[Senate Hearing 115-59]
[From the U.S. Government Publishing Office]





                                                         S. Hrg. 115-59
 
                             A LOOK AHEAD:
                   INSPECTOR GENERAL RECOMMENDATIONS
                     FOR IMPROVING FEDERAL AGENCIES

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 8, 2017

                               __________

    Printed for the use of the Committee on Commerce, Science, and Transportation
    
    
    
    
    
    
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    







                   U.S. GOVERNMENT PUBLISHING OFFICE
                   
 26-591 PDF                 WASHINGTON : 2017       
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
  Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001     



    
                             


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  CORY BOOKER, New Jersey
JAMES INHOFE, Oklahoma               TOM UDALL, New Mexico
MIKE LEE, Utah                       GARY PETERS, Michigan
RON JOHNSON, Wisconsin               TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West Virginia  TAMMY DUCKWORTH, Illinois
CORY GARDNER, Colorado               MAGGIE HASSAN, New Hampshire
TODD YOUNG, Indiana                  CATHERINE CORTEZ MASTO, Nevada
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                      
                      
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 8, 2017.................................     1
Statement of Senator Thune.......................................     1
Statement of Senator Nelson......................................     3
    Letter dated February 3, 2017 to Hon. Bill Nelson from 
      Christopher W. Dentel, Inspector General, U.S. Consumer 
      Product Safety Commission..................................     5
    Letter dated February 6, 2017 to Hon. Bill Nelson from Mary 
      Mitchelson, Inspector General, Corporation for Public 
      Broadcasting...............................................     9
    Letter dated February 6, 2017 to Hon. Bill Nelson from Calvin 
      L. Scovel III, Inspector General, U.S. Department of 
      Transportation.............................................    11
    Letter dated February 6, 2017 to Hon. Bill Nelson from David 
      L. Hunt, Inspector General, Federal Communications 
      Commission.................................................    14
    Letter dated February 6, 2017 to Hon. Bill Nelson from Jon 
      Hatfield, Inspector General, Federal Maritime Commission...    16
    Letter dated February 7, 2017 to Hon. Bill Nelson from Tom 
      Howard, Inspector General, Amtrak..........................    21
    Letter dated February 7, 2017 to Hon. Bill Nelson from John 
      Roth, Inspector General, Department of Homeland Security...    23
    Letter dated February 7, 2017 to Hon. Bill Nelson from Peggy 
      E. Gustafson, Inspector General, U.S. Department of 
      Commerce...................................................    29
    Letter dated February 7, 2017 to Hon. Bill Nelson from Roslyn 
      A. Mazer, Inspector General, Federal Trade Commission......    30
    Letter dated February 7, 2017 to Hon. Bill Nelson from 
      Allison C. Lerner, Inspector General, National Science 
      Foundation.................................................    34
    Letter dated February 8, 2017 to Hon. Bill Nelson from Paul 
      K. Martin, Inspector General, NASA.........................    36
Statement of Senator Blumenthal..................................   101
Statement of Senator Wicker......................................   103
Statement of Senator Blunt.......................................   104
Statement of Senator Klobuchar...................................   106
Statement of Senator Cantwell....................................   108
Statement of Senator Inhofe......................................   110
Statement of Senator Booker......................................   111
Statement of Senator Cortez Masto................................   113
Statement of Senator Capito......................................   115
Statement of Senator Cruz........................................   117
Statement of Senator Duckworth...................................   119

                               Witnesses

Allison C. Lerner, Inspector General, National Science Foundation    39
    Prepared statement...........................................    41
Hon. Peggy E. Gustafson, Inspector General, U.S. Department of 
  Commerce.......................................................    45
    Prepared statement...........................................    47
Hon. John Roth, Inspector General, U.S. Department of Homeland 
  Security.......................................................    56
    Prepared statement...........................................    57
Hon. Calvin L. Scovel III, Inspector General, U.S. Department of 
  Transportation.................................................    86
    Prepared statement...........................................    87

                                Appendix

Response to written questions submitted to Allison C. Lerner by:
    Hon. John Thune..............................................   127
    Hon. Deb Fischer.............................................   128
    Hon. Dean Heller.............................................   128
    Hon. Bill Nelson.............................................   128
Response to written questions submitted to Hon. Peggy E. 
  Gustafson by:
    Hon. John Thune..............................................   130
    Hon. Deb Fischer.............................................   131
    Hon. Dean Heller.............................................   132
    Hon. Bill Nelson.............................................   132
    Hon. Cory Booker.............................................   133
    Hon. Tom Udall...............................................   133
Response to written questions submitted to Hon. John Roth by:
    Hon. John Thune..............................................   135
    Hon. Deb Fischer.............................................   136
    Hon. Dean Heller.............................................   137
    Hon. Bill Nelson.............................................   138
    Hon. Cory Booker.............................................   138
    Hon. Tom Udall...............................................   140
Response to written questions submitted to Hon. Calvin L. Scovel 
  III by:
    Hon. John Thune..............................................   142
    Hon. Roy Blunt...............................................   144
    Hon. Deb Fischer.............................................   144
    Hon. Dean Heller.............................................   145
    Hon. Todd Young..............................................   146
    Hon. Bill Nelson.............................................   147
    Hon. Tom Udall...............................................   148


                             A LOOK AHEAD:



                   INSPECTOR GENERAL RECOMMENDATIONS



                     FOR IMPROVING FEDERAL AGENCIES

                              ----------                              


                      WEDNESDAY, FEBRUARY 8, 2017

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m. in 
room SD-G50, Dirksen Senate Office Building, Hon. John Thune, 
Chairman of the Committee, presiding.
    Present: Senators Thune [presiding], Wicker, Blunt, Cruz, 
Fischer, Heller, Inhofe, Johnson, Capito, Gardner, Young, 
Nelson, Cantwell, Klobuchar, Blumenthal, Booker, Udall, Peters, 
Duckworth, Hassan, and Cortez Masto.

             OPENING STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. Good morning. This hearing will come to 
order.
    Last week, this Committee held a hearing on reducing 
unnecessary regulatory burdens. We heard from stakeholders 
representing several sectors of the American economy about ways 
government agencies can regulate smarter, protecting public 
safety and market fairness while fostering economic growth and 
innovation.
    Today, we will discuss another important way to make 
government more efficient and effective, by identifying and 
eliminating waste, fraud, and abuse in Federal departments and 
agencies. For this task, there is no more effective tool than 
the Inspectors General.
    Created by the Inspector General Act of 1978, IGs serve as 
watchdogs over more than 70 Federal agencies. According to the 
Council of Inspectors General on Integrity and Efficiency, 
agency incorporation of IG recommendations led to $26 billion 
in potential savings in Fiscal Year 2015, and IG criminal and 
civil cases led to another $10.3 billion returned to the 
treasury. These figures amount to $14 saved for every taxpayer 
dollar invested in the work of the IGs.
    This year marks the beginning of a new administration, and 
it will be important for new department and agency heads to be 
fully aware of the issues that have plagued their organizations 
in recent years. Each of the IGs on the panel today recently 
published the top management challenges of their agencies for 
the new fiscal year. In addition to these, we will be 
discussing some of the hundreds of IG recommendations that 
remain open after, in some cases, several years.
    The Department of Commerce faces a number of challenges 
across its agencies. For example, the National Oceanic and 
Atmospheric Administration manages the acquisition and 
development of critical weather satellites and will have to 
address cost and schedule overruns while avoiding gaps in 
satellite coverage.
    FirstNet, which is an independent authority within the 
Commerce Department, is also reaching critical early stages in 
its rollout of a nationwide public safety broadband network, 
and I believe FirstNet will continue to benefit greatly from 
rigorous oversight by the Inspector General.
    New Commerce Department leadership will also have to ensure 
that all of the Department's employees respect and follow 
government spending rules in the wake of an IG investigation 
into unjustified spending by the former Under Secretary for 
International Trade. The National Science Foundation will have 
to address significant issues it has had keeping its large 
facilities, such as the National Ecological Observatory 
Network, or NEON, on time and on budget. The Committee ensured 
additional oversight of these facilities in the American 
Innovation and Competitiveness Act, and we'll be eager to see 
these implemented.
    The Department of Homeland Security oversees two components 
that are essential for ensuring the safety of our nation's 
transportation system, the U.S. Coast Guard and the 
Transportation Security Administration. The Coast Guard will 
have to tackle the challenges of improving cybersecurity, 
information management, and financial reporting.
    TSA has had several high profile issues in recent years, 
including airport security failures discovered by IG red team 
testing, as well as breaches involving the Secure 
Identification Display Area, or SIDA, badges of airport 
employees. The Committee worked to address these issues in the 
FAA Extension, Safety, and Security Act of 2016, but new 
department leadership will have to continue to work with DHS 
OIG to ensure the ongoing safety of the traveling public.
    Finally, the Department of Transportation's major 
challenges include setting up the playing field for 
revolutionary new transportation technologies such as unmanned 
aerial vehicles and self-driving vehicles while also 
maintaining a world class standard of safety. The Department 
must also more effectively manage the series of major upgrade 
programs to the National Airspace System known collectively as 
NextGen and ensure the effective implementation of the 
provisions of the FAST Act. This work will inform our 
discussions as we work to craft an FAA reauthorization bill 
this year.
    Finally, I would like to address briefly some recent 
developments within the IG community. The media has reported 
that the new administration's transition team considered 
removing some IGs. It appears, however, that they quickly 
changed their minds and notified these IGs, including Mr. Roth 
and Mr. Scovel, that they would not be removed. I am confident 
that incoming agency leadership will continue to find the 
oversight work of their IGs to be as invaluable as I have.
    We have testifying before us today a distinguished all-IG 
panel. The Honorable Peggy Gustafson, Inspector General of the 
Department of Commerce, who, I would note, has been on the job 
at Commerce for only about 3 weeks although she is a veteran 
IG; Ms. Allison Lerner, Inspector General of the National 
Science Foundation, who also has served for nearly 20 years in 
leadership roles within the Commerce Department IG's office; 
the Honorable John Roth, Inspector General of the Department of 
Homeland Security, who spent 25 years in high-profile positions 
within the Department of Justice; and the Honorable Calvin 
Scovel III, Inspector General of the Department of 
Transportation, who last year celebrated a decade of service as 
DOT's Inspector General, which followed a distinguished 29-year 
career with the U.S. Marine Corps.
    I want to thank you all for being here and look forward to 
a productive discussion.
    I will now turn to Ranking Member Nelson for any opening 
remarks that he would like to make.

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Thank you, Mr. Chairman.
    Inspectors general throughout the Federal Government play a 
critical role in ferreting out waste, fraud, and abuse and 
ensuring that agencies serve as good stewards of taxpayer 
dollars. So thank you for what you do.
    I'll give you an example. The Department of Commerce IG's 
office identified $1 billion in financial benefits and 
potential cost savings for four fiscal years while receiving 
$225 million in appropriations. That's a return on investment 
of more than $5 for every single dollar invested in that 
office.
    And the other offices represented here today have shown 
similarly impressive returns on investment. Inspectors General 
ensure that Federal employees are not muzzled by their 
superiors when they challenge efforts to distort, misrepresent, 
or suppress scientific research and analysis. We are seeing 
increasing attempts by some special interests to keep agencies 
from reporting scientific data and studies on critical public 
health and safety issues. A couple come to mind: climate change 
and sea level rise.
    Well, we shouldn't stand for this suppression and hope none 
of you IGs will either. That is why late yesterday, 26 
Senators, including many on this Committee, joined me in filing 
legislation to protect science and scientists from political 
interference. That's why this Senator specifically inquired of 
the nominee for Secretary of Commerce as to his ideas on 
allowing free expressions in an agency where a lot of 
scientific analysis is given and where he has several Nobel 
Laureates that are employees.
    This legislation that we filed would ensure that Federal 
scientists can communicate their findings to the public, the 
news media, and Congress. It also requires Federal agencies to 
implement and enforce scientific integrity policies and ensure 
procedures are in place to report when those integrity policies 
are broken. At the end of the day, inspectors general should 
play an important role in protecting whistleblowers who, in 
this particular example, believe scientific integrity has been 
compromised. But to carry out these vital functions, they must 
have one thing, and that is independence.
    Recently, The Washington Post and other news outlets 
reported that members of the administration's transition team 
contacted a number of IGs and told them, according to The 
Washington Post, that they were ``temporary holdovers'' and may 
be replaced. Needless to say, this Senator found that news to 
be troubling, especially since Inspectors General have always 
been seen as independent entities that should only be removed 
for cause.
    Last week, I sent letters to 11 IGs under this Committee's 
jurisdiction to inquire further about the nature and extent of 
these transition team contacts and to learn more about each 
agency's whistleblower policies. I've received responses from 
all 11 IGs. Both the DOT and DHS IGs have confirmed to me that 
they had been contacted by the transition team and initially 
informed that they would only serve on a temporary basis.
    Mr. Chairman, I'd like to ask that these letters be entered 
into the record.
    The Chairman. Without objection.
    [The information referred to follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
   
                  
                                

    So during today's hearing, it's my hope that we can learn 
more about how we can ensure the independence of these offices. 
I also look forward to hearing how the Inspectors General will 
work to ensure that the integrity of the scientific process is 
protected.
    So, thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Nelson.
    We'll move to our panel, and I want to start on my left and 
your right with Ms. Lerner, and then we'll move to Ms. 
Gustafson, Mr. Roth, and Mr. Scovel. If you could confine your 
stated public remarks to as much as 5 minutes, that would be 
great. Anything else will get put into the record and we'll get 
to our questions.
    So, Ms. Lerner, please proceed.

  STATEMENT OF ALLISON C. LERNER, INSPECTOR GENERAL, NATIONAL 
                       SCIENCE FOUNDATION

    Ms. Lerner. Thank you. Mr. Chairman and members of the 
Committee, I appreciate this chance to discuss some of the top 
management challenges facing the National Science Foundation. 
As requested, my testimony will focus on areas that pose the 
highest risk of accountability to NSF: management of 
cooperative agreements for large facility research projects, 
management of the Intergovernmental Personnel Act Program, and 
the U.S. Antarctic Program, and improving grant administration.
    NSF uses cooperative agreements to construct and operate 
its most costly and highest-risk research facilities. As of 
January 2017, NSF has 22 cooperative agreements valued at over 
$50 million each and totaling over $4.4 billion. Since 2010, my 
office has issued 28 reports containing more than 80 
recommendations related to NSF's use and management of these 
agreements for large facilities.
    Our work has demonstrated that the need for strong 
oversight of large facility cooperative agreements extends over 
the life cycle of such awards. Pre-award oversight should 
include audits of proposed budgets and accounting systems to 
ensure that awardees' cost estimates are fair and reasonable 
and that the entity's accounting system is adequate to bill the 
government properly.
    Once an award has been made, we have recommended incurred 
cost submissions and audits. Such actions help ensure that 
costs being claimed by awardees are consistent with Federal 
requirements and enable NSF to identify and address problematic 
or fraudulent charges as early as possible.
    NSF has developed policies and procedures for large 
facilities awards to address some OIG recommendations, 
including guidance requiring an analysis of proposed costs for 
each large facility before an award is made to determine if the 
costs are adequately supported and a new management fee policy 
to strengthen oversight of the use of such fees. These new 
policies represent important steps toward accomplishing the 
goal of increased accountability over the Foundation's largest 
and riskiest projects, and they contributed to the removal of a 
longstanding significant deficiency in this year's financial 
statement audit.
    Given this progress, our ongoing work will focus in part on 
how NSF is applying its new policies. Implementing them will 
require sustained management attention; effective communication 
with the awardee community; clear award terms and conditions; 
and, most importantly, a continuing commitment to change the 
culture at NSF. We will also pay close attention to the 
Foundation's actions in response to the American Innovation and 
Competitiveness Act, which contains a number of key oversight 
requirements related to NSF's large facilities.
    To advance its mission of supporting science and 
engineering research and education, NSF brings in temporary 
personnel under the Intergovernmental Personnel Act for 
rotational assignments of up to 4 years. Since individuals 
serve in a temporary capacity, there is significant turnover in 
staff at NSF, especially in executive positions charged with 
leading the Foundation and setting its vision.
    The Foundation's use of IPAs also comes at a high cost. In 
2015, NSF paid nearly $8.9 million for 27 executive level IPAs. 
Such IPAs can also earn substantially more than Federal 
employees. In 2015, the highest paid executive level IPA salary 
was $440,000.
    NSF has begun to take steps to reduce IPA costs. Among 
other things, it no longer reimburses IPAs for lost consulting 
income. We plan to examine NSF's actions in response to both 
our recommendations and provisions of the Competitiveness Act 
which focuses on IPAs.
    Management of the U.S. Antarctic Program and NSF's 
Antarctic Support Contract is a continuing challenge. In recent 
reports, we have recommended ways for NSF to improve oversight 
of the health and safety of participants in the USAP and to 
prioritize and track its actions in response to the 2012 Blue 
Ribbon Panel report. We plan to be onsite in Antarctica in 
January 2018 to conduct field work for the 2017 audits of NSF's 
financial statements and its information security program.
    Ensuring that grant funds are spent as intended is 
essential to NSF's mission. Because many NSF awardees pass 
portions of their funding on to subrecipients, we have recently 
started an audit of NSF's process to ensure that its awardees 
are appropriately monitoring their subrecipients. We plan to 
share our findings with Congress in December 2017.
    Finally, we continue to monitor challenges associated with 
NSF's move this year to its new headquarters in Alexandria, 
Virginia. We'll provide updates as we identify risks.
    A key contributor to the progress the Foundation has made 
in responding to our office's work is the Stewardship 
Collaborative, which was established by NSF and OIG in 2010 as 
a collective effort to help achieve the shared mission of 
proper stewardship of the taxpayers' investment in science. My 
office will continue to utilize the full range of our audit and 
investigative resources to exercise robust oversight of NSF's 
stewardship of Federal funds and to safeguard the integrity of 
the Foundation's operations.
    Public trust and confidence demand the highest level of 
accountability, and we look forward to working with NSF 
management, the National Science Board, and Congress to achieve 
this goal.
    Thank you.
    [The prepared statement of Ms. Lerner follows:]

      Prepared Statement of Allison C. Lerner, Inspector General, 
                      National Science Foundation
    Mr. Chairman and Members of the Committee, I appreciate this 
opportunity to discuss the Office of Inspector General's (OIG) work to 
promote the efficiency and effectiveness of the National Science 
Foundation's (NSF) programs and operations and to safeguard their 
integrity. My office is committed to providing rigorous, independent 
oversight of NSF, and I welcome the chance to discuss some of the top 
management challenges facing the Foundation, NSF's progress in 
addressing these challenges, and work that remains to further advance 
accountability and transparency at NSF.
Background
    NSF is an independent Federal agency and the funding source for 
approximately 24 percent of all federally supported basic research 
conducted by the Nation's colleges and universities. In many areas, 
such as mathematics and computer science, NSF is the major source of 
Federal backing. The Foundation funds approximately 12,000 new awards 
each year, thereby fulfilling its mission to promote the progress of 
science. Proposals for funding are assessed by panels of experts as 
part of NSF's merit review process.
    Awards are made primarily as grants to individuals and small groups 
of investigators, as well as to research centers and facilities where 
scientists, engineers, and students undertake research projects. The 
Foundation also uses cooperative agreements and contracts to fund major 
research equipment such as telescopes, Antarctic research sites, and 
high-end computer facilities. In FY 2016 NSF was appropriated 
approximately $7.5 billion to carry out the Foundation's programs and 
operations.
    The OIG is independent from NSF and reports directly to Congress 
and the National Science Board (NSB). Our mission is to conduct 
independent and objective audits, inspections, reviews and 
investigations of National Science Foundation programs and operations, 
and to recommend policies and corrective actions to promote 
effectiveness and efficiency and prevent and detect waste, fraud, and 
abuse. Consistent with our statutory mandate, the OIG has an oversight 
role and does not determine policy or in management activities 
involving the Foundation or program operations. Thus, my office is not 
responsible for managing any NSF programs, nor do we attempt to assess 
the scientific merit of research funded by the Foundation.
    The OIG has two main components: the Office of Audit and the Office 
of Investigations. The Office of Audit is responsible for auditing 
NSF's internal operations, as well as the grants, contracts, and 
cooperative agreements funded by the Foundation. Among its ongoing 
responsibilities are the annual audits of NSF's financial statements 
and the annual reviews of NSF's information system security program.
    Through our audit work, we are able to monitor management functions 
that may pose significant financial or programmatic risks to the 
Foundation. In determining priorities for this work, we consider the 
results of prior audits and consult with the Foundation's senior 
management, the National Science Board and Congress, the Office of 
Management and Budget, and members of the research community supported 
by the Foundation. In selecting areas for audit, we assess factors such 
as the risk involved in the activity, the potential for monetary 
recovery for the government, and the potential for the greatest 
substantive benefit for NSF.
    The Office of Investigations (OI) is responsible for investigating 
allegations of wrongdoing involving NSF programs and operations, agency 
personnel, and organizations or individuals who submit proposals to, 
receive awards from, or conduct business with NSF. OI also houses a 
team of investigative scientists responsible for investigating 
allegations of fabrication, falsification or plagiarism in NSF-funded 
research. We focus our investigative resources on the most serious 
cases, as measured by such factors as the amount of money involved, the 
seriousness of the alleged criminal, civil or ethical violations, and 
the strength of the evidence. When appropriate, the results of these 
investigations are referred to the Department of Justice for possible 
criminal prosecution or civil litigation, or to NSF for administrative 
resolution.
NSF's Top Management Challenges
    In accordance with the Reports Consolidation Act of 2000, each year 
the OIG identifies what it considers to be the most serious management 
and performance challenges facing NSF. The top management challenges 
reflect fundamental program risk that are likely to require NSF's 
attention for years to come.
    The OIG identified seven challenges for NSF for FY 2017. My 
testimony will focus on four of NSF's most pressing challenges: 
management of cooperative agreements for large facility research 
projects, management of the Intergovernmental Personnel Act program, 
management of the U.S. Antarctic Program, and improving grant 
administration. I will also briefly discuss risks associated with NSF's 
move to its new building, which is scheduled to begin toward the end of 
this Fiscal Year.
Management of Cooperative Agreements for Large Facility Research 
        Projects
    NSF uses cooperative agreements to construct and operate its most 
costly and highest risk research facilities. As of January 25, 2017, 
NSF had 459 active cooperative agreements, totaling nearly $8 billion. 
Twenty-two of these agreements are valued at over $50 million each and 
add up to cumulatively to more than $4.4 billion.
    Since 2010, my office has issued 28 reports containing more than 80 
recommendations related to NSF's use and management of cooperative 
agreements for the construction and operation of its high-dollar, high-
risk research facilities. Monitoring of cooperative agreements was also 
cited as a significant deficiency in NSF's financial statement audits 
for Fiscal Years 2011 through 2015.
    In addition to OIG's oversight, in the spring of 2015, at the 
request of the NSF Director and the National Science Board, the 
National Academy of Public Administration (NAPA) examined NSF's use of 
cooperative agreements for large facilities and benchmarked its 
practices against other, similar Federal agencies.
    NAPA issued its report in December 2015. That document articulated 
the fundamental challenge that NSF is facing:

        It is clear that, in the past, NSF has prioritized the 
        innovative scientific aspects of large facility construction 
        projects; the agency now needs to apply equal emphasis on 
        increased internal management of the business practices 
        critical to enhanced oversight and project success. In doing 
        so, the Panel believes that NSF and NSB will enhance the 
        agency's ability to fulfill its mission of supporting 
        groundbreaking science.\1\
---------------------------------------------------------------------------
    \1\ National Science Foundation: Use of Cooperative Agreements to 
Support Large Scale Investment in Research, National Academy of Public 
Administration (December 2015), pp. 6-7.

    The need for stronger oversight of large cooperative agreements 
begins before the award has been made. Pre-award oversight should 
include audits of proposed budgets and accounting systems to ensure 
that awardees' cost estimates are fair and reasonable and that their 
accounting systems are adequate to bill the government properly. Pre-
award oversight is especially important as the proposed budget for 
these projects, once approved by NSF, creates the basis upon which 
awardees can draw down advanced funds over the course of the award.
    The importance of pre-award oversight was underscored by the 
results of audits of three of NSF's large facility projects--the Ocean 
Observatories Initiative (OOI), the Daniel K. Inouye Solar Telescope 
(DKIST),\2\ and the National Ecological Observatory Network (NEON). As 
a result of those jobs, auditors questioned $305 million in unallowable 
or unsupported costs out of $1.1 billion in total costs for the three 
projects.
---------------------------------------------------------------------------
    \2\ Formerly known as the Advanced Technology Solar Telescope.
---------------------------------------------------------------------------
    The lack of support for costs in the $469.3 million NEON proposal 
was so significant that the auditors issued an adverse opinion stating 
the proposal did not form an acceptable basis for negotiation of a fair 
and reasonable price. Auditors disclaimed an opinion on the DKIST 
proposal, concluding that cost data provided in the pre-award cost 
proposal for the $344 million project was so significantly flawed that 
they were unable to perform an audit. Based on these audits, we 
recommended that prior to making an award NSF obtain proposal and 
accounting system audits for high risk cooperative agreements valued in 
excess of $50 million. The NAPA report also recommended that NSF 
address potential cost proposal issues before making an award.
    The serious questions about the adequacy of the proposed budgets 
led us to examine NSF's cost surveillance throughout the lifecycle of 
large facility projects. Adequate oversight is essential after the 
award is made to ensure that expenditures are consistent with the 
award's terms and conditions. To this end, we have recommended that NSF 
obtain incurred cost submissions and incurred cost audits of high risk 
cooperative agreements valued in excess of $50 million. Such 
submissions and audits will enable NSF to determine if costs claimed 
are reasonable and allowable under Federal requirements.
    Proper oversight also includes validating the information awardees 
provide in Earned Value Management (EVM) reports and certifying the EVM 
systems used to track project schedule and cost. Our work has 
identified opportunities for improvement in this area. For example, 
monthly EVM progress reports for the NEON project were not accurate, 
which undermined NSF's ability to promptly identify problems that 
ultimately led to NSF having to significantly de-scope the project to 
avoid an $80 million cost overrun.
    We are currently broadening our work in this area to encompass 
cooperative agreements for the operations phase of large facility 
projects. Over time, NSF spends significantly more on operating its 
facilities than it does on constructing them. To illustrate, NSF 
requested over $193 million for Fiscal Year 2017 to pay for four NSF 
large facility construction projects. In contrast, NSF's operation and 
maintenance request for its existing large facilities for the same time 
period exceeded $1 billion, in addition to more than $200 million for 
Federally Funded Research and Development Centers. We have just begun a 
job focusing on the risk of potential commingling of construction and 
operations funds.
    NSF has developed new policies and procedures for large facility 
awards to address some OIG and NAPA recommendations. Among other 
things, NSF's new guidance requires completion of a Cost Proposal 
Review Document (CPRD) for each large facility proposal to ensure that 
a thorough and well-documented record exists of NSF's determination 
that proposed costs are reasonable. The CPRD is NSF's analysis of 
whether an awardee's proposed costs are supported adequately and 
describes NSF's plans for oversight of the award.
    In addition, according to NSF's new guidance, the Grants and 
Agreements Officer must determine that a project's estimated costs are 
reasonable prior to making a construction award for a facility. NSF has 
also instituted a new management fee policy, as well as implementing 
guidance, to strengthen its oversight over awardees' use of management 
fee.
    These new policies represent important steps by NSF toward the goal 
of increased accountability over the Foundation's largest and riskiest 
projects. As a result of these actions, NSF's most recent financial 
statement audit removed a multi-year significant deficiency focused on 
NSF's monitoring of large cooperative agreements. While these outcomes 
reflect real progress on this important issue, we will continue to 
monitor this area because of the unique challenges it poses to the 
Foundation.
    Based on the serious nature of these challenges and the progress 
that has been made to date, our objective moving forward is to examine 
how NSF is applying its new policies to strengthen accountability for 
both construction and operations awards from the pre-award stage 
through the lifecycle of the award. Implementing these new policies 
will require sustained management attention, effective communication 
with the awardee community, clear award terms and conditions, and most 
importantly, a continuing commitment to change culture at NSF.
    We will also pay close attention to the actions NSF takes in 
response to requirements in the American Innovation and Competitiveness 
Act. The Act contains a number of key oversight requirements related to 
NSF's large facility portfolio. For instance, it requires NSF to 
conduct a pre-award analysis of costs before making an award, obtain 
periodic external reviews on project management and performance, retain 
control over funds budgeted for contingency, and to establish 
guidelines regarding inappropriate expenditures associated with all fee 
types.
Management of the Intergovernmental Personnel Program
    To further the agency's mission of supporting science and 
engineering research and education, NSF draws on scientists, engineers, 
and educators on rotational assignment from academia, industry, or 
other eligible organizations. All of the non-permanent appointments are 
Federal employees with the exception of those who come to NSF under 
Intergovernmental Personnel Act (IPA) assignments. Individuals on IPA 
appointments remain employees of their home institutions. As a result, 
pay and benefits for IPAs are set by their home institutions and are 
not subject to limitations on Federal pay and benefits.
    While there are benefits that come from having IPAs at NSF, there 
are also challenges. For example, since IPAs can serve in a temporary 
capacity for up to four years, there is significant turnover in staff 
at NSF, especially in executive positions charged with leading the 
Foundation and setting its vision. As of December 2016, five of the 
seven Assistant Directors, whose primary responsibility is providing 
leadership and direction to the Foundation's scientific directorates, 
are IPAs (one Assistant Director slot is vacant). In addition, as of 
the same date, 20 out of NSF's 29 scientific divisions are led by IPAs 
(2 of those positions are vacant).
    The Foundation's use of IPAs comes at a high cost and these costs 
are rising. In 2015, NSF paid nearly $8.9 million \3\ for 27 executive-
level IPAs, compared to $6.5 million for the same expenses for 21 
executive-level IPAs in 2012. IPA salaries can also significantly 
exceed the salaries of the highest paid Federal employees. In 2015 the 
highest executive-level IPA salary was more than $440,000, up 45 
percent from $301,247 in 2012. In 2015 the salaries for all but two 
executive level IPAs were more than the highest salary of a Federal 
employee at NSF. The number of IPAs has also increased--in 2009, there 
were 20 executive-level IPAs, whereas there were 29 executive-level 
IPAs in December 2016.
---------------------------------------------------------------------------
    \3\ Includes salary, fringe benefits, lost consulting, and per 
diem.
---------------------------------------------------------------------------
    Since 2010, we have recommended that NSF evaluate ways to reduce 
IPA costs and have suggested, among other things, that the Foundation 
consider expanding the use of telework and seek greater cost sharing 
from IPAs' home institutions. Because IPA salaries and benefits are 
funded with program-related appropriations, savings in IPA costs would 
free up funds for additional research.
    In response to our recommendations NSF no longer reimburses IPAs 
for lost consulting income; previously IPAs could receive up to $10,000 
from NSF each year for consulting income they received while at their 
institutions. NSF also formed a steering committee in April 2016 to 
explore opportunities to reduce IPA costs. To this end, NSF has 
indicated that it will pilot a required 10 percent cost sharing of 
IPAs' academic-year salary and fringe benefits in FY 2017.
    Moving forward, we will monitor NSF's actions in response to our 
recommendations on this topic. We will also examine NSF's actions in 
response to the American Innovation and Competitiveness Act, which 
required the Foundation to report on its efforts to cut costs 
associated with employing IPAs.
Management of the U.S. Antarctic Program
    NSF, through the United States Antarctic Program (USAP), manages 
U.S. scientific research in Antarctica. In December 2011, NSF awarded 
an Antarctic Support Contract to Lockheed Martin to support NSF's 
management of the USAP.\4\ The contract is NSF's largest, valued at 
nearly $2 billion over 13 years. The Antarctic Support Contract and its 
subcontracts provide logistical support for information technology, 
food, laboratory management, and other services which enable the USAP's 
three research stations (McMurdo, South Pole, and Palmer) to operate 
year round.
---------------------------------------------------------------------------
    \4\ In August 2016, Leidos Holdings Inc. and Lockheed Martin's 
Information Systems and Global Solutions business segment merged. As a 
result of the merger, Leidos will hold the Antarctic Support Contract, 
once plans for all contracts affected by the merger have been reviewed.
---------------------------------------------------------------------------
    We have previously examined NSF's response to a July 2012 Blue 
Ribbon Panel report and suggested that including more specific 
information, such as interim milestones and target dates for 
implementing actions, would enhance NSF's ability to prioritize and 
track its corrective actions in response to the Panel report. Given the 
large number of action items associated with the Panel recommendations-
the panel identified 84 implementing actions within three separate 
categories--there is a real risk that NSF could lose track of its 
progress with respect to these actions unless it approaches 
implementation systemically.
    We have also examined NSF's oversight of and the Antarctic Support 
Contractor's actions to ensure the health and safety of participants in 
the USAP. We found that in general NSF's oversight and the Contractor's 
performance were effective in ensuring adequate health and safety. We 
also identified four areas for improvement, including the lack of a 
process for identifying, responding to, and tracking data on misconduct 
that occurs in the USAP, and opportunities to enhance pharmacy 
operations.
    In January 2018 we plan to visit the McMurdo and South Pole 
research stations to conduct fieldwork for the 2017 financial statement 
audit, the 2017 audit of NSF's information security program, and other 
aspects of the USAP program as appropriate.
Improving Grant Administration
    Making grants in support of promising scientific research is 
central to NSF's mission. Thus, ensuring that grant funds are spent as 
intended is critical. While efforts to reduce the administrative burden 
on grantees have value, the agency must proceed carefully so that 
accountability for public funds is not compromised in the process.
    Because many NSF awardees pass portions of their funding on to 
subrecipients that perform a significant amount of the project's work, 
NSF must ensure that such awardees are appropriately overseeing the 
actions and expenditures of their subrecipients. We have recently 
started an audit on NSF's process to ensure that its awardees are 
monitoring their subrecipients and, pursuant to the American Innovation 
and Competitiveness Act, we will provide our report and any associated 
recommendations, to Congress no later than December 2017.
Moving NSF Headquarters to a New Building
    NSF has four months (September through December 2017) to complete 
its move from the two buildings it currently occupies in Arlington, 
Virginia, to its new headquarters in Alexandria, Virginia, and 
decommission its current offices before its current leases expire at 
the end of December, 2017. If the current offices are not 
decommissioned prior to January 1, 2018, the Foundation will have to 
begin paying possibly increased rent for the Arlington offices, in 
addition to rent for its new Alexandria location. Our most recent 
examination of risks associated with NSF's move recommended that NSF 
improve its baseline schedule, which could play a critical role in 
NSF's ability to identify and manage project risk.
    NSF management informed us that it does not intend to update its 
baseline schedule and proposed an alternative approach that relies on 
its existing schedule. We will continue to closely monitor NSF's 
progress toward meeting the deadline to move and will provide updates 
to the agency and the Congress as we identify risks.
NSF and OIG Efforts to Strengthen Accountability
    As noted previously, the Foundation has begun to make progress in 
its efforts to achieve greater accountability. A key contribution to 
the progress to date has been made by the Stewardship Collaborative, a 
group which was established by NSF and OIG in 2010 as a collective 
effort by both offices to help achieve the shared mission of proper 
stewardship of the taxpayer's investment in science, engineering, and 
education.
    The Collaborative is made up of members from varying units within 
NSF and OIG and is chaired by Senior Executive leaders from NSF's 
financial administration division and OIG's Office of Audit. It meets 
monthly to discuss current issues and possible upcoming barriers to 
resolution--as well as potential solutions. For example, it recently 
developed a joint training effort to improve understanding of the audit 
resolution process, including members' responsibilities in the process.
    Along with increasing positive communication, the Collaborative has 
been instrumental in resolving a number of critical audit 
recommendations. Most importantly, it has helped ensure that NSF has 
addressed recommendations without impinging on the OIG's independence 
and that management decisions are made by the right people within the 
Foundation.
Conclusion
    Scientific research and discovery are the building blocks of the 
technological advances that are essential for our Nation's economy to 
grow and to meet the challenges of the future, and NSF has an essential 
role to play in promoting scientific discovery. For the agency to 
achieve its mission, NSF must spend its research funds in the most 
effective and efficient manner while maintaining the highest level of 
accountability over taxpayer dollars.
    My office will continue to utilize the full range of our audit and 
investigative resources to exercise robust oversight of NSF's 
stewardship of Federal funds and to safeguard the integrity of the 
Foundation's operations.
    NSF applies its highest level of attention and scrutiny to 
determine the scientific merit of the projects it decides to fund. It 
is imperative that NSF apply the same rigorous attention and scrutiny 
to its financial management of its programs and operations. Public 
trust and confidence demand the highest level of accountability, and we 
look forward to working with NSF management, the National Science 
Board, and Congress to achieve this goal.

    The Chairman. Thank you, Ms. Lerner.
    We'll now turn to the Honorable Peggy Gustafson.

 STATEMENT OF HON. PEGGY E. GUSTAFSON, INSPECTOR GENERAL, U.S. 
                     DEPARTMENT OF COMMERCE

    Ms. Gustafson. Chairman Thune, Ranking Member Nelson, and 
members of the Committee, I very much appreciate the 
opportunity to testify today about the Department of Commerce's 
top management and performance challenges.
    In my more than 7 years of being an IG in Federal 
Government, it is very clear that it is extremely helpful when 
Congress calls up the IGs and asks us to discuss our work, 
because the agency pays a lot of attention when it knows that 
Congress is asking us about our work. So I appreciate being 
called up here at the beginning of this Congress, this 
administration, at the beginning of my tenure as Commerce IG.
    My testimony today is going to focus on some of the areas 
discussed in our most recent top management challenges report 
covering Fiscal Year 2017.
    Chairman Thune, as you noted, with the passage of the 
Middle Class Tax Relief and Job Creation Act of 2012, FirstNet 
was established as an independent entity within the National 
Telecommunications and Information Administration. NTIA's 
mission is to create and operate the first high-speed 
nationwide wireless broadband network for public safety at all 
levels. So far, FirstNet's significant challenges have been 
managing the complex acquisitions inherent in the network, 
estimated to cost tens of billions of dollars once it is built; 
successfully consulting with state and local public safety 
entities and strengthening their internal controls as our 
office and other independent auditors identify issues in need 
of correction action.
    To date, FirstNet has been provided with approximately $7 
billion in funding, as provided in its enabling legislation. As 
FirstNet has grown and been built up, its expenditures have 
continued to increase as it moves toward building this network. 
In 2012, FirstNet spent less than $250,000, and by 2015, it had 
spent $49 million in expenditures. But, of course, these 
represent only the tip of the iceberg.
    FirstNet's significant spending is going to begin this year 
in earnest, when it awards the most significant contract that 
is going to be awarded to a partner who will work with FirstNet 
to build this network envisioned in the original legislation. 
And, again, everybody anticipates that this network is going to 
cost tens of billions of dollars. We are committed to providing 
oversight during this critical stage of this deployment.
    To date, our work has focused on FirstNet's efforts related 
to internal control and its consultations with stakeholders on 
the network features, but our future work is going to be 
dependent on FirstNet's post-award activities. It may include 
oversight of FirstNet's management of state network plans, 
issues related to its geographical coverage, or the management 
of the contract itself. As you noted, Senator Thune, we will 
continue to adjust our oversight approach as FirstNet grows and 
as its challenges become greater.
    Another major challenge facing the Department is that the 
National Oceanic and Atmospheric Administration must manage the 
risks of its satellite acquisition and development. NOAA's 
environmental satellite programs represent about one-sixth of 
the Department's more than $9 billion budget. NOAA must 
continue to manage the acquisition and development risks of the 
satellite systems as they develop and launch the next 
generation of weather satellites.
    NOAA had delayed the launch of its geostationary satellite, 
GOES-R, numerous times before its November 2016 launch. This 
delay and other delays create risks of coverage gaps in weather 
information as the existing NOAA satellites reach the end of 
their design life.
    Another NOAA challenge and a fourth major issue is 
balancing the priorities of the fishing industry and its 
multiple stakeholders. NOAA Fisheries must balance the 
competing factors of promoting commercial and recreational 
fishing while preserving the populations of fish and marine 
life. As Congress has increasingly looked into NOAA's Fisheries 
management, our office has planned oversight work on related 
issues, such as a survey of scientific assessments that NOAA 
uses to estimate the populations of various fish stocks.
    Another area I would like to mention briefly is the 
creation of a Department-wide culture of accountability. The 
Department of Commerce's goal of operational excellence 
requires management's attention to its computer systems as well 
as other Department-wide risk factors. Under an audit we 
performed pursuant to the Cybersecurity Act of 2015, we 
identified significant challenges related to strengthening the 
national security systems. We understand the Department is now 
addressing the risks associated with its national security 
systems, but cybersecurity will certainly be an issue that 
remains on our radar and as a focus of our work.
    In 2016, our Office of Investigations processed more than 
500 complaints regarding departmental operations. We opened 
more than 80 investigations into allegations of fraud, waste, 
and abuse and closed more than 50 investigations. Almost half 
of these investigations resulted in criminal convictions, 
suspensions or debarment, or disciplinary actions.
    The last thing I want to focus on very quickly is the 
efficiency and effectiveness of the Department's operations. We 
are committed to ensuring that the Department resolves and 
implements each recommendation that is included in our 
products. Since Fiscal Year 2015, we have provided more than 
200 recommendations to the Department. For the recommendations 
listed in Fiscal Year 2015, two-thirds have been implemented; 
and for the recommendations made in 2016, this rate is 
currently around one-third.
    I would note that Mr. Ross in his confirmation hearing 
talked about the need to address the outstanding issues related 
to our reports, and should he be confirmed, I am very much 
looking forward to working with him and the other leadership of 
the Department to make sure that these reports are addressed 
and these recommendations are getting closed.
    Thank you very much.
    [The prepared statement of Ms. Gustafson follows:]

   Prepared Statement of Hon. Peggy E. Gustafson, Inspector General, 
                      U.S. Department of Commerce
    Chairman Thune, Ranking Member Nelson, and Members of the 
Committee:

    I appreciate the opportunity to testify today as you consider 
upcoming challenges for the Department of Commerce. The Department 
plays a pivotal role in implementing the President's initiatives for 
economic recovery and job creation--and, like other Federal agencies, 
faces significant financial uncertainties in the upcoming budget year.
    Today I will briefly summarize several challenges facing the 
Department. These areas are addressed in greater depth in our recent 
Top Management and Performance Challenges (TMC) report, which we 
prepare annually as required by the Reports Consolidation Act of 
2000.\1\ Our TMC report identifies what we consider, from our oversight 
perspective, to be the Department's most significant management and 
performance challenges within each of the Department's strategic goals:
---------------------------------------------------------------------------
    \1\ 31 U.S.C. Sec. 3516(d).

        Challenge 1. TRADE AND INVESTMENT--Expand the U.S. economy 
        through increased exports and foreign direct investment that 
---------------------------------------------------------------------------
        leads to more and better American jobs.

        Challenge 2. INNOVATION--Foster a more innovative U.S. 
        economy--one that is better at inventing, improving, and 
        commercializing products and technologies that lead to higher 
        productivity and competitiveness.

        Challenge 3. ENVIRONMENT--Ensure communities and businesses 
        have the necessary information, products, and services to 
        prepare for and prosper in a changing environment.

        Challenge 4. DATA--Improve government, business, and community 
        decisions and knowledge by transforming Department data 
        capabilities and supporting a data-enabled economy.

        Challenge 5. OPERATIONAL EXCELLENCE--Strengthen the 
        Department's capacity to achieve its objectives, maximize 
        return on program investments, and deliver quality, timely 
        service.

