37 IGs Report on Agency Tech Challenges Related to $2.4 Trillion COVID Relief Package

Samfotograf/Shutterstock

A new report shows similar issues with bandwidth, cybersecurity and aging IT systems across government, exacerbated by the coronavirus pandemic.

Federal agencies got a huge influx of cash through pandemic-related stimulus bills, much of which was either disbursed through government IT systems or used to enhance agency technology capabilities. But, as with all federal IT delivery, this has not always gone smoothly.

The Coronavirus Aid, Relief and Economic Security, or CARES, Act approved spending $2.4 trillion to help the nation through the COVID-19 pandemic, almost all of which was disbursed through federal programs, or used directly to support agency operations.

The federal oversight community is tracking this spending, and the Council of Inspectors General on Integrity and Efficiency—made up of inspectors general from across government—released an initial report identifying unique and common challenges agencies have faced managing this huge pot of money.

“Given the amount of money at issue, the need to distribute aid quickly, and the use of grants and loans to disburse funds, effectively managing the programs funded by these bills presents a significant challenge to many executive branch agencies,” the report states. “Moreover, these same factors increase the risk of fraud and misuse of these funds.”

IGs from 37 agencies contributed to the final report from the Pandemic Response Accountability Committee, which broke the common challenges into four “key areas of concern,” including IT security and management.

“CIGIE previously has identified information technology security and management as a long-standing, serious, and ubiquitous challenge that impacts agencies across the government, highlighting agencies’ dependence on reliable and secure IT systems to perform their mission-critical functions,” the IGs wrote.

“These concerns remain a significant challenge, but are impacted by (1) widespread reliance on maximum telework to continue agency operations during the pandemic, which has strained agency networks and shifted IT resources, and (2) additional opportunities and targets for cyberattacks created by remote access to networks and increases in online financial activity.”

In the introduction, the report’s authors point to the Office of Personnel Management as one example.

OPM IT managers told the IG they “were concerned about the ability of OPM’s aging infrastructure to absorb the sudden workload increase in remote access.” While they were able to adjust, “the shift to telework also highlighted OPM’s lack of teleconferencing software and shortcomings in its ability to remotely administer its systems.”

The report also honed in on the related but separate issue of cybersecurity, both from the perspective of a weaker security posture with a distributed workforce, as well as the higher potential for insider threats—employees, malicious or unintentional—leaking sensitive data.

“These challenges are exacerbated by the pandemic,” the report states.

“For example, [the Environmental Protection Agency] OIG stated that unprecedented levels of remote access raise the risk of security breaches of remotely stored and transmitted data. Similarly, [the National Reconnaissance Office] OIG cited the risk of inadvertent spills and disclosures of classified information by employees performing unclassified work at home using computers with weak passwords or poorly secured home Wi-Fi routers, cell phones, free social media platforms, and other non-secure means of communication.”

While the report does not offer any specific recommendations for any agency issues, “By identifying these top challenges across the federal government, the PRAC hopes to assist agency managers and policymakers in determining how best to address them,” the IGs wrote.

Some additional highlights from the report, broken down by agency:

General Services Administration

The government’s landlord and buyer has instituted new “flexibilities” with regard to “credentialing, termination of credentials and building access, and issuance and collection of government supplied equipment for contractors” to allow for more social distancing.

“While these allowances may be necessary in the short-term, GSA must ensure sufficient controls remain,” the report states. “In addition, in cases where contractors use their own information technology equipment, GSA must ensure it is in compliance with the GSA Office of the Chief Information Officer's IT security policy and technical security guidelines. Failure to do so exposes GSA to potential attacks that could lead to the disruption of agency operations and the unauthorized disclosure of sensitive information.”

NASA

While the report does not go into NASA’s COVID-related IT challenges, the authors note the agency was given $60 million in emergency funding. To date, the agency has spent $8.5 million, mostly on “contractor impact claims, information technology services and cleaning supplies,” with the remainder earmarked for “increased cleaning efforts at each NASA facility as well as purchases of personal protective equipment.”

