Reports

Department of Defense OIG

Audit of DoD Actions Taken to Protect DoD Information When Using Collaboration Tools During the Coronavirus Disease–2019 Pandemic

Full Details: Oversight.gov Report Page

Audit | 6/06/2023

D-2023-0079-D000CR-0001-0001.A1a - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0001.A1b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0002.A2 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0003.A3 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0004.A4 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0001-0005.A5 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0001.B1a - Closed

(U) Rec. B.1.a: The DoD OIG recommended that the Chief Information Officer for the Defense Finance and Accounting Service renegotiate changes with the Adobe Connect vendor to configure Adobe Connect to require privileged users to authenticate into the collaboration tool using multifactor authentication.

D-2023-0079-D000CR-0002-0001.B1b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0002.B2 - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3a - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3b - Closed

Recommendation is CUI

D-2023-0079-D000CR-0002-0003.B3c - Closed

Rec. B.3.c: The DoD OIG recommended that the Chief Information Officer for the Defense Threat Reduction Agency configure Zoom for Government to lock user accounts after three unsuccessful logon attempts in a 15-minute period.

D-2023-0079-D000CR-0003-0001.C1 - Closed

Recommendation is CUI

General Services Administration OIG

Audit of GSA’s Response to COVID-19: PBS Faces Challenges to Meet the Ventilation and Acceptable Indoor Air Quality Standard in GSA-Owned Buildings

Full Details: Oversight.gov Report Page

Audit | 6/05/2023

Department of Defense OIG

Audit of DoD Actions Taken to Implement Cybersecurity Protections Over Remote Access Software in the Coronavirus Disease–2019 Telework Environment

Full Details: Oversight.gov Report Page

Audit | 3/24/2023

D-2023-0057-D000CR-0001-0001.A1 - Closed

Rec. A.1: The DoD OIG recommended that the Director of the U.S. Southern Command - Joint Interagency Task Force South Command, Control, Communications, Computers, Cyber and Intelligence direct its network administrators to scan the VMware Horizon main virtual desktop for malware in accordance with the McAfee Endpoint Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not scanning the main virtual desktop.

D-2023-0057-D000CR-0001-0002.A2a - Open

Rec. A.2.a: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force revise its policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive user accounts after no more than 35 days.

D-2023-0057-D000CR-0001-0002.A2b - Open

Rec. A.2.b: The DoD OIG recommended that the Chief Information Officer of the Department of the Air Force direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0003.A3 - Closed

Rec. A.3: The DoD OIG recommended that the Chief Information Officer of the Naval Surface Warfare Center - Panama City Division direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0004.A4a - Closed

Rec. A.4.a: The DoD OIG recommended that the Chief Information Officer of the Defense Intelligence Agency revise its policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive users after no more than 35 days.

D-2023-0057-D000CR-0001-0004.A4b - Closed

Rec. A.4.b: The DoD OIG recommended that the Chief Information Officer of the Defense Intelligence Agency direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0005.A5a - Closed

Rec. A.5.a: The DoD OIG recommended that the Director of the Marine Corps Information Command, Control, Communications, and Computers revise the organization's policy to align with the Windows 10 Security Technical Implementation Guide requirement for disabling inactive users after no more than 35 days.

D-2023-0057-D000CR-0001-0005.A5b - Closed

Rec. A.5.b: The DoD OIG recommended that the Director of the Marine Corps Information Command, Control, Communications, and Computers direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0001-0006.A6 - Closed

Rec. A.6: The DoD OIG recommended that the Director of the Defense Information Systems Agency Joint Service Provider direct network and system administrators to disable inactive user accounts after no more than 35 days of inactivity in accordance with the Windows 10 Security Technical Implementation Guide, develop compensating controls, or formally accept the risk of not disabling the inactive user accounts.

D-2023-0057-D000CR-0002-0001.B1 - Closed

Rec. B.1: The DoD OIG recommended that the Director of the Defense Information Systems Agency Joint Service Provider direct network and system administrators to revise the vulnerability management program to include mitigation timeframes for all vulnerabilities and develop plans of actions and milestones for all vulnerabilities that cannot be mitigated in a timely manner.

General Services Administration OIG

COVID-19: PBS Faces Challenges in Its Efforts to Improve Air Filtration in GSA-Controlled Facilities

Full Details: Oversight.gov Report Page

Audit | 9/30/2022

Social Security Administration OIG

The Social Security Administration’s Enumeration Services During the COVID-19 Pandemic

Objective: To determine whether the Social Security Administration (SSA) complied with its enumeration policies and procedures and had adequate controls over managing evidentiary documents submitted to support Social Security number (SSN) card applications during the COVID-19 pandemic.