    The challenges I will highlight today focus on the following areas:

    1.  the First Responder Network Authority (FirstNet)

    2.  the National Telecommunications and Information Administration 
            (NTIA)

    3.  National Oceanic and Atmospheric Administration (NOAA) 
            satellites

    4.  NOAA Fisheries

    5.  oversight of the Department's management and spending

    6.  OIG recommendations issued to the Department of Commerce
I. FirstNet
Addressing the challenges of ensuring the successful procurement and 
        monitoring of a nationwide high-speed, broadband network 
        dedicated to public safety
    FirstNet, created by the Middle Class Tax Relief and Job Creation 
Act of 2012 (the Act), is an independent authority within NTIA. The law 
gives FirstNet the mission to build, operate, and maintain the first 
high-speed, nationwide wireless broadband network dedicated to public 
safety at the local, state, tribal, and Federal levels. FirstNet will 
provide a single interoperable platform for emergency and daily public 
safety communications.\2\
---------------------------------------------------------------------------
    \2\ Pub. L. No. 112-96; see also 47 U.S.C. Sec. 1426. See First 
Responder Network Authority. About FirstNet [online]. www.firstnet.gov/
about (accessed February 6, 2017).
---------------------------------------------------------------------------
    The program currently operates with no appropriated funds other 
than those initially borrowed. The Federal Communications Commission 
(FCC) sold by auction valuable spectrum to the public in FYs 2014 and 
2015. Of the $45 billion raised, $6.8 billion was provided to FirstNet 
in FY 2015 to build a network on retained spectrum. Currently, the 
program has $6.5 billion on hand.
    FirstNet's most significant challenges to date concern managing its 
acquisitions, consulting with public safety entities at all levels, and 
strengthening internal control.

        Effective management of acquisitions. In January 2016, FirstNet 
        issued a request for proposals (RFP) for the development, 
        building, and management of a National Public Safety Broadband 
        Network (NPSBN). Proposals were due May 31, 2016, and 
        FirstNet--with assistance from the Department of Interior's 
        Acquisitions Services Directorate--evaluated proposals to 
        select the best vendor solution. The award will be delayed due 
        to a protest by an unsuccessful bidder.

        In its RFP, FirstNet adopted an objectives-based approach--
        rather than a traditional requirements-driven model--to help 
        industry develop innovative solutions for the NPSBN. The 
        successful bid must meet the objective-based goals of the RFP. 
        Also, as the RFP points out, FirstNet must provide services at 
        competitive prices, given constrained local, state, and Federal 
        budgets. Further, FirstNet must be self-sustaining--by 
        leveraging existing infrastructure, maximizing value for excess 
        network capacity, and optimizing its pricing structure.

        The contractor selected will be awarded a contract billion to 
        build a cellular network dedicated to first responders. Once 
        complete, it is estimated that the network could cost $25-50 
        billion, all of which will be covered by the contractor--which 
        will build and maintain the network, working with all 56 states 
        and territories. The contractor will also implement either the 
        FirstNet plan or integrate the state-approved plan. Other 
        contractor responsibilities will include managing revenues, 
        costs, and paying yearly fees to FirstNet.

        Effective consultation with states and localities. FirstNet is 
        required by the Act to consult with the 56 states and 
        territories, as well as tribes and Federal public safety 
        entities, in order to build and deploy an effective NPSBN.\3\ 
        NTIA issued $116.56 million in grant awards under the Act's 
        State and Local Implementation Grant Program (SLIGP) to promote 
        associated outreach, data collection, and planning for the 
        NPSBN. Nearly all entities were consulted to discuss priority 
        and preemption (i.e., moving commercial users off the network 
        in an emergency), coverage for large events, rural coverage, 
        and what users will pay for the service. States and territories 
        provided network coverage feedback for developing state plans.
---------------------------------------------------------------------------
    \3\ 47 U.S.C. Sec. 1426(b)(1).

        To realize a nationwide design that meets public safety needs, 
        FirstNet must continue to work with designated points-of-
        contact at each location and entity and develop individual 
        state plans for building and deploying radio access networks. 
        FirstNet will provide a coverage plan for each state and 
        territory or, if the plan is not found acceptable, the state 
        can provide its own. If a state opts out of FirstNet, and uses 
        its own coverage plan, that state's plan will still be required 
        to tie into FirstNet's backbone system--and it will pay for the 
---------------------------------------------------------------------------
        FirstNet service. Plans will be submitted to FCC for approval.

        Continue to strengthen internal control. Reports issued by 
        OIG,\4\ the Government Accountability Office,\5\ and an 
        independent public accounting firm \6\ have identified the need 
        for FirstNet to strengthen its controls. Our recent audit of 
        FirstNet's management of its interagency agreements (IAAs) 
        found that FirstNet could strengthen controls regarding 
        documenting IAA tracking and closeout procedures; we also noted 
        that FirstNet could maintain readily available documentation 
        and provide timely responses to audit requests to demonstrate 
        transparency and accountability of programs and operations.\7\
---------------------------------------------------------------------------
    \4\ See U.S. Department of Commerce Office of Inspector General, 
December 5, 2014. FirstNet Must Strengthen Management of Financial 
Disclosures and Monitoring of Contracts, OIG-15-013-A. Washington, 
D.C.: OIG. See also DOC OIG, August 14, 2015. Audit of FirstNet's 
Workforce and Recruiting Challenges, Participation at Discretionary 
Outreach Events, and Internal Control, OIG-15-036-A. Washington, D.C.: 
DOC OIG.
    \5\ U.S. Government Accountability Office, April 2015. Public-
Safety Broadband Network: FirstNet Should Strengthen Internal Controls 
and Evaluate Lessons Learned, GAO-15-407. Washington, D.C.: GAO.
    \6\ Harper, Rains, Knight & Company, July 22, 2015. Independent 
Auditors' Report.
    \7\ DOC OIG, June 29, 2016. FirstNet Can Strengthen Its Controls by 
Documenting Procedures to Close and Track Interagency Agreements, OIG-
16-035-A. Washington, D.C.: DOC OIG.

    A FirstNet-OIG memorandum of understanding (MOU) funded at $1.35 
million was developed in FY 2014 to address lack of an oversight 
provision in FirstNet legislation. This MOU was cancelled in July 2016, 
and now OIG funds its FirstNet oversight with its base appropriation.
II. NTIA
Addressing increased demand for radio frequency spectrum and 
        implementing a 
        replacement system to modernize, automate, and integrate key 
        spectrum management functions
    NTIA must address the increasing demand for radio frequency 
spectrum through sharing among Federal and commercial entities. It will 
accomplish this mission through expanding broadband Internet access and 
adoption, expanding the use of spectrum, and ensuring the Internet is 
an engine for economic growth.
    Freeing up radio frequency spectrum to meet the increasing demand 
for high-speed broadband services--while ensuring no loss of critical 
existing and planned federal, state, local, and tribal government 
capabilities--remains a key challenge facing the Department. In June 
2010, the President directed the Department, working through NTIA, to 
make 500 megahertz of Federal and non-federal spectrum available by 
2020 to support wireless broadband needs.\8\ In June 2013, Federal 
agencies were further directed to expand the availability of spectrum 
by accelerating efforts to share Federal spectrum with non-federal 
users.\9\
---------------------------------------------------------------------------
    \8\ The White House Office of the Press Secretary, June 28, 2010. 
``Unleashing the Wireless Broadband Revolution,'' Memorandum for the 
Heads of Executive Departments and Agencies [online]. https://
www.whitehouse.gov/the-press-office/presidential-memorandum-unleashing-
wireless-broadband-revolution (accessed August 17, 2016).
    \9\ The White House Office of the Press Secretary, June 14, 2013. 
``Expanding America's Leadership in Wireless Innovation,'' Memorandum 
for the Heads of Executive Departments and Agencies [online]. https://
www.whitehouse.gov/the-press-office/2013/06/14/presidential-memoran
dum-expanding-americas-leadership-wireless-innovatio (accessed August 
17, 2016).
---------------------------------------------------------------------------
    According to the most recent report \10\--as of June 2016, or 6 
years after the President's 2010 directive and with 4 years remaining 
to achieve the goal--NTIA reported that it has made 245 megahertz of 
spectrum available, which is almost half of the 500 megahertz goal. 
NTIA continues to investigate opportunities to make additional spectrum 
available by conducting studies, consulting with the Federal 
Communications Commission, and undertaking research and development 
(R&D) activities to better understand spectrum-sharing capabilities 
between Federal and non-federal users. Additionally, NTIA continues to 
search for a replacement system for the Federal Spectrum Management 
System (FSMS), which was terminated in 2015. FSMS was intended to 
support Federal spectrum management by (1) identifying and managing 
spectrum for Federal use and (2) identifying and releasing spectrum for 
non-federal use.
---------------------------------------------------------------------------
    \10\ DOC NTIA, June 17, 2016. Sixth Interim Progress Report on the 
Ten-Year Plan and Timetable, Washington, D.C.: DOC NTIA.
---------------------------------------------------------------------------
    As the 2020 target approaches, NTIA's challenge is to incorporate 
lessons learned from its R&D activities and consultation efforts into 
actual strategies that lead to more efficient use and availability of 
radio frequency spectrum. Also, the termination of FSMS necessitates 
that the Department identify a technological system that can modernize, 
automate, and integrate key spectrum management functions.
    Ongoing OIG oversight. Our ongoing work includes

   NTIA Management of the State and Local Implementation Grant 
        Program (SLIGP). This $135 million grant program supports state 
        level efforts to plan for the implementation of FirstNet. We 
        anticipate issuing our final report in FY 2017.

   NTIA Oversight of Grant Award to the Los Angeles Regional 
        Interoperable Communications System (LA-RICS). This $154 
        million Broadband Technology Opportunities Program (BTOP) 
        grantee has entered into an initial 5-year spectrum lease 
        agreement with FirstNet, allowing it to provide wireless 
        communication services to public safety entities. For this 
        audit initiated in FY 2017, we will assess LA-RICS' efforts to 
        meet grant objectives and provide the FirstNet with lessons 
        learned.
III. NOAA Satellites
Managing environmental satellite system acquisition and development 
        risks
    The Department must manage risks associated with the acquisition 
and development of environmental satellite systems. NOAA's major 
satellite system programs are among the Department's largest 
investments, totaling more than 16 percent of its $9.7 billion FY 2017 
budget request.
    NOAA geostationary and polar-orbiting environmental satellites 
provide some of the most important data and imagery for weather 
forecasting and storm tracking. After a number of delays, NOAA's GOES-R 
program launched its first satellite--GOES-16--on November 19, 2016. 
The month before, NOAA announced that the JPSS program would delay the 
launch of JPSS-1 approximately 6 months, to the fourth quarter of FY 
2017. Both have faced similar challenges completing the integration and 
testing of satellites and ground systems. At the same time, the 
programs are developing or planning for additional satellites.
    Our work on these programs has highlighted the need for effective 
management to mitigate the potential for gaps in the environmental data 
provided by NOAA's current, aging systems. Below we preview the 
challenges posed by GOES-R, JPSS, and the Polar Follow-On programs, as 
well as processing data from the GOES-16 and JPSS-1 satellites and new 
challenges to maintaining satellite coverage.

        Completing and launching GOES-R series satellites. A number of 
        integration and test problems caused NOAA to delay the GOES-R 
        estimated launch date form March 2016 to October 2016. In 
        addition, a launch anomaly on an international space station 
        resupply mission in March 2016 raised concerns about GOES-R's 
        launch vehicle. After an investigation and corrective actions, 
        GOES-R's launch date was postponed from October to November 
        2016, further threatening NOAA's ability to maintain a spare, 
        on-orbit satellite. NOAA launched GOES-R on November 19 and 
        renamed it GOES-16. Its on-orbit commissioning has reportedly 
        gone well and once operational, NOAA will have mitigated the 
        risk of a gap in its geostationary satellite coverage.

        However, GOES-R development issues and schedule delays have 
        affected the progress of the program's next mission, GOES-S. 
        NOAA slipped the GOES-S planned launch date from May 2017 to 
        March 2018. The GOES-R mission's problems pulled resources away 
        from the GOES-S effort and, in some cases, required the use of 
        GOES-S components as spares for GOES-R. Further, the program is 
        managing a risk related to the need to rework antenna stations, 
        which are on the ground system schedule's critical path for 
        GOES-S launch readiness.

        Completing preparations for the launch of JPSS-1. The JPSS 
        program was committed to launching JPSS-1 no later than the end 
        of the second quarter of FY 2017. However, additional problems 
        with a key instrument and further delays in the completion of 
        its ground system led NOAA and the program to delay the launch, 
        which is now scheduled for September 23, 2017.

        The program had to significantly revise the integration and 
        testing sequence of activities for JPSS-1 in order to 
        accommodate the delayed completion of the Advanced Technology 
        Microwave Sounder (ATM) and pivoted support systems (gimbals) 
        for the satellite's two science mission data antennas. We 
        reported in April 2016 that JPSS-1's schedule reserves \11\ 
        were below the program's procedural requirements. The 
        satellite's environmental testing campaign began in mid-March. 
        In July 2016, testing detected additional problems with ATMS 
        that required its removal from the satellite in order to 
        investigate and correct.
---------------------------------------------------------------------------
    \11\ This referred to schedule reserves toward what was then a 
January 20, 2017, planned launch date.

        The JPSS-1 launch is also contingent upon an upgrade of the 
        JPSS common ground system. This major upgrade will provide new 
        hardware and software, capabilities for supporting JPSS-1, a 
        full backup capability, additional ground antenna stations, 
        multiple operating environments, and significant security 
        improvements. Its completion has been prolonged by software 
        development and integration problems, adding risk to the JPSS-1 
---------------------------------------------------------------------------
        launch schedule.

        In April 2016--before the discovery of additional problems with 
        ATMS--we concluded that the program's ability to meet full 
        requirements for JPSS-1 launch was at risk. Further, the 
        program's need to revise its integration and testing approach 
        to preserve its schedule risked having lower-level system 
        requirements insufficiently tested.\12\ In October, NOAA 
        concluded that the instrument and ground system problems 
        presented too much risk to its second quarter launch commitment 
        date and delayed the launch to the fourth quarter.
---------------------------------------------------------------------------
    \12\ DOC OIG, April 26, 2016. The Joint Polar Satellite System: 
Further Planning and Executive Decisions Are Needed to Establish a 
Long-term, Robust Program, OIG-16-026-I. Washington, D.C.: DOC OIG, 12-
13.

        Recently, the importance of launching JPSS-1 has taken on added 
        urgency. The JPSS program has been responding to more frequent 
        issues with Suomi National Polar-orbiting Partnership (Suomi 
        NPP), which was launched in 2011 and is now operating beyond 
        its designed mission life. Suomi NPP is the only provider of 
        certain JPSS-quality data from the afternoon polar orbit. The 
        loss of that data before JPSS-1 is in operation would result in 
---------------------------------------------------------------------------
        a data gap that could affect the accuracy of weather forecasts.

        Establishing life-cycle cost and schedule baselines for Polar 
        Follow-On program. The JPSS program formulated the acquisition 
        and development of two additional satellites--JPSS-3 and JPSS-
        4--which are intended to be copies of JPSS-2. Funded under the 
        Polar Follow-On program budget, the missions will be integrated 
        with and managed by the JPSS program. In December 2016, the 
        Deputy Secretary of the Department of Commerce formally 
        approved the Polar Follow-On life-cycle cost and schedule 
        baselines.

        Preparing to process observational data from GOES-16 series and 
        JPSS-1. The ground system development problems both programs 
        were addressing risked the deferral of planned operational 
        capabilities until after the launches of GOES-16 and JPSS-1. 
        Management attention to post-launch test activities is needed 
        to ensure users' needs are met--and to inform a new 
        Administration and Congress of data availability and its effect 
        on forecasts.

        The GOES-R program continues to conduct post-launch testing of 
        GOES-16. The results of the testing will indicate whether or 
        not certain planned capabilities will be delayed. For JPSS, we 
        recommended, in our April 2016 report, that the National 
        Weather Service complete a contingency plan to expedite the use 
        of JPSS-1 data, if needed, once the satellite is launched and 
        communicate the plan to users and stakeholders by the end of 
        the third quarter of FY 2016. We also recommended that NOAA 
        provide stakeholders with a list of key activities for 
        operationalizing JPSS-1 data that NOAA will undertake during 
        the potential gap period. However, NOAA has yet to complete 
        these activities in accordance with its audit action plan.

        New challenges to maintaining satellite coverage. Issues 
        include the following:

                GOES backup concerns: NOAA maintains operational 
                geostationary satellites at two positions over the 
                Western Hemisphere: GOES-East (the GOES-13 satellite) 
                and GOES-West (GOES-15). A third satellite (currently, 
                GOES-14) is kept in storage-mode at a location between 
                them and is intended to provide backup capability 
                should either of the operational satellites fail. 
                Events in recent years have demonstrated the need for 
                this redundancy. GOES-13 failures have necessitated a 
                call-up of the backup satellite twice. Additionally, 
                GOES-15 only has one operable star tracker remaining 
                among its three onboard. If the final star tracker 
                fails, GOES-15 will be unable to meet its mission 
                requirements.

                GOES-16, as the newest and fourth NOAA satellite on 
                orbit, is planned to take one of the operational 
                positions in November 2017.

                JPSS-1 launch delay prolongs potential coverage gap: 
                NOAA's need to delay the launch of JPSS-1 from March 
                2017 to September 2017 prolongs a period of increased 
                risk of a polar satellite coverage gap due to the aging 
                of Suomi NPP beyond its mission design life. In April 
                2016, using assumptions based on the program status at 
                that time, we had assessed that NOAA would be facing a 
                period of increased risk for 7-10 months starting in 
                November 2016. Now, assuming a JPSS-1 launch in late 
                September 2017, the potential coverage gap period, 
                which began in November 2016, has increased to 14-17 
                months.

        Ongoing OIG oversight: Audit of JPSS program performance and 
        Polar Follow-On baseline establishment. For an audit of JPSS 
        and Polar Follow-On programs, our objective is to assess the 
        cost, schedule, and technical performance of selected 
        components of the JPSS program, as well as the establishment of 
        Polar Follow-On program baselines.
IV. NOAA Fisheries
Balancing the priorities of sustainable fisheries with those of 
        multiple stakeholders
    The National Marine Fisheries Service (NOAA Fisheries) must balance 
two competing interests: (1) promoting commercial and recreational 
fishing as vital elements of our national economy and (2) preserving 
populations of fish and other marine life. The Magnuson-Stevens Fishery 
Conservation and Management Act of 1976 (Magnuson-Stevens Act),\13\ the 
Marine Mammal Protection Act of 1972,\14\ and the Endangered Species 
Act of 1973 \15\ gave NOAA Fisheries responsibility for rebuilding and 
maintaining sustainable fisheries and promoting the recovery of 
protected marine species. The Magnuson-Stevens Act also made NOAA 
Fisheries the primary Federal agency for managing marine fisheries and 
established a regional fishery management council system to help the 
agency carry out its mission.
---------------------------------------------------------------------------
    \13\ Pub. L. No. 94-265; see also 16 U.S.C. 1801 et seq.
    \14\ Pub. L. No. 92-522; see also 16 U.S.C. 1361 et seq.
    \15\ Pub. L. No. 93-205; see also 16 U.S.C. 1531 et seq.
---------------------------------------------------------------------------
    Developing conservation and management measures requires 
collecting, analyzing, and reporting demographic information about fish 
populations via stock assessments. These assessments are a key element 
of the fishery management process; they are used to determine whether 
additional regulations are necessary to rebuild fish stocks or whether 
an increase in fishing opportunities can be allowed. NOAA continues to 
face challenges to ensuring timely and accurate assessments and 
providing consultation to its stakeholders. OIG's oversight of such 
activity includes responses to members of Congress about regional 
issues, as well as an upcoming review of NOAA stock assessments.

        Congressional responses. On June 13, 2016, we received a 
        request from Senators Blumenthal and Murphy and Congressman 
        Courtney asking for information about fishery management across 
        the Northeast and mid-Atlantic. Specifically, they raised 
        issues related to the

     current management structure of black sea bass, summer 
            flounder, and scup, as well as their statutory 
            requirements;

     current structure of fisheries management in the area;

     effectiveness of the quota share transfer between states; 
            and

     sufficiency of the liaison model to address concerns of 
            one region's fishery management council where another 
            region's council has jurisdiction.

        In its August 30, 2016, response to us, NOAA stated that

     Fisheries released a formal Fisheries Allocation Review 
            Policy and two associated procedural directives to provide 
            a consistent approach for the Councils to periodically re-
            evaluate fishery allocations.

     NOAA also communicated that the Mid-Atlantic Fisheries 
            Management Council recently voted to increase the New 
            England Fishery Management Council's voting seats on the 
            Demersal Species Committee--under which black sea bass, 
            summer flounder, and scup are managed--to three. In NOAA's 
            estimation, this approach provides another opportunity for 
            Northern states to be involved in the management of these 
            stocks.

     Lastly, NOAA Fisheries is currently considering a request 
            from the New England Fishery Management Council for joint 
            management of black sea bass, summer flounder, and scup.

        On September 14, 2016, our Deputy IG's response to the 
        Congressional request stated in part that

     OIG was planning a project to inventory the science that 
            NOAA Fisheries' Office of Science and Technology has used 
            to estimate the population of various fish stocks.

     The Fisheries Management Councils have the authority under 
            the Magnuson-Stevens Act to conduct any activities that are 
            necessary and appropriate to carrying out its functions.

     With respect to issues managing fish stock and quota share 
            transfer, NOAA and the Fisheries Management Councils have 
            the expertise needed to address concerns related to the 
            science used in their decisions.

     OIG presented to NOAA the Congressional concerns raised 
            with respect to issues with the current management 
            structure and liaison model, and requested NOAA to provide 
            a response (which we ultimately included as an enclosure to 
            our response).

        In addition, on June 27, 2016, we received a request from 
        Senator Rubio for OIG to review the Department's decisions and 
        assessment modeling, especially the Beaufort Assessment Model, 
        as it relates to the South Atlantic red snapper fishery.

        OIG reached out to NOAA for information related to Senator 
        Rubio's request. In its July 27, 2016, response to us, NOAA 
        stated that

     A protracted benchmark stock assessment was conducted for 
            red snapper and gray triggerfish, with various public 
            meetings informing the decisions made with respect to these 
            species, including the use of the Beaufort Assessment 
            Model. This information is consolidated on a public 
            website.

     The decision process related to these species has numerous 
            features involving multiple stakeholders, the South 
            Atlantic Fishery Management Council, and the NOAA Fisheries 
            Southeast Fisheries Science Center, among others.

        On August 29, 2016, our Deputy IG replied to the Senator's 
        request by stating in part that

     OIG was planning a project to inventory the science that 
            NOAA Fisheries' Office of Science and Technology has used 
            to estimate the population of various fish stocks.

     OIG conveyed NOAA response to the Senator's concerns.

     To date, we have not encountered or been alerted to 
            specific risks with respect to NOAA's actions or the 
            Fishery Management Council process.

        Ongoing OIG oversight: Review of NOAA Fisheries stock 
        assessment enterprise. NOAA Fisheries manages approximately 500 
        fish stocks. Its stock assessments examine the effects of 
        fishing and other factors to describe the past and current 
        status of a fish stock, answer questions about the size of a 
        fish stock, and make predictions about how a fish stock will 
        respond to current and future management measures.

        On January 13, 2017, OIG initiated a project for inventorying 
        the science that NOAA Fisheries' Office of Science and 
        Technology has used to estimate the population of various fish 
        stocks. NOAA has provided us a list of 40 models and 964 
        assessments completed since 2004 and their respective 
        scientific models. Our preliminary work is currently underway.
V. Oversight of the Department's Management and Spending
IT and cybersecurity issues
    Our Cybersecurity Act of 2015 audit identified that the Department 
faces significant challenges to securing its national security 
systems.\16\ We found that the Department had not followed longstanding 
requirements for managing the security risks for some of its national 
security systems. After we disclosed this issue to the Department's 
senior management, the Chief Information Officer developed a plan to 
correct the issues we identified. Currently, the Department is in the 
process of mitigating the security risks.
---------------------------------------------------------------------------
    \16\ DOC OIG, August 4, 2016. Review of IT Security Policies, 
Procedures, Practices, and Capabilities in Accordance with the 
Cybersecurity Act of 2015, OIG-16-040-A. Washington, D.C.: OIG.
---------------------------------------------------------------------------
    The Enterprise Security Operations Center (ESOC) is to provide 
Department-wide security situational awareness to senior Departmental 
and bureau managers. To meet OMB's requirement,\17\ the Department has 
also designated ESOC as its principal security operations center, which 
will be responsible for coordinating communication with the Department 
of Homeland Security, U.S. Computer Emergency Readiness Team, and OMB; 
and sharing cybersecurity intelligence and information with the 
Department's bureaus. In August 2016, ESOC began to receive and analyze 
cybersecurity-related information covering all of the Department's 
bureaus.
---------------------------------------------------------------------------
    \17\ OMB, October 30, 2015. Cybersecurity Strategy and 
Implementation Plan (CSIP) for the Federal Civilian Government, M-16-
04. Washington, D.C.: OMB, 16.
---------------------------------------------------------------------------
    As part of the Department's enterprise continuous monitoring 
initiative, the Enterprise Cybersecurity Monitoring and Operations 
(ECMO) is to provide timely information about vulnerabilities to system 
owners in the bureaus. ECMO has been funded through the Department's 
working capital fund (WCF). In FY 2016, the Department put the 
implementation of ECMO on hold until its WCF received additional 
funding. This action delayed the Department-wide continuous monitoring 
capabilities to its high-impact systems. Currently, the Department 
plans to complete the implementation of ECMO on high-impact systems by 
the end of September 2017.
Creating a Department-wide culture of accountability
    Over the course of 2016, OIG's Office of Investigations (OI) 
processed more than 500 complaints regarding the Department's 
operations; opened more than 80 investigations into allegations of 
fraud, waste, and abuse related to the Department's programs and funds; 
and closed more than 50 open investigations. Many of these closed 
investigations resulted in successful criminal convictions (8), 
suspension or debarment actions (10), and administrative disciplinary 
actions (5).
    OI released two investigative reports to the public in 2016. One 
report described OIG's detailed analysis of work hours claimed by more 
than 8,000 patent examiners at the U.S. Patent and Trademark Office. In 
that investigation, we found hundreds of thousands of hours that 
examiners claimed to work that could not be supported by evidence of 
actual work, which equated to more than $18 million in potential waste. 
The second report detailed evidence gathered by OIG showing how a high-
ranking political appointee received multiple unwarranted 
reimbursements for expenses he incurred during stays at luxury hotel 
accommodations while on official travel, inappropriately used a 
subordinate to handle personal tasks for him on a regular basis, and 
caused his agency to spend thousands of dollars on questionable 
expenses associated with renovation work that he wanted done to his 
office suite.

        Preventing travel abuse. In the latter case, pertaining to 
        government travel, our inquiries raised concerns about the 
        Department's compliance with governing laws and rules, 
        particularly the Federal Travel Regulation and the Department's 
        travel-related policies. In particular, we identified issues 
        with Department personnel involved in the preparation and 
        approval of official travel, specifically with regard to 
        premium-class travel involving senior Department personnel. 
        While some of the problems identified in these inquiries 
        appeared to result from intentional abuse, other failures 
        stemmed from critical misunderstandings of key travel-related 
        laws and rules by one or more employees responsible for 
        administering travel.

        NOAA Fisheries' Alaska Regional Office Use of Contract Raises 
        Issues Regarding Personal Services (Office of Audit and 
        Evaluation product originating from an OI hotline complaint). 
        We reviewed a complaint received in January 2015 from a 
        confidential complainant regarding NOAA Fisheries Alaska 
        Regional Office's use of grants and cooperative agreements. The 
        objective of our review was to determine whether NOAA 
        inappropriately used a cooperative agreement and grant to 
        acquire personal services, as alleged by the confidential 
        complainant.

        We were unable to substantiate the complainant's claim. 
        However, we did find that the regional office used a contract 
        to acquire administrative support services, the execution and 
        management of which contained similarities in appearance to 
        prohibited personal services contracts, which should be avoided 
        to ensure that NOAA Fisheries does not inappropriately 
        supplement its full-time employee workforce.

        We recommended the Assistant Administrator for Fisheries (1) 
        develop a control process that restricts future awards from 
        being managed as personal service contracts; and (2) distribute 
        guidance to NOAA Fisheries program staff on statutory 
        restrictions and limitations relating to personal services 
        contracts.

        Conference spending issues. On December 2, 2016, we issued a 
        memorandum, Biweekly Reporting on Conference Spending by the 
        Department of Commerce (OIG-17-006-M), that provides the 
        results of OIG's analysis of biweekly conference spending 
        reports provided by the Department. Our review found the 
        following results:

     USPTO is likely under-reporting its FY 2016 conference 
            activity to OIG. In its FY 2015 biweekly submissions to 
            Office of Administration Programs (OAP), the U.S. Patent 
            and Trademark Office (USPTO) reported a total of 36 
            conferences. In FY 2016, USPTO reported none. OIG noted 
            that USPTO's interpretation of the policy is overly broad 
            and, through its application, may not be reporting 
            conference information as envisioned by Congress or OMB.

     It is unclear whether the Census Bureau is under-reporting 
            its FY 2016 conference activity to OIG. In its FY 2015 
            biweekly submissions to OAP, the Census Bureau (Bureau) 
            reported a total of 14 conferences. In FY 2016, the Bureau 
            has reported 3. The Bureau's explanation indicates that, 
            upon clarification of the policy, it stopped reporting 
            these training events. It is not clear who provided this 
            clarification to the Bureau--and, while its explanation 
            refers to an ``opinion'' to not report on similar events in 
            FY 2016, this opinion was not provided to OIG nor was it 
            described as a legal opinion.
VI. OIG Recommendations Issued to the Department of Commerce
    Our office is committed to ensuring that the Department resolves 
and implements each recommendation provided in our products. Since FY 
2015 alone, we have provided 205 recommendations to the Department, 
identifying program improvements, operational efficiencies, and cost 
savings in a wide range of programs and activities. For those delivered 
in FY 2015, 57 of 86 have been implemented by the Department--a rate of 
66 percent for those issued during this time. For FY 2016, this rate is 
currently 30 percent (33 of 111 recommendations implemented), as the 
Department begins to take action on many of these recommendations in FY 
2017. Overall, 115 recommendations--issued between October 1, 2015, and 
the end of January 2017--remain either unresolved or unimplemented as 
of the end of January 2017.
    Much of our work produces results that directly benefit the 
taxpayer. With respect to OIG's return on investment, we have reported 
more than $125 million in monetary benefits over the last 2 full fiscal 
years. These include (a) questioned costs and (b) funds to be put to 
better use as a result of audits and inspections, as well as (c) 
monetary issues identified by investigations.
    In addition to the recent and upcoming work we have highlighted in 
the above discussion of Department challenges--which included agencies 
and programs of particular interest to this Committee--OIG is engaged 
in other oversight work on challenges related to, among other issues,

  1.  preparations for the 2020 decennial census,

  2.  U.S. Patent and Trademark Office programs,

  3.  the National Institute of Standards and Technology,

  4.  the International Trade Administration's Commercial Service and 
        Enforcement and Compliance offices, and

  5.  the Department's and operating units' working capital funds and 
        unliquidated obligations.

    OIG expresses its appreciation to the former Secretary of Commerce 
for supporting our efforts as Department management addressed our 
recommendations. We look forward to the continued support of the 
incoming Secretary.
    This concludes my prepared statement, and I will be pleased to 
respond to any questions you or other Committee members may have.

    The Chairman. Thank you, Ms. Gustafson.
    Mr. Roth?

        STATEMENT OF HON. JOHN ROTH, INSPECTOR GENERAL, 
              U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Roth. Chairman Thune, Ranking Member Nelson, and 
members of the Committee, thank you for inviting me here to 
testify today.
    As you know, DHS' mission to protect the Nation entails a 
wide array of responsibilities. Our office reflects the size 
and complexity of the Department. In a typical year, we issue 
nearly 200 audit and inspection reports and complete over 600 
investigations. In our audit and inspection reports, we make 
nearly 400 recommendations in an average year. We receive 
nearly 19,000 complaints through our hotline and website, 
including hundreds of whistleblower retaliation complaints per 
year, and have pending nearly 1,000 investigations at any one 
time.
    Although significant progress has been made, the Department 
continues to face longstanding persistent challenges overseeing 
and managing its homeland security mission. These challenges 
affect every aspect of the mission, from preventing terrorism 
and protecting our border and transportation systems to 
enforcing our immigration laws, ensuring disaster resiliency, 
and securing cyberspace. My written testimony talks about each 
of these issues under the Committee's jurisdiction, but for my 
oral testimony, I'll simply discuss our work as it relates to 
TSA.
    With regard to TSA's aviation passenger screening 
responsibilities, we previously identified vulnerabilities in 
their screening operations caused by a combination of 
technology failures, insufficient processes, and human error. 
Fortunately, TSA's response to our finding has represented a 
marked change from previous practice. TSA's leadership 
understood the gravity of our findings and moved to revamp 
training, improve technology, and refine checkpoint policies 
and procedures in an attempt to increase checkpoint 
efficiencies. More importantly, the previous administrator 
reemphasized the security mission of TSA to its work force.
    We are in the midst of another round of covert testing of 
checkpoint operations across the country. We will report our 
results to this committee as well as other committees of 
jurisdiction.
    While there has been much focus on checkpoint operations, 
we remain concerned about access to secure areas by airport 
employees and unauthorized individuals. Controlling access to 
secured airport areas is critical to the safety of passengers 
and aircraft for obvious reasons. Unfortunately, the current 
system has much to be desired. Airport operators are required 
to perform criminal history and immigration checks prior to 
granting individuals badges that allow them unescorted access 
to secure areas, and TSA is required to oversee this process.
    Despite TSA's efforts to ensure only cleared individuals 
enter secure areas, we have identified numerous 
vulnerabilities. For example, we found that TSA does not have 
an adequate monitoring process in place to ensure that airport 
operators properly adjudicated credential applicants' criminal 
histories, and we also found weaknesses in the verification 
process for an individual's authorization to work in the U.S. 
Weaknesses in this program represent a security risk to 
aviation transportation.
    Moreover, although TSA is required to perform an annual 
inspection of commercial airport security operations, which 
includes reviews of the documentation that airport workers had 
submitted in applying for credentials, we found that at larger 
airports, TSA looked at as few as 1 percent of all aviation 
workers' applications. In addition, we found other weaknesses 
in the method by which the documentation was verified. We have 
made recommendations to fix these vulnerabilities, and we will 
follow up to ensure TSA takes the required steps to ensure 
better performance in this area.
    We also have concerns with the sufficiency of vetting 
itself. Airport workers are subject to only minimal vetting, 
the same level of vetting, for example, that a pre-check 
passenger receives, including a fingerprint-based criminal 
history check to determine whether an individual has been 
convicted of or is under indictment for certain felonies and 
whether that person in on the terrorist watch list. The risk 
presented by such limited vetting is compounded by the fact 
that airport workers are subject to physical screening at only 
three of the approximately 450 airports under TSA's 
jurisdiction. We believe that this creates a significant risk 
to aviation security.
    Additionally, there are significant risks that lost or 
stolen access badges could allow unauthorized access to secure 
airport areas. In response to congressional concerns and media 
reports, we conducted a review of TSA's controls over access 
badges. Based on its inspections, TSA had asserted to us that 
most airports adequately control badges for employees working 
in non-public areas.
    However, we found this not to be accurate. TSA had simply 
relied on the airport operators' assurances that the airports 
were properly accounting for badges. In fact, in a recent audit 
where we actually compared employer records against airport 
records, we found an unacceptable percentage of airport 
employers had not reported lost or missing badges or failed to 
recover the badge from those who had left employment. Again, we 
believe that this represents a significant risk to aviation 
security.
    Mr. Chairman, this concludes my testimony. I'm happy to 
answer questions you or any members of the Committee may have.
    [The prepared statement of Mr. Roth follows:]

       Prepared Statement of Hon. John Roth, Inspector General, 
                  U.S. Department of Homeland Security
    Chairman Thune, Ranking Member Nelson, and Members of the 
Committee, thank you for inviting me to testify on the work of the 
Office of Inspector General of the Department of Homeland Security.
    As you know, DHS' mission to protect the Nation entails a wide 
array of responsibilities. These range from facilitating the flow of 
commerce and travelers, countering terrorism, and securing and managing 
the border to enforcing and administering immigration laws and 
preparing for and responding to natural disasters.
    Our office reflects the size and complexity of the Department. In a 
typical year, we issue nearly 200 audit and inspection reports and 
conduct over 600 investigations. In our audit and inspection reports, 
we make nearly 400 recommendations in an average year. We receive 
nearly 19,000 complaints through our hotline and website, including 
over 400 whistleblower complaints per year, and have pending nearly 
1,000 investigations at any one time.
    Currently, as it relates to matters under this Committee's 
jurisdiction, we have 115 open recommendations. A full list of these 
recommendations is attached as appendix A. The number of open 
recommendations, particularly those with which the Department did not 
agree, has fallen precipitously. We are generally pleased with the 
level of responsiveness we have received from the Department, which we 
believe is a result of significant leadership commitment to the 
principles of an independent internal audit function.
Major Management Challenges Facing DHS
    Homeland Security faces many challenges, and we at OIG have focused 
our energy on the major management and performance challenges. We have 
listed six:

   creating a unified department,

   employee morale and engagement,

   acquisition management,

   grants management,

   cybersecurity, and

   improving management fundamentals.\1\
---------------------------------------------------------------------------
    \1\ Major Management and Performance Challenges Facing the 
Department of Homeland Security, OIG-17-08 (November 2016).

