As of March 31, 2022, the OIG has identified the following areas of significant concern that cause the Department to be at particular risk of fraud, mismanagement, waste, deficiencies, or abuse. The identified areas of concern reflect continuing matters as well as emerging issues. Most of these issues appear in our annual Top Management and Performance Challenges report.
Deploying Unemployment Insurance Benefits Expeditiously and Efficiently While Reducing Improper Payments
The Office of Inspector General (OIG) has repeatedly reported significant concerns with the Department of Labor (DOL) and State Workforce Agencies’ (SWA) ability to deploy program benefits expeditiously and efficiently while ensuring integrity and adequate oversight, particularly in response to national emergencies and disasters. The OIG reiterated these concerns following the economic downturn created by the COVID-19 pandemic and the unprecedented levels of federal funding allocated to the unemployment insurance (UI) program, currently estimated at approximately $872.5 billion.
Following the start of the pandemic in the United States in early 2020, unemployment compensation claims rose exponentially to historically unprecedented levels. Prior to the pandemic, numbers of UI claims were low: on March 14, 2020, the Department reported 282,000 initial claims. Within 2 to 3 weeks, initial claims rose to 10 times pre-pandemic levels, far higher than state systems were designed to handle.1 Within 5 months, through August 15, 2020, the Department reported 57.4 million initial claims, the largest increase since the Department began tracking UI data in 1967.
Rapid deployment of Coronavirus, Aid, Relief, and Economic Security (CARES) Act funding was critical in helping workers in need. As the OIG’s prior audit work has shown, quickly deploying funds can result in shortcomings in the effective and efficient implementation of stimulus programs.
For example, the OIG had audited the Disaster Unemployment Assistance (DUA) program and found the Department had not established adequate controls to ensure benefits were paid timely. Similarly, for three key CARES Act UI programs, we identified that, on average, it took between 25 and 50 days for the first payment to be disbursed. Continued programmatic weaknesses led to workers unemployed through no fault of their own suffering lengthy delays in receiving benefits.
In addition, anticipating and addressing the increased risk that came with the expanded funding was also vital to meeting the intent of the CARES Act. For example, we reported on the challenges presented by the Pandemic Unemployment Assistance (PUA) program. PUA’s expanded coverage for a population of claimants who were traditionally ineligible to receive UI benefits2 presented significant challenges to states. The OIG reported the risk of fraud and improper payments was even higher under PUA than with DUA because claimants could self-certify their eligibility for UI. In June 2020, the OIG provided a member briefing3 and a statement for the record4 to Congress highlighting challenges DOL and SWAs faced in administering and overseeing the UI program as well as the substantially increased fraud risk. The reliance solely on claimant self-certifications without evidence of eligibility and wages during the program’s first 9 months rendered the PUA program extremely susceptible to improper payments and fraud. Congress addressed the self-certification issue under the Continued Assistance for Unemployed Workers Act of 2020, requiring individuals receiving PUA to substantiate their employment.
Further, for over 20 years, the OIG has reported on the Department’s limited ability to measure, report, and reduce improper payments in the UI program. Indeed, the UI program has experienced some of the highest improper payment rates across the federal government. The reported improper payment estimate for the regular UI program has been above 10 percent for 14 of the last 18 years. Our recommendations have specifically included the need for the Department to estimate improper payments within federally-funded temporary emergency programs. In August 2020, we recommended5 the Employment and Training Administration (ETA) estimate the improper payment rate for pandemic UI programs. In December 2021, consistent with our recommendation, ETA reported an improper payment rate of 18.71 percent for 2021, which ETA applied to two of three key pandemic UI programs. ETA states it will report the third program, PUA, in 2022.
Applying the 18.71 percent to the estimated $872.5 billion in pandemic-related UI payments,6 at least $163 billion in pandemic UI benefits could have been paid improperly, with a significant portion attributable to fraud. Based on our audit and investigative work, the improper payment rate for pandemic-related UI payments is likely higher.
The OIG has referred information to the Department and states on nearly $17 billion of potentially fraudulent UI benefits paid from March 2020 to October 2020 in four specific high-risk areas, to individuals with Social Security numbers: (1) filed in multiple states, (2) of deceased persons, (3) of federal prisoners, and (4) used to file for UI claims with suspicious email accounts (see Figure 1).
