Open Recommendations

We noted that in OIG Audit Report No. 17-AUD-15, a suggestion was made to “modify NARA's SDLC methodology to align it better for agile projects” that has not been addressed. In addition to resolving this issue, we recommend NARA’s Information Services review and update the SDLC Methodology to ensure it reflects current NARA practices related to system development methodologies utilized at the agency. NARA should modify the description of their SDLC methodology processes to be more agile, by adopting the cyclical approach described in GAO’s Agile Assessment Guide – Best Practices for Agile Adoption and Implementation. The system development process…

We recommend NARA’s Office of the Chief Financial Officer finalize Interim Guidance 400-5, Capitalization Policy for NARA Assets on capitalization of costs for Software Development Projects and enhance to address the scenario where programming and development for internal software is outsourced to external contractors. This should include the types of costs to be capitalized, materiality, and documentation requirements.

OIG recommends that the Special Immigrant Visa (SIV) Senior Coordinating Official, in coordination with the Bureau of Consular Affairs and the Joint Executive Office for the Bureau of Near Eastern Affairs and the Bureau of South and Central Asian Affairs, develop and implement a strategic performance management approach to improve the outcomes of the Afghan SIV program, including establishing goals and measures of success to evaluate progress against those established goals.

We recommend that the Florida Agency for Health Care Administration refund $106,153,061 to the Federal Government, representing the Federal share of rebates for calendar years 2015 through 2019 that the State agency did not refund.

We recommend that the Manager, Fermi Site Office, direct the Contracting Officer, in consultation with the Cognizant Federal Agency Official, to determine the allowability of costs questioned in this report, as summarized in Appendix 2, and recover any amounts deemed unallowable.

We recommend that the Manager, Fermi Site Office, direct the Contracting Officer, in consultation with the Cognizant Federal Agency Official, to conduct a risk assessment of FY 2018 subcontracts containing cost-type components to determine the appropriate audit coverage necessary and arrange for those audits to be conducted.

We recommend that the Manager, Fermi Site Office, direct the Contracting Officer, in consultation with the Cognizant Federal Agency Official, to require FRA to establish a policy to permit reasonable subsistence reimbursements for visiting researchers on extended assignment.

Recommend that the Acting Manager, direct the Contracting Officer, in consultation with the Cognizant Federal Agency Official, to determine the allowability of costs questioned in the report, as summarized in Appendix 2,and recover any amounts deemed unallowable.

We recommend that the Manager, Fermi Site Office, direct the Contracting Officer, in consultation with the Cognizant Federal Agency Official, to require FRA to establish a policy to permit reasonable subsistence reimbursements for visiting researchers on extended assignment.

We recommend that CPB management require KSVR-FM to post its most recent unaudited financial statement on its website.

We recommend that CPB management require KSVR-FM to identify the corrective actions and controls it will implement to ensure future compliance with Act and CPB requirements for open financial records.

We recommend that CPB management require KSVR-FM to identify the corrective actions and controls it will implement to ensure future compliance with diversity requirements.

We recommend that CBP’s Office of Facilities and Asset Management: a. evaluate all International Mail Facility space agreements to identify unusable space for future cost savings; and b. revise agreements with unusable space, given the $3.2 million in funds that could have been put to better use identified in this audit.

We recommend that CBP’s Office of Facilities and Asset Management develop and implement a process for escalating and effectively resolving local and regional facility issues.

We recommend that CPB management require WOJB-FM to identify the corrective actions and controls it will implement to ensure future compliance with CPB’s General Provisions requirements for diversity.

Incorporate the required standard cloud security clauses in the Department's enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.

Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.

Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT's Security Operations Center and require confirmation of completion.

Develop and implement a process that enables FAA's Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.

Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.

Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a…

Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.

Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.

Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity…

Direct and require confirmation of completion from FRA's cloud-based system owner for its Cloud Application Services-Software-as-a-Service-to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as, required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.

Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Web System-Platform-as-a-Service and Infrastructure-as-a-Service-to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws per NHTSA's audit and accountability plan.

Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System-Infrastructure-as-a-service-and PHMSA Data Mart-Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its…

Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment-Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all systems risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to…

Direct and require confirmation of completion from FRA's cloud-based system owner for the Multiple Case Incident Analysis-Infrastructure-as-a-service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.

Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)-Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews…

1. We recommend that the Director of the U.S. Census Bureau evaluate alternative strategies to achieve target response rates, particularly in underrepresented units.

5. We recommend that the Director of the U.S. Census Bureau ensure that regional offices adhere to prescribed telephone interview rates or work with the Bureau of Labor Statistics to adjust them as needed.

6. We recommend that the Director of the U.S. Census Bureau ensure all surveys and regional offices maximize the use of data analysis and monitoring tools to oversee survey quality and performance.

7. We recommend that the Director of the U.S. Census Bureau ensure RI requirements are met and completed in a timely manner.

8. We recommend that the Director of the U.S. Census Bureau reevaluate the effectiveness of the CED survey RI lag time metric.

12. We recommend that the Director of the U.S. Census Bureau ensure that staff are trained on completing adequate falsification investigations.

13. We recommend that the Director of the U.S. Census Bureau strengthen the quality control plan for the CPS by evaluating cases worked by FRS with confirmed falsifications to assess the impact on survey estimates.

15. We recommend that the Director of the U.S. Census Bureau implement a system for tracking FRs with confirmed falsifications so that applicants for FR positions can be appropriately vetted prior to reemployment.

We recommend that the Commissioner of CBP finalize the draft CBP Integrated SWB Mass Irregular Migration Contingency Plan.

We recommend that the Commissioner of CBP establish a comprehensive, formal policy to: • consistently document the use of all available information to make informed facility planning decisions; • conduct and document analysis of all possible alternative options before establishing temporary facilities; and • regularly reassess the continued need for existing temporary facilities and evaluate the cost-effectiveness of maintaining existing temporary facilities.

Create a performance standard that requires that teleservice center managers and other employees who conduct service observations conduct a minimum of three service observations for each qualified 800-number employee per month, as required by SSA policy.

Create policy to ensure all problematic calls identified through speech analytics are referred to regional management and regional management intervenes with the 800-number employees referred within defined timeframes to ensure prompt interventions address problematic and/or inadequate customer service.

Ensure that all data sets within the FDIC that contain relevant threat and vulnerability information are assessed and natural language processing or alternative technological capabilities are considered for enhancing threat and vulnerability information sharing operations.

We recommend that IAF's chief information officer implement level 2 event logging requirements in accordance with Office of Management and Budget memorandum M-21-31.

OCSS should Bolster State agency resilience during emergencies.

OCSS should create forums for identifying and sharing State agency best practices in providing paternity establishment services.

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to document an approved secure baseline configuration and perform testing to verify that all approved settings are implemented.

We recommend the TSA Chief Information Officer enforce the requirement for the selected High Value Asset system owner to apply security updates and service patches to remediate vulnerabilities on all devices, as required by applicable DHS policies.

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to develop and implement a supply chain risk management plan to address and mitigate risks associated with the hardware components and software being used on the selected High Value Asset system.

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to strengthen its user account management procedures to ensure user access agreements are developed and signed by users before users are given access to the selected High Value Asset system or when the agreement is revised.