Through the Infrastructure Investment and Jobs Act (“IIJA”) and the Inflation Reduction Act, the Department of Energy (“DOE”) has awarded billions of dollars to a series of new infrastructure and clean energy programs. The scope and size of these programs have, in turn, attracted scrutiny from the DOE’s Office of Inspector General (“OIG”), as evidenced most recently by an OIG Special Report (“Report”) detailing what the OIG characterized as “Management Challenges” at DOE. The Report is notable for several reasons, but most striking is its sharp criticism of DOE’s apparent reluctance to fully accede to the OIG’s request for vast quantities of agency and contractor data in connection with preventative fraud detection efforts. This blog will cover the key findings of this Report and the most important takeaways for current and prospective DOE implementing partners.
Key Findings of the Report
Cybersecurity: The Report emphasized that improving DOE’s cybersecurity plans and coordination remains a top priority. DOE has already taken certain steps in this direction; for example, the Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”) recently identified 44 provisions to be included in cybersecurity plans used by IIJA recipients. However, the OIG’s Report identified several challenges DOE faces in managing cybersecurity, including its decentralized governance structure, which the Report says has resulted in DOE contracts with missing or outdated cybersecurity standards. The OIG also cited lack of adequate resources as another major challenge DOE faces in cybersecurity implementation, noting that DOE officials face evolving threats that require better tools but are often forced to choose between addressing cybersecurity weaknesses or conducting mission-specific work. Indeed, the Report noted that the OIG’s own lack of adequate resources impacted their ability to fully evaluate DOE’s cybersecurity posture and infrastructure, stating that OIG has only received a fraction of the funding they need to conduct the necessary oversight.
Theft of Intellectual Property by Foreign Adversaries: The Report also highlighted the significant funding DOE receives for research and development: $14.8 billion as reported in the FY 2022 Agency Financial Report. As much of this funding is subject to intellectual property protections and/or national security considerations, the Report highlighted that these research investments are a target for foreign competitors – most notably in China – that seek to access to cutting edge findings and developments arising from DOE-funded research. Consequently, the OIG highlighted the need for increased protections to prevent the theft of agency research and intellectual property. In particular, the Report cited the need to design procedures that facilitate timely investigations and prosecutions of individuals who have stolen valuable DOE intellectual property, paired with a focus on preventative measures to proactively detect and deter threats. To that end, OIG’s Office of Inspections, Intelligence Oversight, and Special Projects recently began an inspection focusing on the DOE’s compliance with requirements of DOE Order 486.1A, Foreign Government Sponsored or Affiliated Activities. The Order prohibits Department employees and contractors from participating in foreign government-sponsored talent recruitment programs and restricts other foreign government-sponsored or affiliated activities of a “foreign country of risk.”
Data Analytics: The Report saved its most pointed criticism of DOE for the topic of data collection and analytics, claiming that DOE has not “kept pace” with Federal requirements and is still in the “early stages” of their implementation. The OIG cited several areas in particular that present challenges for the agency, including that data analytics capabilities at some reporting entities “consisted primarily of maintaining spreadsheets and manual reconciliation efforts.” The OIG noted that improvements to data analytics would allow DOE to advance from identifying fraud after the fact to proactive, preventative measures.
Most notably, however, the Report highlighted what the OIG characterized as DOE’s lack of “full” cooperation with OIG efforts to collect information that the Report claims is necessary to protect DOE against fraud, waste, and abuse. In particular, the Report criticized DOE for not initially complying with or supporting the OIG’s expansive March 2022 request for “payroll-related data” from 10 contractors and their employees at 5 department sites. That said, the Report also noted that between September and mid-November of 2023, DOE has directed these contractors to provide at least some of the requested data, upon receipt of which the OIG will review the data and work with contractors to address any deficiencies. The OIG also intends to issue a separate Special Report on this subject in December 2023.
Furthermore, in revisiting these criticisms in the November 30th semi-annual report to Congress, the OIG indicated that they have begun requesting payroll-information from contractors directly, rather than going through DOE. Though the form of these requests was not explicitly discussed in the semi-annual report, OIG is likely requesting this information through an administrative subpoena, or a threat to issue one. The OIG noted in this report that a review of the data they obtained through a previous, similar request “uncovered numerous fraudulent activities, resulting in several active criminal investigations and indictments.” This indicates that OIG will continue to be aggressive in this space moving forward.
Key Takeaways from the Report
OIG Focus on “Identifying” Data: This Report offers the latest evidence of the DOE OIG’s aggressive push to collect large quantities of data related to DOE and its contractors—and their employees—in the name of detecting and preventing fraud, waste, and abuse. The OIG’s efforts have focused specifically on contractors, with an emphasis on contractor payroll records and “identifying data” related to their employees. In line with this approach, DOE’s November 27th System of Records Notice (“SORN”) outlines a broad range of data that the OIG may collect, including personally identifiable information, such as dates of birth, corporate-issued identifiers (e.g., frequent flyer numbers), and even Social Security numbers. The SORN also exempts the OIG from standard Privacy Act requirements to share certain information with individuals whose personal data is collected, citing statutory exemptions applicable to information pertaining to criminal enforcement and investigatory activities. The agency is currently accepting public comments on the SORN, which is slated to take effect on December 27th, 2023, absent an amendment or extension.
OIG Focus on “Preventative” Measures: The collection and analysis of data is an increasingly key piece of OIG’s enforcement toolkit, as evidenced by the OIG’s establishment of a new Data Analytics Division discussed in a September 2022 semi-annual report. While data analysis per se is not new, the OIG’s approach appears to be uniquely aggressive, using collection of personally identifiable information as a prophylactic measure rather than as a response to a specific allegation of fraud, waste, or abuse. For example, in the November 27th SORN, OIG emphasized the need to collect data to “assess risk,” “promote economic efficiency,” and “prevent and detect fraud, waste, and abuse.” In this regard, the OIG appears to be deploying a sweeping and far more aggressive data analytics operation.
OIG Continuing Focus on Exercising Enforcement Authority: In addition to promising a Special Project Report on DOE’s cooperation with respect to data analytics, the Report also foreshadowed a number of forthcoming reports that, taken together, suggest that the OIG is intent on maximizing the effect of its enforcement authority. Notably, the report previewed an upcoming Special Project Report on opportunities to improve the suspension and debarment process at DOE. Noting that DOE has not historically had a “robust” suspension and debarment program, OIG indicated that opportunities to improve this program may include suspension and debarment decisions based not just on criminal convictions or serious civil offenses, but also evidence to indicate that a company or individual is “not presently responsible.” The Report also previewed an upcoming Special Project Report on mandatory disclosures, citing “significant lapses” in mandatory reporting of violations of Federal criminal law. This Special Report, expected in December 2023, will detail OIG’s recommendations for DOE to improve its oversight efforts.
Given this increased scrutiny and OIG’s focus on strengthening their enforcement authority, DOE contractors and subcontractors must be hyper-vigilant in ensuring continued compliance with their contractual obligations. In line with OIG’s key areas of focus, contractors and subcontractors should pay particular attention to compliance with cybersecurity and data collection/retention provisions and should evaluate and improve internal procedures for the detection and disclosure of conflicts of interest and violations of Federal law that would be subject to mandatory disclosure requirements. We of course will continue to monitor policy developments and related enforcement activities in this area.