Figure 1: Four High-Risk Areas for Potential UI Fraud7
As the OIG reported, the unprecedented infusion of federal funds into the UI program gave individuals and organized criminal groups a high-value target to exploit. That, combined with easily attainable stolen personally identifiable information (PII) and continuing UI program weaknesses identified by the OIG over the last several years, allowed criminals to defraud the system. Because many states were not prepared to process the extraordinary volume of new UI claims and struggled to implement new UI programs, many internal fraud controls that had been traditionally used or recommended for the processing of UI claims were not initially implemented. This created a situation where fraudsters had a high-reward target where an individual could make a fraudulent claim with relatively low risk of being caught. For example, as time went on, one fraudster could have been issued several UI debit cards, with tens of thousands of dollars on each card.
The volume of UI investigative matters currently under review is unprecedented in the OIG’s history. Prior to the pandemic, the OIG opened approximately 120 UI investigative matters annually. Since the pandemic started, the OIG has received more than 144,000 UI fraud complaints from the U.S. Department of Justice’s (DOJ) National Center for Disaster Fraud (NCDF) and has independently opened more than 39,000 investigative matters concerning UI fraud. That is an increase of more than 1,000 times in the volume of UI work that we are facing. UI investigations now account for approximately 94 percent of the OIG investigative case inventory, compared to approximately 11 percent prior to the pandemic.
While concerns persist within the UI program, DOL has instituted efforts to focus on program integrity when implementing the CARES Act and other pandemic-related UI programs. These efforts include establishing agreements with states to comply with all applicable requirements to receive funds, issuing operating guidance, and providing technical assistance to SWAs individually and through webinars. DOL has included requirements for SWAs to focus on program integrity in guidance relevant to pandemic-related UI funds. In addition, DOL has reinforced the need for SWAs to actively work with the OIG to address fraud in the UI program. DOL is also working with SWAs to further their participation with the UI Integrity Center, established by DOL through a cooperative agreement and operated by the National Association of State Workforce Agencies (NASWA).
On August 31, 2021, the Department announced the establishment of the Office of Unemployment Insurance Modernization to provide oversight and management of the $2 billion appropriated to UI initiatives by the American Rescue Plan Act of 2021 (ARPA). The funding is aimed at preventing and detecting fraud, promoting equitable access, ensuring timely benefits payments, and reducing backlogs. Of this $2 billion in funding, three grant programs have been set up: (1) a $140 million program for fraud prevention grants to be awarded to states to cover subscription costs for identity verification tools, establishment and expansion of data analytics, and implementation of cybersecurity defense strategies; (2) a separate $260 million program for equity grants to be awarded to states to improve customer service and claimant outreach, reduce claims backlogs, and improve access for workers in communities that may have historically experienced barriers to access; and (3) up to $200 million in funding to support states in improving UI systems and processes following a consultative assessment with a team of experts provided by DOL.
We plan to evaluate the effectiveness of the equity grants program as well as to continue our audit and investigative work on the Department’s and States’ ability to expeditiously and efficiently deploy UI benefits while reducing improper payments.
Providing the OIG Access to UI Claimant Data and Wage Records
The OIG’s lack of direct access to UI claimant data and wage records from SWAs is of significant concern because this deficiency directly and adversely impedes the OIG’s ability to combat fraud, waste, and abuse and provide independent oversight to help DOL reduce improper payments in its programs, including regular and temporary UI programs. Prior to the pandemic, DOL required states to disclose UI data for fraud investigations with data sharing agreements. DOL asserted it lacked the authority to require states to provide UI data to the OIG for audits. As a result, the OIG was forced to take the unprecedented step of using IG subpoenas to obtain this critical data. That process took many months and delayed our ability to detect fraud early in the pandemic. The Department revisited its position and, on August 3, 2021, issued an Unemployment Insurance Program Letter (UIPL) advising SWAs they must provide UI data to the OIG for benefits paid under the authority of the CARES Act. However, this was a temporary measure that applied to CARES Act UI programs, which sunsetted on September 6, 2021.8 Once the programs covered by the UIPL expired in September, the OIG was back to not having routine access due to the Department’s interpretation of its own regulation that it lacked authority to require states to provide UI data to the OIG for audit and investigative purposes. While the Department has required states to provide OIG with access to UI data as a condition of receiving fraud prevention grants, those grants are not being provided to every state and the provision requiring OIG access is temporary and will expire with the grants on December 31, 2023.
