Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Transportation
Semiannual Report to Congress: October 1, 2021 - March 31, 2022
As required by the Inspector General Act of 1978 (as amended), this Semiannual Report summarizes the activities of the Department of Transportation Office of Inspector General for the preceding 6-month period.
Because key accounting policies were not adhered to, the EPA cannot ensure that $6.8 million in appropriated dollars went toward their intended purposes, potentially violating laws.
VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls.
Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies.
The team’s review of security management controls identified that the FSC did not have procedures for how to maintain systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so. Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems minimizes the FSC’s incident response capabilities. A lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission critical systems.
The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.
REVENUE COLLECTION: The U.S. Customs and Border Protection's Oversight of the Merchandise Transported In-Bond Program Needs Improvement to Better Ensure the Protection of Revenue
The OBLR did not complete all certified corrective actions and still lacks current and accurate information needed to monitor an estimated $46.6 million of program income.
This report presents the OIG’s Fiscal Year (FY) 2021 assessment of the effectiveness of GAO’s information security program in relation to selected Federal Information Security Modernization Act of 2014 (FISMA) requirements.
This report offers our perspective relative to issues the company could face as it prepares to receive funding from the Infrastructure Investment and Jobs Act (IIJA), which could begin later in fiscal year 2022. While the OIG recognizes the company has made significant progress in the past decade, this report focuses on specific challenges relative to receiving IIJA funds.
Safe operations and a safe workplace will remain the cornerstone of the company’s success. Taken as a whole, however, the sheer size of the IIJA’s funding and requirements could strain the company’s ability to manage its current operations while concurrently planning and managing a long-term multibillion-dollar infrastructure portfolio. Therefore, as the company prepares for its expanded role, we highlighted four challenges for consideration.
• Demonstrating fiscal responsibility, including transparently and accurately accounting for IIJA funds.
• Building a skilled workforce to plan and execute IIJA projects.
• Working collaboratively with partners to achieve common IIJA goals.
• Improving program and project management for IIJA endeavors.