Federal Reports

The Cybersecurity and Infrastructure Security Agency (CISA) has addressed the basic information sharing requirements of the Cybersecurity Act of 2015 (Cybersecurity Act) but has made limited progress improving the overall quality of threat information.

The Cybersecurity and Infrastructure Security Agency (CISA) has addressed the basic information sharing requirements of the Cybersecurity Act of 2015 (Cybersecurity Act) but has made limited progress improving the overall quality of threat information.

In recent years, several Department of Homeland Security (DHS) components have been victims of cyberattacks. To protect its sensitive information from potential exploitation, DHS implements multiple layers of defense against malware, ransomware, and phishing attacks.

Chau Nguyen, a.k.a. Cindy Le, a resident of Yorba Linda, California, was sentenced on August 22, 2022, in United States District Court, Central District of California, to one day in prison (time served), 12 months’ home confinement, and was ordered to pay $7,623,701 in joint restitution to Tricare and $70,065 to Amtrak. Our investigation found that Cindy Le’s husband, Tony Le, who is serving a 70-month prison sentence, used his pharmacy to submit more than $13 million in fraudulent claims for unnecessary compounded medications to both Tricare and Amtrak’s health care plans. When Tony Le was away from the pharmacy, Cindy Le continued the fraudulent scheme to illegally bilk the insurance plans. Five defendants were convicted and sentenced in this investigation, and a total of $838,552 in restitution has been ordered paid to Amtrak.

We initiated this work as a survey of Amtrak’s practices for developing and managing construction contracts. During our review, however, we identified other relevant challenges, which we are raising to inform key stakeholders as the company plans to receive its first tranche of funding from the Infrastructure Investment and Jobs Act.We found that the company’s electronic procurement system, Ariba on Demand, is not operating as a centralized and automated repository for storing its procurement contracts. This has led to contracting officers storing contract files and supporting documentation in multiple systems (in addition to Ariba on Demand) like SharePoint—a web-based collaboration platform—and on personal drives. As a result, using Ariba on Demand, our auditors were unable to determine the total number of company contracts, suppliers, and change orders. Amtrak also cannot readily find such data in Ariba on Demand or any other system. The lack of a centralized and automated repository limits companywide oversight of contracts and poses legal and financial risks. These risks will persist and be exacerbated by the influx of Infrastructure Investment and Jobs Act funds and the initiation of new construction projects. In addition, we identified six challenges with Ariba on Demand—as the company is currently using it—including a limited ability to protect sensitive information, difficulties registering suppliers, and various technical limitations that require manual workarounds and increase the time and effort necessary to develop and manage construction contracts.The company may want to determine whether Ariba on Demand has the capability to meet its needs for an automated contract repository and, if not, to explore other viable solutions. In addition, it may want to assess the relative risks of the other challenges we identified and prioritize addressing them.