Open Recommendations

We recommend that BIE develop a plan focused on hiring additional maintenance and grounds staff at Tate Topa Tribal School.

We recommend that BIE provide all Tate Topa Tribal School facilities maintenance staff the necessary computer hardware, software, and training to access the facility management system.

We recommend that BIE review and analyze all Tate Topa Tribal School work orders in the Facility Management System and update work order status as needed to ensure accuracy.

We recommend that BIE develop an updated and accurate map of the Tate Topa Tribal School campus.

We recommend that BIE develop and deliver training to emphasize the importance of accurate and complete recordkeeping in the facility management system.

(U) Rec. 1: The DoD OIG recommended that the Under Secretary of Defense for Policy, in coordination with the Director of the Defense Security Cooperation Agency, work with the Director of the Department of State Bureau of Political'Military Affairs Office of Regional Security and Arms Transfers to develop and implement a policy stating that a single entity is responsible for notifying both the divesting and receiving security cooperation organizations of all approved, government'to'government third'party transfers of enhanced end'use monitoring"designated defense articles to a hostile environment. Additionally, the policy should require the divesting security cooperation organizations to notify the receiving security…

Fiscal Service perform a review of the current system environment against the CMDB.

Fiscal Service perform a risk assessment over the subject matter and determine the appropriate personnel to be responsible for monitoring and updating the CMDB.

Fiscal Service update policy and procedures related to the above recommendations and disseminate the documentation to enforce such policy and procedures.

We recommend the Assistant Secretary for Employment and Training to evaluate its authority to share data and develop fraud prevention resources and controls with other federal entities, including SBA, that include data sharing mechanisms to detect and mitigate fraud.

Remedy $24,464 in unallowable questioned costs related to excess administrative expenditures beyond the 5-percent allowance charged to the 2018 award.

Remedy $16,168 in unsupported questioned costs related to non-personnel administrative costs.

Remedy $196,776 in unallowable questioned costs related to excess drawdowns for the 2018 award.

Coordinate with West Virginia JCS to ensure FFRs are accurate and supported by accounting records going forward.

Remedy $198,099 in unsupported subaward expenditures.

Evaluate its authority to share data and develop fraud prevention resources and controls with other federal entities, including DOL, that include data sharing mechanisms to detect and mitigate fraud.

Collaborate with DOL to conduct a joint study to assess and identify disaster program data elements that should be shared for data matching with UI claim data elements for the purpose of detecting potentially fraudulent activities under both the UI and SBA disaster assistance programs.

IHS should assess the relative benefits of its current recruitment and retention strategies to guide future staffing plans, as well as exploring new tools to address staffing shortfalls.

IHS should explore options for expanding housing for DSFC staff.

1. We recommend that the Assistant Secretary of Commerce for Communications and Information and NTIA Administrator direct FirstNet Authority’s Chief Executive Officer to ensure that special hardening measures are implemented for the unique threats faced in the Maui region, as required by the contract.

3. We recommend that the Assistant Secretary of Commerce for Communications and Information and NTIA Administrator direct FirstNet Authority’s Chief Executive Officer to reevaluate the RTO metric to ensure that it aligns with the NPSBN’s operational purpose of being available during disasters.

5. We recommend that the Assistant Secretary of Commerce for Communications and Information and NTIA Administrator direct FirstNet Authority’s Chief Executive Officer to take the necessary steps to ensure that FirstNet Authority has access to real-time network data and the ability to actively monitor network services and deployed assets.

We recommend that the DOI Secretary or designee establish a risk appetite as required in the Office of Management and Budget Circular No. A-123 and implement a process to ensure Departmentwide awareness of the risk appetite.

We recommend that the DOI Deputy Secretary or designee implement a process to periodically reevaluate and adjust risk appetite and tolerance levels to meet DOI's needs in accordance with the Office of Management and Budget Circular No. A-123.

We recommend that the DOI Deputy Secretary or designee create a comprehensive risk profile as required by the Office of Management and Budget Circular No. A-123 and ensure it is properly approved and incorporated into discussions for decision making.

We recommend that the DOI Deputy Secretary or designee establish a risk management council or an equivalent governance system to direct and oversee the establishment of DOI's risk profiles, regularly assess risk, develop appropriate risk responses, and approve the updated risk profile annually.

We recommend that the DOI Deputy Secretary or designee define the enterprise risk management roles and responsibilities for DOI's leadership at the executive, bureau, and office level and ensure those roles and responsibilities are clearly communicated.

Develop and implement guidance for Clean School Bus Program personnel on reviewing Clean School Bus rebate recipients' use and management of rebate funds.

