Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Environmental Protection Agency
The EPA Did Not Follow Agency Policies in Managing the Northbridge Contract and Potentially Violated Appropriations Law
Because key accounting policies were not adhered to, the EPA cannot ensure that $6.8 million in appropriated dollars went toward their intended purposes, potentially violating laws.
VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls. Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies. The team’s review of security management controls identified that the FSC did not have procedures for how to maintain systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so. Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems minimizes the FSC’s incident response capabilities.
A lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission critical systems. The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.
REVENUE COLLECTION: The U.S. Customs and Border Protection's Oversight of the Merchandise Transported In-Bond Program Needs Improvement to Better Ensure the Protection of Revenue
This report presents the OIG’s Fiscal Year (FY) 2021 assessment of the effectiveness of GAO’s information security program in relation to selected Federal Information Security Modernization Act of 2014 (FISMA) requirements.
This report offers our perspective relative to issues the company could face as it prepares to receive funding from the Infrastructure Investment and Jobs Act (IIJA), which could begin later in fiscal year 2022. While the OIG recognizes the company has made significant progress in the past decade, this report focuses on specific challenges relative to receiving IIJA funds. Safe operations and a safe workplace will remain the cornerstone of the company’s success. Taken as a whole, however, the sheer size of the IIJA’s funding and requirements could strain the company’s ability to manage its current operations while concurrently planning and managing a long-term multibillion-dollar infrastructure portfolio. Therefore, as the company prepares for its expanded role, we highlighted four challenges for consideration.
• Demonstrating fiscal responsibility, including transparently and accurately accounting for IIJA funds.
• Building a skilled workforce to plan and execute IIJA projects.
• Working collaboratively with partners to achieve common IIJA goals.
• Improving program and project management for IIJA endeavors.
Our objective was to determine to what extent the establishment of CBP’s Centers of Excellence and Expertise (Centers) has improved the assessment, collection, and protection of revenue. The absence of performance standards made it difficult to determine to what extent the establishment of the Centers improved these, but we identified several areas in which CBP could improve its compliance with the Trade Facilitation and Trade Enforcement Act of 2015 (TFTEA), and its procedural guidance for the Centers. Without established performance standards, CBP cannot determine if the Centers are achieving established goals, operating as intended, collecting and protecting trade revenue, or meeting the legislated mission set forth in the TFTEA. We made five recommendations to strengthen CBP’s procedures for assessing, collecting, and protecting trade revenue. CBP concurred with our recommendations.
Our objective was to determine the extent to which FEMA coordinated shelter and supplies to unaccompanied minors along the southwest border. We determined FEMA accomplished its operational goals to help U.S. Department of Health and Human Services (HHS) provide shelter and supplies to unaccompanied children from the U.S. southwest border. Specifically, FEMA worked closely with HHS to establish 14 emergency intake sites in high priority locations in Texas, California, Michigan, and Pennsylvania. FEMA also assisted HHS to build out 23,253 beds and provide other critical supplies, such as food, water, beds, blankets, and medical supplies to emergency intake sites. We did not make any recommendations as a result of this audit. FEMA chose not to submit management comments to the draft report.