plan for restoring local IT operations. Consequently, after a disaster, the center may not be able to readily restore all operations as they existed before.Further, the center had deficiencies in three access controls. Database managers did not adequately maintain log data for local databases, computer rooms and communications closets were not equipped with fire detection devices, and the center’s VA police computer room did not have a visitor access log. These deficiencies could impede the center’s ability to respond to incidents.The OIG made five recommendations to address the deficiencies.