The OIG requires permanent access to all UI program data to conduct effective oversight. In our June 16, 2021, alert memorandum,9 we recommended that ETA amend 20 CFR 603.5 and 603.6(a) through the rulemaking process and that ETA meet with the OIG to develop a permanent approach for the OIG to access UI data. We were optimistic the Department would work on its regulation prior to the expiration of the CARES Act programs, but, while the Department has been cooperative, this did not happen. ETA has required sharing of state UI data as a condition of the fraud prevention grants offered under ARPA. However, the grants provide the OIG access only for those states that chose to participate and only through the end of 2023. Given that a few states are not receiving grants and ETA has not effectuated another viable alternative for access to non-grantee data in the short-term, the data provided to the OIG will be incomplete; additional IG subpoenas may be necessary. However, as noted, use of IG subpoenas to obtain UI data on a recurring basis is time-consuming and inefficient. Thus, the OIG would not be able to obtain UI data in a manner that would allow it to more timely detect fraud.
The OIG must have easy and expeditious access to state UI claimant and wage records to conduct appropriate audit and investigative oversight of UI funds. As outlined in June 2021, disclosure limitations regarding UI potential fraud data10 contradict the Inspector General Act of 1978, as amended. To obtain access to UI data, the OIG had to issue two separate sets of IG subpoenas. The resulting delays equated to the lack of detection and prevention of billions of dollars in potentially fraudulent claims at the earliest opportunity. In support of the OIG’s oversight activities, the OIG needs access to UI claimant data and wage records from SWAs to verify claimants’ eligibility for UI benefits, including both initial eligibility (and amounts) and continuing eligibility. Direct and timely access to these records will permit the OIG to identify claimants who appear to be receiving benefits while also earning wages. Further, direct and timely access to UI data will allow the OIG to use our data analytics program to identify and investigate complex identity theft and multistate fraud schemes, as we have successfully done during the pandemic. The OIG could also use UI data to assess the outcomes of UI reemployment programs.
Congress should consider legislative action to authorize DOL and the OIG to have direct access to UI claimant data and wage records for our oversight responsibilities. Real time direct access to SWA UI claimant data and wage records systems would further enable the OIG to quickly identify large-scale fraud and expand its current efforts to share emerging fraud trends with ETA and SWAs in order to strengthen the UI program and prevent fraud before it occurs.
In addition, data analytics based on the direct access would further enable our auditors to identify program weaknesses and recommend corrective action that will improve the timeliness of UI benefit payments and the integrity of the UI program. To underscore this point, based on the data that was obtained by the OIG, our data scientists in our Office of Investigations and Office of Audit worked collaboratively to identify nearly $17 billion in potential UI fraud paid in the four specific high-risk areas, such as to multistate claimants and deceased persons.
Protecting the Safety and Health of Workers
The Occupational Safety and Health Administration (OSHA) is responsible for the safety and health of 130 million workers employed at more than 8 million establishments, and OSHA must ensure employers are providing the level of protection required under relevant laws and policies. The OIG remains concerned about OSHA’s ability to target its compliance activities to areas where it can have the greatest impact.
OSHA carries out its compliance responsibilities through a combination of self-initiated inspections and those resulting from complaints and referrals. However, because of resource limitations, the program only reaches a fraction of the regulated entities. Consequently, OSHA must target the most egregious or persistent violators to protect the most vulnerable worker populations. OSHA faces challenges to ensure that workplaces where workers are exposed to safety and health violations are sufficiently covered.
While OSHA has issued several guidance documents to enhance safety provisions during the pandemic, guidance does not carry the weight of OSHA rules or standards. In June 2021, more than a year into the pandemic, OSHA issued an emergency temporary standard (ETS) that only covered the health care industry. This emergency standard expired in December 2021. OSHA then substantially withdrew the ETS, retaining only its logging and recordkeeping sections. Despite the withdrawal of the vaccine or testing elements of the ETS, OSHA indicated it is pursuing a final rule on the subject.11 In addition, in September 2021, President Biden issued an executive order to write a rule requiring employers with at least 100 workers to require employees to get vaccinated or produce weekly test results showing they are virus free. This rule was issued as an ETS on November 5, 2021, but subsequently withdrawn by OSHA on January 26, 2022, after the U.S. Supreme Court ruled the Occupational Safety and Health Act of 1970 did not authorize the agency to issue it.