Full Details: Oversight.gov Report Page

Audit | 9/30/2022

1 - Closed

Develop and periodically conduct comprehensive refresher training on topics including but not limited to:
- processing original Social Security Number (SSN) cards for individuals aged 12 or older and emphasize requirements and documentation of the in-person interview;
- acceptable forms of evidentiary documents, and
- processing new (different) and replacement SSN cards when adoption

10 - Open

Complete the privacy assessments for the WorkTrack application.

2 - Open

Update quality control reviews to include comparison of SSNAP inputs to an applicant-submitted Form SS-5 and evidentiary documents, and provide feedback to the technicians who made input errors (such as race and ethnicity) or did not use the appropriate evidentiary documents.

3 - Open

Revise enumeration policy to include clear instructions for when Form SSA-5002 is required and how to properly document the form.

4 - Closed

Update Program Operations Manual System (POMS) to provide current instructions for enumeration notices and archive outdated policy.

5 - Open

Retain enumeration notices in the Online Retrieval System for individuals with assigned SSNs.

6 - Open

Create and implement automated tools to assist staff in navigating through enumeration evidentiary document requirements.

7 - Closed

Take corrective action on all keying errors and cross-referencing errors we identified.

8 - Closed

Require managers to verify that incident reports are submitted through the Personally Identifiable Information (PII) Loss Reporting Tool before they approve reimbursement to customers for replacing lost original documents.

9 - Closed

Update the National Mail Handling Business Process to include standard Agency-wide mitigation steps for misdirected mail including original documents.

Small Business Administration OIG

COVID-19 and Disaster Assistance Information Systems Security Controls

This report presents the results of our audit to determine whether the U.S. Small Business Administration (SBA) maintained effective management control activities and monitoring of the design and implementation of third-party operated SBA systems. SBA needed information technology systems from third-party service providers that could improve the system efficiency and productivity to process high transaction volumes, transmit data between other information systems, and safeguard the integrity and confidentiality of the personally identifiable information processed by the programs. We found the...

Full Details: Oversight.gov Report Page

Audit | 9/27/2022

1 - Open

Ensure the existing SBA System Development Methodology is updated to include supply chain risk-management practices as required by OMB Circular A-130 and high-value asset system designation guidance. Also, ensure high-value asset system risks are incorporated into the enterprise risk management framework, as recommended by OMB M-19-03 and SBA SOP 90 47 6.

10 - Open

Implement an automated process to document and monitor system changes as recommended by NIST SP 800-53 Rev. 5.

2 - Open

Communicate and enforce the SBA System Development Methodology in which a traceability matrix is used to ensure that system requirements can be tested and demonstrated in the operational system. Ensure all requirements are aligned with the contractual acceptance criteria.

3 - Open

Implement in updated agency guidance, the requirements of OMB Circular No. A-123 that stipulate a SOC 1 Type 2 report is needed for all new and existing financial systems. This guidance should also require confirmation at least annually that the controls are functioning as designed.

4 - Closed

Enforce the requirement to establish and implement internal controls to ensure appropriate program officials perform and document contract reviews to ensure that information security is appropriately addressed in the contracting language, as required by OMB Circular A-130 and SBA SOP 90 47 6.

5 - Open

In conjunction with the Enterprise Risk Management Board, implement enterprise-wide privacy risk mitigation practices that can be assimilated into new and existing system program designs.

6 - Open

Complete an initial assessment and authorization for each information system and all agency-designated common controls before operation.

7 - Open

Transition information systems and common controls to an ongoing authorization process (when eligible for such a process) with the formal approval of the respective authorizing officials or reauthorize information systems and common controls as needed, on a time or event-driven basis in accordance with agency risk tolerance, as required by OMB Circular No. A-130 and SOP 90 47 6.

8 - Open

Review and update POA&Ms at least quarterly as required by SOP 90 47 6.

9 - Closed

Ensure data-sharing agreements are reviewed annually as required by SBA SOP 90 47 6.

Department of Defense OIG

Audit of the DoD Certification Process for Coronavirus Aid, Relief, and Economic Security Act Section 4003 Loans Provided to Businesses Designated as Critical to Maintaining National Security

Full Details: Oversight.gov Report Page

Audit | 9/20/2022

Small Business Administration OIG

COVID-19 Economic Injury Disaster Loan Applications Submitted from Foreign IP Addresses

We evaluated the U.S. Small Business Administration’s (SBA) controls to flag or prevent potentially fraudulent Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loan (EIDL) applications submitted from foreign Internet Protocol (IP) addresses. Although the agency implemented several layers of controls to prevent or reduce fraud from foreign countries, individuals at foreign IP addresses were able to access the COVID-19 EIDL application system. SBA received millions of attempts to submit COVID-19 EIDL applications from foreign IP addresses and stopped most of them; however, the agency...

