We initiated this evaluation of GSA’s site selection processes for the relocation of the Federal Bureau of Investigation’s (FBI) headquarters in response to requests from members of Congress and concerns raised by the FBI.

During the evaluation, we identified four findings. We found that:

1. GSA’s rationale for increasing the weighting of the cost criterion, due to the changing of cost elements, was not justified because certain risks that GSA factored into the change were minimal or non-existent.
2. GSA provided some inaccurate information to the Panel and Site Selection Authority related to the site selection cost for the Springfield, Virginia site.
3. GSA did not provide specific enough data related to sustainable siting and advancing equity for the Panel and Site Selection Authority to differentiate between the sites.
4. GSA officials failed to properly maintain cell phone text messages related to the relocation of the FBI headquarters project.

In addition, we also reviewed a former GSA official’s previous employment as the Vice President of Real Estate and Parking at Washington Metropolitan Area Transit Authority and found no evidence that the former GSA official, as the Site Selection Authority, violated federal ethics regulations.

Our report makes three recommendations to ensure that GSA:

1. Establishes policies on developing, changing, and approving site selection plans for future projects;
2. Establishes policies and processes to ensure data used in site selections is relevant, accurate, complete, and current for future projects; and
3. Requires personnel involved with the FBI headquarters project, and future projects, to review and preserve records created via text messages or chats.

In response to our report, the former GSA management agreed with our recommendations but disagreed with some of the conclusions in our findings as outlined in the Response to Management Comments section.

REPORT

The GSA Office of Inspector General (OIG) did not sponsor any conference in Fiscal Year 2024 where the costs exceeded $100,000. The OIG sponsored several internal meetings and events for OIG employees such as audit management training and law enforcement training. Each OIG-sponsored event was designed to minimize costs while providing a maximum amount of training or work-related activities for the attendees.

OIG employees also received training at several events sponsored by others. They attended these events in support of the OIG mission, which is to combat fraud, waste, and abuse and save taxpayer money. In total, the OIG spent approximately $51,000 for 183 attendees who received training at various events throughout the year.
 

This memorandum details recurring findings identified through our audits of GSA’s Public Buildings Service construction and basic repairs and alterations projects conducted during Fiscal Years 2020 through 2024. The frequency and recurring nature of these findings indicates the need for additional management attention.

Message from the Deputy Inspector General

I am pleased to submit to Congress our Semiannual Report for the period of April 1, 2024, through September 30, 2024.

During this reporting period, we issued 31 audit reports, including 15 contract audits, with more than $171.7 million in financial recommendations for potential cost savings and recoveries for the federal government. In addition, our investigative and legal work yielded $131.7 million in monetary recoveries. 

Of note, we reported on multiple building safety issues at GSA, including flaws with Public Buildings Service (PBS) water quality management and guidance, which led to an increased risk of exposure to lead, copper, Legionella bacteria, and other contaminants in federal buildings. We also found that PBS faces a significant backlog of occupational safety and health, and fire risk conditions with nearly 36,000 actionable, open risk conditions at almost 2,000 GSA-managed assets nationwide. While reviewing corrective actions GSA took in response to a 2020 report, we found that child care centers in GSA-controlled buildings still have significant security vulnerabilities. We also found that PBS Region 2 did not comply with applicable laws, regulations, and policies when awarding and administering a $5.6 million Infrastructure Investment and Jobs Act project to repave six land ports of entry at New York State’s northern border. Additionally, we reported that the GSA Federal Acquisition Service should strengthen its price analyses when consolidating multiple award schedule contracts. 

As a result of an evaluation, we determined that GSA lacked adequate controls over foreign gifts and decorations, finding that the Foreign Gifts and Decorations Program generally lacked adequate inventory management controls, and we identified prohibited gifts in the inventory. Another evaluation found that PBS is not effectively administering the fuel storage tank management program effectively by not properly accounting for or maintaining the fuel tanks. 

Our special agents uncovered a massive scheme to traffic fraudulent and counterfeit Cisco networking equipment which resulted in the chief executive officer being sentenced to 6.5 years in prison and ordered to pay more than $100 million in restitution. Additionally, our investigative work revealed that a company sold millions of dollars in Chinese-made ballistic products, while claiming that the products were made in the U.S., which led to the owner being sentenced to more than 1 year in prison and being ordered to pay $2.67 million in restitution. 

Finally, Avantor, Inc., agreed to pay the United States $5 million to resolve allegations that one of its subsidiaries, VWR International, LLC, fraudulently overcharged federal agencies for goods purchased between 2008 and 2017.

I am deeply grateful for the hard work of the men and women of GSA OIG who seek to combat waste, fraud, and abuse of taxpayer dollars on a daily basis. Our efforts would not be possible without the ongoing support of Congress and GSA management. 

Robert C. Erickson 
Deputy Inspector General 
September 30, 2024

REPORT:

Why We Performed This Audit

The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies, including the United States (U.S.) General Services Administration (GSA), to have an annual independent evaluation of their information security program and practices to determine the effectiveness of such program and practices. GSA contracted KPMG LLP (“KPMG” or “we”) to conduct this audit, and the GSA Office of Inspector General (OIG) monitored KPMG’s work to ensure it met professional standards and contractual requirements.

We conducted a performance audit of GSA’s information security program in accordance with Generally Accepted Government Auditing Standards (GAGAS) and with the Office of Management and Budget’s (OMB’s) most recent FISMA reporting guidance to determine the effectiveness of GSA’s information security program and practices for its information systems for the period of October 1, 2023, through May 31, 2024. In addition to GAGAS, we conducted this performance audit in accordance with Consulting Services Standards established by the American Institute of Certified Public Accountants.