Protecting the Safety and Health of Miners
The Mine Safety and Health Administration’s (MSHA) ability to complete mine inspections while safeguarding the health of miners and the agency’s staff during the COVID-19 pandemic is a concern for the OIG. Some MSHA inspectors self-identified as being at high risk during the pandemic, which meant they were no longer required to perform mine inspections. The reduction in the number of inspectors able to conduct inspections, coupled with the logistical challenges of the pandemic, is a concern for the OIG. We are also concerned with the high incidence of powered haulage accidents in mines, which accounted for almost half of all mine fatalities in 2021 and have been continuing a trend in which powered haulage accidents account for a disproportionate share of overall fatalities over the last several years. MSHA also needs to develop strategies to address lung disease in coal mining states, particularly by updating regulations regarding silica content in respirable dust.12 Respirable crystalline silica can cause deadly and incurable chronic conditions, such as black lung disease. MSHA regulations on respirable silica have not changed in many years, even as the acceptable limit for silica exposure for workers other than miners has been significantly decreased by OSHA regulations.
Improving the Performance Accountability of Workforce Development Programs
The OIG has concerns about the Department’s ability to ensure its investment in workforce development programs is successful in advancing participants’ skills and placing them in suitable employment. The pandemic continues to highlight the importance of the Department’s workforce development programs assisting job seekers and employers in finding and filling available jobs and assisting workers in developing the right skills to fill new job openings. The Department’s ability to obtain accurate and reliable data to measure, assess, and make decisions regarding the performance of grant recipients, contractors, and states in meeting the programs’ goals is critical.
The Department needs to ensure its investments in credential attainment align with local employers’ needs and are having the desired impact on participants’ ability to obtain or advance in a job. In a 2018 audit13 that followed up on the employment status of a sample of Job Corps students 5 years after they left the program, we found that Job Corps faced challenges in demonstrating the extent to which its training programs helped those participants obtain meaningful jobs appropriate to their training.
In March 2018, ETA announced the National Health Emergency Grant program to help communities address the economic and workforce-related impacts of the opioid crisis. Research suggests that opioid dependency has been a leading cause of workforce exits for workers ages 25 to 54. To date, ETA has approved up to $143 million in grants to address the opioid crisis. It is vital that the Department monitor the performance of the discretionary grants it has awarded for the delivery of services to employers and workers affected by the opioid crisis.
As expressed in a March 2022 advisory report,14 the OIG continues to be concerned about three areas in particular where our body of work has identified weaknesses: awarding grants, reviewing grantees’ use of funds, and measuring grantee performance. Additional funding related to the COVID-19 pandemic has increased the need for ETA to ensure issues do not reoccur. Our June 2020 advisory report15 noted areas of concern that ETA should keep in mind when spending the additional $345 million allocated under the CARES Act through grants to assist dislocated workers adversely affected by the pandemic. The areas of concern were related to program eligibility, effectiveness, and compliance and monitoring. While ETA has taken action to address many related findings and recommendations, it must also proactively monitor the three key areas identified in the March 2022 advisory report and continue to assess for these weaknesses to ensure they do not reoccur.
Ensuring Safety During On-Site Instruction at Job Corps Centers and Implementing Distance Learning During the Pandemic
The OIG is concerned about the ability of Job Corps to mitigate the risk and spread of COVID-19 across the centers. Like many other educational institutions, preventing outbreaks of COVID-19 at Job Corps centers continues to be a significant priority. Job Corps centers are mostly residential, with students and some staff living on campus. While Job Corps has implemented its distance learning programs, the OIG is concerned with two issues related to distance learning. First, many Job Corps programs, such as plumbing and carpentry, are intensively hands-on and may not successfully transition to a virtual training model. Second, many Job Corps students may not have access to the equipment or high-speed Internet services they need in order to effectively participate in distance learning. To address these concerns, Job Corps granted extensions allowing students to physically return to Job Corps to complete their hands-on training components and procured and distributed laptops and mobile hotspots to students to participate in distance learning. Finally, the OIG is concerned with the potential learning gaps, such as those caused by delays to in-person instruction, that occurred because of the temporary suspension of Job Corps instructional programs at the onset of the pandemic and with how Job Corps intends to remediate these potential learning gaps.