Full Details: Oversight.gov Report Page

Audit | 9/12/2022

Department of Defense OIG

DoD Cooperative Agreements With Coronavirus Aid, Relief, and Economic Security Act Obligations

Full Details: Oversight.gov Report Page

Department of Defense OIG

Audit of North American Aerospace Defense Command and U.S. Northern Command Use of Coronavirus Aid, Relief, and Economic Security Act Funding

Full Details: Oversight.gov Report Page

Audit | 5/17/2022

D-2022-0098-D000AU-0001-0001.a - Closed

Rec. 1.a: The DoD OIG recommended that the Commander, North American Aerospace Defense Command and U.S. Northern Command, develop internal controls that implement emergency funding guidance and ensure proper use of emergency authorized funds.

D-2022-0098-D000AU-0001-0001.b - Closed

Rec. 1.b: The DoD OIG recommended that the Commander, North American Aerospace Defense Command and U.S. Northern Command, develop internal controls that require North American Aerospace Defense Command and U.S. Northern Command officials to retain sufficient evidence, including a clear and accurate description of the goods and services purchased, that demonstrates how those goods and services supported the specific emergency.

D-2022-0098-D000AU-0001-0002.a - Closed

Rec. 2.a: The DoD OIG recommended that the Director, Budget Operations and Personnel, Office of the Deputy Assistant Secretary of the Air Force (Budget) develop and implement internal controls that verify whether current and future emergency expenses meet specific funding requirements prior to reimbursement and retain sufficient evidence of verification.

D-2022-0098-D000AU-0001-0002.b - Closed

Rec. 2.b: The DoD OIG recommended that the Director, Budget Operations and Personnel, Office of the Deputy Assistant Secretary of the Air Force (Budget) conduct a review of North American Aerospace Defense Command and U.S. Northern Command CARES Act transactions 1, 3, 5, 6, 14, 16, 17, 18, 24, and 25 to determine whether the purpose statute was violated. In addition, review the remaining 472 North American Aerospace Defense Command and U.S. Northern Command CARES Act transactions, which were not part of our sample, to ensure CARES Act funds were used as intended.

D-2022-0098-D000AU-0001-0002.c - Closed

Rec. 2.c: The DoD OIG recommended that the Director, Budget Operations and Personnel, Office of the Deputy Assistant Secretary of the Air Force (Budget), in coordination with North American Aerospace Defense Command and U.S. Northern Command, make the appropriate accounting adjustments for transactions 1, 3, 5, 6, 14, 16, 17, 18, 24, and 25 to non-CARES Act funding if the Director's review concludes the purpose statute was violated. The Director's review could result in the potential monetary benefits of $19.2 million (in questioned costs) and $7.4 million (in unsupported costs).

D-2022-0098-D000AU-0001-0002.d - Closed

Rec. 2.d: The DoD OIG recommended that the Director, Budget Operations and Personnel, Office of the Deputy Assistant Secretary of the Air Force (Budget) determine whether any purpose statute violations result in Antideficiency Act violations based on Recommendations 2.b. and 2.c.

D-2022-0098-D000AU-0001-0002.e - Closed

Rec. 2.e: The DoD OIG recommended that the Director, Budget Operations and Personnel, Office of the Deputy Assistant Secretary of the Air Force (Budget) report any resulting Antideficiency Act violations to the Secretary of the Air Force, who then reports relevant information to the President and Congress.

Date Range

Report Type

Report Category

Submitting Agency

State/Local Agency

State (State and Local Reports)

Fraud Type

Agency Reviewed

Related Organizations

Management Challenges

Any Recommendations

Any Open Recommendations

Reports

Audit of DoD Actions Taken to Protect DoD Information When Using Collaboration Tools During the Coronavirus Disease–2019 Pandemic

Audit of GSA’s Response to COVID-19: PBS Faces Challenges to Meet the Ventilation and Acceptable Indoor Air Quality Standard in GSA-Owned Buildings

Audit of DoD Actions Taken to Implement Cybersecurity Protections Over Remote Access Software in the Coronavirus Disease–2019 Telework Environment

COVID-19: PBS Faces Challenges in Its Efforts to Improve Air Filtration in GSA-Controlled Facilities

The Social Security Administration’s Enumeration Services During the COVID-19 Pandemic

COVID-19 and Disaster Assistance Information Systems Security Controls

Audit of the DoD Certification Process for Coronavirus Aid, Relief, and Economic Security Act Section 4003 Loans Provided to Businesses Designated as Critical to Maintaining National Security

COVID-19 Economic Injury Disaster Loan Applications Submitted from Foreign IP Addresses

DoD Cooperative Agreements With Coronavirus Aid, Relief, and Economic Security Act Obligations

Audit of North American Aerospace Defense Command and U.S. Northern Command Use of Coronavirus Aid, Relief, and Economic Security Act Funding

Glossary

Glossary name will go here