Open Recommendations

Rec. 1.c: The DoD OIG recommended that the Secretary of Defense direct an organization or group to develop a process to prohibit the purchase and use of high-risk commercial off-the-shelf items, when necessary, until mitigation strategies can limit the risk to an acceptable level.

Rec. 2.a: The DoD OIG recommended that the Under Secretary of Defense for Acquisition and Sustainment update existing DoD acquisition policies or develop and implement new policy to require organizations to review and evaluate cybersecurity risks, including supply chain and counterintelligence risks, for high-risk commercial off-the-shelf items prior to purchase, regardless of purchase method.

(U) Rec. 3: The DoD OIG recommended that the DoD Chief Information Officer revise DoD Instruction 8100.04, "DoD Unified Capabilities (UC)," December 9, 2010, to require an assessment of supply chain risks as a condition for approval to be included on the Unified Capabilities approved products list.

(U) Rec. 2.a: The DoD OIG recommended that the DoD Chief Information Officer develop and issue a user activity monitoring policy and strategy, as required by DoD Directive 5205.16, "The DoD Insider Threat Program," September 29, 2014, incorporating Change 2, August 28, 2017.

(U) Rec. 2.b: This recommendation is Controlled Unclassified Information

(U) Rec. 3.a: The DoD OIG recommended that all Combatant Commanders establish a full-time insider threat program manager position to ensure that the program meets national and DoD requirements.

The Bureau of Overseas Buildings Operations, in coordination with Embassy Paramaribo, should address the roof leaks in the new embassy compound and mitigate the resulting health hazards within 180 days.

(U) Rec. A.1.a: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with Defense Pricing and Contracting, implement or revise policy to require all systems and networks that maintain DoD information, including those owned by contractors that maintain DoD information, to use strong passwords that, at a minimum, meet DoD password length and complexity requirements.

(U) Rec. A.1.b: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with Defense Pricing and Contracting, implement or revise policy to require all systems and networks that maintain DoD information, including those owned by contractors that maintain DoD information, to configure their systems and networks to align with DoD requirements for locking after 15 minutes of inactivity and 3 unsuccessful logon attempts.

Encrypt PII data on personal and network drives in accordance with DOT Chief Information Officer Departmental Privacy Risk Management Policy.

Develop a plan and address identified high and medium vulnerabilities on any remaining legacy websites and verify that new websites are being assessed for vulnerabilities.

CMS should seek legislative authority to implement least costly alternative policies for Part B drugs under appropriate circumstances.

We recommend that SAMHSA reconcile each month the OIG stewardship reports (or the HHS electronic Single Audit recommendation listing for audits processed on or after October 1, 2018) with SAMHSA’s audit resolution records and follow up on any differences noted.

We recommend that SAMHSA promptly resolve the 188 outstanding audit recommendations that were past due as of September 30, 2016.

We recommend that SAMHSA finalize and follow its policies and procedures related to the audit resolution process to ensure that all management decisions are issued within the required 6-month resolution period.

We recommend that the State agency maintain the necessary documentation to determine whether it enrolled individuals who did not meet Federal and State Medicaid eligibility requirements, which could have resulted in up to $1,297,308,200 in potentially improper Federal Medicaid payments over the 6-month audit period

We recommend that the State agency take the necessary steps to ensure local district and marketplace staff consider all available, relevant information and data sources, as well as all Federal and State requirements when determining Medicaid eligibility, which could have reduced or eliminated an estimated $520,295,792 in overpayments caused by eligibility errors over the 6-month audit period.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to provide to the Department documentation for purchases and contracts reviewed in this report that is consistent with Regulation 7040 and the Guide for expenditures charged to the Restart and Title I grants, including adequate justification of the procurement of professional services not subject to competition, or return to the Department funds charged to the grants.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to establish controls to ensure that staff involved in the procurement of goods and nonpersonal services follow the requirements established in Regulation 7040, including any updates made in response to Puerto Rico Law 85, and provide training as applicable.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to establish controls to ensure that staff involved in the procurement of professional services follow the requirements established in the Guide, and provide training as applicable.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to timely implement its monitoring plan to properly monitor the Restart program to ensure appropriate use of funds and compliance with applicable laws and regulations.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to segregate monitoring and program coordination duties to eliminate conflicts of interest and reduce the risk of fraud, waste, and abuse.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to implement the procedures created to report fraud, waste, and abuse.

IHS should work with hospitals to ensure that they follow the Indian Health Manual when prescribing and dispensing opioids;

IHS should ensure that all hospitals: Institute complete and updated contingency plans and test plans in accordance with Federal guidelines.