    Although significant progress has been made, the Department 
continues to face long-standing, persistent challenges overseeing and 
managing its homeland security mission. These challenges affect every 
aspect of the mission, from preventing terrorism and protecting our 
borders and transportation systems to enforcing our immigration laws, 
ensuring disaster resiliency, and securing cyberspace. The Department 
is continually tested to work as one entity to achieve its complex 
mission. The key to sustaining the gains made thus far is a leadership 
commitment by the new Administration and continued thoughtful but 
vigorous oversight by this Committee and my office.
    I will briefly discuss our work in the three areas under the 
Committee's jurisdiction: the Transportation Security Administration, 
the Coast Guard, and the Department's cyber responsibilities.
Transportation Security Administration
The Nature of the Threat
    Nowhere is the asymmetric threat of terrorism more evident than in 
the area of aviation security. TSA cannot afford to miss a single, 
genuine threat without potentially catastrophic consequences, and yet a 
terrorist only needs to get it right once. Securing the civil aviation 
transportation system remains a formidable task--with TSA responsible 
for screening travelers and baggage for over 1.8 million passengers a 
day at 450 of our Nation's airports. Complicating this responsibility 
is the constantly evolving threat by adversaries willing to use any 
means at their disposal to incite terror.
    The dangers TSA must contend with are complex and not within its 
control. Recent media reports have indicated that some in the U.S. 
intelligence community warn terrorist groups like the Islamic State 
(ISIS) may be working to build the capability to carry out mass 
casualty attacks, a significant departure from--and posing a different 
type of threat than--simply encouraging lone wolf attacks. According to 
these media reports, a mass casualty attack has become more likely in 
part because of a fierce competition with other terrorist networks--
being able to kill opponents on a large scale would allow terrorist 
groups such as ISIS to make a powerful showing. We believe such an act 
of terrorism would likely be carried out in areas where people are 
concentrated and vulnerable, such as the Nation's commercial aviation 
system.
Mere Intelligence is Not enough
    In the past, officials from TSA, in testimony to Congress, in 
speeches to think tanks, and elsewhere, have described TSA as an 
intelligence-driven organization. According to TSA, it continually 
assesses intelligence to develop countermeasures in order to enhance 
the multiple layers of security at airports and onboard aircraft. This 
is a necessary thing, but it is not sufficient.
    In the vast majority of the instances, the identities of those who 
commit terrorist acts were simply unknown to the intelligence community 
beforehand. Terrorism, especially suicide terrorism, depends on a cadre 
of newly-converted individuals who are often unknown to the 
intelligence community. Moreover, the threat of ISIS- or Al Qaeda-
inspired actors--those with no formal ties to the larger organizations, 
but who simply take inspiration from them--increase the possibilities 
of a terrorist actor being unknown to the intelligence community.
    What this means is that there is no easy substitute for the 
checkpoint. The checkpoint must necessarily be intelligence driven, but 
the nature of terrorism today means that each and every passenger must 
be screened in some way.
TSA Does Not Have a Risk-Based Security Strategy
    TSA has many responsibilities beyond air travel, and is 
responsible, generally through the use of regulation and oversight, for 
surface transportation security. However, TSA focuses primarily on air 
transportation security and largely ignores other modes. We found that 
TSA does not have an intelligence-driven, risk-based security strategy 
to inform security and budget needs across all types of transportation. 
In 2011, TSA began publicizing that it uses an ``intelligence-driven, 
risk-based approach'' across all transportation modes. However, we 
found this not to be true. In an audit we released this past September, 
we reported that TSA specifically designed this approach to replace its 
one-size-fits-all approach to air passenger screening, but did not 
apply it to other transportation modes. Additionally, TSA's agency-wide 
risk management organizations provide little oversight of TSA's surface 
transportation security programs. TSA established an Executive Risk 
Steering Committee which was intended to create a crosscutting, risk-
based strategy that would drive resource allocations across all modes. 
However, no entity at TSA, places much emphasis on non-air 
transportation modes.
    As a result, TSA dedicated 80 percent of its nearly $7.4 billion FY 
2015 budget to direct aviation security expenditures, and only about 2 
percent to direct surface transportation expenditures. Its remaining 
resources were spent on support and intelligence functions. A formal 
process that incorporates risk into its budget formulation would help 
TSA ensure it best determines and prioritizes the resources necessary 
to fulfill its missions.\2\
---------------------------------------------------------------------------
    \2\ Transportation Security Administration Needs a Crosscutting 
Risk-Based Security Strategy (OIG-16-134).
---------------------------------------------------------------------------
    As a result of a lack of focus on surface transportation, TSA's 
efforts in this area have been lacking. Recently, we have published two 
reports that identify significant weaknesses in TSA's ability to secure 
surface transportation modes and the Nation's maritime facilities and 
vessels. Specifically, we identified issues with the reliability of 
background checks for port workers, and passenger rail security.
    With regard to surface transportation, we issued a report that 
found that TSA has failed to develop and implement regulations 
governing passenger rail security required more than nine years ago. 
Specifically, although required to by the Implementing Recommendations 
of the 9/11 Commission Act of 2007, TSA neither identified high-risk 
carriers, nor issued regulations requiring those carriers to conduct 
vulnerability assessments and implement DHS-approved security plans. 
TSA also did not issue regulations that would require a railroad 
security training program. Furthermore, unlike aviation and maritime 
port workers, TSA has not developed regulations requiring security 
background checks for rail workers. TSA has just submitted a notice of 
proposed rulemaking on one rule to the Federal Register, but 
unfortunately, will not even commit to a timeline as to when they will 
move the other two regulations forward.\3\
---------------------------------------------------------------------------
    \3\ TSA Oversight of National Passenger Rail System Security (OIG-
16-91).
---------------------------------------------------------------------------
    We issued a second report that found that TSA is missing key 
internal controls in the Transportation Worker Identification 
Credential (TWIC) program. The background check process for TWICs 
includes a check for immigration-, criminal-, and terrorism-related 
offenses that would preclude someone from being granted unescorted 
access to secure facilities at seaports. Our review found that TSA did 
not adequately integrate the security measures intended to identify 
fraudulent applications into the background check process. This was the 
case notwithstanding the fact that a GAO report found the same problems 
five years ago.\4\
---------------------------------------------------------------------------
    \4\ TWIC Background Checks are Not as Reliable as They Could Be 
(OIG-16-128).
---------------------------------------------------------------------------
Checkpoint Performance
    Detection of dangerous items on people and in baggage requires 
reliable equipment with effective technology, as well as well-trained 
and alert TSOs who understand and consistently follow established 
procedures and exercise good judgment. We believe there are 
vulnerabilities in TSA's screening operations, caused by a combination 
of technology failures and human error. Since 2004, we have conducted 
eight covert penetration testing audits on passenger and baggage 
screening operations. Because these audits involved covert testing and 
contain classified or Sensitive Security Information, we can only 
discuss the results in general terms at this hearing.
    Previous covert testing identified vulnerabilities in TSA's use of 
Advanced Imaging Technology (AIT) equipment at domestic airports. We 
previously engaged in covert penetration testing to evaluate the 
effectiveness of TSA's Automated Target Recognition software and 
checkpoint screener performance in identifying and resolving potential 
security threats at airport checkpoints. The specific result of our 
covert testing, like the testing we have done in the past, is 
classified at the Secret level. However, we can describe the results as 
troubling and disappointing.\5\
---------------------------------------------------------------------------
    \5\ Covert Testing of TSA's Passenger Screening Technologies and 
Processes at Airport Security Checkpoints (Unclassified Summary (OIG-
15-150).
---------------------------------------------------------------------------
    Unfortunately, the results of this covert testing was in line with 
previous covert testing we had conducted, both on the AIT machines as 
well as on checked baggage and access to secured airport areas.\6\
---------------------------------------------------------------------------
    \6\ TSA Penetration Testing of Advanced Imaging Technology 
(Unclassified Summary), OIG 12-06; Covert Testing of Access Controls to 
Secured Airport Areas, OIG-12-26; Vulnerabilities Exist in TSA's 
Checked Baggage Screening Operations (Unclassified Summary), OIG-14-
142.
---------------------------------------------------------------------------
    I am pleased to report that in the last 18 months, TSA's response 
to our findings has represented a marked change from previous practice. 
TSA's leadership understood the gravity of our findings, and moved to 
revamp training, improve technology, and refine checkpoint policies and 
procedures in an attempt to increase checkpoint effectiveness. This 
plan is appropriate because the checkpoint must be considered as a 
single system; the most effective technology is useless without the 
right personnel, and the personnel need to be guided by the appropriate 
procedures. Unless all three elements are operating effectively, the 
checkpoint will not be effective.
    More importantly, the previous Administrator reemphasized the 
security mission of TSA to the workforce.
    We are in the midst of another round of covert testing across the 
country. Consistent with our obligations under the Inspector General 
Act, we will report our results to this Committee as well as other 
committees of jurisdiction.
Expedited Screening and Risk Assessment
    We applaud TSA's efforts to use risk-based passenger screening 
because it allows TSA to focus on high-risk or unknown passengers 
instead of known, vetted passengers who pose less risk to aviation 
security.
    However, we have had deep concerns about some of TSA's previous 
decisions about this risk. For example, we recently assessed the 
PreCheck Initiative, which is used at about 125 airports to identify 
low-risk passengers for expedited airport checkpoint screening. 
Starting in 2012, TSA massively increased the use of Precheck. Some of 
the expansion--for example allowing Precheck to other Federal 
Government-vetted or known flying populations, such as those in the CBP 
Trusted Traveler Program--made sense. In addition, TSA continues to 
promote participation in Precheck by passengers who apply, pay a fee, 
and undergo individualized security threat assessment vetting.
    However, we believe that TSA's use of risk assessment rules, which 
grant expedited screening to broad categories of individuals based on 
some questionable assumptions about relative risk based on factors 
unrelated to individual assessment of risk, create an unacceptable risk 
to aviation security. We have been communicating with TSA officials 
about this, and TSA has provided us a plan by which they will decrease 
reliance on this process. However, we remain concerned about the pace 
of progress in this area and will continue to monitor the situation.\7\
---------------------------------------------------------------------------
    \7\ Use of Risk Assessment within Secure Flight, OIG-14-153 (June 
2015).
---------------------------------------------------------------------------
Airport Employee Vetting and Access Controls to Secure Areas
    Airport employees, as well as unauthorized individuals, entering 
the secure areas of airports pose a serious potential risk to security. 
Controlling access to secured airport areas is critical to the safety 
of passengers and aircraft. Despite TSA's efforts to ensure only 
cleared individuals enter secure areas, we have identified numerous 
vulnerabilities.
    Federal regulations require individuals who apply for credentials 
to work in secure areas of commercial airports to undergo background 
checks. TSA and airport operators are required to perform these checks 
prior to granting individuals badges that allow them unescorted access 
to secure areas.
    We found that TSA was generally effective in identifying 
individuals with links to terrorism. Since its inception in 2003, TSA 
has directed airports to deny or revoke 58 airport badges as a result 
of its vetting process for credential applicants and existing 
credential holders. In addition, TSA has implemented quality review 
processes for its scoring model, and has taken proactive steps based on 
non-obvious links to identify new terrorism suspects that it nominates 
to the watchlist.
    Despite rigorous processes, TSA did not identify 73 individuals 
with links to terrorism because TSA is not cleared to receive all 
terrorism categories under current interagency watchlisting guidance. 
At our request, the National Counterterrorism Center (NCTC) performed a 
data match of over 900,000 airport workers with access to secure areas 
against the NCTC's Terrorist Identities Datamart Environment (TIDE). As 
a result of this match, we identified 73 individuals with terrorism-
related category codes who also had active credentials. According to 
TSA officials, the interagency policy in effect at the time prevented 
the agency from receiving all terrorism-related codes during vetting.
    TSA officials recognized that not receiving these codes represents 
a weakness in its program, and informed us that TSA cannot guarantee 
that it can consistently identify all questionable individuals without 
receiving these categories. In response to this audit, the Department 
worked with the Intelligence Community to ensure that TSA had access to 
the entire TIDE. This has closed a significant vulnerability, and we 
are pleased to report that we were able to close our recommendation.
    Additionally, this same audit found that TSA also did not have an 
adequate monitoring process in place to ensure that airport operators 
properly adjudicated credential applicants' criminal histories, and 
also found weaknesses in the verification process for an individual's 
authorization to work in the United States. Weaknesses in these 
programs present a security risk to aviation transportation.
    TSA's Office of Security Operations performed annual inspections of 
commercial airport security operations, including reviews of the 
documentation that aviation workers submitted when applying for 
credentials. However, due to workload at larger airports, this 
inspection process looked at as few as one percent of all aviation 
workers' applications. In addition, we found other weaknesses in the 
method by which the documentation was verified.\8\
---------------------------------------------------------------------------
    \8\ TSA Can Improve Aviation Worker Vetting, OIG-15-98 (June 2015).
---------------------------------------------------------------------------
    The necessity to permit access to secure areas to only known and 
trusted individuals should be self-evident. Those with unsupervised, 
unescorted access to aircraft could secrete dangerous items on board. 
Unfortunately, the current system has much to be desired. Open source 
reporting shows that those with unescorted access regularly stow 
contraband on airplanes. Last week, for example, American Airlines 
accidentally discovered during routine maintenance 31 pounds of cocaine 
secreted in the nose of an American Airlines Boeing 757. According to 
published news reports, this was the second time in three years this 
had occurred.\9\
---------------------------------------------------------------------------
    \9\ http://www.upi.com/Top_News/US/2017/01/31/Thirty-pounds-of-
cocaine-found-in-nose-of-American-Airlines-plane/9461485853935/. This 
is a fairly common occurrence. See, e.g., https://www.cbp.gov/newsroom/
local-media-release/cbp-jfk-seizes-cocaine-and-heroin-inside-aircraft 
(cocaine and heroin found in two separate incidents at JFK in 2015; 
secreted inside aircraft panels); http://www.actionnewsjax.com/news/
local/3-kilos-of-cocaine-found-on-jetblue-plane-months-after-flight-
attendant-caught-smuggling/412777000 (three kilograms of cocaine 
discovered on JetBlue aircraft inside wing panel in June 2016).
---------------------------------------------------------------------------
    Other open source media, as well as congressional hearings, have 
highlighted the risks involved. In 2013, an avionics technician with 
unescorted access to airplanes was convicted for his part in a plot to 
wage violent jihad by driving a bomb-laden van onto the tarmac at the 
Wichita airport and detonate it. His goal, according to the prosecutors 
involved in the case, was to inflict maximum casualties just before 
Christmas.\10\ In another instance, a gun-smuggling conspiracy used a 
baggage handler to smuggle weapons, including loaded weapons, onto 
flights from Atlanta to New York. Law enforcement authorities were able 
to confirm that they had shipped approximately 129 firearms in that 
manner.\11\
---------------------------------------------------------------------------
    \10\ https://www.justice.gov/opa/pr/kansas-man-pleads-guilty-plot-
explode-car-bomb-airport.
    \11\ https://www.justice.gov/usao-ndga/pr/baggage-handler-
hartsfield-jackson-airport-arrested-smuggling-guns-airport-evading
---------------------------------------------------------------------------
    Airport workers are subject to only minimal vetting--the same level 
of vetting, for example, that a PreCheck passenger receives--including 
a fingerprint-based criminal history check to determine whether an 
individual has been convicted of or is under indictment for certain 
enumerated felonies, and whether that person is on the terrorist watch 
list.\12\ The risk presented by such limited vetting is compounded by 
the fact that airport workers are subject to physical screening at only 
two of the approximately 450 airports under TSA's jurisdiction. We 
believe that this creates a significant risk to aviation security.
---------------------------------------------------------------------------
    \12\ The felonies are listed at 49 CFR 1542.209.
---------------------------------------------------------------------------
    Additionally, there is a significant risk that lost or stolen 
airport access badges could allow unauthorized people access to secure 
airport areas. In response to congressional concerns and media reports, 
we conducted a review of TSA's controls over access badges. Based on 
its comprehensive and targeted inspections, TSA has asserted that most 
airports adequately control badges for employees working in nonpublic 
areas. However, we found this not to be accurate.
    From TSA's own testing conducted in 2015, as well as our own 
testing recently conducted, we conclude that airports do not always 
properly account for access media badges after they are issued to 
employees. TSA's current inspection practice of relying on information 
reported by airports about access media badges limits its oversight of 
badge controls. During our inspection, we found that a significant 
percentage of the airports we looked at did not have accurate 
information about active access media badges.
    By testing more controls, which are designed to curtail the number 
of unaccounted for badges, TSA could strengthen its oversight of 
airports. Improved oversight by TSA, including encouraging wider use of 
airports' best practices, would help mitigate the risks to airport 
security posed by unaccounted for employee badges.\13\
---------------------------------------------------------------------------
    \13\ TSA Could Improve Its Oversight of Airport Controls over 
Access Media Badges, OIG-17-04 (October 2016).
---------------------------------------------------------------------------
TSA Business Practices
    We have continuing concerns with TSA's stewardship of taxpayer 
dollars spent on aviation security.
    Last May, we issued a report on TSA's Security Technology 
Integrated Program (STIP), a data management system that connects 
airport transportation security equipment, such as Explosive Trace 
Detectors, Explosive Detection Systems, Advanced Technology X-ray, 
Advanced Imaging Technology, and Credential Authentication Technology. 
This program enables the remote management of this equipment by 
connecting it to a centralized server that supports data management, 
aids threat response, and facilitates equipment maintenance, including 
automated deployment of software and configuration changes.
    However, we found that, while progress has been made, numerous 
deficiencies continue in STIP information technology security controls, 
including unpatched software and inadequate contractor oversight. This 
occurred because TSA typically has not managed STIP equipment in 
compliance with DHS guidelines regarding sensitive IT systems. Failure 
to comply with these guidelines increases the risk that baggage 
screening equipment will not operate as intended, resulting in 
potential loss of confidentiality, integrity, and availability of TSA's 
automated explosive, passenger, and baggage screening programs.
    TSA also has not effectively managed STIP servers as IT 
investments. Based on senior-level TSA guidance, TSA officials did not 
designate these assets as IT equipment. As such, TSA did not ensure 
that IT security requirements were included in STIP procurement 
contracts. This promoted the use of unsupported operating systems that 
created security concerns and forced TSA to disconnect STIP servers 
from the network. TSA also did not report all STIP IT costs in its 
annual budgets, hindering the agency from effectively managing and 
evaluating the benefits and costs of STIP.\14\
---------------------------------------------------------------------------
    \14\ IT Management Challenges Continue in TSA's Security Technology 
Integrated Program, OIG-16-87 (May 2016).
---------------------------------------------------------------------------
    Another recent audit revealed that the safety of airline passengers 
and aircraft could be compromised by TSA's inadequate oversight of its 
equipment maintenance contracts. TSA has four maintenance contracts 
valued at about $1.2 billion, which cover both preventive and 
corrective maintenance for airport screening equipment. Because TSA 
does not adequately oversee equipment maintenance, it cannot be assured 
that routine preventive maintenance is performed on thousands of 
screening units, or that this equipment is repaired as needed, ready 
for operational use, and operating at its full capacity. In response to 
our recommendations, TSA agreed to develop, implement, and enforce 
policies and procedures to ensure its screening equipment is maintained 
as required and is fully operational while in service.\15\
---------------------------------------------------------------------------
    \15\ The Transportation Security Administration Does Not Properly 
Manage Its Airport Screening Equipment Maintenance Program, OIG-15-86 
(May 2016).
---------------------------------------------------------------------------
Sensitive Security Information
    I remain concerned about TSA's use of the Sensitive Security 
Information (SSI) designation. In our latest report on airport-based IT 
systems, TSA had demanded the redaction of information that had 
previously been freely published without objection, and which my IT 
security experts state poses no threat to aviation security. TSA's 
history of abusing the SSI designation is well documented, and we are 
conducting a review of TSA's management and use of the SSI designation, 
which should be out this summer. Inconsistently and inappropriately 
marking information in our reports as SSI impedes our ability to issue 
reports to the public that are transparent without unduly restricting 
information, which is key to accomplishing our mission and required 
under the Inspector General Act.
Coast Guard
    Within the Department of Homeland Security, U.S. Customs and Border 
Protection's (CBP) Air and Marine Operations (AMO) and the United 
States Coast Guard (Coast Guard) share responsibility for maritime 
security missions. At the request of Congress, we reviewed the maritime 
missions and responsibilities of AMO and the Coast Guard.
    We found that the maritime missions and responsibilities of AMO and 
the Coast Guard are not duplicative. Their efforts to interdict drugs 
and people bolster the overall effectiveness of DHS' maritime border 
security. The agencies contribute to the national strategy of layered 
maritime security and conduct different activities, which leads to more 
interdictions. We also found very little overlap in mission locations. 
For example, of the 206 combined locations where AMO and the Coast 
Guard conduct operations in customs waters, only 17 of them (8 percent) 
have similar capabilities and an overlapping area of responsibility.
    However, AMO and the Coast Guard could improve coordination and 
communication at those 17 areas. For example, we found that the 
majority of those locations did not train together, and nearly half (45 
percent) did not coordinate operations or activities.\16\
---------------------------------------------------------------------------
    \16\ AMO and Coast Guard Maritime Missions Are Not Duplicative, But 
Could Improve with Bettter Coordination, OIG-17-03 (October 2016).
---------------------------------------------------------------------------
    We also supervised the annual financial statement audit, which 
concluded that, as it relates to the internal control environment, the 
Coast Guard had a number of internal control deficiencies in the areas 
of financial disclosure reports; accounts receivable; civilian and 
military payroll; financial reporting process; and accounts payable 
accrual. However, these deficiencies were not considered significant, 
and thus were not reported in the agency's FY 2015 financial statement 
report.\17\ The FY 2016 review is ongoing.
---------------------------------------------------------------------------
    \17\ United States Coast Guard's Management Letter for DHS' FY 2015 
Financial Statements Audit, OIG-16-77.
---------------------------------------------------------------------------
    With regard to Coast Guard's information technology issues, 
however, the financial statement auditors found that there were IT 
control deficiencies related to access controls, segregation of duties, 
and configuration management of Coast Guard's core financial and feeder 
systems. In many cases, new control deficiencies reflected weaknesses 
over controls and systems that were new to the scope of the FY 2015 
audit. Such deficiencies limited Coast Guard's ability to ensure that 
critical financial and operational data were maintained in such a 
manner to ensure confidentiality, integrity, and availability. These 
issues, when combined with other IT issues, contributed to a material 
weakness in IT controls and financial system functionality at the DHS 
Department-wide level.\18\
---------------------------------------------------------------------------
    \18\ Information Technology Management Letter for the United States 
Coast Guard Component of the FY 2015 Department of Homeland Security 
Financial Statement Audit, OIG-16-44.
---------------------------------------------------------------------------
    The conclusions reached in that audit are similar to the 
deficiencies in the Coast Guard IT systems we discovered during our 
2015 Federal Information Security Modernization Act (FISMA) audit. For 
example, we found that the Coast Guard was operating 35 separate 
information systems without an ``Authority to Operate.'' This 
represents 56 percent of Coast Guard's high-value assets and mission 
essential systems, and 67 percent of all other systems. A system 
operating without an authority to operate means the Coast Guard cannot 
ensure they have implemented effective controls to protect the 
sensitive information stored and processed by these systems.\19\ Coast 
Guard made significant strides in this area between our FY 2015 and FY 
2016 FISMA audits, and in our latest review, had reduced the number of 
systems without an authority to operate to six.\20\
---------------------------------------------------------------------------
    \19\ Evaluation of DHS' Information Security Program for Fiscal 
Year 2015, OIG-16-08.
    \20\ Evaluation of DHS' Information Security Program for Fiscal 
Year 2016, OIG-17-24.
---------------------------------------------------------------------------
    On a positive note, we conducted a review of the Coast Guard's 
major acquisition process. We did so as a result of concerns we had 
raised in an earlier 2012 audit, which found that the Coast Guard's 
schedule-driven acquisition process allowed the construction of 
Sentinel Class Fast Response Cutter to begin before all of the 
operational, design and technical risks were resolved. This 
necessitated modification of the cutters under construction, causing 
scheduling delays and additional costs. In this verification review, we 
examined the Coast Guard's acquisition of a different vessel, the 
Offshore Patrol Cutter, to see if the Coast Guard had absorbed the 
lessons from our audit. We found that the Coast Guard's plans to reduce 
risks during this acquisition show progress toward achieving the 
intended results of our earlier audit. However, it is too early in the 
acquisition to determine whether the Coast Guard has fully implemented 
its plans. We will continue to look at the issue.\21\
---------------------------------------------------------------------------
    \21\ Verification Review of U.S. Coast Guard's Acquisition of the 
Sentinel Class-Fast Response Cutter, OIG-12-68.
---------------------------------------------------------------------------
Cybersecurity Threat Issues
    Our office looked at a number of cyber issues as it relates to DHS 
in the recent past.
FISMA
    The Federal Information Security Modernization Act (FISMA) requires 
Federal agencies to establish security protections for information 
systems that support their operations and report annually on the 
effectiveness of information security policies, procedures, and 
practices. FISMA also requires that the agency OIG perform an annual 
independent evaluation of the agency's information security program and 
practices and report on agency compliance in the following areas:

   1.  Continuous Monitoring Management

   2.  Configuration Management

   3.  Identity and Access Management

   4.  Incident Response and Reporting

   5.  Risk Management

   6.  Security Training

   7.  Plan of Action and Milestones

   8.  Remote Access Management

   9.  Contingency Planning

  10.  Contractor Systems

    Each year the OIG is required to issue two FISMA reports: A general 
FISMA report concerning the Department's ``Sensitive But 
Unclassified,'' ``Secret,'' and ``Top Secret'' systems to the Office of 
Management and Budget; and a second report based on our assessment of 
DHS' intelligence systems to the Intelligence Community Inspector 
General (IC IG) with no recommendations. Based on the results in our IC 
IG report, we issue a third report to the Department that includes 
recommendations for correcting the deficiencies identified regarding 
DHS' intelligence systems.
General FISMA
    For FY 2016, we found that DHS has taken actions to strengthen its 
information security program.\22\
---------------------------------------------------------------------------
    \22\ Evaluation of DHS' Information Security Program for Fiscal 
Year 2016, OIG-17-24.
---------------------------------------------------------------------------
    On July 22, 2015, in response to cyber-attacks on the Federal 
Government, the DHS senior leadership ordered DHS and its Components to 
strengthen their cyber defenses. Components were to implement the 
following cybersecurity infrastructure measures within 30 days:

   consolidate all of DHS' Internet traffic behind the 
        Department's trusted Internet connections,

   implement strong authentication through the use of personal 
        identity verification (PIV) cards for all privileged and 
        unprivileged access accounts,

   achieve 100 percent SA compliance for systems identified by 
        the Component as high value assets and 95 percent compliance 
        for the remaining systems, and

   retire all discontinued operating systems and servers (e.g., 
        Windows XP and Windows Server 2000/2003).

    To further enhance the Department's cyber defense, in January 2016 
DHS senior leadership further ordered Components to take the following 
actions to protect their networks and educate their employees within 45 
days:

   establish the capability to perform searches for compromise 
        indicators within 24 hours of detected suspicious network 
        activity,

   remove users' administrative privileges on workstations 
        connected to the networks, and

   require two-factor authentication for all users accessing 
        the Department's Homeland Secure Data Network.

    The Components have made significant progress in remediating 
security weaknesses identified, compared to the same period last year. 
Further, as of May 2016, all Components were reporting information 
security metrics to the Department, enabling DHS to better evaluate its 
security posture.
    Despite the progress made, Components were not consistently 
following DHS' policies and procedures to maintain current or complete 
information on remediating security weaknesses in a timely fashion. 
Components operated 79 unclassified systems with expired authorities to 
operate. Further, Components had not consolidated all Internet traffic 
behind the Department's trusted Internet connections and continued to 
use unsupported operating systems that may expose DHS data to 
unnecessary risks. We also identified deficiencies related to 
configuration management and continuous monitoring. Without addressing 
these deficiencies, the Department cannot ensure that its systems are 
adequately secured to protect the sensitive information stored and 
processed in them.
Intelligence FISMA
    Pursuant to FISMA, we reviewed the Department's policies, 
procedures, and system security controls for the enterprise-wide 
intelligence system in September of last year. Since our FY 2015 
evaluation, the Office of Intelligence and Analysis has continued to 
provide effective oversight of the department-wide system and has 
implemented programs to monitor ongoing security practices. In 
addition, Intelligence and Analysis has relocated its intelligence 
system to a DHS data center to improve network resiliency and support.
    The Coast Guard has migrated all of its sites that process Top 
Secret/Sensitive Compartmented Information to the Department of Defense 
Intelligence Information System owned by the Defense Intelligence 
Agency. However, Coast Guard must continue to work with the Defense 
Intelligence Agency to clearly identify agency oversight 
responsibilities for the Department of Defense Intelligence Information 
System enclaves that support Coast Guard's intelligence operations.\23\
---------------------------------------------------------------------------
    \23\ Review of DHS' Information Security Program for Intelligence 
Systems of Fiscal Year 2016, OIG-16-131 (September 2016).
---------------------------------------------------------------------------
Science and Technology Directorate Insider Threats
    The DHS Science and Technology Directorate (S&T) is the primary DHS 
research arm. Its mission is to strengthen the Nation's security and 
resiliency by providing knowledge products and innovative solutions for 
DHS. Trusted insiders at S&T are given elevated access to mission-
critical assets, including personnel, facilities, information, 
equipment, networks, and systems. Trusted insiders may also be aware of 
weaknesses in organizational policies and procedures, as well as 
physical and technical vulnerabilities in computer networks and 
information systems.
    We have begun an audit to assess the effectiveness of steps S&T has 
taken to protect its IT assets and data from potential unauthorized 
access, disclosure, or misuse by its employees, contractors, and 
business partners--especially those with special or elevated access 
based upon their job descriptions or functions. The scope of our review 
includes S&T headquarters and selected S&T locations that use or 
maintain IT systems and data; security operations and incident response 
centers; and other locations as needed. We expect to complete this 
performance audit and report on the results in February 2017.
    Mr. Chairman, this concludes my testimony. I am happy to answer any 
questions you or any members of the Committee may have.

                                                 Department of Homeland Security Open Recommendations as of December 31, 2016 (TSA, USCG, FISMA)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                                                                Funds to be Put
                   Report No.          Report Title          Date  Issued                    Recommendation                     Rec. No.      DHS  Comp.     Questioned Cost     to Better Use
                                                                                                                                                             (Federal Share)    (Federal Share)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1                    OIG-15-16   Evaluation of DHS'            12/12/2014   We recommend that the Chief Information Security           2             MGMT
                                  Information Security                       Officer (CISO) evaluate whether the
                                  Program for Fiscal Year                    Department's system inventory methodology is
                                  2014                                       effective to prevent Components from
                                                                             circumventing the existing process to procure
                                                                             or develop new systems.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2                    OIG-15-16   Evaluation of DHS'            12/12/2014   We recommend that the CISO strengthen the                  6             MGMT
                                  Information Security                       process to ensure that all DHS systems receive
                                  Program for Fiscal Year                    the proper authority to operate in accordance
                                  2014                                       with applicable OMB and National Institute of
                                                                             Standards and Technology (NIST) security
                                                                             authorization guidance.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
3                    OIG-16-08   Evaluation of DHS'            11/13/2015   We recommend that the DHS CISO strengthen the              3             MGMT
                                  Information Security                       Department's oversight of the Component's
                                  Program for Fiscal Year                    information security programs to ensure they
                                  2015                                       comply with requirements throughout the year
                                                                             instead of peaking in compliance during the
                                                                             months leading up to annual Federal Information
                                                                             Security Management Act of 2002, as amended
                                                                             (FISMA) reporting.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
4                    OIG-16-08   Evaluation of DHS'            11/13/2015   We recommend that DHS CISO implement input                 5             MGMT
                                  Information Security                       validation controls on DHS' enterprise
                                  Program for Fiscal Year                    management systems and perform quality reviews
                                  2015                                       to validate that the information entered is
                                                                             accurate.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5                    OIG-12-26   Transportation Security         1/6/2012   This is a classified report.                               5              TSA
                                  Administration Covert
                                  Testing of Access
                                  Controls to Secured
                                  Airport Areas
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
6                   OIG-14-132   Audit of Security               9/5/2014   We recommend that the TSA Chief Information                3              TSA
                                  Controls for DHS                           Officer (CIO) establish a process to report
                                  Information Technology                     Security Technology Integrated Program (STIP)
                                  Systems at Dallas/Fort                     computer security incidents to TSA Security
                                  Worth International                        Operations Center (SOC).
                                  Airport
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
7                   OIG-14-132   Audit of Security               9/5/2014   We recommend that the TSA Chief Information                5              TSA
                                  Controls for DHS                           Officer (CIO) provide required vulnerability
                                  Information Technology                     assessment reports to the DHS Vulnerability
                                  Systems at Dallas/Fort                     Management Branch.
                                  Worth International
                                  Airport
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8                   OIG-14-142   (U) Vulnerabilities            9/16/2014   This is a classified report.                               4              TSA
                                  Exist in TSA's Checked
                                  Baggage Screening
                                  Operations
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
9                   OIG-14-142   (U) Vulnerabilities            9/16/2014   This is a classified report.                               5              TSA
                                  Exist in TSA's Checked
                                  Baggage Screening
                                  Operations
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10                  OIG-14-153   Use of Risk Assessment          9/9/2014   (SSI) This recommendations contains Sensitive              1              TSA
                                  within Secure Flight                       Security Information.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
11                   OIG-15-18   Audit of Security             12/16/2014   We recommend that the TSA CIO designate the                6              TSA
                                  Controls for DHS                           intrusion detection and surveillance Security
                                  Information Technology                     Systems as DHS information technology (IT)
                                  Systems at John F.                         systems and implement applicable management,
                                  Kennedy International                      technical, operational, and privacy controls
                                  Airport-Sensitive                          and reviews.
                                  Security Information
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
12                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive              1              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
13                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive              2              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
14                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive              4              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
15                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive              5              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
16                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive              9              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
17                   OIG-15-29   Security Enhancements          1/28/2015   We recommend that the TSA Assistant                       10              TSA
                                  Needed to the TSA                          Administrator for the Office of Intelligence
                                  PreCheckTM Initiative                      and Analysis: Employ exclusion factors to refer
                                                                             TSA PreCheck passengers to standard security
                                                                             lane screening at random intervals.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
18                   OIG-15-29   Security Enhancements          1/28/2015   We recommend that the TSA Assistant                       13              TSA
                                  Needed to the TSA                          Administrator for the Office of Security
                                  PreCheckTM Initiative                      Operations: Develop and implement a strategy to
                                                                             address the TSA PreCheck  lane covert testing
                                                                             results.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
19                   OIG-15-29   Security Enhancements          1/28/2015   (SSI) This recommendations contains Sensitive             14              TSA
                                  Needed to the TSA                          Security Information.
                                  PreCheckTM Initiative
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
20                   OIG-15-45   Allegations of Granting        3/16/2015   (SSI) This recommendations contains Sensitive              1              TSA
                                  Expedited Screening                        Security Information.
                                  through TSA PreCheck
                                  Improperly (OSC File
                                  No. DI-14-3679)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
21                   OIG-15-86   The Transportation              5/6/2015   We recommend that TSA's Office of Security                 1              TSA
                                  Security Administration                    Capabilities (OSC) and Office of Security
                                  Does Not Properly                          Operations develop and implement a preventive
                                  Manage Its Airport                         maintenance validation process to verify that
                                  Screening Equipment                        required routine maintenance activities are
                                  Maintenance Program                        completed according to contractual requirements
                                                                             and manufacturers' specifications. These
                                                                             procedures should also include instruction for
                                                                             appropriate TSA airport personnel on
                                                                             documenting the performance of Level 1
                                                                             preventive maintenance actions.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
22                   OIG-15-86   The Transportation              5/6/2015   We recommend that TSA's Office of Security                 2              TSA
                                  Security Administration                    Capabilities and Office of Security Operations
                                  Does Not Properly                          Develop and implement policies and procedures
                                  Manage Its Airport                         to ensure that local TSA airport personnel
                                  Screening Equipment                        verify and document contractors' completion of
                                  Maintenance Program                        corrective maintenance actions. These
                                                                             procedures should also include quality
                                                                             assurance steps that would ensure the integrity
                                                                             of the information collected.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
23                   OIG-15-88   Audit of Security               5/7/2015   We recommend that the TSA CIO provide required            14              TSA
                                  Controls for DHS                           vulnerability assessment reports to the DHS
                                  Information Technology                     Vulnerability Management Branch for STIP
                                  Systems at San                             servers tested, similar to those operating at
                                  Francisco International                    San Francisco International Airport (SFO).
                                  Airport
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
24                   OIG-15-88   Audit of Security               5/7/2015   We recommend that the TSA CIO update the                  15              TSA
                                  Controls for DHS                           operating systems on STIP servers to a vendor-
                                  Information Technology                     supported version that can be patched to
                                  Systems at San                             address emerging vulnerabilities.
                                  Francisco International
                                  Airport
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
25                   OIG-15-98   TSA Can Improve Aviation        6/4/2015   We recommend that the TSA Acting Administrator             6              TSA
                                  Worker Vetting                             implement all necessary data quality checks
                                                                             necessary to ensure that all credential
                                                                             application data elements required by TSA
                                                                             Security Directive 1542-04-08G are complete and
                                                                             accurate.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
26                  OIG-15-118   Transportation Security         8/6/2015   We recommend that the Assistant Administrator,             2              TSA
                                  Administration's                           Office of Human Capital for TSA and the Federal
                                  Management of Its                          Air Marshal Service conduct a cost-benefit
                                  Federal Employees'                         analysis to ensure all costs are considered to
                                  Compensation Act                           implement one medical case management system
                                  Program                                    for TSA, including its Federal Air Marshal
                                                                             Service.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
27                   OIG-16-32   TSA's Human Capital            1/29/2016   We recommend that TSA's Assistant Administrator            1              TSA
                                  Services Contract Terms                    for the Office of Acquisition ensure that
                                  and Oversight Need                         Personnel Futures Program (PFP) contracts
                                  Strengthening                              contain lessons learned from the human capital
                                                                             services (HR Access) contract that include:--
                                                                             developing and implementing policy guidance for
                                                                             administering award fee type contracts;--
                                                                             monetary penalties for performance deficiencies
                                                                             including violating Federal law;--performance
                                                                             timeframes and prescriptive language in the
                                                                             statement of works (SOW);--performance metrics
                                                                             that correspond to the majority of sections in
                                                                             the SOWs;--timeframes for correcting
                                                                             performance deficiencies; and--requirements for
                                                                             initiating and issuing performance letters, and
                                                                             for factoring performance deficiencies
                                                                             addressed in those letters into performance
                                                                             evaluations and award determinations.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
28                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                1              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure that IT
                                  Security Technology                        security controls are included in STIP system
                                  Integrated Program                         design and implementation so that STIP servers
                                                                             are not deployed with known technical
                                                                             vulnerabilities.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
29                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                2              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure that STIP
                                  Security Technology                        servers use approved operating systems for
                                  Integrated Program                         which the Department has established minimum
                                                                             security baseline configuration guidance.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
30                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                3              TSA
                                  Continue in TSA's                          Administrator for the Office of Security
                                  Security Technology                        Capabilities jointly ensure that STIP servers
                                  Integrated Program                         have the latest software patches installed so
                                                                             that identified vulnerabilities will not be
                                                                             exploited.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
31                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                4              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure that IT
                                  Security Technology                        security testing is performed so that STIP
                                  Integrated Program                         servers are not deployed with known technical
                                                                             vulnerabilities.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
32                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                5              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure that
                                  Security Technology                        authorized TSA staff obtain and change
                                  Integrated Program                         administrator passwords for all STIP servers at
                                                                             airports so that contractors no longer have
                                                                             full control over this equipment at airports.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
33                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                6              TSA
                                  Continue in TSA's                          Administrator for OSC jointly implement a
                                  Security Technology                        contractor oversight process so that only
                                  Integrated Program                         authorized and approved software, along with
                                                                             timely updates, is installed on STIP airport
                                                                             servers.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
34                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                7              TSA
                                  Continue in TSA's                          Administrator for OSC jointly inventory all
                                  Security Technology                        locations at Orlando International Airport
                                  Integrated Program                         housing STIP servers and switches and ensure
                                                                             that these locations comply with DHS policy
                                                                             concerning physical security controls.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
35                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                8              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure an
                                  Security Technology                        adequate operational recovery capability for
                                  Integrated Program                         STIP servers at Data Center 1 (DC1) in case
                                                                             Data Center 2 (DC2) becomes inaccessible.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
36                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant                9              TSA
                                  Continue in TSA's                          Administrator for OSC jointly establish a
                                  Security Technology                        process for providing STIP server vulnerability
                                  Integrated Program                         assessment reports to the Department so that
                                                                             DHS leadership may adequately monitor system
                                                                             compliance capability.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
37                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant               10              TSA
                                  Continue in TSA's                          Administrator for OSC jointly ensure that IT
                                  Security Technology                        security requirements are included in equipment
                                  Integrated Program                         procurement contracts for IT components of STIP
                                                                             and passenger and checked baggage screening
                                                                             equipment as required.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
38                   OIG-16-87   IT Management Challenges       5/10/2016   We recommend that the TSA CIO and Assistant               11              TSA
                                  Continue in TSA's                          Administrator for OSC jointly institute
                                  Security Technology                        controls so that all IT costs associated with
                                  Integrated Program                         STIP are accurately captured and reported in
                                                                             annual budget submissions as required.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
39                   OIG-16-91   TSA Oversight of               5/13/2016   We recommend that the TSA Administrator ensure             1              TSA
                                  National Passenger Rail                    TSA develops and adheres to a detailed, formal
                                  System Security                            milestone plan to deliver the remaining 9/11
                                                                             Act Notices of Proposed Rulemaking to DHS.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
40                  OIG-16-128   TWIC Background Checks          9/1/2016   We recommend that the Assistant Administrator,             2              TSA
                                  are Not as Reliable as                     Office of Intelligence and Analysis,
                                  They Could Be                              Transportation Security Administration conduct
                                                                             a comprehensive risk analysis of the Security
                                                                             Threat Assessment processes to identify areas
                                                                             needing additional internal controls and
                                                                             quality assurance procedures; and develop and
                                                                             implement those procedures, including periodic
                                                                             reviews to evaluate their effectiveness.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
41                  OIG-16-128   TWIC Background Checks          9/1/2016   We recommend that the Assistant Administrator,             3              TSA
                                  are Not as Reliable as                     Office of Intelligence and Analysis,
                                  They Could Be                              Transportation Security Administration improve
                                                                             Transportation Worker Identification Credential
                                                                             program-level performance metrics to ensure
                                                                             they align with the program's core objectives,
                                                                             and direct management officials to use these
                                                                             metrics for all the supporting offices.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
42                  OIG-16-128   TWIC Background Checks          9/1/2016   We recommend that the Assistant Administrator,             4              TSA
                                  are Not as Reliable as                     Office of Intelligence and Analysis,
                                  They Could Be                              Transportation Security Administration review
                                                                             current Transportation Worker Identification
                                                                             Credential Security Threat Assessment guidance
                                                                             to ensure it provides adjudicators the
                                                                             necessary information and authority to complete
                                                                             Security Threat Assessments.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
43                  OIG-16-134   TSA Needs a Crosscutting        9/9/2016   We recommend that the Deputy Administrator, TSA,           1              TSA
                                  Risk-Based Security                        develop and implement a crosscutting risk-based
                                  Strategy                                   security strategy that encompasses all
                                                                             transportation modes. The strategy should, at a
                                                                             minimum:--define intelligence-driven, risk-
                                                                             based security;--identify objectives for an
                                                                             intelligence-driven, risk-based security
                                                                             approach;--identify steps for all
                                                                             transportation modes to achieve risk-based
                                                                             security objectives;--provide guidelines for
                                                                             aligning resources with risk;--establish
                                                                             priorities, milestones, and performance
                                                                             measures to gauge the effectiveness of the
                                                                             strategy; and--establish responsible parties
                                                                             and timelines for strategy implementation.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
44                  OIG-16-134   TSA Needs a Crosscutting        9/9/2016   We recommend that the Deputy Administrator, TSA,           3              TSA
                                  Risk-Based Security                        establish a formal budget planning process that
                                  Strategy                                   uses risk to help inform resource allocations.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
45                   OIG-17-04   TSA Could Improve Its         10/14/2016   We recommend that the TSA Administrator: Direct            1              TSA
                                  Oversight of Airport                       TSA personnel to conduct additional tests of
                                  Controls over Access                       access media badge controls during
                                  Media Badges                               comprehensive and targeted inspections of U.S.
                                                                             airports.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
46                   OIG-17-04   TSA Could Improve Its         10/14/2016   We recommend that the TSA Administrator: Issue             2              TSA
                                  Oversight of Airport                       guidance to U.S. airports clearly explaining
                                  Controls over Access                       how to determine whether an airport's lost,
                                  Media Badges                               stolen, and unaccounted for access media badges
                                                                             are exceeding the 5 percent threshold.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
47                   OIG-17-04   TSA Could Improve Its         10/14/2016   We recommend that TSA share with airport                   3              TSA
                                  Oversight of Airport                       operators the best practices some airports use
                                  Controls over Access                       to mitigate the risks of lost, stolen, and
                                  Media Badges                               unaccounted for access media badges and
                                                                             encourage airport operators to use these
                                                                             practices when feasible.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
48                   OIG-17-14   Summary Report on Audits      11/29/2016   We recommend that the TSA CIO update TSA's                 1              TSA
                                  of Security Controls                       Business Impact Analyses for TSA Network
                                  for TSA Information                        (TSANet) and Security Technology Integrated
                                  Technology Systems at                      Program (STIP) to include the TSA local area
                                  Airports                                   networks (LAN), points of contact, and business
                                                                             processes that would be adversely affected by a
                                                                             potential communications outage at airports.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
49                   OIG-17-14   Summary Report on Audits      11/29/2016   We recommend that the TSA CIO establish a plan             2              TSA
                                  of Security Controls                       to conduct recurring reviews of the
                                  for TSA Information                        operational, technical, and management security
                                  Technology Systems at                      controls for TSA IT systems at U.S. airports
                                  Airports                                   nationwide.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
50                   OIG-10-11   Independent Auditors'         11/13/2009   We recommend that the Coast Guard implement            I-A.4               USCG
                                  Report on DHS' FY 2009                     accounting and financial reporting processes
                                  Financial Statements                       including an integrated general ledger system
                                  and Internal Control                       that is The Federal Financial Managers
                                  Over Financial                             Improvement Act of 1996 (FFMIA) compliant.
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
51                   OIG-10-11   Independent Auditors'         11/13/2009   We recommend that the Coast Guard design and           I-D.8               USCG
                                  Report on DHS' FY 2009                     implement policies, procedures, and internal
                                  Financial Statements                       controls to support the completeness,
                                  and Internal Control                       existence, accuracy, and presentation and
                                  Over Financial                             disclosure assertions related to the data
                                  Reporting                                  utilized in developing disclosure and related
                                                                             supplementary information for Stewardship
                                                                             property, plant, and equipment (PP&E) that is
                                                                             consistent with generally accepted accounting
                                                                             principles (GAAP).
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
52                   OIG-11-86   U.S. Coast Guard's              6/1/2011   We recommend that the Assistant Commandant for             1               USCG
                                  Marine Safety Program--                    Marine Safety, Security and Stewardship, U.S.
                                  Offshore Vessel                            Coast Guard complete and disseminate to field
                                  Inspections                                units New Construction Project Inspector
                                                                             Performance Qualification Standards and update
                                                                             the Marine Safety Manual accordingly.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
53                   OIG-11-86   U.S. Coast Guard's              6/1/2011   We recommend that the Assistant Commandant for             3               USCG
                                  Marine Safety Program--                    Marine Safety, Security and Stewardship, U.S.
                                  Offshore Vessel                            Coast Guard augment Marine Information for
                                  Inspections                                Safety and Law Enforcement (MISLE) access
                                                                             controls, and develop subsequent policy, so
                                                                             that the same person cannot open, complete, and
                                                                             close an inspection case.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
54                   OIG-12-07   Independent Auditors'         11/11/2011   We recommend that the Coast Guard, establish new     I.A.3.a               USCG
                                  Report on DHS' FY 2011                     or improve existing policies, procedures, and
                                  Integrated Financial                       related internal controls to ensure that: The
                                  Statements and Internal                    year-end close-out process, reconciliations,
                                  Control over Financial                     and financial data and account analysis
                                  Reporting                                  procedures are supported by documentation,
                                                                             including evidence of effective management
                                                                             review and approval, and beginning balances in
                                                                             the following year are determined to be
                                                                             reliable and auditable.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
55                   OIG-12-07   Independent Auditors'         11/11/2011   We recommend that the Coast Guard, establish new     I.A.3.e               USCG
                                  Report on DHS' FY 2011                     or improve existing policies, procedures, and
                                  Integrated Financial                       related internal controls to ensure that: All
                                  Statements and Internal                    intra-governmental activities and balances are
                                  Control over Financial                     reconciled on a timely basis, accurately
                                  Reporting                                  reflected in the financial statements, and
                                                                             differences are resolved in a timely manner in
                                                                             coordination with the Department's Office of
                                                                             Financial Management (OFM).
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
56                   OIG-13-20   Independent Auditors'         11/14/2012   We recommend that the Coast Guard establish new    I.A.1.c.i               USCG
                                  Report on DHS FY 2012                      or improve existing policies, procedures, and
                                  Consolidated Financial                     related internal controls to ensure that: All
                                  Statements and Report                      non-standard adjustments (i.e., journal
                                  on Internal Control                        entries, top side adjustments, and scripts)
                                  Over Financial                             impacting the general ledger are adequately
                                  Reporting                                  researched, supported, and reviewed prior to
                                                                             their recording in the general ledger.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
57                   OIG-13-20   Independent Auditors'         11/14/2012   We recommend that the Coast Guard establish new   I.A.1.c.ii               USCG
                                  Report on DHS FY 2012                      or improve existing policies, procedures, and
                                  Consolidated Financial                     related internal controls to ensure that: All
                                  Statements and Report                      non-GAAP policies are identified and their
                                  on Internal Control                        quantitative and qualitative financial
                                  Over Financial                             statement impacts have been documented.
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
58                   OIG-13-20   Independent Auditors'         11/14/2012   We recommend that the Coast Guard: Continue to       I.E.1.a               USCG
                                  Report on DHS FY 2012                      improve the enforcement of existing policies
                                  Consolidated Financial                     and procedures related to processing obligation
                                  Statements and Report                      transactions and the periodic review and
                                  on Internal Control                        validation of undelivered orders. In
                                  Over Financial                             particular, emphasize the importance of
                                  Reporting                                  performing effective reviews of open
                                                                             obligations, obtaining proper approvals, and
                                                                             retaining supporting documentation.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
59                   OIG-13-20   Independent Auditors'         11/14/2012   We recommend that the Coast Guard: Continue with     I.E.1.b               USCG
                                  Report on DHS FY 2012                      current remediation efforts to develop and
                                  Consolidated Financial                     implement policies, procedures, and internal
                                  Statements and Report                      controls over the monitoring of reimbursable
                                  on Internal Control                        agreements and unfilled customer orders to
                                  Over Financial                             ensure activity, including closeout and de-
                                  Reporting                                  obligation, is recorded timely and accurately.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
60                   OIG-13-20   Independent Auditors'         11/14/2012   We recommend that the Coast Guard: Implement         I.E.1.c               USCG
                                  Report on DHS FY 2012                      sufficient policies and procedures for
                                  Consolidated Financial                     recording the appropriate budgetary entries
                                  Statements and Report                      timely upon receipt of goods, and prior to
                                  on Internal Control                        payment.
                                  Over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
61                   OIG-13-19   Identification,               12/21/2012   We recommend that the Assistant Commandant for             3               USCG
                                  Reutilization, and                         Resources and Chief Financial Officer (CFO)
                                  Disposal of Excess                         develop and implement a demilitarization
                                  Personal Property by                       program, in coordination with the Department of
                                  the United States Coast                    Defense Demilitarization Office, that includes
                                  Guard                                      training and certification for United States
                                                                             Coast Guard personnel who manage, oversee, or
                                                                             process personal property from acquisition to
                                                                             disposal.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
62                   OIG-13-19   Identification,               12/21/2012   We recommend that the Assistant Commandant for             4               USCG
                                  Reutilization, and                         Resources and CFO develop and implement a
                                  Disposal of Excess                         process to enter and track all classified
                                  Personal Property by                       personal property in the Oracle Fixed Asset
                                  the United States Coast                    Module. Develop and implement standardized
                                  Guard                                      policies and procedures to ensure
                                                                             accountability, monitoring, and oversight of
                                                                             disposal of classified personal property
                                                                             components (e.g., hard drives and printer
                                                                             cartridges).
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
63                   OIG-13-19   Identification,               12/21/2012   We recommend that the Assistant Commandant for             6               USCG
                                  Reutilization, and                         Resources and CFO develop and implement a
                                  Disposal of Excess                         comprehensive training program, to include
                                  Personal Property by                       reutilization and disposal, for property
                                  the United States Coast                    managers, tailored to each level of personal
                                  Guard                                      property management responsibility. The
                                                                             training should include Commanding Officers,
                                                                             Accountable Property Officers, Personal
                                                                             Property Administrators, and Property
                                                                             Custodians and mandatory training for Oracle
                                                                             Fixed Asset Module users before granting future
                                                                             access.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
64                   OIG-13-19   Identification,               12/21/2012   We recommend that the Assistant Commandant for             7               USCG
                                  Reutilization, and                         Resources and CFO develop and implement
                                  Disposal of Excess                         policies and procedures to account for newly
                                  Personal Property by                       purchased computers that comply with the U.S.
                                  the United States Coast                    Coast Guard's Personal Property Management
                                  Guard                                      Manual requirement for entry of personal
                                                                             property into the Oracle Fixed Asset Module
                                                                             within 30 calendar days of receipt from the
                                                                             vendor.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
65                   OIG-13-92   Marine Accident                5/23/2013   We recommend that the USCG Assistant Commandant            1               USCG
                                  Reporting,                                 for Resources and CFO implement an
                                  Investigations, and                        investigations and inspections retention plan
                                  Enforcement in the                         to ensure qualified personnel are retained
                                  United States Coast                        within the inspections and investigations
                                  Guard                                      specialties.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
66                   OIG-13-92   Marine Accident                5/23/2013   We recommend that the USCG Assistant Commandant            2               USCG
                                  Reporting,                                 for Resources and CFO revise and strengthen its
                                  Investigations, and                        personnel management policies by implementing
                                  Enforcement in the                         provisions of the 2010 Coast Guard
                                  United States Coast                        Authorization Act, which allows promotions by
                                  Guard                                      specialty for marine inspectors and
                                                                             investigators to foster retention and
                                                                             continuity.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
67                   OIG-13-92   Marine Accident                5/23/2013   We recommend that the USCG Assistant Commandant            3               USCG
                                  Reporting,                                 for Resources and CFO develop a complete
                                  Investigations, and                        process with sufficient resources to review,
                                  Enforcement in the                         track, and address all recommendations
                                  United States Coast                        resulting from investigations reports.
                                  Guard
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
68                   OIG-13-92   Marine Accident                5/23/2013   We recommend that the USCG Assistant Commandant            5               USCG
                                  Reporting,                                 for Resources and CFO provide training and
                                  Investigations, and                        guidance to all investigations personnel on all
                                  Enforcement in the                         enforcement options.
                                  United States Coast
                                  Guard
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
69                   OIG-13-92   Marine Accident                5/23/2013   We recommend that the USCG Assistant Commandant            6               USCG
                                  Reporting,                                 for Resources and Chief Financial Officer
                                  Investigations, and                        develop Civil Penalty enforcement training
                                  Enforcement in the                         guidelines for preparing and supporting Civil
                                  United States Coast                        Penalty cases for all investigations staff.
                                  Guard                                      USCG should consider using officers with
                                                                             previous experience in the Hearing Office to
                                                                             complete this task.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
70                   OIG-14-18   Independent Auditors'         12/11/2013   We recommend that Coast Guard: Fully adhere to              C.1.b          USCG
                                  Report on DHS' FY 2013                     established inventory policies and procedures.
                                  Financial Statements
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
71                   OIG-14-18   Independent Auditors'         12/11/2013   We recommend that Coast Guard: Establish new or             C.1.d          USCG
                                  Report on DHS' FY 2013                     improve existing processes to identify and
                                  Financial Statements                       evaluate lease agreements to ensure that they
                                  and Internal Control                       are appropriately classified as operating or
                                  over Financial                             capital, and are properly reported in the
                                  Reporting                                  financial statements and related disclosures.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
72                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: Adopt policies,         1.a.b               USCG
                                  Report on DHS' FY 2014                     procedures, and accounting treatments
                                  Financial Statements                       documented in ad hoc technical accounting
                                  and Internal Control                       research papers into official financial
                                  over Financial                             reporting guidance that is distributed agency
                                  Reporting                                  wide; and refine financial reporting policies
                                                                             and procedures to prescribe process level
                                                                             internal controls at a sufficient level of
                                                                             detail to ensure consistent application to
                                                                             mitigate related financial statement risks.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
73                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: Identify and            1.a.c               USCG
                                  Report on DHS' FY 2014                     employ additional skilled resources.
                                  Financial Statements
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
74                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard, establish new or       1.a.ii               USCG
                                  Report on DHS' FY 2014                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that:
                                  and Internal Control                       Environmental liability schedules are updated,
                                  over Financial                             maintained, and reviewed.
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
75                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard, establish new or      1.a.iii               USCG
                                  Report on DHS' FY 2014                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that:
                                  and Internal Control                       Underlying data used in the estimation of
                                  over Financial                             environmental liabilities is complete and
                                  Reporting                                  accurate.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
76                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard, establish new or       1.a.iv               USCG
                                  Report on DHS' FY 2014                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that:
                                  and Internal Control                       Accrual decisions and/or calculations as well
                                  over Financial                             as the validation of prior year accrual amounts
                                  Reporting                                  are properly reviewed.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
77                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: Design and                 1.C.1.a          USCG
                                  Report on DHS' FY 2014                     implement controls to appropriately track asset
                                  Financial Statements                       activity at a transaction level and ensure the
                                  and Internal Control                       timely recording of asset additions, deletions,
                                  over Financial                             or other adjustments.
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
78                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: Continue to                1.C.1.b          USCG
                                  Report on DHS' FY 2014                     implement controls over the transfer of
                                  Financial Statements                       completed construction in progress assets to in-
                                  and Internal Control                       use and accurately recording leasehold
                                  over Financial                             improvements, asset impairments, and
                                  Reporting                                  construction in progress activity.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
79                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: establish new or           1.C.1.d          USCG
                                  Report on DHS' FY 2014                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to sufficiently
                                  and Internal Control                       support personal and real property balances,
                                  over Financial                             including electronics, internal-use software,
                                  Reporting                                  land, buildings and other structures.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
80                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: establish new, or          1.C.1.e          USCG
                                  Report on DHS' FY 2014                     improve existing, processes to identify and
                                  Financial Statements                       evaluate lease agreements to ensure they are
                                  and Internal Control                       appropriately classified as operating or
                                  over Financial                             capital, and are properly reported in the
                                  Reporting                                  financial statements and related disclosures.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
81                   OIG-15-10   Independent Auditors'         11/14/2014   We recommend that Coast Guard: Identify and               1.C.1.f          USCG
                                  Report on DHS' FY 2014                     employ additional skilled resources.
                                  Financial Statements
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
82                   OIG-15-55   United States Coast            3/27/2015   We recommend that the USCG CIO: Implement                  1               USCG
                                  Guard Has Taken Steps                      software to protect against the unauthorized
                                  to Address Insider                         removal of sensitive information through
                                  Threats, but Challenges                    removable media devices and e-mail accounts.
                                  Remain
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
83                   OIG-15-55   United States Coast            3/27/2015   We recommend that the USCG CIO: Implement                  2               USCG
                                  Guard Has Taken Steps                      stronger physical security controls to protect
                                  to Address Insider                         USCG's IT assets from possible loss, theft,
                                  Threats, but Challenges                    destruction, and malicious actions.
                                  Remain
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
84                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Establish new, or         1.a               USCG
                                  Report on DHS' FY 2015                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls.
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
85                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard establish new or        1.a.ii               USCG
                                  Report on DHS' FY 2015                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that:
                                  and Internal Control                       Transactions flowing between various general
                                  over Financial                             ledger systems, whether the result of
                                  Reporting                                  remediation or system limitation manual
                                                                             workarounds, are sufficiently tracked and
                                                                             analyzed to ensure complete and accurate
                                                                             reporting of operational activity and related
                                                                             general ledger account balances.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
86                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Establish new or        1.a.v               USCG
                                  Report on DHS' FY 2015                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure: The year-
                                  and Internal Control                       end close-out process, reconciliations, and
                                  over Financial                             financial data and account analysis procedures
                                  Reporting                                  are supported by documentation, including
                                                                             evidence of effective management review and
                                                                             approval; and beginning balances in the
                                                                             following year are determined to be reliable
                                                                             and supported.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
87                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard establish new or        1.a.vi               USCG
                                  Report on DHS' FY 2015                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that: All
                                  and Internal Control                       intra-governmental activities and balances are
                                  over Financial                             reconciled on a timely basis, accurately
                                  Reporting                                  reflected in the financial statements, and
                                                                             differences are resolved in a timely manner.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
88                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard establish new or       1.a.vii               USCG
                                  Report on DHS' FY 2015                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that:
                                  and Internal Control                       Adequate understanding and oversight of
                                  over Financial                             assumptions used in significant estimates is
                                  Reporting                                  maintained by Coast Guard management and
                                                                             continued appropriateness of those assumptions
                                                                             are routinely evaluated.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
89                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Identify and              1.c               USCG
                                  Report on DHS' FY 2015                     employ additional skilled resources and align
                                  Financial Statements                       them to financial reporting oversight roles.
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
90                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Develop processes          1.C.1.b          USCG
                                  Report on DHS' FY 2015                     and monitoring mechanisms to track construction-
                                  Financial Statements                       in-progress (CIP) projects at an asset level
                                  and Internal Control                       and continue to implement controls over the
                                  over Financial                             transfer of completed CIP assets to in-use and
                                  Reporting                                  accurately record leasehold improvements, asset
                                                                             impairments, and construction in progress
                                                                             activity.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
91                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Design contracts           1.C.1.c          USCG
                                  Report on DHS' FY 2015                     for Coast Guard's major construction projects
                                  Financial Statements                       to isolate costs between development and
                                  and Internal Control                       maintenance (i.e., capitalizable vs. expense),
                                  over Financial                             at an individual asset level, in order to
                                  Reporting                                  enhance traceability of CIP costs.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
92                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Establish new or           1.C.1.e          USCG
                                  Report on DHS' FY 2015                     improve existing policies, procedures, and
                                  Financial Statements                       related internal controls to sufficiently
                                  and Internal Control                       review personal and real property activity and
                                  over Financial                             balances, including electronics, internal-use
                                  Reporting                                  software, land, buildings and other structures,
                                                                             and verify costs are appropriate and reflect
                                                                             USCG's business operations during the fiscal
                                                                             year.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
93                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Establish new, or          1.C.1.f          USCG
                                  Report on DHS' FY 2015                     improve existing, processes to identify and
                                  Financial Statements                       evaluate lease agreements to ensure they are
                                  and Internal Control                       appropriately classified as operating or
                                  over Financial                             capital, and are properly reported in the
                                  Reporting                                  financial statements and related disclosures.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
94                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Develop and                1.C.1.h          USCG
                                  Report on DHS' FY 2015                     implement procedures to support the
                                  Financial Statements                       completeness, accuracy, and existence of all
                                  and Internal Control                       data utilized (e.g., real property multi-use
                                  over Financial                             assets) in developing required financial
                                  Reporting                                  statement disclosures, and related
                                                                             supplementary information, for stewardship
                                                                             property.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
95                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Implement                 1.d               USCG
                                  Report on DHS' FY 2015                     accounting and financial reporting processes
                                  Financial Statements                       and an integrated general ledger system that is
                                  and Internal Control                       FFMIA compliant.
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
96                   OIG-16-06   Independent Auditors'         11/13/2015   We recommend that Coast Guard: Develop a                 1.e               USCG
                                  Report on DHS' FY 2015                     comprehensive understanding of their actuarial
                                  Financial Statements                       evaluations and document the sources of all
                                  and Internal Control                       underlying data and assumptions.
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
97                   OIG-16-15   (U) Fiscal Year 2015          12/14/2015   This recommendation is classified.                         2               USCG
                                  Evaluation of DHS'
                                  Compliance with Federal
                                  Information Security
                                  Modernization Act
                                  Requirements for
                                  Intelligence Systems
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
98                   OIG-16-15   (U) Fiscal Year 2015          12/14/2015   This recommendation is classified.                         3               USCG
                                  Evaluation of DHS'
                                  Compliance with Federal
                                  Information Security
                                  Modernization Act
                                  Requirements for
                                  Intelligence Systems
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
99                   OIG-16-15   (U) Fiscal Year 2015          12/14/2015   This recommendation is classified.                         4               USCG
                                  Evaluation of DHS'
                                  Compliance with Federal
                                  Information Security
                                  Modernization Act
                                  Requirements for
                                  Intelligence Systems
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
100                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that DHS develop continuous                   2               USCG
                                  Report on DHS' FY 2016                     monitoring and testing of IT general controls
                                  Financial Statements                       to identify weaknesses, assess the resulting
                                  and Internal Control                       risks created by any identified IT
                                  over Financial                             deficiencies, and respond to those risks
                                  Reporting                                  through implementing compensating controls.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
101                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or            5               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that
                                  and Internal Control                       transactions flowing between various general
                                  over Financial                             ledger systems, whether the result of balance
                                  Reporting                                  clean-up activities or system limitation manual
                                                                             workarounds, are sufficiently tracked and
                                                                             analyzed to ensure complete and accurate
                                                                             reporting of operational activity and related
                                                                             general ledger account balances.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
102                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or            6               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that all
                                  and Internal Control                       non-standard adjustments (i.e., journal entries
                                  over Financial                             and top side adjustments) impacting the general
                                  Reporting                                  ledger are adequately researched, supported,
                                                                             and reviewed prior to their recording in the
                                                                             general ledger.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
103                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or            7               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that the
                                  and Internal Control                       year-end close-out process, reconciliations,
                                  over Financial                             and financial data and account analysis
                                  Reporting                                  procedures are supported by documentation,
                                                                             including evidence of effective management
                                                                             review and approval; and beginning balances in
                                                                             the following year are determined to be
                                                                             reliable and supported.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
104                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or            8               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that all
                                  and Internal Control                       intra-governmental activities and balances are
                                  over Financial                             reconciled, accurately reflected in the
                                  Reporting                                  financial statements, and differences are
                                                                             resolved in a timely manner.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
105                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or            9               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to ensure that
                                  and Internal Control                       Management possesses adequate understanding,
                                  over Financial                             maintains documentation, exercises oversight of
                                  Reporting                                  chosen assumptions, and routinely evaluates the
                                                                             completeness and accuracy of underlying data
                                                                             and the continued appropriateness of
                                                                             assumptions used in significant estimates.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
106                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or           10               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to increase training
                                  and Internal Control                       and development of existing resources to better
                                  over Financial                             align them to financial reporting oversight
                                  Reporting                                  roles.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
107                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard design and                  19               USCG
                                  Report on DHS' FY 2016                     implement controls to appropriately track asset
                                  Financial Statements                       activity at the transaction level and ensure
                                  and Internal Control                       the timely recording of asset additions,
                                  over Financial                             deletions, or other adjustments.
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
108                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard develop processes           20               USCG
                                  Report on DHS' FY 2016                     and monitoring mechanisms to track CIP projects
                                  Financial Statements                       at an asset level, continue to implement
                                  and Internal Control                       controls over the transfer of completed CIP to
                                  over Financial                             in-use assets, and increase monitoring of CIP
                                  Reporting                                  activity to ensure accurate recording in the
                                                                             general ledger.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
109                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard involve financial           21               USCG
                                  Report on DHS' FY 2016                     management personnel in the procurement of
                                  Financial Statements                       contracts for Coast Guard's major construction
                                  and Internal Control                       projects to ensure that they are structured to
                                  over Financial                             facilitate isolation of costs between
                                  Reporting                                  development and maintenance (i.e.,
                                                                             capitalizable vs. expensed), at an individual
                                                                             asset level, in order to enhance traceability
                                                                             of CIP costs.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
110                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard adhere to                   22               USCG
                                  Report on DHS' FY 2016                     established inventory policies and procedures.
                                  Financial Statements
                                  and Internal Control
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
111                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard establish new, or           23               USCG
                                  Report on DHS' FY 2016                     improve existing, policies, procedures, and
                                  Financial Statements                       related internal controls to sufficiently
                                  and Internal Control                       review personal and real property activity and
                                  over Financial                             balances in order to verify costs are
                                  Reporting                                  appropriate and reflect USCG's business
                                                                             operations during the fiscal year.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
112                  OIG-17-12   Independent Auditors'         11/14/2016   We recommend that Coast Guard attract and deploy          24               USCG
                                  Report on DHS' FY 2016                     additional skilled resources to support the
                                  Financial Statements                       control environment and provide the necessary
                                  and Internal Control                       financial reporting oversight.
                                  over Financial
                                  Reporting
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
113                  OIG-17-03   AMO and Coast Guard           10/14/2016   We recommend that the Coast Guard Commandant,              2               USCG,
                                  Maritime Missions Are                      CBP Commissioner, and U.S. Immigration and                                  CBP,
                                  Not Duplicative, But                       Customs Enforcement Director revise the                                    ICE
                                  Could Improve with                         Maritime Operations Coordination Plan to
                                  Better Coordination                        include requirements for coordination and
                                                                             information sharing at all levels, especially
                                                                             the local level.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
114                 OIG-16-105   DHS' Use of Reimbursable       6/23/2016   We recommend that the DHS Under Secretary for              3               USCG,                         $2,823,229
                                  Work Agreements with                       Management ensure that deobligation has                                 MGMT
                                  GSA                                        occurred for the following two reimbursable
                                                                             work agreements that the component was unable
                                                                             to prove had been done.--Coast Guard
                                                                             Reimbursable Work Agreements (RWA) #N3288560--
                                                                             $43,575 should be deobligated--Coast Guard RWA#
                                                                             B0511609--$2,779,654 should be deobligated.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
115                 OIG-16-105   DHS' Use of Reimbursable       6/23/2016   We recommend that the DHS Under Secretary for              2               USCIS,    $12,694,185
                                  Work Agreements with                       Management conduct a review of the following                              USCG,
                                  GSA                                        three reconciliation differences for the                                MGMT
                                                                             reimbursable work agreements, determine the
                                                                             reasons for the differences, and make any
                                                                             necessary corrections.--Coast Guard RWA#
                                                                             N3288560--$12,328,457 expenditure difference--
                                                                             Coast Guard RWA# B0511609--$320,228 expenditure
                                                                             difference--USCIS RWA# N3322206--$45,500
                                                                             expenditure difference.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                            Total Monetary Findings                                                              $12,694,185         $2,823,229
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total Recommendations as of December 31, 2016: 115
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