Ensuring the Safety of Students and Staff at Job Corps Centers
In addition to the safety challenges posed by the COVID-19 pandemic, averting on-campus violence and other potentially criminal behavior remains a challenge for Job Corps centers. The OIG audits from 201516 and 201717 revealed that some Job Corps centers failed to report and investigate serious misconduct, such as drug abuse and assaults. The audits also disclosed that some Job Corps centers downgraded incidents of violence to lesser infractions, creating an unsafe environment for students and staff. The follow-up work we completed in December 201718 and our ongoing review of Job Corps’ corrective actions showed that Job Corps has taken steps to improve center safety and security by establishing internal controls and revising policy. However, student misconduct concerns continue, and a March 2021 OIG audit report19 showed that the current process does not provide Job Corps centers the appropriate tools and resources to properly evaluate applicants for substance abuse and mental health issues as they enter the program and does not ensure centers have the necessary resources to mitigate them. While ETA told us it increased nursing and mental health consultants’ hours at every center to help address these concerns, it determined pre-enrollment behavioral assessments, of the type OIG identified, are not feasible legally or programmatically and pre-enrollment academic readiness screening of prospective students does not align with the program’s eligibility criteria and overall purpose to serve a diverse collection of youth. The OIG continues to monitor various safety initiatives and actions taken by Job Corps to keep students and staff safe.
Maintaining the Integrity of Foreign Labor Certification Programs
The DOL foreign labor certification (FLC) programs are intended to permit U.S. employers to hire foreign workers to meet their workforce needs while protecting U.S. workers’ jobs, wages, and working conditions. DOL’s administration of FLC programs under current laws has been a concern for the OIG for decades. Investigations have shown these visa programs, in particular the H-1B program for workers in specialty occupations, to be susceptible to significant fraud and abuse from perpetrators, including certain immigration agents, attorneys, labor brokers, employers, and, most often, organized criminal enterprises.
In 2003, the OIG issued a white paper20 outlining vulnerabilities that then existed in four FLC programs, permanent employment certification program (PERM), H-1B, H-2A, and H-2B, and, in 2020, we issued a similar report.21 We found the post-2003 rules revamped the PERM, H-2A, and H-2B visa programs, and addressed some of the vulnerabilities cited in audits and investigations by the OIG and the Government Accountability Office. Those same rules created challenges regarding DOL’s responsibilities. Additionally, DOL continues to have limited authority over the H-1B and PERM programs which challenges the goal of protecting the welfare of the nation’s workforce.
The statute limits DOL’s ability to deny H-1B applications. Specifically, DOL may only deny incomplete and obviously inaccurate H-1B applications and has only limited authority to conduct H-1B investigations in the absence of a complaint. DOL has recently established a process to begin utilizing the Secretary-initiated H-1B investigations. The PERM program itself is persistently vulnerable to employers not complying with its qualifying criteria. Therefore, both the PERM and H-1B programs remain highly prone to fraud.
With various new DOL rules going into effect since 2003, there have been opportunities for the PERM, H-2A, and H-2B visa programs to change. For example, these new rules implemented employer attestation programs, which allow employers to agree to the conditions of employment without providing supporting documentation to validate their agreements. However, DOL has identified instances in which employers are not complying with the conditions of employment, thereby reinforcing how susceptible these programs are to fraud.
Finally, DOL has established a risk-based process to determine which H-2A and H-2B applications to audit. The new selection process identifies appropriate risk factors based on adjudication experience and available H-2A and H-2B application processing data. DOL has implemented the process and started the audits. Because the process is still new, it is difficult for ETA to determine whether the applications audited were those most likely to result in violations eligible for employer debarment.
Protecting the Security of Employee Benefit Plan Assets
The OIG remains concerned about the Employee Benefits Security Administration’s (EBSA) ability to protect the benefit plans of about 158 million workers, retirees, and their families under the Employee Retirement Income Security Act (ERISA) of 1974. In particular, the OIG is concerned about the statutory limitations on EBSA’s oversight authority and inadequate resources to conduct compliance and enforcement. A decades-long challenge to EBSA’s compliance program, ERISA provisions allow billions of dollars in pension assets to escape full audit scrutiny. In 2013, we reported22 that as much as $3.3 trillion in pension assets, including an estimated $800 billion in hard-to-value alternative investments, held in otherwise regulated entities such as banks, received limited-scope audits that provided few assurances to participants regarding the financial health of their plans. EBSA needs to focus its limited available resources on investigations that are most likely to result in the deterrence, detection, and correction of ERISA violations, particularly given the number of benefit plans EBSA oversees relative to the number of investigators it employs. Finally, EBSA lacks the authority under the Federal Employees’ Retirement System Act (FERSA) to effectively oversee more than $769.4 billion in federal employee Thrift Savings Plan (TSP) assets. FERSA requires EBSA to conduct regular compliance audits to determine whether the Federal Retirement Thrift Investment Board (FRTIB), an independent agency, is fulfilling its fiduciary duties and properly safeguarding TSP participants’ assets; however, EBSA has no legal authority to compel FRTIB to implement its recommendations.
