Safeguarding Federal funds and maintaining a secure cyber environment is of the utmost importance to awarding agencies. Recipients are a crucial part of safeguarding funds. Security is everyone’s responsibility, and an effective cyber security strategy helps prevent and identify fraud. Your diligence is key. We encourage you to share this information within your organization.
Each year, the Federal government awards trillions in Federal financial assistance. The vast majority of these funds are used according to the terms of the award and support critical activities across the Nation and in your local communities. Yet award-making agencies, recipients, and the general public are often preyed upon by fraudulent actors who use a variety of tactics to steal funding and other resources from the government and recipients.
Recipient organizations are an important partner in addressing these threats.
The Recipient’s Role
- Institute Robust Internal Controls. Recipients and their employees are critical in fighting waste, fraud, and abuse related to taxpayer-funded programs. It is in everyone’s best interest to ensure Federal funds are used properly.
- As a Federal financial assistance award recipient, your organization is required to implement effective internal controls, as outlined in 2 CFR 200.303, in compliance with the “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States, or the “Internal Control – Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- Report Suspected Waste, Fraud, and Abuse. Federal law mandates that all Federal contractors, subcontractors, grantees, subgrantees, or personal services contractors must report suspected fraud and inform their employees in writing of the rights and remedies of reporting suspected fraud provided under Federal law.
- Where to Report. Anyone may report suspected award-related waste, fraud, and abuse to their awarding agency Office of Inspector General.
- Reporting Protections. Recipients and subrecipients must advise affected parties on their protections when reporting fraud.
- Increase Fraud and Security Awareness. In addition to internal controls, an educated workforce is the most important tool we have to prevent fraud. Train users to be aware of and understand policies, procedures, and best practices, including ensuring employees take and pass required security awareness and other training courses. This helps reduce human error, negligence, and misconduct. These additional materials may help you and your organization:
- Grants.gov Grant Fraud website
- U.S. Federal Trade Commission Government Grant Scams article
- U.S. Department of Justice Grant Fraud Awareness handout
- National Institute of Standards and Technology Cybersecurity is Everyone’s Job publication
- Strengthen Security and Mitigate Risk. The digital landscape is rife with cyber threats. The following best practices are essential to a proactive defense:
- Set Role-Based Access Controls. To manage system user access, accounts, and permissions, first define the roles in your organization by function and responsibility, then document the specific access each role needs to do its work. Assign users to roles rather than granting permissions one by one, so that the role definition, not the individual account, determines what access is appropriate.
- Adopt a Zero-Trust Policy. Under a zero-trust policy, no user or device is trusted by default because of its network location or prior access; every request is verified. System administration employees should be able to identify and verify the identity of all users and devices, consistently authenticate and authorize each access to resources, and detect and respond to potential security risks. It is also essential to track activity and risk levels so that abnormal behavior can be identified.
- Follow the Principle of Least Privilege. The Principle of Least Privilege ensures users have only the minimum access and permissions needed to perform their tasks. Practicing this principle reduces the risk of unauthorized access and data breaches and limits the damage a compromised account can do. To implement it, regularly review and audit each user’s current access and permissions, and deactivate or restrict any privileges that are not consistent with the user’s assigned role.
- Inventory, Update, and Audit User Accounts. Regularly inventory, update, and audit accounts. Establish a schedule and a process for evaluating and modifying user access and permissions based on audit results, incident reports, personnel changes, and your role-based access controls. This ensures user access is current and allows system administration employees to quickly identify accounts that should be deactivated, such as accounts of departed staff or accounts that have not been used in a long time.
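The four practices above (role definitions, least privilege, and a recurring account audit) can be turned into a repeatable check. The script below is an added example, not code from the original page or from any awarding agency; the role names, permission strings, user accounts, and dates are constructed sample data, and the 90-day inactivity threshold and the separation-of-duties rule (one account must not both request and approve a drawdown) are assumptions chosen for illustration.

```python
"""Audit user accounts against role-based access definitions.

Added example with constructed sample data. It flags accounts whose
granted permissions exceed what their roles need (least privilege),
accounts holding conflicting duties, stale active accounts, and
disabled accounts that still hold permissions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed role definitions: the permissions each role legitimately needs.
ROLE_PERMISSIONS = {
    "grant_viewer": {"awards:read"},
    "grant_manager": {"awards:read", "awards:write", "drawdown:request"},
    "finance_approver": {"awards:read", "drawdown:approve", "payments:read"},
    "sysadmin": {"users:manage", "audit:read"},
}

# Assumed separation-of-duties rule: no single account may hold both.
SOD_CONFLICTS = [("drawdown:request", "drawdown:approve")]

Finding = Tuple[str, List[str]]  # (kind, details)


@dataclass
class Account:
    username: str
    roles: List[str]          # roles assigned in the HR/IAM system
    granted: Set[str]         # permissions actually present in the application
    last_login: Optional[date]
    active: bool = True


def expected_permissions(roles: List[str]) -> Set[str]:
    """Union of the permissions the assigned roles entitle a user to."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def audit_account(acct: Account, today: date, stale_after_days: int = 90) -> List[Finding]:
    """Return the list of problems found for one account (empty if clean)."""
    findings: List[Finding] = []
    expected = expected_permissions(acct.roles)

    # Least privilege: anything granted beyond the role definition is excess.
    excess = acct.granted - expected
    if excess:
        findings.append(("excess_privilege", sorted(excess)))

    # Separation of duties: conflicting permissions in one account.
    for a, b in SOD_CONFLICTS:
        if a in acct.granted and b in acct.granted:
            findings.append(("sod_conflict", [a, b]))

    if acct.active:
        # Stale or never-used active accounts are candidates for deactivation.
        if acct.last_login is None:
            findings.append(("never_logged_in", []))
        elif (today - acct.last_login).days > stale_after_days:
            findings.append(("stale_account", [acct.last_login.isoformat()]))
    elif acct.granted:
        # A disabled account should hold no permissions at all.
        findings.append(("disabled_with_permissions", sorted(acct.granted)))

    return findings


def audit(accounts: List[Account], today: date, stale_after_days: int = 90):
    """Map username -> findings, including only accounts that have findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today, stale_after_days)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory (not real accounts).
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", ["grant_manager"],
            {"awards:read", "awards:write", "drawdown:request"}, date(2024, 6, 28)),
    Account("bob", ["grant_viewer"],
            {"awards:read", "awards:write", "users:manage"}, date(2024, 6, 1)),
    Account("carol", ["grant_manager", "finance_approver"],
            {"awards:read", "awards:write", "drawdown:request",
             "drawdown:approve", "payments:read"}, date(2024, 6, 20)),
    Account("dave", ["grant_viewer"], {"awards:read"}, date(2024, 1, 15)),
    Account("erin", ["grant_viewer"], {"awards:read"}, date(2024, 3, 1), active=False),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        for kind, details in findings:
            print(f"{user}: {kind} {details}")
```

Run against the sample data, the report lists bob (excess permissions beyond the viewer role), carol (requests and approves drawdowns from one account), dave (active but unused for more than 90 days), and erin (disabled but still holding a permission); alice is clean. In practice the inventory would be exported from the application and IAM system on the review schedule described above, and each finding would be tracked to remediation.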