    The Chairman. Thank you, Mr. Roth.
    Mr. Scovel?

STATEMENT OF HON. CALVIN L. SCOVEL III, INSPECTOR GENERAL, U.S. 
                  DEPARTMENT OF TRANSPORTATION

    Mr. Scovel. Chairman Thune, Ranking Member Nelson, members 
of the Committee, thank you for inviting me to testify on DOT's 
top management challenges and unimplemented recommendations. I 
greatly appreciate the Committee's sustained keen interest and 
your support for Offices of Inspector General, including mine. 
It's an honor to be here today with several fellow IGs whose 
well respected work is critical to the management of our 
country's resources, safety, and security.
    Every year, my office reports on significant challenges for 
DOT. My testimony today focuses on three critical areas we 
identified for DOT for 2017: safety, stewardship, and 
completion of mandates and recommendations.
    As Secretary Chao stated clearly during her confirmation 
hearing, safety remains at the forefront of DOT's mission.
    The United States continues to have one of the safest 
transportation systems in the world. However, new technologies 
and industries bring new challenges. For example, FAA recently 
issued a rule to help safely integrate small unmanned aircraft 
systems, known as UAS, into our airspace. However, the number 
of UAS sightings by pilots and others continues to go up. Over 
1,400 were reported for the first three quarters of 2016, as 
compared to only 238 in all of 2014. Many of these occurred at 
altitudes well above the 400 feet maximum altitude authorized 
by FAA for civil UAS. Maintaining safety will require a strong, 
risk-based oversight system by FAA and coordination with other 
agencies.
    DOT and NHTSA face similar safety challenges with 
driverless car technology. Several companies are already 
developing and testing various iterations, and the number is 
expected to grow quickly. DOT and policymakers must clearly 
define the tools and standards necessary to oversee and 
regulate this industry and the technology underlying it.
    At the same time, NHTSA must continue to improve its 
processes for investigating vehicle safety defects. Most 
recently, a Takata airbag defect resulted in 11 fatalities and 
180 injuries. Due in part to my office's investigative work, 
Takata Corporation has recalled tens of millions of vehicles 
and agreed last month to pay $1 billion in criminal penalties. 
NHTSA is making progress toward addressing our recommendations 
to collect and analyze more comprehensive vehicle safety data, 
but must continue to improve internal controls within its 
Office of Defects Investigations.
    With regard to stewardship, we have identified areas where 
DOT can improve how it manages and oversees the billions of 
dollars invested each year in our transportation 
infrastructure. For example, FAA faces ongoing challenges to 
deliver six programs that are essential to implement NextGen 
and modernize our outdated air traffic control systems. Cost 
estimates for these programs now total over $5.7 billion, and 
their completion has been pushed beyond 2020. As a watch item, 
many requirements remain undefined, and FAA has yet to fully 
quantify how these programs will achieve expected benefits for 
the aviation industry.
    Protecting our infrastructure also requires addressing 
increasingly sophisticated cybersecurity threats. However, DOT 
has not effectively implemented programs to actively monitor 
and mitigate security breaches immediately during or after an 
incident. Recent trends in mobile, cloud, and workplace 
technology also present new challenges to monitoring and 
securing DOT's network.
    Finally, as it carries out its mission, DOT must develop 
strategies to efficiently carry out mandated and recommended 
improvements. These include provisions in the 2015 FAST Act to 
improve investments in highway and transit projects as well as 
key aviation safety mandates from the 2016 FAA Extension Act. 
The FAA mandates include, for example, requiring better records 
on a pilot's training and background. DOT has also faced delays 
in addressing recommendations to improve pipeline and hazardous 
material safety issued by both our office and NTSB.
    In conclusion, my office will continue to assist DOT and 
Congress as we work to meet these and other challenges, 
including helping the Department leverage its resources to 
promote safety and efficiency and prevent fraud in any 
forthcoming infrastructure investment plans. We will also 
continue to keep you informed as to the status of specific 
recommendations we have made to the Department.
    Mr. Chairman, this concludes my prepared statement. I'm 
happy to answer any questions you or other committee members 
may have.
    [The prepared statement of Mr. Scovel follows:]

  Prepared Statement of Hon. Calvin L. Scovel III, Inspector General, 
                   U.S. Department of Transportation

   Top Management Challenges Facing the Department of Transportation

    Chairman Thune, Ranking Member Nelson, and Members of the 
Committee:

    Thank you for inviting me here today to discuss the Department of 
Transportation's (DOT) top management challenges. Safe, efficient, and 
innovative transportation is critical to the U.S. and global economy 
and essential to creating opportunities that enhance our quality of 
life. Every year, the Department invests more than $70 billion in a 
wide range of programs to protect and modernize our transportation 
infrastructure. Our office supports these efforts through our audits 
\1\ and criminal investigations, which promote effectiveness and root 
out fraud, waste, and abuse in Federal programs. We look forward to 
working with our Secretary and this Committee to help uphold DOT's 
commitment to the traveling public. We report annually to the 
Administration and Congress on DOT's top management challenges. My 
statement today will focus on the challenges \2\ our work has 
identified along three cross-cutting areas: (1) addressing new and 
ongoing safety challenges, (2) enhancing stewardship of DOT's financial 
and growing infrastructure investments, and (3) effectively addressing 
existing mandates and recommendations.
---------------------------------------------------------------------------
    \1\ For a list of our ongoing audits, see the exhibit.
    \2\ Top Management Challenges for Fiscal Year 2017, Department of 
Transportation (OIG Report No. PT2017007), November 15, 2016. OIG 
reports and testimonies are available on our website: https://
www.oig.dot.gov.
---------------------------------------------------------------------------
Summary
    As Secretary of Transportation Elaine L. Chao has affirmed, DOT's 
primary objective is safety. Meeting this objective requires addressing 
a number of new and ongoing challenges--from ensuring the safe 
integration of emerging technologies such as Unmanned Aircraft Systems 
(UAS) and driverless cars to promptly investigating passenger vehicle 
defects and pipeline safety violations. At the same time, DOT must 
protect its investments in its multibillion-dollar infrastructure and 
systems with careful financial scrutiny and sustained management 
attention. This includes stronger efforts to enhance the capacity and 
resilience of the National Airspace System (NAS), manage high-risk 
contracts and evolving public-private financing arrangements, and 
safeguard our information technology (IT) systems from increasingly 
complex cybersecurity threats. Finally, as it carries out its mission, 
DOT must develop strategies to more effectively address safety 
recommendations and congressional mandates.
Addressing New and Ongoing Safety Challenges
    Safety remains the Department's highest priority, and DOT is 
committed to improving how it oversees our Nation's airspace, roads, 
pipelines, and other critical systems. Yet, emerging technologies, 
industry safety concerns, and enforcement issues pose challenges to 
DOT's safety mission. Key focus areas we have identified for DOT 
include ensuring its oversight keeps pace with the rapid rise of UAS 
and driverless cars, improving how it collects and uses vehicle safety 
recall data, and effectively addressing pipeline safety violations.
Overseeing an Expanding and Dynamic Unmanned Aircraft Systems Industry
    Through a sustained focus, DOT, the Federal Aviation Administration 
(FAA), and industry have maintained a safe aviation system, with no 
fatal passenger accidents involving domestic commercial carriers in 
over 7 years. However, the growing demand for commercial UAS 
operations--for purposes ranging from pipeline monitoring and precision 
agriculture to package delivery and filmmaking--presents one of the 
most significant safety challenges for FAA in decades. FAA recently 
forecast 1.9 million units in potential annual sales of UAS in 2016, 
which could increase to 4.3 million units sold annually by 2020. While 
this represents substantial opportunities for U.S. businesses, it also 
raises safety concerns, since FAA has not yet established a 
comprehensive oversight framework to ensure this evolving industry can 
operate safely in the same airspace with other private, commercial, and 
military aircraft.
    FAA took an important step forward to advance UAS integration in 
June 2016 with a new rule regulating the use of small UAS \3\ (i.e., 
systems weighing less than 55 pounds). However, the rule does not yet 
permit several high-profile aspects of potential UAS use, such as 
delivering packages beyond the line of sight of the pilot, underscoring 
the need for further regulatory efforts. Until then, FAA will continue 
to accommodate some UAS operations through regulatory waivers and 
exemptions.
---------------------------------------------------------------------------
    \3\ 14 CFR Part 107 (June 2016).
---------------------------------------------------------------------------
    Moreover, as the number of UAS operations has grown, so has the 
number of UAS sightings by pilots and other sources.\4\ In 2015, there 
were over 1,100 UAS events reported compared to just 238 in 2014, 
according to FAA's UAS event data. As shown in the figure below, 71 
percent of sightings occurred at altitudes at or above the 400-feet 
maximum FAA-authorized altitude for civil UAS--with 29 percent of 
sightings reported at altitudes at or above 3,000 feet, approaching 
areas where other aircraft operate.\5\
---------------------------------------------------------------------------
    \4\ While sightings are primarily reported by pilots, reports also 
come from air traffic controllers, law enforcement officers, and the 
general public.
    \5\ It is important to note that FAA has not verified the validity 
of the reports received by air traffic, but the data indicate that a 
number of UAS operators may be flying their aircraft outside of FAA 
guidelines.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    These events highlight the importance of establishing a risk-based 
system for UAS oversight, especially since the number of UAS sightings 
has continued to increase--with over 1,400 reported for the 9-month 
period ending in September 2016, according to FAA. However, FAA's 
efforts in this area are incomplete. For example, the Agency lacks a 
robust data reporting and tracking system for UAS activity. It also has 
provided only limited UAS-related training and guidance to safety 
inspectors. As a result, FAA is currently restricted to a reactive 
approach for addressing UAS incidents and issues as they arise, rather 
than proactively identifying and mitigating potential risks.
    As we recently reported,\6\ to make progress FAA will need to 
establish the capacity for integrated UAS data and analysis and 
implement a process to verify UAS operators' compliance with 
regulations. Further, FAA must continue coordinating with other 
Government agencies to advance UAS detection technology. These steps 
are critical to ensure that FAA can meet UAS demand while maintaining 
the safety of the NAS.
---------------------------------------------------------------------------
    \6\ FAA Lacks a Risk-Based Oversight Process for Civil Unmanned 
Aircraft Systems, (OIG Report No. AV2017018) December 1, 2016.
---------------------------------------------------------------------------
Preparing To Oversee Driverless Cars
    The emergence of driverless cars is another developing technology 
that will present significant regulatory and oversight challenges for 
DOT. While this is still in the early stages, several companies are 
already developing and testing driverless cars, and the number is 
expected to grow quickly over the next decade. In September 2016, DOT 
issued a Federal Automated Vehicles Policy, which sets the framework 
for the next 50 years with guidance for the safe and rapid development 
of advanced automated vehicle safety technologies. Along with 
developing the tools and standards to oversee and regulate this new 
technology, DOT will need to consider the impact on several of its 
agencies and work to ensure they can adapt as needed to maintain DOT's 
commitment to both safety and innovation. For example, the National 
Highway Traffic Safety Administration (NHTSA) will have to consider 
whether new authority is needed to ensure that these new vehicles are 
as safe as standard motor vehicles. Similarly, for commercial motor 
vehicles, the Federal Motor Carrier Safety Administration (FMCSA) needs 
to identify any impact to its safety regulations and update operational 
procedures as required.
Enhancing Processes for Collecting and Analyzing Vehicle Safety Recall 
        Data
    Recent large-scale recalls from auto manufacturers highlight a 
number of safety challenges for the Department. Since 2014, General 
Motors (GM) has recalled nearly 9 million U.S. vehicles for a defect 
involving a faulty ignition switch that resulted in GM receiving more 
than 100 death claims and more than 200 injury claims. In addition, 
NHTSA is overseeing a recall of Takata airbags installed in tens of 
millions of U.S. vehicles due to a safety defect that led to 11 
fatalities and approximately 180 injuries in the United States. Due in 
part to our investigative work, Takata Corporation agreed last month to 
pay a total of $1 billion in criminal penalties.
    NHTSA's Office of Defects Investigation (ODI) is responsible for 
overseeing safety recalls and monitoring recall completion rates. The 
GM and Takata recalls and others have prompted congressional concerns 
over NHTSA's safety processes. We have issued numerous audit 
recommendations over the years to the Agency to strengthen its internal 
controls and use of safety data. NHTSA is working to address those 
concerns, but more work remains. For example, NHTSA recently completed 
work on 12 of the 17 recommendations from our 2015 audit, which found 
ODI had insufficient processes for verifying that manufacturers submit 
complete and accurate early warning reporting data.\7\ However, NHTSA 
has not completed our five recommendations to enhance collection and 
analysis of early warning reporting data and the process for reviewing 
complaints. We also reported in February 2016 \8\ that ODI needed 
better quality control mechanisms to comply with policies that NHTSA 
established in response to our 2011 recommendations involving 
documentation and testing weaknesses.\9\ Those two recommendations from 
our 2016 report remain open.
---------------------------------------------------------------------------
    \7\ Inadequate Data and Analysis Undermine NHTSA's Efforts To 
Identify and Investigate Vehicle Safety Concerns (OIG Report No. 
ST2015063), June 18, 2015.
    \8\ Additional Efforts Are Needed To Ensure NHTSA's Full 
Implementation of OIG's 2011 Recommendations (OIG Report No. 
ST2016021), February 24, 2016.
    \9\ Process Improvements Are Needed for Identifying and Addressing 
Vehicle Safety Defects (OIG Report No. MH012001), October 6, 2011.
---------------------------------------------------------------------------
    This month, we plan to announce an audit of ODI's recall processes 
as mandated by Congress in the Fixing America's Surface Transportation 
Act (FAST Act).\10\ Consistent with this mandate, and as agreed to with 
congressional staff, our audit will examine NHTSA's processes for 
monitoring manufacturers' proposed recall remedies and scope and 
overseeing safety recall implementation. We will keep Congress apprised 
of our progress in this area.
---------------------------------------------------------------------------
    \10\ Pub. L. No. 114-94 (2015).
---------------------------------------------------------------------------
Addressing Violations of Pipeline Safety Regulations
    A key DOT mission is mitigating the safety risks posed by the 
Nation's 2.5 million-mile pipeline transportation system. The Pipeline 
and Hazardous Materials Safety Administration (PHMSA) develops and 
enforces regulations for the safe and reliable operation of pipelines. 
However, PHMSA has faced challenges enforcing some key regulatory 
safeguards. There have been a number of serious pipeline-related 
incidents over the past several years. From 2012 to 2016, there were 
144 serious pipeline incidents resulting in 63 fatalities. Many of 
these were due to violations of safety regulations required by the 
Natural Gas Pipeline Safety Act (PSA).\11\
---------------------------------------------------------------------------
    \11\ Pub. L. No. 90-481 (1968).
---------------------------------------------------------------------------
    Historically, however, it has been difficult to prosecute such 
violations due to language in Title 49 U.S.C. Section 60123(a), the 
criminal statute for pipeline safety violations. This section requires 
that the violation be committed ``knowingly and willfully.'' Instead, 
the Department of Justice has had more success prosecuting cases under 
Section 5124 (the criminal statute for hazardous materials violations), 
which allows prosecutions for ``reckless'' violations (i.e., display of 
deliberate indifference or conscious disregard to the consequences of 
their conduct). In the past 10 years, Federal charges under Section 
60123(a) were brought against only four individuals and companies, and 
in only one case did a prosecution result in a guilty verdict of a 
utility company for violations of Section 60123(a)--the case against 
the Pacific Gas and Electric Company (PG&E).
    The case against PG&E arose after a natural gas pipeline ruptured 
in San Bruno, CA, in 2010, killing 8 people. It was investigated by the 
Department of Justice, our office, the Federal Bureau of Investigation, 
and local law enforcement. On August 9, 2016, a Federal jury found PG&E 
guilty of multiple knowing and willful violations of the PSA and of 
obstructing the National Transportation Safety Board's (NTSB) 
investigation. On January 26, 2017, the maximum sentence was imposed--5 
years of probation and a $3 million fine. The court also ordered the 
company to announce in local and national media that it was found 
guilty of violating the PSA and obstructing a Federal investigation. 
While this sentence sends a message to the industry, as a policy 
matter, DOT and Congress may wish to consider whether the deterrent 
effect of prosecuting violations of the PSA might be enhanced by 
amending Section 60123(a) to include reckless violations.
Enhancing Stewardship of DOT's Financial and Infrastructure Investments
    DOT receives billions of Federal dollars annually to fund projects 
to build, repair, and maintain our Nation's vast transportation 
infrastructure, ranging from air traffic control tools to roads and 
bridges and IT systems. Safeguarding these and future investments 
requires sound financial management and strong upfront risk mitigation 
strategies for increasing threats. Key challenges for the Department 
include enhancing the capacity and resiliency of the NAS, increasing 
oversight of high-risk contracts and Departmentwide financial programs, 
and effectively addressing rapidly evolving cybersecurity risks.
Enhancing the Capacity, Efficiency, and Resiliency of the NAS
    FAA operates the safest aviation system in the world and continues 
to work with stakeholders to implement new technologies that are 
providing near-term benefits to airspace users, such as fuel savings 
and increased airspace capacity and efficiency. However, FAA faces 
ongoing challenges with its investments to deliver specific 
capabilities and programs required to implement the Next Generation Air 
Transportation System (NextGen), which aims to modernize and replace 
1950s-era ground radar and equipment.
    For example, FAA has worked with industry to identify and begin 
implementing the four highest priority NextGen capabilities: (1) 
advancing performance-based navigation (PBN), (2) improving access to 
closely spaced parallel runways, (3) enhancing airport surface 
operations, and (4) developing data communications for controllers and 
pilots. However, FAA is behind schedule in key areas and faces 
challenges achieving the full range of benefits, particularly with its 
top priority to develop new PBN procedures. These have faced delays due 
in part to community concerns over aircraft noise and the lack of 
automated tools to help controllers sequence and space aircraft.
    We also recently reported \12\ that FAA has not fully identified 
the total costs, capabilities, or completion schedules for any of the 
six NextGen transformational programs \13\ that are required to 
implement NextGen and introduce key capabilities. Cost estimates for 
these six programs now total over $5.7 billion (increasing from a $2.1 
billion estimate in 2012), and their completion has been pushed beyond 
2020. Many of these programs' benefits remain unquantified as to how 
they will improve the flow of air traffic or controller workforce 
productivity. For example, FAA has mandated that all airspace users 
must purchase and install the Automatic Dependent Surveillance-
Broadcast System (ADS-B) Out \14\ equipment by 2020. However, the 
majority of benefits are expected from ADS-B In, which will enable 
display of information in the cockpit. Yet, ADS-B In's requirements and 
associated schedule and costs continue to evolve, making it uncertain 
when benefits from enhancing NAS capacity will be achieved.
---------------------------------------------------------------------------
    \12\ Total Costs, Schedules, and Benefits of FAA's NextGen 
Transformational Programs Remain Uncertain (OIG Report No. AV2017009), 
November 10, 2016.
    \13\ The six transformational programs are Automatic Dependent 
Surveillance-Broadcast (ADS-B), System Wide Information Management 
(SWIM), Data Communications (DataComm), NAS Voice System (NVS), Common 
Support Services-Weather (CSS-Wx), and Collaborative Air Traffic 
Management-Technologies (CATM-T).
    \14\ ADS-B Out involves the broadcast of information to FAA ground 
systems.
---------------------------------------------------------------------------
    While working to increase capacity and efficiency through NextGen, 
FAA must also take steps to ensure that the NAS can quickly recover 
from catastrophic--sometimes intentional--events. For example, in 
September 2014, an FAA contract employee deliberately started a fire at 
FAA's Chicago Air Route Traffic Control Center that disrupted air 
traffic for more than 2 weeks and led to reported industry losses of 
over $350 million. The event highlighted weaknesses in FAA's current 
air traffic control infrastructure, which has limited flexibility to 
respond to system failures and quickly return to normal operations. We 
recently reported \15\ that while FAA has begun to develop new 
contingency plans to better respond to such failures, the plans are 
still incomplete, and many of the key technologies, such as the new NAS 
Voice System,\16\ are years away from implementation.
---------------------------------------------------------------------------
    \15\ Although FAA Has Taken Steps To Improve its Operational 
Contingency Plans, Significant Work Remains To Mitigate Effects of 
Major System Disruptions, (OIG Report No. AV2017020) January 11, 2017.
    \16\ NAS Voice System (NVS) is expected to standardize the voice 
communication infrastructure among FAA air traffic facilities by 
replacing 11 aging analog voice communication systems with a single 
digital technology.
---------------------------------------------------------------------------
Increasing Oversight of High-Risk Contracts
    DOT relies on billions of dollars in contracts each year to fund 
programs across all modes of transportation. In Fiscal Years 2015 and 
2016, DOT spent over $6 billion in contracts annually. Our work has 
identified areas where the Department can improve its internal controls 
and accountability in managing its sizable investments, including 
strengthening oversight and planning for contracts and minimizing the 
use of contract types that present the greatest financial risks to the 
Government.
    For example, cost-reimbursable contracts are considered high risk 
because of the potential for cost escalation and the fact that the 
Government pays a contractor's costs of performance regardless of 
whether the work is completed. Our review \17\ of six Operating 
Administrations found that they did not (1) perform adequate 
acquisition planning and document their justifications \18\ for using 
this contract type or (2) consistently assess oversight risks, properly 
designate oversight personnel, or verify that contractors' accounting 
systems are adequate to provide reliable cost data.
---------------------------------------------------------------------------
    \17\ DOT Does Not Fully Comply With Revised Federal Acquisition 
Regulations on the Use and Management of Cost-Reimbursement Awards (OIG 
Report No. ZA2013118), August 5, 2013.
    \18\ The Federal Acquisition Regulation states that a cost-
reimbursement award may only be used when (1) circumstances do not 
allow the agency to define its requirements sufficiently to allow for a 
fixed-price award or (2) uncertainties involved in contract performance 
do not permit costs to be estimated with sufficient accuracy to use any 
type of fixed-price award.
---------------------------------------------------------------------------
    Similarly, we found that FAA--which awards more contract dollars 
annually than any other Operating Administration--lacked basic internal 
controls and contracting practices for its sole-source and multiple-
award contracts. Sole-source contracts are negotiated without the 
benefit of competition and carry the risk of overspending. Our work 
\19\ found that FAA did not do enough to reduce its use of sole-source 
contracts, as directed by OMB in 2009. Between Fiscal Years 2008 and 
2014, FAA awarded 624 sole-source contracts with a total value of about 
$2.2 billion. For most of the sole-source contracts we reviewed, FAA 
had not conducted an adequate market analysis or developed independent 
cost estimates to ensure reasonable prices. We also found issues with 
FAA multiple-award service contracts. While multiple award service 
contracts are not by nature high-risk, the various task orders issued 
under them frequently lack sufficient oversight and competition. For 
example, for FAA's $1.1 billion Systems Engineering 2020 (SE-2020) 
contracts,\20\ FAA did not ensure full competition or documentation for 
task orders or ensure contract oversight staff had the needed skills 
for their jobs.\21\ This can increase the risk of cost overruns or 
payment for services that do not meet DOT's needs.
---------------------------------------------------------------------------
    \19\ FAA Lacks Adequate Controls To Accurately Track and Award Its 
Sole Source Contracts (OIG Report No. ZA2016065), May 9, 2016.
    \20\ SE-2020 is a portfolio of contracts that FAA uses to obtain 
professional and technical services to support its development and 
implementation of NextGen--the Agency's effort to modernize and 
maintain the NAS. During our 2012 review of FAA's SE-2020 contracts, 
the Agency's cumulative maximum value was $7.3 billion. When we 
initiated our 2016 follow-up review, FAA reported its current award 
baseline was $1.1 billion.
    \21\ FAA's Contracting Practices Are Insufficient To Effectively 
Manage Its Systems Engineering 2020 Contracts (OIG Report No. 
ZA2012082), March 28, 2012.
---------------------------------------------------------------------------
Improving Stewardship of Credit Programs and Managing Delinquent Debt
    To be an effective steward of taxpayer dollars while financing 
large infrastructure projects, DOT must carefully manage the 
consolidation of credit programs that leverage private investment, such 
as the Transportation Infrastructure Finance and Innovation Act (TIFIA) 
and the Railroad Rehabilitation and Improvement Financing (RRIF). In 
2014, DOT established the Build America Transportation Investment 
Center (BATIC) to streamline public-private coordination when planning 
and implementing infrastructure projects. Since BATIC's inception, DOT 
credit programs have issued credit instruments totaling roughly $10 
billion to 21 projects that support up to $26 billion in transportation 
infrastructure. Recognizing BATIC's impact on funding for 
infrastructure projects, Congress mandated the restructuring of DOT 
credit programs to consolidate the TIFIA and RRIF programs with BATIC 
in 2015. This restructuring is ongoing; sustained management attention 
will be critical to complete and oversee these significant financial 
arrangements.
    Managing DOT's financial commitments also includes establishing and 
maintaining internal controls to more effectively identify and collect 
delinquent debt.\22\ Our audit work found \23\ that weak internal 
controls at DOT contributed to an increase in outstanding debt owed the 
Federal Government by individuals and non-Federal entities and an 
increased risk that these debts would not be collected and returned to 
DOT. From Fiscal Years 1999 to 2013, DOT's reported delinquent debt 
increased by over 300 percent, from approximately $170 million to $737 
million. DOT-wide policies and procedures are needed to accurately 
identify and report delinquent debt and recoveries, collect debts in a 
timely manner, and ensure DOT has the requisite skills and internal 
controls for carrying out these programs.
---------------------------------------------------------------------------
    \22\ A debt is an amount owed by an individual and/or a non-Federal 
entity. This includes direct and guaranteed loans, such as those 
provided to States for financing transportation projects. 
Administrative debts include civil fines and penalties and payroll 
overpayments. A debt becomes delinquent when payment is not made by the 
due date or end of the grace period established in an agreement or 
specified in the billing notice.
    \23\ Weak Internal Controls for Collecting Delinquent Debt Put 
Millions of DOT Dollars at Risk (OIG Report No. FI2015065), July 9, 
2015.
---------------------------------------------------------------------------
Coordinating Technological Initiatives and Extending Security 
        Boundaries to 
        Address Cybersecurity Risks
    As cybersecurity threats become increasingly sophisticated and more 
numerous, DOT faces the challenge of reevaluating and expanding 
traditional approaches to secure IT systems. DOT must work to fulfill 
existing requirements while also implementing new strategies to meet 
the additional security demands of mobile technology, cloud-based 
computing, and other technological developments. However, cybersecurity 
remains a significant challenge for DOT and its Operating 
Administrations.
    To its credit, DOT has supplied personal identification 
verification (PIV) cards to all its employees. However, DOT has not 
fully implemented the use of these cards Departmentwide for access to 
its facilities and information systems. In fact, only 140 of its 460 
systems (30 percent) can use PIV cards for access. In addition, 530 FAA 
facilities do not use PIV cards for physical access. DOT also has not 
effectively implemented other cybersecurity initiatives, such as 
programs to actively monitor and mitigate security weaknesses 
immediately during or after an attack. For example, we recently 
reported \24\ that DOT's continuous monitoring program lacks sufficient 
maturity to be effective, leaving the Department's systems vulnerable 
to exploitable hardware and software.
---------------------------------------------------------------------------
    \24\ FISMA 2016: DOT Continues To Make Progress, but the 
Department's Information Security Posture Is Still Not Effective OIG 
Report No. FI2017008), November 9, 2016.
---------------------------------------------------------------------------
    Furthermore, recent trends in mobile, cloud, and workplace 
technology--such as the proliferation of smartphones and tablets and an 
increasing number of remote employees--present new challenges to 
monitoring and securing DOT's network. As the industry moves towards 
extending desktop virtualization and cloud computing, DOT will need to 
change how it stores and manages data in order to effectively respond 
to cybersecurity incidents. As we recently reported, DOT's current 
incident monitoring is incomplete due to lack of access to FAA's and 
cloud service providers' systems.
Effectively Addressing Existing Mandates and Recommendations
    In recent years, DOT has faced a significant challenge to implement 
mandated and recommended improvements to its safety oversight and 
program management. These include MAP-21 provisions for highway and 
transit projects, issued in 2012, as well as 2015 FAST Act 
requirements. In 2016, the FAA Extension, Safety, and Security Act 
(Extension Act) \25\ also set out new requirements for DOT regarding 
pilot safety issues and oversight of foreign repair stations. At the 
same time, DOT has struggled to meet deadlines for mandates and 
recommendations regarding pipeline and hazardous materials safety. 
Going forward, it will be important for DOT to prioritize actions to 
meet statutory requirements, weigh which rulemakings will have the 
greatest safety merit and which existing regulations may require 
additional scrutiny, and assess steps needed to meet these or any 
future congressional directives. For example, DOT will need to improve 
its compliance with the Federal Information Technology Acquisition 
Reform Act (FITARA),\26\ which is intended to improve agencies' IT 
acquisitions and enhance congressional monitoring. DOT recently 
received a failing grade on the House Committee on Oversight and 
Government Reform's FITARA Scorecard.
---------------------------------------------------------------------------
    \25\ Pub. L. No. 114-190 (2016).
    \26\ Federal Information Technology Acquisition Reform provisions 
of the Carl Levin and Howard P. ``Buck'' McKeon National Defense 
Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, div.A, 
title VIII, subtitle D, 128 Stat. 3292, 3438-3450 (Dec. 19, 2014).
---------------------------------------------------------------------------
Implementing Legislative Requirements for Highway and Transit Projects
    MAP-21 established requirements for States to employ performance-
based management of DOT's highway and transit programs, including 
linking State transportation performance plans to Federal-aid highway 
funds through an asset management plan. As DOT finalizes rulemakings 
\27\ to meet these requirements, it will need to adjust its risk-based 
oversight to ensure that States consistently comply with the new rules 
and that the rules achieve desired outcomes. Additionally, MAP-21 
called for DOT to accelerate highway, bridge, and transit project 
delivery. These actions include rulemakings to streamline the 
environmental review process and required reports to Congress on 
environmental actions. DOT has implemented half of the actions it 
initially identified. However, DOT recognizes that it needs to revise a 
large number of its planned actions to comply with more recent FAST Act 
requirements that will affect these areas. This includes, for example, 
a rulemaking that allows States to assume FHWA responsibilities under 
the National Environmental Policy Act \28\ for environmental reviews, 
consultation, and compliance for Federal highway projects.
---------------------------------------------------------------------------
    \27\ For example, the Federal Highway Administration (FHWA) has 
established a process for development of a State risk-based asset 
management plan, including defining minimum standards for developing 
and operating bridge and pavement management systems, and a rulemaking 
for setting performance targets and measures covering bridges and 
pavement.
    \28\ Pub. L. No. 91-190 (1969).
---------------------------------------------------------------------------
Managing New Safety Requirements From the FAA Extension Act
    FAA has several ongoing initiatives to enhance aviation safety but 
faces challenges to implement new requirements of the 2016 Extension 
Act. Several of the act's provisions also mirror recommendations from 
our office. For example, in line with our recent report,\29\ the act 
includes requirements for new pilot training on monitoring flight 
automation systems and new inspector guidance for tracking and 
assessing pilot proficiency in manual flight. FAA will need to ensure 
that air carrier training programs address these provisions so that 
pilots maintain the skills needed to fly safely and recover from a 
failure with cockpit automated systems or an unexpected event, 
particularly in the critical phases of flight.
---------------------------------------------------------------------------
    \29\ Enhanced FAA Oversight Could Reduce Hazards Associated With 
Increased Use of Flight Deck Automation, (OIG Report No. AV2016013), 
January 7, 2016.
---------------------------------------------------------------------------
    A critical safety component reflected in the Extension Act is 
ensuring air carriers have the information they need on a pilot's 
training and background to make informed hiring decisions. We have 
monitored FAA's efforts to establish a pilot records database since it 
was first mandated in 2010. We reported in 2015\30\ that FAA's progress 
has been limited; currently, FAA does not expect to complete the 
database by the act's deadline of April 2017. In response, FAA 
accelerated efforts to launch its portion of the database and expects 
it to be available to air carriers this month. However, FAA has yet to 
decide how best to obtain and input air carrier records as far back as 
2005, as the act requires, given the differences among carriers' data 
and recordkeeping systems. FAA is working on a rulemaking to address 
this problem and expects to issue it in 2018, at the earliest.
---------------------------------------------------------------------------
    \30\ FAA Delays in Establishing a Pilot Records Database Limit Air 
Carriers' Access to Background Information, (OIG Report No. AV2015079), 
August 20, 2015.
---------------------------------------------------------------------------
    Another aviation safety priority that we have reported on since 
2003 is foreign repair stations. Currently there are approximately 840 
repair stations located outside the United States. Under the Extension 
Act, FAA must ensure that its safety assessment system prioritizes 
inspections at foreign repair stations performing heavy maintenance for 
U.S. carriers, using risk-based oversight and data to track corrective 
actions. However, we continue to find weaknesses in FAA's ability to 
get the data it needs to assess risk and effectively monitor foreign 
repair stations covered under the United States and European Union (EU) 
Aviation Safety Agreement, which went into effect in 2011 and covers 
more than 400 FAA-certificated repair stations in Europe.\31\ 
Currently, foreign authorities are only required to provide FAA with 
repair station inspection results pertaining to those FAA regulations 
that differ from the EU's--not complete facility inspection reports. In 
response to our recommendation in 2015,\32\ FAA is developing 
procedures to obtain these facility inspection reports, which should 
help it to better assess risk.
---------------------------------------------------------------------------
    \31\ With this agreement, the United States expanded its aviation 
safety partnership from 3 countries in 1999 (France, Germany, and 
Ireland) to 18 countries today (the original 3 plus Austria, Belgium, 
Czech Republic, Denmark, Finland, Italy, Luxembourg, Malta, the 
Netherlands, Poland, Portugal, Romania, Spain, Sweden, and the United 
Kingdom). While this agreement minimizes duplicative oversight and 
relieves FAA inspectors from performing mandatory, annual inspections 
overseas, FAA still retains its responsibility to ensure its foreign 
repair stations comply with U.S. regulations.
    \32\ FAA Has Not Effectively Implemented Repair Station Oversight 
in the European Union, (OIG Report No. AV2015066), July 15, 2015.
---------------------------------------------------------------------------
Addressing Pipeline and Hazardous Materials Safety Recommendations and 
        Mandates
    Given the number of pipeline and hazardous materials incidents over 
the last several years--more than 86,000 incidents between 2012 and 
2016--PHMSA has received many mandates and recommendations to improve 
how it mitigates these safety risks. Specifically, since 2005, PHMSA 
has received 263 mandates and recommendations. To its credit, PHMSA 
completed nearly two-thirds of them but in doing so, missed about 75 
percent of its mandated deadlines. Our work shows that PHMSA must focus 
on improving its processes, oversight, and project management to 
address the remaining or any future recommendations or mandates in a 
timelier manner. As we reported in October 2016,\33\ 20 of PHMSA's 81 
mandates (25 percent) remain unimplemented, as well as about half of 
NTSB's 118 safety recommendations and 7 recommendations from the 
Government Accountability Office.
---------------------------------------------------------------------------
    \33\ Insufficient Guidance, Oversight, and Coordination Hinder 
PHMSA's Full Implementation of Mandates and Recommendations (OIG Report 
No. ST2017002), October 14, 2016.
---------------------------------------------------------------------------
    In addition, PHMSA is working to address our five recommendations 
to improve how the Agency implements mandates and recommendations and 
coordinates with other Operating Administrations involved with the 
transportation of hazardous materials--FAA, FMCSA, and the Federal 
Railroad Administration. For example, our work found that PHMSA has not 
adequately coordinated, as required by a DOT Order,\34\ on rulemaking 
and international standards development with these agencies, limiting 
its ability to resolve disputes in a timely manner. PHMSA is working to 
address these issues through organizational changes. It is too soon to 
determine whether these plans, once finalized, will aid the Agency's 
ability to meet mandates and recommendations in full and on time.
---------------------------------------------------------------------------
    \34\ DOT Order 1100.74A, Department of Transportation Organization 
Manual: Pipeline and Hazardous Materials Safety Administration, 
September 2010.
---------------------------------------------------------------------------
Conclusion
    The safe and efficient movement of people and goods is vital to our 
Nation's economic growth, global partnerships, and quality of life. We 
remain committed to assisting DOT and the Secretary as they work to 
improve DOT's management of programs and resources and ensure the 
greatest return on investment to taxpayers. We will continue to play a 
leading role in helping the Department detect and prevent fraud. Our 
office has a strong record of identifying weaknesses and recommending 
enhancements to DOT's internal controls to better oversee its programs 
and grants, particularly in large-scale infrastructure investments such 
as the American Recovery and Reinvestment Act of 2009 and Hurricane 
Sandy relief funds. We will continue to strive to find innovative ways 
to ensure the Department fully leverages the fraud detection and 
prevention resources at hand--such as mining and analyzing data to 
better predict high-risk areas for fraud, waste, and abuse.
    I appreciate this Committee's continued support to enable us to 
enhance our coverage of the Department's safety programs, 
administrative and management assets, and information systems security. 
We look forward to providing you with any information you may require 
and pledge our support in promoting safety and efficiency and 
preventing fraud in any forthcoming infrastructure plans.
    This concludes my prepared statement. I will be happy to answer any 
questions you or other Members of the Committee may have.

