
Open Recommendations
Age of Recommendations

We recommend that the Department oversee the Department's systems change management process to enforce adherence to the change management plan to ensure relevant documentation and approvals are properly completed prior to closing the change ticket.
We recommend that the Department update the Department's systems' change management plan to require program change supporting documentation, such as approvals, be retained.
We recommend that the Department develop and implement formal procedures addressing controls over the Department's systems': (a) changes to production jobs and schedules; and (b) monitoring of actions taken by the generic job processing account in the job scheduling tool, including management of the password for the generic account.
We recommend that FSA design and implement controls to evaluate the magnitude of impact, likelihood of occurrence, and nature of the deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed to help prevent future reoccurrences.
We recommend that FSA enforce established access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system access. Follow established user access provisioning procedures detailed in the Federal, Department, and FSA guidance to authorize system access and assign roles that are commensurate with job functions and do not violate the least privilege principle.
We recommend that FSA update access review procedures to require the reviewers to verify that the access lists received to be used in the performance and operation of the access reviews are complete, accurate, and not modified prior to commencing the access reviews.
We recommend that FSA perform and formally document the periodic reviews of all application user accounts in accordance with Department policy to confirm access is current, authorized, commensurate with job responsibilities, and follows the concept of least privilege.
We recommend that FSA ensure the application access controls comply and operate with the PIV authentication requirements, as required by Department policy.
We recommend that management improve the risk assessment process at the financial statement assertion level and at the process level to ensure the Department and FSA are appropriately defining objectives to enable the identification of risks and define risk tolerances.
We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to timely remediate control deficiencies identified. In addition, increase oversight, review, and accountability over the process among various offices and directorates within the Department and FSA.
We recommend that management update the risk assessment process related to the evaluation of internal controls to ensure it sufficiently addresses risks within key processes, key data, and other material line items on the consolidated financial statement.
We recommend that management implement the recommendation presented in the material weakness in Exhibit A.
We recommend that the Department evaluate, design, and implement controls to track and report all new and separated contractors to allow for timely onboarding or off-boarding, respectively.

(U) Rec. 1.b: The DoD OIG recommended that the Defense Security Cooperation Agency Director implement procedures to verify that the Military Services enter data into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual, by monitoring Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell trackers and documentation.
(U) Rec. 1.c: The DoD OIG recommended that the Defense Security Cooperation Agency Director add Security Assistance Group-Ukraine, 21st Theater Sustainment Command, and the Military Aid Contribution and Coordination Cell to the distribution list of weekly Presidential Determination trackers.
(U) Rec. 1.d: The DoD OIG recommended that the Defense Security Cooperation Agency Director implement a plan of actions and milestones to provide technical updates and administrative procedures that improve functionality and provide simpler and more timely access to the Defense Security Cooperation Agency 1000 System for Military Services and other organizations with a need to know.
(U) Rec. 2.a: The DoD OIG recommended that the U.S. Army Europe and Africa Commanding General direct 21st Theater Sustainment Command and the Military Aid Contribution and Coordination Cell to regularly maintain and post U.S. equipment delivery tracking data and completed shipment transfer documentation to a secure portal that is accessible by the Military Services and other organizations with a need to know to support an accurate property accountability and delivery status with DoD forms appropriately completed by Ukrainian officials.
(U) Rec. 2.b: The DoD OIG recommended that the U.S. Army Europe and Africa Commanding General direct 21st Theater Sustainment Command and the Military Aid Contribution and Coordination Cell personnel to add Presidential Determination numbers (or the equivalent project code) and transportation control numbers to the maximum extent possible to delivery trackers and completed receipt documents for each shipment unit and to scan and upload the documentation to a secure portal.
(U) Rec. 3.a: The DoD OIG recommended that the Army Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec. 3.b: The DoD OIG recommended that the Army Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec. 4.a: The DoD OIG recommended that the Chief of Naval Operations implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec. 4.b: The DoD OIG recommended that the Chief of Naval Operations implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec. 5.a: The DoD OIG recommended that the Air Force Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.
(U) Rec. 5.b: The DoD OIG recommended that the Air Force Chief of Staff implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to enter Presidential Drawdown Authority items into the Defense Security Cooperation Agency 1000 System within 90 days after delivery, as directed in the Defense Security Cooperation Agency Security Assistance Management Manual.
(U) Rec. 6.a: The DoD OIG recommended that the Marine Corps Commandant implement procedures that include the use of Security Assistance Group-Ukraine and the Military Aid Contribution and Coordination Cell tracking and documentation to maintain accountability for all Presidential Drawdown Authority defense articles in a Service accountable property system of record while in transit and until final delivery to Ukrainian officials at Logistics Enabling Node-Poland and maintain auditable records of all transfer documentation.