Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Small Business Administration
Fiscal Year 2021 Federal Information Security Modernization Act Review
The Federal Information Security Management Act requires the information security program of every agency to be evaluated each year. In FY 2021, SBA faced new information security challenges under the weight of lending huge amounts during the pandemic. In 2021, the agency had to deal with months of continued issues caused by the unprecedented volume of loan and grant applications spurred by the Coronavirus Aid, Relief, and Economic Security Act and other pandemic relief laws. We tested a subset of systems in nine areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum.
We rated SBA’s overall program of information security as “not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the nine domains.
Based on tests of the eight information systems, we determined the results of each domain as follows:
1. Risk Management — Defined
2. Supply Chain Risk Management — Ad Hoc
3. Configuration Management — Defined
4. Identity and Access Management — Consistently Implemented
5. Data Protection and Privacy — Consistently Implemented
6. Security Training — Defined
7. Information Security Continuous Monitoring — Defined
8. Incident Response — Managed and Measurable
9. Contingency Planning — Consistently Implemented
We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.
A new white paper from the U.S. Postal Service Office of Inspector General (OIG) assessed changes in the geographic distribution of collection points and retail sites, and the extent to which these changes display patterns that may have disproportionately affected populations in locations with specific racial, ethnic, and income characteristics. The OIG also identified demographic trends in service performance scores and the volume of negative customer feedback across the U.S. USPS is not required to consider a community’s demographic characteristics — such as race, ethnicity, and income — when implementing changes to mail access or evaluating service quality. However, if the Postal Service considered demographic data, management would be better informed about the potential unintended consequences of their decisions.
Independent Auditors’ Performance Audit Report on the U.S. Department of the Interior Federal Information Security Modernization Act for Fiscal Year 2021
Audit of the Schedule of Expenditures of Centre for Urban and Regional Excellence, Level Up for Taps and Toilets in Slum Homes Program in India, Cooperative Agreement AID-386-A-15-00002, April 1, 2020, to March 31, 2021
An Amtrak train attendant based in New Orleans, Louisiana, was terminated from employment on April 4, 2022, following his administrative hearing. The employee was terminated after our investigation resulted in criminal charges for making false statements and theft of government funds. He pleaded guilty to these charges on April 27, 2022.
Our investigation found the former employee fraudulently received unemployment benefits provided under the Coronavirus Aid, Relief, and Economic Security Act. The employee was not eligible to receive the funds as he was employed by Amtrak during this time and the loan application form he submitted contained false information. The employee received an $89,583 Paycheck Protection Program (PPP) loan by falsifying information in the loan application. He will be sentenced at a future date.
In September 2021, the Atlanta Journal Constitution reported on large quantities of unopened mail being stored in the warehouse basement of the VA medical facility in Atlanta. The OIG conducted a review that found the Atlanta VA Health Care System (HCS) had formed a task force to open, sort, and process stacks of mail reportedly piled as high as 10 feet and dating back at least 10 months. When opened, the 17,660 pieces of mail contained medical records, claims, nearly $207,000 in checks, and correspondence from veterans.
The mail backlog began accruing after a November 2020 verbal agreement between Atlanta VA HCS officials and VHA’s Payment Operations and Management (POM) personnel. The agreement called for POM staff to vacate space in a building leased by the medical facility where POM was processing mail if Atlanta VA HCS personnel took over the responsibility for processing that mail.
The OIG determined that VA should have established a formal agreement clearly detailing each office’s responsibilities. VA HCS leaders did not include responsible managers in decision making discussions and lacked a clear understanding of the volume of mail processing work they were accepting. Atlanta VA HCS did not ensure mailroom staff were adequately prepared or trained to handle or sort the influx of mail, and POM officials were later reluctant to help, citing the verbal agreement.
Given the mail mismanagement in Atlanta, VHA should ascertain the effects the mail processing delays had on veterans and community care providers and take corrective action. Because POM is implementing similar transitions at sites across the country, POM and medical facilities need to ensure there is adequate staff with sufficient training to handle the mail processing workload. VA concurred with the OIG’s five recommendations.