        Exhibit. DOT OIG's Ongoing Audits as of February 6, 2017
------------------------------------------------------------------------
   Project Title              Objectives              Source/Requester
------------------------------------------------------------------------
Departmentwide
------------------------------------------------------------------------
DOT's               Our objectives are to (1)       Required by the
 Implementation of   provide a status of the         Moving Ahead for
 MAP-21's            Department's actions to carry   Progress in the
 Acceleration of     out MAP-21 Subtitle C           21st Century Act of
 Project Delivery    provisions and (2) identify     2012
 Provisions          possible vulnerabilities in
                     the Department's
                     implementation of these
                     actions.
------------------------------------------------------------------------
DOT's Use of Other  Our audit objective is to       Self-Initiated
 Transaction         evaluate DOT's use and
 Agreements          management of Other
                     Transaction Agreements.
------------------------------------------------------------------------
DOT's               Our audit objective is to       Required by the
 Implementation of   determine whether the           Improper Payments
 the Improper        Department complied with        Elimination and
 Payments            IPERA's requirements as         Recovery Act of
 Elimination and     implemented by the Office of    2010
 Recovery Act of     Management and Budget.
 2010 During
 Fiscal Year 2016
------------------------------------------------------------------------
DOT OCIO            Our audit objectives are to     Self-Initiated
 Cybersecurity       determine whether DOT (1)
 Funding             adequately planned for its
                     cybersecurity funding needs
                     and (2) expended
                     cybersecurity funds in
                     accordance with congressional
                     direction.
------------------------------------------------------------------------
OST's Benefit-Cost  Our audit objective is to       Self-Initiated
 Analysis of the     assess the Office of the
 TIGER Grant         Secretary of Transportation's
 Applications        (OST) policies and procedures
                     for evaluating benefit-cost
                     analyses in determining which
                     TIGER grant applications are
                     forwarded for further review.
------------------------------------------------------------------------
Federal Aviation Administration
------------------------------------------------------------------------
FAA's Policies and  Our audit objectives are to     Requested by the
 Procedures for      identify (1) FAA's              Chairmen of the
 Hiring New Air      justification for adopting      House
 Traffic             the new hiring process and      Transportation and
 Controllers         (2) the changes that have       Infrastructure
                     occurred in the hiring pool     Committee and the
                     since the process was           Subcommittee for
                     implemented.                    Aviation, and
                                                     Senator Nelson
------------------------------------------------------------------------
FAA's Runway        Our objective is to evaluate    Self-Initiated
 Safety              FAA's progress in
 Initiatives         implementing initiatives to
                     improve runway safety.
------------------------------------------------------------------------
FAA's Oversight of  Our objectives are to assess    Requested by the
 Suspected           the effectiveness of FAA's      Ranking Members of
 Unapproved Parts    (1) process for monitoring      the House
                     and investigating suspected     Transportation and
                     unapproved parts and (2)        Infrastructure
                     oversight of industry actions   Committee and the
                     to remove unapproved parts      Subcommittee on
                     from the aviation supply        Aviation
                     chain.
------------------------------------------------------------------------
FAA's Oversight of  Our audit objectives are to     Requested by Senator
 the Safety of       assess the effectiveness of     Dianne Feinstein
 Commercial          FAA's actions to (1) identify
 Airline Flight      vulnerabilities to flight
 Decks               deck security and (2)
                     mitigate identified flight
                     deck vulnerabilities.
------------------------------------------------------------------------
FAA's Progress      Our audit objectives in this    Requested by the
 With Implementing   follow-up audit are to          Chairmen and
 High-Priority       evaluate FAA's (1) process      Ranking Members of
 NextGen             for identifying risks to        the House Committee
 Capabilities        implementing the four           on Transportation
                     prioritized NextGen             and Infrastructure
                     capabilities and (2) actions    and its
                     to mitigate any identified      Subcommittee on
                     risks.                          Aviation
------------------------------------------------------------------------
FAA's Oversight of  Our audit objectives are to     Required by the FAA
 ADS-B Contract      (1) determine whether the ADS-  Modernization and
                     B contract provides FAA the     Reform Act of 2012
                     ability to monitor whether
                     the contractor is providing
                     required ADS-B products and
                     services and (2) evaluate
                     FAA's procedures for
                     determining payments to the
                     contractor.
------------------------------------------------------------------------
FAA Terminal        Our audit objective is to       Directed by the
 Modernization at    assess FAA's progress in        House Committee on
 Large TRACONs       ensuring STARS meets FAA        Appropriations
                     requirements at the 11 large
                     TRACONs and supports NextGen
                     capabilities.
------------------------------------------------------------------------
FAA's Oversight of  Our audit objectives are to     Requested by the
 Regional Airlines   evaluate FAA's process for      Ranking Members of
                     (1) identifying periods of      the House Committee
                     transition and growth at        on Transportation
                     regional carriers and (2)       and Infrastructure
                     adjusting its oversight to      and its
                     respond to changes in           Subcommittee on
                     regional air carrier            Aviation
                     operations.
------------------------------------------------------------------------
FAA's Actions To    Our objectives are to (1)       Requested by the
 Address ERAM        assess the causes of the        Chairmen and
 Outages             recent ERAM outages and         Ranking Members of
                     assess FAA's actions to         the House
                     address them and (2)            Transportation and
                     determine whether tradeoffs     Infrastructure
                     were made to ERAM's design      Committee, Aviation
                     requirements to meet revised    Subcommittee, and
                     implementation schedules, and   the Chairman of the
                     assess the delivery of new      Senate Committee on
                     NextGen capabilities called     Commerce, Science,
                     for in FAA plans.               and Transportation
------------------------------------------------------------------------
FAA's En Route      Our audit objectives are to     Requested by the
 Automation          determine (1) whether FAA has   Senate Committee on
 Modernization       effectively implemented         Commerce, Science,
 Program             security controls to address    and Transportation
 Information         weaknesses identified during
 Security Controls   our prior review of ERAM and
                     (2) what other security
                     weaknesses, if any, have
                     developed.
------------------------------------------------------------------------
FAA's Controller    Our audit objectives are to     House Appropriations
 Scheduling          (1) determine FAA's progress    Committee
 Policies            in adopting and implementing
                     a scheduling tool and (2)
                     identify any challenges that
                     will need to be addressed to
                     realize potential benefits.
------------------------------------------------------------------------
FAA's Process for   Our audit objectives are to     Required by the
 Staffing and        evaluate FAA's (1)              House 2017
 Placing             methodology for determining     Appropriations
 Maintenance         maintenance technician          Report
 Technicians         staffing levels and (2)
                     process for placing
                     maintenance technicians.
------------------------------------------------------------------------
FAA's Management    Our audit objectives are to     Self-Initiated
 of NextGen Pre-     assess FAA's procedures for
 Implementation      (1) selecting, justifying,
 Funding             and measuring the outcomes of
                     projects that received
                     developmental funding and (2)
                     overseeing the execution of
                     these projects.
------------------------------------------------------------------------
FAA's Oversight of  Our audit objectives are to     Self-Initiated
 the Passenger       review FAA's oversight of (1)
 Facility Charge     air carrier compliance with
 Program             collection and remittance of
                     PFC funds and (2) airport
                     operator compliance with the
                     use of PFC funds.
------------------------------------------------------------------------
FAA's Oversight of  Our audit objective is to       Self-Initiated
 Air Carrier Check   assess the effectiveness of
 Pilots              FAA's processes for approving
                     and overseeing air carrier
                     check pilots.
------------------------------------------------------------------------
FAA's Award and     Our audit objectives are to     Self-Initiated
 Oversight of        evaluate FAA's processes for
 eFAST               (1) awarding and (2)
 Procurements        overseeing eFAST
                     procurements.
------------------------------------------------------------------------
FAA's SE2020        Our audit objective is to       Self-Initiated
 Program Task        assess whether FAA's actions
 Order Award and     for awarding task orders and
 Oversight           overseeing the SE2020
                     acquisition program were
                     sufficient to meet its
                     program mission.
------------------------------------------------------------------------
FAA's Oversight of  Our audit objective is to       Self-Initiated
 Revenue Use at      assess FAA's oversight of
 ``Grandfathered''   grandfathered airports'
 Airports            compliance with Federal law
                     related to airport revenue
                     payments.
------------------------------------------------------------------------
FAA Controls Over   Our audit objectives are to     Self-Initiated
 Overflight Fees     assess FAA's policies and
                     procedures for (1) accurately
                     computing overflight fees,
                     (2) granting exceptions
                     appropriately, and (3)
                     collecting or referring fees
                     to Treasury for collection in
                     accordance with Federal laws
                     and regulations.
------------------------------------------------------------------------
Federal Highway Administration
------------------------------------------------------------------------
FHWA's Use of the   Our audit objective is to       Self-Initiated
 Emergency Relief    assess FHWA's processes and
 Program To          guidance for incorporating
 Improve             resilience improvements into
 Resilience          emergency relief projects to
                     rebuild damaged highway
                     infrastructure.
------------------------------------------------------------------------
FHWA Construction   Our audit objectives are to     Self-Initiated
 Force Account       (1) determine the scope and
 Oversight           magnitude of force-account
                     projects funded through the
                     Federal-aid Highway Program
                     and (2) assess FHWA's
                     processes for overseeing
                     compliance with Federal force-
                     account requirements.
------------------------------------------------------------------------
Federal Motor Carrier Safety Administration
------------------------------------------------------------------------
FMCSA's Commercial  Our audit objective is to       Required by the
 Motor Vehicle       determine whether FMCSA's       Consolidated and
 Driver Restart      design and implementation of    Further Continuing
 Study               the restart study complies      Appropriations Act
                     with the requirements of the    of 2015
                     act.
------------------------------------------------------------------------
FMCSA's             Our audit objective is to       Required by the
 Investigative       assess FMCSA's processes for    Consolidated and
 Practices for       ensuring that reviews of        Further Continuing
 High Risk           motor carriers flagged for      Appropriations of
 Carriers            investigation are timely and    2015. Also
                     adequate.                       requested by
                                                     Senator Dick Durbin
------------------------------------------------------------------------
Commercial Motor    Our objectives are to (1)       Mandated by the
 Vehicle Loading     assess available data on        Fixing America's
 and Unloading       motor carrier loading and       Surface
 Delays              unloading delays and (2)        Transportation Act
                     provide information on          of 2015
                     measuring the potential
                     effects of loading and
                     unloading delays.
------------------------------------------------------------------------
Federal Railroad Administration
------------------------------------------------------------------------
FRA's Acquisition   Our audit objectives are to     Self-Initiated
 and Use of          assess (1) FRA's acquisition
 Monitoring and      of MTACs through the Volpe
 Technical           National Transportation
 Assistance          Center and (2) FRA's
 Contractors for     management and use of
 High Speed          oversight services provided
 Intercity           by MTACs for HSIPR projects.
 Passenger Rail
 Grant Oversight
------------------------------------------------------------------------
FRA's Collection    Our audit objective will be to  Self-Initiated
 and Management of   assess FRA's collection and
 Railroad Safety     management of railroad safety
 Data                data.
------------------------------------------------------------------------
Federal Transit Administration
FTA's Oversight of  Our audit objectives will be    Self-Initiated
 Major Capital       to evaluate FTA's (1)
 Projects in the     processes for identifying and
 Western Regions     assessing major capital
                     projects' financial risks,
                     and reviewing and approving
                     grantee financial plans and
                     reports and (2) oversight of
                     grantees' mitigation of
                     financial risks.
------------------------------------------------------------------------
FTA Grantee: the    Our audit objective is to       Mandated by House
 Metropolitan        evaluate METRO's financial      Appropriations
 Transit Authority   condition and capacity,         Committee Report
 of Harris County,   including its ability to fund   114-129
 Texas               new services while
                     maintaining current
                     operations.
------------------------------------------------------------------------
FTA's Oversight of  Our audit objective is to       Self-Initiated
 Integrity           assess FTA's policies for the
 Monitors for        use of integrity monitors and
 Recipients of       evaluate the Agency's
 Hurricane Sandy     oversight of integrity
 Disaster Relief     monitors.
 Funds
------------------------------------------------------------------------
Office of the Secretary of Transportation
------------------------------------------------------------------------
Office of Small     Our audit objectives are to     Self-Initiated
 and Disadvantaged   assess OSDBU's (1) processes
 Business            for establishing the Centers
 Utilization         and (2) oversight of the
 Oversight of        Centers' compliance with
 Small Business      cooperative agreements and
 Transportation      achievement of program
 Resource Centers    objectives.
------------------------------------------------------------------------
Pipeline And Hazardous Materials Safety Administration
------------------------------------------------------------------------
PHMSA's Technical   Our audit objective is to       Required by the
 Assistance Grant    evaluate PHMSA's award and      Protecting Our
 Program             oversight of TAG funds.         Infrastructure of
                                                     Pipelines and
                                                     Enhancing Safety
                                                     Act of 2016
------------------------------------------------------------------------
PHMSA's Workforce   Our audit objectives are to     Required by the
 Management          determine (1) whether PHMSA     Protecting Our
                     has developed geographic        Infrastructure of
                     allocation plans, identified    Pipelines and
                     expected retirement rates,      Enhancing Safety
                     and developed recruitment,      Act of 2016
                     retention, and training
                     strategies for OPS to address
                     gaps and challenges, such as
                     hiring and time-to-hire
                     challenges, and (2) whether
                     previous periods of
                     macroeconomic and pipeline
                     industry conditions impacted
                     the ability to fill OPS
                     vacancies and the degree to
                     which special hiring
                     authorities, including direct
                     hiring authority authorized
                     by the Office of Personnel
                     Management, could have
                     alleviated such difficulty.
------------------------------------------------------------------------


    The Chairman. Thank you, Mr. Scovel, and thank you, all of 
you, for your remarks.
    Inspector General Scovel, the FACT Act required the 
Secretary of Transportation to officially certify NHTSA's 
implementation of all of the DOT OIG's recommendations 
regarding improvements to the agency's vehicle defect analysis 
process. Initially, then Secretary Foxx made the certification, 
but in response to my October 6 of last year, 2016, letter, 
your office reported that several of the recommendations 
remained open. In your testimony today, you noted that these 
recommendations remain open.
    Are there areas where NHTSA can still improve its defect 
analysis?
    Mr. Scovel. Thank you, Mr. Chairman. We appreciate the 
Committee's interest, of course, in NHTSA and ODI, and I recall 
specifically this committee's hearing back in June of 2015, hot 
on the heels of our audit report that found significant defects 
in the investigation and analysis section of NHTSA's Office of 
Defects Investigations.
    You're right, of course, that the Department had money at 
stake in terms of closing all 17 recommendations from our June 
2015 report. When Secretary Foxx made his certification, he 
correctly indicated that 12 had been closed, and five had been 
resolved. In audit terminology, that simply means that the 
Department and NHTSA had intended to close those remaining 
five.
    In fact, in response to your question to my office, we've 
renewed our examination of NHTSA and, of course, determined 
that five recommendations remained unanswered. They were still 
open, so they were not closed, and this Committee was correct 
in essentially taking the Department to task for that.
    Most of those open recommendations from that report had to 
do with the early warning reporting data. One recommendation 
had to do with the complaint review process in ODI. Those are 
all key, we assess, to ODI's continued effectiveness.
    Mr. Chairman, we also have two other open recommendations 
regarding ODI, and they stem from a report that we issued in 
the middle of 2016. We wanted to go back and look to an audit 
report that we issued to NHTSA in 2011, where we made a series 
of recommendations concerning their internal operations and 
pre-investigative processes. Two of those recommendations still 
remain open, and they have to do with the efficiency of NHTSA's 
own testing and documentation procedures.
    Taken as a whole, Mr. Chairman, all of those are going to 
be necessary for NHTSA to come to grips with the continuing 
challenges it faces regarding vehicle defects.
    The Chairman. Thank you.
    Inspector General Roth, in your testimony, you noted that 
TSA does not currently have, and I quote, ``an intelligence-
driven, risk-based'' security strategy for all modes of 
transportation, specifically highlighting the challenges of 
securing surface transportation and maritime facilities. Over 
the past year, your office has recommended the development of a 
cross-cutting, risk-based strategy that ensures that TSA is 
considering risks to all modes of transportation and allocating 
resources appropriately.
    What progress has TSA made in this area, and what are two 
immediate priorities you would like to see the new TSA 
Administrator address?
    Mr. Roth. Thank you for the question. We haven't seen a 
terrific amount of progress in this area, largely because the 
recommendations that we made were long-term and it will take 
some time for them to accomplish those recommendations, coupled 
with the fact that those reports are fairly recent in time.
    I think the biggest thing that TSA can do is build a risk-
based budget, which they have not done. Currently, about 80 
percent of their budget goes to aviation transportation, and 
only about 2 percent or 3 percent goes to surface 
transportation. We think that doesn't reflect the risk, and 
what we would vastly prefer is them to do a sort of white 
sheet, blank sheet of paper risk assessment across all modes of 
transportation and then build a budget in accordance with that, 
but that is a long-term project.
    The Chairman. Inspector General Lerner, you testified that 
the NSF needs to show continuing commitment to change the 
culture, in your words, in improving oversight of its fiscal 
management of large research facilities in order to maximize 
research investment. Your work in this area resulted in many 
new oversight requirements in the newly enacted American 
Innovation and Competitiveness Act.
    What grade would you give NSF for implementing OIG, 
National Academy of Public Administration, and congressional 
recommendations?
    Ms. Lerner. I think it's too early to give them a grade on 
implementation at this point. We are happy to see that they 
have guidance in place to address many of the issues that we 
have raised over the years through our recommendations and that 
the National Academy of Public Administration raised in its 
report. We are going to be looking right now to see how they 
are actually implementing that guidance since much of it is 
new, and we haven't had a chance to address the actions that 
they've taken and to see if things are actually working in 
accordance with the new guidance.
    The Chairman. So the grade is incomplete?
    Ms. Lerner. Correct.
    The Chairman. All right. My time has expired.
    Senator Nelson.
    Senator Nelson. Mr. Chairman, I'm going to defer my 
questions so our members can go ahead and get their questions 
asked.
    I just want to comment that so many of the things that you 
all have mentioned that you've been involved in, we have been 
totally involved in: perimeter defense on airports, Takata 
airbags, science, and so forth. And I just want an assurance 
from you all: will you agree or commit to immediately let the 
Chairman and me know if you face any future attempts to remove 
you from office for anything other than legitimate cause? Just 
go down----
    Ms. Lerner. I will.
    Ms. Gustafson. Yes, Senator.
    Mr. Roth. Yes.
    Mr. Scovel. Yes, Senator Nelson.
    Senator Nelson. Thank you.
    The Chairman. I think we have first up on this side Senator 
Blumenthal.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thanks, Mr. Chairman, and thank you for 
holding this hearing.
    Thank you all for your good work. You are ultimately the 
source of vigilance and enforcement against corruption and 
wrongdoing in our Federal Government without regard to partisan 
advantage and without respect to fear or favor from the 
President. You should be independent and assured of protection 
from the Congress and ultimately accountable to the American 
people. So I want to join my colleagues in thanking you for 
your vigilant independence but also asking you to report to us 
any attempts to impede or intimidate you in your vital work.
    The outstanding recommendations, Mr. Scovel, with regard to 
NHTSA--those are significant recommendations, are they not?
    Mr. Scovel. They most certainly are.
    Senator Blumenthal. And are there timelines for completing 
them?
    Mr. Scovel. Yes. In fact, NHTSA has exceeded the timelines 
that we and they agreed to when we delivered our audit report 
to them back in 2015.
    Senator Blumenthal. Thank you.
    Mr. Scovel. They're over time.
    Senator Blumenthal. Mr. Roth, you indicated that the 
security checks, the covert testing that you've done at airport 
checkpoints, have produced results that are, to quote you, 
``troubling and disappointing.'' Those results are still 
secret, are they not?
    Mr. Roth. Yes, they are.
    Senator Blumenthal. Shouldn't they be disclosed?
    Mr. Roth. That is not a decision for me to make. Certainly, 
any time that you disclose these kinds of vulnerabilities, 
there is a risk that would be involved in there. But, again, 
the fact of classification is done by TSA and not by our 
office.
    Senator Blumenthal. Can those results be made known to 
members of this Committee in a classified setting?
    Mr. Roth. Absolutely.
    Senator Blumenthal. Well, I'm going to request that you 
make them known to us, that we schedule an availability.
    Mr. Chairman, I certainly will avail myself of it.
    You're now engaged in another round of covert testing 
around the country?
    Mr. Roth. That's correct.
    Senator Blumenthal. When will those results be done?
    Mr. Roth. We're hopeful that we will get them out in the 
spring, or at least complete our testing in the spring, and 
then write up the report and then present that report to the 
Department, ultimately to the Congress.
    Senator Blumenthal. I understand that you do not use words 
like ``horrendous'' or ``unacceptable.'' That about as strong 
as you generally are is to use words like ``troubling'' and 
``disappointing,'' which sound to the ordinary person like an 
understatement. But that's pretty strong language for you, 
isn't it?
    Mr. Roth. It was. In our previous covert testing, for 
example, we stopped the covert testing about 80 percent of the 
way through because the results were so alarming that we 
thought we needed to brief the Secretary immediately. We did 
and got very positive results.
    Senator Blumenthal. So ``alarming'' is not too strong a 
word to use.
    Mr. Roth. Apparently not, yes.
    Senator Blumenthal. I am very concerned by the fact of the 
President's announcement about your tenure and its potentially 
inhibiting effect on the work that you do and, especially, on 
whistleblowers. Whistleblowers perform an essential function 
for your offices as well as for law enforcement, do they not?
    Mr. Roth. They absolutely do.
    Senator Blumenthal. I want to ask all the members of the 
panel--and, unfortunately, time doesn't permit me to give you a 
detailed opportunity to respond. But would you agree with me 
that the protections for whistleblowers ought to be 
strengthened? And we can just go down----
    Ms. Lerner. Yes, Senator.
    Ms. Gustafson. Yes, Senator. I do not think the protections 
can be too strong. I think that whistleblowers have to be 
protected.
    Mr. Roth. I would agree with that.
    Mr. Scovel. And I too would agree, sir.
    Senator Blumenthal. Let me ask you, Mr. Scovel--and this is 
a somewhat detailed question, but I think important. The 
President owns several planes, a 757; several helicopters; a 
small Cessna. They all require routine FAA inspections, and 
they're all more than 20 years old. The Washington Post 
reported last month that agency officials at the FAA are afraid 
of reprisals from the new president if they fail to certify 
these aircraft as safe for flying.
    We all remember that one of the President's planes, before 
he was President, lapsed last year--the registration lapsed 
last year, and it was temporarily grounded by the agency. Could 
you tell the Committee what you are doing to ensure that the 
FAA does proper inspections of the planes that are owned by the 
President and that the FAA's safety office avoids any sort of 
abuse or compromise? Because the flying public deserves to know 
that the law is being rigorously enforced.
    Mr. Scovel. Absolutely, sir. Our office has worked with FAA 
and provided oversight of FAA and its aviation safety 
inspection business for many years now. We have an active 
hotline operation center. As, of course, you know, we get over 
5,000 contacts a year. To date, we have received no contacts 
from FAA and aviation safety inspectors pertaining specifically 
to President Trump's aircraft or the inspection procedures that 
may apply to those.
    However, I would like to go on record in this setting and 
speaking in response to your question, but aiming my remarks to 
anybody in the FAA who has to do with aviation safety, whether 
it's safety inspections of the President's aircraft or in any 
other capacity, that they know they can call on us. In 2008, we 
did some landmark audit work and investigation work as well 
specifically pertaining to aviation safety inspections--
allegations that FAA inspectors had been, in our terminology, 
overly collaborative with officials of Southwest Airlines, 
foregoing certain inspections, and as a result, aircraft were 
being flown with cracks in the fuselage.
    We substantiated some of those allegations, but we also 
worked very closely with whistleblowers from within FAA's 
aviation safety division and provided testimony in hearings 
both in the House and the Senate along those lines. I can 
assure this Committee, and I wish to encourage anyone from FAA 
who has concerns about FAA's oversight of safety matters from A 
to Z, that our office is a place that they can turn.
    Senator Blumenthal. Thank you very much.
    Thank you all for your service to our Nation.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Blumenthal.
    Senator Wicker is up next.

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Thank you, Mr. Chairman.
    Ms. Gustafson, you began your testimony talking about 
FirstNet. Let me follow up. As we know, FirstNet was 
established by the Fiscal Cliff Bill in 2012, tasking FirstNet 
with building and operating a nationwide public safety 
broadband network. RFPs were issued to the private sector 
entities last year. Am I correct that states do have the option 
to opt out of FirstNet network deployment provided these states 
build their own radio access networks?
    Ms. Gustafson. That is exactly right, Senator. Once the RFP 
has been awarded and the details are out, the states are going 
to have the option to opt out and take the responsibility of 
building the network themselves with the requirement that they 
meet the FirstNet requirements. But, yes, there is an opt-out 
provision.
    Senator Wicker. Particularly interoperability requirements.
    Ms. Gustafson. Yes.
    Senator Wicker. Now, on December 5, 2014, the Department of 
Commerce OIG issued a report discussing missteps the Board made 
following the establishment of FirstNet. OIG conducted an 
investigation following allegations concerning conflicts of 
interest and inappropriate contract procedures. In light of the 
December 2014 report's findings, FirstNet entered into a 
Memorandum of Understanding pursuant to the Economy Act with 
DOC OIG.
    On June 8 of last year, DOC OIG staff informed the 
Committee staff that FirstNet had decided to cancel the MOU, 
believing that the startup difficulties the organization had 
faced were now resolved. Am I correctly informed that that, 
indeed, did take place, and as a result, will OIG continue to 
have a dedicated FirstNet team?
    Ms. Gustafson. You are correct, Senator. My understanding 
is that it did take place, but that did not change our 
responsibilities or our intent on overseeing FirstNet. We still 
have a dedicated team. We are undergoing reviews now and again, 
as I had noted in my opening statement, when this contract is 
awarded for tens of billions of dollars, we will continue our 
oversight. The only wrinkle for us is that now it becomes 
something that we have to oversee with the one-year funds that 
we are given by Congress. But it is----
    Senator Wicker. And that's the result, and the only result, 
of this cancellation of the MOU.
    Ms. Gustafson. It requires some shifting of priorities with 
our money. But FirstNet is a top management challenge, it is a 
huge risk, and it remains high on our list and subject to 
oversight by us, yes.
    Senator Wicker. Does the OIG have cooperation not only from 
FirstNet but other parts of the Department of Commerce?
    Ms. Gustafson. Yes. My understanding is that we are having 
no issues whatsoever with cooperation either from FirstNet or 
from the other bureaus.
    Senator Wicker. Keep us informed on that.
    Ms. Gustafson. Absolutely.
    Senator Wicker. And, Mr. Scovel, let me ask you about 
unmanned aircraft systems. We've called it various things, but 
now I think the term we're supposed to use is UAS. Is it true 
that although there has been demand for civil UAS operations, 
there is still no practical test that operators take?
    Mr. Scovel. That is correct, Senator. Some operators are 
required to take a knowledge test, but not a practical test in 
terms of going out to the field and demonstrating that they can 
safely fly and operate a UAS or a drone.
    Senator Wicker. Now, I'm told by my friends at Mississippi 
State University that there are a number of UAS Centers of 
Excellence which have test sites at 23 locations across the 
country, including Mississippi, North Dakota, Kansas, Indiana, 
and New Mexico, to name a few states represented on this 
Committee. Wouldn't those be good centers to develop 
demonstration processes and provide the practical tests 
necessary?
    Mr. Scovel. They very well might, and the Centers of 
Excellence that were created by Congress in FAA legislation 
several years ago were designed with just that in mind. FAA, I 
know, has encouraged industry and other stakeholders to 
consider using these Centers of Excellence for any and all 
purposes UAS related.
    Senator Wicker. This is not a decision that requires 
statutory change, is it?
    Mr. Scovel. I don't believe it does. But what it does 
require would be continued partnership--and I say continued 
because FAA, to its credit, has engaged in substantial 
partnership already with the burgeoning UAS industry--but 
continue that partnership between FAA, industry stakeholders, 
and, of course, the Centers of Excellence themselves to see how 
the facilities and capabilities of the Centers might serve the 
needs of industry as they seek to grow the business.
    Senator Wicker. Thank you, sir.
    The Chairman. Thank you, Senator Wicker.
    Senator Blunt is up next.

