Brought to you by the Council of the Inspectors General on Integrity and Efficiency
The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our audit objective was to determine the effectiveness of Tennessee Valley Authority’s (TVA) ISP and practices as defined by the Fiscal Year (FY) 2022 Core IG Metrics Implementation Analysis and Guidelines (see Appendix B). Our audit scope was limited to answering the core IG metrics. The FISMA methodology considers metrics at a level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the core IG metrics and associated maturity models, we found 12 of the 20 core IG metrics were at a level 1 (ad-hoc), level 2 (defined), or level 3 (consistently implemented); therefore, TVA's ISP was not operating in an effective manner as defined by the FY 2022 Core IG Metrics Implementation Analysis and Guidelines.
Boiler plants are essential to operating VA medical facilities. If boilers are not properly inspected, updated, and maintained, they may fail, putting veteran and employee safety at risk and disrupting patients’ access to care. The Veterans Health Administration (VHA) established a policy to safely operate boiler plants in VHA Directive 1810. The VA Office of Inspector General (OIG) audited to determine whether the New York/New Jersey VA Health Care Network—Veterans Integrated Service Network (VISN) 2—effectively followed that directive when inspecting and maintaining boiler plants. The OIG selected VISN 2 because data from fiscal year (FY) 2021 showed it had the most boiler plant components requiring maintenance and deficiencies associated with boiler plant components operating past their expected lifespans. The OIG determined VISN 2 did not fully comply with VHA Directive 1810 on useful life assessments and operations testing and inspections. Additionally, VHA leaders lacked information necessary for effective oversight. The OIG made six recommendations for facilities to manage the inspection and maintenance of boiler plants more effectively. The VISN 2 director should ensure useful life assessments are conducted for boilers operating past their expected or extended lifespans to ensure safe operation. Office of Healthcare Engineering leaders should clarify policies and procedures for scheduling useful life assessments for boilers, update VHA Directive 1810 to ensure medical facility boiler policies reflect current procedures and clarify the frequency of tests and inspections and whether they require third-party inspectors. The OIG also recommended the VISN 2 director review medical facilities’ boiler operation policies regarding notifying officials and planning corrective action to ensure they are consistent with VHA Directive 1810.
The VISN 2 director also should employ a management information system to facilitate access to inspection records, useful life assessments, and corrective action plans.
The U.S. Postal Inspection Service is responsible for Postal Service policies, procedures, standards, and requirements for facility security and access controls. It has also established a risk management process — the Vulnerability Risk Assessment Tool (VRAT) — to ensure compliance with facility security policies and procedures and identify facility security deficiencies. Additionally, the Postal Inspection Service is an associate member of the Interagency Security Committee (ISC) formed by Executive Order 12977 to enhance the quality and effectiveness of security in protecting federal facilities.
The U.S. Border Patrol within U.S. Customs and Border Protection (CBP) followed its screening procedures to prevent migrants with serious criminal backgrounds or individuals on the terrorist watch list from entering the United States. We determined that Border Patrol agents conducted required record checks on the migrants from our sample that they released into the country.
Independent Service Auditor’s Report on the Office of the Chief Information Officer’s Description of Its Data Center Hosting and Security Systems and the Suitability of the Design and Operating Effectiveness of Its Controls for the Period October 1, 2021
This report presents the results of the System and Organization Controls 1 Type 2 examination conducted in accordance with Statement on Standards for Attestation Engagements No. 21 for the United States Department of Agriculture (USDA) Office of the Chief Information Officer (OCIO) description of its data center hosting and security systems used to process user entities’ transactions throughout the period October 1, 2021, to June 30, 2022.
Independent Service Auditor’s Report on National Finance Center’s Description of Its Payroll and Personnel Systems and the Suitability of the Design and Operating Effectiveness of Its Controls for the period October 1, 2021 through June 30, 2022
This report presents the results of the System and Organization Controls 1 Type 2 examination conducted in accordance with Statement on Standards for Attestation Engagements No. 21 for the United States Department of Agriculture’s (USDA) National Finance Center (NFC) description of its payroll and personnel systems used to process user entities’ payroll and human resource transactions throughout the period October 1, 2021, to June 30, 2022.
IHS's National Supply Service Center Was Generally Effective in Providing Supplies to Facilities During the COVID-19 Pandemic, but Its Internal Controls Could be Improved