Direct U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program officials to work with appropriate USMMA IT officials to ensure that data collected and used for tracking claims and incidents of sexual assault and sexual harassment is secure in accordance with NDAA requirements.

Direct the Maritime Administration's Privacy Officer to complete a privacy impact analysis to ensure personally identifiable information used by the U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR)'s Program is secure based on Federal requirements and verify completion.

Direct U.S. Merchant Marine Academy (USMMA) Sexual Assault Prevention and Response (SAPR) Program officials to work with the USMMA's IT officials to implement the necessary security controls in the following areas: access control, encryption, audit logging, data exfiltration, data integrity, and backup, to mitigate possible cybersecurity risks to the SAPR Program's sensitive information in the interim to the extent possible until a new system is implemented and verify completion.

The Chief, Taxpayer Services, and Chief, Tax Compliance Officer, should update internal guidance and develop more robust training to ensure that employees perform adequate research of tax accounts to identify outstanding tax debt prior to initiating manual refunds or credit elects.

The Chief, Taxpayer Services, and Chief, Tax Compliance Officer, should request the necessary programming changes to ensure that the duplicate return freeze and the telephone excise tax freeze code function appropriately. In addition, request programming changes to ensure that overpayments from undelivered refunds and interest offset appropriately.

The Chief Information Officer should ensure that the requested programming changes are implemented by January 2026.

We recommend that the Centers for Medicare & Medicaid Services instruct the SSAs to follow up with the five nursing homes (three nonprofit and two Government-owned) that may not have complied with Federal requirements to verify that they have taken corrective actions.

We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to remediate the 22 vulnerabilities identified and verify that the 22 vulnerabilities identified were remediated.

We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to improve network monitoring by implementing NIST SP 800-53, Revision 5, for the OPTN IT system, to include data loss prevention technology to prevent unauthorized exfiltration of information (Control SC-7(10)) and red-team exercises to simulate attempts by adversaries to compromise organizational systems (Control CA-8(2)).

We recommend that the Health Resources and Services Administration implement procedures to help ensure that the OPTN IT system contractor maintains compliance with federally required cybersecurity controls policies and standards on a continuing basis.

Castro recommends Treasury OIG follow-up with Guam's management to confirm the transactions noted as unsupported expenditures within the Direct Payments greater than or equal to $50,000, Aggregate Reporting less than $50,000, and Aggregate Payments to Individuals can be supported. If support is not provided, Treasury OIG should recoup the funds or request that Guam management provide support for replacement expenses, not previously charged, that were eligible during the CRF period of performance. Further, based on the Government of Guam's responsiveness to Treasury OIG's requests and its ability to provide to provide sufficient documentation and/or replace unsupported and ineligible transactions charged…

Treasury OIG follow-up with Guam's management to 1) determine the feasibility of performing additional testing to verify if unsupported disaster relief payment errors identified were isolated errors or if it represents a systemic issue across other disaster relief payments claimed by Guam; and 2) determine the feasibility of performing additional testing on unsupported expenditures paid to hotels for quarantining to determine eligibility and reasonableness.

We recommend Treasury's Office of Capital Access should follow-up with Guam to obtain a copy of its fiscal year 2022 Single Audit report.

Treasury's Office of Capital Access to ensure that management decision letters are issued on the findings identified in the Single Audit Reports

We recommend that CGS Administrators, LLC discontinue its practices that limit the reopening of prior years' cap calculations and start reopening all prior years' cap calculations.

We recommend that CGS Administrators, LLC revise its policies and procedures so that it meets the reopening deadlines established in Federal requirements.

We recommend that CGS Administrators, LLC conduct the prior years' hospice cap calculations for the five hospices with UPIC recoupments and collect any additional overpayments.

We recommend that OPM centralize its audit resolution process into one program structure, instead of the current audit resolution structure that delegates responsibilities to multiple programs within OPM.

We recommend that OPM implement a plan to develop an agency-wide audit tracking system with all of the functionality needed to facilitate resolution workflows and which acts as a repository for all resolution and closure documentation.

We recommend that Federal Employee Insurance Operations work with all appropriate stakeholders to update the MOUs to reflect the Federal Employee Insurance Operations' current resolution process and implement a plan to regularly review and update the MOUs.

We recommend that Internal Oversight Compliance design a system of controls to track recommendations requiring monetary recoveries, including the five recommendations identified in this finding, to ensure that OPM has recovered all monies.

We recommend that Internal Oversight and Compliance immediately track the three recommendations described in our finding and begin the resolution process to resolve and close the recommendations.