Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Department of Defense
Quality Control Review of the KPMG LLP FY 2023 Single Audit of Carnegie Mellon University
Annual summary perspective on the most serious management and performance challenges facing the FTC, as well as a brief assessment of the agency’s progress in addressing those challenges.
The VA Office of Inspector General (OIG) Vet Center Inspection Program provides a focused evaluation of aspects of the quality of care delivered at vet centers. The OIG inspected four randomly selected vet centers throughout Pacific district 5 zone 1: Anchorage, Alaska; Eugene, Oregon; and Everett and Walla Walla, Washington. The OIG inspection focused on four review areas: suicide prevention; consultation, supervision, and training; outreach; and environment of care. In the suicide prevention review, the OIG team evaluated vet center staff participation in the VA medical facility mental health executive council meetings resulting in one recommendation for two of four vet centers inspected. The consultation, supervision, and training review identified concerns with external clinical consultation, vet center director monthly chart reviews, and completion of select trainings resulting in two recommendations across three of four vet centers inspected. The outreach review evaluated outreach plan completion, inclusion of strategic components, and tailoring of outreach activities to cultural background information identified in the plan which resulted in one recommendation across all four vet centers inspected. The environment of care review evaluated vet centers’ physical environment and general safety resulting in eight recommendations across three of the four vet centers inspected. The OIG issued a total of 12 recommendations for improvement
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agency-wide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
Our QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.
Our Recommendations
DOT concurs with all 10 of Sikich’s recommendations. Sikich considers 10 recommendations resolved but open pending completion of planned actions.
DOT Uses Continuous Monitoring Tools To Automate Cybersecurity Monitoring But Needs To More Effectively Detect, Prevent, and Report Cybersecurity Threats
What We Looked At
Following a series of disruptive cyberattacks in the public and private sectors, the President issued an Executive Order in 2021 requiring civilian Federal agencies to protect and secure their critical infrastructure and computer systems, which underpin the American people’s security and privacy. The Continuous Diagnostics and Mitigation (CDM) program aims to provide a consistent, Governmentwide set of continuous monitoring tools to enhance the Federal Government’s ability to identify and respond in real-time or near real-time, to the risk of emerging cyber threats. The Department of Transportation (DOT) uses continuous monitoring tools on its networks to secure information technology assets. We initiated this audit to assess DOT’s continuous monitoring tools for detecting, preventing, and reporting cybersecurity threats that may compromise DOT’s information systems and data. Specifically, we evaluated DOT’s (1) automation of its continuous monitoring tools to provide near real-time detection of cybersecurity risks in key operational areas, (2) hardware asset inventory reports and the software installed on the Department’s hardware assets, and (3) configuration of its network software and remediation of known network asset vulnerabilities.
What We Found
First, DOT uses continuous monitoring tools to automate cybersecurity monitoring, but FAA is not using tools to provide near real-time monitoring on all mission-critical NAS systems. Specifically, the Department uses continuous monitoring tools to support essential CDM requirements and has implemented a CDM Dashboard to automatically report cybersecurity information. However, FAA has not performed near real-time cyber monitoring activities on 62 of 85 National Airspace Systems Cyber Management Systems due to air traffic and safety concerns. Second, DOT did not maintain an accurate inventory of its hardware assets, and FAA is still developing policies for a software inventory reconciliation process. Third, DOT is not configuring all its network software in accordance with requirements nor mitigating its known network vulnerabilities associated with its continuous monitoring tools and network endpoints. Addressing our concerns is key to DOT’s progress in reducing its threat surface and improving its cybersecurity posture.
Our Recommendations
We made five recommendations to improve the DOT’s cybersecurity posture and reduce cybersecurity risks. DOT and FAA agreed with the recommendations. We consider all recommendations resolved but open pending completion of planned actions.
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.
Management Advisory: The DoD Should Analyze the Use of Barcode Scanners for Conducting Inventories of Defense Articles Requiring Enhanced End Use Monitoring