GAO

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

What GAO Found

The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.
Table: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

Sector (Lead Federal Agency): Examples of IoT or OT Initiatives

Energy (Department of Energy):
    Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.
    Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services):
    Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.
    Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation):
    Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.
    Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans for higher risk railroads.

Source: GAO analysis of agency documentation | GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices.
Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities.

The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met. As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

Why GAO Did This Study

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure.
Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts. This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices.

To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies. To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements. GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sectors' cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.

Broadband: USDA Should Set Performance Goals and Improve Fraud Risk Management for Funding Program

What GAO Found

The U.S. Department of Agriculture's (USDA) ReConnect program was established by statute and awards grants and loans to provide broadband service in rural areas. In 2019 and 2020, USDA conducted two rounds of funding in which applicants were able to apply for a grant, a loan, or a combination of the two, as shown in the figure. As of October 2022, USDA was reviewing applications for a third round of awards.

Figure: Rounds One and Two of ReConnect Awards, by Award Type and Households Served

USDA uses information from ReConnect and its other broadband programs to inform agency-wide performance goals, but has not set performance goals specific to ReConnect. For example, during the first two funding rounds, USDA used ReConnect data to support two department-wide performance goals—one on the number of new subscribers resulting from projects funded by ReConnect and other USDA telecommunications programs, and one on private investment resulting from certain USDA-funded projects. However, USDA did not establish performance goals that would define the specific results it expected ReConnect to achieve. Setting performance goals would help the department better determine if ReConnect is meeting expectations distinct from its other programs. Based on that information, it could then make informed decisions about the program.

USDA's oversight of ReConnect aligns with some but not all of the selected leading practices in GAO's fraud risk framework. The framework calls for: (1) designating an entity to oversee fraud risk management activities for a program, (2) documenting that entity's responsibilities, and (3) conducting and documenting a fraud risk assessment for a program, among other practices. USDA officials told GAO that its Office of the Chief Risk Officer is the designated entity to oversee fraud risk management for ReConnect. However, USDA officials have not documented this office's responsibilities specifically for fraud risk management.
In addition, USDA officials have identified and considered specific fraud risks in ReConnect, but they have not conducted a fraud risk assessment for the program. Documenting the Office of the Chief Risk Officer's responsibilities for fraud risk management and conducting a fraud risk assessment would help USDA ensure that it routinely identifies and mitigates all potential fraud risks to the ReConnect program.

Why GAO Did This Study

A significant gap in broadband access remains between U.S. urban and rural populations, according to the Federal Communications Commission. The importance of closing the gap was highlighted during the COVID-19 pandemic, which has required many Americans to work, learn, and socialize from home. USDA's ReConnect program, which began in 2018, provides grants and loans to broadband providers serving rural communities to help close the broadband gap.

GAO was asked to review the ReConnect program. Among other objectives, this report examines the program's (1) performance goals and (2) alignment with selected leading fraud risk management practices. GAO analyzed ReConnect award and application data from 2018 through 2021, and compared USDA's performance documentation to leading performance assessment practices. GAO also compared USDA's fraud risk management processes to GAO's fraud risk framework and interviewed USDA officials.

Paid Tax Return Preparers: IRS Efforts to Oversee Refundable Credits Help Protect Taxpayers but Additional Actions and Authority Are Needed

What GAO Found

The Internal Revenue Service (IRS) designed the Refundable Credits Return Preparer Strategy program to address improper payments associated with refundable tax credits and other benefits. This program includes tailored education and enforcement actions for paid preparers identified as having returns filed with a high probability of errors. The program aims to change the behavior of paid preparers and their clients and improve the accuracy of returns claiming these credits.

IRS has yet to develop a long-term plan that identifies and links long-term goals, objectives, activities, and performance measures for this program. Instead, program officials have focused on the operation of the program on a year-to-year basis. This includes ensuring preparers at risk of noncompliance are assigned to appropriate compliance actions. However, a long-term plan would provide a road map to help ensure that decisions align with program goals and inform budget requests and resource decisions. Without a long-term plan, program officials will continue to be limited in their ability to plan strategically.

IRS identified a need for an IRS-wide tax return preparer strategy that would ensure consistent treatment of all preparers across different compliance programs. However, progress on the IRS-wide strategy stalled. Thus, how the Refundable Credits Return Preparer Strategy program fits into a broader service-wide strategy remains unclear. IRS officials noted that the strategy cannot be finalized until the IRS-wide reorganization is completed. IRS received significant additional funding as part of the Inflation Reduction Act of 2022. The agency is developing a detailed spend plan for these funds. Officials reported that the IRS-wide strategy was still under consideration within IRS's reorganization. However, until the IRS reorganization is complete and the IRS-wide preparer strategy is implemented, IRS may be missing opportunities to capitalize on prior planning efforts.
While the Refundable Credits Return Preparer Strategy program helps encourage preparer compliance with due diligence requirements, the challenge with preparer accuracy is much broader. IRS data show the program can reach a small fraction—less than 2 percent in 2021—of preparers with education and enforcement activities. Further, tax preparers are not held to uniform standards because IRS lacks the authority to establish professional requirements for all types of preparers. This puts some taxpayers at risk of receiving insufficient or incompetent tax preparation services and potentially burdensome enforcement actions. Providing IRS with the authority to establish requirements for all paid preparers would allow IRS to target its resources more efficiently on noncompliant preparers.