National Archives and Records Administration

NARA received $8.1 million under the CARES Act, most of which “will be used to increase NARA’s information technology equipment and infrastructure to promote telework, which will require contracting for goods and services,” the IG wrote, noting, “Accordingly, NARA may be hampered by long-standing challenges in IT security and contract management.”

The IG cites years of poor annual cybersecurity reports dating back to 2007, with issues that continue to be ignored.

“While NARA has introduced initiatives to promote a mature program, real progress will not be made until NARA establishes an effective system of internal control for information security,” the report states. “This will not be completed before NARA expends the CARES Act funds, and NARA must work to ensure that any of these funds spent on IT do not exacerbate current security issues.”

National Reconnaissance Office

For the intelligence community—and the NRO specifically—attempting to facilitate mass teleworking in a classified environment has been difficult.

“In addition to the obvious mission challenges caused by a reduced government and contractor workforce, intelligence community organizations often lack the appropriate mechanisms to facilitate communication with personnel who are no longer on-site and may lack access to government networks,” the report reads. “Further, the nature of work performed, contract terms, and information technology system often do not provide telework options, which impacts intelligence community organizations’ ability to maximize the productivity of its workforce.”

As mentioned above, these issues are exacerbated by the threat of insider leaks, either from malicious actors looking to steal and share national secrets or inadvertent leaks due to poor home security and lax work habits.

Small Business Administration

The SBA IG noted the agency has come a long way with its IT infrastructure, policies and procedures. But, “SBA has experienced serious IT challenges implementing the programs associated with COVID-19 funding,” including the critical loans to keep small businesses stable through statewide shutdowns.

The report offers SBA two recommendations:

  • Deploy appropriate security protocols to minimize the risk of data breaches or misuse of personally identifiable information.
  • Develop and maintain effective risk management, contingency planning, and incident response practices to minimize vulnerabilities.

Health and Human Services

As with other citizen-focused agencies, “HHS must support a secure, robust information technology infrastructure for both internal HHS and external programs,” the IGs wrote.

For HHS, specifically, that means supporting telehealth and other remote care needs for the health care sector, as well as ensuring a strong baseline of cybersecurity, as health data is a treasure trove for hackers and identity thieves.

“Other key infrastructure for the pandemic response includes the Strategic National Stockpile, quarantine facilities, the drug supply chain, and research and development programs, as well as other health care infrastructure, such as telehealth platforms and devices, networked medical or laboratory equipment, and other technology that enabled remote response to COVID-19,” the report states.

Interior Department

The report notes Interior spends $1.2 billion a year on IT operations but “continues to struggle to implement an enterprise IT security program that balances compliance, cost and risk while enabling bureaus to meet their diverse missions.”

Funding from the CARES Act does not appear to directly affect that situation, however, and “an increased need for remote access to IT systems under COVID-19 restrictions could exacerbate these problems,” the IG said.

Office of Personnel Management

The government’s human resources department was able to adjust for bandwidth issues by restricting the number of people using virtual private networks unnecessarily, as well as “’bandwidth hogs like streaming video services.”

Through April, “The [network operations center] observed that OPM’s VPN and network were generally stable and fully operational,” the IG reported. “However, it also became clear that OPM lacks a suitable enterprise solution for video web conferencing, which limits effective and secure remote collaboration. The increased telework has also highlighted shortcomings in OPM’s ability to remotely administer its systems, as well as aging hardware supporting VPN and network connections.”

The agency received $12 million in supplemental funding under the CARES Act, which will be used for “improved collaboration and conferencing tools, workflow management, remote administration, and the software and hardware needed to support a majority telework environment for the foreseeable future.”

“At this time, other than the normal procurement constraints, the OIG does not see any major challenges facing OPM as it seeks to effectively spend its emergency supplemental funds,” they added.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.