Managing Medical Benefits in the Office of Workers’ Compensation Programs
The OIG has concerns about the ability of the Office of Workers’ Compensation Programs’ (OWCP) to effectively manage rising home health care costs in the Energy Employees Occupational Illness Compensation Program Act (Energy Workers) program, and about the use and cost of pharmaceuticals in the Federal Employees’ Compensation Act (FECA) program. The Department needs to make sure it has controls in place to ensure that the medical benefits it provides to energy workers and FECA program claimants are safe, effective, medically necessary, and cost-effective.
In the Energy Workers program, with an aging claimant population and an increased demand for home health care services, there is a potential for providers to exploit these benefits through unauthorized or unnecessary billing. Since 2010, home health care costs paid by the Energy Workers program have grown from $100 million to more than $675 million, amounting to 74 percent of all medical benefits paid by the program in Fiscal Year (FY) 2020. OWCP needs to continue its efforts to analyze home health care billing for abusive practices and to identify and refer allegations involving potential fraud or abuse to the OIG for further investigation.
In the FECA program, we are currently conducting an audit to determine if OWCP effectively managed pharmaceutical spending from FY 2015 to FY 2020. Past audits have identified internal control weaknesses related to OWCP’s management of pharmaceuticals. For example, OWCP allowed increases in billing statements for compounded drugs to go undetected and failed to identify the overuse of opioids. Given the high risk of fraud related to prescription payments, OWCP needs to analyze and monitor FECA program costs to promptly detect and address emerging issues before they manifest into material concerns.
Consistent with prior audit recommendations by the OIG, OWCP imposed restrictions on opioid prescriptions in September 2019. In addition, in March 2021, OWCP contracted with a pharmacy benefits manager (PBM) that will be responsible for pharmaceutical transactions, including implementation of FECA eligibility determinations and pricing for pharmaceutical drugs. OWCP needs to provide adequate oversight over the PBM to ensure that it is providing the most cost-effective and safe medical benefits. OWCP should also continue to monitor the COVID-19 pandemic and potential impacts on its ability to provide timely and effective benefits to injured workers.
Ensuring the Solvency of the Black Lung Disability Trust Fund
Miners and their dependent survivors receive lifetime benefits when awarded under the Black Lung Benefits Act. Mine operators pay these benefits when possible, and the Black Lung Disability Trust Fund (BLDTF) pays the benefits when a miner’s former employer does not or cannot assume liability. The OIG’s primary concern is that the current annual income of the BLDTF (primarily from an excise tax on coal) is not sufficient to cover annual benefit obligations to meet administrative costs and to service past debt. The BLDTF expenditures have consistently exceeded revenue and it has essentially borrowed with interest from the U.S. Department of the Treasury’s (Treasury) general fund almost every year since 1979. According to DOL’s FY 2021 Agency Financial Report, the BLDTF had to borrow approximately $2.3 billion to cover its expenditures, which included debt and interest payments. As of September 30, 2021, the BLDTF was carrying close to a $6.1 billion deficit balance, which is projected to grow to nearly $13 billion (in constant dollars) by September 30, 2046.
