37 IGs Report on Agency Tech Challenges Related to $2.4 Trillion COVID Relief Package

Federal agencies got a huge influx of cash through pandemic-related stimulus bills, much of which was either disbursed through government IT systems or used to enhance agency technology capabilities. But, as with all federal IT delivery, this has not always gone smoothly.

The Coronavirus Aid, Relief and Economic Security, or CARES, Act approved spending $2.4 trillion to help the nation through the COVID-19 pandemic, almost all of which was disbursed through federal programs, or used directly to support agency operations.

The federal oversight community is tracking this spending, and the Council of Inspectors General on Integrity and Efficiency—made up of inspectors general from across government—released an initial report identifying unique and common challenges agencies have faced managing this huge pot of money.

“Given the amount of money at issue, the need to distribute aid quickly, and the use of grants and loans to disburse funds, effectively managing the programs funded by these bills presents a significant challenge to many executive branch agencies,” the report states. “Moreover, these same factors increase the risk of fraud and misuse of these funds.”

IGs from 37 agencies contributed to the final report from the Pandemic Response Accountability Committee, which broke the common challenges into four “key areas of concern,” including IT security and management.

“CIGIE previously has identified information technology security and management as a long-standing, serious, and ubiquitous challenge that impacts agencies across the government, highlighting agencies’ dependence on reliable and secure IT systems to perform their mission-critical functions,” the IGs wrote.

“These concerns remain a significant challenge, but are impacted by (1) widespread reliance on maximum telework to continue agency operations during the pandemic, which has strained agency networks and shifted IT resources, and (2) additional opportunities and targets for cyberattacks created by remote access to networks and increases in online financial activity.”

In the introduction, the report’s authors point to the Office of Personnel Management as one example.

OPM IT managers told the IG they “were concerned about the ability of OPM’s aging infrastructure to absorb the sudden workload increase in remote access.” While they were able to adjust, “the shift to telework also highlighted OPM’s lack of teleconferencing software and shortcomings in its ability to remotely administer its systems.”

The report also honed in on the related but separate issue of cybersecurity, both from the perspective of a weaker security posture with a distributed workforce, as well as the higher potential for insider threats—employees, malicious or unintentional—leaking sensitive data.

“These challenges are exacerbated by the pandemic,” the report states.

“For example, [the Environmental Protection Agency] OIG stated that unprecedented levels of remote access raise the risk of security breaches of remotely stored and transmitted data. Similarly, [the National Reconnaissance Office] OIG cited the risk of inadvertent spills and disclosures of classified information by employees performing unclassified work at home using computers with weak passwords or poorly secured home Wi-Fi routers, cell phones, free social media platforms, and other non-secure means of communication.”

While the report does not offer any specific recommendations for any agency issues, “By identifying these top challenges across the federal government, the PRAC hopes to assist agency managers and policymakers in determining how best to address them,” the IGs wrote.

Some additional highlights from the report, broken down by agency:

General Services Administration

The government’s landlord and buyer has instituted new “flexibilities” with regard to “credentialing, termination of credentials and building access, and issuance and collection of government supplied equipment for contractors” to allow for more social distancing.

“While these allowances may be necessary in the short-term, GSA must ensure sufficient controls remain,” the report states. “In addition, in cases where contractors use their own information technology equipment, GSA must ensure it is in compliance with the GSA Office of the Chief Information Officer's IT security policy and technical security guidelines. Failure to do so exposes GSA to potential attacks that could lead to the disruption of agency operations and the unauthorized disclosure of sensitive information.”

NASA

While the report does not go into NASA’s COVID-related IT challenges, the authors note the agency was given $60 million in emergency funding. To date, the agency has spent $8.5 million, mostly on “contractor impact claims, information technology services and cleaning supplies,” with the remainder earmarked for “increased cleaning efforts at each NASA facility as well as purchases of personal protective equipment.”

National Archives and Records Administration

NARA received $8.1 million under the CARES Act, most of which “will be used to increase NARA’s information technology equipment and infrastructure to promote telework, which will require contracting for goods and services,” the IG wrote, noting, “Accordingly, NARA may be hampered by long-standing challenges in IT security and contract management.”

The IG cites years of poor annual cybersecurity reports dating back to 2007, with issues that continue to be ignored.

“While NARA has introduced initiatives to promote a mature program, real progress will not be made until NARA establishes an effective system of internal control for information security,” the report states. “This will not be completed before NARA expends the CARES Act funds, and NARA must work to ensure that any of these funds spent on IT do not exacerbate current security issues.”

National Reconnaissance Office

For the intelligence community—and the NRO specifically—attempting to facilitate mass teleworking in a classified environment has been difficult.

“In addition to the obvious mission challenges caused by a reduced government and contractor workforce, intelligence community organizations often lack the appropriate mechanisms to facilitate communication with personnel who are no longer on-site and may lack access to government networks,” the report reads. “Further, the nature of work performed, contract terms, and information technology system often do not provide telework options, which impacts intelligence community organizations’ ability to maximize the productivity of its workforce.”

As mentioned above, these issues are exacerbated by the threat of insider leaks, either from malicious actors looking to steal and share national secrets or inadvertent leaks due to poor home security and lax work habits.

Small Business Administration

The SBA IG noted the agency has come a long way with its IT infrastructure, policies and procedures. But, “SBA has experienced serious IT challenges implementing the programs associated with COVID-19 funding,” including the critical loans to keep small businesses stable through statewide shutdowns.

The report offers SBA two recommendations:

• Deploy appropriate security protocols to minimize the risk of data breaches or misuse of personally identifiable information.
• Develop and maintain effective risk management, contingency planning, and incident response practices to minimize vulnerabilities.

Health and Human Services

As with other citizen-focused agencies, “HHS must support a secure, robust information technology infrastructure for both internal HHS and external programs,” the IGs wrote.

For HHS, specifically, that means supporting telehealth and other remote care needs for the health care sector, as well as ensuring a strong baseline of cybersecurity, as health data is a treasure trove for hackers and identity thieves.

“Other key infrastructure for the pandemic response includes the Strategic National Stockpile, quarantine facilities, the drug supply chain, and research and development programs, as well as other health care infrastructure, such as telehealth platforms and devices, networked medical or laboratory equipment, and other technology that enabled remote response to COVID-19,” the report states.

Interior Department

The report notes Interior spends $1.2 billion a year on IT operations but “continues to struggle to implement an enterprise IT security program that balances compliance, cost and risk while enabling bureaus to meet their diverse missions.”

Funding from the CARES Act does not appear to directly affect that situation, however, and “an increased need for remote access to IT systems under COVID-19 restrictions could exacerbate these problems,” the IG said.

Office of Personnel Management

The government’s human resources department was able to adjust for bandwidth issues by restricting the number of people using virtual private networks unnecessarily, as well as “’bandwidth hogs like streaming video services.”

Through April, “The [network operations center] observed that OPM’s VPN and network were generally stable and fully operational,” the IG reported. “However, it also became clear that OPM lacks a suitable enterprise solution for video web conferencing, which limits effective and secure remote collaboration. The increased telework has also highlighted shortcomings in OPM’s ability to remotely administer its systems, as well as aging hardware supporting VPN and network connections.”

The agency received $12 million in supplemental funding under the CARES Act, which will be used for “improved collaboration and conferencing tools, workflow management, remote administration, and the software and hardware needed to support a majority telework environment for the foreseeable future.”

“At this time, other than the normal procurement constraints, the OIG does not see any major challenges facing OPM as it seeks to effectively spend its emergency supplemental funds,” they added.