What We Found

Our testing for Fiscal Year (FY) 2024 included procedures at the entity and system levels for five GSA-owned information systems and five contractor-owned information systems. The FY 2024 Core and Supplemental Group 2 Inspector General (IG) Metrics (FY 2024 IG FISMA Reporting Metrics) established in the FY 2023 – 2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics dated February 10, 2023, served as the basis for our test procedures.

Additionally, to support the overall performance audit objective, we also assessed management’s actions for a selection of penetration test results and findings and performed internal vulnerability scanning activities over a select set of GSA-owned information systems in order to identify potential system flaws, misconfigurations, or vulnerabilities that could increase the risk of unauthorized access or elevation of privileges to GSA systems and data. This technical security testing was completed as of June 27, 2024.

Finally, we followed up on the status of four prior year findings. As a result of our procedures and based on the maturity levels calculated in CyberScope, we assessed GSA’s information security program as “Effective” according to OMB guidance. We made this determination based on assessing a majority of the FY 2024 IG FISMA Reporting Metrics as “Managed and Measurable” and “Optimized.” Specifically, the Identify, Protect, Respond, and Recover cybersecurity functions were assessed as “Managed and Measurable,” while the Detect cybersecurity function was assessed as “Optimized.”

Based on our testing, we determined that GSA implemented corrective actions to remediate two of the four prior year findings and that these findings were closed (see Appendix I). However, we determined that the other two prior year findings remained open, and also reported seven new findings (see Section IV) in the Protect cybersecurity function within the following areas:

Configuration Management

• Configuration Change Control – Lack of Approval for Operating System (OS) Patches Prior to Implementation to the Production Environment
• Flaw Remediation – Configuration, Patch, and Vulnerability Management Programs for three GSA-owned information systems Needs Improvement
   

Identity and Access Management

• Session Termination – Incompliant Session Termination Period Configuration Setting
• Separation of Duties – Self Approval during Application Account Reauthorization Process for one GSA-owned information system
• Account Management – Access Authorizations for New Database (DB) and OS User Access Not Documented for one GSA-owned information system
   

Security Training

• Specialized Training – Evidence for Specialized Training for GSA Personnel Not Consistently Completed and Tracked
• Security Training and Awareness – Weakness in Removal of Network Access for Users Not Completing Security Awareness Training
   

The nature of these findings impacted our assessment of certain FY 2024 IG FISMA Reporting Metrics within the Protect function, which subsequently impacted the calculated average rating of the function.

What We Recommend

We made eight recommendations related to five of the seven new findings that should strengthen GSA’s information security program if effectively addressed by management. GSA management should also consider whether these recommendations apply to other information systems maintained in the organization’s FISMA system inventory and implement remedial action as needed.

We recommend that GSA management:

1. Enforce its defined procedures to obtain formal approval of all OS patches to three GSA-owned information systems prior to their implementation in the production environment and to retain associated supporting documentation.
2. Establish procedures and processes to enforce compliance with GSA’s configuration and patching requirements on the websites for three GSA-owned information systems.
3. Properly update and remediate vulnerabilities and configuration weaknesses throughout the environments for three GSA-owned information systems in accordance with GSA and National Institute of Standards and Technology requirements.
4. Establish milestones to perform root cause analysis and remediation of reported vulnerabilities for three GSA-owned information systems, including the creation of Plans of Action and Milestones.
5. Enforce proper completion of DB and OS request forms for one GSA-owned information system to include obtaining authorizations from designated management prior to provisioning administrator access to its DB and OS, respectively.
6. Validate that access is appropriate for all DB and OS accounts on one GSA-owned information system.
7. Commit resources and implement a process to provide and formally track the completion of specialized training for GSA IT security personnel.
8. Implement an oversight process to disable access for all new users who do not complete their required Security Awareness training within the agency’s defined timeframe and that is commensurate with GSA’s risk appetite.

GSA management agreed with each of our findings and recommendations. The GSA Chief Information Officer’s response is included in Section VI.

As required by the Reports Consolidation Act of 2000, Public Law 106-531, we prepared an assessment summarizing what we consider to be the most significant management and performance challenges facing GSA in Fiscal Year 2025. 

This year we have identified significant challenges in the following areas:

1. Establishing and Maintaining an Effective Internal Control Environment 
2. Improving Contract Award Administration 
3. Developing Efficient and Effective Acquisition Solutions 
4. Maximizing the Performance of GSA’s Real Property Inventory 
5. Managing Agency Cybersecurity Risks 
6. Providing a Safe Work Environment 
7. Securing Federal Facilities 
8. Managing the Electrification of the Federal Fleet 
9. Management of the Technology Transformation Service

The purpose of this memorandum is to notify the Public Buildings Service (PBS) Commissioner that PBS does not have complete and accurate asbestos information for the Herbert C. Hoover Federal Building. Based on our assessment of a hotline complaint, previously unidentified damaged asbestos-containing material was found in two of the building’s mechanical rooms. We also found that PBS does not have complete asbestos inspection records for the building.

USAID Office of Inspector General (OIG) reviewed the system of quality control for the audit organization of the General Services Administration (GSA) OIG in effect for the year ended March 31, 2024. A system of quality control encompasses GSA OIG’s organizational structure, and the policies adopted, and procedures established to provide it with reasonable assurance of conforming in all material respects with Government Auditing Standards and applicable legal and regulatory requirements. The elements of quality control are described in Government Auditing Standards.

In their opinion, the system of quality control for the audit organization of GSA OIG in effect for the year ending March 31, 2024, has been suitably designed and complied with to provide GSA OIG with reasonable assurance of performing and reporting in conformity with applicable professional standards and applicable legal and regulatory requirements in all material respects. 

Audit organizations can receive a rating of pass, pass with deficiencies, or fail. GSA OIG has received an External Peer Review rating of pass.

REPORT