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. Thank you, Chairman.
    Mr. Scovel, on the NextGen system, your office issued a 
report that chronicled some of the FAA's failures in 
coordinating research and development for implementing that 
system. You said they lacked, ``a clear process of identifying 
high priority R&D to support NextGen.'' You made a number of 
recommendations as to what needed to be done to get this on 
track. Do you have any sense that any of these recommendations 
have been followed to date?
    Mr. Scovel. Yes. Thanks for the question. NextGen has 
become a perennial concern of my office, the Secretary's 
office, and, of course, FAA. It began its existence years ago 
after being billed as a transformational effort for U.S. 
airspace modernization. Since then, it's become more of an 
infrastructure replacement program, if you will.
    It has been a murky process almost from the get-go, and 
FAA, because of how it has contracted with the six 
transformational systems comprising NextGen, how it has 
segmented those into smaller and smaller pieces that don't 
allow the Congress and the Secretary and industry stakeholders 
the opportunity to see how all of these will eventually link 
together, how much they will all cost, and what the benefits of 
the total package may be, and what the final scheduling may 
be--all of that has been uncertain. We've issued report after 
report with many recommendations. FAA has concurred and 
executed on most of those. Clearly, a lot of work remains to be 
done.
    Senator Blunt. Is it your view that this is just too big a 
project for them, or they can't set the short-term goals that 
move us toward a conclusion? You know, this is constantly 
something out there that can't seem to be accomplished.
    Mr. Scovel. It has been a long, hard haul for FAA. I don't, 
however, believe that it's a matter, necessarily or inherently, 
beyond their capability. Due to some missteps perhaps early on 
in contract planning and acquisition management, FAA may have 
gotten off to a bad start.
    Thanks to a partnership that I referred to earlier between 
an organization called the NextGen Advisory Committee and the 
agency itself, they now have a clear roadmap for the most 
immediate improvements to airspace management that can be 
provided through some of the NextGen initiatives. FAA is doing 
its best to execute on those. The timing certainly isn't what 
industry would prefer, but there are certain aspects of the 
effort by FAA that are simply beyond FAA's control or any other 
entity's control if they were to assume responsibility for 
managing this part of NextGen.
    Senator Blunt. So does that mean the project is just too 
big?
    Mr. Scovel. No, I don't think it's too big, sir.
    Senator Blunt. But you just said it was beyond anybody's 
ability to control it. That sounds like to me it would be too 
big.
    Mr. Scovel. Certain aspects of it. But what I meant to 
say--and thanks for allowing me to clarify it. For instance, 
when industry states its highest priority is the installation 
of performance-based navigation in its aircraft and at FAA 
facilities at airports--so that they can use curved approaches 
to land instead of having to come in with a straight-in 
approach, that's great, and it will certainly help capacity and 
probably timing.
    However, when communities in the vicinity of airports 
experience significant noise--new noise for the first time or 
at different hours--they do resist, they do protest, and they 
do bring lawsuits. It wouldn't matter whether FAA or another 
organization is presiding.
    Senator Blunt. All right. Let's talk about GPS for just a 
minute. In 2015, the Department of Transportation and the 
Deputy Secretary of Defense announced that they would be 
working to build an alternative system to GPS in case there is 
a disruption to the current system. Can you give me an update 
on that?
    Mr. Scovel. I don't have an update on that, sir. I would 
need to get back to my office and communicate further with FAA. 
I do know that part of NextGen's allure is that it will move 
from ground-based radar up to----
    Senator Blunt. Well, now, I'm talking about--OK. Go ahead.
    Mr. Scovel. Yes. The ADS-B system, which is a keystone of 
NextGen, is based on satellite technology and GPS. However, the 
Department now is exploring ways to use a multi-phased array 
radar, which may be the alternative--or at least a backup, 
providing some redundancy--to GPS satellites. FAA has a ways to 
go in order to be able to integrate this multi-phased array 
radar technology into air traffic control and the modernization 
effort. So I think that's what you're referring to.
    Senator Blunt. It is, and my question for the record will 
be if this commitment made in 2015--concerned about the current 
dependency that so many people have with GPS. Are they moving 
forward with a backup system if the current GPS system goes 
down? I don't remember the last time----
    Mr. Scovel. Yes.
    Senator Blunt.--I looked at a roadmap. But I would hope I 
would have one if the GPS system no longer was there for me to 
rely on every time I go somewhere new and often when I go 
somewhere I've been before.
    Mr. Scovel. Right.
    Senator Blunt. Thank you.
    The Chairman. Thank you, Senator Blunt.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you for having this hearing.
    I want to start out with one of the Executive Orders and 
how it has affected some of the airworthiness issues. There 
have been press reports that airworthiness directives that have 
been finalized by the FAA but not yet published in the Federal 
Register were pulled back after the White House issued the 
Executive Order freezing new regulations on January 20.
    Mr. Scovel, have you looked into this, and do you agree 
that airworthiness directives are really critical to safety and 
they should be released to the public?
    Mr. Scovel. Airworthiness directives are absolutely 
critical to the safety of the flying public. And, in fact, we 
view them--and I believe FAA does, too--as, in effect, a 
release valve or a safety valve.
    When the President's Executive Order suspended, at least--
or whatever term may apply--the issuance of new regulations, 
new rulemakings, we were cheered because FAA, of course, had as 
an option in appropriate instances the capability to issue 
airworthiness directives. They customarily require a long lead 
time and extensive coordination with industry to make sure they 
get it right. But my understanding is that FAA may have paused 
on the issuance of ADs but intends to proceed with that and 
will use them in appropriate instances instead of rulemakings.
    Senator Klobuchar. Yes, I don't think any new directives 
were issued until yesterday, which was two and a half weeks 
later.
    Mr. Roth, in your testimony, you note that TSA is 
responsible for screening travelers and baggage for over 1.8 
million passengers a day at 450 of our Nation's airports. 
There's an Executive Order freezing almost all Federal hiring. 
Reports indicate that there are significant concerns that this 
freeze applies to the TSA and could impact security and 
efficiency. In your view, how could the hiring freeze impact 
TSA and our homeland security?
    Mr. Roth. I don't know whether it, in fact, applies to TSA 
or not. But, certainly, what we saw last spring was increased 
lines at checkpoints as a result of an insufficient number of 
transportation security officers. I think the line wait is 
highly sensitive to the number of personnel you have checking 
the baggage and checking the personnel, which I think is pretty 
much common sense.
    Senator Klobuchar. Ms. Gustafson, a similar question on the 
International Trade Administration. We worked really hard, a 
number of us, bipartisan, on steel dumping and trying to get 
those tariffs, which are very complicated, enforced. It has 
made a difference. We've brought back about half our iron ore 
workers, and I know Wilbur Ross in his hearing signified his 
commitment. How could a Federal hiring freeze impact the 
International Trade Administration's ability to respond to 
increased steel dumping?
    Ms. Gustafson. Well, as you know, Senator, the 
International Trade Administration does have a compliance and 
enforcement arm that is charged with trying to enforce those 
laws. I have not looked into what the net effect would be as 
far as if there are going to be immediate impacts on the 
personnel. But, surely, less people working on enforcement 
would be a huge problem for the enforcement being done and 
being done in a timely manner.
    Senator Klobuchar. Thank you.
    Mr. Roth, it has been widely reported that the Department 
of Homeland Security was not asked to provide technical 
assistance or guidance in the drafting of the Executive Order 
on refugees. In your role as Inspector General, you're charged 
with ensuring integrity and efficiency at the Department of 
Homeland Security. Your office announced you will review the 
implementation of the Executive Order. In your experience, 
what's the typical process for drafting and implementing policy 
that affects hundreds of thousands of people like this Order 
did?
    Mr. Roth. I don't have any background on that. Our work in 
this area is simply going to be from the execution or the 
signing of the Executive Order moving forward. In other words, 
it's going to be specifically DHS-focused. What were they told, 
sort of, on the ground? When were they told it? When the court 
orders and the injunctions came in, how was that information 
communicated? And then as a separate piece, we'll be doing 
misconduct investigations to the extent that we find officers 
or agents acting contrary to the instructions that they were 
given.
    Senator Klobuchar. OK. My last question here for all of 
you: As we enter a new administration with new leadership at 
your agencies, are you committed to exercising independent 
judgment in your investigations as you have done in the past?
    Ms. Lerner. Yes, Senator, each and every day.
    Ms. Gustafson. Absolutely, Senator Klobuchar.
    Mr. Roth. Yes.
    Mr. Scovel. Yes, we will, Senator.
    Senator Klobuchar. Thank you.
    The Chairman. Thank you, Senator Klobuchar.
    Senator Cantwell.

               STATEMENT OF HON. MARIA CANTWELL, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Cantwell. Thank you, Mr. Chairman. Thanks for 
having this hearing and thanks to all the witnesses this 
morning.
    I always bring up this comment by the late Commerce 
Secretary Ron Brown that he was the Secretary of Commerce, but 
if he was getting a call from a Member of Congress, it was most 
likely about fish. In Mr. Ross' confirmation process, he, in my 
office, said, ``Yes, I'm having many conversations with my 
colleagues about fish.''
    So I wanted to ask you, Ms. Gustafson--in your testimony, 
you clearly outlined the lack of stock assessments being 
completed by NOAA and the challenges that NOAA faces in 
ensuring how we move forward with various stakeholders if we 
don't have those stock assessments. So my question is: What are 
some of the challenges that we're going to face by not having--
or not facing up to this issue of--stock assessments?
    Ms. Gustafson. Senator Cantwell, I am in the same boat--I 
hate to say boat since we are talking about fish--as Mr. Ross 
in that I, too, in the spring when I was going through 
confirmation was shocked to learn how crucial fish was as far 
as commerce, because it is not the first thing that comes to 
your mind if you are just beginning to know Commerce. I know 
that I did get some questions during my confirmation hearing 
about some concerns about the fisheries and the councils. 
Before I was confirmed, we actually had a request from Senator 
Blumenthal and other members of the Connecticut delegation 
about doing some work in that regard.
    So I am still getting my arms around the fish assessment 
process. I do know that we have planned some work. It will be 
concerning the Gulf States Marine Fisheries Commission. But we 
will be conducting enhanced stock assessments of the fisheries 
in the Gulf, and that is going to allow my office to examine 
the stock assessment process. I am hoping that will help me 
have some answers for the members who this is so crucial to 
their economy and to their constituents.
    Senator Cantwell. I think your testimony has it right. You 
say, ``NOAA continues to face challenges to ensure timely and 
accurate assessments, providing consultation to stakeholders,'' 
and so as you've learned and everybody has learned, these are 
big economic issues for various regions represented on this 
Committee. And without the proper stock assessments, we can't 
make decisions about how to move forward on catch, which 
impacts jobs, impacts regional economies, and, obviously, 
impacts consumers, ultimately, as well.
    I bring this up because I know that Mr. Ross also mentioned 
a lot of questions about making sure that international 
intervention in our fisheries market--that there were things 
that he wanted to do. So, anyway, one thing we can do is get 
stock assessments done. So we'll be happy to follow up with you 
on that. But thank you for including it in your testimony.
    Mr. Roth, one thing I wanted to bring up--we've talked 
about the TSA and airport lines, and Sea-Tac is one of the 
fastest growing airports, I think, 3 years in a row now. One of 
the things that we've used is the canine units. These are 
incredibly important, not just for ease of moving quicker TSA 
lines, but also as a deterrent. As we can see in the Belgium 
explosion and other instances, these dogs can detect those 
kinds of materials.
    We are behind, though, or let's just say the demand is 
outpacing our ability to train. Do you think we need to look at 
alternative training sites to meet the TSA standard?
    Mr. Roth. I would agree with you that TSA has sort of been 
behind the curve with regard to canines. They are doing more 
and more of that. They've been shifting, for example, some 
canines from commercial, sort of, freight air to passenger 
operations. It works very well in conjunction with expedited 
screening where you don't go through the AIT but you actually 
just go through the walk-through metal detector. But there are 
significant challenges, and there's a significant ramp-up. So 
that is an area that I think TSA ought to be studying to see 
whether or not they need greater capacity.
    Senator Cantwell. Or third-party testing sites?
    Mr. Roth. Correct.
    Senator Cantwell. OK. Thank you.
    Mr. Scovel, NTSB just made a decision on the findings of 
the North Dakota accident, basically saying that the axle break 
was part of the issue. Do we need more enforcement of 
inspections in the transportation sector?
    Mr. Scovel. We do. Are you referring specifically to rail 
and hazmat transport?
    Senator Cantwell. Yes.
    Mr. Scovel. Of course, yes.
    Senator Cantwell. Crude by rail, specifically.
    Mr. Scovel. Yes. FRA is challenged like all the safety 
regulators in the Department of Transportation to target most 
efficiently and effectively its limited inspector resources. It 
has to be a data-driven and risk-based analysis that determines 
where and how and how frequently those inspectors will be used. 
But, yes, more can be done, of course.
    Senator Cantwell. Well, we'd like to follow up with you on 
more details to that. For those of us in the northern tier 
states with so much traffic and so much product and the issue 
of these explosions, we definitely want to make sure we have 
ample people covering those inspections.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Cantwell.
    Senator Inhofe.

                 STATEMENT OF HON. JIM INHOFE, 
                   U.S. SENATOR FROM OKLAHOMA

    Senator Inhofe. Thank you, Mr. Chairman. Let me share a 
thought with you for the benefit of our witnesses and those who 
may be here observing that we have a little bit of a problem in 
that we have nine members of this Committee who are also on 
Environment and Public Works. We're meeting at exactly the same 
time. Now, I chaired that Committee for a number of years, and 
this is a problem with this many, and I'm hoping we'll be able 
to change that. But that's the reason you see a lot of members 
coming in and going out.
    One of the things we dealt with over there for a long 
period of time--and, quite frankly, it's differed between 
Democrats and Republicans on the Committee, but I'm a 
conservative Republican, and I chaired the Committee. So the 
over-regulation that we're dealing with on a regular basis--
well, I see that in the jurisdiction of this committee, too.
    So, Mr. Scovel, in any period of rapid technology changes, 
one of the problems I've seen is we're not willing to discard 
the old, and we continue on some of the older practices that we 
don't, you know, have anymore. A good example--in addressing 
our pipeline problems, our nation's regulatory framework--
several decades ago, they established what they call a class 
location system rule for natural gas and pipeline operators.
    Now, it has long since been superseded by new technology. 
They have something right now called the ``Smart Pig'' 
technology, where they can go in and measure the strength of 
the pipeline without having to go through the very expensive 
operation. Now, the problem is that even though they have the 
new technology that can be used, they're continuing to use the 
old technology.
    So are there any other regulations in FMCSA that perhaps 
are no longer necessary but we have not had the foresight to do 
away with them? Any you can think of?
    Mr. Scovel. Thank you, Senator Inhofe. I am aware of the 
example you just cited. It's perhaps the most glaring example 
of the problem that you just described. My office has not 
maintained, specifically with respect to FMCSA or, indeed, 
across the Department, any kind of inventory or list of 
regulations that may be outdated.
    Senator Inhofe. Now, could you do that?
    Mr. Scovel. We could, working with the Department, see what 
we could do by way of an audit report along those lines. I will 
say, too, that with regard to FMCSA, we have looked really at 
the opposite side of the coin that you described, and that has 
to do with FMCSA's ability to enact the rulemakings that, in 
many instances, were mandated by the Congress or by NTSB, and 
its inability to do so in a timely manner and in an effective 
way.
    So it's really not the same problem that you described. We 
did extensive work on that over the last year-plus and found 
problems with FMCSA's ability to do that. And, specifically, 
the material strength problem that you just described, which 
was the subject of a congressional mandate--FMCSA has not yet 
passed a final rule on that. But in conjunction with that, that 
would be an opportunity, specifically, on the older technology 
and the older----
    Senator Inhofe. OK. Well, real quickly, I want to--I 
appreciate that very much. So let's have a chance to visit 
personally about this, because we have some other examples 
also.
    Now, since 2008, the EPA and the DOT have taken an 
increasingly heavy hand in regulating the auto industry with 
greenhouse gas emissions standards and CAFE standards. And just 
days before President Trump's inauguration, the EPA issued a 
final determination. It was about a year earlier than they were 
supposed to do it. It was supposed to be in 2017, but in 
October or November is when we anticipated that would happen. 
My personal feeling is that they did that, wanting to get it 
done before the change was made.
    So I would ask you: How does EPA's sudden departure from 
the previously announced process for reviewing the requirements 
impact the ability of NHTSA to engage on this issue?
    Mr. Scovel. I don't have inside knowledge on what EPA's 
actions or motivations might have been. However, with regard to 
DOT's part in CAFE rulemaking, clearly, now it appears the ball 
is in NHTSA's court, and they have the opportunity to move 
forward in appropriate ways. But they'll need to reconcile what 
they may be able to do now with what EPA has apparently done 
and see how they can advance.
    Senator Inhofe. Well, all right. But what I'd request is 
that you look into that to see what problems came with the 
premature evaluation that they made.
    The last thing--I know my time has expired. But for the 
record, I'd like to suggest that our drone technology is not as 
good as it is in some other countries. Just recently, Rwanda--
their government enabled a drone company to begin delivering 
blood and plasma to rural clinics.
    So there are a lot more things that we could do, and I'd 
just like, for the record, to have you respond as to what might 
be the problem in moving along with technology that we see in 
the U.K. and other countries and perhaps be able to do that 
here in this country.
    Mr. Scovel. We'd be happy to take that question, sir.
    Senator Inhofe. Thank you.
    Senator Inhofe [presiding]. Senator Booker.

                STATEMENT OF HON. CORY BOOKER, 
                  U.S. SENATOR FROM NEW JERSEY

    Senator Booker. Thank you, Chairman Inhofe, and I agree 
with you wholeheartedly about the drone technology uses going 
on and the innovation outside of our country. We in America, 
frankly, should be leading on that, and I appreciate that.
    I also want to thank the panel just for your work. You are 
truly extraordinary Americans that provide a vital role, 
especially to issues of safety and security, and I'm thankful 
for some of the commentary that's already been made about our 
airports.
    Mr. Roth, I would like to direct some questions to you from 
what I consider not only a frustrating experience, but 
something that I think really goes at the core of our democracy 
and the checks and balances of our government. About a week 
ago, President Trump issued an Executive Order that temporarily 
banned the entry into the United States of people from seven 
majority Muslim countries--I'm sure you are aware. It 
temporarily halted the refugee resettlement program and 
permanently excluded refugees from coming into the United 
States from Syria.
    This Order, called by many a ``Muslim ban''--whether it's 
an anti-refugee ban or whatever label you want to put on it--
clearly triggered nationwide protests and legal challenges and 
is working its way through the courts right now. At the time 
the Order was released, I was here at a very curious tradition 
in Washington called the Alfalfa Club, and I left that when I 
heard about what was going on at Dulles Airport. I also had 
been informed that there had been in the state of Virginia a 
court order that was issued, a temporary restraining order, 
that specifically said that the people being detained--many of 
them were allegedly not just green card holders, but some of 
them, including children, were actually citizens of the United 
States who were being detained along with family members for 
hours at a time--have access to attorneys, but that court order 
was being violated.
    When I got to Dulles Airport, the Executive Order clearly 
was issued. I had a copy of it in my hand and sought to meet 
with Customs and Border Patrol employees, but they declined to 
meet with me, and they declined to explain, frankly, why they 
were violating a Federal court order. My experience, though, 
was not unusual. In fact, press reports have indicated 
widespread confusion, and there's evidence that officials in 
other places were ignoring court orders to provide counsel to 
immigrants or potentially to United States citizens detained at 
the airport in the wake of this Order.
    So, Inspector Roth, you are a lawyer and former Federal 
prosecutor. Would you agree with me that if CBP officials were 
aware of a court order and failed to comply with the Order, 
then the court order factually was violated? Would you agree 
with me on that?
    Mr. Roth. That's my understanding as a lawyer. Obviously, 
it would have to be intentional, that is, knowing, in fact, 
that a court order existed and then choosing not to follow that 
court order, if that's correct.
    Senator Booker. OK. So when I arrived with Judge Brinkema's 
Order in hand, which I showed to officials, it was shuttled 
back to Customs and Border Patrol. So I know that they saw the 
Order before refusing to meet with me. And I wonder, do you 
agree with me that if they saw that Order from a Federal judge, 
just factually--in your experience as a lawyer--that is a 
violation of that Order? If the facts that I'm relating to you 
are correct, and they saw the court order and still refused to 
allow lawyers back to meet with the people they were detaining, 
many of them for hours--that fact pattern is a violation. 
Correct?
    Mr. Roth. Yes.
    Senator Booker. Now, Inspector Roth, you opened a review 
into the implementation of this Executive Order regarding 
refugees and the seven countries that were involved, including 
a look at whether Federal officials engaged in misconduct or 
failed to comply with court orders. Can you just for a moment 
elaborate on your review and specifically tell me that with the 
fact pattern I've relayed to you--what actions could you take 
to hold CBP officials accountable? What are the consequences 
for such violation?
    Mr. Roth. Sure. Our inquiry is two parts. One is a systemic 
inquiry. Who knew what when? How was the information 
transmitted to the field? At what times did the various ports 
of entry understand, one, the Executive Order, and then, two, 
the variety of different court orders as they came in. So that 
is sort of a systemic look that we're taking.
    But, as you note, we're also taking a look at what we would 
call misconduct investigations, which is something that we do 
hundreds of times a year, is investigate instances in which an 
individual CBP officer engaged in misconduct, and, certainly, 
knowingly violating a court order would be, in my view, 
misconduct. So we are going to be looking at those things. It's 
still very much in the early stages as to what it is that we're 
looking at.
    But the IGs don't impose discipline on individuals. We 
would, of course, recommend to the Department or find facts and 
then give that to the Department for them to institute whatever 
disciplinary actions would have to be taken against individual 
members. Now, if there is a clear violation of law, we'll refer 
that to the U.S. Attorney's office and the Justice Department 
to determine sort of the appropriate stance there.
    Senator Booker. Thank you very much, sir. My time has 
expired.
    The Chairman [presiding]. Thank you, Senator Booker.
    Senator Cortez Masto.

           STATEMENT OF HON. CATHERINE CORTEZ MASTO, 
                    U.S. SENATOR FROM NEVADA

    Senator Cortez Masto. Thank you.
    Thank you for joining us today. And let me first of all say 
thank you for what you do. It is such an important task that 
you undertake. I was the Attorney General for the state of 
Nevada, and one of the roles I had was the investigation and 
prosecution of waste and fraud in our Medicaid programs. So I 
know what you do is so important for the taxpayers, and it is 
important oversight.
    One of the things, however, I want to talk to you about--
and I'm going to throw one question out to all of you--which 
has been a concern of mine is cybersecurity threats that you 
have talked about and the concern that Federal agencies are not 
appropriately meeting these demands. Can each one of you talk 
about the agency that you're overseeing and the concerns about 
whether and how they're meeting those demands and what should 
be done or could be done to address cybersecurity threats?
    Ms. Lerner. At NSF, as many of my other colleagues do, each 
year, we do an assessment of the agency's information security 
program through the FISMA audits, and we have had many repeat 
findings over the years and, in particular, some relating to 
information security in Antarctica. The agency is aware of 
these issues, and we are engaged in constant communications 
with them about what can be done.
    Some of the issues, especially those in Antarctica, will 
hopefully be addressed when they renovate the facilities down 
at McMurdo. But it will be an ongoing area of back-and-forth 
between us and the agency to address these issues.
    Ms. Gustafson. Thank you, Senator. At the Department of 
Commerce, exactly as at the Small Business Administration, 
where I was Inspector General before coming to Commerce, I see 
security as a top management challenge. I think that is across 
the board. We have done several reviews in this area, and what 
Commerce suffers from, again, tends to be similar to what other 
agencies have, which are legacy systems that are very hard to 
protect and just kind of longstanding problems when the ball 
continues to move, as far as, you know, the cybersecurity 
threats keep changing.
    So the key for us is going to be for the Department to 
continue to make that a focus and for the message from the top 
to be that it is going to be taken seriously. I think that is 
going to be the best thing that Commerce can do, and it is 
certainly something we will continue to work on.
    Mr. Roth. For DHS, we've been challenged because of the 
breadth of what it is that we do and the number of different 
separate organizations that don't really work as a single team. 
I will have to say that the Department, for its own IT systems, 
has made considerable improvement in the last two years. But 
there still needs to be considerable work done.
    For example, in our last report, with regard to the 
Department's IT systems, we noted that they reduced the number 
of computer systems that were operating without an authority to 
operate, which is really like a driver's license. It's a 
certification by the head--the CIO that, in fact, this system 
meets all the requirements under Federal law for IT security. 
They reduced that by a significant percentage, but there are 
still 79 systems within DHS without authorities to operate, 
which is somewhat like flying a plane without an airworthiness 
certificate. It's not something that you ought to do, because 
you have no assurances that that information is secure.
    That's one part of it. So they're continually challenged 
there. They're continually challenged with acquisition of IT, 
and we've done a lot of work with regard to that. If you can't 
acquire the IT, you can't secure it.
    And then the third aspect we have within the Department is 
that they have the governmentwide responsibility for securing 
the dot-gov e-mail addresses, for example, and the dot-gov 
networks. They have a program called, ``Einstein 3 
Accelerated,'' which is a significant program that's supposed 
to be detecting intrusions and then rejecting them. We haven't 
done work on that, but the GAO has done work on it that has 
been fairly critical of whether or not it, in fact, works.
    So those are all our challenges as we move forward.
    Mr. Scovel. Thank you, Senator. Cybersecurity for DOT is 
one of our top challenges and one that we are continually 
focused on. DOT is challenged, like every other agency in 
government. The technology moves very fast, like Inspector 
General Gustafson mentioned. Legacy systems always pose 
challenges, too. The number of recommended changes that we have 
made to the Department continually exceeds their ability to 
respond appropriately.
    Across a number of cybersecurity domains, my techies, if 
you will, have cited problems for me and the Department. Risk 
management is one. Inspector General Roth mentioned systems 
operating without authorization. The same is true at DOT. The 
number has risen from 10 to 70 over all of our 450-plus systems 
in the Department since 2011. When it comes to identity and 
risk management, DOT, as well, is deficient. The PIV card or 
the multifactor identification capability that our ID cards 
provide--only 30 percent of the Department's systems are 
enabled to require PIV card access to those systems.
    Continuous monitoring of networks, which Inspector General 
Roth also mentioned for DHS, is a problem as well for the 
Department of Transportation. Incident handling and reporting--
we have found significant instances both within the Department 
and, specifically, at FAA, which is a significant problem area 
for the Department and cybersecurity because of its 
independence and also because FAA's air traffic control systems 
are critical infrastructure, as that term of art is used in the 
cybersecurity world.
    When there was a significant fire at an air traffic control 
center--a high-altitude, long-distance center in Chicago--and 
the system had to shut down for a couple of weeks, that was an 
incident that was not reported to the Department of Homeland 
Security, for instance.
    Finally, contingency planning. This would be one of my top 
three challenges for the Department. It keeps me awake at 
night. Fewer than--well, 14 percent of the Department's systems 
have proper contingency plans, and they've been tested 
effectively. The other 86 percent are deficient, in our 
estimation.
    Senator Cortez Masto. Thank you. I see my time is up, but 
this is a concern of mine that keeps me up at night and that I 
don't think we're paying enough attention to.
    So, Mr. Chairman, I know my time is up. I've got additional 
questions, if it's all right to be able to submit those in 
writing.
    The Chairman. Yes, absolutely.
    Senator Cortez Masto. Thank you.
    The Chairman. Thank you, Senator Cortez Masto.
    Senator Capito.

            STATEMENT OF HON. SHELLEY MOORE CAPITO, 
                U.S. SENATOR FROM WEST VIRGINIA

    Senator Capito. Thank you, Mr. Chairman, and thank all of 
you.
    I'd like to start with Inspector Gustafson of Commerce. I'm 
very proud of the role that my state of West Virginia plays as 
a backup facility for NOAA and, particularly, backing up some 
of the data and processing that the satellite receives, the 
GOES-R satellite.
    You mentioned in your testimony the challenges that NOAA 
has faced in launching that, and it was postponed, and then I 
noticed that the next one that's scheduled will not be 
launching for another year. I just wanted to sort of dig into 
that a little bit more. Can you summarize your thoughts and 
concerns about where this--obviously, it's a concern to the 
everyday American, as this is satellite data that helps us 
predict flash floods, save lives and property, and other 
things? So if you could expound on that a little bit.
    Ms. Gustafson. That is exactly right. The NOAA satellites 
are crucial, not just so that you know if you need to wear a 
coat tomorrow. But it is a health, safety, and very big 
monetary issue. There are two big satellite programs at NOAA, 
as you noted, the GOES and Polar System satellites, one system 
where the launch of the first JPSS was just pushed back again 
to September.
    So some of the issues that happen when you begin to have 
these pushbacks is that there is a possibility of a gap in 
coverage, where some of the satellites up there are old and 
have exceeded their life already. They are still working, but 
they have exceeded their life expectancy. But that is coupled 
with the very, very large expense of these systems--billions of 
dollars. But I think what is crucial for NOAA is that it 
continues to take the lessons learned from each satellite so 
that it can be applied--because these are all a series of 
satellites and a series of very large acquisitions. One of the 
themes that you will see in our reports is that it is important 
that NOAA be understanding the risks, alleviating those risks, 
and making the adjustments needed such that the next satellite 
following is learning from some of the difficulties that these 
satellites have had that have caused them the slippage in their 
launch, for example.
    Senator Capito. The impression I got from reading your 
testimony--I'm sorry I wasn't here when you all were giving 
your testimony--was that the last satellite that was delayed 
then had to borrow from the funding from the next satellite. Is 
that right? So it sort of stalls out not just the technical 
aspects of it, but the funding aspect of it as well?
    Ms. Gustafson. The funding is always tricky for the 
satellites because it is so much money; especially when we are 
in an environment where we are working under CRs. That has 
caused some difficulties for the satellite programs, where the 
funding is not available at the beginning of the fiscal year. 
That caused some difficulty with some of the satellite planning 
and the activities because they were working under a short-term 
continuing resolution. So NOAA is constantly, again, doing that 
balance of planning for the future but making sure that the 
work is getting done today.
    Senator Capito. Right. I'd like to continue with you, 
please, on a different topic. In 2010, our state received 
$126.3 million in the BTOP program with funds through NTIA as a 
result of the American Recovery and Reinvestment Act, and we 
also received $42 million to construct an open access middle 
mile. Even with this investment, our state is ranked the 
lowest, if not the lowest, near the bottom, in terms of 
broadband deployment.
    What kind of measurement of success--when you're flushing 
out $126 million--did Commerce do with these funds to find out 
they were being deployed for the actual purposes for which they 
were meant?
    Ms. Gustafson. Senator, I would like to give you a better 
answer than I could possibly give you right here with three 
weeks into my tenure.
    Senator Capito. Yes, that's fair.
    Ms. Gustafson. I do know that the important thing on those 
issues, especially the BTOP grants, is they will have a direct 
impact and, again, hopefully will lead to lessons learned for 
the very big FirstNet program and the National Public Safety 
Broadband Network program. That is why we are doing some work, 
as I noted in my written and my oral testimony, on that to make 
sure that, again, we are learning.
    And I think, when I was looking at Mr. Ross' testimony when 
he was before you as the nominee, one of the things he said 
that kind of stuck with me was if it cannot be measured, it 
cannot be managed, which is something I actually had not heard 
before. But I thought that was actually a pretty insightful 
thing. I do not know whether he made it up, but I think it was 
a good thing.
    So I think that whether there are metrics is something that 
is important to look at. I do not know regarding the BTOP 
program if my office before had looked at it.
    Senator Capito. And just, finally, since I'm running out of 
time, Inspector Scovel--and I'm not going to ask the question. 
But, if I had the time, I would ask this question: What kind of 
deep dive has been done in terms of the intent of Congress to 
alleviate some of the permitting issues to make them concurrent 
rather than consecutive and to save money, time, and get more 
completed projects? I'll just submit a written question along 
that line to see where you are on that and where the Department 
is as well.
    Mr. Scovel. Thank you. We do have some information that may 
help you.
    Senator Capito. Thank you.
    The Chairman. Thank you, Senator Capito.
    Senator Cruz.

                  STATEMENT OF HON. TED CRUZ, 
                    U.S. SENATOR FROM TEXAS

    Senator Cruz. Thank you, Mr. Chairman.
    Mr. Scovel, a few minutes ago, you raised the 
vulnerabilities at the FAA to cyber threats and cyber 
terrorism. Can you describe those vulnerabilities and what 
steps we need to take to guard against them?
    Mr. Scovel. Some of the work that we've done, quite 
honestly, Senator, has been in the SSI arena. It's the 
sensitive security information. We'll be happy to provide that 
in more detail in a closed setting.
    However, what I can say--and this is work that dates back a 
while that we've refreshed over the years--is that FAA 
essentially maintains two systems, two networks. One, on the 
administrative side, more open to the public, operates the 
agency itself. The air traffic control system is designed to be 
a closed environment and impenetrable to malefactors, if you 
will. In effect, my techies have been able to, through the 
administrative system, come right up to this supposed firewall 
between the two, between the administrative and the operating 
systems, and they concluded that had they wished to at the 
time, they could have entered the air traffic control 
modernization area.
    So perhaps we could elaborate more on that with you in a 
closed setting. But that's the essence, that's the 
vulnerability, and FAA's air traffic control system has been 
designated critical infrastructure in the technical sense, and 
it's the only such system, I believe, within the Department of 
Transportation to merit that distinction. So it's absolutely 
critical.
    Senator Cruz. Well, that certainly is dismaying. I would 
definitely like to follow up on the classified context. It's 
not lost on anybody the catastrophic loss of life that a 
successful cyber attack on air traffic control could 
potentially lead to.
    Let me shift to a related topic, which is in November of 
last year, your office issued a report on the FAA's NextGen 
program. In that report, you found that despite the fact that 
the FAA has identified what it calls transformational programs 
intended to provide new capabilities for air traffic control, 
and despite the fact that it has invested over $3 billion in 
these transformational programs since 2007, the total cost, 
benefits, and timelines for the programs are still uncertain. 
My understanding is that the cost estimates for the programs 
are now somewhere in the range of $6 billion, with the time for 
implementation beyond 2020.
    Can you please elaborate for the Committee on the problems 
you identified in your review of NextGen?
    Mr. Scovel. Yes. I could speak for a long, long time about 
it, unfortunately, but I will keep it short. In fact, the 
numbers that you quoted, sir, can be updated. Even more 
recently, FAA's total cost estimate--very tentative in our view 
at this point still--is $20 billion for the agency, with 
completion pegged between 2025 and 2030, perhaps.
    Senator Cruz. And that's a forward-looking estimate? Is 
that $20 billion new dollars?
    Mr. Scovel. No, that would be total.
    Senator Cruz. Total.
    Mr. Scovel. Already invested from about 2003 on. For 
industry, about $15 billion more. Caveat that with the fact 
that several years ago now, an internal study to FAA, worst 
case scenario, pegged the total cost for NextGen at $100 
billion to be split between the agency and industry. Right now, 
FAA cost and scheduled completion is still undetermined.
    FAA, to its credit, has undertaken continued partnerships 
with the aviation industry and has determined to focus on four 
key priorities that could be completely in place perhaps by the 
early 2020s. And if that were to happen, that would be a 
significant benefit and advantage to the American aviation 
industry.
    Beyond that, however, the ADS-B system, which is a 
cornerstone for the entire modernization effort, would still 
need to be finalized. That would push it into the middle 2020s, 
with requirements still to be determined, and without those key 
requirements, then the benefits to industry, who will have to 
equip--after all, it's not just hardware that the agency is 
buying, but----
    Senator Cruz. So two final questions. Can you describe the 
benefits to the country that NextGen modernization could 
provide? And you also made recommendations for better 
management within the FAA to produce NextGen. Can you describe 
those recommendations?
    Mr. Scovel. Yes. The advantages are greater capacity, time 
and speed savings on the part of the flying public, arguably 
better enhanced safety across a number of vectors. If all of 
those were to come into place, the country would be much better 
served in terms of its air traffic control system.
    Your second question, sir, had to do with our 
recommendations to FAA for improved management. We have issued 
them by the dozen. The agency has implemented many, many of 
them, with still others yet to go. We will continue to keep our 
eye on it and work with the agency to do all we can to advance 
the effort.
    Senator Cruz. Thank you very much.
    The Chairman. Thank you, Senator Cruz.
    Senator Duckworth.

              STATEMENT OF HON. TAMMY DUCKWORTH, 
                   U.S. SENATOR FROM ILLINOIS

    Senator Duckworth. Thank you, Mr. Chairman, for convening 
this very important meeting.
    The Inspector General Act established IGs in our agencies 
to provide leadership and to promote economy, efficiency, and 
effectiveness in the administration of agency programs. The 
faithful execution of this duty requires political independence 
so that IGs and their staffs can properly prioritize and ferret 
out waste, fraud, and abuse wherever it may occur.
    That's why I was so gratified to see Inspector General Roth 
respond swiftly to my request for a comprehensive investigation 
into the Federal Government's chaotic implementation of 
President Trump's immigration Executive Order, more commonly 
known as the Muslim ban, an EO that the courts are now 
examining closely because it may not honor the protections the 
Constitution guarantees.
    Mr. Roth, after this hearing, would you provide my staff 
with an update on how the investigation is going?
    Mr. Roth. We can give you an update as to the general 
parameters, what it is that we're looking at, and our proposed 
timelines, our estimated timelines. The specifics of the actual 
investigation--because it's an investigation, we never want to 
sort of preview what it is until it's finally over. But we're 
happy to give you what information we can.
    Senator Duckworth. Thank you. I appreciate that.
    This question is for the entire panel. The administration 
is reportedly seeking to find cost savings by slashing program 
offices that politically or philosophically do not fit in their 
worldview or short-term political agenda. At Commerce, the 
administration is looking to eliminate the Minority Business 
Development Agency, the Economic Development Administration, 
the International Trade Administration, and the Manufacturing 
Extension Partnership.
    At NASA, there are even reports that President Trump would 
entirely eliminate all climate research. At Transportation, 
they may be looking at phasing out the Federal Transit 
Administration, slashing Federal surface transportation 
spending, and eliminating operating subsidies to Amtrak and 
funding for TIGER.
    Look, instead of draconian, politically driven cuts, I know 
that your work as IGs has led to the correction of wasteful 
practices and elimination of inefficiencies. Could each of you 
quantify or describe the savings and efficiencies that your 
oversight has resulted in within your own agencies, just some 
examples?
    Mr. Scovel. Sure. Thank you, Senator. Our office--in the 
last fiscal year, our return on investment, if you will, was 
$54 to $1, which means that we were able to identify fines, 
restitutions, or recoveries on the criminal side, and on the 
administrative side, we were able to find recommendations for 
funds to be put to better use or question costs that, together, 
amounted to $54 for every appropriated dollar that came to the 
OIG, and that's just, of course, within the Department of 
Transportation.
    Within the Federal Highway Administration, one of our key 
findings and recommendations had to do with a $4.4 billion 
total package having to do with how that operating 
administration in DOT administers part of its grant program 
called Preliminary Engineering and how, essentially, money was 
being left on the table in the various states. So that's a 
significant example, a key one.
    Another one would have to do with delinquent debt. We did a 
study last year that determined that DOT's delinquent debt, 
which comprises on the administrative side of things like civil 
penalties, payroll overpayments--on the other side, it had to 
do with other grants and loans that may have been offered by 
the department to states and localities. All together, that 
amounted to almost half a billion dollars in terms of 
delinquent debt that the department was not properly following 
up on and making efforts to collect.
    So those are a couple of examples, and we would, again, 
marry that up with what our return on investment has been for 
the OIG, the taxpayer, and the department.
    Senator Duckworth. Fifty-four dollars for every dollar 
spent--that sounds like a good deal for the American taxpayer.
    Mr. Scovel. Thanks.
    Senator Duckworth. Thank you for the hard work that you do. 
How is the hiring freeze affecting your ability to carry out 
your duties?
    Mr. Scovel. Right now, we're feeling a squeeze, but not too 
much, thankfully. However, as time goes on, it certainly will. 
Even beyond the hiring freeze, which, right now, as you know, 
has been labeled as temporary, we are most concerned about the 
longer-range budget problem. Seventy-five percent of my budget 
goes to payroll and salary and expenses for our people.
    We have no hardware. We have no programs. We have no 
grants. What we are able to produce for you and for the 
Secretary in keeping with my statutory mission to keep you 
fully and currently informed is criminal investigations and 
audit reports. That's produced by our people, and when we 
suffer budget cuts, that means fewer people. Inevitably, it 
means fewer audit reports and criminal investigations, which 
will impinge on your ability to stay fully and currently 
informed.
    Sadly, our very recent experience in terms of sequestration 
with all of this--in my office, we imposed a hiring freeze that 
lasted about 18 months to get us through that without any 
furloughs or RIFs of our existing staff. We were successful in 
doing that. But it did mean that we had to put the squeeze on 
the audit reports that we were able to generate in response to 
requests and our own self-initiated work.
    So it's a prospect that I don't look forward to. Of course, 
we'll do what we have to, and I promise this Committee and 
others we will do all we can with what we've got, but beyond 
that, it's a physical impossibility. But thanks for your 
interest, though.
    Senator Duckworth. Thank you. I'm out of time. I would ask 
the other panelists to submit your answers for the record. But 
it sounds like you're a good deal for the American taxpayer.
    Thank you.
    The Chairman. Thank you, Senator Duckworth.
    I'm going to go to Senator Blumenthal again in just a 
minute. But I want to follow up, Mr. Roth, with a response to 
Senator Booker's questions. You underscored that actual 
knowledge of a valid court order would be necessary to a 
finding of misconduct by a particular CBP officer. Would you 
agree that such inquiries are necessarily fact specific?
    Mr. Roth. Well, they're absolutely fact specific, which is 
why we're conducting the inquiry. We have agents flying out to 
the various airports that were affected by this to conduct 
interviews and understand, sir, what the timeline is, who knew 
what when, and how that works.
    The Chairman. And I know you answered yes to Senator 
Booker's question about his own efforts to transmit a court 
order to CBP. But would you agree that having a U.S. Senator 
hand a paper copy of a court order to a frontline employee or a 
non-lawyer would, at a minimum, be extraordinary and might 
necessitate some prudent checking with CBP's chain of command 
before any action, or before any intentional misconduct should 
be imputed?
    Mr. Roth. We are going to investigate all the facts and 
circumstances behind this, and, typically, what we do is write 
a report that shows all the facts and circumstances, and then 
we transmit it to the Department for their assessment and 
determination of whether any discipline is necessary.
    The Chairman. So you would check with their chain of 
command in the process?
    Mr. Roth. Right. As we do these interviews, obviously, we 
interview the individual CBP officer, but we'd also interview 
all the way up the chain of command so we have an understanding 
of the context by which all this happens.
    The Chairman. All right. Thank you.
    Senator Blumenthal.
    Senator Blumenthal. Thanks, Mr. Chairman.
    Mr. Roth, a court order is binding on all employees of the 
Department of Homeland Security, is it not?
    Mr. Roth. That's my understanding, yes.
    Senator Blumenthal. Well, it's a pretty simple question. 
It's not a ``gotcha'' question. There's no trick answer here. 
It is binding. It is binding not only on DHS employees, 
generally, but on the United States Customs and Border 
Protection officials, specifically. And would you agree with me 
that making an employee of the CBP aware of the law by anyone 
is a proper action?
    Mr. Roth. Again, this is highly fact specific. Like any 
kind of inquiry like this, as you know from your background, 
there are a lot of different circumstances. For example, there 
might be an advice of counsel defense, for example, that may 
play in. We simply don't know, and I think it's probably not 
particularly productive to speculate as to what the facts are 
going to show until we get the facts.
    Senator Blumenthal. My office has received reports that 
numerous law enforcement officers at the Customs and Border 
Protection reportedly have been illegally arresting, detaining, 
and intimidating innocent individuals arriving in the United 
States. Are these activities ongoing, to your knowledge?
    Mr. Roth. I can't answer that question. I have no knowledge 
one way or the other as to whether that's continuing as we go. 
I will say that these kinds of----
    Senator Blumenthal. But you've received those reports?
    Mr. Roth. We received a number of allegations, not simply a 
Senate referral, but we received a number of allegations from 
individuals as well as organized groups as to the conduct of 
CBP, which is why we opened the investigation. It's really no 
different from the kinds of investigations we do every day.
    Senator Blumenthal. Roughly, how many reports have you 
received?
    Mr. Roth. I can't estimate at this point.
    Senator Blumenthal. Is it in the tens or the twenties or 
single digits?
    Mr. Roth. It's not single digits, but I really can't give 
you an accurate answer.
    Senator Blumenthal. So more than 10?
    Mr. Roth. That's my understanding as we sit here. It's well 
more than 10, yes.
    Senator Blumenthal. I'm not holding you to a number here. 
I'm just interested in the general volume of the complaints.
    Mr. Roth. Right. And what we're getting to is some 
nongovernmental organizations who are compiling various 
complaints by individuals who were affected by this and then 
transmitting those to us.
    Senator Blumenthal. Wouldn't it be helpful to have a clear 
pledge from the Department of Homeland Security and the 
Department of Justice as to the provisions of these court 
orders and a clear commitment to respect and abide by these 
rulings of the courts?
    Mr. Roth. Our inquiry is going to be largely focused on 
those first 3 or 4 days. My understanding, again, just from 
reading the media, is that, in fact, that statement has been 
made, that there is a commitment to obey lawful court orders. 
But, again, it's going to be highly fact-based, when people 
received knowledge of these orders and what they did as a 
result of those orders. That is going to be the focus.
    Senator Blumenthal. And you'll keep us informed about what 
the results are?
    Mr. Roth. Absolutely.
    Senator Blumenthal. Thank you.
    Just finally, to follow the issue that Senator Nelson 
raised, I've been reviewing the letters that you sent to him in 
response to his inquiry to you, and I noted that each of you 
were informed that your services would be needed only on a 
``temporary basis,'' and that was July--I'm sorry, January 13, 
2017. Correct?
    Ms. Gustafson. Senator Blumenthal, I was not contacted. 
Just to be clear, I did not receive a phone call or anything 
else.
    Senator Blumenthal. You did not?
    Ms. Gustafson. No.
    Ms. Lerner. And I also did not receive any information 
speaking about being retained temporarily. What I heard, 
ultimately, was that I was staying.
    Senator Blumenthal. Have you received anything in writing?
    Ms. Lerner. No.
    Senator Blumenthal. Have you?
    Ms. Gustafson. No, Senator.
    Senator Blumenthal. Mr. Roth and Mr. Scovel, you were 
informed that you would no longer be needed, correct?
    Mr. Roth. Correct.
    Senator Blumenthal. And then you were subsequently informed 
that you would remain on the job?
    Mr. Roth. That's correct.
    Mr. Scovel. In my case, Senator, I was informed, and I 
quote, that I was ``being held over on a temporary basis.'' 
That was late on the evening of Friday, January 13. The 
following Wednesday, the eighteenth, I was told verbally that I 
would be remaining in office.
    Senator Blumenthal. Who informed you? Was that Justin Clark 
who informed you on the thirteenth that you would be held over 
on a temporary basis?
    Mr. Scovel. No, it wasn't. It was a member of the 
Presidential transition team for DOT. His name was Marcus 
Lemon.
    Senator Blumenthal. And in your case, Mr. Roth?
    Mr. Roth. It was the head of the DHS transition team whose 
name is Michael Dougherty.
    Senator Blumenthal. And who subsequently informed you that 
you would stay on the job?
    Mr. Roth. Mr. Dougherty, after I actually reached out to 
him that following Wednesday--was unaware of some of the 
developments that occurred, so he needed to get back with me. 
Took about an hour, and then he called me back and he basically 
said disregard the previous message.
    Senator Blumenthal. And in your case, Mr. Scovel?
    Mr. Scovel. Again, it was Mr. Lemon. I was meeting with the 
transition team on an unrelated matter, and in a side bar 
discussion mentioned it again to Mr. Lemon, and that's when he 
gave me what I took to be reassurance that I would remain in 
office.
    Senator Blumenthal. Has anyone on this panel received 
anything in writing providing you with assurance that you will 
remain in your present position?
    Mr. Scovel. I've received nothing in writing, sir.
    Mr. Roth. No, Senator.
    Ms. Gustafson. No, Senator.
    Ms. Lerner. No, Senator.
    Senator Blumenthal. Wouldn't it be helpful to have 
something, given that you have been informed that your jobs may 
be in jeopardy, in writing?
    Mr. Scovel. Perhaps. I should say I don't really need it. I 
recall back in 2009, I received nothing in writing, either, and 
I was in office as IG at DOT. Sir, my commission that hangs on 
the wall over my desk says that I serve during the pleasure of 
the President of the United States for the time being. I 
understand my individual status simply to be on a day-to-day 
basis at the pleasure of the President.
    I do understand that the Congress has important 
institutional and larger governmental reasons to be interested 
in the continuation of Inspectors General, and I greatly 
appreciate your questions along these lines. The scope of any 
removal action or the reasons for it are certainly of larger 
interest. For me, as an individual, though, it's steady as she 
goes, business as usual.
    Senator Blumenthal. Well, I have far exceeded my time, and 
the Chairman, as usual, is very gracious and generous, and I 
appreciate it.
    But I want to suggest that every Inspector General ought to 
be assured and given a commitment in writing that they will 
continue in office unless the President decides, for some 
reason relating to misconduct of that Inspector General, that 
he or she should be removed, because of not only the comfort 
level it will give you, but also the effect on morale and 
commitment of the people who work for you. And as much as we 
thank you for your service, I want to thank also the folks who 
work with you, because their service also is absolutely 
essential to keep government honest. This comment has nothing 
to do with Republican or Democratic administrations, but it's 
the reason why I suggested that whistleblower protection should 
be enhanced and why protection for you should be made clear.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Blumenthal, and as I noted 
in my opening statement, I agree, and I think the IGs have 
confirmed that the transition team quickly corrected the 
comments about the IGs being held over temporarily. But as in 
any administration or multiple administrations, the Office of 
Inspector General ought to be something that is treated with 
respect indifferently, and I am grateful--we have, in the 
previous administration, the Obama administration, in its first 
months in power, fired an Inspector General at AmeriCorps 
during an investigation of a prominent supporter of the 
President, and that's the kind of thing we don't want to see 
happen. So I'm glad that you're receiving confirmation that 
you're going to stay in your positions and keep up the 
important and great work that you and your offices do.
    I have one final question for Mr. Roth, and it has to do 
with something that happened just recently, and that is that 
TSA announced that this month, it will be limiting access to 
pre-check expedited screening lanes to travelers enrolled in a 
trusted traveler program. It's basically removing those who may 
have had access through frequent flyer programs. We support 
robust vetting of pre-checked enrollees, but TSA has also 
struggled to expand the roles of those in the trusted traveler 
programs.
    Will you commit to monitoring the impact of these changes 
on airport checkpoint wait times and long lines?
    Mr. Roth. This is the first we've heard of this. Obviously, 
this has been a matter of some concern for us--who is entitled 
to expedited screening and who is not. There used to be a 
fairly robust program of randomly selecting passengers to go 
through expedited screening. We thought that was an 
unacceptable risk. We asked them to take it out.
    We had a number of recommendations with regard to expedited 
screening. As I sit here, I can't recall whether the frequent 
flyer mile people, who received it as a result of having a 
status in frequent flyers, was part of our recommendation. So 
I'll have to get back to you specifically.
    But I may candidly have made a recommendation that those 
individuals who are unvetted in any other way--and they're 
different than, for example, trusted traveler programs that are 
run by CBP, for example, or Federal employees who have a 
certain level of clearance. Those who have a gold sort of 
frequent flyer status sometimes get expedited screening by the 
virtue of that and that alone. We are not 100 percent sure that 
that represents an acceptable risk. But I certainly will be 
happy to take your comments back.
    The Chairman. Thank you. This is something that--we all saw 
examples of some of the long lines that occurred, and there has 
been an effort to try and move people more into the PreCheck 
Program. But we would also want to ensure that the programs 
that are used to expedite travelers through wait lines are 
ensuring that the people are vetted appropriately.
    Well, thank you all for your testimony and for the great 
work that you and your offices do. You obviously get a very 
good return for the American taxpayer, and we appreciate that. 
We'll look forward to hearing from you again, I'm sure, in the 
future.
    I would also say to any members--Senators who perhaps 
aren't here but I'm sure members of their staff are--that if 
there are additional questions that they want to submit for the 
record, get those in. And upon receipt, if we could have all of 
you respond as quickly as possible, that would be greatly 
appreciated.
    So thank you so much for your time and for your testimony. 
And with that, this hearing is adjourned.
    [Whereupon, at 12:05 p.m., the hearing was adjourned.]

