Open Recommendations

The Oklahoma City VA Health Care System Director ensures that routine non-gynecological turnaround time corrective actions are documented and monitored for effectiveness, as required by the Veterans Health Administration.

The Oklahoma City VA Health Care System Director conducts a comprehensive review of the quality of care provided by the Chief of Pathology and Laboratory Medicine Service, identifies deficiencies, and takes action as warranted.

The Oklahoma City VA Health Care System Director reviews the Pathology and Laboratory Medicine Service event reporting requirements for variance events and ensures completion according to facility policy and Veterans Health Administration requirements.

The Oklahoma City VA Health Care System Director, in conjunction with the National Center for Patient Safety, evaluates patient safety event reporting processes within the Pathology and Laboratory Medicine Service, and ensures completion according to Veterans Health Administration requirements.

Implement vulnerability management processes to ensure all vulnerabilities are identified and plans of action and milestones are created for vulnerabilities that cannot be mitigated by VA deadlines.

Implement a more effective baseline configuration process to ensure network devices and databases are running authorized software that is configured to approved baselines and free of vulnerabilities.

Perform a cost-benefit analysis and implement appropriate controls within the federal Electronic Health Record to limit disclosure of veteran personally identifiable information based on job responsibility.

Segregate the duties of maintaining key stock and making keys.

Place network infrastructure equipment in a communications closet or approved enclosure to restrict access to only authorized personnel.

Complete the installation of grounding measures for all telecommunications closets to protect information technology equipment against electromagnetic pulse attack or electrostatic discharge. Ensure the work completed by contractors adheres to the requirements as defined in the work order.

Enforce the requirement for unit management to monitor fuel card purchases, including annotating all high-risk fuel transactions with an appropriate comment.

Reevaluate FAA's Business Staffing Rules so that workload, fleet count based on make/model/series, and aircraft models and series with separate maintenance review board reports are considered in the staffing algorithm for each inspector position.

Require that an independent workplace survey of the FAA United CMO be conducted to determine how inspector fleet assignments and workload distribution are impacting office culture. This should include implementing an action plan to address these needs.

Establish and implement an action plan to address FAA's documented staffing shortages and provide continuous resources to the United CMO that addresses retirement trends, average training time, and staffing turnover for a period longer than 3 years to ensure sufficient oversight.

Develop a strategic plan to provide outreach and education to the entire inspector work force on the protections of Safety Management System (SMS) data once the designation of protection is published in the Federal Registry. This should include education on inspectors' ability to request and review an air carrier's SMS data and records when conducting surveillance and addressing non-compliances.

Develop and implement a policy for FAA personnel to determine when an inspection should be postponed based on the percentage and/or type of questions that cannot be answered. This should include a management control so that FAA personnel with authority to assign inspections use "resources not available" when this threshold is met.

Provide analytical support from FAA's Safety Analysis Branch to CMOs to gather, analyze, and trend data for questions that have been answered "not observable" to support risk-based decision making.

Implement a plan with the Office of Acquisition and Logistics Project Management Office to ensure system access is more granular and the intent of the principle of least privilege is met.

Ensure all roles and accesses, including those provided by default access, are reviewed and certified periodically as required.

Implement a permanent solution to provide supervisors and information owners with visibility of all roles and accesses, including those provided by default access, granted to users.

OIG recommends the deputy assistant secretary for the FMBT Service implement a plan with the Office of Acquisition and Logistics Project Management Office to ensure system access is more granular and the intent of the principle of least privilege is met.

OIG recommends the deputy assistant secretary for the FMBT Service ensure all roles and accesses, including those provided by default access, are reviewed and certified periodically as required.

OIG recommends the deputy assistant secretary for the FMBT Service implement a permanent solution to provide supervisors and information owners with visibility of all roles and accesses, including those provided by default access, granted to users.

FHFA's Chief Financial Officer should seek recovery of $5,208 in overpayments questioned in this report, as appropriate.

FHFA's Chief Financial Officer should update FHFA’s invoice review policies and procedures to require CORs and Invoice Approvers to perform a documented review of invoice billing rates (e.g., confirmation against contract or task order tables) prior to payment approval.