Why GAO Did This Study

Millions of taxpayers claim refundable tax credits each year. About half of taxpayers use a paid preparer, according to the Department of the Treasury. However, these credits have complex eligibility rules that can be difficult to follow. This can result in errors and improper claims. For fiscal year 2021, IRS estimated that it paid $115 billion in refundable tax credits, but $26 billion were improperly paid.

GAO was asked to examine IRS's Refundable Credits Return Preparer Strategy program. This report assesses (1) the extent to which the program incorporates key elements of program design, and (2) how, if at all, IRS could broaden the effect of its strategy to reduce improper payments, among other objectives. GAO reviewed IRS program data and documentation. GAO also interviewed IRS officials, paid preparers, and industry groups. Further, GAO compared IRS's efforts to guidance on key program elements from the Office of Management and Budget's Circular No. A-11 and IRS's Strategic Plan.

Export-Import Bank: Loan and Loan Guarantee Program Updates in Response to COVID-19

What GAO Found

Using its existing authority, the Export-Import Bank of the United States (EXIM) developed four temporary relief measures for its loan and loan guarantee programs in response to the lack of liquidity and other export financing issues associated with the COVID-19 pandemic. EXIM's Board of Directors approved the relief measures in March 2020. Some of the relief measures expired in April 2022, while others remain in effect until April 2023. EXIM created or modified the following four programs in response to COVID-19:

Bridge Financing Program. Newly developed to provide short-term financing for borrowers through direct loans to purchase U.S. goods and services while there was a lack of liquidity available through the private sector.

Pre-Delivery/Pre-Export Payment Program. Expanded EXIM's Pre-Export Payment Policy by extending financing eligibility to foreign buyers with long-term financing through commercial lenders and to manufacturing sectors whose foreign buyers had traditionally not participated.

Supply Chain Financing Guarantee Program. Temporarily modified EXIM's preexisting program to waive the 50 percent small business target for suppliers, allow U.S. exporters to make sales directly to foreign affiliates, and increase the guarantee coverage from 90 percent to 95 percent.

Working Capital Guarantee Program. Temporarily modified EXIM's preexisting program to expand the definition of eligible inventory, increase the guarantee coverage from 90 percent to 95 percent, and expedite implementation of a reduced and more understandable fee structure.

GAO found that EXIM documented program updates from the board-approved COVID-19 temporary relief measures and communicated the updates to personnel responsible for the related programs during staff meetings and through emails, memorandums, and press releases.
Additionally, EXIM's board directly approved all transaction authorizations made under the relief measures and communicated its approvals through board meeting minutes available on EXIM's website.

Why GAO Did This Study

EXIM helps U.S. firms export goods and services by providing a range of financial products, including direct loans, loan guarantees, and insurance, when private financing is not available, for example, during times of economic crisis. In response to the COVID-19 pandemic, EXIM implemented several temporary relief measures to inject liquidity into the market and provide increased financing flexibility to facilitate sales of U.S. goods and services abroad.

The Export-Import Bank Reauthorization Act of 2012 included a provision for GAO to periodically evaluate EXIM's policies and guidelines for its loan and loan guarantee transactions, among other things. This report discusses how EXIM updated its loan and loan guarantee programs and related procedures in response to COVID-19. GAO reviewed EXIM's COVID-19 temporary relief measures and internal policies, as well as reports related to EXIM, and interviewed EXIM officials.

For more information, contact James R. Dalkin at (202) 512-3133 or dalkinj@gao.gov.

Semiannual Report to Congress: April 1, 2022 through September 30, 2022

This report was submitted to the Comptroller General in accordance with Section 5 of the Government Accountability Office (GAO) Act of 2008. The report summarizes the activities of GAO's Office of Inspector General (OIG) for the six-month reporting period ending September 30, 2022. During the reporting period, the OIG initiated work on two performance audits and continued work on an additional performance audit. In addition, the OIG closed seven investigations and opened 22 new investigations. The OIG processed 75 substantive hotline complaints, many of which were referred to other OIGs for action because the matters involved were within their jurisdictions. The OIG remained active in the GAO and OIG communities by briefing new GAO employees on its audit and investigative missions, briefing GAO teams on the work of the GAO OIG, and participating in Council of Inspectors General on Integrity and Efficiency committees and working groups, including those related to the Pandemic Response Accountability Committee. Details of these activities and other accomplishments are provided in the report. For more information, contact Tonya R. Ford at (202) 512-5748 or oig@gao.gov.