                            A P P E N D I X

     Response to Written Questions Submitted by Hon. John Thune to 
                         Hon. Allison C. Lerner
    Question 1. From 2011 until 2016, Lockheed Martin held the 
Antarctic Support contract, NSF's largest. At that time Leidos took 
control of the contract. What is your assessment of Lockheed's 
performance over its contract term? Are there improvements Leidos can 
make?
    Answer. NSF, through the United States Antarctic Program, manages 
U.S. scientific research in Antarctica. The Antarctic Support Contract 
(ASC) was awarded to Lockheed Martin in December 2011 and is NSF's 
largest contract, valued at nearly $2 billion over 13 years.
    We have not conducted a comprehensive assessment of Lockheed's 
performance over its contract term. Our 2015 audit that assessed the 
effectiveness of NSF's oversight of Lockheed's performance in ensuring 
the overall health and safety of USAP participants concluded that 
Lockheed's performance was generally effective and did not recommend 
any significant improvements.
    In 2016, Leidos Holdings, Inc. and Lockheed Martin's Information 
Systems & Global Solutions business segment merged. Our FY 2017 audit 
plan includes an incurred cost of the Antarctic Support Contract and we 
are planning future audit work to examine issues related to the merger.

    Question 2. At the hearing, you mentioned the importance of 
strengthening the cybersecurity of government information and systems. 
What are the most important steps the Director should take to increase 
the effectiveness of the agency's cybersecurity programs?
    Answer. The most important steps NSF could take to ensure that it 
increases the effectiveness of its cybersecurity programs, would be to 
devote sufficient resources to correcting security vulnerabilities and 
to follow up to be certain that the Foundation implements proposed 
corrective actions in a timely fashion to ensure the integrity of its 
information and systems.
    NSF agreed with the six recommendations in our FY 2016 Federal 
Information Security Management Act (FISMA) evaluation to strengthen 
controls necessary to protect its data from unauthorized access. 
Significant recommendations included development of policies and 
procedures for privileged account access to ensure that the right 
people have the proper level of access to NSF systems and developing a 
process to ensure that system vulnerabilities are remediated in a 
timely manner. We received NSF's corrective action plan in February 
2017 and have issued a memo resolving the recommendations. The FY 2017 
FISMA evaluation will assess NSF's implementation of its proposed 
corrective actions.
    The confidentiality, integrity, and availability of NSF's data is 
crucial to NSF's ability to fulfill its mission. Thus, it is essential 
that NSF manage information security risk effectively throughout the 
organization. Complicating this effort is NSF's reliance on various 
technologies and service providers to support its Information 
Technology environment.

    Question 3. As your respective offices issue recommendations based 
on audit and investigation work, what steps do you take to ensure that 
the recommendations are discrete tasks that are feasible for the agency 
to implement in a reasonable timeframe?
    Answer. We take several steps to ensure that our recommendations 
are discrete tasks feasible for NSF to implement in a reasonable 
timeframe. Our recommendations are tied directly to our findings, which 
we discuss with NSF management during the course of the audit. We also 
discuss recommendations with NSF management and may revise 
recommendations, as appropriate, based on the agency's feedback to our 
draft report.
    Once we issue a report, we communicate frequently with NSF 
management during the audit resolution process to help ensure that our 
recommendations are addressed in a reasonable timeframe. In 2010, OIG 
and NSF management established a Stewardship Collaboration, comprised 
of staff from NSF's financial division and OIG's Office of Audits, 
which meets monthly to discuss current issues and identify possible 
barriers to resolving audit recommendations. This forum has helped 
resolve a number of audit recommendations more efficiently and helped 
ensure that NSF takes corrective actions in a timely manner.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Deb Fischer to 
                           Allison C. Lerner
    Question. Inspector General Lerner, your testimony references the 
Intergovernmental Personnel Program. I am concerned that this program 
could be a significant source of waste, fraud, and abuse at the 
Foundation. For example, the Foundation has paid salaries of up to 
$440,000 for members of the program and has funded a significant amount 
of travel for them as well. What steps is the Foundation taking to 
reduce the risk of waste, fraud, and abuse in this program and where do 
you think they can improve?
    Answer. In response to our 2013 and 2016 recommendations, NSF has 
taken steps to reduce IPA costs. In October 2016, NSF announced that it 
would start a pilot program to require institutions to contribute a 10 
percent cost share for IPAs' salaries and fringe benefits and NSF will 
eliminate lost-consulting reimbursements in new IPA agreements. In 
addition, in 2016 NSF limited IPA travel to the home institution under 
the Independent Research and Development Program to 12 trips per year.
    As a next step toward lowering IPA program costs, NSF could 
evaluate other cost saving measures recommended in our 2013 and 2016 
audits, including limiting the annualization of IPA salaries to 
comparable Federal pay rates and closely reviewing what it pays for IPA 
fringe benefits.
    Our audits have not identified fraud in the salaries paid under the 
IPA program.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Dean Heller to 
                           Allison C. Lerner
    Question. A difficulty for Inspectors General across Federal 
agencies has always been getting the information they need and pushing 
back on the agency when they dispute the IG's claims.
    It's something I've seen frequently at the Department of Veterans 
Affairs, and I've always felt very strongly that IG's must be willing 
to confront agencies to get the information they need to conduct a full 
investigation.
    Have any of you had difficult accessing the information you need to 
hold your agency accountable and are there tools you need from Congress 
to increase transparency?
    Answer. During my tenure as IG at NSF, my office has not had 
difficulty accessing information needed to hold NSF accountable. 
Additionally, the agency has not significantly delayed IG access to 
information or objected to IG access. I would add that the NSF Director 
recently reinforced OIG's access authorities by re-issuing a directive 
to all staff, reminding them, among other things, to fully and promptly 
comply with all OIG requests for documents, interviews, briefings, and 
other information and materials.
    We appreciate the Committee's support for IGs in general and for 
our office's oversight efforts to strengthen accountability and 
safeguard scarce Federal research dollars. We also grateful for the 
provisions in the Inspector General Empowerment Act that affirm and 
clarify IGs' access to necessary information in a timely manner.
    Response to Written Questions Submitted by Hon. Bill Nelson to 
                           Allison C. Lerner
    Question 1. According to the Inspector General Act of 1978, the 
role of an IG is to detect and prevent waste, fraud, and abuse at 
Federal agencies and conduct these duties in a nonpartisan manner. IGs 
also have an obligation under the IG Act to keep Congress fully 
informed about issues at their agencies. Can I count on you to be 
nonpartisan and independent when carrying out your duties?
    Answer. The National Science Foundation Office of Inspector General 
is an independent entity and reports directly to Congress and the 
National Science Board. As the NSF IG since 2009, I have always taken 
my responsibility to be nonpartisan and independent very seriously,. As 
you know, Inspectors General are selected on the basis of their 
demonstrated expertise in areas outlined in the Inspector General Act 
of 1978, as amended, and without regard to political affiliations.
    My office is committed to providing rigorous, independent 
nonpartisan oversight of the National Science Foundation (NSF). Our 
mission is to conduct independent audits and investigations of NSF's 
programs and operations and to recommend corrective actions to promote 
effectiveness and efficiency and prevent and detect waste, fraud, and 
abuse. Consistent with our statutory mandate, the OIG has an oversight 
role and does not determine policy or engage in management activities 
involving the Foundation or program operations.

    Question 2. Can I count on you to keep me and this Committee fully 
informed about pending issues and whistleblower complaints at your 
agencies?
    Answer. My office is committed to keeping Congress informed about 
pending issues and whistleblower complaints. With respect to pending 
issues, each year OIG identifies the most serious management and 
performance challenges facing NSF based on our audit and investigative 
work, general knowledge of the agency's operations and evaluative 
reports of others, including the GAO and NSF's various advisory 
committees, contractors, and staff. We articulate these challenges, as 
well as the progress NSF has made in responding to them, in our 
September Semiannual Reports to Congress.
    In addition, our annual audit work plan summarizes the audits, 
evaluations, and inspections we hope to undertake during the upcoming 
year. Given the changing environment in which we operate, the audit 
work plan is meant to be a flexible document; we may modify it to 
address high-priority issues that come up during the year or to respond 
to requests from Congress, NSF, the National Science Board, or other 
stakeholders. We also meet regularly with congressional staff to 
discuss ongoing issues and emerging areas of concern.
    Whistleblowers can be a valuable resource for exposing waste, 
fraud, and abuse. We take whistleblower complaints seriously and OIG 
educates NSF employees about whistleblower protections at presentations 
for new NSF employees; through information and resources on our public 
website; and by assisting NSF with annual Office of Special Counsel 
training. We will continue to keep the Committee informed about 
whistleblower complaints at NSF.

    Question 3. A relatively stagnant budget means that the NSF has to 
make tough choices between maintaining older research facilities and 
bringing new facilities online. This year the NSF is considering 
divesting two older observatories--the Arecibo Observatory in Puerto 
Rico and the Greenbank Observatory in West Virginia. Both of these 
research facilities produce good science and can play a part in 
important missions, like detecting near Earth asteroids. Is there a 
robust process to make decisions about divesting facilities that 
considers all the benefits of maintaining these facilities?
    Answer. Our Office of Audits plans to examine NSF's decision 
process for divesting large research facilities as we continue our work 
focused on the Foundation's cooperative agreements for large facility 
research projects. We started this work with audits of the proposed 
budgets to construct these projects. Pre-award oversight is especially 
important as the proposed budget for these projects, once approved by 
NSF, creates the basis upon which awardees can draw down advanced funds 
over the course of the award.
    The audits disclosed serious deficiencies in the proposed budgets 
for these projects, which led us to examine NSF's cost surveillance 
throughout the lifecycle of large facility projects. For example, 
audits of three of NSF's large facility projects questioned $305 
million in unallowable or unsupported costs out of $1.1 billion in 
total costs for the three projects.
    We are currently broadening our work in this area to encompass 
cooperative agreements for the operations phase of large facility 
projects. As the next phase of this overall effort, we plan to examine 
the decommissioning process. NSF management and our office are 
currently discussing several decommissioning issues that arose from a 
prior audit, including determining which awardees have unfunded 
liabilities and the amount of those liabilities.

    Question 4. The recent blockbuster ``Hidden Figures'' tells the 
true story of the women at NASA who played critical roles in the early 
days of the space program. Unfortunately, some of the challenges faced 
by these women in the 1950s remain today. Economists tell us we are 
facing a shortage of workers in STEM fields, yet women and minorities 
remain underrepresented in science and engineering jobs. The Federal 
Government should be leading the way in promoting workforce diversity, 
and ensuring the best people are in each job, regardless of their 
gender or race. How would you characterize the NSF's role in promoting 
diversity in STEM? Are there areas in which the NSF can improve?
    Answer. It appears that NSF recognizes its important role in 
promoting diversity. For example, NSF's February 2017 solicitation, the 
first under a new initiative to promote the inclusion of under-
represented groups of individuals, stated that diversity is essential 
to achieving excellence in science and engineering research and 
education. According to NSF, a primary goal of this initiative is to 
transform STEM so that it is fully and widely inclusive.
    At this point, we have not audited the effectiveness of NSF's 
efforts to promote diversity in STEM. We are therefore not in a 
position to identify areas in which the Foundation could improve.

    Question 5. For over 50 years, the NSF has managed U.S. scientific 
research and related logistics in Antarctica. Sometimes this includes 
providing medical care or emergency rescue services for personnel 
associated with non-governmental organizations, including tourists. 
This diverts government funding and assets away from support for 
research and may pose significant costs to NSF. Currently, U.S. tour 
operators and other non-governmental entities do not need to certify 
before traveling to Antarctica that they have put in place adequate 
insurance, contingency plans, and other arrangements to ensure health, 
safety, search and rescue, and medical care and evacuation for their 
expeditions. There are also no mechanisms to ensure that NSF is 
reimbursed in the event the Foundation renders emergency assistance. Do 
you believe the lack of an enforcement regime for contingency plans or 
reimbursement mechanism pose a risk to NSF's Antarctic mission?
    Answer. Diverting scarce Federal funds and resources to provide 
medical care or evacuations for private entities and individuals is a 
concern. While NSF has informed us that it has requested reimbursement 
for humanitarian/emergency support it has provided in the past, we have 
not done an audit or inspection to assess the cost or impact of such 
actions, or the extent to which NSF was ultimately reimbursed. Given 
the fact that Antarctica is a land governed by international treaty, 
there would likely be unusual challenges in seeking to create a formal 
enforcement regime for contingency plans or reimbursements.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                        Hon. Peggy E. Gustafson
    Question 1. NOAA satellite acquisition has received considerable 
scrutiny in the past few years, including from this Committee. Several 
OIG and GAO reports have made recommendations on how to address the 
myriad schedule, cost, and functionality challenges for the $10.9 
billion Geostationary Operational Environmental Satellite-R Series 4, 
and the $11.3 billion Joint Polar Satellite System 4 programs.
    You noted in your testimony that NOAA's major satellite system 
programs are among the Department's largest investments, totaling more 
than 16 percent of its $9.7 billion Fiscal Year 2017 budget request. Do 
you believe NOAA will be able to avoid further cost overruns and delays 
in the acquisition process?
    Answer. It is likely that there will be future cost overruns and 
delays in these programs. As we have generally reported in our work, 
the JPSS and GOES instruments are highly complex systems, and the small 
number of satellites procured by each program creates a challenge from 
a program standpoint. If any of the new satellites suffer a setback, 
those discrete delays have the potential to complicate ongoing and 
future work in the program resulting in cost overruns, particularly if 
technical problems arise during the satellites' system assembly, 
integration, and testing.
    The OIG's past work concerning NOAA's satellites highlights risks 
and areas of improvement to the Department, giving the programs an 
opportunity to learn and improve from past efforts--resulting in many 
resolved audit recommendations over time. The OIG will continue its 
work auditing these programs and keep Congress informed of the progress 
and challenges faced by NOAA.

    Question 2. At the hearing, you mentioned the importance of 
strengthening the cybersecurity of government information and systems. 
What are the most important steps the Secretary should take to increase 
the effectiveness of the agency's cybersecurity programs?
    Answer. Our cybersecurity audits continue to find deficiencies in 
the Department's implementation of basic security measures, such as 
regularly identifying vulnerabilities, expeditiously remediating 
security flaws, and effectively managing access controls. These basic 
measures are essential for improving the security posture of IT systems 
Department-wide, as is evidenced in our recent reports titled:

   Successful Cyber Attack Highlights Longstanding Deficiencies 
        in NOAA's IT Security Program;

   Lack of Basic Security Practices Hindered BIS' Continuous 
        Monitoring Program and Placed Critical Systems at Risk;

   Significant Security Deficiencies in NOAA's Information 
        Systems Create Risks in its National Critical Mission; and

   Review of IT Security Policies, Procedures, Practices, and 
        Capabilities in Accordance with the Cybersecurity Act of 2015.

    In the short term, the Department should prioritize some actions 
over others to improve the effectiveness of the cybersecurity program:

   fully utilize the Department's enterprise security services 
        at each bureau to gain real-time situational awareness;

   conduct high-quality information system security assessments 
        to ensure adequate security is in place across the Department;

   prioritize the updating of IT security policies and 
        procedures to ensure a cohesive approach to cybersecurity 
        across the Department;

   implement strong security measures to protect the 
        Department's national security systems;

   implement multi-factor authentication for all users with 
        greater authorities; and

   Secure cloud-based systems in accordance with Federal 
        requirements.

    Question 3. As your respective offices issue recommendations based 
on audit and investigation work, what steps do you take to ensure that 
the recommendations are discrete tasks that are feasible for the agency 
to implement in a reasonable timeframe?
    Answer. With respect to recommendations contained in the OIG's 
audit reports, consistent with GAO's Government Auditing Standards, the 
OIG provides draft report findings and recommendations for review and 
comment by responsible Department management officials. The Department 
officials then have an opportunity to inform the OIG whether each 
recommendation is reasonable and feasible. If Department officials 
oppose any recommendations, and the OIG determines that the 
Department's views are valid and supported, the OIG modifies the 
recommendations to incorporate the Department's response in the final 
report. That final report, with the Department's response, is then 
issued for implementation.
    The OIG's investigative reports generally are geared toward two 
audiences: the Department of Justice (DOJ) for potential criminal 
action or Department of Commerce (Department) management for potential 
administrative action. DOJ makes an independent determination as to the 
feasibility and viability of any criminal case arising out of OIG 
investigative efforts. Likewise, Department management makes the 
determination of what administrative actions, if any, are supportable 
by OIG investigative work. The OIG does not recommend specific action 
be taken in the administrative context as such decisions are within the 
Department's management purview and not subject to OIG discretion. The 
OIG, does, however, highlight ``root causes'' of potential misconduct 
within the Department.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Deb Fischer to 
                        Hon. Peggy E. Gustafson
    Question. Inspector General Gustafson, in your written testimony, 
you highlighted more than $18 million in waste at the U.S. Patent and 
Trademark Office stemming from employees who falsified their 
timesheets. This is concerning, to say the least. Can you please 
discuss steps that have been taken by the Department to remedy this 
problem and any additional actions you think are necessary?
    Answer. In its January 27, 2017, written response to the OIG 
investigative report finding more than $18 million in potential waste, 
USPTO reported taking actions to improve workforce management and 
strengthen time and attendance controls. Some of the recent actions 
USPTO reported that it has taken include:

   Providing guidance to patents and trademark supervisors to 
        specifically monitor indicators of potential time and 
        attendance issues, such as responsiveness to supervisory 
        communications; inconsistent workload activity (e.g., claiming 
        80 hours of examining time in a bi-week, but not claiming any 
        work credits); and customer inquiries or complaints;

   Implementation of an Agency-wide July 2016 policy requiring 
        any employee with performance or time and attendance issues to 
        provide more specific schedule information to their supervisor;

   Issuance of an USPTO-wide refresher on time and attendance 
        obligations and training for all employees and supervisors on 
        time and attendance policies;

   Launching a program to improve supervisory mentoring of 
        patent examiners with low or inconsistent production;

   Providing guidance to all patent supervisors to regularly 
        utilize their IT dashboard tool to monitor examiners' 
        production and timeliness, which can provide an early warning 
        sign of potential time and attendance issues; and

   Additionally, the USPTO has implemented and/or taken action 
        that responds to the 23 National Academy of Public 
        Administration recommendations concerning internal controls 
        related to time and attendance.

    According to USPTO, some of its efforts to address the 
recommendations in the OIG's report are ongoing, including:

   Reevaluating USPTO's examiner production goals for each art 
        unit and revising them, to the extent necessary, to reflect 
        efficiencies in work processes from automation and other 
        enhancements; and

   Reviewing USPTO's policies, procedures, and practices 
        pertaining to overtime hours to identify and eliminate the 
        areas susceptible to abuse.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Dean Heller to 
                        Hon. Peggy E. Gustafson
    Question. A difficulty for Inspectors General across Federal 
agencies has always been getting the information they need and pushing 
back on the agency when they dispute the IG's claims.
    It's something I've seen frequently at the Department of Veterans 
Affairs, and I've always felt very strongly that IG's must be willing 
to confront agencies to get the information they need to conduct a full 
investigation.
    Have any of you had difficult accessing the information you need to 
hold your agency accountable and are there tools you need from Congress 
to increase transparency?
    Answer. Historically, the OIG has faced challenges gaining access 
to some information as a result of conflicting laws or occasional 
delays arising within the Department. The OIG has been successful 
enforcing our statutory right to have access to all records, reports, 
audits, reviews, documents, papers, recommendations, or other material 
available to the Department. More recently, the OIG encountered 
resistance from the Department in obtaining access to information 
protected by another statute. The OIG promptly informed Congress and 
the issue was resolved with full access being granted to the materials 
sought. As we move forward, we will continue to work with the 
Department to ensure timely access to all information needed to conduct 
our work.
    At this time, the OIG has no current access issues. Should the OIG 
experience an access issue in the future, we will promptly inform 
Congress.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Bill Nelson to 
                        Hon. Peggy E. Gustafson
    Question 1. According to the Inspector General Act of 1978, the 
role of an IG is to detect and prevent waste, fraud, and abuse at 
Federal agencies and conduct these duties in a nonpartisan manner. IGs 
also have an obligation under the IG Act to keep Congress fully 
informed about issues at their agencies. Can I count on you to be 
nonpartisan and independent when carrying out your duties?
    Answer. Yes, nonpartisan independence is a cornerstone of effective 
oversight.

    Question 2. Can I count on you to keep me and this Committee fully 
informed about pending issues and whistleblower complaints at your 
agencies?
    Answer. I will keep Congress fully informed of fraud and other 
serious deficiencies relating to the programs and operations of the 
Department.

    Question 3. The Commerce OIG website has a mechanism for employees 
to report ``fraud, waste, abuse, or mismanagement,'' at the Commerce 
Department. I assume that political interference or censorship of 
science within the department--like at the National Oceanic Atmospheric 
Administration (NOAA)--would qualify as something employees could 
report to your office. However, it might not be clear to employees that 
a violation of the scientific integrity principles--like censorship or 
muzzling of science--can and should be reported to your office. Will 
you put reporting information specific to scientists and other 
technical staff on your website so that ``science is left to the 
scientists'' as Mr. Ross, the nominee for Secretary of Commerce, put 
it?
    Answer. The OIG maintains a robust website allowing all 
whistleblowers--regardless of subject--ready access to OIG staff. In 
addition, the OIG maintains a hotline for whistleblowers and other 
confidential tips with 24/7 access to live personnel for lodging 
confidential complaints regarding Department programs. Historically, 
the diversity of complaints received through these two mechanisms has 
shown that Commerce employees perceive both the hotline and the website 
as effective methods for confidential complaints to the OIG, regardless 
of the subject matter.

    Question 4. Given the concerns about muzzling scientists or 
suppressing data, will you commit to immediately notifying this 
Committee of any whistleblower allegations of censorship, intimidation, 
or political interference?
    Answer. As mentioned above, I will keep Congress fully informed of 
fraud and other serious deficiencies relating to the programs and 
operations of the Department. In that vein, I will report substantiated 
whistleblower allegations to the appropriate committees of 
jurisdiction.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Cory Booker to 
                        Hon. Peggy E. Gustafson
    Question 1. When Congress authorized FirstNet, we required FirstNet 
to partner with the private sector. Congress purposefully gave FirstNet 
and its partners the flexibility to design and operate a first-of-its-
kind network provided that the network met certain requirements such as 
infrastructure hardening and cybersecurity protections. As a practical 
matter, many of the challenges you identify with the program should be 
addressed after the private sector partner is selected. Do you agree 
with this analysis?
    Answer. The selection of a private sector partner will begin to 
answer questions about the implementation of the first responder 
network. FirstNet's actions addressing its challenges will be even more 
important after the private sector partner is selected. The OIG is 
committed to effective oversight of FirstNet during both the critical 
pre-award phase and the post-award roll out. Comprehensive oversight 
addressing identified challenges at their earliest point of detection 
ensures that FirstNet has ample time to deploy corrective actions 
likely to have the greatest impact.

    Question 2. If so, do you agree that it be more appropriate to 
discuss these concerns after the award of the contract, once we fully 
understand its terms and FirstNet's plans?
    Answer. As noted above, the OIG believes that FirstNet must 
continue to address challenges as they arise. In partnering with the 
private sector, the processes established during the critical pre-award 
phase will have significant impact on the success of the post-award 
activities. Effective oversight of the FirstNet program must be broad 
and include all phases of operation to ensure a successful 
implementation of the statutory requirements.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                        Hon. Peggy E. Gustafson
    Question 1. Does the Federal hiring freeze put in place by 
President Trump apply to your office?
    Answer. Yes.

    Question 2. If so, could this impact your ability to root out 
waste, fraud and abuse?
    Answer. If continued for an extended period, it is foreseeable that 
the hiring freeze--coupled with spending held at FY 2016 levels--could 
have an increasing effect on the OIG's ability to conduct timely audits 
or investigations. Additionally, certain statutorily required work must 
be completed each year regardless of funding levels. As funding remains 
constant and statutorily required work increases, fewer resources 
remain available for other work involving allegations of fraud, waste 
or mismanagement.

    Question 3. Are there currently any open positions in your office 
that you are blocked from filling?
    Answer. There are positions that do not specifically meet any of 
the exemptions specified in the hiring freeze guidance (Memorandum M-
17-18) issues jointly by OPM and OMB on January 31, 2017.

    Question 4. President Trump's historic refusal to divest from his 
private companies and put his assets in a blind trust creates conflicts 
of interest across the Federal Government. This means that inspectors 
general could face new levels of work investigating improper use of 
public funds--or worse, investigating and reporting on corruption, 
waste, fraud, and abuse. Will you pledge to request from Congress 
adequate budget resources for Fiscal Year 2018 to fulfill your duties 
as Inspector General?
    Answer. Yes.

    Question 5. I am concerned about taxpayer dollars being used to 
promote President Trump's private businesses. There are news reports 
that taxpayers are on the hook for nearly $100,000 in Secret Service 
and embassy staff hotel charges for a two day Trump Organization 
promotional trip to Uruguay in January. Taxpayers may get stuck with 
the tab again for Trump family travel expenses related to the opening 
of a new Trump hotel in Vancouver, Canada and a new Trump International 
Golf Club in Dubai. It seems to me that any and all expenses related to 
President Trump's personal business should be paid for by those 
businesses, not by American taxpayers. The President and his family 
should have Secret Service protection. But the recent Uruguay trip 
highlights the significant conflicts of interest that exist due to the 
President's refusal to divest from his businesses and place the 
proceeds in a blind trust. Will you fully investigate and then report 
back to Congress on whether any Economic Development Administration, 
International Trade Administration or other Department of Commerce 
resources are being improperly used to promote the President's private 
business interests?
    Answer. The OIG is committed to reviewing allegations involving 
misuse of Department resources or abuse of authority by Commerce 
officials. The OIG will continue to work with the Economic Development 
Administration, International Trade Administration and the Department 
to ensure Commerce resources are utilized and accounted for 
appropriately. If the OIG determines that Commerce resources may have 
been misused, the OIG will take appropriate steps to review those 
allegations.

    Question 6. Whistleblower complaints and hotline tips from Federal 
workers are important ways an Inspector General can uncover waste, 
fraud and abuse. There are reports that nearly 1,000 career State 
Department employees signed on to a ``dissent memo'' challenging 
President Trump's Executive Order banning immigration from seven 
Muslim-majority countries. Use of dissent memos in the State Department 
is protected activity. So, I am very concerned when--reacting to 
diplomats' use of a protected forum--White House press secretary Sean 
Spicer told them, ``they should either get with the program or they can 
go.'' It is hard to imagine these comments will not have a chilling 
effect on State Department employees who have a right to circulate a 
dissent memo and other Federal workers who are protected when reporting 
misconduct. Will you give me your assurance that you and your office 
will protect whistleblowers from any unlawful retaliation from the 
White House?
    Answer. As indicated above, the OIG is committed to reviewing 
allegations involving misuse of Department resources or abuse of 
authority by Commerce officials made by whistleblowers. The OIG 
supports the various protections afforded whistleblowers and makes 
available a website for anonymously reporting allegations, a 
24/7 complaint hotline, and a whistleblower ombudsman. These processes 
ensure and enhance whistleblower rights and protections of Commerce 
employees and contractors.

    Question 7. What steps do you take to ensure Federal employees can 
confidentially report potential waste, fraud and abuse?
    Answer. Complainants may submit confidential and anonymous 
complaints through the OIG Hotline, via our website or directly to OIG 
staff. The OIG does not routinely disclose the identity of 
complainants, unless either the complainant expressly consents or the 
IG determines that a waiver of confidentiality is unavoidable during 
the course of an investigation, as required by the IG Act.

    Question 8. I was quite alarmed by news reports that the Trump 
transition team sought a list of all Department of Energy employees or 
contractors who have attended climate change-related meetings. This 
sparked fears of a potential purge of scientists based on their 
research. There are also news reports that Trump administration 
officials may be blocking the public release of information by EPA 
scientists. Will you assure the Committee that you will investigate if 
there are complaints of inappropriate political interference, 
intimidation or censorship of scientists at NOAA or other Commerce 
agencies?
    Answer. As mentioned above, the OIG is committed to reviewing 
allegations involving misuse of Department resources or abuse of 
authority by Commerce officials.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. John Thune to 
                             Hon. John Roth
    Question 1. In your testimony, you also highlighted the 
consistently disconcerting results of penetration testing efforts, 
which identified vulnerabilities in TSA's Advanced Imaging Technology 
equipment. You observed, however, that in the last 18 months, TSA's 
response to the findings has exhibited ``marked change from previous 
practice.'' What steps is TSA taking to mitigate the security 
vulnerabilities discovered in previous rounds of covert testing?
    Answer. In response to our findings, TSA:

   Immediately created Tiger Teams with a 10-Point Plan to take 
        action and correct the vulnerabilities identified in the 2015 
        tests. TSA's final Tiger Team report included root cause 
        analyses, recommendations, action plans, and mitigation 
        strategies;

   Worked with DHS' Tiger Team to develop a root cause analyses 
        of checkpoint screening systems and human performance to 
        explain why prohibited items were entering the sterilized area 
        of federalized airports;

   Promptly briefed all Federal Security Directors of our 2015 
        test results;

   Conducted ``Back to Basics'' Mission Essentials/Threat 
        Mitigation training for every Transportation Security Officer;

   Developed additional training to address: (1) the findings 
        of the OIG's 2015 covert testing; (2) information gleaned from 
        TSA's own covert testing; (3) relevant and current threat 
        information, and (4) other areas identified by the Tiger Team;

   Addressed weaknesses in its standard operating procedures; 
        and

   Is researching other technologies while trying to improve 
        the capabilities of the existing equipment.

    Question 2. At the hearing, you mentioned the importance of 
strengthening the cybersecurity of government information and systems. 
What are the most important steps the Secretary should take to increase 
the effectiveness of the agency's cybersecurity programs?
    Answer. Our Fiscal Year (FY) 2016 FISMA evaluation of DHS' agency-
wide security program indicates that DHS still has much to do to ensure 
the effectiveness of its cybersecurity programs.\1\
---------------------------------------------------------------------------
    \1\ Evaluation of DHS' Information Security Program for Fiscal Year 
2016, OIG-17-24 (January 2017).
---------------------------------------------------------------------------
    The Department can strengthen its oversight of its information 
security program for its unclassified, ``Secret,'' and ``Top Secret'' 
programs at the component level. For example, DHS Components were not 
consistently following DHS' policies and procedures to:

  (1)  Keep system authorities to operate (ATO) current. As of June 
        2016, DHS had 79 unclassified systems operating under expired 
        ATOs;\2\
---------------------------------------------------------------------------
    \2\ Under Secretary for Management Memorandum, Strengthening DHS 
Cyber Defenses (July 22, 2015).

  (2)  Consolidate all Internet traffic behind the Department's trusted 
        Internet connections. As of August 2016, the Federal Emergency 
        Management Agency (FEMA), Headquarters, Transportation Security 
        Administration (TSA), and U.S. Secret Service (USSS) had not 
        consolidated multiple connections behind trusted Internet 
---------------------------------------------------------------------------
        connections;

  (3)  Discontinue the use of unsupported operating systems that may 
        expose DHS data to unnecessary risks;

  (4)  Implement all the required United States Government 
        Configuration Baseline and DHS Baseline Configuration Settings, 
        which, when fully implemented, help secure the confidentiality, 
        integrity, and availability of DHS' information and systems;

  (5)  Mitigate security vulnerabilities by applying security patches 
        timely; and

  (6)  Implement technology to prevent the activation of malicious 
        links or attachments in phishing e-mails. As of September 2016, 
        DHS and its Components had implemented only about 25 percent of 
        the technology capability; FEMA and TSA had not begun their 
        deployment efforts.\3\
---------------------------------------------------------------------------
    \3\ DHS requires that Components achieve Full Operational 
Capability within 90 days of the issuance of the Under Secretary for 
Management's January 13, 2016 memorandum. See Under Secretary for 
Management Memorandum, Continuous Improvement of Department of Homeland 
Security Cyber Defenses (January 13, 2016).
---------------------------------------------------------------------------
    Without addressing these deficiencies, the Department cannot ensure 
that its systems are adequately secured to protect the sensitive 
information stored and processed in them.
    The Department is also responsible for providing crisis management, 
incident response, and defense against cyberattacks for Federal.gov 
networks. However, as the Government Accountability Office (GAO) 
reported in January 2016, only 5 of 23 agencies were receiving 
intrusion prevention services.\4\ Further, agencies had not taken all 
the technical steps needed to implement the Department's National 
Cybersecurity Protection System (NCPS), such as ensuring that all 
network traffic is routed through EINSTEIN sensors. GAO described the 
NCPS as limited in its effectiveness because it only detects known 
patterns of malicious data, but does not address threats that exploit 
many common security vulnerabilities. Moreover, it only monitors and 
blocks threats arriving by e-mail, but does not address the common 
threats that web traffic may pose.
---------------------------------------------------------------------------
    \4\ Information Security: DHS Needs to Enhance Capabilities, 
Improve Planning, and Support Greater Adoption of Its National 
Cybersecurity Protection System, GAO-16-294 (January 2016).
---------------------------------------------------------------------------
    Through various audits, we also identified inadequate protection of 
DHS Components' sensitive systems and the data they contain. For 
example, due to inadequate controls, USSS employees were able to gain 
unauthorized access to the Component's Master Central Index system 
containing Representative Chaffetz's personally identifiable 
information.\5\ DHS could better address insider threats by protecting 
against unauthorized removal of sensitive information via portable 
media devices and e-mail, establishing processes for routine wireless 
vulnerability and security scans, and strengthening physical security 
controls to protect IT assets from possible theft, destruction, or 
malicious actions.\6\ Moreover, the Department could develop a 
strategic implementation plan, a training program, and an automated 
information sharing tool to enhance coordination among its Components 
with cyber-related responsibilities.\7\
---------------------------------------------------------------------------
    \5\ USSS Faces Challenges Protecting Sensitive Case Management 
Systems and Data, OIG-17-01 (October 2016).
    \6\ United States Coast Guard Has Taken Steps to Address Insider 
Threats, but Challenges Remain, OIG-15-55 (March 2015); Domestic 
Nuclear Detection Office Has Taken Steps To Address Insider Threat, but 
Challenges Remain, OIG-14-113 (July 2014).
    \7\ DHS Can Strengthen Its Cyber Mission Coordination Efforts, OIG-
15-140 (September 2015).

    Question 3. As your respective offices issue recommendations based 
on audit and investigation work, what steps do you take to ensure that 
the recommendations are discrete tasks that are feasible for the agency 
to implement in a reasonable timeframe?
    Answer. We make a concerted effort to ensure that our 
recommendations are concrete, reasonable, and practicable. In addition 
to drawing on our teams' extensive knowledge of Department and 
Component organization, programs, and operations, we work closely with 
the Department and Components throughout our reviews to ensure our 
recommendations are both feasible and effective. For example, we may:

   Conduct briefings with program officials to inform them of 
        potential findings during the review so that they may begin to 
        work on solutions or take corrective actions immediately;

   Provide program officials with formal notices of potential 
        findings and recommendations during the audit and invite them 
        to comment on our proposed recommendations. We then work with 
        the agency to ensure the recommendations are feasible and 
        address the underlying cause of the problem;

   Issue a draft report to the agency and, if warranted based 
        on the agency's response, revise our recommendations before the 
        final report is issued to the public; and

   Revise or administratively close a recommendation that is no 
        longer relevant or feasible due to changing circumstances.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Deb Fischer to 
                             Hon. John Roth
    Question. Inspector General Roth, in your written testimony, you 
expressed serious concern about the lack of a risk-based security 
strategy at TSA, particularly as it relates to surface transportation 
security and oversight. As you are aware, I have been working with 
leaders of this Committee to address these challenges at TSA. How has 
the TSA responded to your concerns since the September 2016 report was 
released? Has TSA made any progress in strengthening surface 
transportation security programs?
    Answer. In November 2016, TSA provided us with an update on the 
actions it has taken to address the recommendations in our report, 
``TSA Needs a Crosscutting Risk-Based Security Strategy,'' OIG-16-134. 
TSA indicated that it expects to complete a risk-based security 
strategy that encompasses all transportation modes in the fourth 
quarter of FY 2017. TSA is also taking steps to integrate enterprise 
risk management with resource planning and expects to complete this 
process by December 31, 2020. Additionally, TSA has made some progress 
in implementing the three outstanding passenger rail transportation 
regulations required by the Implementing Recommendations of the 9/11 
Commission Act of 2007. On December 16, 2016, TSA published two 
rulemakings in the Federal Register:

   Notice of Proposed Rulemaking for Security Training for 
        Surface Transportation Employees, and

   Advance Notice of Proposed Rulemaking for Surface 
        Transportation Vulnerability Assessments and Security Plans.

    In January 2017, TSA reported it anticipates a Notice of Proposed 
Rulemaking for surface security vetting by the end of FY 2017. We 
anticipate an update from TSA in late April and will continue to 
monitor TSA's progress on addressing our recommendations.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Dean Heller to 
                             Hon. John Roth
    Question. A difficulty for Inspectors General across Federal 
agencies has always been getting the information they need and pushing 
back on the agency when they dispute the IG's claims.
    It's something I've seen frequently at the Department of Veterans 
Affairs, and I've always felt very strongly that IG's must be willing 
to confront agencies to get the information they need to conduct a full 
investigation.
    Have any of you had difficult accessing the information you need to 
hold your agency accountable and are there tools you need from Congress 
to increase transparency?
    Answer. As I testified at the hearing, historically, we have not 
had difficulty accessing the information we need to hold the Department 
accountable. However, after the hearing, I was made aware of an 
internal procedure at TSA restricting and delaying our access to 
documents. Specifically, I learned that on October 3, 2016, ``TSA HQ--
Executive Advisor'' sent a communication to TSA's ``Office of Security 
Capabilities Federal'' setting out instructions for interacting with 
the OIG. Among other things, the e-mail notifies TSA personnel that 
documents responsive to an OIG request must first be ``cleared'' within 
TSA before being provided to the OIG. The e-mail also states that, 
prior to production to the OIG, documents are to be subjected to 
multiple levels of review within TSA, including review by a Designated 
Program Office, OSC Audit Liaison Team, Office of Chief Counsel (OCC), 
and TSA leadership. Further, in a March 14, 2016 e-mail attached to the 
October 2016 e-mail, TSA personnel were instructed to inform TSA senior 
leadership of all interviews with, and productions of documents to, the 
OIG.
    These TSA requirements are contrary to previous DHS practice, 
violate the letter and intent of the Inspector General Act of 1978 as 
amended and DHS directives, and chill confidential communication with 
the OIG. While the October 2016 communication is addressed to a 
specific subset of TSA employees, we are concerned that it may reflect 
unwritten practices followed by other TSA offices and employees, or 
that other TSA offices might use this communication as guidance for 
responding to OIG requests. We are attempting to determine the scope of 
the issue within TSA, and address this with TSA senior leadership. If 
we fail to resolve this issue to our satisfaction, we will issue a 
public report with our findings.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Bill Nelson to 
                             Hon. John Roth
    Question 1. According to the Inspector General Act of 1978, the 
role of an IG is to detect and prevent waste, fraud, and abuse at 
Federal agencies and conduct these duties in a nonpartisan manner. IGs 
also have an obligation under the IG Act to keep Congress fully 
informed about issues at their agencies. Can I count on you to be 
nonpartisan and independent when carrying out your duties?
    Answer. Yes.

