Federal Reports

The Federal Information Security Management Act requires the information security program of every agency to be evaluated each year. In FY 2021, SBA faced new information security challenges under the weight of lending huge amounts during the pandemic. In 2021, the agency had to deal with months of continued issues caused by the unprecedented volume of loan and grant applications spurred by the Coronavirus Aid, Relief, and Economic Security Act and other pandemic relief laws. We tested a subset of systems in nine areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum.We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the nine domains.Based on tests of the eight information systems, we determined the results of each domain as follows:1. Risk Management — Defined2. Supply Chain Risk Management — Ad Hoc3. Configuration Management—Defined4. Identity and Access Management — Consistently Implemented5. Data Protection and Privacy — Consistently Implemented6. Security Training — Defined7. Information Security Continuous Monitoring — Defined8. Incident Response — Managed and Measurable9. Contingency Planning — Consistently Implemented.We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.

A new white paper from the U.S. Postal Service Office of Inspector General (OIG) assessed changes in the geographic distribution of collection points and retail sites, and the extent to which these changes display patterns that may have disproportionately affected populations in locations with specific racial, ethnic, and income characteristics. The OIG also identified demographic trends in service performance scores and the volume of negative customer feedback across the U.S. USPS is not required to consider a community’s demographic characteristics — such as race, ethnicity, and income — when implementing changes to mail access or evaluating service quality. However, if the Postal Service considered demographic data, management would be better informed about the potential unintended consequences of their decisions.

KPMG made 60 recommendations intended to strengthen the DOI’s information security program as well as the programs of DOI bureaus and offices.

An Amtrak train attendant based in New Orleans, Louisiana, was terminated from employment on April 4, 2022, following his administrative hearing. The employee was terminated after our investigation resulted in criminal charges for making false statements and theft of government funds. He pleaded guilty to these charges on April 27, 2022.Our investigation found the former employee fraudulently received unemployment benefits provided under the Coronavirus Aid, Relief, and Economic Security Act. The employee was not eligible to receive the funds as he was employed by Amtrak during this time and the loan application form he submitted contained false information. The employee received an $89,583 Paycheck Protection Program (PPP) loan by falsifying information in the loan application. He will be sentenced at a future date.