Open Recommendations

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

[Description omitted; CSOSA has determined that this recommendation contains information that is limited official use or classified.]

Ensure that the Cloud Resource Center's inventory of cloud projects in the configuration and production phases is comprehensive and periodically maintained.

Develop and implement a process to ensure that the FedRAMP Project Management Office has an accurate inventory of FedRAMP-approved cloud systems used by the Board.

Ensure that the Board’s information security continuous monitoring standards and associated procedures provide consistent guidance on continuous monitoring frequencies and associated documentation review requirements for cloud service providers.

Require the SAAO to develop and implement a policy to ensure Operating Administrations (OA) meet Uniform Guidance's requirements for Federal awarding agencies.

Require the SAAO to develop and implement processes to ensure that OAs confirm its recipients' single audits and reporting packages are completed and timely submitted to the Federal Audit Clearinghouse (FAC).

Require the SAAO to develop and implement processes that ensure OAs download single audit reports from FAC's Image Management System and OAs identify and track single audit findings directly related to their programs.

Require the SAAO to develop and implement processes that ensure OAs issue timely management decisions on all single audit findings affecting their programs.

Require the SAAO to develop and implement processes that ensure OAs follow up on single audit findings and verify that OAs recipients took appropriate and timely corrective actions.

We recommend FEMA’s Associate Administrator of the Office of Response and Recovery integrate component records managementpolicy into program-specific declarations guidance to specify the records that should be created and maintained in official declaration request files. The program-specific guidance should require the Office of Response and Recovery to maintain, in the official file, senior officials’ decision rationale when the regional offices’ and program offices’ recommendations differ.

We recommend FEMA’s Associate Administrator of the Office of Response and Recovery ensure that component records managementpolicies are adhered to both at Headquarters and Regional offices to validate that each declaration request package is accurate, complete, and in compliance with Federal regulations.

The Commissioner, Wage and Investment Division, should ensure that programming is updated to systemically reject electronic submissions of Forms 2848 and 8821 when missing one of the five essential elements (name, address, signature, etc.) without manually mailing a rejection letter.

The Commissioner, Wage and Investment Division, should develop a process to systemically pull all controlled inventory for each Accounts Management site for the Accounts Management Inventory Report (AMIR) to ensure consistency, reduce human error, and increase efficiencies

The Commissioner, Large Business and International (LB&I) Division, should implement a fully systemic method of monitoring and verifying pushouts are properly reported on partners’ returns

Ensure that BOP staff delegated performance surveillance responsibilities complete required performance reporting tasks and maintain supporting documentation for the contractor's ratings.

Implement a reliable, consistent process throughout all BOP facilities to monitor wait times outside inmate appointments and the causes for cancelled or rescheduled appointments in order to ensure that inmates receive timely medical care.

Implement specific policies and procedures for reviewing billing submitted using Medicare-based rates, and that the BOP ensure that facilities utilize the third-party adjudication vendor.

Implement Bureau-wide policies and standards for CMS contract billings, to include appropriate supporting documentation, at all facilities.

The Bureau of Information Services should update their mobile phone policies to include and implement a National Archives and Records Administration-approved records schedule and transfer procedures for electronic records associated with mobile phones.

The Bureau of Information Services should submit a yearly affidavit to confirm electronic records associated with mobile phones have been identified and retained until the full transition into Microsoft Azure Cloud.

The Railroad Retirement Board's Director of Administration should define and communicate 'personal usage' establishing Railroad Retirement Board's core hours of 5:00 am to 7:00 pm. Any usage outside of core hours would be considered personal usage excluding business management purposes.

The Railroad Retirement Board's Bureau of Information Services should 1) continue efforts to update the Telecommuting and Mobile Security Computing Policy with current laws and regulations and 2) develop a periodic monitoring control to assess personal usage and address it according to agency guidance.