The excise tax that funds the BLDTF is levied on domestic sales of coal mined in the United States. On January 1, 2022, the temporary increased tax rates of $1.10 per ton of underground-mined coal and $0.55 per ton of surface-mined coal sold were reduced to the rates originally set when the trust fund was established in 1978 at $0.50 per ton of underground-mined coal and $0.25 per ton of surface-mined coal. The House Committee on Education and Labor introduced the bill, Black Lung Benefits Disability Trust Fund Solvency Act of 2022, to extend the temporary excise tax rates for 10 years through December 31, 2031, but it has not yet been enacted in law. The excise tax rate reduction plus the reduction in coal production will result in decreased cash inflows to the BLDTF. The Congressional Research Service reported in 2019 that “the decline in the excise tax rates will likely put additional financial strain on a trust fund that already borrows from the general fund to meet obligations.”23
Securing and Protecting Information Management Systems
We remain concerned about the Department’s ability to safeguard its data and information systems. The Department’s agencies rely on its information technology (IT) systems to obtain and create vast amounts of information and data in carrying out their missions, and included in these data are the PII and personal health information of the public, including federal employees. Over the past several years, the Department has made significant changes in the way it provides IT services to its program agencies. These changes included transitioning from a program agency-operated model to a shared services model, centralizing information technology under the Office of the Assistant Secretary for Administration and Management. While these changes have made improvements in managing the Department’s information technology, we continue to have concerns in the following areas:
Securing the Department’s information systems remains a concern as we continue to identify recurring deficiencies in the Department’s efforts to manage and implement security controls within identity and configuration management. In addition, we determined the Department has not adequately implemented the technology tools required to manage and monitor IT security. Recurring deficiencies were identified in four of the five information security functional areas (as defined by the National Institute of Standards and Technology Cybersecurity Framework) and occurred in the performance of security control assessments, account management controls, configuration management, and maintenance of system security plans. These deficiencies continue to hinder the Department in identifying security weaknesses; protecting its systems and data; and detecting, responding to, and recovering from incidents.
While Supply Chain Risk Management (SCRM) has been an on-going concern, recent cyber attacks, such as the 2020 Solar Winds attack, which took advantage of the supply chain process, has increased awareness and related concerns throughout the industry and the federal government. As a new domain for our annual information security testing, we determined that DOL has not adequately defined SCRM policies, procedures, and strategies.
The Department continues to move its information systems to a shared services model and expand its use of cloud and third-party providers for its information systems, infrastructure, and services. DOL’s ability to provide oversight and management required of these systems and services is still an issue. We continue to identify deficiencies in the Department’s oversight of information systems managed and/or operated by a third-party on behalf of the Department. As DOL continues this transition, the Department’s ability to provide the oversight and to retain the specialized knowledge and expertise required to protect and manage its systems, including the contracted systems, remains at risk. Our recent reviews identified inadequate oversight of continuous monitoring reviews and third-party systems. Also, prior year recommendations regarding validation of annual third-party and cloud service provider assessments and continuous monitoring training remained unimplemented.
As we return to the office, the Department is changing its work and IT landscape to significantly expand remote and telework operations for its employees. This expansion raises our concern with the DOL’s ability to secure the changing and expanding endpoint security requirements. In the past few years, more DOL employees are teleworking and more computers are connected remotely or connected as a service to primary office locations. DOL needs to ensure the endpoint security between all connection points and review data transmission. Network access control becomes less coordinated as different “software as a service” (SaaS) methods and non-centralized systems are required to be managed independently. Unpatched systems are continual targets and patching may or may not be a portion of a service rather than a direct responsibility. Without the technical, contractual, and wider scoped training, cyberattacks and data fraud are due to increase with the shift in working patterns and new remote services.
These areas of concern represent ongoing risks to the confidentiality, integrity, and availability of DOL’s information systems, which are necessary to support the Department’s mission. Our concern is whether DOL can implement the necessary strategies and tools to provide sufficient capability and effective security for the Department’s data and information systems as well as to support the execution of its mission.
Improving Job Corps’ Procurement Process
Job Corps spends about $1 billion on goods and services annually for 121 centers and is currently transitioning center operations from cost reimbursement to fixed-price contracts. The Department believes that this transition will lower government risk, reduce the administrative burden, generate more pre-award efficiencies, and encourage more competition for contracts. Increased competition among contractors should lead to better contractor performance with fewer staffing shortages and improved services, including those for centers’ safety and security.
We are concerned about the transition to fixed-price contracting because prior OIG work in this area found that Job Corps procurement processes did not ensure the best value for taxpayers.24 As the Department moves to fixed-price contracting, the Department must continue to ensure its contract requirements are well developed, contract competition is fair, and sound post-award oversight is used to quickly ameliorate deficiencies and poor performance.
1 outlining vulnerabilities that then existed in four - FLC programs, PERM, H-1B, H-2A, and H-2B, and, in 2020, we issued a similar report. We found that, although the post-2003 rules revamped the PERM, H-2A, and H-2B visa programs, as well as addressed some of the vulnerabilities cited in OIG and Government Accounting Office audits and investigations, those same rules created challenges regarding DOL’s responsibilities. Additionally, DOL continues to have limited authority over the H-1B and PERM program which challenges protecting the welfare of the nation’s workforce.