    Question 2. Can I count on you to keep me and this Committee fully 
informed about pending issues and whistleblower complaints at your 
agencies?
    Answer. Yes.

    Question 3. On February 1, you announced that you were starting an 
investigation into the Trump administration's ``implementation'' of the 
travel ban for visa and green card holders from seven countries in 
response to a request from Senators Durbin and Duckworth and 
whistleblower and IG hotline complaints. As you know, the travel ban 
has been the subject of several court orders, including a Federal 
District Court order blocking its enforcement nationwide. As a result 
of this order and the subsequent fallout, it appears that several 
countries may be looking to pull back on negotiations to allow Customs 
and Border Protection pre-clearance facilities in their countries. Pre-
clearance is helpful because it allows us to vet passengers before they 
get on a plane to the U.S. It also makes it easier for passengers when 
they get to their destinations, which is important in tourist 
destinations like Florida. As part of your investigation, are you 
looking into the potential impact on the pre-clearance program?
    Answer. Our investigation will cover the implementation of 
Executive Order, ``Protecting the Nation from Foreign Terrorist Entry 
into the United States.'' In addition to reviewing its implementation, 
we will review DHS' adherence to court orders and allegations of 
individual misconduct on the part of DHS personnel, including CBP 
agents. We will also consider adding other issues that arise during the 
course of the review. At present, our investigation does not include a 
review of the potential impact on the pre-clearance program, but we 
will consider adding the issue to our future audit work plans, 
depending on the status of the pre-clearance program and our audit 
resources.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Cory Booker to 
                             Hon. John Roth
    Question 1. America's surface transportation network, which 
includes numerous public transportation agencies, railroads, and bus 
companies, is an essential component of our Nation's transportation 
system. Last year, in my home state of New Jersey, more than 1.6 
million passengers passed through an Amtrak train station as part of 
their journey.\1\ There is a clear need to protect our surface 
transportation network from those who wish to do us harm. On September 
18, 2016, a backpack with five homemade bombs exploded near the New 
Jersey Transit train station in Elizabeth, NJ during a police 
examination of the device. I am immensely grateful that no one was 
hurt. Unfortunately, this incident came one day after bombings in 
Seaside Park, NJ, and in Manhattan, where at least 29 people were 
injured.\2\ As you know, the 9/11 Commission made a series of 
recommendations for the Transportation Security Administration (TSA) to 
provide direction to the entities that secure our Nation's surface 
transportation systems. In 2007, Congress passed legislation requiring 
TSA and other agencies to implement these recommendations. In December 
2016, you testified to this committee that 8 years after this law was 
passed, TSA had failed to make any significant progress on a number of 
these requirements. Since your testimony two months ago, what progress 
has TSA made in issuing proposed regulations to secure surface 
transportation networks?
---------------------------------------------------------------------------
    \1\ https://www.amtrak.com/ccurl/409/374/NEWJERSEY16,0.pdf
    \2\ https://www.nytimes.com/2016/09/20/nyregion/pipe-bombs-found-
near-train-station-in-elizabeth-nj-official-says.html?_r=0
---------------------------------------------------------------------------
    Answer. Since my testimony in December 2016, TSA has made progress 
in implementing the three outstanding passenger rail transportation 
regulations required by the Implementing Recommendations of the 9/11 
Commission Act of 2007 (9/11 Act). On December 16, 2016, TSA published 
two rulemakings in the Federal Register:

   Notice of Proposed Rulemaking for Security Training for 
        Surface Transportation Employees (Security Training) and

   Advance Notice of Proposed Rulemaking for Surface 
        Transportation Vulnerability Assessments and Security Plans 
        (VASP).

    In January 2017, TSA reported it anticipates issuing a Notice of 
Proposed Rulemaking for surface security vetting by the end of FY 2017. 
Based on TSA's actions we were able to change the status of our audit 
report recommendations from unresolved and open to resolved and open.

    Question 2. What are the potential consequences for the security of 
our Nation's vast surface transportation networks if TSA does not take 
action to implement these recommendations as required by law?
    Answer. As discussed in our audit report OIG-16-91, TSA Oversight 
of National Passenger Rail System Security, TSA's ability to strengthen 
passenger rail security may be diminished without fully implementing 
and enforcing the requirements from the 9/11 Act. The absence of 
regulations also impacts TSA's ability to require Amtrak to make 
security improvements that may prevent or deter acts of terrorism.
    In the absence of issuing formal regulations, TSA uses a variety of 
outreach programs, voluntary initiatives, and recommended measures to 
assess and strengthen rail security for Amtrak and other rail carriers. 
However, these security initiatives are voluntary, and therefore, rail 
carriers are not required to participate or implement TSA's recommended 
security measures.

    Question 3. In your professional judgment, what will it take to get 
TSA to finally implement these recommendations so that our surface 
transportation entities can protect the people who use their services?
    Answer. We believe that continued oversight--both by the OIG and 
Congress--is needed to ensure that these recommendations are 
successfully implemented.

    Question 4. For several years, TSA has stated that the agency uses 
an intelligence driven, risk-based strategy for transportation 
security. In December 2016, you testified to the Senate Committee on 
Commerce, Science, and Transportation that a DHS Inspector General 
report found that TSA does not have a risk-based strategy across all 
transportation modes. In fact, TSA only has a risk-based strategy for 
our Nation's airports, and only on the secured side of the airport. 
From your written testimony to the Committee today, I can only conclude 
that nothing has changed. You write,

        We found that TSA does not have an intelligence driven, risk-
        based security strategy to inform security and budget needs 
        across all types of transportation. In 2011, TSA began 
        publicizing that it uses an ``intelligence-driven, risk-based 
        approach'' across all transportation modes. However, we found 
        this not to be true . . .

        Additionally, TSA's agency-wide risk management organizations 
        provide little oversight of TSA's surface transportation 
        security programs . . . no entity at TSA places much emphasis 
        on non-air transportation modes.

    Can you explain the benefits of a risk-based strategy and how it 
differs from TSA's current approach?
    Answer. A crosscutting risk-based security strategy would help 
ensure that all transportation modes, not just air travel, consistently 
implement risk-based security. This would help TSA align limited 
resources effectively--placing necessarily finite resources against the 
greatest risk. To do otherwise compromises transportation security and 
may leave surface transportation vulnerable.
    TSA's current approach is essentially siloed; its security programs 
for the surface modes operate independently of the aviation mode. TSA's 
Executive Risk Steering Committee, comprising the Office of the Chief 
Risk Officer and 10 assistant administrators, has overarching 
responsibility for defining strategy and managing risk TSA-wide. 
However, it focuses primarily on the aviation mode and provides little 
oversight of the surface transportation modes.

    Question 5. What are the consequences for security--particularly 
surface transportation security--if TSA doesn't use a risk-based 
strategy?
    Answer. Without a crosscutting risk-based strategy for all 
transportation modes, TSA cannot ensure it consistently prioritizes 
security and resource allocation decisions to protect the traveling 
public and the Nation's transportation systems. TSA spends massive 
amounts of money on air transportation and only a tiny amount on 
surface transportation. However, TSA does not know exactly where its 
greatest risks lie. Without a disciplined process to look at risk 
across all modes of travel, TSA may be spending its resources in the 
wrong place, leaving the traveling public less safe.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                             Hon. John Roth
    Question 1. Does the Federal hiring freeze put in place by 
President Trump apply to your office?
    Answer. Section 6(a)(5) of the Inspector General Act states that 
Inspectors General are to be treated as independent entities for 
purposes of staffing and training, and OMB Memorandum M-17-18, Federal 
Hiring Freeze Guidance, dated January 31, 2017, further clarified that 
``in the case of an Inspector General's (IG) office, the Inspector 
General is considered the agency head for the purposes of determining 
which positions in the IG office are exempt'' from the Federal hiring 
freeze. The IG, exercising his authority as an agency head under the 
Presidential Memorandum entitled ``Hiring Freeze,'' has determined that 
the OIG is exempt from the hiring freeze given the critical role the 
OIG plays in ensuring that the national security and public safety 
operations and programs administered by DHS are run effectively and 
efficiently, including investigating workforce integrity issues of the 
entire DHS population.

    Question 2. If so, could this impact your ability to root out 
waste, fraud and abuse?
    Answer. DHS OIG provides independent oversight over DHS programs 
and operations, including the significant public safety and national 
security missions of DHS' largest components: CBP, ICE, the Coast 
Guard, TSA, FEMA, NPPD, and USCIS (particularly as it relates to their 
fraud prevention and national security functions). DHS OIG mitigates 
the risk of mission failure when it finds shortfalls and provides 
assurances of mission execution to senior leadership when no such 
shortfalls are found. Failure to fully staff our audit, inspections and 
investigative functions to provide that independent oversight would 
directly impact the ability of DHS to conduct national security and 
public safety responsibilities, and undermine public confidence in the 
fair administration of laws.

    Question 3. Are there currently any open positions in your office 
that you are blocked from filling?
    Answer. As stated in the answer to Question 1 above, we are exempt 
from the hiring freeze. However, operating under a Continuing 
Resolution has hampered our ability to grow to the level that the 
Department, OMB, and Congress have deemed appropriate to allow us to 
accomplish our critical mission. This level requires approximately 80 
additional full-time employees. Moreover, the FY 2018 budget process 
has not followed the typical course, so we do not yet know whether we 
will have the resources we need moving forward.

    Question 4. President Trump's historic refusal to divest from his 
private companies and put his assets in a blind trust creates conflicts 
of interest across the Federal Government. This means that inspectors 
general could face new levels of work investigating improper use of 
public funds--or worse, investigating and reporting on corruption, 
waste, fraud, and abuse. Will you pledge to request from Congress 
adequate budget resources for Fiscal Year 2018 to fulfill your duties 
as Inspector General?
    Answer. Yes.

    Question 5. I am concerned about taxpayer dollars being used to 
promote President Trump's private businesses. There are news reports 
that taxpayers are on the hook for nearly $100,000 in Secret Service 
and embassy staff hotel charges for a two day Trump Organization 
promotional trip to Uruguay in January. Taxpayers may get stuck with 
the tab again for Trump family travel expenses related to the opening 
of a new Trump hotel in Vancouver, Canada and a new Trump International 
Golf Club in Dubai. It seems to me that any and all expenses related to 
President Trump's personal business should be paid for by those 
businesses, not by American taxpayers. The President and his family 
should have Secret Service protection. But the recent Uruguay trip 
highlights the significant conflicts of interest that exist due to the 
President's refusal to divest from his businesses and place the 
proceeds in a blind trust. Mr. Roth, will you fully investigate and 
then report back to Congress on whether any Secret Service or DHS 
resources are being improperly used to promote the President's private 
business interests?
    Answer. Investigating whether President Trump's use of DHS 
resources improperly promotes his personal business interests and 
presents a potential conflict of interest is beyond the jurisdiction 
afforded the DHS OIG by the Inspector General Act of 1978, as amended.

    Question 6. Whistleblower complaints and hotline tips from Federal 
workers are important ways an Inspector General can uncover waste, 
fraud and abuse. There are reports that nearly 1,000 career State 
Department employees signed on to a ``dissent memo'' challenging 
President Trump's Executive Order banning immigration from seven 
Muslim-majority countries. Use of dissent memos in the State Department 
is protected activity. So, I am very concerned when--reacting to 
diplomats' use of a protected forum--White House press secretary Sean 
Spicer told them, ``they should either get with the program or they can 
go.'' It is hard to imagine these comments will not have a chilling 
effect on State Department employees who have a right to circulate a 
dissent memo and other Federal workers who are protected when reporting 
misconduct. Will you give me your assurance that you and your office 
will protect whistleblowers from any unlawful retaliation from the 
White House?
    Answer. Yes. DHS OIG fully appreciates the invaluable contribution 
whistleblowers make to uncovering potential fraud, waste, and abuse in 
the Federal Government. DHS OIG considers whistleblower protection to 
be a critical part of its mission, and regularly investigates 
allegations of whistleblower reprisal made by uniformed United States 
Coast Guard members; DHS contractors, subcontractors and grantees; and 
DHS employees. Our Whistleblower Protection Unit (WPU) conducts 
investigations under the authority of the Inspector General Act of 
1978, as amended, and pursuant to the Military Whistleblower Protection 
Act, 10 U.S.C. Sec. 1034, Presidential Policy Directive 19, and the 
Pilot Program for Enhancement of Contractor Protection, 41 U.S.C. 
Sec. 4712. Investigations under these statutes are mandatory by DHS OIG 
when a prima facie case of reprisal is alleged. Additionally, in 
certain cases, DHS OIG conducts investigations pursuant to the 
Whistleblower Protection Act, 5 U.S.C. Sec. 2302.
    In the last year, DHS OIG undertook a substantial reorganization 
and rebuilding of its whistleblower protection function by creating a 
new and dedicated WPU housed in our Office of Counsel. The WPU consists 
of the Whistleblower Ombudsman, a supervisory whistleblower 
investigator and two newly hired whistleblower administrative 
investigators. The WPU has primarily been responsible for intake and 
preliminary complaint review during this timeframe, while Special 
Agents from the DHS OIG Office of Investigations and attorneys from the 
Office of Counsel jointly conduct all whistleblower investigations that 
are opened.

    Question 7. What steps do you take to ensure Federal employees can 
confidentially report potential waste, fraud and abuse?
    Answer. Whistleblowers can confidentially report potential waste, 
fraud, and abuse to the DHS OIG Hotline. The Hotline is a resource for 
employees to report allegations of employee corruption, civil rights 
and civil liberties abuses, program fraud and financial crimes, and 
miscellaneous criminal and non-criminal activity associated with waste, 
abuse, or fraud affecting the programs and operations of the 
Department. The DHS OIG website provides a link to the Hotline, as does 
the Department's intranet, DHS Connect.
    We recently sent out a Department-wide e-mail regarding reporting 
fraud, waste, and abuse. This notice encouraged employees to take a 
proactive role in improving DHS by reporting wrongdoing, and instructed 
them on how to report such information. The notice also notified 
employees of their rights under relevant whistleblower protection 
statutes, and discussed the OIG Whistleblower Protection Unit, which 
was recently established to review and investigate complaints of 
whistleblower retaliation.
    DHS OIG educates all new agency employees about whistleblower 
protections shortly after they join the agency. The OIG Whistleblower 
Protection Ombudsman (WPO), who has primary responsibility for 
whistleblower protection training and education within the agency, 
provides training to all new DHS headquarters employees at the new 
employee orientations presented twice monthly by the DHS Chief Human 
Capital Office (CHCO). The WPO provides new employees an overview of 
his role and responsibilities, describes the elements of whistleblower 
protection and prohibited personnel practices, and educates the 
employees on their rights. At the training, new employees are provided 
with handouts prepared by the Office of Special Counsel (OSC) on each 
of these topics. DHS is in the process of scheduling training for new 
appointees, which will include OIG training on the Whistleblower 
Protection Act (WPA) and Whistleblower Protection Enhancement Act 
(WPEA).
    Beyond the training received as part of new employee onboarding, 
each DHS employee must also complete No Fear Act training every two 
years, which provides training on employees' rights and remedies under 
whistleblower protection and anti-discrimination laws. DHS employees in 
a supervisory role also receive additional whistleblower protection 
training. The WPO works closely with the DHS Under Secretary of 
Management's Office, the DHS CHCO, the DHS Chief Leadership Officer 
Council, and the individual training officers at each DHS component 
agency to address whistleblower protections. He collaborates with these 
groups on the role of the Ombudsman in DHS, the development of training 
materials for all employees through the DHS OIG website, and the 
delivery of mandatory whistleblower training materials to new and 
existing employees through the DHS learning management system.
    The WPO works directly with OSC to ensure that the OIG is providing 
DHS employees and supervisors with the most current whistleblower 
protection training. In Fiscal Year 2016, the WPO, working with OSC, 
provided supervisory training on the WPA and WPEA that fulfilled the 
necessary requirements to achieve OSC 2302c certification for the DHS 
OIG. The OIG then worked to achieve certification for the entire 
Department. Training for this certification required all 28,000 DHS 
supervisors to complete online OSC training and pass an online quiz. 
The WPO then worked with CHCO to convert the quiz into the DHS learning 
management system, where it is now required training for supervisors 
every three years.
    We have raised our profile within DHS as the entity to which 
whistleblower complaints are reported, and with effective results. It 
is our duty to protect these individuals from being retaliated against 
as a result of stepping forward and, as before, we remain committed to 
empowering and protecting agency whistleblowers.
                                 ______
                                 
     Response to Written Question Submitted by Hon. John Thune to 
                       Hon. Calvin L. Scovel III
    Question 1. As you know I recently sent a letter to FAA 
Administrator Huerta requesting a detailed status update on NextGen. 
The letter highlighted much of the work you and your office have done, 
and specifically cited points made in several of your NextGen reports. 
Do you have any comments on FAA's response to my letter?
    Answer. FAA's response includes valuable perspectives on measures 
of success, lessons learned, and plans for the future. However, we note 
the fact that NextGen has been redefined--this is a theme from our work 
as well as the May 2015 National Academy of Sciences report. We would 
like to offer several observations about FAA's responses.

   First, FAA states there is a misunderstanding or 
        misconception based on our report \1\ about the planned 
        enhancements to the En Route Automation Modernization (ERAM) 
        program, which modernizes systems controllers rely on to manage 
        high-altitude traffic and integration issues with other 
        programs. Contrary to FAA's comments, our report does not state 
        that ERAM is broken but rather points to the integration 
        challenges and the central role ERAM plays in critical NextGen 
        efforts. Specifically, as we noted in our 2016 report on the 
        transformational programs, FAA faces complex integration issues 
        with ERAM and Data Comm for controllers and pilots to ensure 
        that aircraft information can be displayed on controller 
        displays and flight information can be transmitted from the 
        aircraft to ground and FAA automation systems in the 2020 
        timeframe. We note that Data Comm is a joint FAA and industry 
        NextGen investment priority.
---------------------------------------------------------------------------
    \1\ Total Costs, Schedules, and Benefits of FAA's NextGen 
Transformational Programs Remain Uncertain (Report Number AV-2017-009), 
November 10, 2016

   Second, FAA's comment about our observations regarding 
        insufficient industry outreach is inaccurate and outdated. We 
        have long pointed to the importance of stakeholder involvement 
        as an important factor for success. Our ongoing work recognizes 
        the collaboration between FAA and the NextGen Advisory 
        Committee (NAC) on the NextGen priorities. The four high 
        priority areas, which include Performance-Based Navigation 
        (PBN) and Airport Surface Operations, have the potential for 
        significant benefits for users. The NextGen investment 
        priorities represent an important but long overdue effort. We 
        plan to issue a report on FAA's risk-mitigation efforts for 
---------------------------------------------------------------------------
        implementing the priorities this summer.

   Finally, we believe FAA's comments about their response to 
        our January 2016 report \2\ on FAA's progress with using 
        congressionally mandated reform recommendations are accurate, 
        but need some updating. We made three recommendations to 
        improve FAA's management of major acquisitions and better meet 
        the goals of its reforms, two of which are now closed. Our 
        recommendation for FAA to identify and incorporate Federal and 
        industry best practices and guidance for planning and acquiring 
        major capital investments into their acquisition process 
        remains open. We emphasize that FAA's efforts to respond to our 
        recommendation will assist FAA in leveraging its reform 
        authorities and achieve the efficiencies and productivity 
        enhancements envisioned by the Congress to meet the Nation's 
        aviation needs and result in better outcomes with major 
        acquisitions.
---------------------------------------------------------------------------
    \2\ FAA Reforms Have Not Achieved Expected Cost, Efficiency, and 
Modernization Outcomes (Report Number AV-2016-015), January 15, 2016

    Question 2. In his response to my letter, Administrator Huerta 
wrote that, ``when [NextGen] programs are measured properly against a 
positive cost-benefit analysis and [FAA's] commitment to invest, [FAA 
is] now on or ahead of schedule with many of [its] large investment 
programs.'' Do you share this perspective?
    Answer. FAA's statement requires some clarification about the costs 
and benefits of NextGen Programs. Each program is required by the FAA 
Acquisition Management System to have a cost-benefit analysis to drive 
investment decisions. However, as we reported in our November 2016 
report, FAA NextGen Transformational Programs,\3\ there is considerable 
uncertainty about when each program will deliver benefits to airspace 
users, and many benefits remain unquantified. This is illustrated by 
two of FAA's largest programs that have combined current cost estimates 
of $4.7 billion in Agency costs alone, which excludes airspace user 
costs to purchase and install new avionics and train flight crews.
---------------------------------------------------------------------------
    \3\ Total Costs, Schedules, and Benefits of FAA's NextGen 
Transformational Programs Remain Uncertain (OIG Report No. AV-2017-
009), November 10, 2016

   Automatic Dependent Surveillance-Broadcast (ADS-B): FAA has 
        completed the ground-based infrastructure for the system and 
        has mandated that airspace users must equip their aircraft with 
        new avionics for ADS-B Out by January 2020. The benefits that 
        FAA identified in its business case for the program depended on 
        savings from the decommissioning of radars and the reduction of 
        high-altitude separation standards (from 5 nautical miles down 
        to 3 nautical miles). It remains uncertain when and if radars 
        will be retired and if separation benefits from reducing 
        separation standards will be realized. In addition, FAA has yet 
        to quantify the benefits of ADS-B Out in congested airspace in 
---------------------------------------------------------------------------
        the vicinity of airports in areas such as New York and Chicago.

   DataComm: FAA, in response to NextGen Advisory Committee 
        recommendations, the Agency accelerated the implementation of 
        digital messaging of pre-departure clearance capabilities to 
        over 57 towers, 3 years ahead of its original schedule. 
        However, the major benefit of the program will be in the high-
        altitude en route environment using digital messaging to 
        reroute aircraft to avoid thunderstorms and other adverse 
        weather. To complete this effort, FAA must modify its ERAM en 
        route automation systems and train air traffic controllers, 
        along with airlines equipping their aircraft and training their 
        flight crews. FAA is planning to begin implementing this new 
        capability in the 2020 timeframe. FAA has yet to quantify the 
        productivity enhancements for the controller workforce, which 
        could be significant.

    Question 3. Many stakeholders in the aviation community cite 
funding stability as a past and ongoing concern with respect to 
modernization of the air traffic control system. Can we attribute the 
FAA's difficulties over the last dozen years, as laid out in 
independent reports from your office as well as the Government 
Accountability Office, solely to funding uncertainty?
    Answer. While funding uncertainty and the sequester in the 2013 
time-frame has impacted FAA, as with all Federal agencies, a lack of 
funding has not materially affected the pace of NextGen or air traffic 
control modernization in general. Our work shows that other factors 
have contributed to problems with NextGen. These include unrealistic 
expectations, an inability to establish requirements for key 
capabilities (like ADS-B In and the display of information in the 
cockpit), and a lack of agreed-upon investment priorities. FAA and the 
industry now have a set of investment priorities, including DataComm 
and Performance-Based Navigation--a long overdue step. We note Congress 
has provided $7.4 billion from Fiscal Years 2003 to 2016 to FAA to 
invest in various NextGen programs. A significant majority of FAA 
NextGen funding ($6.7 billion) has been in its Facilities and Equipment 
or capital accounts.

    Question 4. At the hearing, you mentioned the importance of 
strengthening the cybersecurity of government information and systems. 
What are the most important steps the Secretary should take to increase 
the effectiveness of the agency's cybersecurity programs?
    Answer. By taking the following steps, the Department could greatly 
strengthen its cybersecurity programs:

  1.  Complete the implementation of PIV cards for logical access.

  2.  Identify, assess risk, and improve the oversight of shared 
        controls among DOT networks.

  3.  Ensure all systems have adequate contingency plans and test these 
        plans.

  4.  Take action to reduce the risk of the growing number of systems 
        operating in DOT without executive authorization (currently 70 
        systems) and the high number of unresolved security weaknesses.

    Question 5. As your respective offices issue recommendations based 
on audit and investigation work, what steps do you take to ensure that 
the recommendations are discrete tasks that are feasible for the agency 
to implement in a reasonable timeframe?
    Answer. Government auditing standards require that we make 
recommendations that flow logically from the findings and conclusions, 
are directed at resolving the causes of identified deficiencies and 
findings, and clearly state the actions recommended. Additionally, 
these standards specify that recommendations are effective when they 
are specific, practical, cost-effective, and measurable.
    In addition to writing recommendations that adhere to these 
standards, we provide the audited agency with the opportunity to 
comment on the feasibility of our recommendations twice, first during 
the exit conference at the conclusion of the audit, and then again in 
their formal written comments to our draft report. Finally, to provide 
for recommendation closure in a timely manner, although audit standards 
do not specifically address the issue of timeframes, by DOT Order, the 
audited agency is required to provide a target date for completion for 
each recommendation once concurrence is reached. Depending on the 
complexity of the findings and recommendations, target dates may not be 
met, and new target dates may need to be established.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Roy Blunt to 
                       Hon. Calvin L. Scovel III
    Question 1. In a 2015 letter to five members of the House 
Transportation and Infrastructure committee, the Deputy Secretary of 
Transportation and Deputy Secretary of Defense announced that an eLoran 
system would be built to protect the Nation from local and wide spread 
GPS disruptions. Why has the Department of Transportation taken no 
action on this?
    Answer. We agree that it is important to have a backup system for 
GPS in the event of an intentional or unintentional problem with the 
system. However, we have not conducted any work on eLoran or the 
Department's decision to not pursue a backup system. We have forwarded 
the question to the Department for any response that they may have on 
this matter.

    Question 2. I understand that private entities have made proposals 
to the Department of Transportation and other departments to build a 
backup system for GPS using private funds. Why has the government not 
acted on these offers?
    Answer. We have not examined the proposals made to the Department 
by the private sector for a backup to the GPS system. We have forwarded 
the question to the Department for any response that they may have on 
this matter.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Deb Fischer to 
                       Hon. Calvin L. Scovel III
    Question 1. Inspector General Scovel, you mentioned in your written 
testimony that DOT's ``reported delinquent debt increased by over 300 
percent from $170 million to $737 million'' between 1999 and 2013. To 
me, these figures represent a massive mismanagement of critical 
transportation resources. What is the DOT doing to address delinquent 
debt recovery for financing programs such as RRIF and TIFIA?
    Answer. In our delinquent debt report, issued July 2015, we 
addressed delinquent debt from RRIF and TIFIA ($984K and $6.2M 
respectively) and from other loan programs as well. Our specific 
recommendation for improving loan programs was that DOT develop or 
enhance policies and procedures for complying with their specific 
requirements for delinquent loan collections. These policies and 
procedures vary from program to program. However, overall weaknesses in 
this area remain present because DOT has not completed the required 
actions.

    Question 2. Inspector General Scovel, you mentioned in your written 
testimony that the Pipelines and Hazardous Materials Safety 
Administration (PHMSA) has missed about 75 percent of its deadlines for 
Congressional mandates. This is unacceptable. Last year, Congress 
passed the Protecting Our Infrastructure of Pipelines and Enhancing 
Safety, or PIPES Act, which sought to study and reform how PHMSA 
oversees pipeline safety. Specifically, it re-prioritized outstanding 
Congressional directives from the 2011 PHMSA reauthorization, and gives 
PHMSA the ability to hire pipeline inspectors with greater flexibility. 
In your opinion, has PHMSA incorporated the recommendations from the 
PIPES Act into its oversight? What further recommendations do you have 
to reform PHMSA so the agency can complete its mandates on time?
    Answer. The OIG has not specifically examined the extent to which 
PHMSA has incorporated recommendations from the PIPES Act into its 
oversight. However, in October 2016, we reported that an impediment to 
PHMSA's timely action in implementing mandates and recommendations from 
NTSB/GAO/OIG was the lack of agency-wide processes, guidance, and 
oversight. More specifically, between 2005 and 2015, PHMSA's two 
program offices, the Office of Pipeline Safety and the Office of 
Hazardous Materials Safety, were primarily responsible for mandate 
implementation. As we examined how these program offices implemented 
mandates, we found that staff rarely followed project management 
requirements, and there was little accountability for meeting 
deadlines--both internal and external.
    To address the lack of processes, guidance, and oversight, we 
recommended that PHMSA develop a policy for mandate implementation. 
While we have not received information from PHMSA about its progress on 
this recommendation, PHMSA has made significant changes to its 
rulemaking process since we issued our report. Because many of PHMSA's 
safety-related mandates require rulemaking activities, we are 
encouraged that these recent changes will better position the Agency to 
address regulatory mandates more efficiently.
    We recently initiated an audit mandated by the PIPES Act related to 
PHMSA workforce management that should provide Congress better insight 
into the Agency's oversight of pipeline safety. As part of our review 
of workforce management we are examining PHMSA's efforts to hire 
inspectors. That work is currently underway, and we expect to report 
out later this year.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Dean Heller to 
                       Hon. Calvin L. Scovel III
    Question 1. A difficulty for Inspectors General across Federal 
agencies has always been getting the information they need and pushing 
back on the agency when they dispute the IG's claims.
    It's something I've seen frequently at the Department of Veterans 
Affairs, and I've always felt very strongly that IG's must be willing 
to confront agencies to get the information they need to conduct a full 
investigation.
    Have any of you had difficult accessing the information you need to 
hold your agency accountable and are there tools you need from Congress 
to increase transparency?
    Answer. We have a good working relationship with the Department to 
access the information we require to ensure accountability. That being 
said, if we encounter delays and lack of timeliness in obtaining Agency 
documents, we work directly with Department officials at the proper 
level to resolve them. When appropriate, access and delay issues and 
their impact on the scope of our work are documented in our reports. We 
are not requesting any additional tools from Congress to increase 
transparency.

    Question 2. Every year, our offices are flooded with requests from 
local government and transportation commissions on the assortment of 
discretionary grants that the Department is authorized to issue for 
specific transportation projects. Nevada has benefitted from some of 
these programs without a doubt--but there are some overarching concerns 
about how the Office of the Secretary reviews these applications from 
Administration to Administration. Regardless of who is in control of 
the executive branch, our local stakeholders should know what they need 
to do to compete for these Federal resources year after year.
    It is my understanding that you have conducted an audit on the 
policies and procedures in place for TIGER grant applications--what 
types of safeguards can be put into place to ensure applications to all 
discretionary programs are reviewed on the merits and each application 
is given a fair shake?
    Answer. Currently, our office is conducting an audit of the Office 
of the Secretary of Transportation's (OST) policies and procedures for 
evaluating cost-benefit analyses in TIGER grant applications and plan 
to issue a report in early summer. Previously, on September 20, 2012, 
we issued a report--DOT Established Timely Controls for the TIGER 
Discretionary Grant Program, But Opportunities Exist to Strengthen 
Oversight (OIG Report No. MH201218)--that focused on OST's management 
and oversight of the TIGER program, including performance measures for 
determining economic and transportation-related impacts and (2) the 
policies and practices established for overseeing the TIGER projects 
once awarded. The report made seven recommendations to the Under 
Secretary of Transportation Policy to address vulnerabilities in the 
process for reviewing grants and documentation, capabilities to manage 
the TIGER program, and establish a methodology to identify program 
outcomes. OST completed implementation action on the last of these 
recommendations in January 2017. Of particular note is one 
recommendation directed at transparency, by establishing and 
implementing a systematic process for documenting significant 
management decisions involving the program and individual TIGER 
projects, including follow-up actions resulting from meetings with 
Department of Transportation agencies. We would view this as one key 
safeguard to put in place when reviewing grant applications.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Todd Young to 
                       Hon. Calvin L. Scovel III
    Question 1. General Scovel, on August 20, 2015, your Office of 
Inspector General issued a report regarding the efficiency of FAA Air 
Traffic Control (ATC) towers. In this report, you found that the FAA 
regularly fails to analyze their internal databases to review cost data 
and potential productivity efficiencies. By the report's estimation, 
this failure to review data cost the FAA as much as $142 million each 
year due to ATC tower inefficiencies. What recommendations do you have 
for this committee to ensure that the FAA regularly reviews their own 
data and extrapolates cost efficiencies through the ATC tower network?
    Answer. The recommendation we made in that report remains open. 
Specifically, we recommended that FAA identify the factors contributing 
to greater resource use by the least efficient towers as compared with 
the relatively efficient towers identified in the report, and develop a 
plan for addressing those factors.
    FAA only partially concurred with the recommendation in its formal 
response to the report. On July 22, 2016, FAA provided documentation of 
analyses undertaken in an attempt to fulfill the recommendation. We 
found FAA's analyses inadequate, because they were too cursory to 
identify the factors driving differences in resource usage, let alone 
support development of a plan to address such differences.
    We met with FAA personnel on October 5, 2016, and on February 16, 
2017, to discuss what we would need from the Agency to close the 
recommendation. We also provided documentation on why their earlier 
response had been inadequate and additional information to help focus 
Agency efforts. Following the October meeting, FAA committed to a 
target action date of April 30, 2017. In the February meeting, they 
told us that they would probably ask for an extension after they had 
the opportunity to examine the additional information, but they have 
yet not done so.
    While it would be fruitful in the future for FAA to analyze their 
data to identify inefficiencies, we are still waiting for the Agency to 
develop an adequate response to addressing the inefficiencies we have 
already identified.

    Question 2. General Scovel, On April 5, 2012, your office of 
Inspector General issued a report reviewing the utilization of ARRA 
funding and suggested methods for the Federal Highway Administration 
(FHWA) to increase competition for State DOT contracts and advance best 
practices for the awarding of those federal-aid contracts. To date the 
FHWA has completed the OIG recommended assessment, but failed to 
implement several specific policies regarding the confidentially of 
bids, the implementation of performance metrics to assess state 
contract trends, and the sharing of best practices by State DOTs. What, 
if any, barriers currently exist that prevent states from sharing best 
practices and implementing policies that will result in increased 
competition for State DOTs?
    Answer. FHWA has taken several actions to address our report's five 
recommendations. One recommendation is closed, and four remain open. 
One of the open recommendations addresses the sharing of State best 
practices, and the FHWA has made some progress toward closing it. 
Before our report was issued, FHWA--along with the American Association 
of State Highway and Transportation Officials (AASHTO)--began a Survey 
on Construction Cost Increases and Competition. This survey was 
completed in May of 2012, and identified industry trends and best 
practices. In February 2015, FHWA completed its National Review of 
State Cost Estimation Practices, which also addressed our report 
recommendations concerning evaluating competition and establishing 
performance metrics. The AASHTO survey and National Review results were 
transmitted to the states by FHWA in order to share best practices. In 
addition, we have been informed by FHWA that it plans to update its 
``Guidelines on Preparing the Engineer's Estimate, Bid Review & 
Evaluation'' by September 1, 2017, as part of Agency efforts to address 
our recommendations and to implement performance metrics to assess 
State contract trends and share best practices among State DOTs.
    At the completion of the 2015 National Review, FHWA concluded that 
the cost of keeping bidders' names and estimates confidential 
outweighed the benefits, because it would require resource-intensive 
regulatory revisions to Federal law and some State laws. Discussions 
concerning actions to close this recommendation are ongoing; the target 
action date for closure is September 1, 2017.

    Question 3. General Scovel, as you note in the Top Management 
Challenges for FY17, the FAA continues to face significant hurdles as 
it attempts to implement the Next Generation Air Transportation System 
(NextGen). The FAA fails to properly define costs and meet delivery 
timelines for this program, impeding the implementation of this vital 
system. As Congress considers an FAA reauthorization bill this year, 
what advice does your office recommend to ensure for the on-time and 
on-budget delivery of NextGen's performance based navigation (PBN) to 
the American public?
    Answer. While there has been some progress, FAA must continue to 
address key areas to ensure an on-time and on-budget delivery of PBN 
flight procedures that deliver benefits. This includes early outreach 
to communities to address potential noise concerns and collaboration 
with airspace users and air traffic controllers throughout the process. 
To maximize the benefits of PBN, our work shows FAA also needs to 
deploy automated decision support tools to help controllers space and 
sequence air traffic close to busy airports. This is important because 
many airlines are equipped with Required Navigation Performance 
technology that allows them to fly advanced flight procedures, 
including curved paths into airport runways. However, FAA has been slow 
to deploy advanced procedures and controller automation necessary to 
optimize benefits. Without these tools, it is difficult, if not 
impossible, for controllers to manage the flow of air traffic in a 
(mixed equipage) environment where some are using more advanced curved 
approaches and others are using straight-in approaches. FAA is 
currently developing an automated tool for managing airport arrivals, 
but will not begin deploying it until 2019 at the earliest.

    Question 4. General Scovel, in a July 9, 2015 report, your office 
reported on the Department of Transportation's lax debt collection 
policies that left in excess of $700 million in uncollected delinquent 
debt. Through your office's audit, you identified that the DOT failed 
to comply with proper debt collection procedures on 66 percent of all 
debt obligations collected. The report cites multiple failures in the 
DOT's utilization of the Enterprise Services Center (ESC) that inhibit 
their ability to accurately report on delinquent debt. Could you please 
outline what immediate actions should be taken to ensure the Department 
reports debt by statutory timelines, improves training for the proper 
collection of the Department's debt, and ensures for the full 
compliance to standard operating procedures for the department's ESC 
personnel?
    Answer. In our delinquent debt report issued July 2015, we made six 
actionable recommendations, which remain open, to address DOTs 
weaknesses in identifying, reporting, and recovering delinquent debts. 
These included developing and implementing department-wide policies and 
procedures for accurately identifying and reporting delinquent debt and 
recoveries, and collecting debts in a timely manner; establishing clear 
policies and guidance for overseeing delinquent debt collections made 
by Operating Administrations and ESC; requiring relevant training for 
all personnel who are responsible for identifying, collecting, and 
reporting on delinquent debt; directing Operating Administrations that 
must comply with legal requirements outside of the Debt Collection 
Improvement Act to develop clear and effective debt collection policies 
and procedures for their unique requirements and to share these 
policies and procedures with ESC; directing ESC to clarify its standard 
operating procedures (SOPs), including (a) delineating the different 
processes for administrative and loan debts and (b) identifying the 
Operating Administrations that the SOPs apply to and; directing 
Operating Administrations that have loan programs to develop or enhance 
policies and procedures for complying with their specific requirements 
for delinquent loan collections.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Bill Nelson to 
                       Hon. Calvin L. Scovel III
    Question 1. According to the Inspector General Act of 1978, the 
role of an IG is to detect and prevent waste, fraud, and abuse at 
Federal agencies and conduct these duties in a nonpartisan manner. IGs 
also have an obligation under the IG Act to keep Congress fully 
informed about issues at their agencies. Can I count on you to be 
nonpartisan and independent when carrying out your duties?
    Answer. Yes. Since taking on my role as DOT Inspector General in 
October 2006, I have been steadfastly committed to working with 
Congress, particularly with the Senate Commerce Committee, and with the 
DOT Secretary to help ensure that my office fully executes its mission 
to provide independent and objective reviews of DOT programs and 
operations.

    Question 2. Can I count on you to keep me and this Committee fully 
informed about pending issues and whistleblower complaints at your 
agencies?
    Answer. As mandated by the Inspector General Act, I will keep the 
Congress and the Secretary fully and currently informed about problems 
and deficiencies relating to the administration of DOT's programs and 
operations and the necessity for and progress of corrective action. We 
will comply with the direction and privacy protections afforded to 
whistleblowers by whistleblower protection statutes and will, as 
appropriate, inform the Committee about whistleblower complaints.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Tom Udall to 
                       Hon. Calvin L. Scovel III
    Question 1. Does the Federal hiring freeze put in place by 
President Trump apply to your office?
    Answer. Yes.

    Question 2. If so, could this impact your ability to root out 
waste, fraud and abuse?
    Answer. I understand the President's desire to review current 
staffing levels across Executive Branch agencies. In fact, we are 
currently undertaking our own workforce assessment in an effort to 
apply our resources most effectively. Such assessments are a sensible 
best practice.
    One thing that will remain at DOT OIG is our reliance on the 
specialized expertise of our workforce, which consistently amounts to 
at least 75 percent of our budget. Or put another way: our budget 
equals people, and people equal product. Sustained funding that allows 
us to develop and maintain well-qualified auditors, investigators, and 
subject matter experts is critical to our success. If the 
Administration and Congress commit to a significant infrastructure 
investment, such sustained support allows us to have meaningful 
oversight in place right from the start. Depending on the scope, 
timing, and direction of any such program, additional dedicated 
oversight resources, as were found in the Recovery Act and the 
Hurricane Sandy Disaster Relief Appropriations Act, may also be needed. 
Otherwise, the likely result would be DOT OIG pulling staff from other 
high priority areas in order to meet the challenges inherent with that 
new investment. Such a redirection of existing OIG resources could 
delay our efforts to meet other congressional mandates.
    The oversight that DOT OIG provides demonstrably helps prevent 
fraud, waste, and abuse of taxpayer dollars. In Fiscal Year 2016, that 
amounted to a return on investment of $54 for every appropriated 
dollar; over the last 5 fiscal years, the average was $35 to $1.

    Question 3. Are there currently any open positions in your office 
that you are blocked from filling?
    Answer. No.

    Question 4. President Trump's historic refusal to divest from his 
private companies and put his assets in a blind trust creates conflicts 
of interest across the Federal Government. This means that inspectors 
general could face new levels of work investigating improper use of 
public funds--or worse, investigating and reporting on corruption, 
waste, fraud, and abuse. Will you pledge to request from Congress 
adequate budget resources for Fiscal Year 2018 to fulfill your duties 
as Inspector General?
    Answer. Yes.

    Question 5. Whistleblower complaints and hotline tips from Federal 
workers are important ways an Inspector General can uncover waste, 
fraud and abuse. There are reports that nearly 1,000 career State 
Department employees signed on to a ``dissent memo'' challenging 
President Trump's Executive Order banning immigration from seven 
Muslim-majority countries. Use of dissent memos in the State Department 
is protected activity. So, I am very concerned when--reacting to 
diplomats' use of a protected forum--White House press secretary Sean 
Spicer told them, ``they should either get with the program or they can 
go.'' It is hard to imagine these comments will not have a chilling 
effect on State Department employees who have a right to circulate a 
dissent memo and other Federal workers who are protected when reporting 
misconduct. Will you give me your assurance that you and your office 
will protect whistleblowers from any unlawful retaliation from the 
White House?
    Answer. As we have historically done with all whistleblowers, yes, 
we will continue to do our part to protect them from unlawful 
retaliation and comply with the requirements in the whistleblower 
protection statutes.

    Question 6. What steps do you take to ensure Federal employees can 
confidentially report potential waste, fraud and abuse?
    Answer. We offer several ways for Federal employees to report 
potential waste, fraud, and abuse confidentially, including anonymously 
if they so desire. DOT OIG operates a Hotline (www.oig.dot.gov/hotline) 
that is staffed 24 hours a day, 7 days a week, 365 days a year. We also 
have a Whistleblower Protection Ombudsman who helps educate U.S. DOT 
employees about prohibitions against retaliating against Federal 
whistleblowers. Our Office of Investigations provides fraud prevention 
briefings to various individuals including regional DOT employees and 
contractors, which include information about the various ways to alert 
OIG to allegations of fraud, waste, and abuse.

    Question 7. I was quite alarmed by news reports that the Trump 
transition team sought a list of all Department of Energy employees or 
contractors who have attended climate change-related meetings. This 
sparked fears of a potential purge of scientists based on their 
research. There are also news reports that Trump administration 
officials may be blocking the public release of information by EPA 
scientists. Will you assure the Committee that you will investigate if 
there are complaints of inappropriate political interference, 
intimidation or censorship of scientists at NHTSA or other DOT 
agencies?
    Answer. Yes. As with any complaint that we may receive, including 
those about DOT employees who may be subject to inappropriate conduct 
or are otherwise prevented from carrying out their responsibilities, we 
will carefully evaluate it to determine the proper course of action.