FHFA's Chief Financial Officer should update FHFA’s invoice review training materials for CORs and Invoice Approvers to include clear step-by-step instructions on how to verify billing rates against contract terms and document verification.

FHFA's Chief Financial Officer should ensure that all staff with invoice approval authority complete the updated training.

FHFA's Chief Financial Officer should update procedures to set timeframes for OCFO personnel to request (a) a written statement on why an invoice was paid late; and (b) written corrective actions to be taken to prevent any future late payment issues.

FHFA's Chief Financial Officer should assign back-ups for OCFO personnel on leave to ensure that the control procedure to obtain written statements explaining why late payments occurred and corrective actions to be taken to prevent any future late payments is performed timely.

The Director of FinCEN should conduct and document an assessment of FinCEN’s decision to offer bulk data access, including the potential risks and how those risks are being mitigated.

The Director of FinCEN should update FinCEN’s bulk data access SOP to specify how to conduct and document reviews of requests and periodic reevaluations of agencies’ need for bulk data access, including which personnel are responsible for conducting these reviews and approving access.

The Director of FinCEN should conduct and document a reevaluation of the basis for granting each agency access to bulk data, in accordance with the bulk data SOP, to determine whether the overall benefits of continuing to provide such access outweigh the potential downsides and whether those downsides can be mitigated effectively.

The Director of FinCEN should review and update the BSA data SORN to ensure it identifies all routine uses and specifically and clearly describes the purpose of bulk data and how external agencies will use the data. Also, ensure FinCEN accurately details its administrative practices.

The Director of FinCEN should ensure that FinCEN, going forward, complies with SORN requirements in the Privacy Act, Treasury regulations, OMB guidance, and Treasury’s Handbook.

The Director of FinCEN should update FinCEN’s BSA data SOPs to require verification that an MOU has been executed with an agency before its users are granted access to BSA data.

The Director of FinCEN should ensure SOPs specifically cover platform program access and require the execution of an MOU with external agencies before providing their users platform program access.

The Director of FinCEN should update FinCEN’s BSA data SOPs to clearly specify the types of access to which they apply.

The Director of FinCEN should execute MOUs with all agencies participating in the platform program.

The Director of FinCEN should immediately review BSA data MOUs to determine which require updates and execute updated MOUs with those external agencies.

The Director of FinCEN should update FinCEN’s BSA data SOPs to require that FinCEN personnel periodically review MOUs to determine if they require an update, and if so, execute updated MOUs with those external agencies.

The Director of FinCEN should update FinCEN’s BSA data SOPs to ensure accurate tracking and consistent documentation of BSA data MOUs.

The Director of FinCEN should update FinCEN’s BSA data SOPs to require a review to ensure FinCEN personnel appropriately maintain MOUs and related documentation. Ensure the update specifies that decision matrices are appropriately maintained.

The Director of FinCEN should update FinCEN’s BSA data SOPs to require that FinCEN identify and permit designees to sign MOUs in lieu of FinCEN’s Director and FinCEN personnel and external agency officials record the execution date on MOUs.

The IPA recommended that OCIO management reinforces policy requirements (through training or other means) for completing periodic monthly reviews of FARS OS privileged user access.

The IPA recommended that OCIO management performs ongoing monitoring to hold responsible control operators accountable for timely completion of such control activities.

The IPA recommended that Fiscal Service management reinforce policy requirements (through training or other means) for removing logical access of terminated and transferred Fiscal Service employees and contractors within 2 business days of their separation date.

The IPA recommended that Fiscal Service management perform ongoing monitoring to hold responsible control performers accountable for timely completion of such control activities

The IPA recommended that Fiscal Service develop and implement documentation to assign responsibility for ensuring adequacy of UNIX and database security and baseline settings.

The IPA recommended that Fiscal Service update existing UNIX and database configuration security baseline documents to ensure that these documents fully incorporate and enforce the components of the DISA STIGs. Management should document any deviations from the STIGs and note compensating controls that mitigate the security risk to an acceptable level.

The IPA recommended that Fiscal Service develop, document, and implement policies, procedures, and controls to conduct periodic reviews of actual UNIX and database settings against the security configuration baselines.