Veterans Affairs: Projection, Use, and Oversight of COVID-19 Relief Funding

What GAO Found

The Department of Veterans Affairs (VA) received approximately $36.70 billion in supplemental funding outside of its annual appropriation from three COVID-19 relief laws between 2020 and 2021: the CARES Act; the Families First Coronavirus Response Act (FFCRA); and the American Rescue Plan Act of 2021 (ARPA). As of August 23, 2022, VA had obligated approximately 99 percent of its funds from the CARES Act and FFCRA and 56.9 percent of funds from ARPA.

Figure: Department of Veterans Affairs' (VA) COVID-19 Supplemental Funding and Reported Obligations and Expenditures through August 2022

Note: An obligation is a definite commitment that creates a legal liability to pay and an expenditure is the actual spending of money.

To determine the amount of COVID-19 supplemental funds to request from Congress, VA relied on assumptions based on information from public health sources and pre-pandemic data. As the pandemic progressed, VA transferred CARES Act funds within the department to respond to changing circumstances related to the pandemic. Further, it relied on data such as medical facilities' caseloads during COVID-19 peaks to inform its request for ARPA funding.

VA used FFCRA and CARES Act funds to finance key areas such as community care, information technology efforts, and education system modernization. It continued to sustain these priorities with ARPA funds. VA is developing plans to continue to finance key areas once the current funding sources are exhausted.

VA took actions to address challenges related to the projection, use, and oversight of COVID-19 supplemental funds. For example: VA requested and received congressional approval for greater flexibility in the permitted use of funds to accommodate changing needs; VA established a governance council to review proposed information technology investments; and to address confusion among VA staff, VA's Office of Finance developed guidance documents on the use of supplemental funds.
Why GAO Did This Study

As of September 26, 2022, VA reported 766,537 cumulative cases of COVID-19 among veterans and 22,990 deaths. The CARES Act, FFCRA, and ARPA included supplemental funds to VA for COVID-19 relief, most of which were for providing health care. To provide oversight of VA's spending of this supplemental funding, Congress passed, and the President signed into law, the VA Transparency & Trust Act of 2021. The Act included a provision for GAO to review supplemental VA funding for COVID-19.

This report describes 1) information used to determine the amount of requested COVID-19 supplemental funding; 2) how VA used supplemental funds for the pandemic; and 3) actions VA took in response to challenges related to the projection, use, and oversight of COVID-19 supplemental funds. GAO reviewed VA data on obligations, expenditures, and spend plans for COVID-19 supplemental funding, as well as documentation on supplemental funding processes, and guidance on the use of these funds. GAO interviewed VA officials including officials from six Veterans Integrated Services Networks to gain insights into their roles in the projection, use, and oversight of supplemental funding. These six networks were selected based on geographic diversity and a range of funding levels. VA reviewed a draft of this report and provided technical comments, which were incorporated as appropriate.

For more information, contact Sharon M. Silas at (202) 512-7114 or Silass@gao.gov.

Internal Revenue Service: Information about Funding, Financial Reporting Controls, and GAO Recommendations

What GAO Found

The Inflation Reduction Act of 2022 (Public Law 117-169) provided the Internal Revenue Service (IRS) with $79.4 billion in funding over 10 years to enhance IRS resources and improve taxpayer compliance, among other purposes. This substantial amount of new funding will need effective IRS planning, prioritization, and management to help reduce the gap between taxes owed and taxes paid on time.

Limitations in the systems IRS uses to account for federal taxes receivable and other unpaid assessment balances continued to exist during fiscal year 2022. In addition, continuing information system control deficiencies in areas such as encryption and configuration of security settings increase the risk of unauthorized access to, modification of, or disclosure of sensitive financial and taxpayer data and disruption of critical operations.

GAO has made numerous recommendations to IRS that, if fully implemented, could address the enforcement of tax laws high-risk area and significantly improve IRS operations. As of November 2022, IRS has a total of 176 unimplemented recommendations. This includes 25 recommendations considered high priority.

Why GAO Did This Study

IRS estimates that the annual net tax gap—the difference between taxes owed and taxes paid on time—averaged $428 billion for tax years 2014-2016 (latest available). This report addresses (1) IRS funding, (2) IRS financial reporting and information system controls, and (3) IRS high-risk areas and related GAO recommendations. GAO reviewed its prior work on IRS, including GAO High Risk reports, the latest priority recommendation letter to IRS, and recent audits of IRS's financial statements. GAO also reviewed its ongoing efforts to assess IRS's implementation of recommendations.
